Merchant Operating Guide.

Transcription

1 Merchant Operating Guide. Training & Reference Material for ASB Merchants. asb.co.nz ASB Bank Limited

2 Contents Welcome 01 Welcome 2 02 Key contact details 3 03 Understanding Merchant Services 4 Your key responsibilities Settlement Merchant statement 04 Terminal message guide 5 Error Messages 05 Authorisation 7 Manual authorisation 06 Card Validation 7 07 Transaction processing 8 How to process transactions Electronic Offline Voucher Processing E-Commerce transactions Virtual Terminal 3DS Manual processing (Paper) 08 Transactional fraud protection 13 What can I do? 09 Card Not Present fraud 13 Pre-autorisation Card Present Fraud Transaction risk Employee fraud 10 Chargebacks 16 Common Chargebacks and mitigation When can a Chargeback occur? 11 Business Protection 17 PCI DSS Brand and business risk Terminal tampering 12 General/Troubleshooting 20 Terminal not working Card Failing TransTrack It s great you have chosen ASB for your new merchant facility. This Guide will help you get familiar with your terminalbased and online merchant facilities, and accepting debit and credit cards. We recommend that you and your staff take the time to read it thoroughly and make sure to keep it handy for reference. If you lose it, you can download a copy from asb.co.nz/merchantservices Also please take note of the obligations specified in this booklet and your Merchant Services Agreement. A clear understanding of your responsibilities will help avoid misunderstandings or disputes. If you have any questions call ASB Merchant Services on who ll be happy to help. Unless otherwise defined, capitalised terms in this Merchant Operating Guide for Card Acceptance shall have the same meaning as that given to them in the Credit Card Merchant Services Agreement: General Terms and Conditions. 2

3 Key contact details Understanding Merchant Services ASB Merchant Services Help Desk (24 hours, 7 days a week) For day-to-day assistance with your merchant facility, transaction queries, general assistance and merchant stationery. Postal ASB Merchant Services PO Box 35 Shortland Street Auckland 1140 Card Authorisation Centre (24 hours, 7 days a week) For all Card authorisations and assistance with suspicious transactions. Paymark EFTPOS Help Desk (24 hours, 7 days a week) Support for your EFTPOS terminal and network queries provided by Paymark. Postal Paymark Limited P O Box 799 Shortland Street Auckland 1140 Your key responsibilities In order to fulfil your responsibilities as a Merchant, you must: Follow the instructions in this Guide. Only process transaction types that we have approved you to process. These are detailed in your facility approval confirmation. Check your statement regularly to ensure that you are paying the correct Merchant Service Fees. Accept and validate all Nominated cards presented for payment. Follow the correct Authorisation procedures. Ensure that the cardholder authorises all Credit Card transactions by using a PIN or signature, unless the transaction is by mail, telephone or internet order, or is a contactless transaction of $80.00 or less Don t split the cost of a single transaction between two or more sales receipts using a single cardholder account to avoid authorisation limits. Don t give cash out with Credit Card transactions (including refunds). Don t impose a minimum or maximum amount on Credit Card or Debit transactions. Retain paper or electronic records of all transactions for 18 months. These must be kept in a secure place and destroyed by shredding into small pieces after 18 months. Be alert to possible Credit Card fraud and report all instances. Protect account and transactional information and your EFTPOS terminal by conforming to the requirements on page 15. For Card Not Present transactions, never store the CSC values (the 3 digit security codes on the reverse of the Visa or MasterCard Credit Cards) after a transaction has been authorised. Settlement ASB is the only New Zealand bank that credits your electronic sales transactions into your ASB account every day, 365 days of the year, including weekends and public holidays. Funds are deposited into your account before midnight on the day you receive them. The funds are available immediately, and interest is calculated and applied on a daily balance including weekends. Merchants who operate an ASB settlement account will normally receive same day value for their daily settlement. Transactions through your EFTPOS terminal settled prior to 10:30pm will be credited to an ASB settlement account on the same day, seven days a week. Transactions through your EFTPOS terminal settled after 10:30pm, or to a non-asb transaction account will normally be credited on the following business day. Merchant Statement A Merchant Statement is sent out monthly. The statement details all Credit Card Transactions you ve processed in that month and shows the amount of the Merchant Service Fee due. It is your responsibility to check your statement frequently and contact us if you see any irregularities. 4

