global security bulletin no 9 september 13 2013

Global

SecurityBulletin No. 9 13 September 2013

In this bulletin...

3 Upcoming Expiration of the Security Certificates for PCI PTS POI V1compliantPayment Terminals

6 Manage My Fraud and Risk Programs to Replace MasterCard Alerts

11 MasterCard SecureCode 2014 Program Updates

13 MasterCard SecureCode Directory Server IP Address Change and Proxy Update

15 MasterCard SecureCode Directory Server Upgrading SSL LibrariesReminder

16 MasterCard SecureCodeLegacy Connectivity DecommissionReminder

18 Dual Message Stand-In Parameters for ATM Transactions

20 Vendors for Card Production ServicesMonthly Edition

25 Acquirers No Longer Accepting Chargebacks

27 Notification of Chargebacks Under the Global Merchant Audit Program

Enclosures

Calendar of EventsCertified Vendors (for Card Production Services of Any MasterCard, Maestro,or Cirrus Card)Acquirers No Longer Accepting ChargebacksGlobal Merchant Audit Program ChargebacksLegal Notices

2013 MasterCard. Proprietary. All rights reserved.

Production ReviewDue

Contact Information

About This BulletinThe monthly Global Security Bulletin is the primary source of changes to security informationfor customer security personnel. Changes to international Standards announced in this bulletinwith an effective date are effective as of that date, regardless of when any such change ispublished in a manual or other document. If no effective date is specified in the article,the change is effective immediately.

NOTE

All articles apply to all customers unless specified otherwise.

For More InformationSome articles in this bulletin include specific contacts for more information. Customers withquestions about other articles should contact their regional Help Desks or the CustomerOperations Services team in their region or in St. Louis, Missouri, USA at:

Phone: 1-800-999-0363 (in Canada and U.S. regions)1-636-722-61761-636-722-6292 (Spanish language support)

Fax: 1-636-722-7192

Email: Canada, Latin America and the Caribbean,Europe, South Asia/Middle East/Africa, andU.S. regions

[email protected]

Asia/Pacific:

Australia and New Zealand [email protected]

Brunei/Malaysia [email protected]

Cambodia/Laos/Vietnam [email protected]

China, Hong Kong, and Taiwan [email protected]

Indonesia [email protected]

Japan/Guam/Myanmar [email protected]

Korea [email protected]

Philippines [email protected]

Singapore [email protected]

Thailand [email protected]

Spanish language support [email protected]

Vendor Relations, all regions [email protected]

2 Global Security Bulletin No. 9, 13 September 20132013 MasterCard. Proprietary. All rights reserved.

mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]

Upcoming Expiration of the SecurityCertificates for PCI PTS POI V1compliantPayment TerminalsTopic(s): Fraud/Risk, PIN, POI/POS Terminal, Security

Applies to: P Acquirers P Processors

Summary: MasterCard reminds acquirers and processors that the securitycertificates for PIN Entry Devices (PEDs) compliant with version1.0 (V1) of the Payment Card Industry (PCI) PIN TransactionSecurity (PTS) Point-of-Interaction (POI) Standard will expireon 30 April 2014.

Action Indicator: A Attention warranted

Effective Date: 30 April 2014

SummaryThe security certificates of PEDs at the POI installed under the PCI PTS POIV11 Standard will expire on 30 April 2014. After this date, these devicesmust not be used in any new installations.

Devices approved under the PCI PTS POI V1 Standard reflect the level ofsecurity testing and evaluation available at the time. However, as time movedon and hacking methods evolved, these devices have become increasinglyvulnerable to attack.

Compliance Requirements for AcquirersUnder the MasterCard PED Standards, acquirers must:

For new installations, only use devices that have a valid PCI certificate.Acquirers should verify their certificates against the list of Approved PTSDevices on the PCI Security Standards Council (SSC) website:

Website: www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

1. As of V3, the PCI SSC renamed the PCI PED Standard as the PCI PTS POI Standard.

Upcoming Expiration of the Security Certificates for PCI PTS POI V1compliant Payment Terminals

Global Security Bulletin No. 9, 13 September 2013 32013 MasterCard. Proprietary. All rights reserved.

https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.phphttps://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

Comply with the device management requirements (specifically thoseoutlined in Requirements 29 and 32) of the PIN Security Requirements v1.0document on the PCI SSC website under the PTS tab:

Website: www.pcisecuritystandards.org/security_standards/documents.php

MasterCard also reminds acquirers and processors that noncompliance with theMasterCard PED Standards may result in:

Noncompliance assessment fees or other disciplinary action;

Potential financial responsibility for fraudulent transactions effected atnoncompliant devices; and

Potential responsibility for an account data compromise (ADC) eventattributable to such use.

Security Best Practices for Terminal DevicesMasterCard encourages acquirers and processors to adopt the followingsecurity best practices for payment terminals, which will potentially reducethe likelihood of successful attacks:

Terminal Replacement PlanAcquirers and processors should developa plan for replacing devices that have expired certificates at the firstopportunity following the devices expiration date. Such a plan shouldalso take into account devices installed under more recent versions ofthe PCI PTS POI Standard.

NOTE

The certificate expiry date for PCI PTS POI V2-compliant devices is 30 April 2017,and the certificate expiry date for PCI PTS POI V3-compliant devices is 30 April2020.

The practice of replacing terminals should be part of the acquirersmigration plan, so that devices are retired from the acceptance network tominimize risk while optimizing these devices business life span.

When migrating, ideally acquirers and processors should use devicescompliant with the latest version of the PCI PTS POI Standard.

A payment terminal replacement plan should also address malfunctioningdevices and consider any models identified in MasterCard Global SecurityBulletins (currently and in the future) as at-risk devices. Malfunctioningdevices may be replaced with a device of the same generation; whereas,at-risk models should be immediately removed from the acceptancenetwork.

4Upcoming Expiration of the Security Certificates for PCI PTS POI V1compliant Payment Terminals

Global Security Bulletin No. 9, 13 September 2013


https://www.pcisecuritystandards.org/security_standards/documents.php

Terminal Inventory MaintenanceAcquirers and processors shouldmaintain a documented, current inventory of their PCI PTS POI-compliantdevices. Devices included in the inventory should have a unique identifierand be assigned an actual physical location of installment or storage. Thisinventory may be paper-based or electronic. The use of an electronicterminal management system is recommended.

Skimming and Theft PreventionAcquirers should help ensure that theirmerchants and processors adhere to the applicable procedures outlined inthe Skimming PreventionBest Practices for Merchants document on thePCI SSC website under the Fact Sheets & Info Supps tab:

Website: www.pcisecuritystandards.org/security_standards/documents.php

It is particularly important that measures against device theft andunauthorized replacement are observed. Acquirers should ensure thatmerchants train their staff to report any incidents discovered as a resultof visual inspections.

Resale Prevention to the Secondary MarketMasterCard discourages theresale of terminals with expired certificates to the secondary market.

Prompt Reaction to MasterCard Security AnnouncementsMasterCardcontinues to monitor and assess threats to payment terminals. In theevent that MasterCard deems it necessary to release information about aspecific compromise, MasterCard may from time to time make specificannouncements (for example, unscheduled retirement dates for specificterminal models). Acquirers and processors should be prepared topromptly react to such announcements.

For More InformationCustomers with questions about this article should contact:

Fernando Lourenco

Business Leader, Payment System Integrity, Transaction Security

Phone: 32-498-58-5782

Email: [email protected]

Customers with general questions about device security at the POI should sendan email message to:

POI Security


Upcoming Expiration of the Security Certificates for PCI PTS POI V1compliant Payment Terminals


https://www.pcisecuritystandards.org/security_standards/documents.phpmailto:[email protected]:[email protected]

Manage My Fraud and Risk Programs toReplace MasterCard AlertsTopic(s): Fraud/Risk, Security

Applies to: P Issuers P Acquirers P Processors

Summary: Effective 15 September 2013, MasterCard will replace theMasterCard Alerts product with the Manage My Fraud andRisk Programs application.

Customers must register for the new applications Reporta Potential Account Data Compromise (ADC) and ViewMasterCard Data Compromise Alerts under the Manage MyFraud and Risk Programs application. Existing users thatcurrently have access to MasterCard Alerts will not be migratedto the new Manage My Fraud and Risk Programs application.

