Before I start off on this, please note that Visa Europe isn’t part of Visa, Inc.. but a separate entity owned and operated by several European member banks. What Visa Europe does may or may not be influenced by Visa, Inc.
Why did Visa Europe turn their backs on iZettle last week? Of course, we don’t know what happened yet, but is this a sign of things to come for the US darling company, Square? Or is Square navigating with Visa on a tight rope and managing the show?
Was this just political or were there too many “liability” issues and “non-compliance” issues? iZettle system supports “Chip and Signature” while most European cards are “Chip and Pin” . It may seem straight forward that the liability would be on iZettle for any fraud. However, if the cards were issued as “Chip and Signature”, the liability would shift to the issuer if iZettle took enough information about the card holder.
Let us read the Square situation with Visa. While Visa has invested in Square, there are some non-compliance and liability related questions here as well:
1. Square claims that they are PCI-DSS Level 1 compliant. However, they are not included in the list of vendors validated by Visa. (Visa has released a guideline for visa card accepting software vendors to follow certain guidelines under the Payment Application Best Practices. Check out http://usa.visa.com/download/merchants/validated_payment_applications.pdf ). Square is NOT listed in this.
2. Visa also has specified a requirement for the merchant to collect signature on paper to address proper fraud liability issues. Since there is no paper signature, the liability will rest with the acquirer (Chase ). Of course, if the transaction qualifies for Visa Easy Payment Service, there is no necessity for this requirement. In any case, the complexity is with identifying the Merchant Category Code (MCC) in this Person to Person (p2p) model. I would guess that the entire fraud liability would rest with Square and Chase!
3. The acquirer and the merchant “must” not take any supplemental information from the card holder as per Visa’s operating rules. Check this out at http://corporate.visa.com/_media/visa-international-operating-regulations.pdf . Since an e-mail address is taken as part of the transaction, this may be a non-compliance. Unless Square treats this information securely under PCI standards and not use it for marketing or other purposes…
I am sure Square is taking all necessary precautions, but it may be on a risky wicket with Visa. While Square has become a phenomenon with its innovative solutions, it may have to navigate carefully with Visa and Mastercard. It may have been forced to sell out some stake to Visa to ensure uninterrupted blessing from the giant?
Coming back to iZettle – Maybe that company did not navigate the risky situation properly with Visa Europe.. Maybe this is a fight between Visa and Mastercard (who apparently invested in iZettle last month).. Maybe Visa wants to pave the way for Square to enter in Europe and control the growth of alternate technologies…