AGENCY:

Federal Trade Commission.

ACTION:

Proposed consent agreement; request for comment.

SUMMARY:

The consent agreement in this matter settles alleged violations of federal law prohibiting unfair methods of competition. The attached Analysis of Proposed Consent Orders to Aid Public Comment describes both the allegations in the complaint and the terms of the consent orders—embodied in the consent agreement—that would settle these allegations.

DATES:

Comments must be received on or before February 13, 2023.

ADDRESSES:

Interested parties may file comments online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write: “Mastercard Incorporated; File No. 201 0011” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex Q), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT:

Christina Brown (202-326-2125), Bureau of Competition, Federal Trade Commission, 400 7th Street SW, Washington, DC 20024.

SUPPLEMENTARY INFORMATION:

Pursuant to Section 6(f) of the Federal Trade Start Printed Page 2358 Commission Act, 15 U.S.C. 46(f), and FTC Rule § 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis of Agreement Containing Consent Orders to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC website at this web address: https://www.ftc.gov/​news-events/​commission-actions.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before February 13, 2023. Write “Mastercard Incorporated; File No. 201 0011” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.

Due to protective actions in response to the COVID-19 pandemic and the agency's heightened security screening, postal mail addressed to the Commission will be delayed. We strongly encourage you to submit your comments online through the https://www.regulations.gov website.

If you prefer to file your comment on paper, write “Mastercard Incorporated; File No. 201 0011” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex Q), Washington, DC 20580.

Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule § 4.10(a)(2), 16 CFR 4.10(a)(2)—including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on https://www.regulations.gov —as legally required by FTC Rule § 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request.

Visit the FTC website at https://www.ftc.gov to read this document and the news release describing this matter. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before February 13, 2023. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/​site-information/​privacy-policy.

Analysis of Agreement Containing Consent Orders To Aid Public Comment

I. Introduction

The Federal Trade Commission has accepted, subject to final approval, a consent agreement with Mastercard Incorporated (“Mastercard”). Mastercard operates a payment card network over which merchants can route debit transactions. Mastercard also operates as a token service provider that generates payment tokens for Mastercard-branded debit cards, including tokens saved in ewallet applications on mobile devices.

The consent agreement contains a proposed order addressing allegations in the proposed complaint that Mastercard has inhibited merchants' ability to route electronic debit transactions in violation of the Durbin Amendment, 15 U.S.C. 1693o-2(b)(1)(B), and Regulation II, 12 CFR 235.7(b), and therefore also in violation of the Federal Trade Commission Act, 15 U.S.C. 41 et seq. The proposed order has been placed on the public record for 30 days to receive comments from interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the consent agreement and the comments received and will decide whether it should withdraw from the consent agreement and take appropriate action or make the proposed order final.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the complaint, the consent agreement, or the proposed order, or to modify their terms in any way.

II. The Complaint

This matter involves allegations that Mastercard's policy with respect to payment tokens saved in ewallets illegally inhibited merchants from being able to route electronic debit transactions to competing payment card networks. The Commission's complaint includes the following allegations.

When a consumer presents a debit card to a merchant to make a purchase, the merchant or the merchant's bank (known as the “acquirer”) uses a payment card network (the “network”) to communicate with the bank or credit union that issued the card (the “issuer”). If the transaction is approved, the network also handles the transfer of funds. The selection of a network to process a transaction is known as “routing.”

Debit transactions can be “card-present” ( e.g., where the cardholder presents their debit card to a merchant in person) or “card-not-present” ( e.g., where the cardholder is not physically present with the merchant, as in ecommerce transactions made online or through an application on a mobile device). The volume of card-not-present ecommerce transactions has grown significantly in recent years, including for debit cards used in ewallets such as Apple Pay, Google Pay, and Samsung Wallet.

When a cardholder loads a debit card into an ewallet, the debit card is “tokenized,” meaning the primary account number (“PAN”) printed on the card is replaced with a different number—the “token”—to protect the PAN during certain stages of a debit transaction. The token service provider Start Printed Page 2359 (“TSP”) that generates the token also maintains a “token vault” that stores the PAN corresponding to each token. When a cardholder initiates a debit transaction using an ewallet, the merchant receives only the token, and not the PAN. The merchant sends this token to its acquirer, which sends the token to a network for processing. For the transaction to proceed, the TSP must “detokenize” the token for the network, which includes converting the token to its associated PAN stored in the token vault.

