Visa Global Acquirer Risk Standards (GARS)

Transcription

1 Visa Glbal Acquirer Risk Standards (GARS)

2 The Visa Glbal Acquirer Risk Standards guide was develped fr member use in managing merchants and Third Party Agents. It is intended fr member distributin. Members may distribute this guide t their merchants and Agents, as apprpriate.

3 Table f Cntents Abut This Guide Backgrund Guide Purpse Hw This Guide is Organized Visa Glbal Acquirer Risk Standards Overview Acquirer Risk Respnsibilities Cntrl Mechanisms Acquirer Plicies Plicy Develpment Plicy Apprval Plicy Submissin t Visa Slicitatin Material Review Legal Cnsult Requirements Merchant Agreement Member Payment Acceptance Rle Merchant Agreement Transfer Merchant Agreement Review Merchant Agreement Apprval Merchant Terminatin Infrmatin Security Cmpliance Merchant Ntificatin f Agent Use Merchant Agreement Disclsure Page Merchant Settlement Respnsibility Merchant Agreement Requirements Merchant Prhibitins Merchant Agreement Cntent Merchant Applicatin Merchant Applicatin Member Name and Cntact Infrmatin Merchant Applicatin Business Backgrund and Infrmatin Special Applicatin Cnsideratins fr Card-Absent Merchants Separate Internet Merchant Applicatin Additinal Internet Merchant Applicatin Infrmatin Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved. i

4 4. Funding and Reserves Member Reserve Respnsibility Reserve Cntrls Payments t Merchants Mnitring Merchants and Agents Merchant Activity Mnitring Oversight E-Cmmerce Merchant Cntent Review Agent Activity Mnitring Oversight Merchant Data Retentin and Review Unusual Activity Reprting High-Brand Risk Merchant Data Retentin and Review Unusual Activity Reprting fr High-Brand Risk Merchants Merchant Investigatin Acquirer Investigatin Fllw-Up Mentr Investigatin Assistance Training and Educatin Merchant/ Agent Training and Educatin Managing Third Party Agent Risk Member Use f Agents Member Respnsibilities When Using Agents Terminatin f Agent Cntracts Quarterly Agent Review Agent Audits and Reviews Agent Requirements fr Prviding Infrmatin Merchant Slicitatin Use f High-Risk Independent Sales Organizatin (HR ISO) Use f Payment Service Prvider (PSP) High-Brand Risk Internet Payment Service Prvider Prcessing Requirements Managing Additinal Aspects f Merchant Risk Merchant Qualificatin Standards Merchant Disclsure Requirements Merchant Website Disclsure Registratin Requirements fr High-Risk Telemarketing Merchants (U.S. regin) Additinal Requirements fr all Risk Acquirers Request fr Infrmatin Requirement Additins t the Visa Merchant Trace System (Asia-Pacific regin) Transactin Receipt Depsit i i Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

5 Appendix A Visa Acquirer Risk Management Plicies Visa Plicy Requirements Merchant Underwriting Cntent Cverage Merchant Prtfli Risk Management Cntent Cverage Appendix B Rules fr the Disclsure Page Disclsure Page Examples Appendix C Third Party Agent Due Diligence Risk Standards Appendix D Visa Glbal Acquirer Risk Standards Checklist Appendix E Prper Merchant Name Descriptins Appendix F Acquirer Risk Cntrls fr Payment Service Prviders (PSPs) and Spnsred Merchants Acquirer PSP Prgram Eligibility Acquirer Liability and Accuntability fr PSPs Acquirer and PSP Merchant Agreement PSP Activity and Perfrmance Requirements and Restrictins Spnsred Merchants Underwriting Glssary Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved. i i i

6 i v Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

7 Abut This Guide Backgrund Guide Purpse Hw This Guide is Organized The bligatin t manage and mnitr merchant and Agent relatinships has been a lng standing member respnsibility. The Visa Internatinal Operating Regulatins and Reginal Operating Regulatins place respnsibility fr merchant and Agent versight and any lsses caused by either entity n the acquirer. The Visa Glbal Acquirer Risk Standards (GARS) is designed t help members: Understand their accuntabilities and respnsibilities t the Visa payment system. Oversee and cntrl their relatinships with merchants and Agents. Ensure their day-t-day peratins and practices are in cmpliance with the Visa Glbal Acquirer Risk Standards and the VIOR. This guide shuld be used in cnjunctin with the VIOR. Please refer t the latest versin f the VIOR fr a full list f requirements. Imprtant nte: All acquirers must cmply with the requirements specified in the GARS, except where required by lcal law. Where there is a difference between the infrmatin prvided in this guide and the VIOR, the requirements prvided by the VIOR take precedence. The Visa Glbal Acquirer Risk Standards (GARS) is rganized as fllws: Visa Glbal Acquirer Risk Standards Overview highlights the acquirer s key risk respnsibilities and accuntabilities when managing merchant and Third Party Agent relatinships. Sectin 1: Plicies utlines the plicies needed t mitigate acquirer and any risks that may be presented t the Visa payment system. Sectin 2: Merchant Agreements fcuses n minimum requirements that acquirers must meet when develping merchant agreements. Sectin 3: Merchant Applicatin defines essential member infrmatin that must be prminently displayed n a merchant applicatin. Sectin 4: Funding and Reserves describes the acquirer s respnsibility fr merchant settlement and the requirements fr hlding and cntrlling merchant reserves. Visa Glbal Acquirer Risk Standards (GARS) 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