Action Indicator: M Mandate

R Customer must register to have access to product orservice

Effective Date: 15 September 2013

Overview of MasterCard Alerts ReplacementEffective 15 September 2013, MasterCard will replace the existing MasterCardAlerts with the Manage My Fraud and Risk Programs application.

Manage My Fraud and Risk Programs is an application available on MasterCardConnect that replaces MasterCard Alerts and serves as the distribution methodfor account data compromise (ADC) events and permits issuers and acquirersto submit requests for ADC investigations.

Principal customers previously registered for MasterCard Alerts must sign upfor the Manage My Fraud and Risk Programs application through MasterCardConnect by 15 September 2013. All customer ID/ICA numbers must beregistered for Manage My Fraud and Risk Programs through MasterCardConnect. Customers that do not register will incur noncompliance fees asfollows.

Billing Event DescriptionBilling EventCode

Rate(USD)

Rate(BRL)

MasterCard Alerts SystemNoncompliance

2SC1361 5,000 13,500

6Manage My Fraud and Risk Programs to Replace MasterCard Alerts




Existing users of the MasterCard Alerts product will not automatically beprovisioned for the Manage My Fraud and Risk Programs application.Customers previously registered for MasterCard Alerts must order the newproduct and provision their necessary customer ID/ICA numbers for ManageMy Fraud and Risk Programs through MasterCard Connect.

Companies must register at least two users for View MasterCard Account DataCompromise (ADC) Alerts and Report a Potential Account Data Compromise(ADC) under the Manage My Fraud and Risk Programs for the following ICAtypes:

CMCirrus and Maestro

CSCirrus

EMEuropay Cirrus and Maestro

MCMasterCard

MSMaestro

In addition, the ICA numbers must be in Assigned or Live status.

To request access, customers should go to the MasterCard Connect Store toorder the Manage My Fraud and Risk Programs application using the followingsteps.

1. Go to www.mastercardconnect.com.

2. Log on using your User ID and Password.

3. Open Store on the MasterCard Connect home page.

4. Scroll down the list of available applications to select Manage My Fraudand Risk Programs.

5. Add Manage My Fraud and Risk Programs to Cart.

6. Open Cart and then Check Out.

Additional ordering options will require the user to select Report a PotentialAccount Data Compromise (ADC) and if applicable, View MasterCard AccountData Compromise (ADC) Alerts. Each option will include the ability to selectthe appropriate ICA numbers for registration. Each ICA number listed in thedrop down selection must have at least two users registered. Both issuers andacquirers can select Report a Potential Account Data Compromise (ADC) whileonly issuers can View MasterCard Account Data Compromise (ADC) Alerts.

NOTE

Each customer ID/ICA number listed in the drop down must have at least two users registered.

Adding and Removing Customer ID/ICA NumbersUse the Manage Subscription functionality in the MasterCard Connect Storeto add and remove ICA data access for the Manage My Fraud and Riskapplication. If there is a need for additional ICA data, customers can managethe subscription to request the additional access.

Manage My Fraud and Risk Programs to Replace MasterCard Alerts





3. Click Store.

4. Locate Manage My Fraud and Risk Programs.

5. Under Subscription (to the right of the application) click Manage. Thesystem will open a window that contains the customer ID/ICA number.

6. Check the box(es) next to the customer ID/ICA number(s) to add theaccess. Uncheck the ICA(s) to remove the access.

NOTE

Do not uncheck an ICA number that is already checked unless you want toremove your access. If you uncheck an ICA number, your access to the datafor that ICA number will be removed.

7. Click Place Order. The system will display a confirmation messageconfirming that the subscription has been updated.

Further instructions for ordering and provisioning the Manage My Fraud andRisk Programs application is available through the Support section of theMasterCard Connect home page. From the Support menu, click Help and go tothe How Do I Order Applications and How Do I Manage Subscriptions.

Reporting a Potential Account Data Compromise(ADC)A customer must use the revised ADC Reporting Form in the Manage MyFraud and Risk Programs application to report and provide information aboutan ADC Event or Potential ADC Event. The use of this form is important asit provides a central location for all ADC Event or Potential ADC Events andis monitored daily by MasterCard. A registered user may access the ADCReporting Form by following these steps:



3. Click Applications, and then click Manage My Fraud and Risk Programs.

4. Under Manage My Fraud and Risk Programs, click Report a PotentialAccount Data Compromise (ADC) at the left of the screen.

5. Read the Terms and Conditions, check the box to accept the Terms andConditions, and click Save & Continue.

6. The member customer ID/ICA number will be automatically populated onthe Welcome screen. Customers will see their institution name, along withprovisioned selections for their customer ID/ICA number and institutiontype from a dropdown box. Once selections are made, click Save &Continue to progress to the reporting form.





Customers will have access to their submitted forms via the enhanced product,along with the ability to provide additional information at the request ofMasterCard. For ADC Reporting Form field definitions, refer to the MasterCardAlerts and ADC Reporting Form Field Definitions in the Account DataCompromise User Guide.

All account files must be submitted in either text format or Excel format andcontain at least 10 valid accounts for review by MasterCard. Customers that donot submit a file that meets the validation requirements will be sent an emailasking to resubmit the account file with the proper requirements. For furtherinformation regarding required account file format, refer to Appendix A of theAccount Data Compromise User Guide.

Customers will receive an email confirmation of submittal indicating a file wasreceived for a specific case. If the file does not meet validation requirements,customers will also receive an email notification with instructions on how toresubmit their account file using the Manage My Fraud and Risk Programsproduct.

View MasterCard Account Data Compromise AlertsA customer must use View MasterCard Account Data Compromise (ADC) Alertsto review and download at-risk accounts.

If applicable, a registered user may access the View MasterCard Account DataCompromise (ADC) Alerts by following these steps:



3. From the top of the MasterCard Connect home page, click Applications,and then click Manage My Fraud and Risk Program.

4. Under Manage My Fraud and Risk Program, click View MasterCard AccountData Compromise (ADC) Alerts located on the left side of the screen.

Customers will see their provisioned alerts for download, with columns forAlert Number, Dissemination Date, Case Type, Number of Accounts, DataElements At-Risk, and Alert Narrative. Customers can select one or more AlertNumbers to view in either .txt or .csv format by checking the box and selectRetrieve Alerts.

For Alert field definitions, refer to the Manage My Fraud and Risk ProgramsDissemination File Format and Field Definitions in the Account DataCompromise User Guide.

Manage My Fraud and Risk Programs to Replace MasterCard Alerts



Important Information Regarding Enhanced ADCAlert Supplemental DataCustomers will have the ability to download ADC Alert data in either .txt or.csv format in the new Manage My Fraud and Risk Programs application. The.txt file option will only provide the primary account number (PAN) data, whilethe .csv option will provide several additional supplemental data fields withvarying lengths and start positions.

The .txt file option for downloading ADC Alert data will combine all accountdata for all impacted provisioned ICAs into one file. This is applicable to eitherone Alert or multiple Alerts are selected for download.

In addition to PAN, the .csv file option for downloading ADC Alert data willprovide the user additional supplemental data elements as announced inGlobal Operations Bulletin No. 8, 1 August 2013.

For additional details about the supplemental data elements provided in the.csv file, refer to the MasterCard Alerts Dissemination File Format and FieldDefinitions in the Account Data Compromise User Guide.

For More InformationCustomers with questions about the information in this article should contactCustomer Operations Services using the Contact Information provided in thisbulletin, their regional Help Desk, or a regional Customer Security and RiskServices representative.

An updated Account Data Compromise User Guide will be published inOctober 2013 before the implementation of the Manage My Fraud and RiskPrograms application.





MasterCard SecureCode 2014 ProgramUpdatesTopic(s): Authorization, Chargebacks, Clearing, E-commerce, Fraud/Risk, Merchant


Summary: MasterCard is notifying issuers, acquirers, and processors of thefollowing planned MasterCard SecureCode updates for 2014:

Attempts Server for stand-in authentication of MerchantVerification Enrollment Requests

History Server for transaction tracking

Customer Database and Information Certification


C Coding or development changes typically required

A Attention warranted

Effective Date: During 2014

BackgroundThe processing of MasterCard SecureCode transactions began in 2003. Overthe past ten years, MasterCard has been improving the program with varioustechnical enhancements and program rules.

