Instructions for merchants

Transcription

1 Instructions for merchants Acquiring payments on the Internet or in mail and telephone orders This handbook is intended for everyone whose work includes acquiring of MasterCard and Visa payments on the Internet or in mail and telephone orders. All merchants with a valid Card Acquiring Merchant Agreement are obliged to follow the instructions in this handbook. The instructions for merchants are available in Nordea Merchant Acquiring's Merchant Portal and at Nordea branches, or they can be delivered to merchants by other means. Detailed instructions on online payment solutions and on the use of payment services is available in user guides delivered by the payment service providers. A payment service provider means a company that offers the service enabling payments over the Internet, mail and telephone. The cashier personnel/merchant should know your merchant ID in case they have to make an authorisation call. You can write down your merchant ID in the space below. MERCHANT ID

2 Contents Accepting cards... 3 Acquiring of payment cards... 3 Quick guide... 4 Details gathered at time of purchase... 4 Information on the receipt... 5 Authorisation... 5 Pre-authorisation (MasterCard)... 6 Final authorisation (MasterCard)... 6 Authorisation reversal... 6 Credit transaction... 6 Payment service and delivery of files... 7 Storing receipt information and requests for receipts... 7 Reporting services... 7 Merchant Portal... 7 Monthly statement... 8 How to read the monthly statement... 8 Special instructions... 9 Card payment debit D Secure... 9 Recurring payments... 9 Agreement between the merchant and the cardholder Technical requirements Mail and telephone orders Payment through a payment link Traditional mail and telephone orders Updating the payment terminal Secure methods of operation Internet payments Mail and telephone orders Watch for fraudsters The following may indicate a higher risk: Suspicion of misuse Misuse Complaints (refunds) Prevention and handling of complaints best practices Consider these when making a website How to act if you receive a complaint for a card payment Secure card environment PCI self-assessment Instructions for exceptional situations Payments Returns and credit transactions Settlements Important contact details Merchant Acquiring Customer Service Merchant Acquiring's automated authorisation service Merchant Acquiring's personal authorisation service Merchant Acquiring's PCI support Other important contact details

3 Valid as of 1 November 2014 Accepting cards When a merchant undertakes to accept MasterCard and Visa payments, the shop must accept all the cards of the card organisations in question. You can acquire card payments from all over the world, but you can prevent the use of, for example, cards from outside Europe for reasons related to risk management. Online cards, such as Visa Electron and Maestro, are only accepted in payments over the Internet or in mail and telephone orders if the card issuer allows it. If the merchant wants to accept American Express and Diners Club cards, it can make a separate agreement with these companies. In the follow-up of distance sales' payment transactions the merchant must use a system especially developed for the prevention of misuse. The system is usually included in the solution delivered by the payment service provider and it helps to detect and prevent possible attempts of fraud and in this way also reduce the amount of complaints. We recommend that you study the details of the system carefully and consider how it can be used to protect your business operations. You should take into account that all legislation concerning distance sales must be followed when selling products or services on the Internet or in mail and telephone orders. The Finnish Competition and Consumer Authority issues guidelines on distance sales to consumers. Acquiring of payment cards These instructions should be made available to persons acquiring card payments/orders. The purpose of this handbook is to provide clear instructions for the acquiring of payments that will allow payments to be made easily and securely. Always follow these instructions when accepting payment cards. With the secure payment method of Merchant Acquiring's Internet service the merchant can make sure that the customer is able to pay the order before the merchant delivers it and it also gives security with respect to risk management. In the following we describe the stages of sale: 1. The customer places an order on the merchant's website. 2. The customer enters the payment stage to pay for the purchased products and gives the merchant his or her card number, validity and card verification code (the last three digits after the card number on the back of the card). 3. The customer pays the order securely on the service provider's site through 3D Secure (MasterCard SecureCode or Verified by Visa). This requires online banking codes or some other method of verifying the customer's identity offered by the card issuer. The service transfers the customer to an identification page on which the customer enters his or her online banking codes and accepts the purchase amount to be debited to his or her card by confirming the payment. 4. The card is checked automatically in the authorisation service of the card issuer. If the card and the amount are accepted, the merchant and the customer are informed that it is OK to execute the purchase. 5. The merchant sends an order confirmation to the customer, for example, by . The merchant delivers the order to the address provided by the customer after making the relevant checks before delivery. Read also the section Increased risk can be anticipated carefully. Nordea Bank Finland Plc YSO