8 Sectin 5: Mnitring Merchants and Agents identifies the cntrls that must be in place t adequately track and evaluate merchant and Agent payment prcessing activity. Sectin 6: Training and Educatin cvers the member s respnsibility t ensure that its merchants and Agents are prperly infrmed and trained t be able t fllw all the plicies and prcedures required t ensure cmpliance with the VIOR. Sectin 7: Managing Third Party Agent Risk explains the actins that Visa members must take t minimize Agent risk expsure. Sectin 8: Managing Additinal Aspects f Merchant Risk highlights additinal requirements and cntrls t cntrlling merchant prgram risk. The Appendices cntain imprtant supplemental infrmatin. The cntents are rganized as fllws: Appendix A includes recmmended cntent elements t help acquirers and Agents develp plicies that prperly supprt merchant risk management and ensure Agent cmpliance with Visa rules and regulatins. Appendix B prvides a sample cpy f the Disclsure Page that must be included if an Agent is a party t an agreement between the member and the merchant. Appendix C cntains the Third Party Agent Due Diligence Risk Standards (Revised December 2008) t be administered during the negtiatin prcess and thrughut the life f the agreement. Appendix D prvides a GARS checklist that can be used t assist the acquirer in maintaining cmpliance with the minimum risk standards specified by Visa. Appendix E explains hw t assign the crrect Merchant Descriptrs fr spnsred merchants. Appendix F includes a set f cntrls that acquirers must apply when using Payment Service Prviders (PSPs). A Glssary has been included at the end f this guide t define terms cmmnly used as part f the Visa Glbal Acquirer Risks Standards. 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

9 Visa Glbal Acquirer Risk Standards Overview The Visa Glbal Acquirer Risk Standards prtect the Visa payment system and supprt the safety and sundness f all Visa members by clarifying a member s respnsibilities fr managing merchant and Third Party Agent relatinships. Acquirer Risk Respnsibilities All acquirers in the Visa payment system must ensure their peratins cmply with the VIOR and the minimum standards detailed in this guide. Key acquirer risk respnsibilities identified by Visa include the fllwing: In This Area: Members Must: Plicies Implement plicies that include the minimum standards established by Visa t mitigate risk t the Visa payment system. The plicies must be apprved by the member s Bard f Directrs r an apprpriate senir versight cmmittee. Be made available t Visa upn request. Merchant Underwriting and Agreements Funding and Reserves Mnitring Merchants and Agents Training and Educatin Managing Third Party Agent Risk Managing Additinal Aspects f Merchant Risk Cntrl merchant apprval. Utilize merchant agreements that meet Visa minimum requirements fr disclsure and clearly define bth member and merchant bligatins. Ensure that any merchant agreements are reviewed and apprved prir t their use. Cntrl all funds related t Visa merchant acceptance, including settlement, reserves, hldbacks and ther funds; nn-members are prhibited frm direct cntrl ver such funds. Have adequate cntrls t mnitr Agent and merchant activity t ensure cmpliance with Visa requirements and prevent harm t the Visa payment system. Prvide merchants and Third Party Agents with the necessary educatin and training. Ensure merchants and Third Party Agents are aware f the member s plicies and guidelines and remain in cmpliance with VIOR and Reginal Operating Regulatins. Register all Third Party Agents with Visa and manage/cntrl the Agent relatinship by adhering t Visa s Third Party Agent Due Diligence Risk Standards. Incrprate risk management effrts int every aspect f merchant relatinships and daily peratins. Visa Glbal Acquirer Risk Standards (GARS) 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

