Rules of Card Acquiring Merchant Agreement

Transcription

1 October 2015 Rules of Card Acquiring Merchant Agreement Kortaccept Nordic AB, Finnish Branch, org.nr , Part of Teller,

2 These Rules of Card Acquiring Merchant Agreement consist of Part A General rules Part B Country-specific rules and rules for domestic card programmes Part C Sector- and/or -service-specific rules Part A General rules 1. Application of the rules This extract of rules describes the framework which applies to the agreement entered into between the Merchant and the Acquirer in respect of acquiring of card transactions. 2. General remarks regarding the acquiring of card transactions and the Merchant Agreement as a whole, contradiction in terms and conditions Acquiring of card transactions refers to the services offered for authorising, clearing and settling card transactions carried out at the Merchant. The services provided by the Acquirer under the Merchant Agreement are mainly directed to entrepreneurs, companies and associations and they are always to be used for industrial and commercial activity only. The content of the service and the parties responsibilities and rights are stated in the approved Merchant Agreement application, in the General rules (Part A) and in the Specific rules (cf Parts B and C) and in the Merchant Instructions which altogether at any given time constitute the content of the Merchant Agreement. The Acquirer is not liable for any damage caused to the Merchant as a result of the Merchant not complying with the terms and conditions of the Merchant Agreement. The Acquirer s right and ability to offer card services are affected by Visa s and MasterCard s regulations and directives. The contractual relation between the Acquirer and the Merchant must comply with these regulations. The Merchant instructions as in force at the time of approval of the Merchant Agreement application by the Acquirer are sent by the Acquirer to the Merchant or they are set available to the Merchant in the Teller s Merchant Portal. Should the approved Merchant Agreement application conflict with the General rules or the Specific rules, the approved Merchant Agreement application prevails. Should the General rules conflict with the Specific rules, the Specific rules shall prevail. 3. Use of third-party service providers Either party may fulfil its obligations under this Merchant Agreement using a third-party service provider. All third-party service providers have to be PCI-compliant and registered as an approved service provider according to the card scheme instructions. The parties are responsible for the activities of their third-party service providers as for their own. 4. Scope The Merchant may utilise the services provided under the Merchant Agreement by the Acquirer only to payments made with MasterCards (debit, credit, Maestro) and Visa cards (debit, credit, Visa Electron, V PAY) and other cards stated in the Merchant Agreement. The card issuers may also introduce new card products (embossed or unembossed). In the case some card issuer introduces new card products, the Merchant may start accepting them as means of payment after complying with the procedures instructed by the Acquirer. The Merchant approves the new terms and conditions (including without limitation new pricing) set by the Acquirer applicable to acquiring of the new card products as the Merchant accepts a Transaction made by a new card product. 5. Other cards The Merchant may enter into agreements with companies that acquire types of cards other than those described in the Merchant Agreement. The Merchant must notify the Acquirer of any such agreements before the card company s cards may be used at the Merchant. Purchases made with such cards are to be credited to the account that is designated by the Merchant and stated in the Merchant Agreement. 6. Types of card payments and other definitions 6.1 Acquirer: means the acquirer, Kortaccept Nordic AB, Finnish Branch in this Merchant Agreement. 6.2 Standard payment (POS): Payments to manned Merchants by the cardholder using the card s chip or magnetic stripe in a payment terminal providing proof of identity by a PIN code, signature or other approved Cardholder Verification Method (CVM) or payments to manned Merchants by the cardholder using the card s or a mobile s contactless feature. Special conditions apply to Standard payments (POS). 6.3 Online purchases in ecommerce environment: Payments to virtual Merchants by the cardholder via the Internet or another open network approved by the Acquirer, approving payments made with the card. Special conditions apply to online purchases. 6.4 Mail and telephone orders (MO/TO): Payments to Merchants that offer goods and services via mail order and telephone order sales. The cardholder writes the number, etc., of the card on the mail order which is signed, or this information is stated on the telephone. Special conditions apply to mail and telephone orders. 6.5 Hotels: A Merchant that offers overnight accommodation, possibly with advance booking. Special conditions apply to hotels. 6.6 Vehicle rental: A Merchant that offers vehicle rental, possibly with advance booking. Special conditions apply to vehicle rentals. 6.7 Unattended payment terminals or Cardholder-Activated Terminals (CAT): Payments are made at unattended terminals by the cardholder using the card in a selfservice payment terminal, possibly providing proof of identity with a PIN code if the payment terminal asks for this. Special conditions apply to unattended payment solutions and automatic machines. 6.8 Recurring payments: A Merchant and a cardholder may enter into an agreement to make periodic payments, often without stating a fixed amount and for an unspecified period. Special conditions apply to recurring payments. 6.9 Cash Advance: The service allows cardholders to withdraw cash either through an ATM or over the counter at a bank or other financial agency, up to a certain limit. Rules of Card Acquiring Merchant Agreement Page 2 of 23

3 6.10 Quasi-Cash: A Transaction representing a Merchant s sale of items that are directly convertible to cash, for example, currency exchange. Special conditions apply to Quasi- Cash Cash-back: The cardholder may withdraw cash from the Merchant when paying a purchase at the Point-of-Sale effectively offering two services in one transaction. Cashback is a domestic service and only cardholders of the participating issuers having access to it. The EMV POS terminal needs to support the service and its requirements. Special Country-specific rules apply to Cashback Authentication service: A function in which the cardholder is identified by the issuer of the card in connection with an Internet-based online payment by means of a separate set of IDs and/or passwords (for example, 3DSecure like MasterCard SecureCode and Verified by Visa) Authorisation: A check carried out by the Merchant in which the card issuer states whether the card s status or the size of the amount prevents a transaction from being executed Authorisation limit: Limit specified by the Acquirer in the local currency for a Point-of-Sale or Trading Site within which the Point-of-Sale or Trading Site in question must always authorise transactions Banking Day: Banking Day means a business day on which banks generally are open to the public for carrying on substantially all of banking functions Card data: Card data means the card number, expiry date, and verification code of the cardholder s card Card Scheme: means the Visa and MasterCard card organisations and their card schemes as well as other card schemes the parties may agree at any given time. It refers mainly to Visa and MasterCard, as the owners of the payment scheme, into which an Acquirer or any other eligible financial institution can become a member. By becoming a member of the scheme, the member is thereby authorised to issue or acquire the Transactions performed within the scheme Card Verification Code/Value (CVC/CVV) are security features of the card, such as CVC, CVV, icvv or PVV. Three- or four-digit number series printed on the card s signature panel, such as CVV2, CVC2, are used in mail orders or telephone orders and ecommerce environment Charge back: A procedure in which an issuer charges all or part of the amount of a Transaction back via an Acquirer to the Merchant in accordance with Card Scheme regulations EMV: EMV is a global standard for credit and debit cards based on chip card technology International Card Organisations/Card Schemes: Visa and MasterCard card organisations and their card schemes, as well as other card schemes the parties may agree on Merchant: The entrepreneur, company or other entity that has concluded a Merchant Agreement with the Acquirer, including all its Points-of-Sale and/or Trading Sites Merchant Agreement: The application/agreement with the appendices, rules and Merchant Instructions which together in their format at any given time constitute the Merchant Agreement Merchant ID: An identification number given by the Acquirer to the Merchant which specifies the Point-of-Sale, Trading Site and/or the main Point-of-Sale Merchant Instructions: Instructions issued by the Acquirer in order to comply with, among others, the rules and instructions of the International Card Organisations, including payment card handling, data security, MO/TO, ecommerce and functions of terminals, as well as best practices and other information to Merchants Merchant Portal Merchant Portal: is a web-based service provided by the Acquirer where the Merchant s administrator gets access and grants access rights within the Merchant organisation. The portal provides information about settlements, batches, specific Transactions and calculated fees. In addition, Merchants can view information about Acquiring products and services and the latest news Payment Service Provider (PSP/internet Payment Service Provider (ipsp)): A third party used by the Merchant to which the Merchant sends the Transactions acquired by it (e.g. a third party or other transaction router). The Merchant Processor must be a certified service provider in accordance with the PCI standard PCI: PCI DSS is the international Payment Card Industry Data Security Standard, used by Visa International, MasterCard Worldwide, American Express, JCB and Discover Financial Services. PCI DSS and other payment card industry standards complement each other and define the minimum safety requirements for card transactions. Adhering to this standard is compulsory for all parties receiving, transmitting or storing card transactions Point-of-Sale (POS) terminal: A certified device and/or system used by the Merchant that reads and verifies the card data Secure Payment Application (SPA): Security method designed to authenticate cardholders when they pay online Transaction date (T): A date on which the Acquirer (or the collection centre with which the Acquirer has on agreement) has received a Transaction with the correct content and in the agreed format from the Merchant or from the Merchant s Payment Service Provider Terminal vendor: A company which supplies certified POS terminals to other companies or Merchants Trading Site: A site approved by the Acquirer with a distinctive Merchant ID issued by the Acquirer and used by the Merchant for MO/TO or ecommerce Transaction: Information about payment based on an agreement between a company and a cardholder to transfer an amount from the cardholder to the Merchant Universal Cardholder Authentication Field (UCAF): A field to support a universal, multipurpose data transport infrastructure that the Card Scheme uses to communicate authentication information among the cardholder, merchant, issuer and acquirer communities. Rules of Card Acquiring Merchant Agreement Page 3 of 23

