On 1st June 2018, Visa Europe (Visa) experienced an incident resulting in a partial failure to its ability to process authorisations. Authorisations were affected for around 6 hours. As a result, many consumers across Europe were unable to complete card purchases.

Visa systems are designed to a high level of reliability and the subsequent review of the incident confirmed that Visa had a robust and resilient authorisations system intended to prevent incidents impacting authorisations. However, the incident highlighted issues with Visa’s communications during the outage.  Reflecting this, we are proposing to issue a specific direction in respect of its communications which would apply to the operator of Visa. 

The aim of our proposed direction is to make sure Visa does all it can to ensure that its participants, service users and other stakeholders are given enough information. This is to allow them to take appropriate action if any future incident occurs where Visa’s services are unexpectedly unavailable. We are proposing to give the specific direction to Visa, but we recognise that effective communication to all participants and consumers is likely to require effective co-operation with a number of organisations.

We are consulting on the specific direction and we invite you to provide comments by 1 March 2019. More details on the issue and our consultation are set out below.

We expect this consultation to be of interest to payment service providers who process card payments, including

  • Issuing banks,
  • E-money institutions,
  • Payment institutions, particularly acquirers and payment facilitators,
  • Other payment system operators (PSOs) and their participants.

Consumer and merchant organisations may also be interested in our consultation.

What is the Visa system?

Visa is the most widely-used card payment system in the UK. In 2017 around four out of five card transactions in the UK were debit card transactions: there were approximately 13.2 billion debit card transactions in the UK and 3.1 billion credit card transactions. 97% of debit cards issued in the UK were issued under the Visa brand in 2017.

Visa licenses payment service providers to issue debit, credit and other payment cards to consumers using the Visa brand, and licenses acquirers to process payments on behalf of merchants.

Visa branded cards are also often used to withdraw cash from ATMs, however, only a small number of UK withdrawals will go across the Visa system.   Typically, a cash withdrawal will only go across the Visa system if Visa branded cards are used by UK visitors overseas or overseas visitors to the UK.  

The 1st June incident

The 1st June incident represented a serious disruption to Visa’s services. During the incident, 2.4 million UK transactions attempted failed. Merchants lost potential sales and consumers lost purchasing opportunities. We noted that some merchants suspended all card payments, including those payments using other card payment systems, for periods during the incident. It may not have been clear to consumers that Visa debit cards continued to work at LINK ATMs during the incident, adding to the general lack of clarity to consumers on how best to respond to the incident. The disruption to Visa’s services could have gone on to cause disruption to other payment systems if the incident had continued for longer.

In Visa’s letter to the Treasury Select Committee (TSC) dated 14 November 2018, Visa recognised that it ‘failed to meet […] the expectations of [Visa’s] various stakeholders’. 

Shortly after 1st June incident, Visa commissioned Ernst & Young LLP (EY) to conduct an independent review of the incident. The resulting report findings and observations (as provided to the TSC in Visa’s letter dated 14 November) confirms that Visa had a robust and resilient authorisations system, but also provides evidence that the partial failure of Visa’s authorisation system caused further disruption than was necessary because Visa’s communications practices were deficient.

In particular, in respect of communications the EY report found:

  • External communications were not timely or regular.
  • External communications were not actionable.
  • Remediation of communications issues identified in a previous incident were still to be completed.
  • Delays in communication approvals.
  • Internal communications were not timely, actionable or delivered through effective channels.
  • Methods used to communicate with clients were not effective or efficient.

If Visa participants do not receive effective and timely communications during incidents that affect the availability of Visa’s services they are unable to fulfil their own obligations for passing information on the incident to consumers and merchants. 

Why we propose to issue a specific direction

EY’s report makes a number of recommendations in order to address the findings. We are encouraged to learn that Visa has accepted all the recommendations and has committed to implementing them in a timely manner. 

However, we consider that the EY recommendations are at a high level and alone may not be sufficiently detailed to ensure that Visa makes the necessary improvements in communicating effectively during an incident.   Additionally, there is a need for assurance that the appropriate steps will be taken to achieve those necessary improvements, and a method for assessing whether Visa’s crisis communication plans continue to evolve to meet changing circumstances.  While Visa has committed to undertake remediation activities, we propose giving the operator of Visa a specific direction, putting a regulatory framework around those activities to enhance the effectiveness of the remediation work. 

The aim of our direction is to ensure that Visa has in place a robust crisis communication plan that takes into account the needs of a wide range of stakeholders, that this plan remains appropriate in light of future changes and experience, and is used in practice.

Reflecting this aim, we propose that Visa should regularly review, test and revise the plan so it is kept current, continuing to take into account the needs of its stakeholders as the plan evolves, to ensure the plan remains effective.  We also propose to require the plan to be used in the event of any future incidents.

We intend to require Visa to:

a) Provide us with evidence that it has remediated the underlying deficiencies in its crisis communications including with the wider payments ecosystem;
b) Provide us with evidence that it has tested crisis communications process with service users, and considered those service users’ views on the effectiveness of its plan;
c) Ensure that it regularly reviews and maintains its crisis communication plan, annually tests the effectiveness of that plan with participants, and reports to us on the outcomes of that testing; and
d) Ensure that its documented crisis communication plan is followed in any future incident.

We consider that if Visa carries out the requirements above this will also address an observation in the EY report that Visa could influence improvements in the effectiveness of crisis communications in the payments processing ecosystem.

We propose that the direction should expire after 5 years, unless we direct otherwise. We consider that this should be a sufficient length of time to ascertain whether the necessary improvements have been made and maintained.  

We have consulted and co-ordinated with the Bank of England in line with our payment systems Memorandum of Understanding.

What are we consulting on?

We would be interested to receive any feedback on our draft specific direction and would welcome evidence in support of your views. In particular we invite answers to these questions:

  1. Will our direction as drafted be effective in meeting our aim? In particular does our direction take sufficiently into account the interests of stakeholders? If not, what changes should we make?
  2. What costs and burdens will our proposed direction impose?
  3. Should the direction expire after 5 years (see 8.2 of the draft direction), or alternatively be subject to a review after a 5-year period of time?

Please send your comments to PSRconsultations@psr.org.uk or by post (to arrive no later than 1 March 2019) to:
SD 9 Team
Payment Systems Regulator
12 Endeavour Square
E20 1JN

We will consider your comments when preparing our response to this consultation.

What happens next? 

Once the consultation has closed, we will review the comments we receive and will, if appropriate, give a specific direction to the operator of Visa.

This incident highlights the importance of effective communications for all payment systems, particularly in crisis situations.  In addition to the specific proposal outlined above, we are separately considering whether there is further work the PSR should undertake to explore whether arrangements for crisis communications across the payments sector are fit for purpose.

We will consider making all non-confidential responses to this consultation available for public inspection.

We will not regard a standard confidentiality statement in an email message as a request for non-disclosure. If you want to claim commercial confidentiality over specific items in your response, you must identify those specific items which you claim to be commercially confidential. We may nonetheless be required to disclose all responses which include information marked as confidential in order to meet legal obligations, in particular if we are asked to disclose a confidential response under the Freedom of Information Act 2000. We will endeavour to consult you if we receive such a request. Any decision we make not to disclose a response can be reviewed by the Information Commissioner and the Information Rights Tribunal.

We take our data protection responsibilities seriously and will process any personal data that you provide to us in accordance with the Data Protection Act 2018, the General Data Protection Regulation and our PSR Data Privacy Policy. For more information on how and why we process your personal data, and your rights in respect of the personal data that you provide to us, please see our website privacy policy, available here.

Share this page: