DalPay Internet Billing. Virtual Terminal User Guide

Transcription

1 DalPay Internet Billing Virtual Terminal User Guide Version 1.2 Last revision: 01/01/2010 Page 1 of 11

2 Version 1.2 Last revision: 01/01/2010 Page 2 of 11

3 REVISION HISTORY... 4 INTRODUCTION... 5 A. WHAT DO I NEED TO USE THE VIRTUAL TERMINAL?... 5 B. HOW DOES THE DALPAY VIRTUAL TERMINAL WORK?... 5 C. WHAT ARE PROHIBITED ACTIVITIES WHEN USING THE VIRTUAL TERMINAL?... 6 i. FIGURE 1: Extract from the PCI DSS Version D. PLACING ORDERS USING THE VIRTUAL TERMINAL... 8 E. MAKING A LIVE TEST ORDER F. WHAT HAPPENS AFTER A TRANSACTION IS ACCEPTED VIA VIRTUAL TERMINAL Version 1.2 Last revision: 01/01/2010 Page 3 of 11

4 Revision History Version Date Change Notice Pages Remarks Released Affected 1.0 August 1, First release All PCI DSS 1.1 applies July 1, 2008 Screen shot changes p. 8. PCI DSS 1.1 applies 1.2 January 1, 2010 Screen shot changes p. 7, 8. PCI DSS 1.2 applies Version 1.2 Last revision: 01/01/2010 Page 4 of 11

5 Introduction This user guide describes use of DalPay s Virtual Terminal for merchants processing MOTO (mail order/telephone order) transactions as a Card-Not- Present transaction. a. What do I need to use the Virtual Terminal? In order to use the Virtual Terminal a DalPay merchant in good standing must at the minimum have returned to the DalPay Risk Department a correctly completed Payment Card Industry (PCI) Data Security Standard Self- Assessment Questionnaire A and Attestation of Compliance: (Please refer to a Qualified Security Assessor or DalPay Support for guidance in completing these documents.) Once the Risk Department has received and approved this documentation, the Virtual Terminal feature can be activated for a specific account. b. How does the DalPay Virtual Terminal work? The Virtual Terminal requires collection of the same transaction information as DalPay Checkout, but allows the merchant to self-key the order details on our SSL secured order pages, instead of having a customer visit the same pages themselves as part of a DalPay Checkout order sequence. Orders placed by a merchant directly using the Virtual Terminal do not receive the full benefit of fraud scrubbing by the DalPay Automated Anti-Fraud Inspection System (which only works fully when customers enter their own orders themselves), so a MOTO order entered using the Virtual Terminal in this way should be treated as a higher risk transaction. As a rule of thumb, a merchant should aim to process less than 25% of their orders via the Virtual Terminal, and the rest directly by customers via DalPay Checkout, in order to benefit from the fraud scrubbing that DalPay provides. (As MOTO transactions are inherently higher risk, authorization forms may be required for more of these transactions than transactions entered by customers via DalPay Checkout.) Version 1.2 Last revision: 01/01/2010 Page 5 of 11

6 c. What are Prohibited Activities when using the Virtual Terminal? Please note that under the Payment Card Industry Data Security Standard (PCI DSS), Sensitive Authentication Data must NOT be stored. Sensitive Authorization Data in the context of Card-Not-Present transactions is defined as the CVC2/CVV2/CID*. (*This is the 3-digit security code on the back of the card; Visa calls it CVV2, MasterCard calls it CVC2. JCB call it the CAV2. For American Express cards it is called the CID or 4DBC and is 4-digits on the front of the AMEX card.) You must never store the CVC2/CVV2/CID in any database, or on any paper form, i.e. after the transaction has been authorized and accepted by one of DalPay s acquiring banks, you must make sure you have removed any record you had of it. For more information please refer to the PCI DSS (extract shown in Figure 1), and/ or the Qualified Security Assessor who assisted you in completing your Self-Assessment Questionnaire and Attestation of Compliance. Your operating jurisdiction may require specific protection of other cardholder or transaction data as well, or proper disclosure of your company's practices if consumer-related personal data is being collected during the course of business. Detailed discussion of this aspect is beyond the scope of this document. (In Iceland for example DalPay is subject to, and compliant with the requirements of Act no. 77/2000 on The Protection of Privacy as regards the Processing of Personal Data.) Version 1.2 Last revision: 01/01/2010 Page 6 of 11

