On May 14, 2015, Visa announced several updates to its Global Compromised Account Recovery Program (“GCAR”), which helps card issuers recover costs and fraud losses after a data compromise. These modifications appear to be designed to address changes in the payment environment and align GCAR recoveries more closely with the current estimated costs and risks that result from data compromises.
With these new updates, GCAR operating expense amounts per eligible account will be determined using a new tiered structure that is based on the issuer size. Issuers will be grouped into one of three operating expense recovery tiers—small, medium, or large— that is based on the issuer’s annual Visa purchase volume. Due to the increased costs of data compromises, the operating expense recovery for large issuers will be increased to $2.65 per eligible account. In apparent response to reports that small and medium size issuers have been incurring higher estimated operating expenses, Visa also established operating expense recovery tiers for them: medium-size issuers will have an operating expense recovery rate of $3.85 and small-size issuers will have an operating expense recovery rate of $6.00.
Due to the higher cost of reissuing at risk chip cards, GCAR operating expense recovery amounts will increase by $1.00 for all eligible accounts that had already been issued chip cards before being involved in a data compromise. Lastly, GCAR will no longer exclude accounts indicated in the CAMS alert as expired at the time of the alert.
These modifications will be effective for data compromises in which the first or only Compromised Account Management System (CAMS) alert is sent on or after July 1, 2015.
Visa’s newest modifications come just a few months after its initial announcement of several immediate changes to GCAR. On January 15, 2015, Visa announced that GCAR would provide recovery for all eligible Visa account numbers with magnetic strip data at risk due to a data compromise. Visa has stated that such update is to “reflect the evolution of the U.S. market.” Furthermore, Visa raised the threshold for a breach to be covered by GCAR by raising the number of eligible accounts from 15,000 to 30,000 and the total recoveries for all eligible issuers involved in an event from $150,000 to $300,000.