By now, most merchants know about the Visa Integrity Risk Program (VIRP) rolled out in spring 2023. The program is designed to ensure that acquirers and their designated agents — payment facilitators, independent sales organizations and wallets — maintain proper controls and oversight to prevent illegal transactions from entering the Visa payment system.
Since launching the VIRP over a year ago, Visa has added new fees and has been conducting regular audits. With a magnifying glass focused on your business practices, how can you best prepare? This month we are sharing some updates on the rules and some tips to get your business ready for an audit.
When an audit rolls around, you are generally given very little advance notice, so you should always be ready.
VIRP Expansion, Reinforcement and Fees
Visa has expanded its list of high-risk verticals to include adult sites, dating sites, negative option subscription sites, gaming sites, cyber lockers and financial trading platforms. VIRP has also expanded and added fees, increasing the registration fee from $500 to $950 and increasing processing fees by 10 basis points and 10 cents per transaction in the U.S., 10 basis points and 2 cents per transaction in the EU and U.K. Visa stated that the fee increase was to help build out a team to provide more oversight to high-risk verticals offering Visa products.
VIRP also reinforced the rules associated with user-generated content, with changes focused on content moderation, age verification, consent of all parties in images, and other issues. Below are some examples.
- Content compliance: Merchants must keep CSAM, bestiality, incest and nonconsensual content off their sites.
- Takedown requests: Merchants must enable users to report noncompliant content, and enable models to ask for content in which they are depicted to be removed. Merchants must also provide monthly reports to their payment service provider.
- Marketing: Merchants cannot market based on noncompliant search terms or noncompliant affiliate marketing promotions.
- Human trafficking: Merchants must have effective policies in place that prohibit the use of their websites to promote or facilitate human trafficking, sex trafficking or abuse. Participation in an anti-trafficking organization is highly recommended.
- Age verification of consumers: Merchants are required to comply with any applicable laws requiring site viewers to be a certain age, and to ensure that such age verification takes place prior to providing access to site content.
These rules and pricing changes have been written about extensively, and we are now seeing Visa enforcing them. For instance, Visa conducts oversight through acquirers, many of whom are going through audits. In these audits, Visa is digging into their high-risk portfolios and looking at how well adult merchants are managing to adhere to the VIRP standards.
One of our acquirers, an EU bank, went through a Visa audit and unfortunately did not perform well. That acquirer ended up re-underwriting their entire portfolio. This led to many account terminations for merchants not meeting the new standards. We are getting word from our U.S. acquiring partners about similar audits, and to be on standby for reviews of our existing merchants.
Don’t Panic, Prepare
When an audit rolls around, you are generally given very little advance notice, so you should always be ready. To that end, we created the following cheat sheet looking at each policy, whom it applies to, and what specifically you need to do to be ready.
Content Moderation: If your site allows user-generated content, including cam sites and fan sites, you will need to have a detailed policy on how you moderate that content. It’s important to ensure that all recorded content is reviewed prior to posting. Be sure to include what technology, if any, you have in place to help detect noncompliant content, and how many human moderators you have to review escalated content. Sharing your training documentation is also helpful. If you’re a cam platform, be ready to outline the technology you are using to manage livestreams, detect any unverified users in streams and take down streams immediately. You should be able to prove that there is no chance for models to meet up with customers in person or engage in other noncompliant activity. Subscription sites that rely on third-party producers or produce their own content should be able to show an internal policy that details what types of content are prohibited, how the content is reviewed prior to posting and what controls are in place to ensure models are properly age/ID-verified.
Model/Creator Age Verification: Sites allowing user-generated content need to provide a detailed overview of their age verification process and third-party tools used to verify content creators. For studio-produced content, it is likely that you would be asked for a policy, a code of conduct, best practices and rules for content production. Also be ready to provide a sample model release agreement.
Human Trafficking: Make sure you outline what controls you have in place to prevent your program from promoting content featuring trafficked or abused individuals. ASACP (Association of Sites Advocating Child Protection) or NCMEC (National Center for Missing & Exploited Children) are two good organizations to get involved with.
Affiliate Marketing: It is important to have a detailed affiliate marketing policy that outlines how you vet affiliates, including what type of creative assets they are allowed to use to promote your site, and the type of data you collect on each affiliate. Just like merchants go through a “know your customer” (KYC) process when setting up with a payment service provider, KYC should also be done on the affiliates you bring on board.
Consumer Age Verification: This has previously been off the radar at the card brands, but Visa now wants to understand how merchants are complying with jurisdictional age verification requirements. It is important to have a detailed policy in place and show how you are addressing the countries and states such as Texas, Louisiana, Utah, etc. that now require age verification prior to accessing adult content.
Takedown/Complaint Process: Every website should have an easily visible takedown or complaint process link that enables consumers to flag possibly noncompliant content, and allows models to request removal of their content. Each merchant must have a policy that outlines how complaints are handled and ensures that they are addressed within seven days. Content identified as illegal must be removed immediately. Each month, the merchant must report to their payment service provider any takedown requests or complaints, and the disposition of such. Even if you receive no complaints, a report should still be filed stating that. Check with your payment service provider on how to report.
Other Documentation: If audited, you might also be asked to provide updated KYC documentation. If your directors or ultimate beneficial owners (UBOs) have changed, it is important that you let your payment service provider or acquirer know. Other items that could be requested are lease agreements confirming that you are meeting merchant location requirements, updated ID documents for directors and UBOs, a recent utility bill for directors and UBOs and a recent bank statement.
While an audit or review of your website operation can always sound a little scary, being prepared to answer audit questions in a timely manner helps show your payment provider and Visa you are on top of things. The steps above can help make sure you are ready in case VIRP enforcement shines the spotlight on your business.
Cathy Beardsley is president and CEO of Segpay, a merchant services provider offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are kept safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.
