I am Pivotal CREDIT CARD PROCESSING HANDBOOK

Transcription

1 Innovative Reliable Affordable I am Pivotal CREDIT CARD PROCESSING HANDBOOK

2 Finding What You Need Let s Get Started...2 How to Read Your Statement....2 About Pivotal Payments...3 Contact Information...4 Order Your Free Credit Card Signage....4 Voice Authorization...5 Minimize Your Account Risk Dos and Don ts Keeping Your Paperwork In Order...8 Disclosure...9 Financial Information...10 What you need to know about PCI Compliance...11 Important Links for PCI...12 Visa CISP...13 MasterCard SDPP...14 Protecting Yourself Against Fraud Identifying Counterfeit/Altered Cards...17 Processing Credit Card Transactions Processing Credits (Refunds) VIA Your Terminal...22 Submitting Your Credit Card Charges and Credits Accepting Debit Cards Chargeback Management...26 The Chargeback Process Chargeback Reasons Social and Business Networks PCS0502_TSYS/TSYS 1

3 Always Ready to Assist You! At Pivotal Payments, we value your business and encourage you to call if you require assistance with your payment processing needs. Merchant Support technical Support: Billing/Statement Questions: retrieval/chargebacks: Merchant Supplies Order Desk telephone: fax: hours: 7 days a week 9:00am to 5:00pm EST Voice Authorization Visa/Discover Network/MasterCard: (see page 5 for detailed instructions) american Express: diners: Jcb: hours: 24 hrs/day 7 days/week Customer Service american Express: diners: Jcb: hours: 24 hrs/day 7 days a week Order Your Free Credit Card Signage Let your clients know that your business makes it easier and more convenient for them to pay. Visa, MasterCard and American Express offer free credit card stickers, decals and signage for you to display on your store window or at the checkout. Easily order these free stickers at 4 PCS0502_TSYS/TSYS

4 Voice Authorization In the event that you cannot obtain an electronic authorization from your terminal, you must call for a voice authorization. Below are the voice authorization numbers for each of the major credit cards: Visa/ Discover Network/MasterCard: American Express: Diners: JCB: When calling to obtain a voice authorization, you will be required to provide: The credit card number and expiration date. The merchant account number (MID) identifying you to the voice authorization system. If your MID begins with 6314, use only the last 12 digits; if your MID starts with 2866, use the full number. The dollar amount of the transaction. The operator will respond with an authorization number, which you should write on the sales draft. Note: You may also be required to call for an Authorization Approval Code in response to a "Please Call" or "Call Center" message that you have received from your terminal when attempting to process a transaction. IMPORTANT! Once you have obtained an authorization number for the transaction, you will have to manually key the transaction into your terminal in order to receive payment (settlement). You must enter the transaction as an "Offline" or "Force" transaction and you will be prompted to key in the authorization number you have received. You may refer to your terminal Quick Reference Guide or call us for assistance. PCS0502_TSYS/TSYS 5

5 Minimize Your Merchant Account Risk As a merchant who accepts credit cards, there are regulations you should be familiar with and certain precautions you should take to minimize potential risk and insure maximum profitability. For your convenience, we have listed some of the more important Don ts of payment processing. Credit Card Processing Don ts: Do Not DRAFT/ LAUNDER/ FACTOR! Process only those transactions originating from your place of business as described on your merchant application. You must apply separately for any other business which you may own (in whole or in part.) Do Not process credits to a cardholders card unless you have an off-setting sale. Do Not process transactions against your own, personal or business credit cards or those of your employees, officers, spouses, etc. Transactions of this type can be considered cash advances and are not permissible. Do Not process any transaction that represents repayment of any existing cardholder obligations such as return of a personal check or payment of an outstanding loan. Do Not store magnetic-stripe data after receiving authorization. After a transaction is authorized, the full contents of track data, which is read from the magnetic stripe, must not be retained on any systems. Do not store CVV2, CID, CVC2 (the 3 or 4 digit code printed on the back of the card) data. When asking a cardholder for security codes, merchants must not document this information on any kind of paper order form or store it on any database. Know your liability. Merchant agreements now include provisions that hold businesses liable for losses resulting from compromised card data if a business (or its third-party processor) lacks adequate data security. Do not accept credit card details via ever. 6 PCS0502_TSYS/TSYS