10 Cntrl Mechanisms Cmpliance and On-site Reviews T ensure cmpliance with the Glbal Acquirer Risk Standards, acquirers and/r their Agents may be reviewed as needed n a risk-priritized basis. Visa may, at its discretin, require that acquirers cntract directly with Visa, r with a Visa Apprved Vendr t perfrm a review f their peratins. The acquirer Appendix D cntains a list f functinal areas and practices that are assessed during the acquirer review prcess. wuld be accuntable fr frwarding a cpy f the review reprt t Visa. Each review utilizes varius techniques t ensure an acquirer s r Agent s cmpliance with the key respnsibilities and ther peratinal requirements. Remediatin Mechanisms Fllwing the nsite review, and based n the severity f the findings, the review reprt may include specific crrective actins r ther risk reductin measures defined in the VIOR. The acquirer will then respnd t the findings with a remediatin plan. Visa will cntinue t wrk and track the acquirer s remediatin prgress. If an acquirer fails t implement an apprved remediatin plan within the specified time frames, Visa may impse the Crprate Risk Reductin Measures as specified in the VIOR. 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

11 1. Acquirer Plicies 1.1 Plicy Develpment 1.2 Plicy Apprval 1.3 Plicy Submissin t Visa A clearly stated, fully endrsed risk management plicy is essential t any acquirer peratin. It helps ensure that all emplyees understand management s directin and business bjectives. It is imprtant that emplyees are educated n plicies that apply t their jbs and that they knw what is expected f them, including hw t handle any plicy exceptins. An acquirer must implement a written plicy t gvern the underwriting, mnitring, and cntrl f its merchants and Agents. An acquirer s plicy must include Visa s minimum standards t cntrl risk in the Visa payment system. It may be ne cmprehensive dcument r separate plicies that address Visa s requirements. If separate plicies are used, they shuld be stred in a cmmn lcatin where they can be readily accessed and reviewed upn request. It is recmmended that the acquirer s plicy is reviewed and, where necessary, updated annually. Appendix A prvides a summary f recmmended plicy cntent elements fr acquirers t review and use when assessing their current plicy, r in develping a new plicy. The sample dcument is nt intended t be used as an acquirer s cmplete plicy dcument. Rather, it is a guide fr members t use t make certain that the cntent f their plicies meets Visa s requirements. It is recmmended that an electrnic cpy f the plicy be maintained s that it can be easily mdified t meet an acquirer s changing needs. The acquirer must als prvide a plicy dcument fr merchant/agent distributin that clearly defines the acquirer s rules and plicies and the Agent s r merchant s respnsibilities. An acquirer must ensure that all merchant acquiring business and Agent management plicies are apprved by its Bard f Directrs. The acquirer s plicies must be apprved by its Bard f Directrs r an apprpriate executive level cmmittee. A Bard f Directr endrsement can assist in increasing awareness and exercising versight f the risks invlved in the acquiring business. An acquirer must prvide the member s written plicy dcument t Visa upn request. The member s written plicies may be requested and evaluated during a peridic review f the acquirer peratins. Additinally, Visa may request a cpy f the plicies as necessary in cnjunctin with ther cmpliance issues. This requirement allws Visa t determine if a member is adhering t its wn plicies. It als helps prtect the safety and sundness f the Visa payment system. Visa Glbal Acquirer Risk Standards (GARS) 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

12 1.4 Slicitatin Material Review 1.5 Legal Cnsult Requirements An acquirer must implement a plicy and a set f prcedures fr reviewing slicitatin materials used by its Agents. Acquirers must have a plicy in place that ensures the review f an Agent s slicitatin materials t prevent harm t their reputatin and that f the Visa payment system. The member s plicy must include a prvisin that prhibits the use f misleading statements in all slicitatin materials, r in any way creates the impressin that the agent is mre imprtant than the member. Members may chse t prvide training materials and guidelines t their Agents n what standards are cnsidered acceptable fr use in develping slicitatin materials. Hwever, the use f these materials des nt cnstitute cmpliance with this requirement and des nt abslve the member f the respnsibility t review Agent slicitatin materials. Members must include a review f Agent slicitatin materials during their peridic assessment f the Agent s peratins and financial cnditin. An acquirer must abide by the plicy requirements fr the sale f prescriptin drugs (MCC 5122/5912) 1 in a card-absent envirnment. A member must btain a written pinin frm an independent and qualified legal cunsel stating that the merchant s activity fully cmplies with all laws and regulatins applicable t Visa. This cnfirmatin must be btained n a peridic basis, n less frequently than every 12 mnths. Upn Visa request, the member must prvide a cpy f the legal pinin, as necessary, in cnjunctin with ther cmpliance issues. 1 Visa may in the future change the MCC 5122, Drugs, Drug Prperties, and Druggist Sundries /MCC 5912, Drug Stres and Pharmacies t include additinal merchant categries. 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

