Visa Global Acquirer Risk Standards (GARS)

Transcription

1 Visa Glbal Acquirer Risk Standards (GARS)

2 The Visa Glbal Acquirer Risk Standards guide was develped fr member use in managing merchants and Third Party Agents. It is intended fr member distributin. Members may distribute this guide t their merchants and Agents, as apprpriate.

3 Table f Cntents Abut This Guide Backgrund Guide Purpse Hw This Guide is Organized Visa Glbal Acquirer Risk Standards Overview Acquirer Risk Respnsibilities Cntrl Mechanisms Acquirer Plicies Plicy Develpment Plicy Apprval Plicy Submissin t Visa Slicitatin Material Review Legal Cnsult Requirements Merchant Agreement Member Payment Acceptance Rle Merchant Agreement Transfer Merchant Agreement Review Merchant Agreement Apprval Merchant Terminatin Infrmatin Security Cmpliance Merchant Ntificatin f Agent Use Merchant Agreement Disclsure Page Merchant Settlement Respnsibility Merchant Agreement Requirements Merchant Prhibitins Merchant Agreement Cntent Merchant Applicatin Merchant Applicatin Member Name and Cntact Infrmatin Merchant Applicatin Business Backgrund and Infrmatin Special Applicatin Cnsideratins fr Card-Absent Merchants Separate Internet Merchant Applicatin Additinal Internet Merchant Applicatin Infrmatin Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved. i

4 4. Funding and Reserves Member Reserve Respnsibility Reserve Cntrls Payments t Merchants Mnitring Merchants and Agents Merchant Activity Mnitring Oversight E-Cmmerce Merchant Cntent Review Agent Activity Mnitring Oversight Merchant Data Retentin and Review Unusual Activity Reprting High-Brand Risk Merchant Data Retentin and Review Unusual Activity Reprting fr High-Brand Risk Merchants Merchant Investigatin Acquirer Investigatin Fllw-Up Mentr Investigatin Assistance Training and Educatin Merchant/ Agent Training and Educatin Managing Third Party Agent Risk Member Use f Agents Member Respnsibilities When Using Agents Terminatin f Agent Cntracts Quarterly Agent Review Agent Audits and Reviews Agent Requirements fr Prviding Infrmatin Merchant Slicitatin Use f High-Risk Independent Sales Organizatin (HR ISO) Use f Payment Service Prvider (PSP) High-Brand Risk Internet Payment Service Prvider Prcessing Requirements Managing Additinal Aspects f Merchant Risk Merchant Qualificatin Standards Merchant Disclsure Requirements Merchant Website Disclsure Registratin Requirements fr High-Risk Telemarketing Merchants (U.S. regin) Additinal Requirements fr all Risk Acquirers Request fr Infrmatin Requirement Additins t the Visa Merchant Trace System (Asia-Pacific regin) Transactin Receipt Depsit i i Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

5 Appendix A Visa Acquirer Risk Management Plicies Visa Plicy Requirements Merchant Underwriting Cntent Cverage Merchant Prtfli Risk Management Cntent Cverage Appendix B Rules fr the Disclsure Page Disclsure Page Examples Appendix C Third Party Agent Due Diligence Risk Standards Appendix D Visa Glbal Acquirer Risk Standards Checklist Appendix E Prper Merchant Name Descriptins Appendix F Acquirer Risk Cntrls fr Payment Service Prviders (PSPs) and Spnsred Merchants Acquirer PSP Prgram Eligibility Acquirer Liability and Accuntability fr PSPs Acquirer and PSP Merchant Agreement PSP Activity and Perfrmance Requirements and Restrictins Spnsred Merchants Underwriting Glssary Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved. i i i

6 i v Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

7 Abut This Guide Backgrund Guide Purpse Hw This Guide is Organized The bligatin t manage and mnitr merchant and Agent relatinships has been a lng standing member respnsibility. The Visa Internatinal Operating Regulatins and Reginal Operating Regulatins place respnsibility fr merchant and Agent versight and any lsses caused by either entity n the acquirer. The Visa Glbal Acquirer Risk Standards (GARS) is designed t help members: Understand their accuntabilities and respnsibilities t the Visa payment system. Oversee and cntrl their relatinships with merchants and Agents. Ensure their day-t-day peratins and practices are in cmpliance with the Visa Glbal Acquirer Risk Standards and the VIOR. This guide shuld be used in cnjunctin with the VIOR. Please refer t the latest versin f the VIOR fr a full list f requirements. Imprtant nte: All acquirers must cmply with the requirements specified in the GARS, except where required by lcal law. Where there is a difference between the infrmatin prvided in this guide and the VIOR, the requirements prvided by the VIOR take precedence. The Visa Glbal Acquirer Risk Standards (GARS) is rganized as fllws: Visa Glbal Acquirer Risk Standards Overview highlights the acquirer s key risk respnsibilities and accuntabilities when managing merchant and Third Party Agent relatinships. Sectin 1: Plicies utlines the plicies needed t mitigate acquirer and any risks that may be presented t the Visa payment system. Sectin 2: Merchant Agreements fcuses n minimum requirements that acquirers must meet when develping merchant agreements. Sectin 3: Merchant Applicatin defines essential member infrmatin that must be prminently displayed n a merchant applicatin. Sectin 4: Funding and Reserves describes the acquirer s respnsibility fr merchant settlement and the requirements fr hlding and cntrlling merchant reserves. Visa Glbal Acquirer Risk Standards (GARS) 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

8 Sectin 5: Mnitring Merchants and Agents identifies the cntrls that must be in place t adequately track and evaluate merchant and Agent payment prcessing activity. Sectin 6: Training and Educatin cvers the member s respnsibility t ensure that its merchants and Agents are prperly infrmed and trained t be able t fllw all the plicies and prcedures required t ensure cmpliance with the VIOR. Sectin 7: Managing Third Party Agent Risk explains the actins that Visa members must take t minimize Agent risk expsure. Sectin 8: Managing Additinal Aspects f Merchant Risk highlights additinal requirements and cntrls t cntrlling merchant prgram risk. The Appendices cntain imprtant supplemental infrmatin. The cntents are rganized as fllws: Appendix A includes recmmended cntent elements t help acquirers and Agents develp plicies that prperly supprt merchant risk management and ensure Agent cmpliance with Visa rules and regulatins. Appendix B prvides a sample cpy f the Disclsure Page that must be included if an Agent is a party t an agreement between the member and the merchant. Appendix C cntains the Third Party Agent Due Diligence Risk Standards (Revised December 2008) t be administered during the negtiatin prcess and thrughut the life f the agreement. Appendix D prvides a GARS checklist that can be used t assist the acquirer in maintaining cmpliance with the minimum risk standards specified by Visa. Appendix E explains hw t assign the crrect Merchant Descriptrs fr spnsred merchants. Appendix F includes a set f cntrls that acquirers must apply when using Payment Service Prviders (PSPs). A Glssary has been included at the end f this guide t define terms cmmnly used as part f the Visa Glbal Acquirer Risks Standards. 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

9 Visa Glbal Acquirer Risk Standards Overview The Visa Glbal Acquirer Risk Standards prtect the Visa payment system and supprt the safety and sundness f all Visa members by clarifying a member s respnsibilities fr managing merchant and Third Party Agent relatinships. Acquirer Risk Respnsibilities All acquirers in the Visa payment system must ensure their peratins cmply with the VIOR and the minimum standards detailed in this guide. Key acquirer risk respnsibilities identified by Visa include the fllwing: In This Area: Members Must: Plicies Implement plicies that include the minimum standards established by Visa t mitigate risk t the Visa payment system. The plicies must be apprved by the member s Bard f Directrs r an apprpriate senir versight cmmittee. Be made available t Visa upn request. Merchant Underwriting and Agreements Funding and Reserves Mnitring Merchants and Agents Training and Educatin Managing Third Party Agent Risk Managing Additinal Aspects f Merchant Risk Cntrl merchant apprval. Utilize merchant agreements that meet Visa minimum requirements fr disclsure and clearly define bth member and merchant bligatins. Ensure that any merchant agreements are reviewed and apprved prir t their use. Cntrl all funds related t Visa merchant acceptance, including settlement, reserves, hldbacks and ther funds; nn-members are prhibited frm direct cntrl ver such funds. Have adequate cntrls t mnitr Agent and merchant activity t ensure cmpliance with Visa requirements and prevent harm t the Visa payment system. Prvide merchants and Third Party Agents with the necessary educatin and training. Ensure merchants and Third Party Agents are aware f the member s plicies and guidelines and remain in cmpliance with VIOR and Reginal Operating Regulatins. Register all Third Party Agents with Visa and manage/cntrl the Agent relatinship by adhering t Visa s Third Party Agent Due Diligence Risk Standards. Incrprate risk management effrts int every aspect f merchant relatinships and daily peratins. Visa Glbal Acquirer Risk Standards (GARS) 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

10 Cntrl Mechanisms Cmpliance and On-site Reviews T ensure cmpliance with the Glbal Acquirer Risk Standards, acquirers and/r their Agents may be reviewed as needed n a risk-priritized basis. Visa may, at its discretin, require that acquirers cntract directly with Visa, r with a Visa Apprved Vendr t perfrm a review f their peratins. The acquirer Appendix D cntains a list f functinal areas and practices that are assessed during the acquirer review prcess. wuld be accuntable fr frwarding a cpy f the review reprt t Visa. Each review utilizes varius techniques t ensure an acquirer s r Agent s cmpliance with the key respnsibilities and ther peratinal requirements. Remediatin Mechanisms Fllwing the nsite review, and based n the severity f the findings, the review reprt may include specific crrective actins r ther risk reductin measures defined in the VIOR. The acquirer will then respnd t the findings with a remediatin plan. Visa will cntinue t wrk and track the acquirer s remediatin prgress. If an acquirer fails t implement an apprved remediatin plan within the specified time frames, Visa may impse the Crprate Risk Reductin Measures as specified in the VIOR. 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

11 1. Acquirer Plicies 1.1 Plicy Develpment 1.2 Plicy Apprval 1.3 Plicy Submissin t Visa A clearly stated, fully endrsed risk management plicy is essential t any acquirer peratin. It helps ensure that all emplyees understand management s directin and business bjectives. It is imprtant that emplyees are educated n plicies that apply t their jbs and that they knw what is expected f them, including hw t handle any plicy exceptins. An acquirer must implement a written plicy t gvern the underwriting, mnitring, and cntrl f its merchants and Agents. An acquirer s plicy must include Visa s minimum standards t cntrl risk in the Visa payment system. It may be ne cmprehensive dcument r separate plicies that address Visa s requirements. If separate plicies are used, they shuld be stred in a cmmn lcatin where they can be readily accessed and reviewed upn request. It is recmmended that the acquirer s plicy is reviewed and, where necessary, updated annually. Appendix A prvides a summary f recmmended plicy cntent elements fr acquirers t review and use when assessing their current plicy, r in develping a new plicy. The sample dcument is nt intended t be used as an acquirer s cmplete plicy dcument. Rather, it is a guide fr members t use t make certain that the cntent f their plicies meets Visa s requirements. It is recmmended that an electrnic cpy f the plicy be maintained s that it can be easily mdified t meet an acquirer s changing needs. The acquirer must als prvide a plicy dcument fr merchant/agent distributin that clearly defines the acquirer s rules and plicies and the Agent s r merchant s respnsibilities. An acquirer must ensure that all merchant acquiring business and Agent management plicies are apprved by its Bard f Directrs. The acquirer s plicies must be apprved by its Bard f Directrs r an apprpriate executive level cmmittee. A Bard f Directr endrsement can assist in increasing awareness and exercising versight f the risks invlved in the acquiring business. An acquirer must prvide the member s written plicy dcument t Visa upn request. The member s written plicies may be requested and evaluated during a peridic review f the acquirer peratins. Additinally, Visa may request a cpy f the plicies as necessary in cnjunctin with ther cmpliance issues. This requirement allws Visa t determine if a member is adhering t its wn plicies. It als helps prtect the safety and sundness f the Visa payment system. Visa Glbal Acquirer Risk Standards (GARS) 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

12 1.4 Slicitatin Material Review 1.5 Legal Cnsult Requirements An acquirer must implement a plicy and a set f prcedures fr reviewing slicitatin materials used by its Agents. Acquirers must have a plicy in place that ensures the review f an Agent s slicitatin materials t prevent harm t their reputatin and that f the Visa payment system. The member s plicy must include a prvisin that prhibits the use f misleading statements in all slicitatin materials, r in any way creates the impressin that the agent is mre imprtant than the member. Members may chse t prvide training materials and guidelines t their Agents n what standards are cnsidered acceptable fr use in develping slicitatin materials. Hwever, the use f these materials des nt cnstitute cmpliance with this requirement and des nt abslve the member f the respnsibility t review Agent slicitatin materials. Members must include a review f Agent slicitatin materials during their peridic assessment f the Agent s peratins and financial cnditin. An acquirer must abide by the plicy requirements fr the sale f prescriptin drugs (MCC 5122/5912) 1 in a card-absent envirnment. A member must btain a written pinin frm an independent and qualified legal cunsel stating that the merchant s activity fully cmplies with all laws and regulatins applicable t Visa. This cnfirmatin must be btained n a peridic basis, n less frequently than every 12 mnths. Upn Visa request, the member must prvide a cpy f the legal pinin, as necessary, in cnjunctin with ther cmpliance issues. 1 Visa may in the future change the MCC 5122, Drugs, Drug Prperties, and Druggist Sundries /MCC 5912, Drug Stres and Pharmacies t include additinal merchant categries. 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

13 2. Merchant Agreement The merchant agreement is a legally-binding dcument that ensures that a merchant perates under the rules and regulatins established by Visa and the acquirer. An imprtant pint fr all acquirers t remember is that merchants shuld nt be managed by reserves alne. The nly way fr acquirers t effectively manage their expsure is thrugh prper underwriting and mnitring. The merchant agreement shuld be thrugh enugh t prtect the acquirer frm imprper card prcessing and include the minimum prvisins stated in the VIOR. 2.1 Member Payment Acceptance Rle 2.2 Merchant Agreement Transfer The merchant agreement must indicate the member is a principal party t the cntract and merchant acceptance f Visa prducts is extended by the member. Visa payment system acceptance is the rle f the member, nt the Agent. Members are respnsible fr all merchant relatinships that access the Visa payment system thrugh their licensed Bank Identificatin Numbers (BINs). Visa recgnizes that Agents ften perfrm ther functins fr merchants. Hwever, allwing the Agent t perfrm these services must nt prmte the Agent abve the member in the eyes f the merchant. An acquirer must cnsent t the assignment and/r transfer f a merchant agreement t anther member. Merchants may be freely slicited and underwritten by all acquiring members. Individual merchants may als chse t mve their relatinship frm ne acquirer t anther withut btaining the cnsent f the acquirer where their current relatinship is dmiciled. Additinally, Agents can freely slicit new merchants fr any member that has registered the Agent with Visa. Nn-members may nt transfer individual r multiple merchant relatinships (prtflis) frm ne member t anther withut the express written apprval f the member hlding the merchant agreement. Ownership f the merchant s Visa transactins rests with the Visa member with whm the merchant has a signed merchant agreement. This ensures that members are aware f and cnsent t an Agent s intent t mve a grup r prtfli f merchants t anther member. Visa Glbal Acquirer Risk Standards (GARS) 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