6 Minimize Your Merchant Account Risk cont d Do Not split sales (see below for definition.) Do Not process a transaction that was denied or declined by the authorization center. Do Not process a draft in which the signature does not match that on the back of the card. What is a Split Sale? A split sale is the processing of two or more sales slips for a single sale. As per your agreement and governing regulations, you must process ONLY ONE sales transaction through your terminal for each single sales draft signed by your customer. Processing more than one sales transaction through your terminal for a single, signed draft is not permissible. IMPORTANT NOTE: You must be able to supply a signed, authorized sales draft for every single transaction processed through your merchant terminal or you will be subject to chargeback and full financial liability. PCS0502_TSYS/TSYS 7

7 Keeping Your Paperwork in Order It is important that you keep accurate and complete records of transactions you are processing. This will assist you in tracing transactions and authorizations in the event of a future customer dispute. As there are many don ts, there are a few dos as well. Credit Card Processing Dos: Do have ALL applicable transactions authorized. This minimizes your risk of chargebacks. Do keep copies of sales receipts for 12 months from the date of the original transaction to ensure your ability to respond to copy requests and/or chargebacks. Do maintain the same policy for returns, refunds and/or exchanges for credit card transactions as you do for cash transactions. If you do not permit refunds, you must mark your sales drafts with the statement NO REFUNDS. However, this statement does not limit the cardholder s right to challenge a transaction covered under federal, state and local laws or falling under bank, payment card rules and regulations. Do keep cardholder account numbers and personal information safe/confidential. (See page 11 for more info). 8 PCS0502_TSYS/TSYS

8 Proper disclosure for Refunds and Exchanges As a merchant, you are responsible for establishing the merchandise and adjustment (credit) policies for your business. Clear disclosure of these policies can help you avoid misunderstandings and potential cardholder disputes. Below are some examples of return /credit policies for Card-present transactions. DISCLOSURE STATEMENT WHAT IT MEANS NO Refunds or Returns Your establishment does not issue refunds and does not accept returned merchandise or merchandise exchanges. Exchange Only Your establishment is willing to exchange returned merchandise for similar merchandise that is equal in price to the amount of the original transaction. In-Store Credit Only Your establishment takes returned merchandise and gives the cardholder an in-store credit for the value of the returned merchandise. Special Circumstances You and the cardholder have agreed to special terms. The agreed-upon terms must then be written on the transaction receipt. The cardholder s signature on the receipt indicates acceptance of the terms. Disclosure for Card-Not-Present transactions (Moto) Your refund and exchange policies should be ed, or faxed to the cardholder. To complete the sale, the cardholder should sign and return the disclosure statement to you. Disclosure for Card-Not-Present transactions (Ecomm) Your refund and exchange policies should be available to online customers through clearly visible links on your home page. You should also provide a click through confirmation for important elements of the policy. PCS0502_TSYS/TSYS 9

9 Financial Information Merchant Discount. A merchant account Discount Rate is a fee paid by the merchant to the acquirer for credit card processing purchases charged to a cardholder s credit card. It is an agreed upon rate charged on sales and returned transactions. Transaction Fee A merchant account Transaction fee is paid each time a merchant s gateway, software, or terminal dials and communicates with the credit card processor. This includes: authorizations, sales, returns, closing of batch, and declined transactions. Monthly Processing Fees Your Monthly processing fees are calculated based on all the account fees assessed throughout the month with each date s activity. Monthly processing fees normally do not include your Daily discount or reserves (if applicable). The total of all Monthly Processing fees are debited from your checking account, also known as your DDA, through ACH within the first 5 business days of the following month. Month End Fees Month end fees are assessed at the end of each month and apply to various transactions that occurred during that monthly only. Month-end fees may include, but are not limited to, the following: Authorization Address Verification Services (AVS) Retrieval Requests Chargeback Monthly Minimum Statement fees How do I change the bank account for my deposits? We will need a copy of a preprinted voided check on the new account, plus your signature for verification purposes. Please send us a pre-printed void check or bank letter and a written request by fax at or at ach@pivotalpayments.com. Note: Person signing the request must be the same person who signed the merchant processing agreement. Reminder: If you accept Amex you will need to update your bank details with Amex, the contact details are below: Amex: What should I do if I wish to close my merchant account? Simply send a letter indicating your intent to close the account and the reason why. In order to protect yourself, the letter MUST BE SIGNED by the owner(s) who originally applied for the account. You may also call our merchant support center (see page 3 for telephone #). 10 PCS0502_TSYS/TSYS