4 7. Rights and obligations of the Acquirer 7.1 Authorisation routing, Transaction Acquiring and Data Errors The Acquirer routes the authorisation requests sent by the Merchant and/or the Merchants Payment Service Provider (PSP) to the Acquirer on the terms and conditions set out in the Merchant Agreement. The Acquirer acquires all Transactions properly presented to it and received by it on the terms and conditions set out in the Merchant Agreement. The Merchant must ensure that the Transactions are sent by the PSP of the Merchant to the Acquirer and that the transaction data sent by the terminal or other solution is free from errors. The Acquirer is entitled to refuse to acquire or send to the card issuer Transactions that have been found to be erroneous or are suspected to be erroneous as well as to apply an extended settlement period. Errors in an assembled data set comprising transactions of several companies and sent by the Payment Service Provider might result in an extended settlement period with respect to all transactions within the same assembled data set, even if the error only concerns a part of the assembled data, e.g. another company than the Merchant. If the Acquirer acquires and settles to the Merchant, Transactions that the Merchant has delivered after the due date or that have been erroneous, the Acquirer is entitled to deduct the Transaction contested by the cardholder or card issuer and any other expenses incurred by the Acquirer from the subsequent settlements with the Merchant and/or its Points-of-Sale or Trading Sites, or to otherwise debit these to the Merchant. The Acquirer is also entitled to refuse to acquire Transactions that entail a specific risk of credit loss or misuse or for any other justified cause for refusal, or to apply an extended settlement period with respect to such Transactions. The Acquirer is not liable for an extended settlement period caused by errors in transaction data or assembled data sets or caused by Transactions delivered after the due date. 7.2 The Acquirer s settlement guarantee The Acquirer undertakes to provide settlement to the Merchant for the Transactions properly presented to the Acquirer and received by the Acquirer in accordance with the Merchant Agreement. The settlement takes place at the latest on a day followed by the number of Banking Days after the Transaction Date agreed in the Merchant Agreement. The payment is to be made to the account that is designated by the Merchant and stated in the Merchant Agreement. The settlement is to take place in the same currency as that in which the transaction took place unless otherwise stated in the Merchant Agreement. The settlement account must be in the same currency as the settlement. The Acquirer s obligation to make payment in accordance with this provision is conditional (i) on the Merchant having met its obligations in accordance with the Merchant Agreement and (ii) on the date of settlement being (a) a Banking Day, and (b) where the currency of the payment is other than the domestic currency of the Acquirer, a day (other than Saturday or Sunday) on which banks are open for general business in the principal financial centre of the country of that currency to enable the Acquirer to execute the Transactions in such currency. If the Merchant is liable for a loss caused to the Acquirer or the Merchant has received settlement for transactions to which it is not entitled, the Acquirer has the right to deduct a corresponding amount from a later settlement with the Merchant. The Acquirer does not normally check the Transaction before settlement is made to the Merchant. The Acquirer may use set-off to collect any claim that it has against the Merchant in connection with this Merchant Agreement. The Acquirer is entitled to hold back the settlement as a risk management measure if it suspects that the Merchant would cause financial or any other kind of risk to the Acquirer. In addition the Acquirer may be obliged to hold back the settlement or do the settlement (in whole or partly) to a third party subject to law or other order binding on the Acquirer. 7.3 Repayment obligation of the Merchant and the Acquirer s right to charge back Where a cardholder makes a complaint regarding a Transaction which has been reported by the Merchant and the Acquirer does not find that the complaint is clearly erroneous, the Acquirer is to charge back the Transaction from the Merchant. Where a Transaction related to a standard payment is made at an EMV terminal or the parties have specifically agreed upon guaranteed payment for transactions of the relevant type, the Merchant must, within seven (7) days of the earlier of (i) the Acquirer s retrieval request or (ii) charge back, demonstrate that in conjunction with the Transaction the Merchant has made the verifications and otherwise has fulfilled the requirements stated in this Merchant Agreement. Where the complaint is based on such, the Merchant must also demonstrate that there was no defect or deficiency on the article or service to which the Transaction related. In the event that the sales company does not fulfil its obligations in this respect, a repayment obligation arises and the amount is charged back from the Merchant. Where the Transaction relates to any other type of card payment, the Merchant must, in addition to the requirements set out chapter hereinabove within seven (7) days the earlier of (i) the Acquirer s retrieval request or (ii) charge back, demonstrate that the Transaction was ordered by the cardholder. Where the Merchant fails to fulfil its obligations in this respect or where the complaint, in accordance with Visa s or MasterCard s rules and regulations, is such that the Transaction can be rejected, a repayment obligation arises. Where repayment obligations arise, the Merchant must immediately pay an amount to the Acquirer corresponding to that which the Acquirer must pay to the issuer who had issued the card used, plus interest on such amount for the period from the date that the Acquirer paid the Transaction amount to the Merchant until such time as payment is made by the Merchant at an interest rate corresponding to local law. The Acquirer is entitled to debit the Merchant s account in the case a repayment obligation arises and the Merchant is obligated to pay in accordance with this provision. The disputed amount may be debited to the Merchant s account unless the Acquirer can immediately reject the cardholder s complaint as being groundless. From the date when the Acquirer receives a claim for payment as mentioned above or is made aware that there may be a Rules of Card Acquiring Merchant Agreement Page 4 of 23

5 breach of the Merchant Agreement, the Acquirer may freeze funds in the Merchant s accounts in the amount equal to the claim against the Acquirer brought by a third party. The Acquirer is entitled to charge a fee for each charge back that occurs during the invoicing period. Should complaints or losses relating to the Merchant during the previous thirty (30) days exceed 0.5% of the card volumes or number of Transactions on a specific Merchant ID, the Acquirer may debit the Merchant for processing costs and/or for charges or fees imposed on the Acquirer by MasterCard or Visa. The Acquirer is also entitled to charge the Merchant for fees and other claims for compensation that can be brought against the Acquirer by a third party (such as MasterCard and Visa) on the basis that the Merchant has breached the Merchant Agreement. Handling costs that the Acquirer incurs in connection with processing the claim may also be debited to the Merchant. The parties are to have a continuous dialogue regarding the volume of complaints and implementation of measures to limit the number of complaints as low as possible. 7.4 Merchant Portal and reporting Merchant Portal is a service provided by the Acquirer to the Merchant. The Acquirer defines the content of the Merchant Portal at any given time. The Acquirer provides the Merchant with administrator codes with which the Merchant s administrator may create the necessary number of user IDs entitling the access to the Merchant Portal. The Merchant identifies itself to the Merchant Portal by utilising the user ID s. The Merchant undertakes to keep, and is liable for keeping, the identification data, consisting of a user ID and password, used in the interactive services separate from each other. The Merchant is liable for the proper safekeeping of identification data to prevent all unauthorised third parties from accessing the data. The Merchant acknowledges the fact that a person using the created ID always has access rights to the Merchant Portal and is entitled to represent the Merchant towards the Acquirer relating to documents set into the Merchant Portal. If the identification data has been lost or the Merchant has reason to suspect that an unauthorised person has gained access to the identification data, it is obligated to prevent unauthorised use and to notify the Acquirer thereof immediately. The Merchant is liable for informing all its employees and other persons acting on its behalf who use or keep its identification data of the safekeeping obligations. The Merchant acquires the data communications required for the use of the Merchant Portal and is responsible for their functioning, costs and security. The Acquirer is not responsible for any failures in data communications or data transfer that do not derive from the Acquirer. Both parties are responsible for ensuring proper data security for their own data systems and for seeing to it that the systems are protected against unauthorised use in a reliable manner. The Acquirer sets available to the Merchant in the Merchant Portal (or at option of the Acquirer or if it has been separately so agreed, sends via or by mail) a report on the settlements on each Banking Day. In addition, the Acquirer sets available in the Merchant Portal or sends via a monthly summary report to the Merchant. The Acquirer may make changes to the reporting system. If the change adds the Merchant s obligations or restricts its rights, the change is subject to a prior notification to the Merchant in accordance with clause 16 of Part A Rules. The Acquirer may give notifications to the Merchant by using the Merchant Portal, as stated in these Rules. 7.5 Use of the service The Acquirer or the Acquirer s service provider does not guarantee uninterrupted use of the service. The Acquirer or the Acquirer s service provider endeavours to rectify faults and errors notified by the Merchant within a reasonable time or, depending on the nature of the fault or error, in connection with further upgrading of the service. The Acquirer or its service provider is entitled to interrupt the use of the service if this is necessary for the maintenance; repair or upgrading of the service or if there is another justified cause for the interruption. The Acquirer or its service provider notifies the Merchant of any interruptions in the use of the service in advance, if possible. 7.6 Reserve/security The Acquirer may demand that the Merchant has to provide security for its obligations to the Acquirer. This may take the form of a deposit in a bank, the withholding of settlement or some other form according to the Acquirer s demands. The security is to be returned to the Merchant 540 days after the termination of the Merchant Agreement at the latest. 7.7 Inspection of the Merchant s premises The Acquirer or a party named by the Acquirer is entitled, without giving prior notice, to have access to the Merchant s premises and equipment for handling card transactions in order to inspect these and ensure that the Merchant s operations are bona fide and honourable. If the Merchant has a service provider to handle the Transactions, the Merchant must ensure that the Acquirer is given a corresponding opportunity to inspect this company s premises and equipment. The inspection pursuant to this provision may take place at least once in a calendar year unless there are unforeseen grounds for carrying out such an inspection more often. Should any error or breach of security regulations be ascertained, the Merchant undertakes to correct these. A site inspection visit report should be generated. The Acquirer may request the Merchant to replace the equipment. If the Merchant s equipment or other procedures do not fulfil the requirements set by the Acquirer, the Merchant shall replace the equipment and/or change the procedures at the Acquirer s request in a manner and within the period specified by the Acquirer. In case of non-compliance with the Acquirer s request, the Acquirer may terminate the Merchant Agreement. 7.8 Miscellaneous The Acquirer may record the calls to its service numbers. The recorded calls will be processed by the authorised personnel only. Recordings will be used, among others, in the processing of claims and in staff training. The Acquirer is entitled to give a Payment Service Provider and/ or terminal vendor necessary information about the Merchant in order to set up the Merchant POS terminals or other systems for the service correctly. Rules of Card Acquiring Merchant Agreement Page 5 of 23