13 2. Merchant Agreement The merchant agreement is a legally-binding dcument that ensures that a merchant perates under the rules and regulatins established by Visa and the acquirer. An imprtant pint fr all acquirers t remember is that merchants shuld nt be managed by reserves alne. The nly way fr acquirers t effectively manage their expsure is thrugh prper underwriting and mnitring. The merchant agreement shuld be thrugh enugh t prtect the acquirer frm imprper card prcessing and include the minimum prvisins stated in the VIOR. 2.1 Member Payment Acceptance Rle 2.2 Merchant Agreement Transfer The merchant agreement must indicate the member is a principal party t the cntract and merchant acceptance f Visa prducts is extended by the member. Visa payment system acceptance is the rle f the member, nt the Agent. Members are respnsible fr all merchant relatinships that access the Visa payment system thrugh their licensed Bank Identificatin Numbers (BINs). Visa recgnizes that Agents ften perfrm ther functins fr merchants. Hwever, allwing the Agent t perfrm these services must nt prmte the Agent abve the member in the eyes f the merchant. An acquirer must cnsent t the assignment and/r transfer f a merchant agreement t anther member. Merchants may be freely slicited and underwritten by all acquiring members. Individual merchants may als chse t mve their relatinship frm ne acquirer t anther withut btaining the cnsent f the acquirer where their current relatinship is dmiciled. Additinally, Agents can freely slicit new merchants fr any member that has registered the Agent with Visa. Nn-members may nt transfer individual r multiple merchant relatinships (prtflis) frm ne member t anther withut the express written apprval f the member hlding the merchant agreement. Ownership f the merchant s Visa transactins rests with the Visa member with whm the merchant has a signed merchant agreement. This ensures that members are aware f and cnsent t an Agent s intent t mve a grup r prtfli f merchants t anther member. Visa Glbal Acquirer Risk Standards (GARS) 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

14 2.3 Merchant Agreement Review 2.4 Merchant Agreement Apprval An acquirer must implement a plicy and prcedure fr reviewing merchant agreements used by their Agents. Members must review and apprve all merchant agreements used by their Agents t ensure the agreements cmply with Visa s minimum cntent requirements established by Visa. Members that permit an Agent t use a merchant agreement that has nt been develped by the member must peridically review and apprve the dcument t make certain it cmplies with member and Visa requirements. A peridic review can als help ensure that the Agent des nt mdify r change any terms cntained in the agreement. Visa des nt regulate the terms between the member and the Agent ther than thse specified in the VIOR, Reginal Operating Regulatins, and the Visa Glbal Acquirer Risk Standards. Fr example, Visa des nt regulate the fees, cmmissins, and ther financial terms between the member and the Agent. An acquirer must apprve all merchant agreements prir t entering any transactins int Interchange. Members must cntrl the apprval f all merchants befre they allw the merchant t prcess any transactins. Agents are nt permitted t execute merchant agreements n behalf f a member. Members may use varius means t ensure they review and apprve all merchants befre allwing them t prcess any Visa transactins: The acquirer must have the merchant applicatin, agreement, and underwriting materials transmitted t their underwriting staff fr review and apprval prir t activating the merchant. Acquirers may prvide their Agent with specific criteria that must be met fr member apprval. This prcess allws fr merchant activatin prir t member due-diligence review and apprval. Acquirers that use this prcess must ensure they actively mnitr their Agents and test fr cmpliance with underwriting plicies. The member is required t remain invlved with merchant apprvals and maintains a system fr mnitring plicy cmpliance. Members that prvide their Agents with data-entry capabilities must be able t review all new merchant recrds and merchant recrd mdificatins befre they becme effective in the member s system. Members must mnitr Merchant Categry Cde (MCC) assignments, and have access t their Agent s internal systems fr viewing merchant infrmatin held by the Agent. 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

15 2.5 Merchant Terminatin 2.6 Infrmatin Security Cmpliance The merchant agreement must include a clause that prvides fr the immediate terminatin f a merchant by the member fr any activity that may create harm r lss t the gdwill f the Visa payment system. Members shuld invke this clause when a merchant s business practices and exceptin item activity are such that they create a substantial risk f lss and/r harm t the Visa payment system. This includes participating in illegal activity. Members shuld nt abdicate their respnsibility fr terminating a merchant t their Agents. In additin t prtecting their individual interests, members must make decisins that are in the best interest f the Visa payment system. Merchant financial reserves d nt fully mitigate harm t the system r damage t cardhlder expectatins. The merchant agreement must include a clause that ensures that merchants and Third Party Agents acknwledge and understand the imprtance f cmpliance with Visa security requirements, such as thse relating t transactin infrmatin, strage, and disclsure. A merchant has an bligatin t prtect transactin infrmatin. Acquirers must educate their merchants n the imprtance f this cntractual bligatin and the cnsequences f failing t adequately prtect cardhlder data. The Payment Card Industry (PCI) Data Security Standard (DSS) is intended t help prtect Visa cardhlder data wherever it resides ensuring that custmers, merchants, and service prviders maintain the highest infrmatin security standard. It ffers a single apprach t safeguarding sensitive data fr all payment systems. Merchant agreements must specify that all merchants and Third Party Agents that have access t cardhlder data maintain and demnstrate cmpliance with the PCI DSS requirements and all subsequent requirement updates. Details f PCI DSS, as well as the list f PCI DSS cmpliant service prviders are available at (A glbal site link is available fr a specific cuntry r regin access). Members shuld refer t this website as a definitive surce f infrmatin fr the merchant regarding PCI DSS cmpliance, as well as ther infrmatin t assist the merchant in implementing effective security measures fr cardhlder data. Visa Glbal Acquirer Risk Standards (GARS) 9 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