10 How do I update my company information? If you change store locations, product, or service offered or simply change your business telephone number, you must IMMEDIATELY contact our merchant support department to update your information. Note: You must also update your details with Amex as well (see page 9 for telephone #). What you need to know about PCI Compliance Who are the founders of the PCI Security Standards Council? Founders of the PCI Security Standards Council are American Express, Discover Network, JCB, MasterCard Worldwide and Visa International. What is the Payment Card Industry (PCI) Data Security Standard (DSS)? The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa s Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard s Site Data Protection (SDP) program and Discover Information Security Compliance (DISC), the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized: Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks PCS0502_TSYS/TSYS 11

11 Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security Important Links on PCI Compliance : To Download the PCI DSS Requirements: download.html Discover Network information on PCI: American Express information on PCI: Visa information on PCI: MasterCard information on PCI: JCB information on PCI: Pin Based Debit Cards - PIN Transaction Security: 12 PCS0502_TSYS/TSYS

12 VISA Cardholder Information Security Program, Discover Information Security Compliance & MasterCard Site Data Protection Program (CISP/DISC/SDPP Compliance) Merchant levels defined Compliance requirements are based on the following merchant levels: Merchant Level 1 2 Description Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year. 3 Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. * New merchant level definitions effective as of July 18, ** any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level. Compliance validation basics In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. Level Validation Action Validated By 1 Annual On-site PCI Data Security Assessment and Quarterly Network Scan Qualified Security Assessor or Internal Audit if signed by Officer of the company Approved Scanning Vendor 2 Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan Merchant Approved Scanning Vendor 3 Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan Merchant Approved Scanning Vendor 4* Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan (if applicable) Merchant Approved Scanning Vendor * The PCI DDS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants. PCS0502_TSYS/TSYS 13

13 MasterCard Site Data Protection Program MasterCard's Site Data Protection Program (SDPP) is similar to VISA CISP, with the same 4 merchant levels, and requirements at each level. This program applies to all merchants accepting MasterCard transactions. The Merchant Levels for the MasterCard SDP program are defined below. Merchant Definition Level 1 Level 2 Level 3 Level 4 Criteria All merchants, including electronic commerce merchants, with more than 6 million total MasterCard and Maestro transactions annually All merchants that experienced an account compromise All merchants meeting the Level 1 criteria of a competing payment brand Any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements All merchants with more than one million total MasterCard and Maestro transactions but less than six million total transactions annually All merchants meeting the Level 2 criteria of a competing payment brand All merchants with annual MasterCard and Maestro e-commerce transactions greater than 20,000 but less than one million total transactions All merchants meeting the Level 3 criteria of a competing payment brand All other merchants On-site Review Required Annually 1 Merchant s Discretion 4 Not Required Not Required Self Assessment Not Required Required Annually Required Annually Required Annually Network Compliance Security Scan Date Required June 30 Quarterly Required June 30 Quarterly Required Quarterly 2 June Required Quarterly 2 Consult Acquirer 1 for Level 1 merchants, the annual on-site review may be conducted by either the merchant s internal auditor or a Qualified Security Assessor. 2 To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an Approved Scanning Vendor. 3 Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their acquirer to determine if compliance validation is also required. 4 as of June 30, 2011, any Level 2 merchant opting to perform a self assessment must be sure that employees performing said assessment attend and pass PCI SSC-offered merchant training programs; or, alternatively, Level 2 merchants can complete an onsite assessment performed by an Approved Scanning Vendor. 14 PCS0502_TSYS/TSYS

14 Protecting Yourself Against Fraud Identifying counterfeit cards and understanding the telltale signs of suspicious customers is the key to protecting yourself from possible fraud. Be wary of customers who make indiscriminate purchases. Be suspicious of anyone contacting you for a customer s credit card number. Be watchful of the cardholder who appears to be too young to have a credit card. Do not accept a card that appears to be physically altered. Be conscientious about keeping detailed records of all credit card transactions. Check the signature on the draft or printer receipt against the signature on the card to verify your customer s identity. If unsure, ask for a photo ID. Be sure to verify all information on the draft or printer receipt carefully if a card cannot be swiped and an account number must be entered manually. Pay special attention to the account number, a clear, legible imprint is crucial. Make sure to imprint a draft copy if a sale must be entered manually. A printer receipt alone with a hand keyed sale will not prevent a chargeback. Check all dates on the card to make sure they are valid before processing any transaction. Compare the card number on the terminal receipt to the embossed number on the face of the card. Personal contact information (address and telephone number) can be requested and recorded on an invoice- not on a sales draft (important on large or suspect transactions.) PCS0502_TSYS/TSYS 15