6 8. Rights and obligations of the Merchant 8.1 Handing over of Transactions and technical standards The equipment that the Merchant is to use for Transactions and authorisations (such as a terminal), including software, hardware and communications, must be certified and must comply with the prevailing technical standards and guidelines stipulated by the Acquirer. The Merchant is to send the Transactions, the authorisation requests and authorisation reversals to the Acquirer (or a collection centre with which the Acquirer has an agreement) in accordance with the prevailing standard and guidelines stipulated by the Acquirer. The Merchant is responsible for the functioning, costs and security of its equipment used for authorisations, gathering and storing information and handing over Transactions. The Merchant may use a Payment Service Provider to process authorisations and transactions, pass them on to the Acquirer and reverse them. This Payment Service Provider (and any changes of it) must be approved by the Acquirer before the Merchant starts to use the relevant Payment Service Provider. The Payment Service Provider is to comply with the standards and guidelines which apply to the Merchant. The Merchant is at all times responsible for the Payment Service Provider and liable for its errors, costs, and the like. The Merchant must notify the Acquirer of its intention to start to use a different Payment Service Provider well in advance in order to receive the approval or denial of the Acquirer early enough. A special merchant number provided by the Acquirer must be stated in connection with the sending or reversal of Transactions and authorisations. Where the Merchant Agreement covers several types of card payments the Acquirer provides a merchant number for each type of card payment under the Merchant Agreement. Transactions are to be deposited with the Acquirer (or a collection centre with which the Acquirer has an agreement) within two (2) days after the Transaction date on which the cardholder has authorised the payment at the latest unless otherwise agreed in the Merchant Agreement. The Merchant is always liable to retrieve the feedback on that the Transactions have been sent. If Transactions are received by the Acquirer (or a collection centre with which the Acquirer has an agreement) later than by the above-mentioned cut-off time, the Acquirer may refuse to settle the Transactions or to write back settlements that have been made. It is the Merchant s responsibility to ensure that the Merchant has received settlement for Transactions which have been sent to the Acquirer. The Merchant must complain about any lack of settlement within twenty-one (21) calendar days after the Transactions have been handed over to the Acquirer at the latest. In order to decrease the risk relating to malfunctioning of equipment used to send Transactions to the Acquirer, the Merchant is advised to send Transactions to the Acquirer online or at least on a daily basis. The Acquirer may refuse to settle the Transactions sent to the Acquirer in an incorrect form. In the case of any necessary replacement or modification of equipment and system changes, including the introduction of chip cards, the Merchant and Acquirer are each to pay their own costs. The Merchant is financially responsible for Transactions in which a chip card has been used at a terminal or other solution that is not approved in accordance with the EMV specifications. 8.2 Authorisations and blocking controls The Merchant shall authorise each Transaction unless otherwise stated in the Merchant Agreement, in the specific terms and conditions or in the Merchant Instructions. An authorisation is a confirmation from the card issuer that the payment may be carried out. The authorisation may also provide other information but it does not confirm the correct identity of the cardholder. An approved authorisation alone does not provide the Merchant with a guarantee that the card payment will be settled, see clause 7. The floor limit of authorisations must not be disclosed to any unauthorised third parties (including the cardholder). The entire purchase price (the total amount) must be authorised or verified as one amount. The Merchant cannot evade the floor limit dividing the amount or split sales. If the floor limit is exceeded without authorisation having been obtained, the Acquirer may reject or reverse the Transaction. Transactions involving Electron or Maestro cards must at all times be authorised online before they are executed. The same applies to cash-back cash withdrawal transactions. If the Merchant receives a blocking notice from the Acquirer and attempts are made to use a card stated on the notice, the card is to be rejected. An obtained authorisation must be reversed as soon as possible (and however not later than within 24 hours) after a Transaction cancellation or a finalisation of a Transaction for an amount lower than the authorised amount. The Merchant shall ensure (with its PSP) that the reversal has been made. Any authorised amount not reversed must correspond to the Transaction amount. The rules and instructions regarding the manner in which authorisation takes place may be specified in the specific terms and conditions and in the Merchant Instructions Further terms and conditions applicable to the authorisations of MasterCard Transactions In addition to the terms set out in clause 8.2, the terms set out in this clause are applicable to the authorisations relating to Transactions made using a MasterCard payment card unless otherwise stated in the specific terms and conditions or in the Merchant Instructions. The Merchant must code the authorisation request as either pre-authorisation or final authorisation. Pre-authorisations of Maestro Transactions are allowed only in online shopping in ecommerce environment and at unattended, automated fuel dispensers as set out in the specific terms and conditions or in the Merchant Instructions. Unless otherwise stated in the specific terms and conditions or in the Merchant Instructions, the Merchant shall use the final authorisation in which the authorisation is requested for the final Transaction amount and the Transaction may no longer be cancelled after the authorisation request is approved in full. Each approved final authorisation has a payment guarantee period of seven (7) calendar days from the authorisation approval date unless otherwise stated in the specific terms and conditions or in the Merchant Instructions. Rules of Card Acquiring Merchant Agreement Page 6 of 23

7 A pre-authorisation is an authorisation in which the authorisation is requested for an estimated amount and/or the Transaction may not be completed for reasons other than a technical failure or lack of full issuer approval. Pre-authorisations may only be used in accordance with the specific terms and conditions and/or the Merchant Instructions. Each approved pre-authorisation has a payment guarantee period of thirty (30) calendar days from the authorisation approval date unless otherwise stated in the specific terms and conditions or in the Merchant Instructions. To extend the duration of the payment guarantee period, the Merchant may submit additional authorisation requests for the same Transaction on later dates. A unique identifier from the original approved authorisation of a Transaction must appear in each additional authorisation request. The approved amount of any authorisation with an expired guarantee is deemed to be zero. 8.3 Commissions and other fees The Merchant shall pay to the Acquirer the fees stated in the tariff of the Acquirer for the services stated in the Merchant Agreement and other charges, commissions, fees and costs in accordance with the Merchant Agreement. Unless otherwise agreed, the amounts are to be debited in the same currency as the one in which the relevant Transaction is executed and are to be documented by a bank statement or separate statements. All other fees are to be debited in the domestic currency of the Acquirer, unless otherwise agreed in the Merchant Agreement. The account to which the fee will be debited should be in the same currency as the fee. The Merchant is to ensure that there are always sufficient funds to cover the amount debited. The Acquirer is allowed to debit the commissions and fees monthly to the Merchant s account if nothing else is specified in the Merchant Agreement. A tariff and Merchant commissions are part of the Merchant Agreement. The service fees and commissions are debited to the Merchant s account monthly in Gross settlement option and deducted from the settlement amount in Net settlement option. Should the Merchant Agreement be terminated by one of the parties during a period for which the Merchant has paid a fee, any of the fees may not be refunded to the Merchant. 8.4 Permitted transactions The Merchant is to accept transactions with all types of cards that are within the scope of the Merchant Agreement. Additional rules for the handling of cards and card transactions may be stated in the specific terms and conditions or in the Merchant Instructions. Transactions may only be executed in the domestic currency of the Acquirer unless otherwise stated in the Merchant Agreement. The Merchant may not hand over Transactions that contravene local or international laws or rules or in which a card has been used to pay for bets in games or similar circumstances or where the cardholder s payment and/or obligation can be regarded as being invalid by virtue of local law. The Acquirer may at any time demand that the Merchant must document that Transactions have been executed in accordance with this Merchant Agreement or the Merchant Instructions. If there is any doubt that this has not taken place, the Acquirer is entitled, while waiting for documentation, to withhold settlement until the situation has been settled. Should the Merchant have deliberately forced the use of a backup solution, settlement may be withheld if a dispute regarding the Transaction arises. The cardholder is only to be credited in connection with previously approved Transactions. The credit transaction is to be executed using the same card and card number as the originally approved debit transaction. The Merchant is not allowed to pay cash in connection with any return of goods or other repayments to the cardholder. Unless otherwise specified in the specific terms and conditions, a Merchant may only report Transactions under this Merchant Agreement relating to the purchase of goods and services from the Merchant and subsequent reversals relating to previous Transactions. Therefore a Merchant may not report card transactions relating to the receiving of payment for goods and services provided by other companies, as may occur with a distributor s handling. Nor may the Merchant report card transactions which concern payment of existing debt or previously rejected checks. After the Acquirer s special review and prior consent, the Merchant may report Transactions in which the Merchant acts as an agent or intermediary and thereby sells or conveys another party s goods or services or sells or conveys goods or services on another party s behalf, for example, trips or tickets to events. In the cases where another party may perform the service that the card transactions concern, the Merchant is responsible for the service as if it had been performed by the Merchant itself in accordance with the Merchant Agreement, for example, as regards clause 7.3 Repayment obligation Unjustified card usage If the Merchant knew or should have known that the cardholder was not entitled to use the card, the card transaction must not be executed. In cases of doubt, the Merchant is to conduct more detailed investigations, such as checks of identity of the cardholder, or contacting the Acquirer before the Transaction is carried out. This applies both in the case of ordinary electronic usage and when using a backup solution. 8.5 Cross-border Acquiring Unless otherwise agreed in the Merchant Agreement, the Merchant may only hand over Transactions relating to the purchase of goods or services from the Merchant in the Acquirer s country of domicile. If the Merchant operates in multiple countries and the Merchant and the Acquirer have so agreed, the Merchant may hand over Transactions also from the other countries specified in the Merchant Agreement at any given time. For the sake of clarity it is stated that the Merchants operating in cross-border sales must comply with all local laws, regulations and rules in the markets they operate or enter. Furthermore, the Merchant must comply with any regional rules registered with the Card Schemes and informed by the Acquirer or its service providers to the Merchant. Rules of Card Acquiring Merchant Agreement Page 7 of 23