4 Quick guide The payment cards specified in the Card Acquiring Merchant Agreement may only be used to pay for products and services. When a merchant undertakes to accept MasterCard and Visa payments, the shop must accept all the cards of the card organisations in question. No minimum or maximum limits on purchases may be set for payment cards. A credit transaction must always be made to the same payment card number used for the original debit transaction. Credits may not be paid to an account or another card. The sum of a purchase may not be divided into several unauthorised payment transactions made with the same card number. The sum of a purchase may, however, be divided over different payment cards/methods. For instance, paying a part of the sum with a MasterCard and the rest with a Visa card. Card payments must not be accepted in the collection of debts or for the refinancing of debt. Details gathered at time of purchase In general, the service provider ensures that the necessary details are gathered and delivered to the Merchant Acquiring service in connection with the transaction. card number the validity of the card card organisation (Visa, MasterCard) the cardholder's name and address, telephone number and address AVV (Address Verification Value) or CAVV (Cardholder Authentication Verification Value) the response code of the verification code CVV2/CVC2 the delivery address the total amount of the purchases the currency of the purchase the purchase date the reference number of the transaction the buyer's name (if not the same as the cardholder) which products or services are contained in the transaction the price of each product or service VAT expenses, if any the cardholder's IP address the company's name and address the authorisation date and code ECI (Electronic Commerce Indicator) sent both in connection with the confirmation and when the compiled transactions are sent together with the AVV/CAVV Retain any mail order coupons, faxes, s and appendices sent by the customer confirming the delivery. 4

5 Valid as of 1 November 2014 Information on the receipt Receipts should show the name and address information of the point-of-sale in the same form as that in which they are stated in the Card Acquiring Merchant Agreement. In addition, the receipt must include the following information: the company's online address and postal address the company's name and business identity code the company's telephone number the validity of the card the cardholder s name the total amount of the purchases the currency of the purchase the purchase date the reference number of the transaction the buyer's name the authorisation code AVV (Address Verification Value) or CAVV (Cardholder Authentication Verification Value) the response code of the verification code CVV2/CVC2 information on the purchase being a card transaction the price of each product or service information on expenses, if any VAT Authorisation Transactions acquired on the Internet or as mail and telephone orders must always be authorised. The authorisation of a card transaction refers to checking whether the payment card is valid and whether the customer's account/card has sufficient balance. The authorisation will also place an authorisation hold equal to the sum of the purchase on the customer's account/card. With the 3DSecure system the cardholder can pay for his or her purchases using the MasterCard SecureCode or Verified by Visa service. Thus the customer's identity and right to use the card can be confirmed. When the purchase is paid using one of these security systems and when the merchant complies with the terms and conditions of distance sales included in the Card Acquiring Merchant Agreement, the merchant is guaranteed to receive the payment. This means that the customer's order can be delivered without risk. An authorisation made outside the 3D Secure system cannot ensure the customer's identity or right to use the payment card. If a transaction is not authorised, the merchant will be financially liable for the transaction in the event of misuse. If you suspect misuse, follow the instructions given in the section 'Watch for fraudsters'. Nordea Bank Finland Plc YSO

