• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

Visa Updates Global Compromised Account Recovery Program

May 18, 2015 By Privacy, Cyber & Data Strategy Team

On May 14, 2015, Visa announced several updates to its Global Compromised Account Recovery Program (“GCAR”), which helps card issuers recover costs and fraud losses after a data compromise.  These modifications appear to be designed to address changes in the payment environment and align GCAR recoveries more closely with the current estimated costs and risks that result from data compromises.

With these new updates, GCAR operating expense amounts per eligible account will be determined using a new tiered structure that is based on the issuer size.  Issuers will be grouped into one of three operating expense recovery tiers—small, medium, or large— that is based on the issuer’s annual Visa purchase volume.  Due to the increased costs of data compromises, the operating expense recovery for large issuers will be increased to $2.65 per eligible account. In apparent response to reports that small and medium size issuers have been incurring higher estimated operating expenses, Visa also established operating expense recovery tiers for them: medium-size issuers will have an operating expense recovery rate of $3.85 and small-size issuers will have an operating expense recovery rate of $6.00.

Due to the higher cost of reissuing at risk chip cards, GCAR operating expense recovery amounts will increase by $1.00 for all eligible accounts that had already been issued chip cards before being involved in a data compromise. Lastly, GCAR will no longer exclude accounts indicated in the CAMS alert as expired at the time of the alert.

These modifications will be effective for data compromises in which the first or only Compromised Account Management System (CAMS) alert is sent on or after July 1, 2015.

Visa’s newest modifications come just a few months after its initial announcement of several immediate changes to GCAR. On January 15, 2015, Visa announced that GCAR would provide recovery for all eligible Visa account numbers with magnetic strip data at risk due to a data compromise. Visa has stated that such update is to “reflect the evolution of the U.S. market.” Furthermore, Visa raised the threshold for a breach to be covered by GCAR by raising the number of eligible accounts from 15,000 to 30,000 and the total recoveries for all eligible issuers involved in an event from $150,000 to $300,000.

Filed Under: Data Breach, Enforcement, Privacy, Privacy Policy, Security Breach

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • DOJ Issues New Policy on CFAA Prosecutions
  • EDPB Issues Draft Guidelines on the Calculation of Administrative Fines
  • The California Privacy Protection Agency Solicits Public Input on Forthcoming Privacy Regulations
  • U.S. Department of Commerce Announces the Establishment of a Global CBPR Forum
  • Colorado Issues Pre-Rulemaking Considerations for the Colorado Privacy Act
Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.