16 2.7 Merchant Ntificatin f Agent Use 2.8 Merchant Agreement Disclsure Page 2.9 Merchant Settlement Respnsibility The merchant agreement must include a clause that requires the merchant t ntify the acquirer f its use f any Agent that will have access t cardhlder data. All Agents that access, stre, transmit, r prcess cardhlder data must be registered with Visa and cmply with established data security standards. Prper educatin and ntificatin must be prvided t merchants t ensure they understand their bligatin t ntify their member when they intend t use an Agent. Members must ensure that nly Visa-registered Agents are utilized. The member shuld request upn applicatin that the merchant identify all third parties invlved in the payment prcess that may have access t cardhlder data. Members shuld review merchant applicatins t identify, evaluate, and register any such Agents. An acquirer must ensure each merchant agreement includes a Disclsure Page that identifies the member and its respnsibilities when an Agent is a party t the agreement. Tri-party agreements are permitted in the Visa system; hwever, they can negate the imprtance f the member s relatinship with the merchant. If an Agent is a party t an agreement between the member and the merchant, a Disclsure Page is required. It must be signed by the merchant at All entities that stre, prcess, r transmit data must cmply with Payment Card Industry Security Standard (PCI DSS) requirements. Disclsure Page samples have been included in Appendix B fr member reference. the time they are slicited by the Agent. Cpies f the Disclsure Page must be immediately prvided t the merchant and attached t the executed merchant agreement. The merchant agreement must state that the member is respnsible fr prviding settlement funds directly t the merchant. The security and handling f merchant funds is a fundamental acquirer respnsibility. This functin cannt be delegated t a nn-member. Merchants must clearly understand that members have direct respnsibility fr settlement. They must als be advised that Agents are nt permitted t directly access r hld merchant funds whether frm settlement r reserves. This requirement des nt prhibit a VisaNet prcessr frm mving settlement funds frm Interchange thrugh the acquirer t the merchant s settlement accunt. In the case where a VisaNet prcessr is als perating as a Third Party Agent, Visa des nt grant the prcessr the right t hld r access a merchant s funds. If funds cannt be prvided directly t the merchant, they must be frwarded t the acquirer. 1 0 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

17 2.10 Merchant Agreement Requirements An acquirer s merchant agreement must be develped frm a risk perspective t ensure the merchant perates under the rules and regulatins established by Visa and the acquirer. Requirements include the fllwing: An acquirer must have a merchant agreement with each f its merchants. An acquirer may nly accept transactin receipts frm a merchant with which it has a valid merchant agreement. It is the acquirer s respnsibility t cmmunicate VIOR t the merchant. The acquirer must assume respnsibility fr any failure by its Agent t cmply with the VIOR and Reginal Operating Regulatins, including but nt limited t, any vilatin resulting in a chargeback r fraud. The acquirer must ensure that the merchant cmplies with the applicable sectins f the VIOR and Reginal Operating Regulatins. In the merchant agreement, an acquirer must clearly distinguish fees assciated with Visa transactins separately frm fees assciated with ther card transactins. The acquirer must nt prhibit a merchant frm using terminal prcessing services ffered by cmpetitrs t deliver Visa transactins captured at the pint-f-transactin directly t VisaNet fr clearing and settlement. A merchant agreement must cntain all f these additinal prvisins: Transactin depsit restrictins, as specified in the VIOR and Reginal Operating Regulatins Transactin prcessing prhibitins, as specified in the VIOR Prhibitin against a merchant depsiting a transactin receipt that des nt result frm an act between the cardhlder and the merchant r the cardhlder and a spnsred merchant (laundering) Prhibitin against a merchant depsiting a transactin receipt that it knws r shuld have knwn t be either fraudulent r nt authrized by the cardhlder The merchant is respnsible fr its emplyees actins while in its emply Disclsure f accunt r Visa transactin infrmatin prhibitins, as specified in the VIOR Disclsure that the PCI DSS cmpliance is required Merchant respnsibility fr demnstrating cmpliance with PCI DSS A requirement that the merchant, if underging a frensic investigatin must fully cperate with the investigatin until cmpleted Visa Glbal Acquirer Risk Standards (GARS) 1 1 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