MasterCard is taking the next major program enhancements with theimplementation of the Attempts Server, History Server, and Customer Databaseand Information Certification.

Attempts ServerUsed to provide Accountholder Authentication Value(AAV) stand-in processing when

The Issuers Access Control Server (ACS) is not available

The cardholders enrollment data is not available on the issuers ACS

The issuer is not enrolled in the SecureCode Program

History ServerUsed for MasterCard to track all final disposition oftransaction authentication.

Customer Database and Information CertificationUsed for enhancedrelationship management of issuers, acquirers, merchants, and serviceproviders (ACS and MPI).

MasterCard SecureCode 2014 Program Updates



Implementation ConsiderationsThe following should be considered by issuers and acquirers for the MasterCardSecureCode program enhancements.

The Attempts Server will require all Merchant Plug-in (MPI) providers tocommunicate UCAF AAV values to Acquirer authorization processors. Thiscommunication is required for all transactions where the Directory Serverprovides stand-in authentication for cards that are not enrolled in theMasterCard SecureCode program with their ACS service provider or ACS serviceprovider is not available to authenticate the cardholder.

As Attempts Processing implements, the MasterCard stand-in AAV values willbe based on a common MasterCard key for AAV generation rather than theissuers specific key. This will impact any issuer who is performing their ownAAV Validation when authorizing their transactions. MasterCard will changethe MasterCard on-behalf AAV Validation service to appropriately validateboth the issuers key and MasterCard stand-in key. Issuers with concernswith AAV Validation as part of their authorization should contact MasterCardSecureCode Customer Support.

The History Server will require all ACS service providers to communicatethe details of all authentication transactions to the History Server as perthe 3-D Secure protocol. Issuers should immediately contact their ACSservice providers to ensure their provider can support communication to theMasterCard History Server.

The new Customer Database and Information Certification will require allissuers and acquirers to maintain their enrollment and processing informationfor card ranges, merchants, service providers, authentication method, andspecific contact and technical information. ACS and MPI service providersare also required to maintain their information for customer relationshipmanagement and processing certification/audit.

Operational ImpactsMasterCard will communicate specific operational impacts for communicationto the History Server, processing of Attempts Server stand-in authenticationUCAF AAV values and new Customer Enrollment and Information attestationforms in a future Global Operations Bulletin.

For More InformationCustomers with questions about these updates should contact:


12MasterCard SecureCode 2014 Program Updates



mailto:[email protected]

MasterCard SecureCode DirectoryServer IP Address Change and ProxyUpdateTopic(s): MasterCard SecureCode

Applies to: P Acquirers P Processors

Summary: Effective 2 February 2014, the MasterCard SecureCodeDirectory Server URL at directory.securecode.com will bemoving to a new IP address (216.119.218.16).

Action Indicator: C Coding or development changes typically required

A Attention warranted

Effective Date: 2 February 2014

OverviewAs part of the ongoing improvements to provide the greatest reliabilityof MasterCard SecureCode, effective 2 February 2014 at 03:00 St. Louis,Missouri, USA time, the MasterCard SecureCode Directory Server URL atdirectory.securecode.com will move to a new IP address (216.119.218.16).During this update, the Directory Server will migrate to an HTTP/1.1 compliantproxy, which will improve overall connectivity resiliency and performance.

This update will not affect any acquirers, merchants, or Merchant Plug-in(MPI) providers that use the directory.securecode.com URL and do not blockuntrusted IP addresses via whitelisting (a firewall configuration that allowsonly specific IP addresses to access the network). Any acquirers, merchants, orMPI providers that have whitelisted the current IP address on their firewallsor applications will need to make updates to also trust the new IP addressprior to the change.

MasterCard SecureCode Directory Server IP Address Change and Proxy Update



Impact on Acquirers, Merchants, and MPI ProvidersAs per 3-D Secure protocol, all requests to the MasterCard SecureCode DirectoryServer should use the URL (directory.securecode.com) for connectivity. If thecurrent MasterCard SecureCode Directory Server IP has been added to anyfirewall or application whitelists, the new IP address (216.119.218.16) willneed to be added as a trusted IP address in order to maintain connectivity after2 February 2014 at 03:00 St. Louis time.

For More InformationCustomers with questions about this upcoming change should contactMasterCard SecureCode Customer Support.


14MasterCard SecureCode Directory Server IP Address Change and Proxy Update




MasterCard SecureCodeDirectory Server Upgrading SSLLibrariesReminderTopic(s): MasterCard SecureCode


Summary: Effective 30 September 2013, MasterCard will upgrade securesockets layer (SSL) libraries on the MasterCard SecureCodeDirectory Server (DS).



OverviewOn 30 September 2013, MasterCard will upgrade secure sockets layer (SSL)libraries on the MasterCard SecureCode Directory Server (DS). OpenSSL is anopen source cryptography toolkit implementing the SSL and Transport LayerSecurity (TLS) protocols. This change will not impact the general SSL/TLSfunctionality as it exists today. This change should not impact Issuer AccessControl Servers (ACSs) or ACS providers that are using applications thatsupport updated versions of OpenSSL.

Impact to Acquirers, Merchants, and MPI ProvidersAccording to the 3-D Secure protocol, all requests to the MasterCard SecureCodeDirectory Server should be sent using applications that support updatedversions of OpenSSL. If any requests are being generated by applications usingoutdated OpenSSL versions to connect to the MasterCard SecureCode DS, theywill be required to upgrade their SSL libraries before 30 September 2013.

For More InformationCustomers with questions about this upcoming change should contact:

MasterCard SecureCode Customer Support


MasterCard SecureCode Directory Server Upgrading SSL LibrariesReminder



MasterCard SecureCodeLegacyConnectivity DecommissionReminderTopic(s): MasterCard SecureCode


Summary: This article announces a new date for the removal of legacyconnectivity to the MasterCard SecureCode Directory Server(DS), which uses the 12.x.x.x Internet Protocol (IP) addressrange.


Effective Date: 31 October 2013

OverviewIn Global Operations Bulletin No. 5, 1 May 2013, MasterCard announced thateffective 30 June 2013, MasterCard will remove the legacy connectivity to theMasterCard SecureCode DS, which uses the 12.x.x.x IP address range. This datehas been extended to 31 October 2013, to better support our customers.

The legacy IP range (12.x.x.x) is no longer considered valid for MasterCardSecureCode DS due to several infrastructure changes that have occurred.The address has remained active to allow migration to the URL as customerschedules permitted, but can no longer be supported after 31 October 2013.

This will not impact any acquirers, merchants, or Merchant Plug-in (MPI)providers that are currently using the MasterCard SecureCode Directory ServerUniform Resource Locator (URL) (directory.securecode.com) or that are usingthe current IP address to connect (which uses the 216.x.x.x IP address range).

16MasterCard SecureCodeLegacy Connectivity DecommissionReminder




Impact to Acquirers, Merchants, and MPI ProvidersAccording to the 3-D Secure protocol, all requests to the MasterCardSecureCode DS should use the URL (directory.securecode.com) for connectivity.If any requests are using the legacy IP range (12.x.x.x) to connect to theMasterCard SecureCode Directory Server, they must migrate to the URL before31 October 2013.

If for any reason the MPI software requires an IP address to be used inplace of a URL, the IP address of directory.securecode.com is 216.119.208.94.This can also be found by performing a domain name server (DNS) lookupof the URL. MasterCard strongly recommends that customers use thedirectory.securecode.com URL to reduce the number of changes that may berequired in the future.

For More InformationCustomers with questions about this upcoming change should contact:

MasterCard SecureCode Customer Support


MasterCard SecureCodeLegacy Connectivity DecommissionReminder



Dual Message Stand-In Parameters forATM TransactionsTopic(s): ATM, Authorization

Applies to: P Issuers P Processors

Summary: In preparation for EMV migration in the U.S. region, MasterCardimplemented PIN bypass changes in Dual Message Stand-Inprocessing announced in the Release 13.Q2 Document. Issuersshould leverage PIN validation for ATM transactions processedduring Dual Message Stand-In processing.

