Answer:
Liability for unauthorized charges is determined by VISA Operating Rules. These are the terms to which an institution must agree in order to issue VISA cards. Ultimately the issuing financial institution bears the majority of the risk for fraudulent activity. This is offset by the interchange fees the institution receives.
If VISA determines that a data breach such as the occurrence at Sony was the result of a violation of VISA's operating rules regarding magnetic strip data storage or PCI non-compliance, VISA may, at its discretion, implement the Account Data Compromise Recovery Process (ADCR). VISA will determine the number of cards affected and the amount of fraud that can be attributed to the event and assign a recovery amount to each issuer and bill the member responsible for the breach.
First published on BankersOnline.com 6/13/11
print
share