18 A merchant agreement must allw the merchant t designate as its Agent a third party (that des nt have a direct agreement with its acquirer) t ensure the direct delivery f Visa transactins t VisaNet fr authrizatin clearing and settlement. The merchant must: Advise the acquirer that it will use a Third Party Agent Agree that the acquirer must reimburse the merchant nly fr the amunt f Visa transactins delivered by that Agent t VisaNet, less the apprpriate discunt fee 2.11 Merchant Prhibitins An acquirer must include a list f merchant prhibitins in the merchant agreement r an attached addendum as a referenced item in the merchant agreement. The list f prhibitins shuld clearly state that a merchant must NOT: X Accept cardhlder payments fr previus Visa Card r Visa Electrn Card charges incurred at the merchant lcatin. X Require a cardhlder t cmplete a pstcard r similar device that includes the cardhlder s accunt number, card expiratin date, signature, r any ther card accunt data in plain view when mailed. X Add any surcharge t transactins. X Add any tax t transactins, unless applicable law expressly requires that a merchant be permitted t impse a tax. Any tax amunt, if allwed, must be included in the transactin amunt and nt cllected separately. X Enter int Interchange any transactin receipt fr a transactin that was previusly charged back t the acquirer and subsequently returned t the merchant, irrespective f cardhlder apprval. The merchant may pursue payment frm the custmer utside the Visa system. Applicable Laws A Member must cmply with applicable laws and a Transactin must be legal in bth the Cardhlder s jurisdictin and the Merchant Outlet s jurisdictin. In the event f any cnflict between the VIOR and any applicable law, the requirements f the law gvern. See als: Cardhlder Ntificatins Merchant Agreement ID#: X Request r use an accunt number f any purpse ther than as payment fr its gds r services. X Disburse funds in the frm f travelers cheques, if the sle purpse is t allw the cardhlder t make a cash purchase f gds r services frm the merchant. X Disburse funds in the frm f cash, unless: Merchant is a Ldging r Cruise Line merchant disbursing cash t a Premium Visa Prduct cardhlder, as specified in VIOR, 1 2 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

19 Merchant is dispensing funds in the frm f travelers cheques, Visa TravelMney Cards, r freign currency. In this case, the transactin amunt is limited t the values f the travelers cheques, Visa Travel Mney Card, r freign currency, plus any cmmissin r fee charged by the merchant, r Merchant is participating in the Visa Cash Back Service, as specified in VIOR X Accept a card t cllect r refinance existing debt that has been deemed uncllectible by the merchant prviding the assciated gds r services. X Enter int Interchange a transactin that represents cllectin f a dishnred check Merchant Agreement Cntent A merchant agreement must specify all the cntractual requirements and the merchant prhibitins as stated in the VIOR. An acquirer may include ther prvisins in its merchant agreement if prvided the prvisins are cnsistent with the VIOR. Each merchant agreement must: State the terms required t satisfy payment directly t the merchant. This includes, but is nt limited t, the name f the financial institutin t which the acquirer, its Agent, r spnsred members must depsit funds fr payment f Visa transactins. Clearly state the acquirer s name and lcatin in a fnt size cnsistent with the rest f the merchant agreement printing, and in a manner that makes the acquirer s name readily discernible by the merchant. Be signed by the acquirer and remain n file at the acquirer s place f business. Visa Glbal Acquirer Risk Standards (GARS) 1 3 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

20 3. Merchant Applicatin A well-cnstructed merchant applicatin is essential t btaining relevant infrmatin abut all aspects f a merchant s business. Equally imprtant, is the need fr acquirer identificatin. Pertinent acquirer cntact details shuld be clearly displayed t avid any merchant uncertainty as t wh t g t with service issues and/r questins. 3.1 Merchant Applicatin Member Name and Cntact Infrmatin 3.2 Merchant Applicatin Business Backgrund and Infrmatin The member name and cntact infrmatin must be present n the merchant applicatin and be clear and cnspicuus. Members must ensure their financial institutin s name, cntact address, and phne number are prminently displayed n the merchant applicatin in a fnt size that makes this infrmatin cnspicuus t the reader. Members are accuntable and liable fr the actins f their Agents. It is therefre essential that prspective merchants have ready access t the member. Merchants must be able t cntact the member at any time, fr any reasn. Members may allw an Agent t place its wn cntact name, phne number, and its lg n the applicatin. This infrmatin must nt be mre prminent than the member cntact infrmatin and shuld nt discurage the merchant frm cntacting the member t reprt service deficiencies. Nte: If the Agent s lg is present n the merchant applicatin, the acquirer s lg must als be present. The merchant applicatin must request all relevant infrmatin n the business backgrund, the merchant s business mdel and its peratins, the merchant lcatin, and principals wh are running the business. This includes, but is nt limited t, the fllwing: Merchant Business Backgrund Merchant histry Obtain the merchant s authrizatin t research its backgrund, including credit, banking, financial histry, and hw lng the merchant has been in business. New businesses frequently fail within the first few years f peratin. If the business is a start-up, btain a business plan. Ding-Business-As (DBA) r trade name Cmpare the merchant s dingbusiness-as name t its legal name. Sme merchants may cnduct their daily business activities under ne name and apply fr legal registratin under a different name. If the names are different, it is imprtant t knw bth names. Legal frm f business Inquire abut the legal frm f the merchant s business. Fr example, is the merchant a crpratin, partnership, r sle prprietrship? 1 4 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