Effective immediately, MasterCard has reverted ATM limits forDual Message Stand-In processing above the zero limit defaultto zero to encourage customers to review parameter settingsand consider the PIN Validation Service.

Single Message Stand-In ATM processing is not impacted bythis implementation.

Action Indicator: A Attention warranted

Effective Date: Immediately

BackgroundIn preparation for EMV2 migration in the U.S. region, MasterCard implementedPIN bypass changes in Dual Message Stand-In processing announced inthe Release 13.Q2 Document. As a best practice, MasterCard recommendscustomers leverage card security services during Stand-In processing, asannounced in the article BIN Management Best Practices in Stand-InProcessing published in Global Operations Bulletin No. 1, 2 January 2009.

To encourage best practices as EMV evolves, MasterCard recently announced arate reduction for Stand-In PIN validation in Global Pricing Bulletin No. 5, 26April 2013, which reduced the fees from USD 0.01 per transaction to USD 0(no charge).

Effective immediately, MasterCard has reverted the ATM limits for Dual MessageStand-In processing above the zero limit default to zero to encourage customersto review their parameter settings and consider the PIN Validation Service.Single Message Stand-In ATM processing is not affected by this implementation.

2. EMV is a global standard established by EMVCo LLC for credit and debit paymentcards based on chip card technology. EMVCo LLC was formed in 1999 by Europay,MasterCard, and Visa to manage, maintain, and enhance the EMV IntegratedCircuit Card Specifications for Payment Systems. Go to www.emvco.com fordetails.

18Dual Message Stand-In Parameters for ATM Transactions




RecommendationsCustomers should review all of their Stand-In parameters routinely as bestpractices to align the parameters with their evolving portfolio needs. Ifcustomers would like to raise Dual Message Stand-In ATM parameters abovethe zero defaults, PIN validation is recommended. Customers should considerleveraging one of the following card security services:

Mag Stripe Validation Serviceprovides additional testing of the magneticstripe, or card validation code 1 (CVC 1) data, using a Data EncryptionStandard (DES) algorithm to validate the legitimacy of the card and theauthenticity of the point-of-sale (POS) or ATM transaction.

M/Chip Validation Serviceevaluates the chip cryptogram data received inthe authorization request to validate the authenticity of chip cards for POS,ATM, and contactless transactions.

MasterCard PayPass Validation Serviceprovides additional testing ofmagnetic stripe or CVC 3 data, to authenticate cards used for contactlesstransactions.

MasterCard SecureCodeauthenticates the cardholder using a uniquepersonal code during authorization to ensure their online transactions arelegitimate.

PIN Validation Serviceensures the legitimacy of transactions requiring acardholder PIN.

For More InformationCustomers with questions regarding this article should contact the MasterCardCustomer Operations Services team, which will be able to direct inquiries tothe appropriate MasterCard representative for further details.

Customer Operations Services

Phone: 1-800-999-0363 (in Canada and U.S. regions)1-636-722-6176

1-636-722-6292 (Spanish language support)


Dual Message Stand-In Parameters for ATM Transactions



Vendors for Card ProductionServicesMonthly EditionTopic(s): Chip, Cirrus Card, Debit, Fraud/Risk, Maestro Card, MasterCard Card, Security

Applies to: P Issuers P Processors

Summary: Each month in the Global Security Bulletin, MasterCardpublishes a list of vendors certified as meeting the followingrequirements for card production services of any MasterCard,Maestro, or Cirrus card:

MasterCard Physical Security Standards for Plastic CardVendors

Logical Security Requirements for Card PersonalizationBureaus

Security Requirements for Mobile Payment Provisioning

The requirements also pertain to derived branded products andrelated sensitive components and data.

Action Indicator: I Informational only (no action required)


BackgroundMasterCard publishes a monthly edition of the Certified Vendors (for CardProduction Services of Any MasterCard, Maestro, or Cirrus Card) list inthe Global Security Bulletin to identify vendors certified for card productionservices. The list provides vendor names by region and includes the variousservices that they provide. In addition, the list indicates vendors by countryfor convenience of use.

NOTE

The vendor listing by country also gives customers a clearer view of the market within their owncountries.

20Vendors for Card Production ServicesMonthly Edition




MasterCard publishes the monthly edition of the list of certified vendors toprovide customers with critical changes regarding:

New vendors

Vendor decertification or partial decertification

Vendor extension of the card production activities certified

Change of company name or legal entity ownership

Vendor site address change

Contact information changes

Refer to Chapter 2 (MasterCard Card Production Standards) of the Security Rulesand Procedures manual for a description of the Global Vendor CertificationProgram (GVCP), its program management, the certification process, theLogical Security Program requirements, and customer obligations.

Definitions of ServicesThe following activities are card production services. A customer employinga vendor to perform any such service on its behalf in connection with theissuance of cards, access devices, or mobile payment devices must ensurethat the vendor has been certified by MasterCard under the GVCP. Chapter 2(MasterCard Card Production Standards) of the Security Rules and Proceduresmanual provides further information about card production.

The following tables describe the card manufacture services, cardpersonalization services, and other specialized services performed inconnection with card production.

Card Manufacture Services

Service Definition

Chip embedding Process by which an integrated circuit is permanently attachedto a payment card to become an integral part of the card.

Card manufacture Card production process composed of one or more of thefollowing:

Pre-press (card design layout, printing films, and printingplates generation)

White plastic sheets printing

Sheets assembly

Sheets lamination

Sheets cutting or punching

Hologram and signature panel hot stamping

Vendors for Card Production ServicesMonthly Edition



Card Personalization Services

Service Definition

Card embossing Personalization process that creates raised characters on aplastic card body.

Card encoding Process by which personalization data is written onto amagnetic stripe residing on the card.

Card mailing Process by which a card or PIN mailer is individuallypackaged and sent to a presort facility or delivered to thepostal service for delivery to the cardholder.

Card personalization Personalization process for unembossed cards that writes dataon the card by a technology other than embossing such aslaser engraving, thermal transfer, or indent printing.

Chip personalization Process of writing data to the integrated circuit by means ofelectrical or electromagnetic interaction between the chip andpersonalization device. Chip personalization usually occurssubsequent to chip embedding but may also occur prior toor during chip embedding.

Specialized Card Production Services

Service Definition

Card fulfillment Stand-alone service by which a newly issued or reissued cardis combined with additional materials resulting in a completepackage ready for distribution to the cardholder. A facilityapproved for personalization services is also approved forcard fulfillment as part of its personalization activity.

Data preparation Stand-alone service by which issuer and cardholder data areprocessed and configured for subsequent personalization bythe issuer or different certified vendor. A facility approved forpersonalization services is also approved for data preparationas part of its personalization activity.

Disaster recovery Card production at a facility established and activatedexclusively during an emergency event pursuant to a certifiedvendors Business Continuity Plan (BCP). Card production atthis facility is only authorized for the vendor that establishedit.

The disaster recovery facility must not be used to alleviatecapacity restraints associated with normal card production.These facilities are evaluated against a subset of the securityrequirements and must be upgraded to compliance with thefull set of security requirements upon activation.





Service Definition

Mobile provisioning Service whereby a Trusted Service Manager (TSM) loads apayment application, provides personalization data, or sendspost-issuance application management commands to a mobilepayment device via an over-the-air (OTA) communicationmethod.

Partial manufacture Facility that produces card components containing sensitivesecurity features or personalization data where the full card issubsequently completed by a certified vendor.

PIN printing Stand-alone service whereby a PIN mailer is printed andmailed. A facility approved for personalization services is alsoapproved for PIN mailing as part of its personalization activity.

Monthly EditionThe enclosed Certified Vendors (for Card Production Services of AnyMasterCard, Maestro, or Cirrus Card) list provides a current listing of allvendors certified for card production services, effective 13 September 2013.

NOTE

This vendor list supersedes all lists that MasterCard previously published.