6 Pre-authorisation (MasterCard) As a general rule, card transactions that require authorisation by MasterCard must be preauthorised if the final sum to be debited is not known at the time of authorisation (e.g. in a hotel or car rental company) or if it is not known whether the debit will be made (for example, if it is uncertain whether the ordered goods are in stock). In such a case, the authorisation will be sent to the card issuer's organisation as a pre-authorisation. The final debit transaction must be finalised during the pre-authorisation's payment guarantee period (more details on the periods in the Rules of Card Acquiring Merchant Agreement) and it may not exceed the amount of the pre-authorisation. If necessary, you can extend the validity of an authorisation hold made with a pre-authorisation. Pre-authorisations that have proven unnecessary must be cancelled without delay, and within a maximum of 24 hours, if it is clear that the final debit will not be made or if the pre-authorised amount exceeds the sum of the final debit. Final authorisation (MasterCard) MasterCard payment card transactions requiring authorisation must be given a final authorisation when the sum to be debited is known. However, it is not obligatory to authorise a transaction if it has already been pre-authorised and the payment guarantee period is valid. Please note that card issuers will cancel any authorisation holds once the payment guarantee period has expired if the debit for which they were made has not been finalised. In order to secure payment, please send all payment transactions as soon as possible. Payment transactions must be sent within two days of being finalised. Authorisation reversal If a customer wishes to cancel an order or you wish to correct a debited transaction for some other reason, cancel the transaction on the payment terminal in accordance with the instructions of the terminal supplier or payment service provider. This will cancel the debit before the transaction data is sent. To prevent the authorisation from holding funds on the customer's account, the payment service also reverses the authorisation when the payment transaction is cancelled. Unnecessary authorisations must be reversed as soon as possible and within a maximum period of 24 hours. Credit transaction If a customer returns a product or you wish to correct a debited transaction for some other reason, make a credit transaction on the payment terminal in accordance with the instructions of the terminal supplier. A credit transaction must always be made to the same card as the one used for the original debit transaction. NB. Never make a cancellation transaction on behalf of another company. Never make a credit transaction to a different card or account than the one initially used. 6

7 Valid as of 1 November 2014 Payment service and delivery of files Always follow the instructions from the payment terminal supplier and forward the payment terminal files either without interruption, several times a day or at least once a day. In any case, the files must be forwarded within two (2) days from the reception of the transaction. The files must have the correct merchant ID, merchant category code (MCC) and merchant name, which are used to transmit settlements automatically to the bank account declared by the merchant. Incomplete or erroneous information may slow down the settlement of transactions or result in them being declined. Storing receipt information and requests for receipts Receipts must be stored for the period required by the Accounting Act and, for the purpose of any investigations, for at least 18 months after the purchase. The information on the payment receipt may be stored in printed format or electronically. Printed receipts must be stored carefully so that they are legible. The transaction files containing card information must be stored securely so as to prevent access to outsiders. The merchant is obliged to send the customer a copy of his or her receipt upon request. The merchant has the right to charge the customer a reasonable fee for sending a copy of a receipt. The merchant is also obliged to deliver to Nordea, free of charge, a copy of a receipt or an itemised invoice of an accepted payment within 10 days of a request by the bank. Reporting services Merchant Portal Merchant Acquiring's Merchant Portal allows you to monitor card sales, settlement batches and individual card transactions and transaction batches. Merchants can also download various statistics from the portal. The portal also includes a news channel for urgent messages. You can access the portal through the nordea.fi website. Select 'Merchant Acquiring' under the Netbank button. Your username is your address. If you have forgotten your password, you can request a new one from the Merchant Portal's login page. The Merchant Acquiring Customer Service will also guide you on how to use the portal. Nordea Bank Finland Plc YSO