14 2.3 Merchant Agreement Review 2.4 Merchant Agreement Apprval An acquirer must implement a plicy and prcedure fr reviewing merchant agreements used by their Agents. Members must review and apprve all merchant agreements used by their Agents t ensure the agreements cmply with Visa s minimum cntent requirements established by Visa. Members that permit an Agent t use a merchant agreement that has nt been develped by the member must peridically review and apprve the dcument t make certain it cmplies with member and Visa requirements. A peridic review can als help ensure that the Agent des nt mdify r change any terms cntained in the agreement. Visa des nt regulate the terms between the member and the Agent ther than thse specified in the VIOR, Reginal Operating Regulatins, and the Visa Glbal Acquirer Risk Standards. Fr example, Visa des nt regulate the fees, cmmissins, and ther financial terms between the member and the Agent. An acquirer must apprve all merchant agreements prir t entering any transactins int Interchange. Members must cntrl the apprval f all merchants befre they allw the merchant t prcess any transactins. Agents are nt permitted t execute merchant agreements n behalf f a member. Members may use varius means t ensure they review and apprve all merchants befre allwing them t prcess any Visa transactins: The acquirer must have the merchant applicatin, agreement, and underwriting materials transmitted t their underwriting staff fr review and apprval prir t activating the merchant. Acquirers may prvide their Agent with specific criteria that must be met fr member apprval. This prcess allws fr merchant activatin prir t member due-diligence review and apprval. Acquirers that use this prcess must ensure they actively mnitr their Agents and test fr cmpliance with underwriting plicies. The member is required t remain invlved with merchant apprvals and maintains a system fr mnitring plicy cmpliance. Members that prvide their Agents with data-entry capabilities must be able t review all new merchant recrds and merchant recrd mdificatins befre they becme effective in the member s system. Members must mnitr Merchant Categry Cde (MCC) assignments, and have access t their Agent s internal systems fr viewing merchant infrmatin held by the Agent. 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

15 2.5 Merchant Terminatin 2.6 Infrmatin Security Cmpliance The merchant agreement must include a clause that prvides fr the immediate terminatin f a merchant by the member fr any activity that may create harm r lss t the gdwill f the Visa payment system. Members shuld invke this clause when a merchant s business practices and exceptin item activity are such that they create a substantial risk f lss and/r harm t the Visa payment system. This includes participating in illegal activity. Members shuld nt abdicate their respnsibility fr terminating a merchant t their Agents. In additin t prtecting their individual interests, members must make decisins that are in the best interest f the Visa payment system. Merchant financial reserves d nt fully mitigate harm t the system r damage t cardhlder expectatins. The merchant agreement must include a clause that ensures that merchants and Third Party Agents acknwledge and understand the imprtance f cmpliance with Visa security requirements, such as thse relating t transactin infrmatin, strage, and disclsure. A merchant has an bligatin t prtect transactin infrmatin. Acquirers must educate their merchants n the imprtance f this cntractual bligatin and the cnsequences f failing t adequately prtect cardhlder data. The Payment Card Industry (PCI) Data Security Standard (DSS) is intended t help prtect Visa cardhlder data wherever it resides ensuring that custmers, merchants, and service prviders maintain the highest infrmatin security standard. It ffers a single apprach t safeguarding sensitive data fr all payment systems. Merchant agreements must specify that all merchants and Third Party Agents that have access t cardhlder data maintain and demnstrate cmpliance with the PCI DSS requirements and all subsequent requirement updates. Details f PCI DSS, as well as the list f PCI DSS cmpliant service prviders are available at (A glbal site link is available fr a specific cuntry r regin access). Members shuld refer t this website as a definitive surce f infrmatin fr the merchant regarding PCI DSS cmpliance, as well as ther infrmatin t assist the merchant in implementing effective security measures fr cardhlder data. Visa Glbal Acquirer Risk Standards (GARS) 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

16 2.7 Merchant Ntificatin f Agent Use 2.8 Merchant Agreement Disclsure Page 2.9 Merchant Settlement Respnsibility The merchant agreement must include a clause that requires the merchant t ntify the acquirer f its use f any Agent that will have access t cardhlder data. All Agents that access, stre, transmit, r prcess cardhlder data must be registered with Visa and cmply with established data security standards. Prper educatin and ntificatin must be prvided t merchants t ensure they understand their bligatin t ntify their member when they intend t use an Agent. Members must ensure that nly Visa-registered Agents are utilized. The member shuld request upn applicatin that the merchant identify all third parties invlved in the payment prcess that may have access t cardhlder data. Members shuld review merchant applicatins t identify, evaluate, and register any such Agents. An acquirer must ensure each merchant agreement includes a Disclsure Page that identifies the member and its respnsibilities when an Agent is a party t the agreement. Tri-party agreements are permitted in the Visa system; hwever, they can negate the imprtance f the member s relatinship with the merchant. If an Agent is a party t an agreement between the member and the merchant, a Disclsure Page is required. It must be signed by the merchant at All entities that stre, prcess, r transmit data must cmply with Payment Card Industry Security Standard (PCI DSS) requirements. Disclsure Page samples have been included in Appendix B fr member reference. the time they are slicited by the Agent. Cpies f the Disclsure Page must be immediately prvided t the merchant and attached t the executed merchant agreement. The merchant agreement must state that the member is respnsible fr prviding settlement funds directly t the merchant. The security and handling f merchant funds is a fundamental acquirer respnsibility. This functin cannt be delegated t a nn-member. Merchants must clearly understand that members have direct respnsibility fr settlement. They must als be advised that Agents are nt permitted t directly access r hld merchant funds whether frm settlement r reserves. This requirement des nt prhibit a VisaNet prcessr frm mving settlement funds frm Interchange thrugh the acquirer t the merchant s settlement accunt. In the case where a VisaNet prcessr is als perating as a Third Party Agent, Visa des nt grant the prcessr the right t hld r access a merchant s funds. If funds cannt be prvided directly t the merchant, they must be frwarded t the acquirer. 1 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

17 2.10 Merchant Agreement Requirements An acquirer s merchant agreement must be develped frm a risk perspective t ensure the merchant perates under the rules and regulatins established by Visa and the acquirer. Requirements include the fllwing: An acquirer must have a merchant agreement with each f its merchants. An acquirer may nly accept transactin receipts frm a merchant with which it has a valid merchant agreement. It is the acquirer s respnsibility t cmmunicate VIOR t the merchant. The acquirer must assume respnsibility fr any failure by its Agent t cmply with the VIOR and Reginal Operating Regulatins, including but nt limited t, any vilatin resulting in a chargeback r fraud. The acquirer must ensure that the merchant cmplies with the applicable sectins f the VIOR and Reginal Operating Regulatins. In the merchant agreement, an acquirer must clearly distinguish fees assciated with Visa transactins separately frm fees assciated with ther card transactins. The acquirer must nt prhibit a merchant frm using terminal prcessing services ffered by cmpetitrs t deliver Visa transactins captured at the pint-f-transactin directly t VisaNet fr clearing and settlement. A merchant agreement must cntain all f these additinal prvisins: Transactin depsit restrictins, as specified in the VIOR and Reginal Operating Regulatins Transactin prcessing prhibitins, as specified in the VIOR Prhibitin against a merchant depsiting a transactin receipt that des nt result frm an act between the cardhlder and the merchant r the cardhlder and a spnsred merchant (laundering) Prhibitin against a merchant depsiting a transactin receipt that it knws r shuld have knwn t be either fraudulent r nt authrized by the cardhlder The merchant is respnsible fr its emplyees actins while in its emply Disclsure f accunt r Visa transactin infrmatin prhibitins, as specified in the VIOR Disclsure that the PCI DSS cmpliance is required Merchant respnsibility fr demnstrating cmpliance with PCI DSS A requirement that the merchant, if underging a frensic investigatin must fully cperate with the investigatin until cmpleted Visa Glbal Acquirer Risk Standards (GARS) 1 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

18 A merchant agreement must allw the merchant t designate as its Agent a third party (that des nt have a direct agreement with its acquirer) t ensure the direct delivery f Visa transactins t VisaNet fr authrizatin clearing and settlement. The merchant must: Advise the acquirer that it will use a Third Party Agent Agree that the acquirer must reimburse the merchant nly fr the amunt f Visa transactins delivered by that Agent t VisaNet, less the apprpriate discunt fee 2.11 Merchant Prhibitins An acquirer must include a list f merchant prhibitins in the merchant agreement r an attached addendum as a referenced item in the merchant agreement. The list f prhibitins shuld clearly state that a merchant must NOT: X Accept cardhlder payments fr previus Visa Card r Visa Electrn Card charges incurred at the merchant lcatin. X Require a cardhlder t cmplete a pstcard r similar device that includes the cardhlder s accunt number, card expiratin date, signature, r any ther card accunt data in plain view when mailed. X Add any surcharge t transactins. X Add any tax t transactins, unless applicable law expressly requires that a merchant be permitted t impse a tax. Any tax amunt, if allwed, must be included in the transactin amunt and nt cllected separately. X Enter int Interchange any transactin receipt fr a transactin that was previusly charged back t the acquirer and subsequently returned t the merchant, irrespective f cardhlder apprval. The merchant may pursue payment frm the custmer utside the Visa system. Applicable Laws A Member must cmply with applicable laws and a Transactin must be legal in bth the Cardhlder s jurisdictin and the Merchant Outlet s jurisdictin. In the event f any cnflict between the VIOR and any applicable law, the requirements f the law gvern. See als: Cardhlder Ntificatins Merchant Agreement ID#: X Request r use an accunt number f any purpse ther than as payment fr its gds r services. X Disburse funds in the frm f travelers cheques, if the sle purpse is t allw the cardhlder t make a cash purchase f gds r services frm the merchant. X Disburse funds in the frm f cash, unless: Merchant is a Ldging r Cruise Line merchant disbursing cash t a Premium Visa Prduct cardhlder, as specified in VIOR, 1 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

19 Merchant is dispensing funds in the frm f travelers cheques, Visa TravelMney Cards, r freign currency. In this case, the transactin amunt is limited t the values f the travelers cheques, Visa Travel Mney Card, r freign currency, plus any cmmissin r fee charged by the merchant, r Merchant is participating in the Visa Cash Back Service, as specified in VIOR X Accept a card t cllect r refinance existing debt that has been deemed uncllectible by the merchant prviding the assciated gds r services. X Enter int Interchange a transactin that represents cllectin f a dishnred check Merchant Agreement Cntent A merchant agreement must specify all the cntractual requirements and the merchant prhibitins as stated in the VIOR. An acquirer may include ther prvisins in its merchant agreement if prvided the prvisins are cnsistent with the VIOR. Each merchant agreement must: State the terms required t satisfy payment directly t the merchant. This includes, but is nt limited t, the name f the financial institutin t which the acquirer, its Agent, r spnsred members must depsit funds fr payment f Visa transactins. Clearly state the acquirer s name and lcatin in a fnt size cnsistent with the rest f the merchant agreement printing, and in a manner that makes the acquirer s name readily discernible by the merchant. Be signed by the acquirer and remain n file at the acquirer s place f business. Visa Glbal Acquirer Risk Standards (GARS) 1 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

20 3. Merchant Applicatin A well-cnstructed merchant applicatin is essential t btaining relevant infrmatin abut all aspects f a merchant s business. Equally imprtant, is the need fr acquirer identificatin. Pertinent acquirer cntact details shuld be clearly displayed t avid any merchant uncertainty as t wh t g t with service issues and/r questins. 3.1 Merchant Applicatin Member Name and Cntact Infrmatin 3.2 Merchant Applicatin Business Backgrund and Infrmatin The member name and cntact infrmatin must be present n the merchant applicatin and be clear and cnspicuus. Members must ensure their financial institutin s name, cntact address, and phne number are prminently displayed n the merchant applicatin in a fnt size that makes this infrmatin cnspicuus t the reader. Members are accuntable and liable fr the actins f their Agents. It is therefre essential that prspective merchants have ready access t the member. Merchants must be able t cntact the member at any time, fr any reasn. Members may allw an Agent t place its wn cntact name, phne number, and its lg n the applicatin. This infrmatin must nt be mre prminent than the member cntact infrmatin and shuld nt discurage the merchant frm cntacting the member t reprt service deficiencies. Nte: If the Agent s lg is present n the merchant applicatin, the acquirer s lg must als be present. The merchant applicatin must request all relevant infrmatin n the business backgrund, the merchant s business mdel and its peratins, the merchant lcatin, and principals wh are running the business. This includes, but is nt limited t, the fllwing: Merchant Business Backgrund Merchant histry Obtain the merchant s authrizatin t research its backgrund, including credit, banking, financial histry, and hw lng the merchant has been in business. New businesses frequently fail within the first few years f peratin. If the business is a start-up, btain a business plan. Ding-Business-As (DBA) r trade name Cmpare the merchant s dingbusiness-as name t its legal name. Sme merchants may cnduct their daily business activities under ne name and apply fr legal registratin under a different name. If the names are different, it is imprtant t knw bth names. Legal frm f business Inquire abut the legal frm f the merchant s business. Fr example, is the merchant a crpratin, partnership, r sle prprietrship? 1 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

21 Business license, registratin numbers Obtain and verify the merchant s business license number r any ther license r registratin numbers that may be required t wn and/r perate a business. Perfrm a search with the apprpriate business bureaus t verify that the merchant wns r perates a legitimate business. Credit histry Determine whether r nt merchant r its principals have previusly filed fr bankruptcy, r have been registered as having any ther credit difficulties nw r in the past. If s, find ut when. This may prvide a gd indicatin f the financial stability f the merchant. Prir Visa Risk Prgram identificatin Determine if the merchant has been previusly identified by Visa Risk Prgram(s). If yes, find ut the specific prgram that identified the merchant and when the identificatin tk place. This may prvide a gd indicatin f the level f merchant underwriting risk. Prir merchant agreement Determine if the merchant and/r any ther principals invlved have a prir merchant relatinship with acquiring banks. If anther acquirer previusly terminated the merchant, nte the reasn fr terminatin n the merchant s applicatin. If available, check any industrywide services such as Enfrcement Management and Accunt System (EMAS) r Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, the Terminated Merchant File (U.S. regin) r any ther cmmn terminated merchant database. Other businesses Ask the merchant t supply infrmatin fr any ther businesses it, r the principals, currently wns r perates, r has wned in the past r is invlved as a directr. Business references Obtain ther business references that can supprt its financial respnsibility. Fr example, invices r billing statements frm suppliers and custmers can prvide evidence f the merchant s ability t meet financial payments. Als use any lcal credit agencies fr infrmatin n the business r its principals. Merchant Business Operatins Operating statistics Ask the merchant fr the fllwing perating statistics t gain knwledge f the merchant s expected business revenue: Prjected ttal sales vlume per year Prjected credit and debit vlume per year Actual chargeback vlume (if existing merchant) Percentage f sales by mail rder, telephne rder, r Internet Perid between the purchase and actual delivery f gds Please refer t the Required Merchant Infrmatin sectin in the VIOR applicable t yur regin. Visa Glbal Acquirer Risk Standards (GARS) 1 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

22 Guarantees and nging services (cpies f cnsumer cntracts may be required) If any guarantees r extended warranties are purchased frm a third party, it is essential that the merchant purchases them immediately and can shw evidence f ding s. Billing terms Ask the merchant fr its billing terms, if nt immediate. Fr example, des the merchant allw its custmers t pay fr purchases in mnthly installments? The extent and frequency t which an acquirer cnducts its peridic reviews f a merchant s financial cnditin and business peratin depends n the acquirer s initial assessment f the risks assciated with the merchant s business. Credit and return plices Ask the merchant fr details f its credit, refund, and return plicy prcedures t ensure the merchant is prperly handling exchanges and credits. It is imprtant fr the acquirer t btain a cpy f the merchant s standard sales cntract with the cardhlder. Inventry Determine whether the merchant wns r finances its inventry. Cntracts Determine if the merchant has any significant cntractual relatinships, such as a manufacturer s Agent r exclusive supplier that may impact the merchant s ability t meet its financial r peratinal bligatins if a cntract is canceled. Merchant Business Lcatin Type f lcatin Determine the type f lcatin f the merchant, such as strefrnt, indr shpping mall, r ffice. Is the merchant lcatin suitable fr the type f merchant? Is the merchant lcatin in a gegraphic area that has demnstrated excessive levels f fraudulent activity? Own/lease Ask whether the merchant wns r leases the lcatin. If the merchant wns the lcatin, request fr the name and address f the mrtgage hlder, if any. If the merchant leases the lcatin, request the name and address f the landlrd. Time at lcatin Ask the merchant hw lng the business has perated at the present lcatin. Merchant Principal(s) Infrmatin Principal name, address, identificatin number Ask the merchant fr the name, address, Scial Security Number r similar identificatin number, and telephne number f each principal invlved in the business. Ownership infrmatin Obtain the percentage f wnership held by each principal. Als inquire as t the length f time each f the current principals have wned the business. Cnsider getting a guarantee frm the fficers f the crpratin. Percentage f time Ask the merchant fr the percentage f time spent at the business by each principal. 1 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

23 3.3 Special Applicatin Cnsideratins fr Card- Absent Merchants An acquirer must cllect and verify additinal applicatin infrmatin fr cardabsent merchants. This includes detailed business plans, samples f merchandise, and cpies f all relevant marketing materials, including catalgs, brchures, telemarketing scripts, and print and bradcast advertisements. 3.4 Separate Internet Merchant Applicatin 3.5 Additinal Internet Merchant Applicatin Infrmatin Fr all merchants establishing an e-cmmerce presence, an acquirer must use a separate applicatin indicating all f the merchant websites that will be prcessing Visa transactins. Whether the applicant is an existing merchant that wants t add a website, r a new merchant, use a separate applicatin r addendum fr e-cmmerce services. This practice can help facilitate the special risk assessment actins related t card-absent vlume. It can als allw fr merchant business name and site cntent verificatin, as well as ensure that the crrect business name is displayed n cardhlder statements. In additin, a separate applicatin frm prvides an easier way t track and reprt e-cmmerce applicatin vlume. Transactins can be flagged and tracked by acceptance mde. Cllect and verify additinal applicatin data and financial dcuments fr Internet merchants. Risk expsure can be lwered by taking a few extra steps during the applicatin prcess t btain additinal infrmatin frm questinable merchants. Required data culd include: Unifrm Resurce Lcatr (URL), als knwn as the website address (e.g., and Internet Prtcl (IP) server address fr the merchant website By cllecting this infrmatin, an acquirer is able t review the actual website and cnfirm that the merchant is actually cnducting the business as described n its applicatin. Cntact details fr the website hsting service This infrmatin can be used t cntact the hsting service and verify that the merchant maintains a legitimate business. addresses and phne numbers fr merchant custmer service Acquirers can verify that a merchant s address is valid by sending a message t that address. An alert shuld be triggered if the message is returned as undeliverable r bunced. In additin, the acquirer shuld check the merchant s custmer service fr its quality respnse and timeliness, as this will decrease custmer disputes and chargebacks. Descriptins f any links n the merchant s website t ther sites t which they may r may nt be affiliated This shuld raise a flag if the linkages d nt make sense r represent merchant types that yu d nt sign. Visa Glbal Acquirer Risk Standards (GARS) 1 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

24 4. Funding and Reserves T substantially reduce financial expsure, acquirers must maintain merchant reserves that are utside f the merchant s cntrl. If the merchant des clse dwn the business, the reserve amunts shuld be sufficient t cver any future chargebacks. 4.1 Member Reserve Respnsibility 4.2 Reserve Cntrls An acquirer must hld and cntrl reserves t guarantee a merchant s Visa payment system bligatins. Regardless f any cntractual limits f liability between a member and its Agents, Visa hlds the member respnsible fr cntrlling all aspects f merchant funding prcess. Agents are nt permitted t access and cntrl merchant funds. Members must prvide settlement funds directly t the merchant. Members may allw Agents t mnitr their merchants and cnduct investigatins f any suspected vilatin activity. Based n the result f thse investigatins, it may be necessary t delay settlement t a merchant r cllect funds frm settlement fr a reserve t ffset ptential lsses. In these instances, an Agent may request that a member delay settlement r cllect ther funds frm the merchant, but the Agent may nt actually receive and pssess any merchant funds. Agents may be granted the authrity t make decisins n withhlding r delaying a merchant s settlement funds. This authrity must nt be interpreted by either party t mean funds may be cntrlled r accessed by the Agent. Members that prvide Agents with this level f system access must have plicies and prcedures in place t ensure Agent cmpliance. Fllwing an investigatin r the clsure f the merchant, the member remains respnsible fr prviding funds due t the merchant. All merchant reserves maintained fr the purpse f securing Visa payment system bligatins must be held in a manner, such that the funds can be readily identified with the merchant fr which they are held. Generally, reserves are held in either a unique depsit accunt in the merchant s name r in a general accunt via ledger entries. In all cases, members must have cntrls in place t ensure their Agents r merchants cannt access reserve funds. Acquirers shuld review merchant reserves mnthly t ensure: All funds that have been added r remved frm the reserves can be accunted fr and explained. The funds cllected r disbursed can be mapped back t their surce (settlement r ffset f cllectin item). 1 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

25 4.3 Payments t Merchants An acquirer must prcess the payment f funds t merchant accunts in a prper and timely manner. An acquirer must directly pay r credit its merchant s accunt prmptly after transactin receipt depsit. The acquirer must nt waive, release, abrgate, r therwise assign t a nnmember its bligatin t guarantee and ensure payment fr all transactins in which the merchant hnred a valid Visa Card r Visa Electrn Card prperly presented fr payment. An acquirer that is hlding funds as security t ensure prper merchant perfrmance must hld these funds in an accunt in the merchant s name. Visa Glbal Acquirer Risk Standards (GARS) 1 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

26 5. Mnitring Merchants and Agents T prtect prfitability and reduce lsses in tday s merchant envirnment, acquirers must be able t Members have identify and investigate ptentially high-risk business a fiduciary at the earliest pssible mment. Daily mnitring f a respnsibility t merchant s depsit and authrizatin activity can help safeguard any accunt fr any merchant reserves an acquirer recgnize any unusual r sudden change in they retain. nrmal merchant depsit activity levels. An acquiring member is als bliged t mnitr the perfrmance f its Third Party Agent(s) t ensure that all activities cmply with VIOR. 5.1 Merchant Activity Mnitring Oversight 5.2 E-Cmmerce Merchant Cntent Review An acquirer, at a minimum, must mnitr its merchants in accrdance with the merchant activity mnitring standards. Existing member mnitring standards fr merchants were develped as a baseline fr a minimum level f versight f merchant perfrmance. At a minimum, acquirers must mnitr the fllwing: Unusual credit vucher activity Chargebacks that apprach r exceed Visa s established mnitring prgram threshlds New and inactive merchant depsit activity Net zer balance depsits Mnitr merchants and investigate situatins where there are a significant number f lw-value transactins cmpared t the merchant s average transactin value. Other items listed under Merchant Activity Mnitring in Appendix A f this guide. Members may allw their Agents t perfrm daily merchant mnitring fr exceptin reprting. Hwever, this practice des nt abslve the member frm their versight respnsibility. The acquirer shuld review every page n every merchant website t ensure cmpliance with VIOR. This review shuld cnsist f a cmbinatin f practive and persistent website analysis. Acquirers shuld review every page n every website n less than nce every 30 calendar days. This is t ensure that merchants d nt prcess illegal r prhibited transactins, as specified in the VIOR. 2 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

27 A member must cmply with lcal applicable laws and a transactin must be legal in the jurisdictin f bth the cardhlder and the merchant. In the event f any cnflict between the VIOR and any lcal applicable law, lcal law requirements prevail. 5.3 Agent Activity Mnitring Oversight 5.4 Merchant Data Retentin and Review 5.5 Unusual Activity Reprting An acquirer must review and mnitr the activity f each f its Agents n a quarterly basis. Agent perfrmance must be mnitred t ensure cmpliance with the VIOR and applicable Reginal Operating Regulatins, as well as with the member s internal plicies. In additin t quarterly statistical reprting, acquirers shuld review cmpliance with marketing materials cntent, Merchant Categry Cde (MCC) assignment, underwriting, mnitring, and ther sensitive peratins. An acquirer must meet the minimum Visa merchant data retentin and review requirements. This includes the fllwing: At minimum, retain all f the fllwing data n a daily basis: Grss sales vlume Average transactin amunt Number f transactin receipts Number f chargebacks Number f credits Cmpare the actual prcessing vlume against the apprved transactin vlumes Use rlling averages t create nrmal weekly activity fr the merchant s prcessing Cmpare the merchant s actual prcessing vlume t the nrmal weekly activity parameters established fr that merchant Beginning with the merchant utlet depsit activity prcessed n the 31st calendar day frm the first depsit, the acquirer must generate unusual activity reprts if ne f the fllwing ccurs: Current weekly grss sales vlume equals r exceeds $5,000 and any f the fllwing meets r exceeds 150 percent f the nrmal weekly activity: Number f weekly transactin receipt depsits Grss amunt f weekly depsits Average transactin amunt Number f weekly chargebacks Average elapsed time between the date f the merchant receipt and the Central Prcessing Date (cunting each as ne day) exceeds 15 calendar days. Visa Glbal Acquirer Risk Standards (GARS) 2 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

28 5.6 High-Brand Risk Merchant Data Retentin and Review The acquirer must meet Visa High-brand risk merchant data retentin and review requirements. This includes the fllwing: Retain the fllwing daily data: Grss sales vlume, Average transactin amunt, Number f transactin receipts, Average elapsed time between the transactin date f the transactin receipt and the settlement date (cunting each as ne day), Number f chargebacks, and Number f credits. Cmpare merchant s daily prcessing vlume t the apprved prcessing levels. Cllect the data ver a perid f at least ne mnth, beginning after each merchant s initial depsit. Use the data t determine the merchant s nrmal daily activity fr each High-brand risk merchant categry. Begin daily mnitring f the merchant s depsit activity prcessed n the 31st calendar day frm the first depsit. Cmpare current related data t the nrmal daily activity parameters at least daily. Review and adjust the merchant s nrmal daily activity at least mnthly, using the previus week s activity. A High-brand risk merchant is defined as a Merchant Outlet that is required t be classified with Merchant Categry Cde 5967, Direct Marketing Inbund Teleservices Merchant, 5966, Direct Marketing Outbund Telemarketing Merchant, 5962, Direct Marketing Travel-Related Arrangement Services, 7995, Betting, including Lttery Tickets, Casin Gaming Chips, Off-Track Betting, and Wagers at Race Tracks, 5122, Drugs, Drug Prprietaries, and Druggist Sundries and 5912 Drug Stres and Pharmacies Visa may change the definitin f a High-brand risk merchant t include additinal merchants categries. See the Visa Merchant Data Standards Manual fr detailed descriptins f each merchant categry cde. 5.7 Unusual Activity Reprting fr High- Brand Risk Merchants The acquirer must identify and address unusual High-brand risk merchant activity if a merchant s prcessing significantly exceeds nrmal daily activity fr: Number f daily transactin receipt depsits Grss amunt f daily depsits Average transactin amunt Number f daily chargebacks 2 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

29 5.8 Merchant Investigatin 5.9 Acquirer Investigatin Fllw-Up 5.10 Mentr Investigatin Assistance The acquirer must immediately investigate any merchant exceeding the threshlds specified in the VIOR. The acquirer must ensure merchant cmpliance with the regulatins and cnfirm the existence f risk cntrl prcedures by cnducting: A physical inspectin f the merchant utlet. An audit f the merchant website, if applicable The acquirer must prvide Visa with a suspect vilatin reprt if it discvers any merchant r agent vilatins. Visa may waive r suspend penalties t accmmdate unique r extenuating circumstances r if vilatins f the VIOR are identified and rectified prir t Visa issuing the ntificatin that a vilatin has ccurred. The acquirer must investigate a merchant utlet appearing in an unusual activity reprt within seven calendar days f generating the exceptin reprt, as specified in the VIOR. When the investigatin reveals merchant invlvement in illegal activity r any ther brand damaging activities listed under the Brand Prtectin sectin in VIOR, the acquirer must: Take apprpriate legal actin t minimize lsses. Cperate fully with Visa, issuers and law enfrcement agencies, and release all infrmatin relative t the merchant upn request. Attempt t make the merchant respnsible fr the transactin. Hld funds, if pssible. Initiate criminal and civil prceedings against the merchant, if applicable. A member must, t the best f its ability, assist ther members with a fraudulent activity investigatin. This can be accmplished by perfrming tasks such as: Interviewing merchants, spnsred merchants, cardhlders, suspects, witnesses, physical evidence. Recvering lst, stlen, r cunterfeit cards. Prviding infrmatin t prper authrities fr the pssible arrest f persns, at the issuer s request. Perfrming any ther reasnable investigative assistance. Visa Glbal Acquirer Risk Standards (GARS) 2 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

30 6. Training and Educatin Acquiring members have an bligatin t the Visa payment system t prvide their Third Party Agents and merchants with sufficient infrmatin t ensure they are able t cmply with the VIOR and Reginal Operating Regulatins. In additin, Agents and merchants must understand the member s plicies and prcedures t effectively fulfill their cmmitments t the member. 6.1 Merchant/ Agent Training and Educatin An acquirer must prvide its Agents and merchants with training and/r educatin materials t ensure the Agents and merchants understand and cmply with their plicies. Agents must understand a member s plicies and prcedures as well as relevant VIOR s that they d nt vilate any expected perfrmance standards. Therefre, members must: Clearly cmmunicate plicies, prcedures, and requirements t all f their merchants and Agents t make sure that they d nt vilate any expected perfrmance standards. Obtain the Agent s cmmitment t cmply with member plicies and prcedures, as well as relevant VIOR. Plicies and prcedures prvided t the Agent shuld include, but are nt limited t the fllwing: VIOR Prper merchant slicitatin practices Use f member-branded materials Merchant underwriting criteria, including prhibited merchant types and Merchant Categry Cdes (MCCs) Cde f cnduct Payment Card Industry (PCI) Data Security Standards (DSS) and ther data security requirements fr the prtectin f cardhlder data 2 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

31 7. Managing Third Party Agent Risk Acquirers are making use f Third Party Agents fr a range f services, including accunt slicitatin, transactin prcessing and custmer supprt. Hwever, members must ensure their use f Agents des nt increase the risk expsure t the Visa payment system. Frm a member perspective, a well-cntrlled Agent relatinship can reduce the pssibility f bank failure, minimize risk f lss t the payment system, and prtect the gdwill f the Visa brand. 7.1 Member Use f Agents A member that uses any Third Party Agent must cmply with all requirements, as stipulated by VIOR and Visa Reginal Operating Regulatins. This includes the fllwing requirements. A member must register its Agents with Visa prir t the perfrmance f any cntracted services r transactin activity. Only a registered Third Party Agent that has a direct written cntract with a member may perfrm services n behalf f the member. An apprpriate senir fficer f the member must review all dcumentatin and apprve the Agent. Apprval must be based n sund business practices that will nt cmprmise either the member r Visa, and may nt be based slely n any purprted limitatin f the member s financial liability in any agreement with the Agent. Additinally, a High-Risk IPSP (HR IPSP) is required t reprt t the member: Acquisitin f new High-brand risk spnsred merchants Mnthly transactin activity fr all High-brand risk spnsred merchants The reprts must be prvided t Visa in specified electrnic frmats available frm Visa upn request. Members with currently registered Agents: May be required, upn request frm Visa t prvide dcumentatin t cnfirm cmpliance with the Third Party Agent Due Diligence Risk Standards. Must perfrm an annual review f all Agents t cnfirm nging cmpliance with the Third Party Agent Due Diligence Risk Standards. Visa Glbal Acquirer Risk Standards (GARS) 2 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

32 A member that fails t cmply with Visa requirements may be assessed a fine as specified in the Fines Related t Third Party Agents table belw. Vilatin Fine First ccurrence $10,000 Secnd ccurrence in a rlling 60-mnth perid $25,000 Third ccurrence in a rlling 60-mnth perid $50,000 Fur r mre ccurrence in a rlling 60-mnth perid $100,000 Fr repeated vilatins in a 60-mnth rlling perid, Visa may assess fines in additin t thse specified in the abve table at management s discretin. Fines are cumulative. In the U.S. regin, Visa may assess an additinal fine f $20,000 fr each 30 calendar day perid, r prtin theref, during which the member fails t: Register the Agent. Ntify Visa f a change as specified by the VIOR. Fr any vilatin f the requirements detailed in Use f the Third Parties sectin, Visa may impse varius risk reductin measures based n the Crprate Risk Reductin Measures sectin in the VIOR. A member must execute a written cntract with each Agent that perfrms cardhlder r merchant slicitatin and transactin prcessing. This agreement, t the extent permitted by applicable law, must: Be executed by a senir fficer f the member, Cntain and ensure that Agents cmply with the substance f the fllwing, as applicable: VIOR and Reginal Operating Regulatins Payment Card Industry (PCI) Data Security Standards (DSS) Requirements 2 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

33 7.2 Member Respnsibilities When Using Agents A member that uses any Agent retains the verall respnsibility fr establishing prper risk cntrls and prcedures. This includes the fllwing: Cntrl f the apprval and review f merchants, apprval f cardhlder applicatins, and the establishment f merchant fees fr Visa transactins. Maintain a file n the Agent that includes all applicable dcumentatin, and retain this file (with the reasn fr discntinuance) fr a minimum f tw years fllwing terminatin f the relatinship. Guarantee that the member and its Agents will cmply with the Visa requirements fr the use f Agents. Identify each Agent and designate the activities that it is authrized t perfrm n the member s behalf. Ensure that the Agent has access t and uses the infrmatin cntained in the current Visa Interchange Directry, if the member uses the Agent fr prcessing any f the fllwing: Chargebacks Arbitratin Cmpliance Authrizatins Referrals Fraud Reprting Settlement Advise the Agents that: Such an rganizatin r individual must nt represent registratin in the Visa Member Management System (VMM) as an endrsement f its services by Visa. Registratin f an Agent is specific t each member, and requires a separate Agent registratin prcess fr each Agent/member business relatinship. Accept respnsibility fr any and all lsses caused by its Agent. 7.3 Terminatin f Agent Cntracts A Third Party Agent cntract must include a prvisin that allws a member r its merchant t terminate a cntract if the Third Party Agent participates in any f the activities described in Prhibitin f Third Party Agents frm Prviding Services r the member r its merchant becmes inslvent. Visa Glbal Acquirer Risk Standards (GARS) 2 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

34 The cntract must include a prvisin allwing the member r its merchant t terminate the cntract if the Agent participates in any f the activities described belw. Prhibitin f Third Party Agents frm Prviding Services Effective 23 July 2010, Visa may permanently prhibit a Third Party Agent and its principals frm prviding services with respect t Visa prducts fr gd cause, such as: Fraudulent activity Activity that causes the member t repeatedly vilate the VIOR Operating in an unsund, unsafe manner Any ther activities that may result in undue ecnmic hardship r damage t the gdwill f the Visa system, if the Third Party Agent fails t take crrective actin 7.4 Quarterly Agent Review 7.5 Agent Audits and Reviews Members must maintain a file n each Agent, perfrm a quarterly review f their perfrmance, and cmplete the ISO Quarterly Reprt. This reprt must be signed by a senir fficer and sent back t Visa within 30 calendar days f its receipt. Failure t submit a reprt in a timely manner r t prvide accurate infrmatin may result in an n-site risk review r ther risk cntrls t be placed n the acquirer. The member, Visa, r their designees may cnduct an Agent financial and prcedural audit and/r review at any time. 7.6 Agent Requirements fr Prviding Infrmatin If the member, Visa, its designees, r any regulatry agency requests cardhlder r merchant infrmatin, the Agent must prvide the infrmatin in writing as sn as pssible, but n later than seven business days frm receipt f a request. A member, Visa, its designees, r any regulatry agency may request infrmatin f any type, including: Organizatinal structure Emplyee infrmatin Sales-related data Financial infrmatin 2 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

35 7.7 Merchant Slicitatin An Agent must nt present itself t prspective cardhlders and merchants under any ther Trade Name except the ne registered with Visa in the Visa Membership Management System (VMM). An Agent must nt present itself as, r appear t be, a member f Visa. An Agent that uses the Visa Prgram Marks must: Prminently identify the member by name and city adjacent t the Visa- Owned Marks. The material must nt identify the Agent, unless the Agent is prminently identified as an Agent r representative f the member. Clearly disclse n its slicitatin material that subsequent merchant agreement is between the member and the individual merchant. The Agent must nt: Permit the use f any Visa-Owned Mark by any f its wn Agents, r Use any Visa-Owned Mark n any marketing material, including business cards and letterhead r statinary. 7.8 Use f High-Risk Independent Sales Organizatin (HR ISO) Effective 1 December 2011, an acquirer wh cntracts with an Independent Sales Organizatin (ISO) t slicit High-brand risk merchants r High-brand risk spnsred merchants, must register that ISO with Visa as a High-Risk Independent Sales Organizatin (HR ISO), whether r nt the ISO has already registered with Visa as an Agent. 7.9 Use f Payment Service Prvider (PSP) An acquirer cntracting with a PSP t prvide payment services t a merchant that is cnsidered t be High-brand risk, must register that PSP with Visa as a High-Risk IPSP (HR IPSP), whether r nt the PSP has already registered with Visa as a PSP. (Fr nn-united States members, this rule is effective 1 December 2011). Appendix F includes a list f acquirer cntrls related t the use f PSPs. The acquiring member must nt prcess any card-absent, High-brand risk transactins until registratin has been recrded and has been Visa apprved High- Brand Risk Internet Payment Service Prvider Prcessing Requirements If a cardhlder accesses the website f an electrnic cmmerce merchant cnsidered t be High-brand risk r a High-brand risk spnsred merchant and the cardhlder is then linked t the website f the HR IPSP fr payment: The name f the HR IPSP must appear in the clearing and authrizatin recrd in cnjunctin with the name f the High-brand risk spnsred merchant. Prcessing requirements apply, as specified in the VisaNet manuals. Visa Glbal Acquirer Risk Standards (GARS) 2 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

36 8. Managing Additinal Aspects f Merchant Risk The changing nature f the payment envirnment means acquirers are faced with a landscape f grwing risks, where the need fr acute awareness and vigilance f merchant perfrmance is cnstant. Cnsequently, risk management effrts must be incrprated int every aspect f merchant relatinships and daily business. T be effective, an acquirer must set up and maintain a risk-respnsible peratin. 8.1 Merchant Qualificatin Standards 8.2 Merchant Disclsure Requirements 8.3 Merchant Website Disclsure Prir t entering int a merchant agreement, an acquirer must determine that the prspective merchant is financially respnsible and cnfirm that: It will abide by the VIOR and lcal law. There is n significant dergatry backgrund infrmatin abut any f its principals. An acquirer must ensure that its merchant, spnsred merchant, High-brand risk merchant, r High-brand risk spnsred merchant, have clearly disclsed thrughut the rder prcess all f the fllwing: Terms and cnditins f a prmtin, if restricted The length f the trial perid, if ffered, including clear disclsure that the cardhlder will be charged unless the cardhlder expressly rejects the charge The date n which any charges will cmmence Clear steps t be taken by the cardhlder t cancel the transactin prir t the end f the trial perid General cancellatin plicy A website perated by a merchant, spnsred merchant r PSP, High-brand risk merchant, High-brand risk spnsred merchant r HR IPSP must cntain specific disclsure details. These include: Visa Brand Mark in full clr t indicate Visa card acceptance, as specified in the Visa Prduct Brand Standards Legal restrictins (if knwn) Cmplete descriptin f the gds r services ffered Return/refund plicy Custmer service cntact, including address r telephne number 3 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

37 Address f the merchant s permanent establishment, including the merchant utlet cuntry either: On the same screen view as the checkut screen used t present the final transactin amunt, r Within the sequence f web pages the cardhlder accesses during the checkut prcess Transactin currency (e.g., U.S. dllars, Canadian dllars) Exprt restrictins (if knwn) Delivery plicy Disclsure f the merchant utlet cuntry at the time f presenting payment ptins t the cardhlder Cnsumer data privacy plicy Security capabilities and plicy fr transmissin f payment card details Terms and cnditins f a prmtin, if restricted The length f the trial perid (if ffered), including clear disclsure that the cardhlder will be charged unless the cardhlder expressly rejects the charge Clear steps t be taken by the cardhlder t cancel the transactin prir t the end f the trial perid 8.4 Registratin Requirements fr High-Risk Telemarketing Merchants (U.S. regin) Effective 1 December 2011, befre accepting transactins frm a high-risk telemarketing merchant, an acquirer must submit t Visa a cmpleted Visa New High-Risk Merchant Registratin using the Visa Membership Management System (VMM) via Visa Online. A High-brand risk merchant is defined as a merchant utlet that is required t be classified with Merchant Categry Cde 5967, Direct Marketing Inbund Teleservices Merchant, in its spnsred merchant prtfli, 5966, Direct Marketing Outbund Telemarketing Merchant, 5962, Direct Marketing Travel-Related Arrangement Services, 7995, Betting, including Lttery Tickets, Casin Gaming Chips, Off-Track Betting, and Wagers at Race Tracks, 5122, Drugs, Drug Prprietaries, and Druggist Sundries and 5912 Drug Stres and Pharmacies Visa may change the definitin f a High-brand risk merchant t include additinal merchant categries. See the Visa Merchant Data Standards Manual fr detailed descriptins f direct marketing merchants. Visa Glbal Acquirer Risk Standards (GARS) 3 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

38 8.5 Additinal Requirements fr all Risk Acquirers Effective 1 December 2011, an acquirer f High-brand risk merchants, HR IPSP, r High-brand risk spnsred merchants must participate in the Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r the Terminated Merchant File (U.S. regin) if VMTS is nt available. VMTS participatin requires that merchants d bth f the fllwing: Query VMTS prir t entering int an agreement with a prspective electrnic cmmerce merchant r Mail/Phne Order merchant r spnsred merchant. List any electrnic cmmerce merchant r mail/telephne rder merchant r spnsred merchant that has been terminated fr just cause n VMTS. A U.S. acquirer must add a merchant t the terminated Merchant File within 24 hurs f determining that: The merchant was terminated fr reasns ther than thse listed in Terminated Merchant File Listing Requirements - U.S. Regin Within 90 calendar days f the terminatin date, the acquirer determines that the merchant shuld have qualified fr the listing The merchant listing must include the: Business name Names and identificatin f principals f terminated merchants The acquirer must reprt terminated merchants, as specified by MasterCard Wrldwide. VIOR ID#: If an acquiring member receives a respnse indicating a pssible match against a merchant listed n the VMTS, where available and permitted under lcal applicable law, r the Terminated Merchant File (U.S. regin) if VMTS is nt available, the member must: Verify that the merchant identified in the respnse is the same merchant fr which the inquiry was generated, and Cntact the listing member directly t determine why the merchant was added t the file. The acquirer shuld make its acceptance decisin based n further investigatin, and must use Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r use the Terminated Merchant File (U.S. regin) if VMTS is nt available. 3 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

39 8.6 Request fr Infrmatin Requirement 8.7 Additins t the Visa Merchant Trace System (Asia-Pacific regin) 8.8 Transactin Receipt Depsit Effective 1 June 2011, an acquirer must prvide infrmatin relating t any request fr infrmatin presented by Visa, its designees, r any regulatry agency, as required under the Glbal Brand Prtectin Prgram. The required infrmatin must be prvided in writing as sn as pssible, but n later than 7 business days fllwing receipt f the request fr infrmatin. An acquirer may receive a request fr any type f infrmatin, including, but nt limited t, the fllwing: Organizatinal structure Emplyee infrmatin Sales-related data Financial Infrmatin Security Infrmatin Effective 1 March 2011, all acquirers lcated in Australia, Hng Kng, India, Indnesia, Macau, Malaysia, Cambdia, New Zealand, Philippines, Sri Lanka, and Thailand must: Enter terminated merchant details int the Visa Merchant Trace System database within ne business day after terminating a merchant agreement due t ne f the reasns specified in the Terminated Merchant Listing Reasns in the Visa Merchant Trace System Participatin Requirements. Cmply with all requirements specified in the Visa Merchant Trace System Service Participatin Requirements. Except as permitted fr PSPs, a merchant must nly depsit transactin receipts that directly result frm cardhlder transactins with the merchant. A PSP may depsit transactin receipts n behalf f a spnsred merchant. A merchant must nt depsit a transactin receipt until it des ne f the fllwing: Cmpletes the transactin. Ships r prvides the gds, except as specified in the Delayed Delivery Transactins sectin f the VIOR. Perfrms the purchase service, r btains the cardhlder s cnsent fr a recurring transactin. Visa Glbal Acquirer Risk Standards (GARS) 3 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

40 3 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

41 Appendix A Appendix A cntains suggested merchant and Agent prgram risk management plicy cntent elements fr acquirers t use when assessing their current plicy r in develping a new plicy. Visa Glbal Acquirer Risk Standards (GARS) 3 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