For More InformationSend an email message to the MasterCard GVCP central email address listedbelow or to any of the following individuals if you:

Have any questions about the program, the vendors on the enclosed list,or the activity that the vendors are certified to perform

Find that a vendor listed does not comply with the MasterCard PhysicalSecurity Standards for Plastic Card Vendors, the Logical SecurityRequirements for Card Personalization Bureaus, the Security Requirementsfor Mobile Payment Provisioning, or all applicable MasterCard Standardsand security best practices

Want to receive a copy of the MasterCard Physical Security Standardsfor Plastic Card Vendors, the Logical Security Requirements for CardPersonalization Bureaus, or the Security Requirements for Mobile PaymentProvisioning

NOTE

The MasterCard Physical Security Standards for Plastic Card Vendors and the Logical SecurityRequirements for Card Personalization Bureaus documents are published through the Publicationsproduct on MasterCard Connect.

Vendors for Card Production ServicesMonthly Edition



Name Contact Information

Werner Fischer

Global Vendor Certification ProgramPhone:Fax:Email:

1-914-249-1371

1-914-249-4256

[email protected]

Helen Paschenko

Product ManagementPhone:Fax:Email:

1-914-249-6295

1-914-249-4256

[email protected]

Help Desk

Global Vendor Certification ProgramEmail: [email protected]




mailto:[email protected]:[email protected]:[email protected]

Acquirers No Longer AcceptingChargebacksTopic(s): Chargebacks, Fraud/Risk, Security


Summary: Effective immediately, MasterCard no longer requires theacquirers listed in the attached Microsoft Excel file to acceptchargebacks for fraudulent transactions that occurred at themerchant locations listed. Issuers no longer may charge backany transactions as specified in a previous Global SecurityBulletin, regardless if the central processing date occurredwithin the period listed in the previous bulletin.

Action Indicator: F Financial impact

Effective Date: Effective immediately

BackgroundRecent Global Security Bulletins identified the acquirers for the merchantlocations listed in the attached Microsoft Excel file for violations of the GlobalMerchant Audit Program (GMAP) as referenced in Rule 8.2 of the SecurityRules and Procedures manual.

NOTE

The merchant information is shown as it appears in the System to Avoid Fraud Effectively (SAFE)database. To ensure that the data is accurate, customers should carefully enter the merchantinformation into SAFE.

Acquirer ResponsibilitiesMasterCard no longer requires the acquirers for these merchants to acceptchargebacks for fraudulent transactions at these merchant locations for messagereason code 4849Questionable Merchant Activity.

Acquirers No Longer Accepting Chargebacks



Merchant ListingsTo view the merchant chargeback information, open the attached MicrosoftExcel file. MasterCard also provides the chargeback information in the portabledocument format (PDF) file in the MasterCard Bulletins product on MasterCardConnect.

Acquirers are listed numerically by member ID (acquirer ID) within eachregion. Merchants are listed alphabetically. Not applicable (N/A) indicates thata chargeback period no longer applies to the acquirer and merchant listed,as of the date of the merchants first publication in the Acquirers No LongerAccepting Chargebacks file. Actual dates listed in the Chargeback End Datecolumn are in the mm/dd/yy format. The Month/Year Added column indicatesthe month and year in which MasterCard added the merchant to the file.

NOTE

MasterCard recommends that users sort the information by date to review the applicablechargebacks.

MasterCard no longer requires acquirers to accept chargebacks for themerchants listed as of the date of the merchants first publication in theAcquirers No Longer Accepting Chargebacks file, which corresponds to themonth and year listed in the Month/Year Added column.


26Acquirers No Longer Accepting Chargebacks




Notification of Chargebacks Under theGlobal Merchant Audit ProgramTopic(s): Chargebacks, Fraud/Risk, Security


Summary: The acquirers listed in the attached Microsoft Excel filemust accept chargebacks for all fraudulent transactions(excluding fraudulent application, account takeover, andnever-received-issue transactions) that occurred at the merchantlocations listed, during the time period listed for each merchant.Issuers may charge back transactions reported to the System toAvoid Fraud Effectively (SAFE) to the appropriate acquirers.

Action Indicator: F Financial impact

Effective Date: Effective immediately

BackgroundMasterCard replaced the Merchant Audit Program and Excessive CounterfeitMerchant Program with the Global Merchant Audit Program (GMAP), asdescribed in Rule 8.2 of the Security Rules and Procedures manual.

NOTE

The merchant information is shown as it appears in the SAFE database. To ensure that the data isaccurate, customers should carefully enter the merchant information into SAFE.

Acquirer ResponsibilitiesMasterCard requires each acquirer listed in the attached Microsoft Excel fileto accept chargebacks for all fraudulent transactions (excluding fraudulentapplication, account takeover, and never-received-issue transactions) thatoccurred at the merchant locations identified herein for the period indicated.

Notification of Chargebacks Under the Global Merchant Audit Program



If MasterCard extends a chargeback end date for a merchant location listedin the attached file, the acquirer must accept chargebacks for the merchantthrough the chargeback extended date. These chargebacks are for violationsof the GMAP, as described in Rule 8.2 of the Security Rules and Proceduresmanual.

NOTE

A number of the reported violations may have resulted from customer failure to cooperate withthe MasterCard audit requirements.

Issuer Chargeback RightsIssuers may charge back fraudulent transactions reported to SAFE to theappropriate acquirers according to the chargeback procedures outlinedin section 3.24 of the Chargeback Guide for message reason code4849Questionable Merchant Activity. Issuers have 120 days from the St.Louis Operations Center (Central Site) processing date, or an extended periodof 120 days from the publication date of the first Global Security Bulletinthat listed the merchant location, to charge back fraudulent transactions thatoccurred during the chargeback period.

For the purposes of calculating the extended 120-day period, the Month/YearAdded column indicates the month and year that corresponds to the firstbulletin publication that listed the merchant location.

Merchant ListingsTo view the merchant chargeback information, open the attached MicrosoftExcel file. MasterCard also provides the chargeback information in the portabledocument format (PDF) file in the MasterCard Bulletins product on MasterCardConnect.

Acquirers are listed numerically by member ID (acquirer ID) within eachregion. Merchants are listed alphabetically. Dates listed in the ChargebackStart Date, Chargeback End Date, and Chargeback Extend Date columns arein the mm/dd/yy format. Merchant information will remain in the file eachmonth for 120 days past the Chargeback End Date, or Chargeback Extend Dateif populated. The Month/Year Added column indicates the month and year inwhich MasterCard added the merchant to the file.

NOTE

MasterCard recommends that users sort the information by date to review the applicablechargebacks.

28Notification of Chargebacks Under the Global Merchant Audit Program





Notification of Chargebacks Under the Global Merchant Audit Program



Calendar of Events

Calendar-1 Global Security Bulletin No. 9, 13 September 2013 2013 MasterCard. Proprietary. All rights reserved.

Calendar of Events The calendar of events provides significant dates for security-related events. Refer also to the consolidated Calendar of Events on MasterCard Connect.

September 2013 13 MasterCard has published a monthly edition of the list of

vendors certified as meeting the MasterCard Physical Security Standards for Plastic Card Vendors for card production services of any MasterCard, Maestro, or Cirrus card. For more information, refer to Global Security Bulletin No. 9, 13 September 2013.

15 MasterCard will implement the Manage My Fraud and Risk Programs product, which replaces the MasterCard Alerts system. For more information, refer to Global Security Bulletin No. 9, 13 September 2013.

1617 MasterCard Academy of Risk Management will host Principles of Fraud Management for Issuers and Acquirers in Nairobi, Kenya. To register, go to www.mastercard.com/arm or send an email message to [email protected].

1718 MasterCard Academy Europe will host MasterCard Mobile Proximity Payments in Waterloo, Belgium. To register, go to www.etouches.com/ehome/index.php?eventid=51011& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

2627 MasterCard Academy Europe will host MasterCard Chargebacks Seminar in Waterloo, Belgium. To register, go to www.etouches.com/ehome/index.php?eventid=51141& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

30 MasterCard will update secure sockets layer (SSL) libraries on the MasterCard SecureCode Directory Server (DS). For more information, refer to Global Security Bulletin No. 7, 15 July 2013.

Revised!

New!

New Date!
http://www.etouches.com/ehome/index.php?eventid=51011&http://www.etouches.com/ehome/index.php?eventid=51141&

Calendar-2 Calendar of Events Global Security Bulletin No. 9, 13 September 2013 2013 MasterCard. Proprietary. All rights reserved.

