How to use this checklist: Use this as a quarterly operational review for Visa and Mastercard members — both principal and affiliate. Chargeback ratio breaches and missed scheme reporting are the two highest-risk items; Section 2 and Section 4 should be reviewed monthly. New card programmes (Section 5) require scheme registration before launch, not after.
1. Scheme Membership & Registration
- Principal membership agreement: All terms reviewed; service commencement date confirmed; annual review of key obligations completed.
- BIN/IIN registration: All BINs registered with the relevant scheme; any changes notified within required timeframe and confirmation retained.
- Sponsorship arrangements: If operating as an affiliate, sponsor bank obligations clearly understood, documented, and reviewed against scheme rules.
- Scheme contacts: Relationship manager, technical support, and compliance contacts identified and contact list kept current.
- Scheme website access: Reporting portal credentials active and accessible for all users who need them — access reviewed after any staff changes.
2. Chargeback & Dispute Management
- Chargeback ratio monitored monthly: Both volume and value chargeback rates calculated monthly — trend tracked against scheme thresholds.
- Visa chargeback thresholds: Current position confirmed against 0.9% and 1.8% thresholds (or applicable scheme programme limits) — escalation trigger in place.
- Mastercard chargeback thresholds: Current position confirmed against 1.5% (excessive) and 3.0% (high-risk) thresholds — early warning process documented.
- Dispute response process: Documented procedure with timescales for each chargeback reason code — team trained and process tested.
- Response rate: Percentage of chargebacks responded to within scheme timeframes measured monthly and improvement actions assigned where below target.
- Root cause analysis: Top five chargeback reason codes analysed monthly; remediation actions assigned to named owners with deadlines.
3. Fraud & Risk Controls
- Fraud rate monitored: Scheme-level fraud rate threshold not exceeded — monitoring frequency and alert thresholds documented.
- 3DS implementation: 3D Secure enrolled and version confirmed as 3DS2 — fallback to 3DS1 not permitted on any active BIN.
- Strong Customer Authentication: SCA exemptions applied correctly under FCA rules and scheme requirements — exemption usage monitored and reviewed.
- Unusual activity monitoring: Spike alerts configured for fraud rates, transaction volumes, and decline rates — escalation path documented.
- Annual fraud risk assessment: Controls reviewed against current fraud threat landscape annually — outcomes documented and remediation actions tracked.
4. Reporting & Compliance
- Monthly scheme reporting submitted: All required reports (fraud, volume, incidents) filed on time each month — submission confirmations retained.
- Scheme compliance programme: Any Visa Compliance Programme or Mastercard SDP requirements identified and addressed — remediation plan in place if applicable.
- PCI DSS compliance: Current attestation in place — SAQ or QSA assessment completed and Certificate of Compliance on file.
- Security incident response: Scheme notification procedure documented — responsible person identified and notification within required timeframe if a breach occurs.
- Annual compliance review: Scheme compliance calendar reviewed annually with legal and compliance — upcoming deadlines entered into tracking system.
5. Commercial & Financial
- Scheme fee reconciliation: Monthly scheme fees reconciled against scheme invoices — variances investigated and queried within the dispute window.
- Assessment charges: Any scheme assessments (VAMP, VDMP, MATCH listings) monitored — challenged where applicable and outcomes tracked.
- Budget for scheme fees: Forecast scheme fee costs included in annual budget — updated quarterly to reflect volume changes and scheme fee announcements.
- New products/programmes: Scheme registration requirements for any new card programme identified and completed before launch — not post-launch.