4 Common Error messages: Terminal message guide Terminal message ***INVALID KEY*** Meaning/Action Invalid key pressed: any key not resulting in valid input or in the terminal taking a valid action. Times out after 4 seconds. No action required. All electronic transactions in New Zealand obtain Authorisation as part of the transaction process. The authorised response is one of either: Approved Means the card issuer will allow the purchase. Provided the PIN entered is correct and the signature matches and you are not suspicious of the Card or Cardholder, complete the transaction normally. Cannot read card Please try again ICC declined Bad card swipe. The card must be held level and swiped at a steady speed for a successful read. Wait for the message to time out. Swipe the card again. Press the CLEAR key to cancel the transaction. Clean the card and card reader. Type of transaction selected is not permitted for that card. Declined Means the Card issuer will not allow the purchase. Inform the Cardholder that the card issuer has not allowed the purchase and request an alternative form of payment. If the customer queries this, politely suggest that they should telephone their card issuer for an explanation. Remove card Swipe card Displayed when a chip card is first inserted usually due to incorrect insertion or a faulty chip. Displayed after a chip card has been inserted incorrectly or is damaged. Error messages For successful transactions the message is usually APPROVED and for unsuccessful transactions this can be a number of texts depending on why the transaction declined. For example it could be CARD EXPIRED, DECLINED, INVALID CARD, REFER TO CARD ISSUER, DO NOT HONOUR. Terminals have different error codes depending on who your terminal provider is. Contact them to understand the error code your machine is displaying. Insert chip card Ensure card inserted correctly Incorrect pin Signature Declined Displayed when a chip card has been inserted incorrectly or is faulty. If the card is then swiped the terminal displays this message. Transaction has been rejected by the host because the PIN has been incorrectly entered. The transaction will need to be re-done. Transaction has been cancelled by the merchant. No action required. Terminal displays EFTPOS - PROCESSING NOW while the transaction is reversed, then returns to SWIPE CARD display. Please try again (Dial-Up lines) No response received. Check that all cables are plugged in, especially the phone line cable. (Dial failed) Please try again. (Dial-Up lines) Communications have been lost. Check that all cables are plugged in. 6

5 Authorisation Card Validation Transaction processing All electronic transactions in New Zealand obtain authorisation automatically as part of the transaction process. The authorisation process provides a check at the time the transaction is processed, on whether the Card number quoted is a valid card. It checks the availability of funds and establishes whether the card has been reported lost or stolen. It does not establish if the Cardholder is genuine. It is your responsibility to establish that the purchaser is who they say they are, and are authorised to use the card presented for payment. Please note: An authorisation does not guarantee payment. If at a later date the transaction is found to be an invalid transaction, it may be charged back to you. See the Chargeback section for further information. Manual Authorisation You will need to obtain a manual authorisation for a transaction in the following instances: For non-electronic transactions when the amount of sale is greater than your authorised floor limit. Processing non-electronic Card Not Present transactions as your floor limit is $0 for all transactions. To obtain manual authorisation, you will need to contact the Card Authorisation Centre on (24 hours, 7 days a week). To ensure a credit card is valid for payment when Card Present, the following checks should be made: Embossing on the card should be even with all numbers the same size and shape. Check the expiry date on the card. Check the Cardholder name is embossed on the card and it matches any other information provided. Check the four digit number printed below the account number is the same as the first four digits of the account number. Check for the three digit card security code next to the signature panel on the reverse of the card. These numbers are required for mail, telephone or internet transactions. A magnetic stripe is on the reverse of the card. If you are suspicious of the card being a counterfeit, a transaction being fraudulent, doubtful of a signature, or you are suspicious of a Cardholder and do not want to alert the Cardholder, call the Card Authorisation Centre on and request a Code 10 authorisation. The Authorisation Centre will ask you questions that require a yes or no answer and will call the Police if necessary. PROCESSING NOW PROCESSING NOW PROCESSING NOW ACCEPTED How to process transactions Transactions can be processed as either Card Present or Card Not Present. This will be discussed with you during the application process and your facility approval confirmation will identify the types of transactions and card types you have approval to process. Card Present (CP) A Card Present transaction is one where the Cardholder and their Nominated card are present during the transaction at your place of business. These transactions are processed via an EFTPOS terminal and can be processed with or without a PIN. If the magnetic stripe or chip is unable to be read by your terminal, and if your terminal is not in offline mode, contact your terminal supplier to check that the readers on your device are working How to process a chip card The terminal should indicate that the merchant needs to dip the card into the terminal. ACCEPTED PROCESSING NOW PROCESSING NOW ACCEPTED Check the front of the card to see if it has a chip. It s easy to recognise. If the card is a magstripe only card the transaction will proceed in the way you are used to, by swiping the card through the terminal s card reader. ACCEPTED If the card is a chip card, it will need to be inserted into the chip reader. Leave the card in the terminal until it prompts you to remove it at the end of the transaction. If the card is removed too early the transaction will be cancelled. The terminal will briefly display PLEASE WAIT. When prompted enter the amount of the ACCEPTED transaction. The cardholder then selects their account and chooses whether to enter their PIN or sign. A PROCESSING NOW message will be shown on the screen. Only when prompted by the terminal should the card be removed. The terminal will then display an ACCEPTED or DECLINE message. If the customer did not enter a PIN they should sign the receipt now. Remember to check the signature. The transaction is complete. If there is an error with the chip or the chip reader a SWIPE CARD prompt may be displayed, in For which high failure, case refer the to transaction Fallback section. can be processed just like a normal swipe card transaction. For high failure, refer to Fallback section. Contactless Contactless is the latest form of Credit and Debit Card acceptance and requires the Cardholder to hold their card over the terminal until the transaction has been accepted. You will need to have an EFTPOS terminal that accepts this kind of payment. If the value of the transaction is $80 or less, a PIN or signature is not required and an accepted message will appear on the EFTPOS terminal once the card has been tapped on the card reader and the transaction has been authorised. If the value of the transaction is greater than $80 then a PIN or signature is required to authorise the transaction. If the PIN is used, an accepted message will appear on the EFTPOS terminal if the transaction is successfully authorised. If a PIN is not used, an accepted with signature message will appear on the EFTPOS terminal if the transaction is successfully authorised. The Cardholder must sign the transaction receipt and you must verify the signature against the card. If a declined message appears on the EFTPOS terminal, ask the Cardholder for an alternative form of payment or retain the goods. Refunds Refunds on Card transactions must be returned to the same Card used for the original sale. Never give cash refunds for Card transactions. Receipts For all Card Present transactions, you must provide the cardholder with the Customer Copy of the transaction receipt. This provides the Cardholder with a detailed record of their purchase from you. You must retain the Merchant Copy of all transaction receipts in a secure location for 18 months. Fallback Fallback occurs when a card that is EMV (chip & PIN) enabled is not used correctly and the Merchant swipes the card. The terminal may not read the chip for various reasons including a damaged chip or damaged terminal. 8