October 2013

23 MasterCard Academy Europe will host MasterCard Mobile Proximity Payments in Kiev, Ukraine (in the Russian language). To register, go to www.etouches.com/ehome/index.php?eventid=70170 or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

7 MasterCard Academy Europe will host Debit: ATM and Maestro Chargebacks in Waterloo, Belgium. To register, go to www.etouches.com/ehome/index.php?eventid=51144& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

89 MasterCard Academy of Risk Management will host Principles of Fraud Management for Issuers and Acquirers in Sydney, Australia. To register, go to www.mastercard.com/arm or send an email message to [email protected].

89 MasterCard Academy Europe will host Exploring the EMV 4.2 Standard in Moscow, Russian Federation (in English interpreted into Russian language). To register, go to www.etouches.com/ehome/index.php?eventid=51145& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

810 MasterCard Academy of Risk Management will host Arbitration and Compliance Workshop in St. Louis, Missouri, USA. To register, go to www.mastercard.com/arm or send an email message to [email protected].

9 MasterCard Academy Europe will host Business Opportunities with Chip in Istanbul, Turkey. To register, go to www.etouches.com/ehome/index.php?eventid=50998& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

10 MasterCard Academy Europe will host Chip and your Business in Istanbul, Turkey. To register, go to www.etouches.com/ehome/index.php?eventid=51001& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

New!
http://www.etouches.com/ehome/index.php?eventid=70170http://www.etouches.com/ehome/index.php?eventid=51144&http://www.etouches.com/ehome/index.php?eventid=51145&http://www.etouches.com/ehome/index.php?eventid=50998&http://www.etouches.com/ehome/index.php?eventid=51001&

Calendar of Events


October 2013 14 The Global Academy of Risk Management (ARM) will host a pre-

conference training seminar, An Insiders Guide to Protecting Your Business and Improving Compliance Performance, in conjunction with the risk management conference in St. Julians, Malta. For more information, refer to Global Security Bulletin No. 7, 15 July 2013.

14 The Global Academy of Risk Management (ARM) will host a pre-conference training seminar, Payment Card Industry (PCI) UpdatesWhats New in Data Security Standard (DSS) 3.0, Point-to-Point Encryption (P2PE), and Tokenization, in conjunction with the risk management conference in St. Julians, Malta. For more information, refer to Global Security Bulletin No. 7, 15 July 2013.

15 MasterCard will add functionality to allow users to submit batch chargebacks and System to Avoid Fraud Effectively (SAFE) items in NICS. For more information, refer to Global Security Bulletin No. 8, 15 August 2013.

15

MasterCard will revise its Standards regarding a Loss Control Program (LCP) and a Fraud Management Program (FMP) for the Maestro brand. For more information, refer to Global Security Bulletin No. 8, 15 August 2013.

1516 Global Academy of Risk Management (ARM) will host a risk management conference in St. Julians, Malta for customers in the Europe region. For more information, refer to Global Security Bulletin No. 7, 15 July 2013.

17 The Global Academy of Risk Management (ARM) will host the 2013 Merchant Risk Summit in St. Julians, Malta for customers in the Europe region. For more information, refer to Global Security Bulletin No. 8, 15 August 2013.

1718 The Global Academy of Risk Management (ARM) will host the 2013 European Chargeback Conference in St. Julians, Malta for customers in the Europe region. For more information, refer to Global Security Bulletin No. 8, 15 August 2013.


October 2013 18 MasterCard will extend the Standards associated with issuer and

acquirer handling of fraudulent accounts to Cirrus card transactions for the Dual Message System. For more information, refer to Global Security Bulletin No. 4, 15 April 2013.

18 MasterCard will revise its Standards to require the use of different Chip Card Validation Code (CVC) and CVC 1 values on newly issued and reissued chip cards. For more information, refer to Global Operations Bulletin No. 11, 1 November 2011.

18 MasterCard will revise its Standards regarding global floor limits. For more information, refer to Global Security Bulletin No. 2, 15 February 2013.

20 MasterCard will extend the Standards associated with issuer and acquirer handling of fraudulent accounts to Cirrus card transactions for the Single Message System. For more information, refer to Global Security Bulletin No. 4, 15 April 2013.

22 MasterCard Academy Europe will host MasterCard PayPass Workshop in Barcelona, Spain. To register, go to www.etouches.com/ehome/index.php?eventid=51149& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

2223 MasterCard Academy Europe will host Introduction to Chargebacks in London, United Kingdom. To register, go to www.etouches.com/ehome/index.php?eventid=51139& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

2324 MasterCard Academy Europe will host MasterCard Advanced Chargebacks Seminar in Barcelona, Spain. To register, go to www.etouches.com/ehome/index.php?eventid=51162& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

31 MasterCard will remove the legacy connectivity to the MasterCard SecureCode Directory Server (DS), which uses the 12.x.x.x Internet Protocol (IP) address range. For more information, refer to Global Security Bulletin No. 7, 15 July 2013.
http://www.etouches.com/ehome/index.php?eventid=51149&http://www.etouches.com/ehome/index.php?eventid=51139&http://www.etouches.com/ehome/index.php?eventid=51162&

Calendar of Events


November 2013 67 MasterCard Academy Europe will host Fraud Management for

Acquirers in Stockholm, Sweden. To register, go to www.etouches.com/ehome/index.php?eventid=51138& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

78 MasterCard Academy of Risk Management will host Efficient Chargeback Processing Seminar in New Orleans, Louisiana, USA. To register, go to www.mastercard.com/arm or send an email message to [email protected].

13 MasterCard Academy Europe will host Exploring the M/Chip Card Specifications in Paris, France. To register, go to www.etouches.com/ehome/index.php?eventid=51146& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

1315 MasterCard Academy of Risk Management will host Principles of Fraud Management for Issuers and Acquirers in Guangxi, China (in Chinese language). To register, go to www.mastercard.com/arm or send an email message to [email protected].

2022 MasterCard Academy of Risk Management will host Principles of Fraud Management for Issuers and Acquirers in Taipei, Taiwan. To register, go to www.mastercard.com/arm or send an email message to [email protected].

2526 MasterCard Academy Europe will host How Chip Works for Debit and Credit Cards in Athens, Greece. To register, go to www.etouches.com/ehome/index.php?eventid=51101& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

26 MasterCard Academy Europe will host Protecting Your Business with MasterCard (Compliance) in London, United Kingdom. To register, go to www.etouches.com/ehome/index.php?eventid=50990& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].
http://www.etouches.com/ehome/index.php?eventid=51138&http://www.etouches.com/ehome/index.php?eventid=51146&http://www.etouches.com/ehome/index.php?eventid=51101&http://www.etouches.com/ehome/index.php?eventid=50990&


November 2013 27 MasterCard Academy Europe will host Regulatory Update in

London, United Kingdom. To register, go to www.etouches.com/ehome/index.php?eventid=68993& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

2728 MasterCard Academy Europe will host Security and Key Management for Chip Cards in Athens, Greece. To register, go to www.etouches.com/ehome/index.php?eventid=51104& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

TBD MasterCard Academy of Risk Management will host Principles of Fraud Management for Issuers and Acquirers in Sao Paulo, Brazil (in Portuguese language). To register, go to www.mastercard.com/arm or send an email message to [email protected].

December 2013 6 MasterCard Academy Europe will host a two-hour virtual

training class on Overview of Fraud Management. To register, go to www.etouches.com/ehome/index.php?eventid=51151& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

910 MasterCard Academy of Risk Management will host Principles of Fraud Management for Issuers and Acquirers in Dubai, United Arab Emirates. To register, go to www.mastercard.com/arm or send an email message to [email protected].

1011 MasterCard Academy Europe will host Fraud Management for Issuers in London, United Kingdom. To register, go to www.etouches.com/ehome/index.php?eventid=51137& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].
http://www.etouches.com/ehome/index.php?eventid=68993&http://www.etouches.com/ehome/index.php?eventid=51104&http://www.etouches.com/ehome/index.php?eventid=51151&http://www.etouches.com/ehome/index.php?eventid=51137&

Calendar of Events


December 2013 1213 MasterCard Academy Europe will host MasterCard Mobile

Proximity Payments in London, United Kingdom. To register, go to www.etouches.com/ehome/index.php?eventid=51012& or visit our website at www.mastercardacademy.com, or send an email message to [email protected].