15 Protecting Yourself Against Fraud cont d CODE 10 code 10 is a term used by the credit card association and/or Discover Network to refer to a suspicious transaction. Call your voice authorization center for a CODE 10 authorization, if, for ANY reason you become suspicious of a transaction or cardholder. If you suspect that a transaction is fraudulent, call and request a CODE 10 AUTHORIZATION from your voice authorization center immediately. How do I process a CODE 10 call? Place a voice call to the authorization center. Once the operator answers state, THIS IS A CODE 10. Give the following information to the operator: - Account Number - Card s Effective Date/Expiration Date - Cardholder s Name - Cardholder s Address (if available) - Bank Name on Card. 16 PCS0502_TSYS/TSYS

16 Identifying Counterfeit/Altered Cards Below is a chart that offers the merchant more specific information about how to detect an altered or counterfeit card. Please share this information with your employees; knowing what to look for can help prevent credit card fraud. The most important thing is, if a card looks strange- QUESTION IT! LEGITIMATE ALTERED COUNTERFEIT PRINT Clean, crisp, clearly defined edges. MasterCard, Discover Network or Visa Colors may be off ; Quality too dark or too light with fuzzy edges. The word MasterCard may overlay improperly. Smooth to touch. Colors Smooth to touch, Smooth to touch may VINYL will not scratch off with surface may appear scratch off. Colors may thumbnail. disturbed or uneven. appear raised. EMBOSSING Easily read, letters will be of same height and size. Discover Network Cards have the special embossed Security Character which appears on the same line as the Member Since and Valid Thru information. It appears as a stylized D. From the back of card, original numbers or letters may be detected. If re-embossing has occurred, the hologram may be damaged. Uneven, letters may not match. SIGNATURE PANEL Has a repetitive VISA, Discover Network or MasterCard pattern. Those with the new diagonal, multi-color MasterCard pattern may have the account number printed in the upper left corner. A Discover Network overprint pattern appears on the signature panel, along with an underprint reading VOID. May be pure white. Appears glued or painted. May appear to have liquid style correction fluid applied over the signature panel and then have been re-signed. The new MasterCard multi-colored signature panels are designed to show signs of tampering. A void pattern may be revealed under an altered signature panel. HOLOGRAM VISA cards will have the VISA dove whose wings appear to move when the card is rotated. The vertically-shaped hologram on MasterCard 60/40 has two MasterCard world designs that change places with the initials MC when the card is tilted. The new 80/20 MasterCard word mark exhibits multi-colored changes when rotated. All may be silver or gold. The Discover Network card design shows a celestial sphere made of interlocking rings and an arrow pointer. The word Discover appears in very small letters on the shaft of this arrow. May not have a real hologram, but perhaps a shiny look-alike. FINE LINE VISA BIN MasterCard 60/40 cards have repetitive fine line printing on the card front. Crisp, clear, fine line printing forms a border around the VISA logo in the mark s area and around the MasterCard logo on the back side of the 80/20 card. Applies to VISA only. Card will have the first 4 digits of the embossing account number already preprinted on the card. Fine line printing causes counterfeiters to have a difficult time maintaining the crisp, clean quality of the letters in the repetitive printing, and they may appear to be broken, blotchy or filled in. Number may not appear at all on counterfeit card. PCS0502_TSYS/TSYS 17

17 Processing Credit Card Transactions With your Pivotal Payments merchant account, you can process credit card transactions once your terminal is set up. Processing procedures will vary depending if the customer is present or not and if you are swiping the card or keying in the information. 1. Consumer is present & credit card is swiped through the terminal Swipe the card to request the transaction authorization. Hold the card through the entire transaction While the transaction is being processed, check the cards features and security elements to make sure the card is valid and has not been altered in any way, (See page 17) Obtain authorization and get the cardholder signature on the transaction receipt Compare the name, number, and signature on the card to those on the transaction receipt If you suspect fraud make a code 10 call, (See page 16) 18 PCS0502_TSYS/TSYS