8 Monthly statement The monthly statement is created on the first day of each month and it contains a summary of the previous calendar month's Visa and MasterCard sales and service fees. The monthly statement can be sent by or downloaded from the Merchant Portal in.pdf,.xml and.csv format. Card sales are itemised in the monthly statement according to card organisation (Visa and MasterCard) and card type. Card sales are shown in both the original transaction currency and in euros. Service fees are calculated based on the transaction batches received by Nordea during the month. Please note that card transactions are settled in accordance with the agreed settlement timetable, which means that recorded card sales will differ from the settlements made during the same month. For this reason, the settlements made during the last days of each month will be shown in the following month. You can view your settlements through the Merchant Portal by selecting 'Search' and 'transaction batches', where you can search settlements based on their date. How to read the monthly statement The first page of the monthly statement contains a summary of the previous month's card sales. No. Cur. Card sales in currency Card sales in EUR Service fee Rounding Service fee Account number Debiting date Cumulative service fees Amount Number of card transactions belonging to the card type category Transaction currency Amount of card sales in original transaction currency Card sales in euros Service fee calculated based on card transactions in the card type category Not used in Finland Not used in Finland Account number from which the service fees will be debited Date on which services fees will be debited to the account Cumulative service fees from the beginning of the year Amount of service fees to be debited from the account The second page of the monthly statement contains an itemisation of the transaction batches for which service fees will be charged. Merchant ID Batch number Reception date No. Card sales in currency Card sales Unique business location ID Number of the transaction batch Date on which the transaction batch was received by Nordea. The service fees are charged on the basis of the reception date. The reception date will not necessarily be the same as the purchase date if there has been a delay in sending the transaction batch. Number of card transactions contained in the transaction batch Amount of card sales in original transaction currency Amount of card sales in settlement currency 8

9 Valid as of 1 November 2014 Special instructions Card payment debit The merchant is entitled to charge from the cardholder a payment corresponding to the merchant's costs arising from the acquiring of card payments for a purchase made with the card. The debit requires that a notice on the debit is posted on the merchant's website and that it is ensured that the customer clearly understands before the card payment what paying with the card actually costs. The merchant must also itemise the payment amount on the customer's receipt or order confirmation. 3D Secure It is obligatory to use the 3D Secure in connection with a transaction authorisation. You can identify the cardholder with the help of the service. Your service provider will execute the 3D Secure service for you. If a card used for a purchase does not support the 3D Secure service (the customer's card has not been signed up for the service), the transaction must always be authorised and special diligence must be applied. Remember that payment will not be guaranteed if the cardholder is not identified through the 3D Secure service. If this is the case, there is always the risk that in claim cases the merchant is responsible for the purchase amount. Recurring payments The recurring payments service of Merchant Acquiring is an easy way to replace traditional paper invoices. The service is especially suited for a payment option in long-term orders made over the Internet, but it can also be used in mail and telephone orders. With the recurring payments service, you can invoice the customer daily, weekly or monthly based on the rules agreed with the customer beforehand. Recurring payments include the benefits and options of card payments, including one invoice, a term of payment and a credit facility. Recurring payments are internationally used in the following areas: Download services of music, videos etc Operator billing Magazine and newspaper subscriptions Gym memberships Travel card sales Text messaging services Electricity bills Cable TV The service accepts Visa and MasterCard products. The card issuer decides whether its cards can be used in this service. If the first transaction is an Internet payment, the service is subject to both the terms and conditions of recurring payments and the specific terms and conditions of Internet payments. If the first transaction is a mail or telephone order, the merchant is also subject to the specific terms and conditions of mail and telephone orders. It is the merchant's responsibility to ensure that no card data is stored in the shop's systems. Nordea Bank Finland Plc YSO

10 Agreement between the merchant and the cardholder The merchant must conclude a separate agreement on recurring payments with the cardholder. The customer must be informed clearly that he or she is concluding an agreement on recurring payments. If the provisions governing distance selling in the Consumer Protection Act are applicable, the merchant must ensure that the advance information defined by the law is given. In addition to the information required by the law, the following must be clearly stated in the agreement on recurring payments between the merchant and the cardholder: The agreement is applied to recurring payments, meaning that the cardholder's card is debited a payment at agreed intervals. The services or products the agreement covers. The frequency and date of debits; for example, on the last banking day once a month is an acceptable minimum definition. The amount that can be fixed or variable on the basis of the services used. Validity of the agreement The cardholder's obligation to renew the agreement if the card details change during the validity of the agreement. How to renew the agreement. The merchant must also provide the cardholder with information on the need to renew the agreement. The termination of the agreement and instructions on how to do it. The merchant's contact information. The agreement must be made in writing either on the merchant's order page on the Internet or in the form of or some other electronic recording. The merchant must store the agreement for the period the recurring payments are debited + six (6) months. The agreement must be delivered to Nordea at request. The receipt to the customer must clearly state when the merchandise is delivered and how much the customer's card is debited in accordance with the payment agreement made. The merchant must always send the cardholder an advance notification of a coming debit, for example, by . If he or she so wishes, the cardholder can cancel the agreement by informing the merchant of it. After the cancellation the merchant is no longer allowed to debit the card. Technical requirements All recurring payments must be authorised. The first payment must be made with 3DSecure (MasterCard SecureCode or Verified by Visa). If the authorisation is rejected, the transaction cannot be executed. Subsequent transactions can be executed without authorisation. Merchants can execute recurring payments when they have concluded an agreement with a payment service provider that is included in the list of providers accepted by Nordea. The payment service provider delivers 3DSecure to the merchant with which the merchant can verify the cardholder during an Internet payment or through a link in mail and telephone orders. 10