8 8.6 Requirements for the Merchant s services The Merchant must accept all valid cards falling within the scope of this Merchant Agreement as full settlement for the sale of goods and services. The Merchant must accept cards for registration as electronic transactions (terminal) unless otherwise stated. The Merchant undertakes to handle card transactions in a professional manner, to ensure that the personnel who handle card transactions possess the necessary competence and comply with the terms and conditions of the Merchant Agreement, including without limitation Merchant Instructions, and with generally accepted practices in the industry. The Merchant must show that it accepts cards by using stickers in entrance areas and beside payment points and must state in its advertising material the cards that can be used for payment. The Merchant is entitled to use the Acquirer s business name and trademark, MasterCard s and Visa s trademarks and the trademarks of other cards covered by this Merchant Agreement. This is to be done in the way that the Acquirer instructs. The Merchant is to remove all trademarks and other symbols and identifiers of the International Card Organisations from all of its material and its main Point-of-Sale and all Points-of-Sale and Trading Sites immediately after the termination of the Merchant Agreement. The Acquirer is to a reasonable extent provide the Merchant with advertising and information material relating to card payments. The Merchant must comply with all laws to which it may be subject where a failure to do so is reasonably likely to have a material adverse effect on (i) the business, assets, financial condition or the prospects of the Merchant and/or its group taken as a whole, (ii) the ability of the Merchant to perform its obligations under the Merchant Agreement or (iii) the validity or enforceability of the Merchant Agreement or a part of it. The Merchant has obtained, and must comply with, any material official approval, authorisation, consent, licence or the like required or appropriate for (i) the carrying on by it of its business and (ii) the execution and performance of the Merchant Agreement and any related document and the use of the service under the Merchant Agreement. The Merchant is to promptly inform the Acquirer of: any changes to ownership factors, the board of directors, general manager or contact information required for its operations under the Merchant Agreement, any material changes in its business, and any circumstances referred to in clause 14 which could entitle the Acquirer to terminate the Merchant Agreement with immediate effect. Should the Merchant believe that the Acquirer has incorrect information about the Merchant, the Merchant must immediately contact the Acquirer to rectify the matter. 8.7 Filing The terminal records, signed receipts and merchant bookings must be stored in accordance with the prevailing accounting regulations, and according to PCI (see clause 10.1), and for a minimum period of 18 months. If requested by the Acquirer, purchase receipts, logs, vouchers and suchlike, or if necessary copies of these, must be handed over to the Acquirer within five (5) days of a request received. If the Merchant uses a service provider to store documentation, the service provider must hand over the documentation on behalf of the Merchant. This obligation also applies after the Merchant Agreement has expired. Upon request by the Acquirer, all information that has been compiled during the last eighteen (18) months before the Merchant Agreement has expired must be delivered to the Acquirer. 8.8 Register of Point-of-Sale terminals The Merchant is liable to have an up-to-date register of all its Point-of-Sale terminals, and also the Point-of-Sale terminals which have been taken out of use. The Acquirer may at any time ask for such a register and it should at any time be up-todate. 8.9 Currency indemnity and waiver The Merchant is obliged at the Acquirer s request to indemnify the Acquirer against any cost or loss arisen out of the conversion of a currency in the case of any sum due from the Merchant has to be converted from the currency in which it is payable into another currency for the purpose of filing a claim against the Merchant or obtaining or enforcing an order, judgement or kind and there has been discrepancy between the rate of exchange applied to the conversion and the rate of exchange available to the Acquirer at the time the Acquirer receives the sum. The Merchant waives any right it may have in any jurisdiction to pay any amount under the Merchant Agreement in a currency other than that in which it is expressed to be payable in the Merchant Agreement. 9. Duty of confidentiality The parties must not disclose any information regarding the content of the Merchant Agreement or any information that the parties gather in accordance with the rules and instructions of the Merchant Agreement and which relates to the parties or the cardholder. The information may only be disclosed to the Acquirer, to a service provider engaged by the Acquirer, to a company or other corporation based in Finland or abroad which belongs to the same domestic or foreign group or economic interest consortium as the Acquirer at any given time or to a company or to some other company that is legally in such a position that information can be disclosed to it and to service providers engaged by the Merchant for handling card transactions. When information is disclosed to the latter type of company, the duty of confidentiality applies to such company as well. The obligation to maintain confidentiality in accordance with this provision also applies after the Merchant Agreement has terminated. The parties and their service providers must not process personal data obtained from the Transaction apart from that which is necessary for executing the Transaction. The information must not be used in selective marketing measures or other contexts which contravene local rules and regulations. 10. Security requirements The Acquirer may lay down requirements for the equipment that the Merchant must have for authorisations, gathering and storing information and handing over Transactions. In order Rules of Card Acquiring Merchant Agreement Page 8 of 23

9 to prevent information which is confidential according to the clause regarding the duty of confidentiality becoming known to unauthorised third parties, the Merchant must implement the necessary security measures. The Merchant must implement the security measures that the Acquirer considers necessary Storage and securing of cardholder data and PCI regulation The Merchant must at all times comply with the common standard PCI (Payment Card Industry Data security standard) and the regulations of Visa, MasterCard and/or the Acquirer for secure trade and perform the required security checks. These are required where Visa AIS is concerned (Account Information Security) and are available at and where Master- Card is concerned SDP (Site Data Protection) and are available at More information about PCI can be found at More detailed rules and instructions regarding what the Merchant must apply may be stated in the specific terms and conditions. The Acquirer is also entitled to issue security rules and instructions in another manner. The rules and instructions issued by the Acquirer separately or in the specific terms and conditions can specify, for example, what kind of a technical solution the Merchant needs to have for making authorisation, collecting information, reporting or other measures of handling the transaction data. All the physical and/or electronic storage of cardholder data must take place in such a way and in such a form that the data are inaccessible to unauthorised third parties. All the access rights must be logged and all users must be assigned a separate user identity. All stored card numbers must be encrypted and CVV2/CVC2 or other sensitive authorisation data must under no circumstances be stored after an authorisation has been made. The Merchant may not save the card verification value in the chip application (icvv/chip CVC) or the PIN verification value in the magnetic stripe (PVV). Should a Payment Service Provider (PSP) store, process and transfer cardholder data on behalf of the Merchant, the Merchant undertakes to inform the Acquirer of this. The Merchant s service provider will in such cases be subject to the regulations mentioned above. The Merchant undertakes to immediately contact the Acquirer if it suspects fraud, infringement into a system or another incident that can constitute a security risk. Furthermore, the Acquirer is entitled to delay the settlement of suspicious card transactions until the incident has been investigated. In connection with serious suspicions the Acquirer is entitled to temporarily stop all card transactions. Should there be reasonable grounds to suspect a breach of security or that cardholder data has gone astray or the PCI rules define that the Merchant has to go through the security scanning, the Merchant must by order of the Acquirer examine the Merchant s systems thoroughly, ( vulnerability scanning ). Such an examination must be performed by a PCI-certified data security company. The Merchant must bear all the costs incurred in connection with this. Should the Merchant fail to comply with the PCI DSS requirements and the cardholder data goes astray, the Merchant will be financially liable for the investigations, forensic costs and any losses that arise as a result of misused cards. In addition, the Acquirer may charge the Merchant for the fines that the card companies impose on the Acquirer as a result of the Merchant s incompliance with the PCI DSS requirements. 11. Liabilities 11.1 Liability for Damage Each party is liable for damage caused to the other party by a breach of the Merchant Agreement subject to the limitations set out below in clause 11.2 and/or in the Merchant Agreement Limitation of liability The parties are not liable for the other party s losses which arise from a force majeure, amendments to law, measures implemented by the authorities, acts of war, disruption of postal, telephone or data traffic or any other electronic communication networks, data transfer, automatic data processing, interruptions of general transactions, strikes, boycotts, lockouts, blockades or other similar circumstances. The reservation regarding strikes, lockouts and blockades also applies if the parties themselves are the objective of, or themselves initiate, such measures. The parties are not liable for any indirect damage including, without limitation, loss of profits or revenue, loss of savings or business or loss of goodwill. Limitations of liability do not apply to intentional acts or gross negligence or breach of confidentiality obligations. 12. The validity, service utilisation and termination of the Merchant Agreement The Merchant Agreement enters into force and the Merchant may start to utilise the services provided under the Merchant Agreement when the Merchant has signed the Merchant s application for Card Acquiring Merchant Agreement, the Acquirer has approved the Merchant s application for Card Acquiring Merchant Agreement and the Merchant has fulfilled all the conditions precedents set out by the Acquirer for the utilisation of the service. The Merchant Agreement continues to be in force until further notice. The Merchant Agreement may be terminated by either party by giving a written notice at least three (3) months prior to the termination. The Acquirer may terminate the Merchant Agreement and block the settlement account with immediate effect if one or more of the following circumstances occur or the Acquirer suspects might occur: One or more items in the Merchant Agreement are breached The Merchant has given incorrect or incomplete information regarding its business. The Merchant provides services or sells products on the market in a way that in the opinion of the Acquirer is contrary to responsible business practice. The Merchant s area of operations has changed since the Merchant Agreement was entered into and the Merchant has not given notice of this or the Merchant has terminated its business or changed its business materially in a way which in the opinion of the Acquirer is inappropriate for acquiring Transactions Rules of Card Acquiring Merchant Agreement Page 9 of 23

10 The Merchant sells or brokers goods or services, or performs other operations which contravene MasterCard s, Visa s or another business partner s regulations. There is a reason to suspect that the Acquiring service is being used or will be used for criminal activity or activities. The Merchant acts or plans to act in a way that would damage the reputation of the Acquirer or a third party. The number or type of complaints deviates from that which the Acquirer regards as normal or exceeds by 0.5%the number of Transactions per Merchant ID in a month. The Merchant has not fulfilled any or all of its payment obligations towards the Acquirer when due, or the Acquirer has right to cancel its commitment towards the Merchant, under an agreement or another undertaking binding between the Acquirer and the Merchant or the Acquirer considers that the Merchant s liquidity is otherwise insufficient. The Merchant offers goods or services that, in the Acquirer s view, are of such a nature that they contravene the Acquirer s policy. The Merchant has been engaged in unlawful or criminal acts. The Merchant has defaulted on a payment or committed some other fundamental breach of the Merchant Agreement. The Merchant s settlement account is terminated. The Merchant starts debt settlement proceedings, goes into liquidation, petitions to be wound up or is forced into bankruptcy. Such termination must be given in writing. The parties have the right to terminate the acquiring of a certain type of card payments from the scope of the Merchant Agreement. Following the termination of the Merchant Agreement, wholly or partially, the Merchant s sales paid for through cards whose acquiring has been terminated immediately cease. When the Acquirer is entitled to terminate the Merchant Agreement with immediate effect or has reason to suspect that such right to terminate exists, the Acquirer may refuse to acquire reported Transactions. If the Merchant Agreement is terminated, the Merchant must hand back all the material and equipment it has received from the Acquirer and immediately stop all sales using the cards covered by this Merchant Agreement. After the termination, the parties are still responsible for Transactions handled during the validity of the Merchant Agreement. For example, the Acquirer has the right to debit chargebacks and fees to the Merchant s account. If the Merchant Agreement is terminated due to misuse as defined by the International Card Organisations (e.g. misuse of card data or suspected money laundering) or any other breach of the Merchant Agreement by the Merchant or by any of the Merchant s service providers, the Acquirer is entitled to register the reason for terminating the Merchant Agreement in the data systems maintained by the International Card Organisations, where data will be stored for five (5) years from the registration. 13. Intellectual Property Rights All intellectual property rights to the Merchant services and the service descriptions are the property of the Acquirer. All trademark rights and all other intellectual property rights to Visa and MasterCard trademarks and to other trademarks of the International Card Organisations belong to the appropriate International Card Organisation. The Merchant is not granted any other rights to them, except for those expressly set out in these rules. 14. Amendments to the terms and conditions in the Merchant Agreement and other changes The Acquirer is entitled to amend the Merchant Agreement and its terms and conditions, such as these rules and charges, commissions and fees. If an amendment to the Merchant Agreement or its terms and conditions does not add the Merchant s obligations or restrict its rights, or is caused by an amendment to legislation or Card Scheme rules or a decision of the authorities or is made for critical security reasons, The Acquirer is entitled to announce the amendment by publishing it on at the Merchant Portal or in another electronic channel provided or accepted by the Acquirer, by sending the amendment to the Merchant via or by post or they may be otherwise delivered to the Merchant. The amendment comes into effect at the time announced by the Acquirer. If an amendment to the Merchant Agreement or its terms and conditions add the Merchant s obligations or restricts its rights, and is not caused by an amendment to legislation or Card Scheme rules or a decision of the authorities or is not made for critical security reasons, the Acquirer will inform the Merchant of the amendment via Merchant Portal, or another electronic channel provided or accepted by the Acquirer, via , by post or in some other manner agreed separately either electronically or on paper. The amendment enters into force at the time stated by the Acquirer; however, no earlier than one (1) month from the sending of the notification. If the Merchant does not wish to accept such an amendment, the Merchant may, by giving at least fourteen (14) days prior to the amendment a written notice to the Acquirer to terminate the Merchant Agreement with effect from the date when the amendment enters into force. Changes of charges, commissions and fees included in the tariff of the Acquirer are published in the revised tariff. Such changes take effect as of the date indicated by the Acquirer. In addition, the Acquirer has the right to issue new or amend the Merchant Instructions with effect from the time announced by the Acquirer by publishing the Merchant Instructions via the Merchant Portal or by sending them via or by post or by informing the Merchant of setting them available to the Merchant at the branches of the Acquirer or by delivering them in some other manner either electronically or on paper. A change of the settlement account must be documented in writing to the Acquirer 15. Transfer The Merchant may not transfer its rights or obligations pursuant to the Merchant Agreement to a third party without the Acquirer s prior written approval. Rules of Card Acquiring Merchant Agreement Page 10 of 23

11 The Acquirer is entitled to transfer its rights and obligations pursuant to the Merchant Agreement to another company in the Nets Group. 16. Notices A written notification sent by post from the Acquirer is considered to have been delivered to the Merchant on the seventh (7th) day after the notification was sent at the latest, provided the letter is sent to the address which is stated in the Merchant Agreement or which is otherwise known to the Acquirer. An electronic notification by the Acquirer to the Merchant is considered to have been delivered to the Merchant no later than on the next day after the Acquirer has published the notification or has delivered the notification to the Merchant by using at least one of the agreed electronic means. 17. Dispute resolution The parties must attempt to reach an amicable resolution of any dispute relating to the Merchant Agreement. If the parties fail to agree the disputes arising from the Merchant Agreement, they are processed in the District Court of the capital of the country where the Acquirer has its domicile unless otherwise agreed. The Merchant Agreement is governed by the law of the country where the Acquirer has its domicile. Rules of Card Acquiring Merchant Agreement Page 11 of 23

12 Part B Country-specific rules and rules for domestic card programmes 1. in Denmark 2. in Finland 3. in Norway 4. in Sweden 5. in Estonia 6. in Latvia 7. in Lithuania 8. in Poland Part B 2. Specific rules for payments in Finland and rules for domestic card programmes The Acquirer referred to in the Part A, B and C of these Rules of Card Acquiring Merchant Agreement is Kortaccept Nordic AB, Finnish Branch. Kortaccept Nordic AB, Finnish Branch Teollisuuskatu 21 FI Helsinki Tel ( ) Fax ( ) Mail kortaccept-fi@teller.com Kortaccept Nordic AB, Finnish Branch has been registered in the Trade Register maintained by the National Board of Patents and Registration. The business operations of Kortaccept Nordic AB, Finnish Branch are supervised by the Swedish Financial Supervisory Authority (Finansinspektionen, P.O. Box 7821, 10397, Stockholm, Sverige, Separate agreements are needed for routing of other card scheme transactions like American Express (AmEx), Diners and PLCs (private label cards). Authorisations In Finland the Card schemes set country-specific floor limits for authorisations are followed. The value of the floor limit is the maximum amount the Merchant can complete a Transaction without online authorisation. A party that puts to use higher floor limits than are set or refuses to authorise Transactions that must be authorised has financial liability for possible disputable Transactions. by publishing the floor limits in the Merchant Instructions or by informing the payment service provider of the floor limits required for the POS terminal. Cash withdrawals in connection with payments made with cards The Merchant may offer Cash-back to the cardholder in accordance with the Merchant Instructions. Cash withdrawals in connection with Cash-back may only take place in conjunction with face-to-face purchases and may not exceed the maximum amount set out in the Merchant Instructions. The issuer may decide to have lower Cash-back limits and also if Cash-back is allowed for the card type. A Cash-back transaction is only made in connection with a purchase and it has to be always online authorised. The cardholder receipt must show the purchase amount and Cash-back amount separately. Surcharging The Merchant is entitled to impose an additional charge on the cardholder in connection with purchases made with a Visa or MasterCard only to the extent that it is allowed according to the Finnish law. The Merchant must, in connection with the provision of a service or an item which is paid by card, offer its customer reasonable terms and conditions and ensure that the customer is clearly informed regarding the terms and conditions for its provision. The charge must be separately shown on the receipt. Restricted loop cards Issuers of cards may issue, in accordance with the Card Scheme rules, cards that only Merchants belonging to a certain business code of the merchants (MCC) may accept for payment. These cards may be destined to be used only for payment of a certain goods and/or with a value of certain minimum/maximum amount e.g. relating to fringe benefits in accordance with the tax regulation. The Merchant accepting restricted loop cards for payment of certain fringe benefits must comply with the laws and regulations as well as with the decisions and instructions of the Finnish Tax Administration regarding fringe benefits in force at any given time. The published floor limits set up to the POS terminal Apply to EMV chip transactions to determine which Transactions may be authorised offline, Apply to all Transactions completed at a Merchant that does not have an online-capable Point-of- Sale (POS) terminal, Do not apply to any magnetic stripe-read face-to-face transaction completed at an online-capable terminal (floor limit is zero), and Do not apply to any non face-to-face transactions e.g. unattended terminals or ecommerce (floor limit is zero). Floor limit values are assigned according to the business code of the Merchant (MCC), the transaction category code (TCC), and the geographical location. The Acquirer informs the Merchant of the floor limits in force at any given time Rules of Card Acquiring Merchant Agreement Page 12 of 23

13 Part C Sector- and/or service-specific rules This part contains a specific extract of the terms and conditions applicable to 1. standard payments (POS) 2. mail orders and telephone orders (MO/TO) 3. online shopping, ecommerce 4. recurring transactions 5. Quasi Cash 6. unattended payment terminals or cardholder-activated terminals (CAT) 7. hotels 8. car rentals 9. contactless payments The specific rules apply in addition to the general rules. In the case of any conflict between the specific rules and the general rules, the specific rules prevail. 1. Specific terms and conditions applicable to standard payments (POS) 1.1 Verification If the chip on the card is read without any participation of the Merchant and the cardholder authorises the transaction with PIN, or if the chip is read, at the option of the cardholder, using the contactless interface of the terminal for a transaction under the CVM-required limit, the Merchant does not need to perform the card verification listed below. This is also applicable if the information on the card is read without any participation of the Merchant and the card does not demand any further measures than that the information is read. In connection with purchases, the Merchant must perform the following verifications: Card verification The Merchant must through ocular inspection of the card ensure that: the card number, name of the cardholder, and term of validity are stated on the card the card does not show any signs of alteration the card bears the cardholder s signature the term of validity on the card has not expired the first four digits of the card number are identical to the four digits printed on the card directly under or above the card number. In the case the digits are not identical; the Merchant must retain the card and contact the Acquirer for further instructions. the card number on the sales slip is identical to the card number on the card, and the term of validity on the sales slip is identical to the term of validity stated on the card Customer identification The cardholder must approve that the agreed amount will be debited to the card either through PIN or signature. The Merchant ensures that it is actually the cardholder who approves that the amount will be debited to the card by: (A) Verification with PIN In order for PIN codes to be accepted in connection with customer identification, the card number must be read mechanically. PIN codes are entered using a PIN keypad approved by the Acquirer. The PIN keypad may only be used at the Merchant where the original installation took place. The cardholder may at no time be requested to enter his or her PIN code where PIN usage is not permitted for the card in question. In connection with return transactions, PIN numbers must not be used. (B) Verification with signature The customer s signature on the invoice or sales slip must be compared with the signature on the card and with the signature on the valid, official identity verification document issued by the authorities. In addition, the Merchant must verify that the photo on the ID matches the customer. Where the signatures or the photo do not match, the card must not be accepted for payment. 1.2 Collection of information The following information must be collected by the card being read electronically in a terminal or other solution approved by the Acquirer and distributed to the Acquirer: Merchant s name address with country code transaction type (purchase or returned purchase) trademark (Visa, MasterCard, Maestro) acquirer card number card expiry (Valid through) transaction date and time for authorisation transaction amount transaction currency authorisation code Terminal Verification Result (TVR), Application Identifier (AID) and Transaction Status Information (TSI) reference number Otherwise the collected transactions follow the specification provided by the Acquirer or the Acquirer s service provider. Manually registered Transactions are not permitted unless approved technical equipment allows this and the Acquirer and the Merchant have made a special agreement. 1.3 Authorisation All card transactions must be authorised through a terminal or other approved solution. The floor limit is zero (0) if nothing else is laid down in the Merchant Agreement or stated in the Country-specific rules and rules for domestic card programmes as informed in the Merchant Instructions. 2. Specific terms and conditions applicable to mail order and telephone order (MO/TO) 2.1 Permitted transactions These special conditions apply to MasterCard and Visa cards. Transactions using Maestro, Electron and V PAY cards are not permitted. 2.2 Information to be obtained The Merchant must obtain the following information in connection with a Transaction (this should be stated in the customer s mail order/telephone order): Rules of Card Acquiring Merchant Agreement Page 13 of 23

