Making the Most of Card Network Mandates: An Ancestry Case Study


Card network mandates, new regulations, rule changes—they all just keep coming, and merchants often feel like all they can do is hunker down and defend themselves as best they can against chargebacks and non-compliance penalties. This is not the worst approach: compliance with new mandates should be priority number one, as merchants who disregard them expose themselves to a great deal of liability and fees.

Merchants who intend to grow and thrive even as the ecommerce landscape changes around them, however, should be taking a more proactive approach to learning the ins and outs of rule and policy changes announced by the banks and card networks. When your eyes are open for the opportunities these changes may open up, you can adapt in ways that expand your ways to earn revenue instead of just preserving the ones you already have.

Not sure how regulatory changes can be leveraged to benefit your business? Let’s take a look at how Ancestry managed to do just that with Visa’s 2018 mandate.

The Impact of Policy Changes

Ancestry is a genealogical research website where users can look up historical documents, test and analyze their DNA, and connect with distant relatives. Signing up is free, but most of their most useful resources are restricted to paying subscribers, although some of their products (like the DNA testing kits) can be purchased separately.

Like all successful ecommerce companies, Ancestry maintains awareness of card network policy changes, which typically take effect in April and October of each year. As payment technologies, fraud methods, and consumer behavior evolve from year to year, the card networks have to keep updating their policies and regulations to keep up with new developments and expectations in the payment card industry and the markets they serve.

New policies from the card networks mean that merchants must change their processes in order to comply with them. In the card-present payment processing world, the introduction of EMV chips was a change that demanded a complete overhaul of merchant processes. While it didn’t come from any card network, the European Union’s GDPR was a recent change that had huge implications for nearly every ecommerce merchant on the web. When policies change, processes follow.

A Silver Lining to Visa’s 2018 Mandate

Part of Visa’s 2018 mandate was a change to their chargeback policy regarding transactions with a mismatched CVV2 value. To fight card-not-present fraud, Visa decreed that if a Visa card transaction takes place and the CVV2 doesn’t match, but the issuing bank approves the transaction anyway, then the issuing bank will carry the liability for any dispute arising from that transaction.

The reasoning behind this is that if issuing banks are liable for chargebacks with a CVV2 mismatch, then they will be more likely to reject those transactions, making it harder for fraudsters to make purchases with stolen cards when they don’t have the full set of payment credentials.

Many merchants saw this policy change, realized it only directly impacted issuing banks, and breathed a sigh of relief. One less policy change for merchants to adapt to! Ancestry saw something different.

A Liability Shift Opens the Door for Incremental Lift

Let’s back up for a moment and look at Ancestry’s processes leading up to this policy change. Historically speaking, CVV2 mismatches weren’t a frequent occurrence or a big issue for Ancestry. In fact, fewer than 3% of all transactions they processed resulted in a CVV2 mismatch. Many of these transactions would be caught and rejected by the issuing bank, but some of them would be approved—about 19% of all CVV2 mismatches.

As part of their fraud prevention efforts, Ancestry had a common-sense policy toward transactions where the CVV2 values didn’t match: they would reject them and decline the sale. They knew this might cost them some legitimate sales where the customer simply typed the number in wrong, but CVV2 mismatches are often the work of fraudsters using stolen card numbers. Online retailers aren’t supposed to store CVV2 data, so it typically isn’t included in payment data breaches, and fraudsters rarely have access to it, even if they have all the rest of the payment credentials.

So Ancestry was rejecting these mismatched transactions because of the chance they were made by fraudsters, but with Visa’s new 2018 mandate, the liability for any chargebacks that would have resulted from these transactions was shifted from the merchant to the issuing bank.

In August 2018, Ancestry stopped rejecting transactions with mismatched CVV2 values. Instead, they allowed them to go through, knowing that if they were being made by fraudsters, the liability for the inevitable chargeback would fall upon the issuing bank, not Ancestry.

With Visa’s new policy in effect, Ancestry’s fraud prevention process was redundant. If they had left it as is, they would have been doing extra work that would have benefited their customers’ issuing banks, not their own bottom line.

Instead, they let the issuing banks assume the sole responsibility for deciding whether to reject or accept CVV2 mismatch transactions.

The end result was an incremental lift in their transaction approval rate of about 0.28%: a tiny portion of their total transaction volume, but for a big company like Ancestry, not a trivial amount of money to leave on the table. Best of all, they were able to gain this incremental lift not by increasing the labor or complexity involved in their processes, but by eliminating redundant steps and making them more streamlined and efficient. That’s a win/win for Ancestry, and all it required was to look for the opportunities hidden within Visa’s policy changes.


The first thing merchants must do when a new mandate or law changes the regulations they have to follow is make sure that their processes won’t cause them to run afoul of the new rules. Too many merchants stop there instead of taking the next step and looking for ways that the new rules can help instead of hinder them.

Remember that merchants’ stake in ecommerce is as important as any other, and the card networks know this. It’s easy to focus on the ways in which mandates can seem onerous or punitive to merchants, but the card networks have to protect merchants too in order to keep the overall ecommerce ecosystem healthy and functional. Keep an open mind when the next mandate is handed down—there may be opportunities for your business, if you know where to find them.

Thanks for following the Chargeback Gurus blog.