18 2. consumer is present & credit card information is keyed into the terminal. If a transaction must be manually keyed into the terminal, use the following procedure: Take an imprint of the card to validate the presence of the card using your manual imprinter. Key the transaction into the electronic terminal. You will be prompted for the ZIP code and street number for this card. The customer should provide you with the ZIP code and street number (house number) that is on their billing statement. This information is sent along with a transaction using an Address Verification Service (AVS) and is compared to the billing address for that card. A match will appear on the transaction record (match, yes or no?) and entitles you to better qualification rates as you are taking additional steps to protect yourself from fraudulent cards. If a match is not obtained, you can still process the transaction at a higher qualification rate. Wait for an Authorization Approval Code and receipt. If you do not receive an electronic authorization, you must obtain a voice authorization. Please see page 5 for Voice Authorization steps. Note: You may be required to call for an Authorization Approval Code in response to a Please Call or Call Center message that you have received from your terminal. Once you obtain your authorization code, you must write it on the sales draft. Post the authorization information to the terminal to ensure payment of the transaction. PCS0502_TSYS/TSYS 19

19 Processing Credit Card Transactions cont d IMPORTANT! Once you have obtained an authorization number for the transaction, you will have to manually key the transaction into your terminal in order to receive payment (settlement). You must enter the transaction as an "Offline" or "Force" transaction and you will be prompted to key in the authorization number you have received. You may refer to your terminal Quick Reference Guide or call us for assistance. 3. consumer is not present & credit card information is keyed into the terminal. Note that you can process mail/telephone/ transactions only if your merchant account is set up as a mail order/telephone order (MO/TO) business type. If you are eligible to process MO/TO transactions, follow this procedure: Obtain the complete cardholder information including: - Cardholder s name exactly as it appears on the credit card - Credit card number - Credit card expiration date - The cardholder s billing address including ZIP code - Cardholder s home or billing telephone number. Key the transaction into the electronic terminal You will be prompted for the customer s ZIP code and street address. If your account is set up as a Mail Order Telephone Order (MO/TO) merchant account, a match is not required in order for the transaction to qualify for the lowest rate but, you do have to enter all prompts previously mentioned and Invoice Number (Customer ID). If any field is left blank, the transaction will not qualify for the best rate. Wait for an Authorization Approval Code and receipt. If you do not receive an electronic authorization, you must obtain a voice authorization. Please see page 5 for Voice Authorization steps. 20 PCS0502_TSYS/TSYS

20 Note: You may be required to call for an Authorization Approval Code in response to a Please Call or Call Center message that you have received from your terminal: Post the voice authorization code back to the terminal for transaction processing. Write Telephone Order, Mail Order, or Internet Order as appropriate on the signature line of the receipt. Return one copy to y our customer and keep one copy for your records. PCS0502_TSYS/TSYS 21

21 Processing Credits (Refunds) VIA Your Terminal A credit (refund) can only be issued to the same credit card account that was used for the original purchase. Once you process a credit, your terminal will generate a receipt containing: The card account number being credited. Date the credit was issued. Amount of credit issued. Your business name and address. Your Terminal Identification number (TID). (Note: a credit should be issued only through the merchant account that was used for the original purchase.) For detailed processing instructions for your terminal, please refer to your terminal s quick reference guide that was included in your welcome kit. What is Batching out and how often should I do it? Batching out or End-of-Day Settlement refers to the process of closing your terminal down for the day. Each tim e you run a transaction, the first one of the day starts a batch. In order for your terminal to settle or contact the host to insure you get paid, it must be instructed that you are done with this batch and would like to settle it. We have auto-settle options available on some terminal models, others you will have to remember to settle every day. for detailed processing instructions for your terminal, please refer to your terminal s quick reference guide that was included in your welcome kit. 22 PCS0502_TSYS/TSYS

22 Submitting Your Credit Card Charges and Credits Settlement: The process of transferring funds for sales and credits between acquirers and issuers, including the final debiting of a cardholder s account and the crediting of a merchant account. Batch: The accumulation of transactions gathered, reconciled and transmitted for clearing and settlement. Batch close: The process of sending transactions to the processor for clearing and settlement. In order to obtain settlement for transactions processed, you must submit (upload) the charges from your terminal. This is a simple procedure and should be done at the end of each business day and only after the goods or services have been provided or delivered. Procedure for submitting charges/credits: Press the "Settlement" key on your terminal at least once a day to transmit all of the charges and credits you process. PCS0502_TSYS/TSYS 23