42 Visa Acquirer Risk Management Plicies The fllwing cntent elements help serve as a recmmended framewrk fr develping acquirer merchant risk management plicies that ensure merchant and Agent cmpliance with Visa s rules and regulatins. Visa Plicy Requirements Merchant Underwriting Cntent Cverage An acquirer must implement an underwriting, mnitring, and cntrl plicy fr its merchants and Third Party Agents. These plicies must be apprved by its Bard f Directrs r an apprpriate executive cmmittee. The acquirer s risk management plicies shuld cver all management functins perfrmed by the acquirer and its Third Party Agents. This includes, but is nt limited t the fllwing: Merchant underwriting and agreements Merchant prtfli risk management Third Party Agents Signing An acquirer must implement a plicy fr merchant categry designatins that represent an unacceptable level f risk and will nt be signed, such as: Questinable prducts r services that may be prne t cnsumer disputes and higher levels f chargebacks Delayed r future delivery f merchandise r service Large prtin f card-absent sales transactins Underwriting Merchant applicatin requirements: Minimum applicatin cntent fr all new merchants List f all third parties invlved in the payment prcess that may have access t transactin data Applicatin cntent fr existing merchant adding a new site Change in wnership applicatin requirements Addendums fr mail rder/telephne rder (MO/TO) and e-cmmerce merchants 3 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

43 Standard merchant underwriting criteria: Required review and apprval befre an existing merchant is allwed t add a new lcatin Re-underwriting fr a merchant that has a change in majrity wnership Quantifying a new merchant s risk expsure Cnditins r restrictins which require an applicatin t be declined Minimum levels f wnership required n the merchant applicatin Minimum credit bureau scre required fr apprval Allwable criteria regarding majr and minr dergatry credit histry Persnal guarantees frm merchants Minimum acceptable criteria fr merchant apprval Larger business underwriting: Minimum acceptable criteria fr apprval Setting cmmercial lending-based merchant apprval criteria fr larger cmpanies Reviewing business bureau reprts fr larger merchants Evaluating financial reprts fr publicly traded cmpanies Higher risk merchant underwriting: Defining mre stringent apprval criteria fr higher risk merchants Perfrming higher risk merchant credit investigatin Obtaining and reviewing prduct r service marketing material Verifying banking references Cnducting a detailed review f prduct r service Cnducting business prperty, supplier reference checks and Better Business Bureau Cnducting fulfillment huse reference checks Perfrming additinal psitive verificatin checks t validate merchant address and wnership as described in the Fraud Preventin plicies listed n the next page Apprval authrity: Designating merchant vlume apprval limits by psitin and title Setting apprval limits fr certain Merchant Categry Cdes (MCCs) and business classificatins by psitin and title Establishing and enfrcing prper transactin prcessing requirements Tracking f applicatin apprval rates, decline reasns, and verrides Visa Glbal Acquirer Risk Standards (GARS) 3 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

44 Override plicy: Defining frmal decline decisin verride apprval authrities Establishing new infrmatin t be btained that may warrant apprval, r additinal risk cntrl measures that are t be utilized Risk mitigatin: Daily debiting f discunt and fees fr higher risk merchants Requiring letters f credit r reserves fr higher risk merchants Establishing mre restrictive activity mnitring parameters fr higher risk merchants Fraud Preventin Applicatin data verificatin: Verifying merchant applicatin infrmatin Cnducting telephne screening Cnfirming the accuracy f the MCC assignment Use f Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r Terminated Merchant File (U.S. regin), r ther cmmn terminated merchant database, if VMTS is nt available. Submitting merchant and principal infrmatin int the Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r Terminated Merchant File (U.S. regin), r ther cmmn terminated merchant database, if VMTS is nt available Investigating merchants with pssible matches Investigating merchants with high levels f inquiry frm ther acquirers Suspending merchants that appear n retractive reprts until validity can be determined Merchant site inspectins: Requiring site inspectins f the primary business lcatin Ensuring site inspectin cntent is adequate t assess fraud risk and business stability Differentiating traditinal stre-frnt frm MO/TO and e-cmmerce merchants Requiring inspectins and due diligence fr merchants using fulfillment huses Website inspectins: Website cntent and merchant infrmatin standards Name displayed n website matches merchant descriptin Merchant lcatin Privacy plicy Prducts ffered fr sale 3 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

45 Links t ther sites Minimum website requirements fr payment purpses Security methd fr payments and disclsure including verificatin f cmpliant payment applicatin Website data security and encryptin practices Back rder, return, and refund plicies Terms and Cnditins E-cmmerce merchant requirements: Cmplying with all the prvisins f the VIOR pertaining t e-cmmerce transactins. Include the prvisins in its merchant agreement r as a separate addendum Requiring merchant websites t display cnsumer data privacy plicy Requiring merchant websites t display security methd fr the transmissin f payment data Offering cardhlders a secure transactin methd, such as Secure Sckets Layer (SSL) r 3-D Secure Signing and Retentin Requirements: Having each merchant agreement signed by the acquirer and remain n file at the acquirer s place f business New Merchant Set-up Ensure all PSPs, including High-brand risk merchants, HR IPSPs and/r Independent Sales Organizatins (ISOs) have been registered with Visa Review the applicatin t identify Third Party Agents with access t cardhlder data and ensure that they are PCI DSS cmpliant Where applicable, the member must ensure that the Agent is registered with Visa if the merchant is using an Agent E-cmmerce merchant set-up: Use f Electrnic Cmmerce Indicatr (ECI) Safeguards t secure strage f cardhlder data Requirements t use firewalls and separate servers t prevent intrusins Merchant Agreement Risk Expsure Terms and Cnditins Agreement terms and cnditins: Requiring cmpliance with minimum risk prvisins f VIOR and Reginal Operating Regulatins t be included in all agreements: - Prhibitins and ther requirements as utlined in the VIOR - Payment Card Industry (PCI) Data Security Standards (DSS) cmpliance requirement - Bank disclsure statement - Acquirer respnsibility t hld and cntrl merchant reserves Visa Glbal Acquirer Risk Standards (GARS) 3 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

46 Merchant Prtfli Risk Management Cntent Cverage Peridic Accunt Review Establishing merchant selectin criteria: Defining the review timing based n risk-weighted criteria Targeting inactive merchants fr review Cnducting peridic reviews fr e-cmmerce merchants Establishing peridic review cntent including: Updating merchant file dcumentatin Obtaining and evaluating financial reprts Assessing merchants using cnsumer credit bureau scres Using merchant shpper prgrams fr higher risk merchants Reviewing websites at least annually fr changes in prducts, delivery methds r return plicies Cnfirming cnsistency with riginal applicatin addendums Assessing cmpliance with data security requirements Actins necessary t mitigate risk: Cnducting a detailed review if warranted by initial screenings Taking actins t mitigate risk expsure discvered by the peridic review Fllw-up and remediatin plans Necessary Merchant Activity Mnitring Exceptin activity reprting that includes: Daily reprts t detect high-risk activity: - Authrizatins - Depsits - Transactins - Credit vucher activity - Draft retrieval requests - Chargebacks Overall chargeback rates t ensure that mnthly Visa threshlds will nt be exceeded Unusual activity available fr review befre funding is prvided t merchants Exceptin activity time frames t ensure: Exceptin activity reprts are reviewed n a daily basis Highest pririty alerts are reviewed first Merchant mnitring parameters are peridically evaluated and adjusted 4 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

47 Suspect Vilatin Investigatin Establishing plicies fr investigating suspect activity: Exceptin cnditin criteria requiring investigatin Suspect Vilatin Reprt (SVR) filing Escalatin prcedures between Agents and acquirer Establishing pre-defined suspect activity interventin authrity: Suspensin plicy and authrity prcessing Funds hlds plicy and delegated authrity Merchant ntificatins and timing Lss Cntrl Terminating merchant relatinships: Establishing pre-defined interventin authrities t cntrl lsses Hlding reserves and depsits frm terminated merchants t limit chargeback risk expsure Establishing criteria and timing fr adding merchants t the Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r Terminated Merchant File (U.S. regin), r ther cmmn terminated merchant database, if VMTS is nt available Initial Agent Due Diligence Initial due-diligence review that must take int cnsideratin: Principals and backgrund infrmatin Financial perfrmance review Merchant prtfli risk perfrmance and assessment On-site peratins review Review dcumentatin and recmmendatins Apprval and signing prcess fr new Agents Slicitatin materials and marketing practices Items listed in Appendix C f this guide Usage Plicies fr Agents with Sales Respnsibilities Establishing merchant signing and underwriting criteria fr Third Party Agents Agent slicitatin materials and marketing practices Establishing merchant mnitring standards fr Third Party Agents Escrw accunts held by the acquirer fr merchant funding Agent reserves held by the acquirer Visa Glbal Acquirer Risk Standards (GARS) 4 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

48 Letters f Credit in favr f the acquirer Cntrls ver merchant settlement funds Cntrls ver ACH prcess Identifying third parties that have access t a merchant s transactin infrmatin Registering the parties as Agents with Visa Requiring Agents t cmply with the Payment Card Industry (PCI) Data Security Standards (DSS) Onging Due Diligence Due-diligence review timing (at a minimum, annual review) Respnsibilities fr signing new merchants Respnsibilities fr mnitring risk expsure Financial statement reviews Operatinal statistics and perfrmance reviews On-site reviews cmpliance with acquirer plicies Review dcumentatin and recmmendatins ISO Quarterly Reviews Agent perfrmance versight Agent/Merchant Training and Risk Educatin Plicies and Prcedures Acquirer merchant signing risk Acquirer merchant mnitring risk Merchant fraud and chargeback risk 4 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

49 Appendix B Appendix B prvides tw examples f the Disclsure Page that must be included in the agreement if an Agent is a party t an agreement between a member and a merchant. Visa Glbal Acquirer Risk Standards (GARS) 4 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

50 Rules fr the Disclsure Page A Disclsure Page clearly cmmunicates t the merchant the name f the financial institutin with whm they have a merchant agreement. The fllwing are specific rules fr the Disclsure Page. 1. If the Third Party Agent perfrms merchant slicitatin nly (n underwriting, custmer service, risk mnitring, etc.), a Disclsure Page is nt required. 2. The Disclsure Page must either be (a) n the first page f the merchant applicatin in its wn area, r (b) n a standalne page. See examples n the fllwing pages. 3. The Disclsure Page can include the Agent s cntact infrmatin, but the Agent must nt be presented as the financial institutin. 4. The Disclsure Page requires full merchant signature (nt initials). 5. If the Disclsure Page is n the first page f the applicatin, the signature must be in the bx fr the Disclsure Page, nt an verall signature fr the applicatin. 6. The Disclsure Page must list the merchant and acquirer s high level respnsibilities. 7. The Disclsure Page must include the acquirer s cntact infrmatin including phne number and address. 8. A cpy f the Disclsure Page must be given t the merchant. If an Agent is spnsred by multiple acquirers, the cntact infrmatin fr each acquirer can be listed n the bank disclsure page. The sales Agents culd then have a check-bx r anther methd f identifying the acquirer. 4 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

51 Disclsure Page Examples Example f a Bank Disclsure Page (n the first page f the applicatin) This example has been enlarged t shw the detail f the cntents. BANK DISCLOSURE Member Bank Infrmatin: ABC Bank, ABC Drive, Fster City, CA Phne (800) Imprtant Bank Respnsibilities: 1. A Visa member is the nly entity apprved t extend acceptance f Visa prducts directly t a merchant. 2. A Visa member must be a principal (signer) t the merchant agreement. 3. The Visa member is respnsible fr and must prvide settlement funds t the merchant. 4. The Visa member is respnsible fr all funds held in reserve that are derived frm settlement. 5. The Visa member is respnsible fr educating merchants n pertinent VIOR with which merchants must cmply. Merchant Infrmatin: Refer t Merchant Applicatin Imprtant Merchant Respnsibilities: 1. Ensure cmpliance with cardhlder data security and strage requirements. 2. Maintain fraud and chargebacks belw threshlds. 3. Review and understand the terms f the merchant agreement. 4. Cmply with VIOR. The respnsibilities listed abve d nt supersede terms f the merchant agreement and are prvided t ensure the merchant understands sme imprtant bligatins f each party and that the Visa Member - ABC Bank - is the ultimate authrity shuld the Merchant have any prblems. Merchant Name: Phne: Address: Agent/salespersn (ptinal): Merchant Signature/Title: Date: Visa Glbal Acquirer Risk Standards (GARS) 4 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

52 Example f Bank Disclsure Page (as standalne dcument) Member Bank (Acquirer) Infrmatin Acquirer Name: Acquirer Address: Acquirer Phne: Imprtant Member Bank (Acquirer) Respnsibilities 1. A Visa member is the nly entity apprved t extend acceptance f Visa prducts directly t a merchant. 2. A Visa member must be a principal (signatry) t the merchant agreement. 3. The Visa member is respnsible fr and must prvide settlement funds t the merchant. 4. The Visa member is respnsible fr all funds held in reserve that are derived frm settlement. 5. The Visa member is respnsible fr educating merchants n any VIOR with which merchants must cmply during the curse f peratin. Merchant Infrmatin Merchant Name: Merchant Address: Merchant Phne: Imprtant Merchant Respnsibilities 1. Ensure cmpliance with cardhlder data security and strage requirements. 2. Maintain fraud and chargebacks belw threshlds. 3. Review and understand the terms f the merchant agreement. 4. Cmply with VIOR. The respnsibilities listed abve d nt supersede terms f the merchant agreement and are prvided t ensure the merchant understands sme imprtant bligatins f each party and that the Visa member (acquirer) is the ultimate authrity shuld the merchant have any prblems. Merchant s Signature: Date Merchant s Printed Name & Title 4 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

53 Appendix C Appendix C cntains the Visa Third Party Agent Due Diligence Risk Standards (Revised December 2008) that must be administered during the negtiatin prcess and thrughut the life f the Agent agreement. Visa Glbal Acquirer Risk Standards (GARS) 4 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

54 Third Party Agent Due Diligence Risk Standards Revised December 2008 The fllwing risk standards must be administered during the registratin prcess and thrughut the life-cycle f the Agent agreement. Nt all due diligence standards will apply t all Agents. The member must determine which standards apply t the specific functins the Third Party Agent is perfrming. Cmpensating cntrls may be used where applicable, subject t Visa apprval. 1. Member must register their Third Party Agent with Visa and attest t cmpleting an adequate risk and financial review prir t any activity with the Third Party Agent. Third Party Agents must nt be utilized until the registratin has been recrded, and written cnfirmatin frm Visa has been prvided. 2. Member is respnsible fr reviewing and apprving the fllwing minimum supprting dcumentatin: a. An adequate financial review f the Third Party Agent has been cmpleted which includes a review f current financials and an utside party review (i.e. Dunn & Bradstreet, Experian, Better Business Bureau, SAS 70 r equivalent type reprt) if available. b. An adequate financial review f Third Party Agent principals accepting financial liability has been cmpleted. c. Thrugh backgrund check n the Third Party Agent and its principals has been perfrmed. d. A thrugh n-site review has been cnducted which cvers all majr services that will be prvided. e. Current and previus acquiring and/r issuing business relatinships, including all Ding Business As (DBA) r alternate names, f the Third Party Agent have been checked and reviewed. f. Adequate plicies, prcedures and cntrls have been established by the Third Party Agent and reviewed as they pertain t the business type. These plicies, prcedures and cntrls may include clear and secure prcedures fr adding and deleting merchants, funding and reserves f prepaid cards, cmpliance with applicable anti-mney laundering laws, regulatins and ther regulatry requirements. 4 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