Mastercard's rules require that a Mastercard-branded debit card that is loaded into an ewallet be tokenized. Mastercard is also the TSP for nearly all Mastercard-branded debit cards used in ewallets. When an ewallet transaction using a Mastercard-branded debit card is routed to Mastercard, Mastercard thus can perform the detokenization and process the transaction. Competing payment card networks, however, do not have access to Mastercard's token vault. To route a Mastercard-branded tokenized transaction to a competing network, a merchant's acquirer or the competing network therefore must ask Mastercard to detokenize the token. Merchants are thus dependent on Mastercard's detokenization to route ewallet transactions using Mastercard-branded debit cards to competing networks.

Mastercard's ewallet token policy leverages tokens to protect its card-not-present ecommerce revenue by inhibiting merchants' ability to route such transactions to competing networks. For card-present debit transactions using an ewallet—which occur when a cardholder makes a purchase in-store by holding their mobile phone with an ewallet application to a merchant's terminal—Mastercard will detokenize so that merchants may route the transactions to competing networks. In this scenario, the merchant's acquirer or competing network will “call out” to Mastercard's token vault, which will provide the PAN associated with the token.

In contrast, Mastercard will not detokenize for card-not-present (ecommerce) debit transactions, including those using an ewallet. Under Mastercard's policy, there is no process by which a merchant's acquirer or a competing network can call out to Mastercard's token vault and obtain the PAN associated with an ewallet token used in a card-not-present debit transaction, as it can in a card-present transaction. Thus, when a Mastercard-branded card is used in an ewallet for a card-not-present debit transaction, that transaction must be routed over the Mastercard network, and merchants are unable to route transactions to competing networks. Indeed, Mastercard requires, and affirmatively tells merchants that it requires, that merchants route card-not-present ewallet transactions using Mastercard-branded debit cards to the Mastercard network.

II. Legal Analysis

Mastercard's ewallet token policy inhibits merchant routing choice in violation of the Durbin Amendment, 15 U.S.C. 1693o-2(b)(1)(B), and its implementing regulation, Regulation II, 12 CFR 235.7(b). As part of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Congress amended the Electronic Funds Transfer Act (“EFTA”) to add Section 920, colloquially known as the Durbin Amendment.^[1] The Durbin Amendment instructed the Federal Reserve Board to promulgate implementing regulations, resulting in the publication of Regulation II in July 2011.^[2] The Durbin Amendment and Regulation II were adopted to address concerns about the lack of competition in debit card processing and associated high processing fees—and they embody the principle that merchants must have the opportunity to choose between at least two unaffiliated networks to process debit transactions.

The Durbin Amendment and Regulation II contain two sets of prohibitions designed to promote merchant and consumer savings associated with processing debit transactions. First, they prohibit network exclusivity by (a) prohibiting a debit card issuer or payment card network from directly or indirectly restricting the number of networks on which a debit transaction can be processed to less than two unaffiliated networks, (b) requiring that a debit card issuer enable payment card networks that satisfy certain minimum standards, and (c) prohibiting a payment card network from limiting an issuer's ability to contract with any other network.^[3] Second, they prohibit an issuer or payment card network from directly or indirectly inhibiting a merchant's ability to choose which of the networks enabled for the debit card is used to process a given transaction.^[4]

Violations of EFTA provisions, like the Durbin Amendment, are strict liability offenses.^[5] Accordingly, a prospective defendant incurs civil liability merely from its violation of the Durbin Amendment—a showing of scienter, actual harm, or anticompetitive effects is not necessary to establish a violation.^[6]

For purposes of the Durbin Amendment and Regulation II, a “debit card” includes more than the physical piece of plastic found in a cardholder's wallet. Under both, a debit card is “any card, or other payment code or device, issued or approved for use through a payment card network to debit an account, regardless of whether authorization is based on signature, personal identification number (PIN), or other means, and regardless of whether the issuer holds the account.” ^[7] Ewallet tokens are payment codes stored inside an ewallet and used through a payment card network to debit a cardholder's account; they are thus debit cards governed by the Durbin Amendment and Regulation II.