11 Valid as of 1 November 2014 Mail and telephone orders With Merchant Acquiring Mail and telephone orders you can ensure that the customer can pay for the order before you deliver it. You can acquire card payments from all over the world. You can accept payments securely through the 3DSecure service or by completing the purchase as a regular mail or telephone order through a payment terminal. In the latter case, the transaction is authorised in Nordea's authorisation service. Payment will not be guaranteed if the cardholder is not identified through the 3D Secure service. If this is the case, there is always the risk that in claim cases the merchant is responsible for the purchase amount. In mail and telephone orders the customer's card is not physically present, and for that reason the cardholder cannot be identified in the same way as when the payment is made over the Internet using 3DSecure. Without a security system all purchases contain a risk. The most recommendable procedure is to send a payment link to the customer through which the purchase can be completed over the Internet. The merchant must confirm that the payment service provider takes care of mandatory fraud monitoring, which also reduces the likelihood of misuse. A payment service provider means a company that offers the service enabling payments over the Internet and in mail and telephone orders. Fraud monitoring generates, for example, risk ratings to help the merchant to assess the risk and to make checks before sending the product. Fraud monitoring always requires also from the merchant active measures and follow-up. The execution of the purchase and the check of the card verification code (CVV2/CVC2) require that the merchant uses the hosted solution (Web solution) delivered by the payment service provider. Payment through a payment link 1. Customers place an order by telephone, fax or letter and provide the merchant with their card number, card validity and card verification code (the last three digits after the card number on the back of the card). If the order is made by letter, customers must also sign the order. If the provisions governing distance selling in the Consumer Protection Act are applicable, the merchant must take into account the requirements concerning advance information. 2. The merchant sends the order confirmation to customers by , including a link for the payment that the merchant has retrieved from the service provider's service. If the provisions governing distance selling in the Consumer Protection Act are applied in connection with an order confirmation, the merchant must deliver the advance information defined by the law and the cancellation form if these have not been delivered before in a permanent manner. 3. The customer pays the order securely on the service provider's site through 3D Secure (MasterCard SecureCode or Verified by Visa). This requires online banking codes or some other method of verifying the customer's identity offered by the card issuer. The service transfers the customer to an identification page on which the customer accepts the purchase amount to be debited to his or her card by confirming the payment. 4. The merchant receives a confirmation of payment in the service provider's service and delivers the order to the address provided. Nordea Bank Finland Plc YSO