21 Business license, registratin numbers Obtain and verify the merchant s business license number r any ther license r registratin numbers that may be required t wn and/r perate a business. Perfrm a search with the apprpriate business bureaus t verify that the merchant wns r perates a legitimate business. Credit histry Determine whether r nt merchant r its principals have previusly filed fr bankruptcy, r have been registered as having any ther credit difficulties nw r in the past. If s, find ut when. This may prvide a gd indicatin f the financial stability f the merchant. Prir Visa Risk Prgram identificatin Determine if the merchant has been previusly identified by Visa Risk Prgram(s). If yes, find ut the specific prgram that identified the merchant and when the identificatin tk place. This may prvide a gd indicatin f the level f merchant underwriting risk. Prir merchant agreement Determine if the merchant and/r any ther principals invlved have a prir merchant relatinship with acquiring banks. If anther acquirer previusly terminated the merchant, nte the reasn fr terminatin n the merchant s applicatin. If available, check any industrywide services such as Enfrcement Management and Accunt System (EMAS) r Visa Merchant Trace System (VMTS), where available and permitted under lcal applicable law, the Terminated Merchant File (U.S. regin) r any ther cmmn terminated merchant database. Other businesses Ask the merchant t supply infrmatin fr any ther businesses it, r the principals, currently wns r perates, r has wned in the past r is invlved as a directr. Business references Obtain ther business references that can supprt its financial respnsibility. Fr example, invices r billing statements frm suppliers and custmers can prvide evidence f the merchant s ability t meet financial payments. Als use any lcal credit agencies fr infrmatin n the business r its principals. Merchant Business Operatins Operating statistics Ask the merchant fr the fllwing perating statistics t gain knwledge f the merchant s expected business revenue: Prjected ttal sales vlume per year Prjected credit and debit vlume per year Actual chargeback vlume (if existing merchant) Percentage f sales by mail rder, telephne rder, r Internet Perid between the purchase and actual delivery f gds Please refer t the Required Merchant Infrmatin sectin in the VIOR applicable t yur regin. Visa Glbal Acquirer Risk Standards (GARS) 1 5 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

22 Guarantees and nging services (cpies f cnsumer cntracts may be required) If any guarantees r extended warranties are purchased frm a third party, it is essential that the merchant purchases them immediately and can shw evidence f ding s. Billing terms Ask the merchant fr its billing terms, if nt immediate. Fr example, des the merchant allw its custmers t pay fr purchases in mnthly installments? The extent and frequency t which an acquirer cnducts its peridic reviews f a merchant s financial cnditin and business peratin depends n the acquirer s initial assessment f the risks assciated with the merchant s business. Credit and return plices Ask the merchant fr details f its credit, refund, and return plicy prcedures t ensure the merchant is prperly handling exchanges and credits. It is imprtant fr the acquirer t btain a cpy f the merchant s standard sales cntract with the cardhlder. Inventry Determine whether the merchant wns r finances its inventry. Cntracts Determine if the merchant has any significant cntractual relatinships, such as a manufacturer s Agent r exclusive supplier that may impact the merchant s ability t meet its financial r peratinal bligatins if a cntract is canceled. Merchant Business Lcatin Type f lcatin Determine the type f lcatin f the merchant, such as strefrnt, indr shpping mall, r ffice. Is the merchant lcatin suitable fr the type f merchant? Is the merchant lcatin in a gegraphic area that has demnstrated excessive levels f fraudulent activity? Own/lease Ask whether the merchant wns r leases the lcatin. If the merchant wns the lcatin, request fr the name and address f the mrtgage hlder, if any. If the merchant leases the lcatin, request the name and address f the landlrd. Time at lcatin Ask the merchant hw lng the business has perated at the present lcatin. Merchant Principal(s) Infrmatin Principal name, address, identificatin number Ask the merchant fr the name, address, Scial Security Number r similar identificatin number, and telephne number f each principal invlved in the business. Ownership infrmatin Obtain the percentage f wnership held by each principal. Als inquire as t the length f time each f the current principals have wned the business. Cnsider getting a guarantee frm the fficers f the crpratin. Percentage f time Ask the merchant fr the percentage f time spent at the business by each principal. 1 6 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

