MasterCard is extending its Zero Liability protection to cardholders and small businesses in all of its markets in an effort to recalibrate the program to match the realities of digital commerce.
"It didn't make sense to have different rules in different parts of the world," said Nancy O'Malley, chief payment system integrity officer at MasterCard. The rules are being changed to manage increases in e-commerce, as well as purchase patterns that show more international travel among consumer cardholders.
The global standard replaces a hodgepodge of local rules. In the Eurozone, consumers can be held liable for up to around $400 in lost and stolen card transactions. In Asia/Pacific it's about $50 and in Latin America there are no rules. These differences came about because in the past, fraud was a more regional phenomenon than it is now, O'Malley said.
"It's a function of history. These rules emerged in the 1990s," she said. "Nowadays data compromises can occur anywhere in the world and be global in scale."
The revised rules are aimed at consumer and small business cardholders and apply to PIN-based transactions at the point of sale, ATM withdrawals and online/mobile transactions on MasterCard, Maestro and Cirrus-based transactions. The rules additionally cover transactions made using a credit card, debit card, small business or prepaid card registered to a consumer.
The Purchase, N.Y.-based card network has extended liability protection to small businesses in the U.S. since 2014, with the global expansion scheduled for completion by the early second quarter of 2016. Corporate cards for larger businesses are managed separately and are not part of the Zero Liability global expansion.
MasterCard consulted with issuers and regulators on the Zero Liability program with the goal of expanding minimum standards for protection against unauthorized transactions.
"It was a very significant task; we had to look at local laws and regulations and our existing rules," O'Malley said, adding that regulators have largely been supportive given that the expansion is enhancing consumer protection.
There is a potential cost to the added liability protection, though "a lot" of issuers told MasterCard the value will override any increase in fraud losses, O'Malley said.
"This move recognizes that the rising tide of data breaches is the new reality and ensures that consumers everywhere, not just in certain countries, will continue to feel safe transacting with their payment card," said Julie Conroy, a research director at Aite Group.
MasterCard is also attempting to erase uncertainty over liability coverage that can exist even within the U.S.
"Small businesses can exist in a nebulous gray zone when it comes to Reg Z in the U.S. as the use of these cards could include the commingling of personal and business transactions," said Al Pascual, director of fraud and security for Javelin Strategy & Research. "And these cards face the same type of threats in the U.S. as consumer-oriented cards, including breaches and the growth of card not present fraud."
The cross-border nature of e-commerce calls attention to the mismatch of liability standards in different countries.
"I actually tried to create a chart that depicted the liability for various countries across the globe last year and discovered that it was a confusing patchwork," Conroy said. "In many countries, consumers bore partial or even full liability for the fraud, and the extent of the liability could differ based on card or transaction type."