12 Traditional mail and telephone orders 1. Customers place an order by telephone, fax or letter and provide the merchant with their card number, card validity and card verification code (the last three digits after the card number on the back of the card). If the order is made by letter, customers must also sign the order. If the provisions governing distance selling in the Consumer Protection Act are applied, the merchant must ensure that the advance information defined by the law is given. 2. The merchant enters the card details in the payment terminal and authorises the transaction and its amount by calling Nordea's authorisation service. The amount of the purchase is reserved from the customer's account. 3. The merchant sends an order confirmation to the customer. If the provisions governing distance selling in the Consumer Protection Act are applicable, the merchant must deliver the advance information defined by the Consumer Protection Act and the cancellation form in connection with the order confirmation if these have not been delivered before in a permanent manner. 4. The merchant delivers the order to the address given by the buyer and executes a purchase transaction. Updating the payment terminal If you are using a payment terminal intended for mail and telephone orders, update the payment terminal daily with the parameters made available to you by the payment terminal provider. Accept any other updates by the payment terminal supplier without delay. Secure methods of operation Internet payments Ensure that the payment service provider offers 3DSecure. The adoption of 3DSecure (Verified by Visa and MasterCard SecureCode) has reduced online fraud. If the identification of the cardholder ends with a rejection in the 3DSecure check, do not accept the transaction. Check the verification code of the card (3 last digits on the back of the card) in connection with the authorisation. If the check is rejected, do not continue to process the transaction. Do not send the product before you have checked that an increased risk rating by the payment service provider's system intended for the prevention of misuse or some other factor indicating higher risk is not related to the transaction. Mail and telephone orders If possible, send the customer a link which he or she can use to complete the order as an Internet purchase using 3D Secure. Check that the delivery address is the buyer's home address. Check that the order is delivered to the country in which the card has been issued. Check the verification code of the card (3 last digits on the back of the card) in connection with the authorisation. If the check is rejected, do not continue to process the transaction. Only complete the transaction if your authorisation request is accepted. If there are repeated rejections given to the same card before an acceptance, the received authorisation reply may not be valid. 12

13 Valid as of 1 November 2014 Watch for fraudsters In receiving payments you should be aware of possible fraudsters who, for example, try to order products for reselling purposes without ever intending to pay you for the product. The following may indicate a higher risk: A first-time customer A relatively large transaction amount or more purchases than usual The customer hesitates when giving personal information (see above) The customer wants an express delivery The customer makes random purchases, does not care about the colour, whether something is out of stock or orders one item of each product The customer's delivery address differs from the home address The customer pays with several cards The delivery address is in another country A higher than normal risk assessment from the payment service provider's misuse prevention system Suspicion of misuse If one or several of the statements in the previous section are true, the order may include a risk of fraud. If you suspect misuse, pay special attention to the information below. You can contact the payment service provider for support in the assessment and to agree on measures with which the risk can be restricted, if necessary. If after making the checks you still suspect misuse, it is better to cancel the transaction and not to deliver the customer's order. If you suspect misuse, contact also Merchant Acquiring's customer service without delay; see Contact information. Never return the customer's money to his or her account, except by refunding the card used for the purchase. Investigate the transaction in the fraud prevention system provided by the service provider (Use the fraud prevention system provided by the service provider or purchase the service from a third party). Check all purchases for unusual purchase behaviour, such as o several purchases with the same card o exceptionally large sums o delivery address in a different country o the same delivery address in purchases made with different cards Update your company's practices and action plan regarding the maximum amount and number of purchases allowed on one card or the maximum number of deliveries allowed to one address. If something seems suspicious, call the customer and ask him or her questions, such as which bank has issued the customer's card, what is the customer's address etc. Observe whether the customer hesitates in giving normal information required for making the purchase. You can also send a letter if you cannot reach the customer by phone. If necessary, check the customer's address by using the telephone number. Be careful when selling products to countries not using 3D Secure, such as the United States. Please take into account that corporate cards issued outside Europe do not have a payment guarantee so accepting them always involves a higher risk. Nordea Bank Finland Plc YSO