6 Fallback occurrences can be numerous and can be unintentional: Faulty chip. Faulty EFTPOS terminal. Technical inoperability issues. Poor merchant practice. Or deliberate: Disablement of EMV chip on card. Disablement of EMV reader on EFTPOS terminal. On the rare occasion that an EMV card cannot complete the transaction via the card reader, you will be prompted to swipe the card. If a chip card cannot be used correctly then PIN should be requested, because the PIN is a higher form of validation than a signature. Risks of operating in Fallback mode Transacting in Fallback mode carries higher risk for the Merchant including: Higher risk of Chargebacks for Merchant. As a lower form of security has been used for processing the payment, the Merchant has more liability for any transactions which are challenged by Cardholders as being incorrectly charged. Fines from schemes or disconnection. If a Merchant continues to process high levels of Chargebacks, Visa will charge US$1 per transaction for excessive Fallback transactions. We will contact you if you are processing higher than acceptable levels of Fallback transactions. Should you continue to process high levels of Fallback transactions, you may face disconnection. Electronic Offline Vouchers Electronic Offline Vouchers (EOV) enable your business to continue processing EFTPOS transactions even if your EFTPOS terminal loses its connection to the network. Connectivity can be lost for a number of reasons, the most common being telecommunications connectivity faults. It s best to consider live backup connectivity options, however EOV is their for you when no connection is available. Why consider EOV? With EOV, your business does not have to come to a standstill should EFTPOS connectivity be lost. Even while you re offline, transactions can still be processed through your terminal in a safe and secure manner (provided EOV has been enabled), making zip zap vouchers a thing of the past. How does it work and what do I need to do to enable it? If you have a version 6.0 terminal, the simple answer is nothing - on most terminals EOV is set up by default (some customers, such as taxi drivers are not set up with EOV by default, please check with your terminal provider). If your EFTPOS terminal loses connectivity, it will ask you if you would like to switch to EOV (offline) mode where it can continue accepting EFTPOS purchase only transactions. The Cardholder will be required to sign the receipt instead of entering a PIN and you will need to validate the signature against that displayed on the Card, as well as keep hold of the receipts. Once connectivity has been restored, your terminal will upload the stored transactions to the Paymark network for processing. Until the stored EOV transactions have uploaded, you must ensure no changes are made to your terminal. How do I use my terminal when it is in EOV mode? Being loaded for EOV will change the message presented on the IDLE screen of your EFTPOS terminal: Before Swipe Card EOV Equipped Terminal Swipe or Insert Card There will also be different instructions for inserting scheme debit chip cards instead of swiping: Before Card is swiped through the card reader and transaction processed as per usual. EOV Equipped Terminal If you see a chip on the card, insert the card into the chip reader (if the card is swiped through the card reader you will be prompted to INSERT THE CARD into the chip reader). Follow the instructions prompted by the terminal until instructed to remove the chip card. If you swipe or insert an EFTPOS card when connectivity to your EFTPOS terminal is lost, then a message will appear on your EFTPOS terminal screen advising: 1. The terminal is offline. 2. The option to continue with the transaction or not. Depending on your terminal type this message will either appear: 1. Once (at the first transaction since entering offline mode). 2. Before every offline transaction. When connectivity to the Paymark network is re-established you can complete a manual logon by selecting LOGON from the terminal menu. If you do not notice that connectivity is restored, the terminal will try to log on itself when a card is swiped or inserted. Once you have received a LOGON ACCEPTED message, you can process transactions as normal, and the terminal will attempt to begin automatically uploading the stored EOV transactions. This may not always be successful at that time due to network congestion. If this is the case, you can try a manual upload of stored EOV transactions. The process for manual uploads is specific for each terminal type and you should refer to your terminal user guide for instructions. What else do I need to know about EOV? 1. Mobile terminals differ slightly from standard EFTPOS machines and will only enter EOV mode should the Paymark network be unavailable. EOV will not be available should there be an issue with the mobile network connectivity. 