Mastercard Compliance - sticky.io

This article contains helpful information about Mastercard's compliance rules, who they impact and how to stay within compliance.

Written by Support

Originally Published: April 15, 2019 

Updated: February 3, 2022

Note - Links to all regulatory articles (Visa, Mastercard, European/PSD2) can be found at the end of this article.


PLEASE READ - IMPORTANT 2022 UPDATES:

In November 2021, Mastercard revealed several changes to their rules for subscription billing that will go into effect in 2022. Requirements listed in this section impact all merchants deploying subscription/recurring billing models. Additional requirements apply to negative option programs, where the merchant offers a free or discounted trial period before automatically enrolling the consumer into a full-priced subscription.


Newly implemented changes applicable to all subscription/recurring billing merchants:

  • By March 22, 2022, merchants must provide customers with emailed receipts after every billing. The email must include transaction details and clear instructions on how to cancel.

  • By March 22, 2022, merchants must provide all customers with an electronic way to cancel their subscriptions. This method should be "similar to unsubscribing from email messages or any other electronic method".

    • This excludes phone numbers, contact email addresses or requiring customers to visit a physical location.

  • By September 22, 2022, disclosures must be made at the "point of payment" to inform customers about the terms of the trial or subscription and the amount and frequency of any future payments. These disclosures must be made prior to enrolling customers in a subscription and the merchant must obtain the customer's affirmative acceptance of the terms.

    • This information must be clearly visible without any action from the customer. Traditional "terms and conditions" links, drop-down menus, or placing the information at the bottom of the page where customers would have to scroll down to see it do not satisfy this requirement.

    • For ecommerce merchants, the "point of payment" can be defined as the checkout page as well as any page where customers can review the details of their order and any page where payment information is entered.

  • By March 22, 2022, merchants using subscription billing models or negative option billing models with periods between billing of six months or longer will need to send subscription reminders to consumers. The notifications must be sent between three and seven days before the card is automatically charged. The notification can be sent electronically by email or by any other electronic method.

    • For negative option billing models, these notifications must:

      • be sent before the consumer is automatically enrolled in the full plan

      • inform the consumer that the subscription plan will start at the end of the trial period unless canceled before the stated date

      • contain the basic terms of the subscription and instructions on how to cancel

Newly implemented changes applicable only to merchants using negative option billing models:

  • By September 22, 2022, disclosure of the terms of the trial, the length of the trial period and the price and frequency of the subsequent subscription must be made at the "point of payment". This includes the screen where customers enter their payment information or any screen that displays a summary of the order (including shopping carts).

    • Requiring the consumer to click on a link, expand a message box or scroll down the page to see the terms will not satisfy the requirements.


The following documentation was published prior to 2022 and is separate from the changes described above.

Who do the below regulations affect? 

These regulations affect negative option billing merchants. A negative option billing model refers to a merchant that sells a good or service at a nominal or “free” price to a consumer.

The merchant requires the consumer to give payment information upfront to receive the trial product and bills the consumer on a future date unless the consumer proactively cancels their subscription.

The typical model is as follows:

  • Product is free on Day 1

  • Consumer is charged for the “free trial” on Day 14

  • Consumer is then shipped new product and charged again on Day 30 

Trial Start Date and Duration: The trial period must begin on the date that the product is received by the customer. This means that delivery time must be taken into consideration and the duration cannot start until the consumer has received the product.

Delivery time can fluctuate but it is recommended that merchants assess their average delivery time. This can be provided by the fulfillment provider. In sticky.io merchants are advised to configure the trial duration with delivery time in mind. If the merchant is selling a 14 day trial and the average delivery time is 4 days, the merchant should configure the trial duration as 18 days.

Rebill consent: After a trial, before any rebill is initiated the merchant must provide the following information to the consumer: Payment amount, payment date, secondary payment date (if applicable), merchant name as it appears on cardholders statement (descriptor), and instructions for canceling. The merchant MUST also get explicit consent BEFORE issuing the rebill.

sticky.io will have a “consent_required” parameter in the New Order requests. Merchants will be responsible for passing the flag designating the transaction as needing consent prior to the rebill. sticky.io will set the next rebill date; however, the transaction will not rebill until further action is taken. In sticky.io, merchants will be able to set a “Consent confirmation” email X days prior to a rebill that requires consent, and can customize this notification by payment type. sticky.io recommends sending it at least 3 days prior to the rebill, which gives the consumer enough time to give consent. Merchants will then need to make a subsequent API request confirming that consent has been received. sticky.io will also allow customer service reps to record consent upon customer request (within the sticky.io order details interface). The merchant will need to configure an email containing the information listed above.

Cancellation Policy: The merchant must provide a direct link to an online cancellation procedure on the website where the cardholder made the initial purchase. In the event that the page is down, the merchant must present a customer service phone number on the website maintenance page.

The merchant must send a confirmation to the cardholder when the subscription has been canceled. sticky.io provides the ability for merchants to send a “Cancellation Notification.” This notification can be found in the Email Triggers and Email Templates and configured to any product subscription. 

Can I provide all the consent information and consent links as part of the order confirmation email? If we cannot, please describe exactly what part of the Mastercard AN2202 rules we are not following by doing this?

According to the regulations, the consent information must be a separate communication AFTER the trial has ended. It cannot be collected upfront, in your trial confirmation email, and the Order Consent email/template cannot be sent too early in the trial process. From AN2202: "After the trial period for a product has ended, but before any additional payments are made by the cardholder, the merchant must provide the cardholder with the following information for which the cardholder’s authorization will be requested, and the merchant must obtain the cardholder’s explicit consent for the payment amount before initiating the authorization request" 

What are the recommendations for "Transaction notifications and storage"?

Depending on your volume, you could choose to BCC your Email triggers configured in sticky.io to a normal Gmail account you create for archiving purposes. For higher volumes on Google Mail you can look into this: https://gsuite.google.com/products/vault/ 

sticky.io states: For free-trial MCC 5968 merchants not using the NMI PaySafe gateway, you will have to pass the consent_required=1 parameter in the NewOrder API call for Mastercard transactions.

If you are not on the NMI PaySafeContinuity gateway, then the compliance will be up to you, the merchant. If you are running a free trial, then on the NewOrder API call you make to initiate that transaction, you need to pass consent_required=1 in the API parameters if it is a Mastercard transaction. It is in your control and sticky.io is providing you the tools to be compliant. Only on the NMI PaySafeContinuity gateway do we "force" consent requirements by default. 

If we offer a coupon discount on the first purchase, will this still fall under the new Mastercard AN2202 rules?

We have posed this question to several of the acquirers and processors, and according to them, having a coupon on the first purchase does NOT opt you out of the new regulations. You will still be considered negative option trial in this case. However, we encourage you to talk through this with your acquirer/processor. 

Does this affect companies that do not offer free trials but do use subscriptions?

If you just do straight subscription, the new rules do not apply to you. However, if your MID is still 5968 and with PaySafe, be sure to send consent_required=0 to ensure you opt out of the default consent requirements that PaySafe has instituted with us.

Our initial products are recurring to another product at a lower price. Does our offer fall under the new Mastercard AN2202 rules?

This business model should NOT fall under Mastercard AN2202 rules. We recommend that you double check with your processor to make sure that you are not currently classified as an MCC 5968 merchant.

Does this affect digital delivery products, or just physical?

This only affects physical delivery products. Just make sure your trial product description clearly indicates this, in case it is called into question. 

If I am classified as an MCC 5968 merchant but my model is Straight Sale continuity, do we still have to register?

You are okay if doing Straight Sale continuity. Just make sure you pass the consent_required=0 flag in your NewOrder calls to ensure any auto-rules required by PaySafe are bypassed.
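The rules scattered through this article (trial duration padded by delivery time, when to send consent_required=1 versus 0, the 3-day consent email lead, and the 3-7 day reminder window for six-month-or-longer billing cycles) can be collected into one scheduling helper. The Python below is an added example and is not sticky.io code; the gateway key, the 180-day reading of "six months", and the sample orders are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Gateway key and the 180-day "six months" threshold are assumptions for this example.
PAYSAFE_CONTINUITY = "nmi_paysafe_continuity"
SIX_MONTHS_DAYS = 180

@dataclass
class Order:
    card_brand: str            # e.g. "Mastercard", "Visa"
    gateway: str
    free_trial: bool           # negative option: trial first, full-price rebill later
    trial_days: int            # trial length advertised to the consumer
    avg_delivery_days: int     # average delivery time from the fulfillment provider
    rebill_interval_days: int  # days between recurring charges after the trial
    ship_date: date

def consent_required_flag(order):
    """Value to pass as consent_required on the NewOrder call, per the article."""
    if order.gateway == PAYSAFE_CONTINUITY:
        # PaySafe forces consent by default; straight-sale continuity opts out with 0.
        return 1 if order.free_trial else 0
    # On other gateways compliance is the merchant's job: Mastercard free trials need consent.
    return 1 if order.free_trial and order.card_brand.lower() == "mastercard" else 0

def configured_trial_duration(order):
    """Trial duration to configure: advertised trial plus delivery time (14 + 4 -> 18)."""
    return order.trial_days + order.avg_delivery_days

def billing_schedule(order, consent_lead_days=3):
    """First rebill date, consent-email date (article: at least 3 days before), reminder window."""
    first_rebill = order.ship_date + timedelta(days=configured_trial_duration(order))
    plan = {"first_rebill": first_rebill, "consent_required": consent_required_flag(order)}
    if plan["consent_required"]:
        plan["consent_email"] = first_rebill - timedelta(days=consent_lead_days)
    if order.rebill_interval_days >= SIX_MONTHS_DAYS:
        # Reminder must land 3 to 7 days before the next automatic charge.
        nxt = first_rebill + timedelta(days=order.rebill_interval_days)
        plan["reminder_window"] = (nxt - timedelta(days=7), nxt - timedelta(days=3))
    return plan

def demo_cases():
    """Constructed sample orders (not real merchant data) used to exercise the rules."""
    ship = date(2022, 3, 1)
    return {
        "mc_trial_other": Order("Mastercard", "other_gateway", True, 14, 4, 30, ship),
        "visa_trial_other": Order("Visa", "other_gateway", True, 14, 4, 30, ship),
        "straight_sale_paysafe": Order("Mastercard", PAYSAFE_CONTINUITY, False, 0, 0, 30, ship),
        "semiannual": Order("Mastercard", "other_gateway", False, 0, 0, 180, date(2022, 1, 1)),
    }
```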

ADDITIONAL REGULATORY ARTICLES