14 cardholder s name cardholder s address (delivery name and address) name of the person making the order card number card type card s expiry date card s control digits (CVC2/CVV2), i.e. the last three digits on the signature panel on the back of the card cardholder s signature (in the case of mail orders) transaction currency transaction date authorisation code order date shipping date shipping address description of the merchandise and services total amount of the order order confirmation number information on whether the cardholder wishes the Value Added Tax (VAT) amount to be specified Merchant name Merchant location online address, if any itemised charges if any 2.3 Authorisation The Merchant must obtain authorisation for the order s total amount and check the card s control digits (CVV2/CVC2). This is done by stating the control digits in the authorisation request. The authorisation is carried out by the Merchant s approved electronic system contacting the Acquirer or the Acquirer s service provider. If the authorisation and/or control digits are not approved by the authorisation request, the Transaction must not be carried out. This section is applicable to Visa Transactions: If more than seven (7) days elapse between the date when the authorisation is made and the date when the goods are sent and the amount is debited, the Merchant must obtain a renewed authorisation for the total amount. If this renewed authorisation is not agreed on, the cardholder must not be debited and the goods must not be delivered. This section is applicable to MasterCard Transactions: If the transaction might not be completed for a reason such as the goods ordered being later found out to be out of stock, the Merchant must obtain a pre-authorisation for the agreed amount and later obtain an additional authorisation to get the duration of the payment guarantee period of seven (7) days extended, if necessary. If the cardholder is debited after the payment guarantee period has expired the transaction may be charged back also on the basis that the card account is permanently closed. 2.4 Requirements for the Merchant s services The Merchant is to comply with the legislation in force governing sales and marketing via distance selling. Immediately following the order, the Merchant must send the cardholder a written confirmation of the order and inform the cardholder of any cancellation conditions. The ordered goods may not be sent before an authorisation in accordance with clause 3 has been made. Once the Transaction has been authorised, the goods are to be sent within seven (7) days unless any other agreement regarding delivery has been entered into in writing with the cardholder. 2.5 Delivery of Transactions Transactions may not be handed over until the goods have been sent off to the cardholder. When the goods are sent, the Transaction is to be handed over by the deadlines stated in the general terms and conditions. With mail order, telephone order (MOTO) hosted with an internet Payment Service Provider (ipsp), connected to fraud monitoring, the Merchant is always responsible for fraud and risk if not 3D Secure. 3. Specific terms and conditions applicable to online shopping in ecommerce environment 3.1 A general description of online payments using MasterCard SecureCode/Verified by Visa. With MasterCard SecureCode/Verified by Visa, the Merchant may accept card payments via the Internet and verify a transaction with it (verification service). The Merchant must have installed a payment solution that contains MasterCard Secure- Code/Verified by Visa in order to be able to execute Transactions. The MasterCard SecureCode/Verified by Visa functionality applies to cards issued within the MasterCard and Visa EU regions; acceptance of cards issued outside these regions is not covered by a corresponding security level and complaint rules. The Merchant must use software for an online shopping -payment solution in accordance with an agreement with the Acquirer. This software is not covered by this Merchant Agreement. 3.2 Guaranteed payment Transactions effected using Visa cards and MasterCards over the Internet are in most cases subject to guaranteed payment (see clause 7.3 Repayment obligation of the General rules relating to Merchant Agreement). However, Transactions made using Visa Commercial Cards and MasterCard Commercial Cards issued outside Europe are not subject to guaranteed payment ID check via an issuing bank Once a card number has been registered by the Merchant or its Payment Service Provider, an enquiry will immediately be sent to Visa s or MasterCard s register of card issuers and card number series which are included in 3D Secure. The enquiry must be sent in the form and manner defined by the Acquirer or a service company engaged by the Acquirer. Where the cardholder s card is included in 3D Secure, he or she is linked to the card issuing bank s website. The Merchant assists in such linking service in the manner defined by the Acquirer or a service company engaged by the Acquirer. Once the customer has successfully passed the ID check by the issuing bank, he or she is then linked back to the Merchant s website. The Merchant collects CAVV/AAV from Cardholder Web interface and this value must be included in the Transaction according to the 3D Secure specification. In order to ensure that the verification against Visa s and MasterCard s register and the following linking, etc., takes place Rules of Card Acquiring Merchant Agreement Page 14 of 23

15 correctly, the Merchant uses software stipulated by the Acquirer or a service company engaged by the Acquirer. Such software is not covered by this agreement. 3.4 Permitted Transactions A Transaction pursuant to this Merchant Agreement may only be executed if: the card in question is covered by MasterCard SecureCode/ Verified by Visa and the cardholder has been successfully identified by the card issuer or the card in question is not covered by MasterCard Secure- Code/Verified by Visa. 3.5 Information to be obtained The following information is to be obtained by the Merchant with a system approved by the Acquirer: From the cardholder via the Internet card number card s validity period trademark with which the card is associated cardholder s name and address Address Verification Value (AVV) or Cardholder Authentication Verification Value (CAVV) that the cardholder is given after the attempt of identification with the card issuer. shipping address total transaction amount currency in which the purchase has been made transaction date transaction s reference number buyer s name message confirming the Transaction as acard transaction goods or services covered by the purchase price for each article or service VAT share of the total amount and the basis for the VAT itemised charges From the Merchant s technical system: the cardholder s IP address Merchant s name Merchant s location From the institution that authorises the payment: authorisation date authorisation code ECI value The transaction amount and a copy of the cardholder s receipt(s) are to be obtained from the Merchant s own system. The information obtained is to be shown in a data medium or printout from such a medium. The Acquirer must upon request have access to the MPI-log (3D Secure log). 3.6 Authorisation All card transactions must be authorised. The authorisation must take place electronically online in connection with the cardholder entering his or her card number on the Merchant s website in the form stipulated by the Acquirer. The relevant Electronic Commerce Indicator (ECI) value must be shown in a request for authorisation. The AVV/CAVV value must also be registered together with the request for authorisation. The Merchant must check the card s control digits (CVV2/ CVC2). This is done by the control digits being stated when the cardholder orders goods or services. This check must produce an approved result. This section is applicable to Visa Transactions: If more than seven (7) days elapse between the date when the authorisation has been made and the date when the goods are sent and the amount is debited, the Merchant must obtain a renewed authorisation for the total amount. If this renewed authorisation is not agreed on, the cardholder must not be debited and the goods must not be delivered. This section is applicable to MasterCard Transactions: If the transaction might not be completed for a reason such as the goods ordered being later found out to be out of stock, the Merchant must obtain a pre-authorisation for the agreed amount and later obtain an additional authorisation to get the duration of the payment guarantee period extended, if necessary. As a rule, the payment guarantee period of pre-authorisations of MasterCards is thirty (30) days, save for pre-authorisations of Maestro Transactions. The payment guarantee period of both pre- and final authorisations of Maestro Transactions is seven (7) days. If the cardholder is debited after the payment guarantee period has expired the transaction may be charged back also on the basis that the card account is permanently closed. 3.7 Requirements for the Merchant s services The Merchant is to comply with the legislation in force governing sales and marketing via distance selling. The Merchant is to design its online shop in such a way that complaints are avoided. The online shop must contain information on how to contact the Merchant for complaints or for other reasons. The online shop must be approved by the Acquirer before it is opened. Similarly, all changes must be approved by the Acquirer before the online shop can be reopened. The Merchant s website must state that the Merchant is linked to the MasterCard SecureCode and Verified by Visa services. In addition, the Merchant must meet the MasterCard SPA/UCAF requirements. The Merchant must therefore create UCAF Hidden Fields. These fields must be located and designed as the Acquirer or the Acquirer s service provider states. The cardholder must confirm having read the terms and conditions when making the order. The Merchant must comply with MasterCard s and Visa s rules in force for safe e-commerce, including, but not limited to, PCI DSS. When a card transaction is carried out online, the cardholder is to be given an electronic receipt for the Transaction. The following information must be stated on the receipt: Merchant s Internet address, URL Merchant s name Merchant s organisation number Merchant s address Merchant s telephone number card s validity period Rules of Card Acquiring Merchant Agreement Page 15 of 23