55 g. An adequate and timely management and exceptin reprting prcess has been established by the Third Party Agent t which the member wuld have access. h. Payment Card Industry Data Security Standards (PCI DSS) cmpliance has been received by Visa and the member, if the Third Party Agent is string, prcessing r transmitting Visa accunt numbers. If the Third Party Agent is in prcess f becming PCI DSS cmpliant, the member has cnfirmed the Third Party Agent has either cntracted with a Qualified Security Assessr (QSA) and is actively wrking twards PCI DSS cmpliance, r is in prcess f cmpleting a Self Assessment Questinnaire (SAQ). i. An nging prcess fr cntrlling risks assciated with the Third Party Agent has been established by the member, which includes a review f all the items n this dcument n an annual basis. 3. Apprpriate fficers f the member must review all due diligence dcumentatin and apprve the Third Party Agent. Apprval must be based n sund business practices that will nt cmprmise either the member r Visa and may nt be based slely n the language f the service agreement that limits the member s financial liability. 4. Member must ensure that any required reprting n the Third Party Agent s activity be submitted in a timely manner, as required by Visa. 5. Member must ensure that prmpt and apprpriate actin is implemented if Visa risk mnitring prgrams identify the Third Party Agent as intrducing substantial risk int the Visa payment system. 6. Member is respnsible fr ensuring that any services prvided by the Third Party Agent n behalf f the member r its merchants are perfrmed by that Third Party Agent itself and are nt subcntracted t any ther entity. If subcntracting is necessary fr business reasns, the member must treat the subcntracted entity as a Third Party Agent. 7. Member has cnducted an n-site review f the Third Party Agent s PIN security cntrls t validate cmpliance with the PCI PIN Security Requirements and PCI Encrypting PIN PAD Security Requirements manuals. Member has established plicies and prcedures that include an annual review f the Third Party Agent s prcesses and cntrls t ensure they remain cmpliant. 8. Member has cnfirmed the Third Party Agent is in cmpliance with VIOR, lcal, cuntry and reginal laws r regulatins. Visa Glbal Acquirer Risk Standards (GARS) 4 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

56 5 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

57 Appendix D Appendix D prvides a checklist f the Visa Glbal Acquirer Risk Standards (GARS) that can be used t assist the acquirer in maintaining cmpliance t the minimum risk standards. Visa Glbal Acquirer Risk Standards (GARS) 5 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

58 Visa Glbal Acquirer Risk Standards Checklist 1. Merchant Signing & Underwriting Plicy Yes N Cmments a. Did the acquirer have a cpy f the Merchant Signing and Underwriting plicy? b. Did the acquirer prvide a cpy f the Bard f Directrs Reslutin r an apprpriate management cmmittee apprval f the current plicy? c. Are merchant signing prvisins in place t mitigate risk related t merchants with high-risk characteristics? Merchants cnsidered unacceptable and will nt be signed? Merchants cnsidered High-risk that will require mre stringent underwriting and risk cntrls? d. Did the acquirer have a plicy and set f prcedures fr reviewing slicitatin materials used by its agents? e. Are merchant underwriting prvisins in place t mitigate risk that assess bth creditwrthiness and mitigate risk expsure? Assessment f the creditwrthiness f the business? Evaluatin f the creditwrthiness f the business wners r key principals? Cnditins, restrictins, r minimum credit criteria threshlds which if nt met will require a decline? Stringent underwriting standards and dcumentatin requirements fr higher risk merchants? Physical site inspectin requirement fr higher fraud risk merchants? Terminated Merchant File/Visa Merchant Trace System inquiry? Website standards and require inspectin? Merchant apprval respnsibilities and signing authrities? Decline decisin verride cnditins and signing authrities? Review and apprval befre a merchant is allwed t add a new lcatin? New applicatin and re-underwriting fr a change in wnership? 5 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

59 Assessment t ensure the sale f gds and services is legal and cmplies with the Glbal Brand Prtectin Prgram (GBPP) in the VIOR? (Fr acquirers with merchants in MCC 5912/5122, ensure that the merchant signing and underwriting plicy stipulates that the acquirer must btain a written pinin frm an independent and qualified legal cunsel that states the merchant activity fully cmplies with all laws and regulatins applicable t Visa.) f. Des the acquirer have a plicy and prcedure fr reviewing merchant agreements used by their Agents? (Applicable t acquirers wh use Agents) 2. Merchant agreement Yes N Cmments a. Des the merchant agreement: Indicate that the member is a principal party t the cntract and merchant acceptance f Visa prducts is extended by the member? Have clause that prvides fr the immediate terminatin f a merchant by the acquirer fr any significant circumstances that create harm r lss t the gdwill f the Visa payment system? Have a clause that ensures that merchants and Third Party Agents acknwledge and understand the imprtance f cmpliance with Visa security requirements, such as thse relating t transactin infrmatin, strage, and disclsure? Have a clause that requires the merchant t ntify the acquirer f its use f any Agent that will have access t cardhlder data? A disclsure page that identifies the member and its respnsibilities when an Agent is a party t the agreement? State that the member is respnsible fr prviding settlement funds directly t the merchant? Include a list f merchant prhibitins frm the VIOR and Reginal Operating Regulatins r an attached addendum as a referenced item in the merchant agreement? Examples: D nt accept cardhlder payments fr previus Visa Card r Visa Electrn Card charges incurred at the merchant lcatin. D nt require a cardhlder t cmplete a pstcard r similar dcument that includes the cardhlder s accunt number, card expiratin date, signature, r any ther cardhlder accunt data in plain view when mailed. D nt add any surcharge t transactins. D nt add any tax t transactins, unless applicable law expressly requires that a merchant be permitted t impse a tax. Any tax amunt, if allwed, must be included in the transactin amunt and nt cllected separately. Visa Glbal Acquirer Risk Standards (GARS) 5 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

60 D nt enter int Interchange any transactin receipt fr a transactin previusly charged back t the acquirer and subsequently returned t the merchant, irrespective f cardhlder apprval. The merchant may pursue payment frm the custmer utside the Visa system. D nt request r use an accunt number fr any purpse ther than as payment fr its gds r services. D nt disburse funds in the frm f travelers cheques, if the sle purpse is t allw the cardhlder t make a cash purchase f gds r services frm that merchant. D nt disburse funds in the frm f cash, unless: merchant is dispensing funds in the frm f travelers cheques, Visa TravelMney Cards, r Freign Currency. In this case, the transactin amunt is limited t the value f the travelers cheques, Visa TravelMney Card, r Freign Currency plus any cmmissin r fee charged by the merchant, r merchant is participating in the Visa Cash Back Service. D nt accept a card t cllect r refinance an existing debt that has been deemed uncllectible by the merchant prviding the assciated gds r services. D nt enter int Interchange a transactin that represents cllectin f a dishnred check. State the terms required t satisfy payment directly t the merchant. This includes, but is nt limited t, the name f the financial institutin t which the acquirer, its Agent, r spnsred members must depsit funds fr payment f Visa transactins. State the acquirer s name and lcatin in letter fnt size cnsistent with the rest f the merchant agreement printing, and in a manner that makes the acquirer s name bvius t the merchant. b. Is each merchant agreement signed by the acquirer and n file at the acquirer s place f business? Examples: Determine the % f merchant files the acquirer can prvide. Determine the % f merchant files that have signed merchant agreements. 5 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

61 Cmpliance Test: Obtain a system-generated listing f all merchants r selected MCCs if the prtfli is t large. Randmly select 5 merchants while n-site including recently signed and mre seasned merchants. Request that the acquirer prvide the merchant files while n-site. Ensure that sampled agreements are selected fr each Agent and fr merchants directly slicited and signed by the acquirer. If the first 5 files are nt sufficient t prvide a cnsistent rating, review 5-10 additinal files. c. Did the acquirer cnsent t all assignments and/r transfers f a merchant agreement t anther member? Cmpliance Test: Randmly select 5 merchants frm the list f merchants that has been assigned and transferred during the calendar year. Ascertain that the assignment and transfer has btained the express written apprval, if applicable. If the first 5 files are nt sufficient t prvide a cnsistent rating, review 5-10 additinal files. d. Did acquirer ensure that all merchant agreements are apprved by the member prir t entering any transactins int Interchange? Cmpliance Test: Randmly select 5 merchants. Validate that there was n merchant activity befre the merchant agreement was signed. If the first 5 files are nt sufficient t prvide a cnsistent rating, review 5-10 additinal files. e. Are merchant apprvals made in accrdance with the underwriting plicy? Did the acquirer decline merchant applicatins that d nt meet plicy cnditins, restrictins r minimum credit criteria threshlds? Did the acquirer fllw underwriting apprval respnsibilities and signing authrities? Did the acquirer fllw decline decisin verride cnditins and signing authrities? Cmpliance Test: Randmly select 5 apprved higher risk merchants within the past 6 mnths. Higher risk merchants are t be selected frm MCCs with a future delivery aspect (e.g. airlines, cruises) and/r thse defined as high brand risk. If the first 5 files are nt sufficient t prvide a cnsistent rating, review 5-10 additinal files. Did the merchant files and dcumentatin cntain evidence that the acquirer nly apprved merchants that met plicy cnditins, restrictins r minimum credit criteria threshlds? f. Did the merchant agreement include key prvisins t mitigate risk and meet Visa regulatin and plicy requirements? Examples: A merchant must nt depsit a transactin receipt that it knws r shuld have knwn t be either fraudulent r nt authrized by the cardhlder. Visa Glbal Acquirer Risk Standards (GARS) 5 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

62 The merchant is respnsible fr its emplyees actins while in its emply. Prhibitin against laundering A merchant depsiting a transactin receipt that des nt result frm an act between the cardhlder and the merchant r the cardhlder and its spnsred merchant (laundering). Immediate terminatin fr cause, including any significant circumstances that create harm r lss f gdwill t the acquirer r Visa system. Merchant acknwledges and understands the imprtance f cmpliance with Visa security requirements, such as thse relating t transactin infrmatin, strage, and disclsure. The merchant must ntify the acquirer f its use f any Agent that will have any access t cardhlder data. Acquirer will cntrl and disburse all settlement funds t the merchant. Acquirer hlds a security interest in all depsit accunts maintained fr settlement purpses and the unilateral right t debit fr unpaid fees, fines and chargebacks. Acquirer s right t hld merchant funds in reserve accunts and financial guarantees. Prhibitins against depsiting a credit transactin withut a preceding debit. Merchant acknwledges liability fr all chargebacks. Acquirer has the right t place the merchant in the Terminated Merchant File/Visa Merchant Trace System if the merchant has been terminated fr cause and merchant agrees t indemnify and hld the acquirer harmless. 3. Merchant Applicatin Yes N Cmments a. Is the acquirer name and cntact infrmatin clearly stated n the applicatin? b. Did the merchant applicatin request cntain: Infrmatin n the merchant? Examples: Merchant name DBA Merchant Tax ID number Merchant address Merchant phne number Business type (Crpratin, Partnership, etc) 5 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

63 Infrmatin n the business wners and principals? Examples: First and last name f principals Business Registratin Numbers Address f principals Infrmatin t adequately assess credit and fraud risk expsure? Examples: Card acceptance methd card-present/card-absent Mnthly bankcard vlume Highest and average ticket size Types f gds and services sld Previus prcessr statements Return and refund plicies Business references? Other businesses that the merchant r its business wns/ perates, r has wned in the past r is invlved as a directr? c. Is there a separate applicatin fr all merchants establishing an e-cmmerce presence? d. Did the merchant applicatin r the e-cmmerce/mo/to addendum cntain additinal infrmatin required fr e-cmmerce and MO/TO merchants? Examples: Detailed business plans, samples f merchandise, and cpies f all relevant marketing materials, including catalgs, brchures, telemarketing scripts, and print and bradcast advertisements Delivery methds Card charging plicies Unifrm Resurce Lcatr (URL), Internet Prtcl (IP) server address fr the merchant website Cntact details fr the website hsting service addresses and phne numbers f merchant fr custmer service Descriptins f any links n the merchant s website t ther sites t which they may r may nt be affiliated e. Did the applicatin request that the merchant identify all Third Party Agents invlved in the payment prcess that may have access t cardhlder data? f. Is the Tri-Party/Bank Disclsure frm included with a signature? Visa Glbal Acquirer Risk Standards (GARS) 5 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

64 g. Is applicatin infrmatin subject t a frmal verificatin prcess fr fraud preventin purpses? Are the business identity and lcatin verified against third party data surces such as directry assistance r state recrds? Are the business wners r key principals verified against credit bureau r ther reliable third party recrds? h. Is the credit wrthiness f the business wner r principals evaluated fr small business merchants? Cmpliance Test: Randmly select 5 new merchants bked within the past 6 mnths that meet the acquirer s plicy definitin fr a small business. Review merchant files and dcumentatin t see if persnal credit bureau reprts were btained fr the majrity business wners and key principals f small businesses. If the first 5 files are nt sufficient t prvide a cnsistent rating, review 5-10 additinal files. i. Are persnal credit bureaus btained fr majrity business wners and key principals f small businesses? j. Is credit wrthiness f the business evaluated? Are the business and key principals screened against negative files that huse prir charge-ffs and/r dergatry infrmatin abut ther accunt relatinships the merchant might have with the acquirer r with related entities r affiliates? Are financial statements, tax returns r trade line credits reviewed and assessed fr larger businesses? Are mre stringent underwriting standards and dcumentatin requirements applied t higher risk merchants? k. Is a frmal risk expsure assessment perfrmed? Did the acquirer quantify r prduce a qualitative assessment f the ptential risk expsure f signing a new merchant? Did the risk expsure assessment fr a new merchant cnsider actual r prjected sales? Did the risk expsure assessment fr a new merchant cnsider estimated shipping times r ther delays in merchandise r delivering a service t a custmer? Did the risk expsure assessment fr a new merchant cnsider value f depsits and future delivery f gds r services? Did the risk expsure assessment fr a new merchant cnsider refund and chargeback rates? Did the risk expsure cnsider the merchants refund r return plicies? 5 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

65 3A. New Merchant Set-up Yes N Cmments a. Have the merchant descriptins been reviewed and MCCs cnfirmed? Cmpliance Test: Randmly select 5 new merchants bked within the past 6 mnths frm any 3 MCC grups. Review merchant files and dcumentatin t determine if MCC assignment appears crrect. If the first 5 files are nt sufficient t prvide a cnsistent rating, review 5-10 additinal files. b. Are merchants assigned t the crrect MCC? c. Has there been a thrugh review f the merchant lcatin? Cmpliance Test: Randmly select 5-10 new merchants fr evidence f site inspectins f merchant websites, warehuses, and/r ffice facilities by the member. If this is nt sufficient t prvide a cnsistent rating, an n-site visit n at least 1-2 new merchant(s) may be necessary. d. Have High-brand risk merchants been registered with Visa? Cmpliance Test: Randmly select 5 merchants frm a system-generated list f all merchant lcatins in MCCs: 5122, 5912, 5962, 5966, 5967 and Als include Agent-serviced prtflis as well t determine whether all the High-brand risk merchants have been registered with Visa. If the first 5 files are nt sufficient t prvide a cnsistent rating, review 5-10 additinal files. e. Are e-cmmerce merchants using secure prcessing platfrms? Cmpliance Test: Randmly select 5 new Web merchants bked within the past 6 mnths. Review merchant master file, file dcumentatin, and the merchant website t determine if the merchant is using a secure prcessing platfrm certified by the acquirer. Review 5 10 additinal merchants if the first 5 reviewed are nt sufficient t prvide a cnsistent rating. f. Are merchants that cnduct sales ver the Internet using an acquirer-certified e-cmmerce platfrm that prvides secure prcessing? Visa Glbal Acquirer Risk Standards (GARS) 5 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

