Merchants in Spotlight With Visa's VIRP

By now, most merchants know about the Visa Integrity Risk Program (VIRP) rolled out in spring 2023. The program is designed to ensure that acquirers and their designated agents — payment facilitators, independent sales organizations and wallets — maintain proper controls and oversight to prevent illegal transactions from entering the Visa payment system.

Since launching the VIRP over a year ago, Visa has added new fees and has been conducting regular audits. With a magnifying glass focused on your business practices, how can you best prepare? This month we are sharing some updates on the rules and some tips to get your business ready for an audit.

VIRP Expansion, Reinforcement and Fees

Visa has expanded its list of high-risk verticals to include adult sites, dating sites, negative option subscription sites, gaming sites, cyber lockers and financial trading platforms. VIRP has also added fees, increasing the registration fee from $500 to $950 and increasing processing fees by 10 basis points and 10 cents per transaction in the U.S., and by 10 basis points and 2 cents per transaction in the EU and U.K. Visa stated that the fee increase was to help build out a team to provide more oversight to high-risk verticals offering Visa products.

VIRP also reinforced the rules associated with user-generated content, with changes focused on content moderation, age verification, consent of all parties in images, and other issues. Below are some examples.

  • Content compliance: Merchants must keep CSAM, bestiality, incest and nonconsensual content off their sites.
  • Takedown requests: Merchants must enable users to report noncompliant content, and enable models to ask for content in which they are depicted to be removed. Merchants must also provide monthly reports to their payment service provider.
  • Marketing: Merchants cannot market based on noncompliant search terms or noncompliant affiliate marketing promotions.
  • Human trafficking: Merchants must have effective policies in place that prohibit the use of their websites to promote or facilitate human trafficking, sex trafficking or abuse. Participation in an anti-trafficking organization is highly recommended.
  • Age verification of consumers: Merchants are required to comply with any applicable laws requiring site viewers to be a certain age, and to ensure that such age verification takes place prior to providing access to site content.

These rules and pricing changes have been written about extensively, and we are now seeing Visa enforcing them. For instance, Visa conducts oversight through acquirers, many of whom are going through audits. In these audits, Visa is digging into their high-risk portfolios and looking at how well adult merchants are managing to adhere to the VIRP standards.

One of our acquirers, an EU bank, went through a Visa audit and unfortunately did not perform well. That acquirer ended up re-underwriting their entire portfolio. This led to many account terminations for merchants not meeting the new standards. We are getting word from our U.S. acquiring partners about similar audits, and are being told to be on standby for reviews of our existing merchants.

Don’t Panic, Prepare

When an audit rolls around, you are generally given very little advance notice, so you should always be ready. To that end, we created the following cheat sheet looking at each policy, whom it applies to, and what specifically you need to do to be ready.

Content Moderation: If your site allows user-generated content, including cam sites and fan sites, you will need to have a detailed policy on how you moderate that content. It’s important to ensure that all recorded content is reviewed prior to posting. Be sure to include what technology, if any, you have in place to help detect noncompliant content, and how many human moderators you have to review escalated content. Sharing your training documentation is also helpful. If you’re a cam platform, be ready to outline the technology you are using to manage livestreams, detect any unverified users in streams and take down streams immediately. You should be able to prove that there is no chance for models to meet up with customers in person or engage in other noncompliant activity. Subscription sites that rely on third-party producers or produce their own content should be able to show an internal policy that details what types of content are prohibited, how the content is reviewed prior to posting and what controls are in place to ensure models are properly age/ID-verified.

Model/Creator Age Verification: Sites allowing user-generated content need to provide a detailed overview of their age verification process and third-party tools used to verify content creators. For studio-produced content, it is likely that you would be asked for a policy, a code of conduct, best practices and rules for content production. Also be ready to provide a sample model release agreement.

Human Trafficking: Make sure you outline what controls you have in place to prevent your program from promoting content featuring trafficked or abused individuals. ASACP (Association of Sites Advocating Child Protection) and NCMEC (National Center for Missing & Exploited Children) are two good organizations to get involved with.

Affiliate Marketing: It is important to have a detailed affiliate marketing policy that outlines how you vet affiliates, including what type of creative assets they are allowed to use to promote your site, and the type of data you collect on each affiliate. Just like merchants go through a “know your customer” (KYC) process when setting up with a payment service provider, KYC should also be done on the affiliates you bring on board.

Consumer Age Verification: This has previously been off the radar at the card brands, but Visa now wants to understand how merchants are complying with jurisdictional age verification requirements. It is important to have a detailed policy in place and to show how you are addressing the countries and states, such as Texas, Louisiana and Utah, that now require age verification prior to accessing adult content.

Takedown/Complaint Process: Every website should have an easily visible takedown or complaint process link that enables consumers to flag possibly noncompliant content, and allows models to request removal of their content. Each merchant must have a policy that outlines how complaints are handled and ensures that they are addressed within seven days. Content identified as illegal must be removed immediately. Each month, the merchant must report to their payment service provider any takedown requests or complaints, and the disposition of such. Even if you receive no complaints, a report should still be filed stating that. Check with your payment service provider on how to report.

Other Documentation: If audited, you might also be asked to provide updated KYC documentation. If your directors or ultimate beneficial owners (UBOs) have changed, it is important that you let your payment service provider or acquirer know. Other items that could be requested are lease agreements confirming that you are meeting merchant location requirements, updated ID documents for directors and UBOs, a recent utility bill for directors and UBOs and a recent bank statement.

While an audit or review of your website operation can always sound a little scary, being prepared to answer audit questions in a timely manner helps show your payment provider and Visa you are on top of things. The steps above can help make sure you are ready in case VIRP enforcement shines the spotlight on your business.

Cathy Beardsley is president and CEO of Segpay, a merchant services provider offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are kept safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