16 cardholder s name total transaction amount currency in which the purchase has beenmade transaction date transaction s reference number buyer s name authorisation code message confirming the transaction as a card transaction goods or services covered by the purchase price for each article or service itemised charges, if any VAT share of the total amount and the basis for the VAT. 3.8 Delivery of Transactions Transactions may not be handed over until the goods have been sent off to the cardholder. When the goods are sent, the Transaction is to be handed over by the deadlines stated in the general terms and conditions. When handing over a Transaction, the AAV/CAVV and ECI values are to be sent along with the notification. 3.9 Security requirements The Merchant s system must at least be able to handle transaction encryption with 128 bits SSL or similar protection factor. Customer-related information in the systems must be protected against access and changes by unauthorised third parties, both employees of the Merchant and others. The updating of a system functionality using open networks must be authenticated in the system using digital signatures or suchlike. Refer also to clause 10 of the general terms and conditions. 4. Specific terms and conditions applicable to recurring transactions If the first payment is an online payment, special conditions applicable to online shopping also apply. If the first payment is a mail order payment, special conditions applicable to mail orders also apply. The Merchant must clearly state on its website and in its mail-order information that the cardholder is entering into an agreement regarding recurring payments and that this is not just a one-time purchase. If the cardholder withdraws from this agreement, the Merchant s right to debit the cardholder s card number ends. The Merchant must have its website and the terms and conditions governing recurring payments that the cardholder agrees on with the Merchant approved by the Acquirer. The Merchant must also have its recurring payment solution approved by the Acquirer before being used. The Merchant is not entitled to have guaranteed payments for recurring payments. 4.1 Requirements for the cardholder s order In addition to information regarding online shopping orders and mail orders, the order must also contain information stating: the order is an order involving recurring payments the payment period and frequency of the payments (the frequency between the transactions cannot be more than twelve (12) months). the duration of the order the payment criteria how the order is to be renewed and cancelled. The Recurring Services Merchant must retain the cardholder s permission in a format, such as an , other electronic record or paper, for the duration of the recurring transactions, and provide it upon the issuer s request. 4.2 Authorisation and permitted Transactions All Transactions must be authorised online. Transactions with Electron, Maestro and VPay are not permitted. The first payment must include a check of the MasterCard SecureCode/Verified by Visa (for online payments) or CVC2/CVV2 (for mail order payments). If the check is not successful, the Transactions may not be carried out. When a card has expired and the cardholder provides information on his or her renewed card, a new first Transaction using this new card must be authorised, including a check of the MasterCard SecureCode/Verified by Visa (for online payments) or CVC2/CVV2 (for mail order payments). The subsequent Transactions may be executed without these verifications. All authorisation requests must contain the relevant indicator for recurring Transactions. 4.3 Complaints Complaints about the first Transaction (in the case of online payments) are to be dealt with in the same way as for online shopping and complaints about the first Transaction (in the case of mail orders) and all subsequent Transactions are to be dealt with as for mail orders. 4.4 Handing over of transactions All Transactions must contain the relevant indicator for recurring payments. The Transactions must also contain contact information on the Merchant in the field of the Merchant s name or city address to make it easy for the cardholder to contact the Merchant, if necessary. 5. Specific terms and conditions applicable to Quasi-Cash 5.1 Permitted Transactions Cash-back is not permitted in connection with a Quasi-Cash transaction. Reversals are not permitted. Transactions with Maestro are only permitted if the cardholder is verified by using PIN. 5.2 Verification In connection with purchases, the Merchant must perform the following verifications: Card verification The Merchant must through ocular inspection of the card ensure that: the card number, name of the cardholder, and term of validity are stated on the card the card does not show any signs of alteration the card bears the cardholder s signature the term of validity on the card has not expired the first four digits of the card number are identical to the four digits are printed on the card directly under or above the card number. the first four digits are also stated on the sales slip. Rules of Card Acquiring Merchant Agreement Page 16 of 23

17 In the case the digits are not identical; the Merchant should retain the card and contact the Acquirer for further instructions. the card number on the sales slip is identical to the card number on the card, and the term of validity on the sales slip is identical to the term of validity stated on the card Customer identification The cardholder must always approve that the agreed amount will be charged to the card by authorising the Transaction by PIN or by signing the invoice/sales slip. The merchant must ensure that it is actually the cardholder who approves that the amount will be charged to the card by verifying the cardholder s signature according to this routine: (A) Verification with PIN When a PIN code is entered in connection with customer identification, the card number must be read electronically. PIN codes are entered using a PIN keypad approved by the Acquirer. The PIN keypad may only be used at the Merchant where the original installation took place. (B) Verification with signature The customer s signature on the invoice/sales slip must be compared with the signature on the card and with the signature on the ID and they must be similar. The Merchant must request the personal identification of the cardholder in the form of a valid, official identity verification document issued by the authorities (for example, a passport, an identification document, or a driving licence) according to law in force. In addition, the Merchant must verify that the photo on the ID matches the customer. Where the ID does not match the customer, the card must not be accepted for payment. The Merchant must verify that the ID does not show signs of alteration. Information regarding the type and number of ID must be stated on the sales slip. These controls must always be performed, even if the cardholder verifies the purchase by PIN or if the card is issued outside the country where the Transactions take place. The Merchant must otherwise at all times comply with the rules and instructions regarding identification issued by governmental authorities, or set out in the agreements entered into between the Acquirer and the Merchant. 5.3 Collection of information The following information must be collected by the card being read electronically in a terminal or other solution approved by the Acquirer and distributed to the Acquirer: Merchant s name address with country code transaction type (purchase or returned purchase) trademark (Visa, MasterCard, Maestro) acquirer card number card expiry (Valid through) transaction date and time for authorisation transaction amount transaction currency authorisation code TVR, AID and TSI reference number Otherwise the collected transactions follow the specification provided by the Acquirer or the Acquirer s service provider. 5.4 Authorisation All card transactions must be authorised through technical equipment. The floor limit is zero (0). The authorisation must contain information regarding the card number, card expiry, amount and the specific MCC code given by the Acquirer. The authorisation for a specific purchase is approved when the Merchant receives the control number of the authorisation. Manually registered Transactions are not permitted. If there is something wrong with the card or the terminal solution or other solution used and the card cannot be read electronically, the Transaction must not be performed. 5.5 Handing over the Transactions The Merchant must use the MCC code given by the Acquirer when reporting the Transactions. 6. Specific terms and conditions applicable to unattended payment terminals and cardholder-activated terminals (CAT) An unattended payment terminal or a cardholder-activated terminal (CAT) Transaction occurs at an unattended electronic POS terminal or by means of a cardholder-controlled electronic device. Since no Merchant representative is present at the time of the Transaction, it is a non-face-to-face Transaction. 6.1 Types of automatic machines Acceptance in accordance with this Merchant Agreement includes the different types of automatic machines, e.g. ticket dispensing machines, vending machines, automated fuel dispensers, toll booths and parking meters. A self-service terminal with online authorisation capability is an unattended terminal where the Transactions are authorised. A self-service terminal with offline authorisation capability is an unattended terminal where the Transactions remaining below the floor limit may be authorised offline through the EMV chip with or without CVM. The automatic machines or terminals must be approved by the Acquirer or by a company that the Acquirer has approved before they can be used. 6.2 Permitted Transactions A card transaction that is carried out using an automatic machine must not exceed the limits set out for certain terminals and advised in the Merchant Instructions. Card transactions which exceed this amount may be rejected by the card issuer if there are valid reasons for doing so. At certain cardholder-activated terminals (CATs), if both the card and the CAT support chip technology, the Transaction may only be completed using the chip. A technical fallback is not permitted at such terminals. 6.3 Authorisation All card transactions must be authorised through technical equipment. The floor limit is zero (0) if nothing else is laid down in the Merchant Agreement or stated in the countryspecific rules or in the Merchant Instructions. Rules of Card Acquiring Merchant Agreement Page 17 of 23

18 All intended Transactions at unattended fuel dispensers must be pre-authorised for the maximum amount determined by the cardholder prior to the refill unless otherwise stated in the Merchant Instructions. The pre-authorisation response may be for the full maximum amount requested as a pre-authorisation or for a lesser amount. The final Transaction is guaranteed only up to the pre-authorised amount for a guarantee period of seven (7) days. If the final amount of the Transaction after the refill is less than the pre-authorised amount, the excess amount of the pre-authorisation must be reversed immediately. Further terms and conditions applicable to authorisations and authorisation reversals at unattended fuel dispensers may be set out in the Merchant Instructions. However all Electron and Maestro Transactions at unattended fuel dispensers must always be preauthorised and the final Transaction amount may not exceed the level of the obtained authorisation. Chip-initiated transactions may be approved offline, provided that the transaction amount does not exceed the floor limit and the issuer has personalised the card to allow this. A floor limit set out in the Merchant Instructions, or its equivalent in local currency, will apply to chip- initiated transactions at an unattended terminal (UAT) within Visa Europe unless the market has a different floor limit. 6.4 Requirements for the Merchant In order to limit the risk of misuse, the Merchant must secure the automatic machine and its environment in the best way possible. The cardholder must be able to choose to receive a receipt for the Transaction. The receipt must state the following information: Merchant s name Merchant s organisation number location of the automatic machine time and date of the transaction masked card number currency in which total amount of the transaction has been carried out transaction s reference number authorisation reference VAT percentage of the total amount. 7. Specific terms and conditions applicable to hotels and other lodging services In this clause 7, a reference to a hotel shall be read and construed as a reference also to other lodging services. 7.1 Guaranteed reservation When the cardholder contacts a hotel to make a booking, the hotel must 1. obtain information on the card number, the card s expiry date, the cardholder s name as stated on the card and the cardholder s address 2. inform the cardholder about: the price of the room (including taxes and charges), the hotel s address and the booking number for the booking, and advise the cardholder to retain this number 3. inform the cardholder about: the hotel s cancellation rules, including that the room is booked until the check-out time on the day after arrival, that cancellation must take place by 6pm (in the hotel s time zone) on the expected arrival date and that, if the room is not used or cancelled, the cardholder will be debited for one night s stay ( no show ). This is not applicable if the cardholder made the hotel reservation within 72 hours before the supposed arrival. If the cardholder wishes to receive a written confirmation of the order, the hotel must include in it all the information stated in sections 1-3 above (only the last four digits of the card number are to be shown). 7.2 Cancellation If the cardholder cancels the booking, the hotel must give the cardholder a cancellation number advise the cardholder to retain the cancellation number enter the cancellation in the hotel s booking system send the cardholder a written confirmation of the cancellation that contains the card number (only the last four digits), the expiry date, the cardholder s name taken from the card and the cancellation number. The hotel or its third-party booking agent must not require a cancellation notification more than 72 hours before the scheduled arrival time and date agreed at the time of the booking. If the cardholder makes the reservation within 72 hours of the scheduled date, the cancellation deadline must be no earlier than 6pm (local time) on the arrival date. 7.3 No show If the cardholder does not arrive at the hotel and has not cancelled the booking, the hotel may debit the cardholder for one night s stay and write no show/guaranteed reservation in the signature area on the copy of the receipt. The authorisation and handing over of no show Transactions and the storage of receipts must take place in accordance with the general terms and conditions applicable to this agreement. If a card transaction that has been debited for a no show transaction is unknown to the issuer and the issuer charges back the transaction, the hotel will be debited with the amount of the Transaction. The hotel must store the original booking information and room number for 18 months after the date when the Transaction is handed over; see clause 11 of the general terms and conditions. When a cardholder uses the Hotel Reservation Service, and does not claim or cancel the accommodation, the hotel or its third-party booking agent must complete a transaction receipt that must contain the following: amount of one night s lodging plus applicable tax cardholder s name account number card expiry date and the words No-Show on the signature line of the Transaction receipt. 7.4 Overbooking If the hotel does not have a room available for the cardholder when the cardholder arrives, the hotel must at no extra cost to the cardholder assign the cardholder a comparable room at another hotel arrange transport to this hotel allow a long distance phone call in accordance with the cardholder s wishes Rules of Card Acquiring Merchant Agreement Page 18 of 23