15 MasterCard will implement the Issuer Monitoring Program (IMP). For more information, refer to Global Security Bulletin No. 6, 14 June 2013.

February 2014

2 The MasterCard SecureCode Directory Server URL at directory.securecode.com will be moving to a new IP address (216.119.218.16). For more information, refer to Global Security Bulletin No. 9, 13 September 2013.

April 2014

30 Security certificates for the Payment Card Industry (PCI) PIN Transaction Security (PTS) Point-of-Interaction (POI) Standard will expire. For more information, refer to Bulletin No. 9, 13 September 2013.

October 2015 16 MasterCard will revise its Standards regarding global floor limits.

For more information, refer to Global Security Bulletin No. 2, 15 February 2013.

April 2017 1 Acquirers must include the Cardholder Verification Method

(CVM) Results (tag 9F34) in all authorization messages containing data element (DE) 55. For more information, refer to Global Security Bulletin No. 8, 13 August 2010.

New!

New!
http://www.etouches.com/ehome/index.php?eventid=51012&


Certified Vendors (for Card Production Services of Any MasterCard, Maestro, or Cirrus Card)

Published 13 September 2013
www.mastercard.com

2013 MasterCard. Proprietary. All rights reserved. 1 Certified Vendors (for Card Production Services of Any MasterCard, Maestro, or Cirrus Card) 13 September 2013

Table of Contents

Vendors Certified for Card Production Activities ................................................................................ 2

Asia/Pacific Region ...................................................................................................................... 4

Canada Region .......................................................................................................................... 21

Europe Region ........................................................................................................................... 23

Latin America and the Caribbean Region ................................................................................. 50

South Asia/Middle East/Africa Region ...................................................................................... 59

U.S. Region ................................................................................................................................ 70

Vendor Agents .................................................................................................................................... 78

Vendors (Certified) by Country .......................................................................................................... 84

Asia/Pacific Region .................................................................................................................... 84

Canada Region .......................................................................................................................... 87

Europe Region ........................................................................................................................... 87

Latin America and the Caribbean Region ................................................................................. 92

South Asia/Middle East/Africa Region ...................................................................................... 94

U.S. Region ................................................................................................................................ 96

2 2013 MasterCard. Proprietary. All rights reserved.

13 September 2013 Certified Vendors (for Card Production Services of Any MasterCard, Maestro, or Cirrus Card)

Vendors Certified for Card Production Activities

The following pages contain an alphabetical listing of vendors certified to provide card production services for any MasterCard, Maestro, or Cirrus card, grouped by region. MasterCard defines the list of vendor card production activities as follows.

Card Manufacture Services

Service Definition

Chip embedding Process by which an integrated circuit is permanently attached to a payment card to become an integral part of the card.

Card manufacture Card production process composed of one or more or the following:

Pre-press (card design layout, printing films, and printing plates generation) White plastic sheets printing Sheets assembly Sheets lamination Sheets cutting or punching Hologram and signature panel hot stamping

Card Personalization Services

Service Definition

Card embossing Personalization process that creates raised characters on a plastic card body.

Card encoding Process by which personalization data is written onto a magnetic stripe residing on the card.

Card mailing Process by which a card or PIN mailer is individually packaged and sent to a presort facility or delivered to the postal service for delivery to the cardholder.

Card personalization Personalization process for unembossed cards that writes data on the card by a technology other than embossing such as laser engraving, thermal transfer, or indent printing.

Chip personalization Process of writing data to the integrated circuit by means of electrical or electromagnetic interaction between the chip and personalization device. Chip personalization usually occurs subsequent to chip embedding but may also occur prior to or during chip embedding.


Specialized Card Production Services

Service Definition

Card fulfillment Stand-alone service by which a newly issued or reissued card is combined with additional materials resulting in a complete package ready for distribution to the cardholder. A facility approved for personalization services is also approved for card fulfillment as part of its personalization activity.

Data preparation Stand-alone service by which issuer and cardholder data are processed and configured for subsequent personalization by the issuer or different certified vendor. A facility approved for personalization services is also approved for data preparation as part of its personalization activity.

Disaster recovery Card production at a facility established and activated exclusively during an emergency event pursuant to a certified vendors Business Continuity Plan (BCP). Card production at this facility is only authorized for the vendor that established it.

The disaster recovery facility must not be used to alleviate capacity restraints associated with normal card production. These facilities are evaluated against a subset of the security requirements and must be upgraded to compliance with the full set of security requirements upon activation.

Mobile provisioning Service whereby a Trusted Service Manager (TSM) loads a payment application, provides personalization data, or sends post-issuance application management commands to a mobile payment device via an over-the-air (OTA) communication method.

Partial manufacture Facility that produces card components containing sensitive security features or personalization data where the full card is subsequently completed by a certified vendor.

PIN printing Stand-alone service whereby a PIN mailer is printed and mailed. A facility approved for personalization services is also approved for PIN mailing as part of its personalization activity.

MasterCard has certified the following vendors for the services indicated. The key contacts are listed as follows:

(P) = Primary contact (S) = Security contact



Asia/Pacific Region

Company Name, Address, and P & S Contact

MCBS Billing Code

Phone Number

Fax Number

Services Provided

Abnote (Australasia) Pty. Ltd. 81 Williamson Road Ingleburn, New South Wales 2565 Australia (P) Andrew Smith (S) Gregoire Maes

90524 61-2-9829-0111 61-2-9829-0196 Card embossing Card personalization Card encoding Chip personalization Card mailing Mobile provisioning

Abnote NZ Ltd. 25 Halwyn Drive Hornby, Christchurch New Zealand 8042 (P) Andrew Smith (S) Paul Williams

90533 64-3-349-9500 64-3-349-7166 Card manufacture Chip embedding

Abnote NZ Limited 12 Piermark Drive Albany, Auckland 0632 New Zealand (P) Stephen Morgan (S) Andrew Smith

90521 64-9-415-5000 64-9-415-5002 Card embossing Card personalization Card encoding Chip personalization Card mailing Mobile provisioning

Allcard Plastics Philippines, Inc. Lot 3 Block 17 E Rodriguez Jr. Avenue Corner Titan St. Acropolis Subdivision Quezon City Philippines 1110 (P) Roy Ebora (S) Allieta Cue

90901 63-2-5701321 63-2-5707175 Card manufacture Chip embedding Card embossing Card personalization Card encoding Chip personalization Card mailing

Asia Pacific Card and System Sdn. Bhd. No. 1, Lebuh 1, Bandar Sultan Sulaiman, Taiwanese Industrial Park, Pelabuhan Klang Selangor 42000 Malaysia (P) Eddie Huo Shao Wei (S) NG Soon Teck

90826 603-3176-6700 603-3176-5700 Card manufacture Chip embedding


Asia/Pacific Region


MCBS Billing Code

Phone Number

Fax Number

Services Provided

Asia Smart Cards Centre (M) Sdn. Bhd. LG Floor, Wisma Boustead, 71 Jalan Raja Chulan, 50200 Kuala Lumpur Malaysia (P) Koh Chor Meng (S) Khadijah Bt. Engku Salleh

90775 603-2148-1181 603-2148-0181 Card embossing Card personalization Card encoding Chip personalization Card mailing

Beautiful Card Corporation No. 4 Wenming 1st St. Guishan Shiang Taoyuan County 33383 Taiwan (R.O.C.) (P) Katherine Liao (S) Richie Ku

90814 886-3-318-3128 886-3-327-7193 Card manufacture Chip embedding Card embossing Card personalization Card encoding Chip personalization Card mailing

Beijing Datang Smartcard Technology Co., Ltd. 6 Yongjia North Road Haidian District Beijing China 100094 (P) Shi Chunguang (S) Gao Yuxin


Beijing Watchdata System Co. Ltd. No. 3 Anqing St. Konggang Industry Zone B Shunyi District Beijing China 101300 (P) Ma Lianhua (S) Wu Lili




Asia/Pacific Region


MCBS Billing Code

Phone Number

Fax Number

Services Provided

Biosmart Co., Ltd.312-31 Duk San-Dong, Asan City Chung Nam Korea 336-120 (P) Hyejung Lim (S) Jessie Ryu