66 3B. Merchant Site Inspectins Physical Yes N Cmments a. Are physical site inspectins perfrmed fr higher risk (including High-brand risk) merchants? Cmpliance Test: Randmly select 5-10 new merchants bked within the past 6 mnths that meet the acquirer s plicy requirement fr a site inspectin. Review merchant files and dcumentatin fr evidence that a site inspectin was cmpleted. b. Did the merchant files and dcumentatin cntain evidence that a site inspectin was cmpleted? c. Did the physical site inspectins prvide sufficient infrmatin t determine whether the merchant is engaged in a legitimate business? Did the inspectin recrd indicate whether the exterir signage is cnsistent with the type f stated business n the applicatin? Did the inspectin recrd indicate whether the prduct inventry is cnsistent with the type f stated business and sales vlume n the applicatin? Did the inspectin include phtgraphs f the exterir and interir f the merchant s place f business? d. Are site inspectins cnducted fr fulfillment huses? Cmpliance Test: Randmly select 5 new merchants bked within the past 6 mnths that meet the acquirer s plicy requirement fr a fulfillment huse site inspectin. Review merchant files and dcumentatin fr evidence that a fulfillment site inspectin was cmpleted. Did the merchant files and dcumentatin shw evidence that a fulfillment site inspectin was cmpleted? Did physical fulfillment huse site inspectins include elements t mitigate risk? Did the inspectin recrd whether the fulfillment huse cnfirms the merchant is a custmer? Did the inspectin verify the merchandise shipment methds and return practices stated n the applicatin? 3C. Merchant Site Inspectins Internet Yes N Cmments a. Are e-cmmerce merchant website inspectins cnducted? Cmpliance Test: Randmly select 5 new Internet merchants bked within the past 6 mnths that meet the acquirer s plicy requirement fr a Web site inspectin. Review merchant files and dcumentatin fr evidence that a Web site inspectin was cmpleted. Review 5 10 additinal files if the first 5 files are nt sufficient t prvide a cnsistent rating. 6 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

67 Did the merchant files cntain dcumented evidence that a website inspectin was cmpleted? Did the merchant files cntain a checklist r ther mechanism t shw a website inspectin was cmpleted? Did the merchant files cntain screenshts r printuts f the key pages f the website? b. Did website inspectins include steps t examine cntent and cnfirm applicatin data t mitigate risk? Did the merchant name displayed n website match details prvided in the applicatin frm (e.g., merchant name, URL, descriptin)? Did the website ffer a cmplete descriptin f the gds r services ffered? Did it state the returned merchandise and refund plicy? Did it state the exprt r legal restrictins (if knwn)? Did it state the delivery plicy? Did site prvide custmer service cntact, including electrnic mail address and/r telephne number? Did site state the transactin currency (e.g., U.S. dllars, Canadian dllars)? Did site address f the Merchant Outlet s Permanent Establishment, include the cuntry? Did site state the privacy plicy fr cnsumer data? Did site ffer a secure methd fr making card payments and disclsure t cardhlders? Did the prducts ffered fr sale match thse n the applicatin? c. Was the website examined fr links t ther sites indicating prduct r services nt disclsed n the applicatin? 4. Settlement Yes N Cmments a. Did the acquirer have frmal plicies and prcedures fr merchant settlement? Did the acquirer have a stated plicy regarding settlement f merchant funds? Did the acquirer have defined prcedures fr mnitring fund settlement? b. Did the acquirer have the fllwing cntrls and mnitring in place fr reviewing settlement f funds? Did the acquirer hld and cntrl all merchant funds? Did the acquirer established cntrls t prevent a new accunt number being established by an unauthrized party t divert merchant funds? Visa Glbal Acquirer Risk Standards (GARS) 6 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

68 Did the acquirer cnfirm r review all DDA changes? Did the acquirer review and cnfirm DDA changes cmpleted by authrized third parties? c. Did the merchant have the fllwing plicies and prcedures in place fr advanced settlement funding? Did the acquirer allw merchants t participate in advanced funding? Did the acquirer have written plicies and prcedures fr advanced funding? Did the settlement flw fr merchant advances g t the merchant s accunt and then the fees and interest are deducted and sent t the acquirer r Third Party Agent? Did the acquirer mnitr advanced funding reprts? Did the acquirer reassess risk expsure if a merchant participates in merchant advances? d. Has the acquirer established a frmal plicy t pre-define interventin authrities and t help cntrl lsses? e. Des the acquirer s plicy gverning interventin and lss cntrl cver respnsibilities fr suspending prcessing? f. Des the acquirer s plicy gverning interventin and lss cntrl cver established plicies and delegated authrities t hld and release funds? g. Has the acquirer established cntrls t ensure the merchant cannt withdraw funds frm reserve accunts? h. Has the acquirer established cntrls t suspend credit items r batches fr merchants in wrkut psitins t prevent reserve depletin? i. Has the acquirer established a frmal plicy t define respnsibilities and actins fr terminating merchants? Cmpliance Test: Randmly select 5-10 recently terminated merchants. Review merchant files, dcumentatin and the Terminated Merchant File r Visa Merchant Trace System (whichever is applicable) t determine if the terminated merchants were added n a timely basis. If the files are nt sufficient t prvide a cnsistent rating, review 5-10 additinal files. Des the acquirer add terminated merchants t the Terminated Merchant File r Visa Merchant Trace System (whichever applicable) n a timely basis? Des dcumentatin fr terminated merchants shw investigatin results that supprt the terminatin decisin? Des dcumentatin fr terminated merchants shw terminatin date and reasn? 6 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

69 5. MONITORING merchants and agents Yes N Cmments a. Are there transactinal cntrls in place t mnitr merchants? Are there autmated cntrls t prevent merchant funding fr higher risk activity until it can be reviewed and released? Are autmated authrizatin and depsit cntrls established at the individual merchant level? Are autmated authrizatin and depsit cntrls established at the MCC level? Are net credit batches suspended until depsit can be reviewed and cleared? Are large credit transactins with n previus sales suspended and reviewed? Are large frced debit transactins suspended and reviewed? b. Are merchant activities reviewed peridically? Are exceptin reprts created and available n a daily basis? Are the reprts reviewed n a daily basis? Are exceptin reprts fr unusual activity available fr review befre funding is prvided t merchants? Are cntrls in place t ensure the highest pririty alerts are reviewed n a daily basis? c. Are there regular reviews n the merchant mnitring parameters? Are chargeback rates reviewed t identify merchants that exceed the acquirers internal threshlds fr chargebacks, as well as threshlds established by Visa? Des the mnitring review unusual and/r suspicius transactin activity? Examples: Descending dllar amunt authrizatin attempts High rates f key entered transactins Large r high rates f frced transactins Large ut-f-pattern depsits and large individual transactins Multiple sales with the same card number Large changes in the average transactin size High rates f card-absent internatinal activity Visa Glbal Acquirer Risk Standards (GARS) 6 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

70 Large credit transactins within depsits Depsits with negative batches Depsit activity fr new merchants Reductin in sales vlume Increasing r excessive draft retrieval request rates Increasing r excessive chargeback rates by merchant lcatin Suspicius nn-bank card activity Are merchant mnitring exceptin parameters established at the individual merchant lcatin level? Des the acquirer peridically evaluate the effectiveness f merchant mnitring reprts and adjust accrdingly? d. Did the acquirer identify and address unusual activity fr High-brand risk merchants n a daily basis? Grss amunt f daily depsits? Average Transactin Amunt? Number f daily transactin receipt depsits? Number f daily chargebacks? e. Des the acquirer cmpare current related data t the nrmal daily activity parameters at least daily? f. Des the acquirer review and adjust the merchant s nrmal daily activity at least mnthly using the previus mnth r a rlling 60 r 90 day average as a cmparisn? g. Des the acquirer investigate merchants with unusual activity r exceeding threshlds specified in the Activity Mnitring sectin f the VIOR? Is a frmal plicy in place cvering key elements f suspicius activity investigatin? Des the acquirer s suspect vilatin investigatin plicy cver the fllwing items? Are exceptin cnditin criteria in place fr requiring an investigatin? Are there assigned respnsibilities fr reviewing and investigating suspect vilatin? Are there authrity levels fr taking actin t mitigate risk, including escalatin prcedures between agents and acquirer? Are criteria in place fr determining which exceptin alerts require further investigatin? Is there a timeline fr investigating and reslving exceptin alerts? 6 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

71 Are prcedures fr Suspect Vilatin Reprt filing (after Timeline fr investigating and reslving exceptin alerts ) Are cntrls in place t ensure the Suspect Vilatin Reprt plicy is fllwed? Des the investigatin and reslutin prcess include at a minimum the fllwing steps? Is acquirer recrding suspect vilatin in a merchant histry database and reviewing previus exceptin cnditins and investigatin results? Are investigatin steps being perfrmed such as cntacting Issuers and cardhlders t verify transactins? Are cntacts within issuer rganizatins being develped t assist in investigate suspect transactins? Are pre-defined steps being used t bring rapid clsure t investigatins? Is acquirer establishing required internal and external ntificatins t dcument cmpletin f an investigatin? h. Des the acquirer fllw the steps described in VIOR when an investigatin reveals merchant invlvement in illegal activity? Examples: Take apprpriate legal actin t minimize lsses. Cperate fully with Visa in any investigatin, and release all infrmatin relative t the merchant upn request. Cperate with Issuers and law enfrcement agencies. Attempt t make the merchant respnsible fr the transactin. Hld funds, if pssible. Initiate criminal and civil prceedings against the merchant, if applicable. 5A. Peridic Accunt Review Plicies & PROCEDURES Yes N Cmments a. Is a prcess in place t identify merchants that warrant a peridic credit review based n risk expsure? Are peridic credit reviews cnducted n an nging basis annually, quarterly, r mnthly fr selected merchants? Are merchants selected fr peridic credit review based upn a quantitative r qualitative assessment f ptential risk expsure? b. Des the peridic review include evaluatin f persnal credit bureau reprts, business bureau reprts, r financial statements? Visa Glbal Acquirer Risk Standards (GARS) 6 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

72 Are financial statements, tax returns, r trade line credits reviewed and assessed fr larger businesses during the peridic reviews? Is the persnal credit histry and standing reviewed fr the majrity wners r key principals f small businesses as part f a peridic review prcess? Des the peridic review prcess include inspectin f merchant websites? 6. Training and Educatin Yes N Cmments a. Des the acquirer cnduct Agent and merchant risk management training and educatin after signing an agreement with the Agent and/r merchant t prvide services? b. Des the acquirer cnduct Agent risk management training and educatin at least annually? c. Des the Agent and merchant risk management training and educatin cver applicable Visa Reginal Operating Regulatins, VIOR, merchant risk, including fraud awareness and chargeback liability? 7. Managing Third Party agent risk Yes N a. Des the acquirer have a frmal underwriting, mnitring and cntrl plicy gverning usage f Third Party Agents? b. Has the Bard f Directrs apprved the plicy gverning usage f Third Party Agents? c. Des the plicy address the rights and respnsibilities fr each f the fllwing elements listed belw? Underwriting standards? Mnitring? Lss cntrl? Slicitatin materials? Apprval and Decline Override Authrity? Acquirer n-site reviews f Agents timing and cntent? Quarterly Agent review cntent? d. Des the underwriting plicy gverning merchant slicitatin by an Agent cntain key prvisins related t assessing creditwrthiness and fraud risk expsure? e. Des the plicy include/require/specify the fllwing items? List f merchants cnsidered unacceptable and will nt be signed? 6 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

73 List f merchants cnsidered high-risk that will require mre stringent underwriting and risk cntrls? Assessment f the creditwrthiness f the business? Evaluatin f the creditwrthiness f the business wners r key principals fr small businesses? Stringent underwriting standards and dcumentatin requirements fr higher risk merchants? Cnditins, restrictins r minimum credit criteria threshlds which if nt met require a decline? New applicatin and re-underwriting fr a change in wnership? Terminated Merchant File r Visa Merchant Trace System (whichever is applicable) inquiry? Website standards and require inspectin? Physical site inspectin requirement fr higher fraud risk merchants? Review and apprval befre a merchant is allwed t add a new lcatin? Merchant apprval respnsibilities and signing authrities? Member s decline decisin verride cnditins and signing authrities? f. Des the acquirer cnduct initial and nging due diligence reviews f its Agents perfrming sales r back rm prcessing peratins? Des the acquirer cnduct initial due diligence reviews f Third Party Agents? Des the acquirer cnduct nging due diligence reviews f Third Party Agents at least annually? Cmpliance Test: Review the due diligence files fr each ISO. What percentage f files shw prf f at least annual due diligence? g. Is there a prcess in place t review underwriting functins perfrmed by Agents and ensure cmpliance with acquirer plicy? Is there a prcess in place t review underwriting functins perfrmed by Agents and ensure cmpliance with acquirer plicy? Is there a prcess in place t review and apprve merchant applicatins underwritten n its behalf by Agents? Visa Glbal Acquirer Risk Standards (GARS) 6 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

74 h. Des dcumentatin f n-site reviews include review f all items listed in acquirer plicy gverning Agent respnsibilities? Underwriting standards? Risk mnitring? Lss cntrl? Slicitatin materials? Apprval and decline verride authrity? i. Are due diligence reviews f Agents perfrming sales r back rm prcessing peratins scheduled and cnducted in accrdance with acquirer plicy? j. Des the acquirer cnduct quarterly reviews f the Agent s key perating statistics? k. Des the acquirer s quarterly reprts submitted t Visa include all Agents, nt just Third Party Agents? l. Is a plicy in place t augment nrmally scheduled n-site reviews based n the results f quarterly reprts? m. Des the Agent agreement include key risk management prvisins t mitigate risk and meet Visa regulatin and plicy requirement? Examples: Requirement t fllw the acquirer s signing and underwriting plicy Terms that ensure the acquirer is nt abdicating respnsibility fr underwriting decisins Nt initiating prcessing until merchant agreement signed by acquirer Agent liability fr lsses Reserves held and cntrlled by acquirer fr ptential Agent failure Merchant reserves held and cntrlled by acquirer Agent merchant servicing respnsibilities Terms that ensure the acquirer is nt abdicating respnsibility fr activity mnitring Agent prhibitins Acquirer merchant terminatin rights Agent agreement terminatin clauses Acquirer s right t cnduct regular inspectins n. Are the High-Risk Internet Payment Service Prviders (IPSPs) and High-Risk Independent Sales Organizatins (HR ISOs) registered with Visa? 6 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