Mastercard's ewallet token policy does not allow card-not-present debit transactions using ewallet tokens ( i.e., debit cards) to be routed to competing debit networks. A merchant thus has only one option: Mastercard's network. Mastercard's policy thereby inhibits the merchant's ability to direct the routing of card-not-present transactions using ewallet tokens over the available network of its choosing, in violation of the Durbin Amendment and Regulation II.

Even if, for the sake of argument, an ewallet token is characterized not as a debit card but as a means of access to the underlying PAN, Mastercard still unlawfully inhibits merchant routing choice with respect to card-not-present Start Printed Page 2360 ewallet transactions. Mastercard requires that all Mastercard-branded debit cards loaded into ewallets be tokenized. And, in fact, nearly all such cards are tokenized by Mastercard—via decisions in which merchants have no say. Because Mastercard tokenizes these cards and then withholds detokenization, card-not-present ewallet transactions are not routable to competing networks—these networks are unable to process the transactions without the corresponding PANs. Mastercard thereby inhibits merchant routing choice by employing a technology that compels merchants to route transactions over Mastercard's network.

Additionally, Mastercard's agreements with ewallet providers require those providers to inform merchants that, by accepting card-not-present transactions through ewallets, merchants agree that transactions made with Mastercard-branded debit cards will be routed to Mastercard. Mastercard thereby inhibits merchant routing choice by contract.

III. Proposed Order

The proposed order seeks to remedy Mastercard's illegal conduct by requiring Mastercard to provide PANs so that merchants may route tokenized transactions using Mastercard-branded debit cards to the available network of their choosing. Under the proposed order, Mastercard must also refrain from interfering with the ability of other persons to serve as TSPs, and it must not take other actions to inhibit merchant routing choice in violation of Regulation II, 12 CFR 235.7(b).

Section I of the proposed order defines the key terms used in the order.

Section II of the proposed order addresses the core of Mastercard's conduct. Paragraph II.A. requires Mastercard, upon request by an authorized acquirer, authorized network, or other authorized person in receipt of a Mastercard token, to provide the PAN associated with the token for purposes of routing the transaction to any competing network enabled by the issuer. This provision is designed to restore and preserve merchant routing choice so that merchants may accept ewallet tokens without being forced to route all such transactions over Mastercard's network. The order specifically requires that Mastercard provide PANs for ecommerce, card-not-present debit transactions in the ordinary course, including in a manner consistent with the timeliness with which Mastercard provides PANs for card-present transactions and without requiring consideration for making the PANs available.

Paragraph II.B. prevents Mastercard from prohibiting or inhibiting any person's efforts to serve as a TSP or provision payment tokens for Mastercard-branded debit cards. This paragraph prevents Mastercard from taking other actions that would inhibit merchant routing choice in the context of tokenized transactions.

Paragraph II.C. prohibits Mastercard from, directly or indirectly by contract, requirement, condition, penalty, or otherwise, inhibiting the ability of any person that accepts or honors debit cards for payments to choose to route transactions over any network that may process such transactions, in violation of Regulation II, 12 CFR 235.7(b). This paragraph prevents Mastercard from taking other actions, even outside the context of tokenized transactions, that would inhibit merchant routing choice.

The proposed order also contains provisions designed to ensure Mastercard's compliance with the order. Section III requires Mastercard to provide notice to competing networks, acquirers, and issuers via an ad hoc Mastercard bulletin using language found in the proposed order's Appendix A. Section IV requires Mastercard to provide prior notice to the Commission before the commercial launch of any new debit product that requires merchants to route debit transactions to Mastercard's network. Sections V through VII contain provisions regarding compliance reports to be filed by Mastercard, notice of changes in Mastercard, and access to Mastercard documents and personnel.

As stated in Section VIII, the proposed order's purpose is to remedy Mastercard's alleged violation of the Durbin Amendment, EFTA Section 920(b)(1), 15 U.S.C. 1693o-2(b)(1), as set forth by the Commission in its complaint. Section IX provides that the order will terminate 10 years from the date it is issued. However, if the United States or Commission files a complaint in federal court alleging a violation of the proposed order (and the court does not dismiss the complaint or rule that there was no violation), then the order will terminate 10 years from the date such complaint is filed.

Footnotes