Cassis Services Sdn. Bhd. Suite P5-01, Fifth Floor Podium Block, Menara Keck Seng 203 Jalan Bukit Bintang Wilayah Persekutuan Kuala Lumpur 55100 Malaysia (P) Serina Lee Onn Wei (S) Christina Lai Hui Fuen (S) Chua Tian Yee

90801 603-2300-2801 603-2300-1371 Card embossing Card personalization Card encoding Chip personalization Card mailing Mobile provisioning

Chan Wanich Security Printing Company Ltd. 192 Suksawad Road Prasamutjedee Samutprakarn Bangkok 10290 Thailand (P) Marachai Kongboonma (S) Paul Iu


Dai Nippon Printing Co., Ltd. 5-8-1, Minamisuna Koto-ku Tokyo Japan 136-0076 (P) Takahiro Onodera (S) Haruo Takahashi

90936 81-33-513-2743 81-33-513-2598 Mobile provisioning

Dai Nippon Printing Co. Ltd. Nara Plant: 712-10 Oaza Toin Kawanishi-Cho Shiki-gun, Nara Pref. Japan 636-0293 (P) Hiroshi Nishioka (S) Tadaki Fujioka

90504

81-74-544-1121 Telex: J22737 DNPRINT

81-74-543-2055 Card manufacture Chip embedding Card embossing Card personalization Card encoding Chip personalization Card mailing


Asia/Pacific Region


MCBS Billing Code

Phone Number

Fax Number

Services Provided

Dai Nippon Printing Co. Ltd. Ushiku Plant: 70 Tsukuba-Minami Okubara Industrial Park 1650 Okubara-cho Ushiku-shi, Ibaraki-ken Japan 300-1283 (P) Mikio Kushima (S) Tetsuo Nogami

90725

81-298-75-2211 81-298-75-2301 Card manufacture Chip embedding Card embossing Card personalization Card encoding Chip personalization Card mailing

Dai Nippon Printing Co. Ltd. Warabi Plant: 4-5-1, Nishiki-Cho Warabi-shi, Saitama-ken Japan 335-0005 (P) Yuji Egawa (S) Masayuki Iijima

90503 81-48-444-1111 Telex: J22737 DNPRINT

81-48-420-1119 Data preparation

Data Products Toppan Forms Ltd. 218 Latkrabang Industrial Estate 23 Chalongkrung Road Lumpratiew, Latkrabang Bangkok Thailand 10520 (P) Apichart Ariyaviriyanant (S) Jaroonruk Prakobwaithayakij


DataSonic Corporation Sdn. Bhd. No. 11G, Ground Floor The Highway Centre, Jalan 205 Section 51 Petaling Jaya 46050 Selangor Malaysia (P) Chris Tan (S) Chan Kaang Huei




Asia/Pacific Region


MCBS Billing Code

Phone Number

Fax Number

Services Provided

Dz Card (Malaysia) Sdn. Bhd. 5, Jalan Empat 4 off, Jalan Chan Sow Lin Kuala Lumpur Malaysia 55200 (P) Rubendran J.Retnam (S) Aaron Le Boutillier


Dz Card (Thailand) Ltd. 139 Bangplee Industrial Estate M00 17 Bangna-Trad Road Bangplee, Samutprakan 10540 Thailand (P) Aaron Le Boutillier (S) Harry Gundelach


Dz Card (Philippines) Inc. dz Card Building, Sta. Agueda Avenue, Pascor Drive, Sto. Nino Paranaque City 1704 Philippines (P) Jean Jacobi (S) Harry Gundelach

90784 63-2-851-1870 63-2-852-2147 Card embossing Card personalization Card encoding Chip personalization Card mailing

Eastcompeace Technology Co. Ltd. No. 8 Ping Gong Zhong Road Nanping, Zhuhai Guangdong China 519060 (P) Catherine Lee (S) Megan Joo


Foongtone Technology Co., Ltd. No. 7-1 Lane 365, Sec 1 Chung Yung Road Tu Chen City, Taipei HSien Taiwan 236 (P) John Tu (S) P.J. Lee



Asia/Pacific Region


MCBS Billing Code

Phone Number

Fax Number

Services Provided

Fujian Hongbo Printing Shares Co., Ltd. Factory #50, Changle Airport Industrial Concentration Zone Fuzhou Fujian Province China 350200 (P) Joe Pang (S) Hank K

90944 86-591-2862-7000-800

86-591-2862-7000-810

Card manufacture Chip embedding

Gemalto Pte Ltd. 12, Ayer Rajah Cresent Singapore 139941 (P) Ramon Padiernos (S) Chue Fook Wah


Gemalto PTY Ltd. 13 Redl Drive Mitcham VIC Australia 3132 (P) Graham Adams (S) Matthew Richardson


Gemalto Sdn. Bhd. Level 2, Plaza See Hoy Chan Wilayah Persekutan 50200 Kuala Lumpur Malaysia (P) Charlie Nair (S) Chua Fook Wah


Gemalto Philippines Inc. Bldng 7A, Southern Luzon International Business Park Batino Calamba Laguna Philippines 4027 (P) Fook Wah Chue (S) Kevin Liu




Asia/Pacific Region


MCBS Billing Code

Phone Number

Fax Number

Services Provided

Gemalto Pte Ltd. 9 Tai Seng Drive Lobby B #02-02P Singapore 535227 (P) Raman Ponnappan (S) Bruno Escude

90926 65-6317-1333 65-6873-1646 Mobile provisioning

Gemalto Taiwan Ltd. Basement 1, No. 192 Lien Cheng Road Chung Ho, Taipei County 235 Taiwan (P) Fook Wah Chue (S) Ray Chien


Giesecke & Devrient Australasia Pty Ltd.

Victoria Plant: 94 Rushdale Street Knoxfield, Victoria 3180 Australia (P) Ajith Chrathilaka (S) Scott OHara

90742 61-3-9765-1200 61-2-9763-5455 Chip embedding Card embossing Card personalization Card encoding Chip personalization Card mailing

Sydney Plant: 9 Rachael Close, Silverwater Silverwater NSW 2128 Australia (P) Ajith Chrathilaka (S) Scott OHara


Giesecke & Devrient (China) Information Technologies Co., Ltd. 399 Huoju Avenue Nanchang High-New Tech. Development Zone Nanchang City Jiangxi Province China 330096 (P) Qun Hu (S) Hongying Zhu

90785 86-791-811-2355 86-791-810-0958 Chip embedding Card embossing Card personalization Card encoding Chip personalization Card mailing


Asia/Pacific Region


MCBS Billing Code

Phone Number

Fax Number

Services Provided

Goldpac Secur-Card Ltd. Goldpac Building Fuxi-QianShan Zhuhai China 519070 (P) David Lu (S) Roger Lu


Goldpac Secur-Card Ltd. Shanghai Branch No. 166 of Min Dong Road Pudong New Area Shanghai China 201209 (P) David Lu (S) Jason Zhang


Guangdong Chutian Dragon Smart Card Co., Ltd. Zhuweitian Yifa Industrial Zone of Fenggang Dongguan Guangdong Province China 523697 (P) Annabelle Tang (S) Joy Fu

90881 86-769-8750-6332 86-769-8750-9888 Card manufacture Chip embedding Card embossing Card personalization Card encoding Chip personalization

Hengbao Co. Ltd. Hengtang Industrial Zone Dangyang City, Jiangsu Province China 212355 (P) Zhou Jiang (S) Wang Yan


Hitachi Maxell, Ltd. 45-101, Kagamida Oyamazaki-cho Otokuni-gun, Kyoto 618-8558 Japan (P) Ikuo Yamazaki (S) Shigeo Komori




Asia/Pacific Region


MCBS Billing Code

Phone Number

Fax Number

Services Provided

Huangshi G&D Wa Security Card Ltd. Hangzhou Road West, Huangshi City, Huangshi, Hubei Province China 435000 (P) Xiao Wei (S) Hu Qun


ICK Co., Ltd. 96BL, 1Lb, Sungseo 3rd Industrial Complex Dalseo-Gu, Daegu Korea 704-240 (P) Daniel Lee (S) Min Soo Bang

global security bulletin no 9 september 13 2013

Documents