75 . Are the High-Risk Internet Payment Service Prviders identifying each Merchant Name field in the Authrizatin Spnsred Merchant separately in the Merchant Name field in the Authrizatin and Clearing Recrd? p. Are the prjected vlumes cmpared t prir prcessr statements and/r similar merchants within the existing prtfli? q. Is a prcess in place t ensure sales Agent cmpliance with underwriting plicies and reduce risk expsure? Are cntrls in place t audit applicatins apprved by each sales Agent and submitted t the acquirer fr apprval and bking? Are cntrls in place t ensure acquirer s evaluate merchant applicatins presenting higher risk? r. Are cntrls in place t ensure an Agent signed cannt begin prcessing until apprved by the acquirer? s. Des the acquirer have merchant activity transactin cntrls and mnitring prcess in place fr sales Agent prtflis? Examples: Merchant activity transactin cntrls Merchant activity mnitring timely reprt prductin Merchant activity mnitring exceptin reprt cntent Suspicius Vilatin Review (SVR) Alert investigatin, reslutin and lss cntrl t. Are merchant reserves r letters f credit held by the acquirer and nt accessible t the sales Agent r the merchants signed by the Agent? u. Des the acquirer have adequate reserves t prtect against ptential business failure f Agents? v. Are there cntrls in place t prevent Agent access t the Agent s reserve accunt? w. D Agents have the ability t redirect funding f merchant depsits t a different accunt number? x. Des the plicy gverning use f Third Party Agents include identifying third parties that have access t a merchant s cardhlder transactin data and registering the parties as Agents with Visa? Des the acquirer s plicy include steps t identify merchants that may use third parties with access t cardhlder data? Des the acquirer s plicy require third parties with access t cardhlder data t be registered with Visa? Visa Glbal Acquirer Risk Standards (GARS) 6 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

76 Des the acquirer maintain a list f all Third Party Agents and sub-cntractrs with access t cardhlder data? y. Des dcumentatin f n-site reviews include assessment f whether Agent is cmplying with all prvisins f the Payment Card Industry (PCI) Data Security Standard (DSS)? Des the acquirer have a dcumented frm r signed checklist frm Third Party Agents that states they d nt have access t cardhlder data? 8. Managing additinal aspects f merchant risks Yes N Cmments a. Are prspective merchants reviewed against the Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r the Terminated Merchant File (U.S. regin), r ther cmmn terminated merchant database, if VMTS is nt available? Did the acquirer inquire against the Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r the Terminated Merchant File (U.S. regin), r ther cmmn terminated merchant database, if VMTS is nt available, fr new merchants? Did the acquirer inquire against the Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r the Terminated Merchant File (U.S. regin), r ther cmmn terminated merchant database, if VMTS is nt available, fr change f wnership? Did the acquirer review pssible matches t determine whether the applicant was invlved and reasns fr terminatin? Did the acquirer decline r require additinal risk management cntrls fr cnfirmed matches n the Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, r the Terminated Merchant File (U.S. regin), r ther cmmn terminated merchant database, if VMTS is nt available? Did the acquirer review retractive alert pssible matches t determine whether the applicant was invlved and reasns fr terminatin? 7 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

77 8A. PCI DSS Cmpliance Yes N Cmments a. Des the acquirer have dcumented plicies t ensure PCI DSS cmpliance is cnfirmed annually? b. Are merchant applicatins reviewed t identify Third Party Agents with access t cardhlder data and register thse Agents with Visa? Cmpliance Test: Select 5 recent applicatins that list third parties invlved in the payment prcess and check if the third parties are registered with Visa as apprpriate. Review 5 additinal files if the first 5 files are nt sufficient t prvide a cnsistent rating. Are third parties listed n the merchant applicatin investigated t determine whether they shuld be registered as Agents with Visa? Are third parties with access t cardhlder data required t be PCI cmpliant? c. Des the merchant applicatin r the underwriting prcess discuss the fllwing fr merchant PCI DSS cmpliance? Merchant s current PCI DSS status? Review f the current prcessing histry, including any nging r prir cmprmise investigatins? Identificatin f payment applicatins used by new merchants n new merchant agreements? Mandate upgrade f any knwn vulnerable payment applicatins as a cnditin f prcessing? Data security and PCI DSS cmpliance educatin as a part f the merchant s welcme kit? Visa Glbal Acquirer Risk Standards (GARS) 7 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

78 7 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

79 Appendix E Appendix E explains Sectin 1.2 f the Merchant Data Standards Manual and the assigning f prper merchant descriptrs fr spnsred merchants. Visa Glbal Acquirer Risk Standards (GARS) 7 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

80 Prper Merchant Name Descriptins Sectin 1.2 f the Merchant Data Standards Manual utlines the three frmat ptins available fr direct marketing merchants t use in the Merchant Name field. These ptins all require direct marketing merchants t use their legal merchant name r their DBA in cnjunctin with an accurate descriptin f the prduct r service sld. The prper Merchant Name allws bth the acquirer and Visa t track the ttal vlume fr the business and the risk expsure f the direct marketing cmpany. The purpse f using an accurate merchant descriptin is t assist the cardhlder in recgnizing the transactin. The Merchant Name field shuld cntain the Ding Business As (DBA) name f the merchant and be the name mst recgnizable t the cardhlder. The Merchant Name field must nt be used as a descriptin field in lieu f the required, recgnizable name. The name f the High-risk IPSP must appear in the Clearing and Authrizatin Recrd in cnjunctin with the name f the High-brand risk spnsred merchant (e.g. IPSP name*spnsredmerchantname) The * must be in psitins 4, 8, r 13 f the Merchant Name field. Belw are examples f incrrect and crrect merchant name descriptrs fr a sample merchant that sells multiple prducts. The HR IPSP, ABC Prcessing Inc., handles transactins fr several merchants including Diet Pr and Detx Pr. Field Incrrect Optin 1: * in Psitin 4 Optin 2: * in Psitin 8 Optin 3: * in Psitin 13 Merchant Name: DIET PRO ABC* DIET PRO ABC INC*DIET PRO ABCMARKETING*DIET PRO Merchant City: Fster City Merchant State: CA CA CA CA Merchant Zip: Merchant Name: DETOX PRO ABC*DETOX PRO ABC INC*DETOX PRO ABCMARKETING*DETOX PRO Merchant City: Fster City Merchant State: CA CA CA CA Merchant Zip: Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

81 Appendix F A Payment Service Prvider (PSP) is an entity that cntracts with an acquirer t prvide payment-related services t spnsred merchants. The PSP interfaces with the acquirer n behalf f its spnsred merchants, and must ensure that its spnsred merchants are cntractually bligated t perate accrding t Visa requirements. A PSP cntracts with an acquirer t prvide payment services t a spnsred merchant. A spnsred merchant (seller) cntracts with a PSP t btain payment services. PSPs are respnsible fr their spnsred merchants, and bear financial liability fr their actins, and must ensure that the spnsred merchants perate accrding t Visa rules and requirements Acquirers are respnsible fr the actins f their PSPs and the PSPs spnsred merchants. Visa Glbal Acquirer Risk Standards (GARS) 7 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

82 Acquirer Risk Cntrls fr Payment Service Prviders (PSPs) and Spnsred Merchants Acquirers must thrughly vet and mnitr the actins f each PSP and their spnsred merchants. In additin, acquirers are respnsible fr all merchant agreement requirements as specified in the VIOR. The fllwing cntrls are intended t assist acquirers in this effrt. As an acquirer, yu must: Acquirer PSP Prgram Eligibility Acquirer Liability and Accuntability fr PSPs Acquirer and PSP Merchant Agreement Ensure yur institutin is in gd standing in all Visa Risk Management prgrams. Meet prescribed acquirer Tier 1 capital requirements. Understand that yu are liable fr the acts, missins and adverse cnditins caused by yur PSP and its spnsred merchants. Ensure that yur PSP and spnsred merchants adhere t all Visa risk prgrams. Cmply with Visa merchant mnitring standards. Indemnify Visa against claims and liabilities invlving yur PSPs r spnsred merchants. Ensure that yur PSPs and all f their spnsred merchants are lcated in yur institutin s licensed jurisdictin. Always query the Terminated Merchant File (TMF) (r equivalent) befre entering int an agreement with a PSP. Make certain that the merchant agreement between a PSP and yur acquiring institutin cntains the PSP s respective rights, duties, and bligatins fr participatin in yur Visa prgram. Ensure that the merchant agreement with yur PSP: Specifies that the cntract between a PSP and a spnsred merchant cntains the merchant agreement and the card acceptance and website requirements as utlined in the Visa Internatinal Operating Regulatins (VIOR). States that yur institutin may immediately terminate the PSP r its spnsred merchant fr gd cause as utlined in the VIOR. 7 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

83 Includes a statement that the PSP is financially liable fr all acts, missins, cardhlder disputes, and ther cardhlder custmer service-related issues caused by the PSP s spnsred merchants. Include a statement that the PSP must nt transfer r attempt t transfer its financial liability by asking r requiring cardhlders t waive their dispute rights. PSP Perfrmance Requirements and Restrictins Clearly cmmunicate t yur PSPs that they must never: Permit a spnsred merchant t transfer r attempt t transfer its financial liability by asking r requiring cardhlders t waive their dispute rights. Depsit transactins n behalf f anther PSP. Mnitr t make certain that PSPs adhere t the abve requirements. At the request f Visa Risk, make sure that the PSP prvides cmprehensive lists, including names r principals, cuntry f dmicile etc. Ensure that: PSPs with ne r mre spnsred merchants in designated high risk Merchant Categry Cdes (MCCs) cmply with the existing High-Risk Internet Payment Service Prvider (HRIPSP) registratin prgram. The PSP name is included in the transactin recrd as specified in VIOR Exhibit 2L (BASE II recrd requirements). PSPs are registered with Visa. An acquirer must send registratin frms and supprting dcuments as specified by Visa t cnfirm that it has perfrmed cmprehensive due diligence and financial review f the PSP. PSPs understand that certain merchant types may nt be prcessed. Spnsred Merchants Underwriting Ensure yur institutin cmplies with all applicable laws and/r regulatry requirements (e.g., anti-mney laundering). Query the TMF (r equivalent) prir t the PSP entering int an agreement with a spnsred merchant. If a merchant is listed n the TMF (r equivalent), d nt allw that merchant t be a spnsred merchant. Enter int a merchant agreement directly with any spnsred merchant that exceeds US $100K in annual Visa sales vlume. This triggers all f the required underwriting activities that apply t any merchant entering int a merchant agreement with an acquirer. Visa Glbal Acquirer Risk Standards (GARS) 7 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

84 7 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

85 Glssary Acquirer Visa Glbal Acquirer Risk Standards (GARS) Chargeback Electrnic Cmmerce Indicatr (ECI) Electrnic Cmmerce Merchant High-Risk Telemarketing Merchant Interchange A member, as specified in the Visa Bylaws, Sectin 2.04, that signs a merchant r disburses currency t a cardhlder in a cash disbursement, and directly r indirectly enters the resulting transactin receipt int Interchange. A set f minimum respnsibilities and requirements that members must fllw when managing merchants and Third Party Agents. A prcessed bankcard transactin that is later rejected and returned t the merchant bank by the issuer fr a specific reasn, such as a cardhlder dispute r fraud. The merchant bank may then return the transactin t the merchant, which may have t accept the dllar lss unless the transactin can be successfully represented t the issuer. A transactin data field used by e-cmmerce merchants and merchant banks t differentiate Internet merchants frm ther merchant types. Use f the ECI in authrizatin and settlement messages helps e-cmmerce merchants meet Visa prcessing requirements and enables Internet transactins t be distinguished frm ther transactin types. Visa requires all e-cmmerce merchants t use the ECI. A merchant that cnducts the sale f gds r services electrnically ver the Internet and ther netwrks. A Merchant Outlet that is required t be classified with Merchant Categry Cde 5967, Direct Marketing Inbund Teleservices Merchant, in its Spnsred Merchant prtfli, 5966, Direct Marketing Outbund Telemarketing Merchant, 5962, Direct Marketing Travel-Related Arrangement Services, 7995, Betting, including Lttery Tickets, Casin Gaming Chips, Off-Track Betting, and Wagers at Race Tracks, 5122, Drugs, Drug Prprietaries, and Druggist Sundries and 5912 Drug Stres and Pharmacies Visa may change the definitin f a High-risk merchant t include additinal merchant categries. See the Visa Merchant Data Standards Manual fr detailed descriptins f direct marketing merchants. The exchange f clearing recrds between members. Visa Glbal Acquirer Risk Standards (GARS) 7 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved..

86 Independent Sales Organizatin (ISO) Mail Order/ Telephne Order (MO/TO) Member Merchant Merchant Agreement Merchant Categry Cde (MCC) Merchant Outlet Merchant Reserves An rganizatin that has a direct relatinship with issuing and/r acquiring members. Members cntract with ISOs t prvide specific services such as merchant slicitatin, cardhlder slicitatin, custmer service and card applicatin prcessing. Plus ISOs act n behalf f members t deply and/r service qualified ATMs. Prepaid ISOs have relatinships with issuers t slicit ther entities (i.e., merchant, crprate clients, gvernment entities, etc.) t sell, activate, r lad prepaid cards. A merchant, market, r sales envirnment in which mail r telephne sales are the primary r a majr surce f incme. Such transactins are frequently charged t the custmers bankcard accunts. An entity that is classified in the VIOR as any f the fllwing Visa member types: Acquirer Affiliate Assciate Type Member ATM Acquirer Debit Interchange Grup Member Issuer Participant Type Member Spnsr Spnsred Member An entity that enters int an agreement with an acquirer financial institutin t accept Visa cards fr payment f gds and services. In ding s, the merchant displays an Acceptance Mark that is Visa-Owned Mark. The cntract between a merchant and an acquirer permitting the merchant t accept Visa cards fr payment f gds and services, and requiring that the merchant abide by certain rules gverning the acceptance and prcessing f Visa transactins. A cde designating the principal trade, prfessin, r line f business in which a merchant is engaged, as specified in the Merchant Data Standards Manual. The merchant lcatin at which a face-t-face, Mail/Phne Order (MO/TO), r Internet transactin is cmpleted Funds held in an accunt r therwise secured fr use in ffsetting ptential merchant lsses. 8 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

87 Payment Card Industry (PCI) Data Security Standard (DSS) Payment Service Prvider (PSP) Prcessr Settlement Third Party Agent Transactin A set f requirements established by the Payment Card Industry (PCI) t prtect cardhlder data. These requirements apply t all members, merchants, and Agents that stre, prcess, r transmit cardhlder data. An entity that cntracts with an acquirer t prvide payment-related services t spnsred merchants. The PSP interfaces with the acquirer n behalf f its spnsred merchants, and must ensure that its spnsred merchants are cntractually bligated t perate accrding t Visa requirements. PSPs are respnsible fr the actins f their spnsred merchants, and bear liability fr their actins. A PSP is nly permitted t sign spnsred merchants. A member, r Visa-apprved nn-member acting as the Agent f a member, that prvides authrizatin, clearing, r settlement services fr merchants and members. The reprting and transfer f settlement amunts wed by ne member t anther, r t Visa, as a result f clearing. A cntractr, including prcessrs and any Independent Sales Organizatin (ISO), Third Party Service Prviders, r Independent Cntractrs (ICs), whether a member r nn-member, engaged by a member t prvide services r act n its behalf in cnnectin with Visa. The act between a cardhlder and merchant that results in the sale f gds r services. Visa Glbal Acquirer Risk Standards (GARS) 8 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

88 2011 Visa. All Rights Reserved. VRM