14 Check whether the customer has purchased something before, what the delivery address has been and if you have received earlier claims, whether the given delivery address has been used. Be careful with deliveries requested to PO boxes, corporate addresses, hospitals and prisons. Think whether it feels sensible that a customer living in another country buys this product from Finland. Use common sense. If something looks too good to be true, it probably is! Misuse If you notice that misuse has taken place, contact also Merchant Acquiring's customer service without delay; see Contact information. In addition, we recommend that you consider why the misuse has happened and if there is something in your practices and operating methods that should be updated. You can also contact the payment service provider to agree on measures with which the risk can be restricted, if necessary. Nordea can also contact a merchant if we notice suspicious transactions in our own follow-up. Complaints (refunds) Almost all card transactions are accepted without problems. However, sometimes cardholders make complaints to the card issuer about a transaction made with their card. The card issuer is entitled to make a complaint to a merchant about a card transaction in certain special situations. Visa and MasterCard have defined these situations carefully. Less than one refund is made per 1,000 transactions. Here is a list of the most common reasons for complaints worldwide: the authorisation request was not accepted the termination of a subscription (recurring transactions) double debits purchases with closed cards undelivered product or service card fraud. Prevention and handling of complaints best practices Complaints cause extra costs and extra work, so it is worthwhile to avoid them with the following good practices: Send the order confirmation to the customer in a permanent manner, e.g. by . Take into consideration the obligations to disclose provided by the Act. Communicate the potential expenses clearly. Deliver the products or services in time. Contact the customer if there are delays in the delivery. Communicate the contact information so that it is easy for the customer to contact your company. Deal with returns quickly. If a cardholder returns a product or service he or she has purchased, the credit transaction must always be made to the same card that was used to make the purchase. 14

15 Valid as of 1 November 2014 If you get a request for a receipt copy, reply quickly and with sufficient information. Communicate the practices applied to complaints and returns on your website. Process complaints and customer feedback quickly. Forward the card transactions in time after a purchase (no later than 2 days from the transaction). Consider these when making a website All laws and regulations governing distance and online sales must be complied with. The website must contain information on how the customer can contact the company. It must also indicate that the company is using 3D Secure, Verified by Visa and MasterCard SecureCode. The cardholder must accept the terms and conditions in connection with making a purchase. It is not sufficient that the customer ticks a box without seeing the terms and conditions on the screen. The terms and conditions must show on the screen, after which the customer can tick the box and accept the choice. How to act if you receive a complaint for a card payment When Nordea sends you a request concerning the transaction subject to the complaint, send the information as soon as possible to Merchant Acquiring; however, within 5 days. If the merchant does not provide sufficient information or does not meet the time limit, the complaint is decided in favour of the cardholder and the merchant must return the claimed payment to the cardholder. In its reply to the complaint, the merchant must confirm that the purchase has been made by the right person and that the product has been delivered. Secure card environment It is important to understand the requirements of the PCI DSS (Payment Card Industry Data Security Standard) in order for the customer to make purchases as securely as possible. The merchant must make sure that it is not possible to penetrate its systems and to install a program enabling card fraud. Below is a check list of the issues you need to monitor constantly. They are also related to the most common ways for the fraudsters to infiltrate a company's systems. Install and maintain firewalls Use anti-virus software and update it regularly Restrict access to the data to only those who need it for business purposes Create an individual user ID for each user of the data system Remove the possibility to use the payment system remotely Limit the access to the customers' ledger Select a complex password for the systems Keep a log on the use of the systems Use strong encryption in unprotected networks and do not allow access to the payment system via an unprotected network If you are using a payment terminal, make sure it is only serviced by an authorised party Nordea Bank Finland Plc YSO

16 What consequences could a card data theft have? The merchant's brand suffers and the customers' confidence in the merchant decreases. The card data may be used in card forgeries or for making online purchases. Any complaints may have a major financial effect on your company. Fines, fees or compensations for losses charged by Visa and/or MasterCard or Nordea. Negative publicity PCI self-assessment You are therefore asked to complete a self-assessment according to Visa and MasterCard's security requirements, ie the Payment Card Industry Data Security Standard (PCI DSS) annually. Your company's PCI contact person will receive via a link to a survey which deals with the security of your company's payment environment. Nordea's PCI support is pleased to help you in matters related to PCI and filling-in the survey; see Contact information. Instructions for exceptional situations If an exceptional situation arises, you can always contact our customer service. In the table below, you will find instructions for the most common problem situations. Payments Card denied in payment authorisation Problems with the functioning of the payment service or in its functionalities If the payment transaction is not accepted, additional check-ups are not possible via the authorisation service. The cardholder or the issuer of the card may also have prevented the online use of the card for security reasons. Ask the customer to contact the card issuer or ask the customer for another means of payment. Contact the payment service provider. Returns and credit transactions Customer wishes to return a product or cancel a service Credit transaction unsuccessful Make a reversal transaction in accordance with the payment service supplier's instructions. If you are unable to make a reversal transaction, you can make a credit transaction. A credit transaction must always be made to the same payment card as the one used for the original debit transaction. The sum of the credit transaction may not exceed the original debit transaction. Usually the credit transaction can be made through the service of the payment service provider. Contact the payment service provider. 16