23 3.3 Special Applicatin Cnsideratins fr Card- Absent Merchants An acquirer must cllect and verify additinal applicatin infrmatin fr cardabsent merchants. This includes detailed business plans, samples f merchandise, and cpies f all relevant marketing materials, including catalgs, brchures, telemarketing scripts, and print and bradcast advertisements. 3.4 Separate Internet Merchant Applicatin 3.5 Additinal Internet Merchant Applicatin Infrmatin Fr all merchants establishing an e-cmmerce presence, an acquirer must use a separate applicatin indicating all f the merchant websites that will be prcessing Visa transactins. Whether the applicant is an existing merchant that wants t add a website, r a new merchant, use a separate applicatin r addendum fr e-cmmerce services. This practice can help facilitate the special risk assessment actins related t card-absent vlume. It can als allw fr merchant business name and site cntent verificatin, as well as ensure that the crrect business name is displayed n cardhlder statements. In additin, a separate applicatin frm prvides an easier way t track and reprt e-cmmerce applicatin vlume. Transactins can be flagged and tracked by acceptance mde. Cllect and verify additinal applicatin data and financial dcuments fr Internet merchants. Risk expsure can be lwered by taking a few extra steps during the applicatin prcess t btain additinal infrmatin frm questinable merchants. Required data culd include: Unifrm Resurce Lcatr (URL), als knwn as the website address (e.g., and Internet Prtcl (IP) server address fr the merchant website By cllecting this infrmatin, an acquirer is able t review the actual website and cnfirm that the merchant is actually cnducting the business as described n its applicatin. Cntact details fr the website hsting service This infrmatin can be used t cntact the hsting service and verify that the merchant maintains a legitimate business. addresses and phne numbers fr merchant custmer service Acquirers can verify that a merchant s address is valid by sending a message t that address. An alert shuld be triggered if the message is returned as undeliverable r bunced. In additin, the acquirer shuld check the merchant s custmer service fr its quality respnse and timeliness, as this will decrease custmer disputes and chargebacks. Descriptins f any links n the merchant s website t ther sites t which they may r may nt be affiliated This shuld raise a flag if the linkages d nt make sense r represent merchant types that yu d nt sign. Visa Glbal Acquirer Risk Standards (GARS) 1 7 Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.

24 4. Funding and Reserves T substantially reduce financial expsure, acquirers must maintain merchant reserves that are utside f the merchant s cntrl. If the merchant des clse dwn the business, the reserve amunts shuld be sufficient t cver any future chargebacks. 4.1 Member Reserve Respnsibility 4.2 Reserve Cntrls An acquirer must hld and cntrl reserves t guarantee a merchant s Visa payment system bligatins. Regardless f any cntractual limits f liability between a member and its Agents, Visa hlds the member respnsible fr cntrlling all aspects f merchant funding prcess. Agents are nt permitted t access and cntrl merchant funds. Members must prvide settlement funds directly t the merchant. Members may allw Agents t mnitr their merchants and cnduct investigatins f any suspected vilatin activity. Based n the result f thse investigatins, it may be necessary t delay settlement t a merchant r cllect funds frm settlement fr a reserve t ffset ptential lsses. In these instances, an Agent may request that a member delay settlement r cllect ther funds frm the merchant, but the Agent may nt actually receive and pssess any merchant funds. Agents may be granted the authrity t make decisins n withhlding r delaying a merchant s settlement funds. This authrity must nt be interpreted by either party t mean funds may be cntrlled r accessed by the Agent. Members that prvide Agents with this level f system access must have plicies and prcedures in place t ensure Agent cmpliance. Fllwing an investigatin r the clsure f the merchant, the member remains respnsible fr prviding funds due t the merchant. All merchant reserves maintained fr the purpse f securing Visa payment system bligatins must be held in a manner, such that the funds can be readily identified with the merchant fr which they are held. Generally, reserves are held in either a unique depsit accunt in the merchant s name r in a general accunt via ledger entries. In all cases, members must have cntrls in place t ensure their Agents r merchants cannt access reserve funds. Acquirers shuld review merchant reserves mnthly t ensure: All funds that have been added r remved frm the reserves can be accunted fr and explained. The funds cllected r disbursed can be mapped back t their surce (settlement r ffset f cllectin item). 1 8 Visa Glbal Acquirer Risk Standards (GARS) Ntice: This infrmatin is prprietary t Visa. It is distributed t Visa participants fr use exclusively in managing their Visa prgrams. It must nt be duplicated, published, distributed r disclsed, in whle r in part, t any ther persn withut prir written permissin frm Visa Visa. All Rights Reserved.