New Visa Mandates for 2021

Fraud False Positives_Blog Image

The payments ecosystem can be complex to navigate, and new challenges are constantly being thrown at it. Technological advances, innovations in fraud and cybercrime, and evolving consumer behaviors are constantly altering the card payments landscape.

To deal with these changes, major card networks like Visa frequently update the rules that issuing banks, merchants, and customers are required to follow. By keeping informed about card network mandates and taking compliance seriously, merchants can avoid fees, reduce their chargeback liability, and protect their revenue from avoidable losses. What new rules and regulatory changes are Visa mandating for 2021?

New call-to-action

Not a year goes by without new mandates from the big card brands. These mandates are designed to protect the integrity of the payments ecosystem by improving the consumer experience and making it harder for fraudsters to place unauthorized transactions. As the largest network, Visa’s pronouncements hold particular weight.

While it’s not always easy to find time to keep up with announcements about these mandates and implement the required changes, doing so is essential.

When merchants are out of compliance with card network rules, they may be subject to costly fines and increase their exposure to chargebacks.

While it may seem at times that the way the networks and issuers protect consumers is by creating more work and responsibilities for merchants, remember that sales go up when consumers are confident in the security of their payment systems, and merchants benefit directly from any regulations designed to reduce fraud and transaction disputes.

Let’s take a look at the changes Visa has in store for 2021.

What is the New Visa Purchase Return Authorization Requirement?

Manage Chargeback In-House Or OutshoreOne of the most significant mandates for this year is the Visa Purchase Return Authorization requirement, set to take effect globally on October 1, 2021.

It requires merchants to submit an authorization request for return transactions that generate a refund for the cardholder. The process will be essentially the same as when merchants request authorization from the issuer for purchase transactions.

Merchants have good reason to welcome this rule change. Authorization requests will make it easier for issuing bank representatives to see pending refunds when cardholders call to dispute charges, which will reduce friendly fraud and other unnecessary chargebacks.

For example, if a merchant is waiting for a return item to be shipped back to them, they can send an authorization request to show a pending refund in the system, and complete the refund transaction once the item is received. If the cardholder calls to dispute the charge in the meantime, the issuer can see the pending refund and know that it would be premature to file a chargeback.

When issuers do initiate a chargeback—for any reason code—Visa will search for a corresponding refund transaction. If it finds a match, it will block the chargeback.

Merchants are advised to include expiration dates in refund authorization messages. Refund transactions may be processed to a different card than the one used in the purchase transaction, provided the original account is no longer usable and the new card is also a Visa.

Zero Floor Limit Fees will apply to unauthorized refund transactions, and Misuse of Authorization Fees will apply to refund transactions that don’t get reversed or settled within the allowable time frame. Visa may delay the enforcement of these fees, but merchants should aim for early compliance. 

What is the Visa 3D Secure Migration?

3D Secure is a powerful fraud prevention tool that blocks stolen card purchases by adding an extra security layer to online transactions. In 2016, 3D Secure 2.0 was released, which eliminated the static passwords used in the first version and introduced frictionless technology.

Effective October 16, 2021, Visa is enforcing a global upgrade to 3D Secure 2.0 by removing merchant fraud liability protections from 3D Secure 1.0.2 transactions.

There are some conditions on this mandate related to issuer participation and whether or not the transaction was fully authenticated, but every merchant who enjoys the benefits of 3D Secure should have upgraded to the more secure, customer experience-friendly 2.0 version long ago.

For merchants in the European Economic Area and other regions where Strong Customer Authentication is mandated by law, 3D Secure 2.0 is one of the most economical and effective ways to meet that requirement.

If you’re still using the earlier version of 3D Secure, don’t waste time trying to figure out how much liability protection you might still have after October—it’s well past time to upgrade already.

How are the Visa Decline Response Code Rules Changing?

Back in April of this year, Visa started grouping authorization decline response codes into four categories. At this time, they enacted new rules for how merchants and issuers should handle the response codes in each category.

The categories are:

  1. Issuer Will Never Approve. These are permanent declines. Reattempts are not permitted and the response should never change.
  2. Not Approved At This Time. This is a temporary decline that may change over time, and reattempts are permitted. For example, a card might have insufficient funds, but they could be replenished.
  3. Data Quality Issue. Here, the transaction has been declined for data-based reasons (invalid account number, expired card, incorrect CVV). Reattempts are permitted, but the merchant should validate the payment data first.
  4. Generic Response Codes. All other response codes fall into this category. Reattempts are permitted.

This mandate should give merchants a better understanding of why certain transactions get declined.

Two integrity fees may be levied to enforce this mandate. Effective globally on October 1, 2021, Visa will charge a Data Consistency Fee when a merchant resubmits an authorization after with any of the following data fields altered after the issuer declines it:

  • Merchant country
  • POS condition code
  • POS environment field
  • Merchant Category Code
  • Electronic Commerce Indicator
  • POS entry mode

On April 1, 2021, Visa started charging merchants in the United States, Canada, and Europe with a Reattempt Fee when they exceed their maximum number of reattempts after receiving a decline response.

In Latin American markets, the Reattempt Fee is also applied when a merchant reattempts a transaction that received a Category 1 decline response code. On April 1, 2022, this condition will apply to U.S. and Canadian merchants as well.


Staying current with card network mandates and rule changes can be challenging, but it’s an unavoidable part of the job for any merchant who accepts credit card transactions.

The good news is that compliance usually means a smoother transaction process and better protection from fraud and chargebacks.

Don’t forget that if you’re having trouble implementing these rule changes, a good chargeback management firm will always factor regulatory compliance into your overall plan of defense and can help guide you through making the necessary adjustments to avoid any rule violations.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:

New call-to-action