17 Valid as of 1 November 2014 Settlements Transaction batch has not been forwarded for processing Visa and MasterCard transactions have not been settled American Express, Diners and Käyttöluotto transactions have not been settled Payment terminal supplier's, American Express's or Diners' payment reference missing from settlements Contact the payment service provider (ipsp). For investigating the matter, the following are needed: merchant's name and business identity code, merchant ID, transaction date and delivery date of the file, reference, batch ID, amount, number of transactions and payment reference number. ipsp finds out whether the batch in question has been included in the file sent (batch ID and delivery ID needed) and if it has been transmitted successfully. The payment terminal providers have online services of their own use these to check whether the transactions have been transmitted. You can check the status of Visa and MasterCard transactions in the Merchant Portal. If the service indicates that the transactions have been settled, you can check the settlements from your bank account. NB. Settlements may be credited to the bank account on different dates depending on the card. Contact Merchant Acquiring's customer service if the Visa and MasterCard transactions have not been settled to your account within the agreed timetable. The payment terminal providers have online services of their own use these to check whether the transactions have been transmitted. If the service indicates that the transactions have been settled, you can check the settlements from your bank account. NB. Settlements may be credited to the bank account on different dates depending on the card. If the transactions have not been settled to your account within the agreed timetable, please contact American Express, Diners or Nordea Finance. Contact the payment service provider. Nordea Bank Finland Plc YSO

18 Important contact details Merchant Acquiring Customer Service Tel , Mon Fri (local network charge/mobile call charge). Maundy Thursday and New Year's Eve Our customer service will help you with the following matters: Visa and MasterCard acquiring and related inquiries. Advice or support related to the Merchant Portal. Advice on settlements. Advice or help on the service or if you want to make changes to the service (NB. account number changes must be made through your own branch). Checks and procedures related to file uploads and downloads. Advice in problem situations. Merchant Acquiring's automated authorisation service Tel (local network charge/mobile call charge), 24/7. An automated authorisation service, which you can access in Finnish, Swedish or English. The service is provided to merchants in situations in which there are problems in processing authorisations. The service proceeds step by step, requesting the merchant to enter the merchant ID the card number the card expiry date the three-digit CVC2/CVV2 security code the sum rounded up to the nearest full euro. For example, in the case of the amount of euros, 89 euros is given as the amount for a payment terminal. You will receive an authorisation code for the payment and can complete processing the card payment at the payment terminal. Merchant Acquiring's personal authorisation service Tel (local network charge/mobile call charge), open Mon Fri , Sat , Sun (noon) Merchant Acquiring's PCI support Tel (local network charge/mobile call charge), pci@nordea.com 18

19 Valid as of 1 November 2014 Other important contact details Keep all other important contact details also at hand so that you can quickly resolve any problems that may arise. The transaction files are transmitted via the payment service supplier chosen by the merchant. After this, the transaction files are processed in different places depending on the card. American Express tel Diners tel Netaxept (Nets) tel Payex tel Point tel Nordea Bank Finland Plc YSO

20 This handbook is intended for everyone whose work includes acquiring of MasterCard and Visa payments. All merchants with a valid Card Acquiring Merchant Agreement are obliged to follow the instructions in this handbook. The instructions for merchants are available in Nordea Merchant Acquiring's Merchant Portal and at Nordea branches, or they can be delivered to merchants by other means. Detailed instructions on the use of the payment service systems are available in the service providers' user guides. 20