7 i. FIGURE 1: Extract from the PCI DSS Version Version 1.2 Last revision: 01/01/2010 Page 7 of 11

8 d. Placing orders using the Virtual Terminal After logging into the Merchant Menu you will see the icon bar at the top of the screen. Click on 'order pages' to bring up your Page IDs (you need one for each web page, or currency that you accept via DalPay): You enter orders through the Virtual Terminal by clicking on the MOTO icon to the right of the Order setting: This will pop up the Virtual Terminal page: Version 1.2 Last revision: 01/01/2010 Page 8 of 11

9 (First, you should enter a test order to become familiar with how the system works - see the next section, Making a Live Test Order for details on how to enable the test card for your account.) The Terminal page asks you first for details about the order, with lines for sub items within the order, each having a Description, Price and Quantity (Qty). So in an example of a single sub-item description might be My first product', you can enter additional sub-items also, so a single customer's order for a few items might be something like this: Product description Price Qty (in USD) My first product Second product Shipping FedEx Direct Signature Required To make a one-off charge choose the default of 'Do not rebill credit card' then click to 'Enter customer and card details'. All Description, Price and Quantity sub items entered appear in your transaction history from 'orders' from the main menu, and are also included in the sent to the customer by , and in your merchant copy as well. When you click on the 'Enter customer and card details' you will be taken to the DalPay Checkout phased validation screens where you are asked over three pages for the customer's Country and Card Type, then to enter their shipping and billing addresses, followed by their card details. See What Happens After a Transaction is Accepted via Virtual Terminal for what happens if the card is accepted. If the card is declined, you will receive an error message page, and can try again, and also separately view the transaction as Declined in the transaction list from 'orders'. Version 1.2 Last revision: 01/01/2010 Page 9 of 11

10 (If you wish further details as to the reason for the decline, please contact us by raising a support ticket or by phone and we will check in further detail.) The most typical reason is either that their card account is over the credit limit, or the card is not enabled for international use (in both cases the card holder should contact their issuing bank to check). e. Making a Live Test Order To enter a test order using the Virtual Terminal you should enable our internal test Visa card for your account. Enable this from 'order pages', 'Test Order Page' (or 'Run Test order' from the main page). If no Name on Card code is already set, click on 'New' to get a fresh Name on Card Code such as 'HAeVcanH' then on the Enabled field 'no' setting or 'enable it' link to activate it for 60 minutes of use. You then checkout as usual from your website Order Page (or Virtual Terminal) choosing Visa, and using the Name on Card Code given as the 'Name on Card', along with Card Number: , Expiry: 01/11, and CVV: 999. You will get a copy of the order to the set in Order as the supplier, as well as a copy as the customer to the address you gave in the checkout process. Please note that it is forbidden by card association rules to run your own or family members' credit cards - even for testing purposes - through your merchant account or a DalPay Retail account. Please use the Visa test card instead. Version 1.2 Last revision: 01/01/2010 Page 10 of 11

11 f. What Happens After a Transaction is Accepted via Virtual Terminal When the order is accepted you will receive a copy of the order by from [email protected] to the address set in Order for each Page ID (such as [email protected]). The customer will also receive an order confirmation to the address you enter for them. You should view more details about the transaction from 'orders' in the Merchant Menu - see following important note. (Order is set in the 'Order page address:' field for each Page ID.) IMPORTANT PLEASE NOTE: Unlike a card physically swiped at a terminal, the Virtual Terminal captures charges as Card-Not-Present transactions. A status of accepted for a transaction means that at the time the transaction was put through, the credit/debit card account used was open and had a sufficient balance to accept the charge, and was not immediately declined. Do NOT assume that it was the legitimate cardholder that placed the order merely because the order has a status of accepted. DalPay recommends in the case of delivery of tangible products you wait 24 hours from placement of the order before shipping. This is to allow time for any urgent post-scrubbing updates from our anti-fraud networks. It is important to protect yourself from chargebacks by paying attention to the Transaction Fraud Score, and other particulars of the order, and as necessary performing Secondary Screening. Version 1.2 Last revision: 01/01/2010 Page 11 of 11