19 pass on all messages and phone calls to the cardholder to this hotel. 7.5 Booking via an agent The hotel is responsible for bookings that take place via agencies/agents. It is the agent s responsibility to ensure that cancellations which have been reported to agents are passed on to the hotel. 7.6 Authorisation When the cardholder arrives at the hotel, the hotel and the cardholder are to fill in and sign a registration form. In addition to other information, the form must state the subsequent amounts that the hotel may debit after the cardholder has left, and the cardholder s agreement to be willing to accept these Further terms and conditions applicable to the authorisations of Visa Transactions When authorising a Transaction to be made using a Visa payment card, the hotel is to calculate the estimated cost of the cardholder s stay based on the duration of the stay and the room price and obtain authorisation for this amount on the terminal. The hotel must inform the cardholder of the size of the authorised amount. The terminal receipt is to be stored together with the registration form during the cardholder s stay. If the amount debited to the cardholder during the stay exceeds the authorised amount by more than 15%, the hotel is to obtain authorisation for the estimated additional amount. This may take place several times during the stay. The terminal receipt for the additional authorisation is to be kept together with the registration form. When the cardholder is leaving the hotel, the cardholder s bill is to be made ready and a Transaction involving the total amount is to be carried out using the terminal. The cardholder is to key in his or her PIN code or sign the terminal receipt or use other approved cardholder verification method (CVM). If the total amount exceeds the already authorised amount(s) by less than 15%, the hotel does not have to obtain any further authorisation (save for payments with Electron). If the total amount exceeds the already authorised amount(s) by more than 15%, the excess amount must be authorised. Electron Transactions must always be authorised for the final amount. The Transaction is to be handed over to the Acquirer in accordance with the general terms and conditions. If the authorised amounts are larger than the bill s total amount, the hotel must reverse the the excess amount Further terms and conditions applicable to the authorisations of MasterCard Transactions When authorising a Transaction to be made using a MasterCard payment card, the hotel is to calculate the estimated cost of the cardholder s stay based on the duration of the stay and the room price and obtain a pre-authorisation for this amount on the terminal. The hotel must inform the cardholder of the size of the pre-authorised amount. The terminal receipt is to be stored together with the registration form during the cardholder s stay. Maestro payment cards may not be used to pre-authorise a hotel stay. Authorisations of Maestro Transactions must be made as final authorisations by using either pre-payment of hotel stay or final payment once the amount is known. If the amount debited to the cardholder during the stay exceeds the pre-authorised amount, the hotel is to obtain an additional pre-authorisation for the estimated additional amount. This may take place several times during the stay. The terminal receipt for the additional authorisation is to be kept together with the registration form. When the cardholder is leaving the hotel, the cardholder s bill is to be made ready and a Transaction involving the total amount is to be carried out using the terminal. The cardholder is to key in his or her PIN code or sign the terminal receipt or use other approved cardholder verification method (CVM). If the total amount exceeds the already pre-authorised amount(s), the excess amount must be authorised with a final authorisation. The Transaction is to be handed over to the Acquirer in accordance with the general terms and conditions. If the authorised amounts are larger than the bill s total amount, the hotel must reverse the excess amount Interim billing For stays lasting more than fourteen (14) days, the hotel is advised to prepare the cardholder s bill after fourteen (14) days, carry out a Transaction for this amount and send the Transaction to the Acquirer. Thereafter, a new 14-day bill period is to be started as stated above. 7.7 Express checkout Upon arrival at the hotel If the hotel allows an express checkout, the cardholder must fill in and sign an express checkout form, which can be part of the hotel s registration form, for example. This form must as a minimum state the hotel s name, address and telephone number, the cardholder s name and address, room number and signature, and card number. The form must clearly state that the cardholder is asking the hotel to debit the cardholder s card number for the final hotel bill without the cardholder having to sign for this. The hotel must read the chip in a terminal and carry out the normal authorisation procedure. Upon departure from the hotel The hotel is to prepare the cardholder s bill for the stay and carry out a terminal transaction for the total amount. This section is applicable to Visa Transactions: If the total amount is less than 15% more than the already authorised amount(s), the hotel does not have to obtain any further authorisation. If the total amount exceeds the already authorised amount(s) by more than 15%, authorisation must be obtained for the excess amount. This section is applicable to MasterCard Transactions: If the total amount exceeds the pre-authorised amount(s), a final authorisation must be obtained for the excess amount. The words signature on file express checkout if it is a MasterCard trademark and Priority Check Out if it is a Visa trademark must be noted in the terminal receipt s signature area. The Transaction is to be handed over to the Acquirer in accordance with the general terms and conditions. The hotel must send a copy of the hotel bill, terminal receipt and express checkout form to the cardholder within three days of the cardholder checking out of the hotel. The hotel must Rules of Card Acquiring Merchant Agreement Page 19 of 23

20 store all documentation for eighteen (18) months and send a copy to the Acquirer, if requested. 7.8 Subsequent debiting of the cardholder If stated on the registration form, the hotel may subsequently debit the cardholder for his or her use of room service, the telephone, minibar and restaurant. The hotel cannot subsequently debit the cardholder for defects in, damage to or thefts from the room. The subsequent debiting is to be carried out as a terminal transaction and the words signature on file are to be noted in the receipt s signature area. The Transaction must be authorised. A copy of the terminal receipt and a bill specifying the items subsequently debited are to be sent to the cardholder. 8. Specific terms and conditions applicable to car rental 8.1 Requirements stipulated for the Merchant The Merchant needs to send a written booking confirmation to the cardholder via or by letter. When the cardholder collects the car/vehicle, the Merchant and the cardholder must fill in and sign a rental contract. In addition to other information, the rental contract must state the amounts that the Merchant may debit after the cardholder has returned the car and the cardholder s acceptance of the fact that amounts may be subsequently debited. Subsequent debits may cover fuel, traffic fines, tolls and damage to the car. If the Merchant allows an express return, the cardholder is to fill in and sign an express return form, which can be part of the rental contract, for example. The Merchant should ensure that all the terms and conditions relating to subsequent debits and express returns are clearly stated to the cardholder and shown on the same side of the form as the cardholder s signature Further terms and conditions applicable to the authorisations of Visa Transactions The Merchant is to calculate the estimated amount for the cardholder s rental period based on the length of the period, the rental price and possibly kilometre price and obtain authorisation for this amount via the terminal. No amount for possible damage to the car or for a collision/loss damage waiver is to be included in the authorised total amount. The Merchant must inform the cardholder of the size of the authorised amount. The terminal receipt is to be stored together with the rental contract during the rental period. If the amount charged to the cardholder during the rental period exceeds the authorised amount by more than 15%, the Merchant is to obtain authorisation for the estimated additional amount. This may take place several times during the rental period. The terminal receipt for an additional authorisation is to be stored together with the rental contract Further terms and conditions applicable to the authorisations of MasterCard Transactions The Merchant is to calculate the estimated amount for the cardholder s rental period based on the length of the period, the rental price and possibly kilometre price and obtain a preauthorisation for this amount via the terminal. No amount for possible damage to the car or for a collision/loss damage waiver is to be included in the authorised total amount. The Merchant must inform the cardholder of the size of the pre-authorised amount. The terminal receipt is to be stored together with the rental contract during the rental period. Maestro payment cards may not be used to pre-authorise a car rental. Authorisations of Maestro Transactions must be made as final authorisations by using either pre-payment of car rental or final payment once the amount is known. If the amount charged to the cardholder during the rental period exceeds the pre-authorised amount, the Merchant is to obtain an additional pre-authorisation for the estimated additional amount. This may take place several times during the rental period. The terminal receipt for an additional pre-authorisation is to be stored together with the rental contract Damages When the car is returned, the cardholder s bill is to be prepared and a Transaction for the total amount is to be carried out in the terminal. If the cardholder has agreed to a collision/loss damage waiver (CDW/LDW) in the rental contract and damage has been incurred, the Merchant may include the collision/loss damage waiver amount in the total amount for the rental period. If the cardholder has not agreed to a collision/loss damage waiver, the amount relating to the damage must only be debited to the cardholder s bill if the cardholder has accepted this in the rental contract and the cardholder has agreed to the damage amount. This section is applicable to Visa Transactions: Debits relating to damage must be authorised and carried out as a separate terminal transaction using the cardholder s PIN code or signature or other approved cardholder verification method (CVM). The Merchant must give the cardholder a credible estimate on the cost of the repair work and tell him/her that the amount may be altered in connection with the repair work. The final cost of the repair must not exceed this estimate by more than 15%. If the final amount is less than the estimated amount, the Merchant must reverse the excess authorisation amount. This Transaction must be handed over to the Acquirer within thirty (30) days of the previous Transaction to which it is related. The cardholder keys in his or her PIN code or signs the terminal receipt or uses some other approved cardholder verification method (CVM). If the total amount exceeds the already authorised amount(s) by less than 15%, the Merchant does not have to obtain any further authorisation. If the total amount exceeds the already authorised amount(s) by more than 15%, authorisation must be obtained for the excess amount. The Transaction must be handed over to the Acquirer in accordance with the general terms and conditions. This section is applicable to MasterCard Transactions: Debits relating to damage must be pre-authorised and carried out as separate terminal transactions using the cardholder s PIN code or signature or other approved cardholder verification method (CVM). The Merchant must give the cardholder a credible estimate on the cost of the repair work and tell him or her that the amount may be altered in connection with the repair work. The final cost of the repair may not exceed this estimate. If the final amount is less than the estimated amount, the Merchant must reverse the excess authorisation amount. Rules of Card Acquiring Merchant Agreement Page 20 of 23