2. EOV transactions can only be up to the dollar value of the approved floor limit (typically $300 per transaction). For transactions greater than this limit your terminal will alert you that the limit has been reached and the transaction cannot be processed. 3. Refunds and Cash Out transactions are not available whilst in EOV mode. 4. EOV transactions must be uploaded and not left stored in the terminal. Should the terminal cease to operate or the software is replaced before the upload process is completed, you are at risk of losing all stored transactions. 5. Please contact your terminal reseller and advise that the terminal is in EOV mode, or contact our Helpdesk on 0800 PAYMARK ( ). 6. Some limits apply in regards to the amount of transactions you can process in EOV, please give us a call to discuss the requirements of your business. EOV fraud prevention tips 1. Ensure you only process purchase transactions (not purchase + cash out or cash out only). 2. Check the signature against that on the back of the card as this is your only form of verification. 3. Do not attempt to swap your EFTPOS terminal hardware without uploading transactions or talking with your terminal provider first. Be extra vigilant of expiry dates and card types. Ensure you do not swipe expired cards or card types you do not usually process. Card Not Present transactions (CNP) Card Not Present transactions are where both the Cardholder and their credit card are not present at time of the transaction. These transactions may include mail order/telephone order (MOTO) and E-Commerce internet transactions. Card Not Present transactions require authorisation for all sales as a $0 floor limit applies to all Card Not Present transactions. Authorisation is obtained automatically as part of the transaction process for all electronic transactions. You must ensure that the Cardholder provides you with all the details necessary to properly authorise the transaction. It is also advisable to obtain: A contact phone number (not mobile). The name of the bank that issued the card. For mail orders, ensure that you obtain a signature on the order form. A contact phone number (not mobile). Remember: it is your responsibility to ensure the Cardholder is who they say they are. Acceptance of Card Not Present transactions needs to be explicitly stated in your facility approval confirmation with ASB Merchant Services. You must call us to discuss acceptance of card details from additional channels. E-Commerce (internet transactions) E-Commerce processing is set up for merchants who have a website and wish to sell goods or services via their website and to accept payments at the time of purchase. If you require an E-Commerce facility, these are our minimum requirements to consider approving a facility for you: Must have minimum 12 months banking relationship with ASB. Country of domicile must be New Zealand. Must complete reporting for Visa and MasterCard on website credit card security (PCI). You must, at your cost, arrange for your website to be prepared and maintained in accordance with our reasonable requirements, including those requirements applicable to internet security standards as set down by Visa and MasterCard or otherwise notified by us in /writing from time to time. You must, at your cost, immediately rectify any security or processing faults or issues with your website as identified by either you, or notified to you by ASB. When you apply for an E-Commerce merchant facility, your website will be reviewed as part of the application. More details can be obtained through the Merchant Services team, but the following is a general guide to what your website must display: Clearly indicate the name and nature for your business, giving full contact and address details and company registration number. Clearly indicate what products and services you are offering to the Cardholder. Clearly explain your shipping practices and policies. The Cardholder should be able to determine how long (after purchasing them) it will take to receive their goods or services. 10

7 Ensure that the total costs for products or services are clear to the Cardholder and include all appropriate shipping, handling and taxes to be charged. A list of any export or legal restrictions (if known). All prices must be quoted in a currency you can process (NZ$). Display the Visa and MasterCard symbol in full colour to indicate card acceptance. You must have an easily found refund policy, clearly communicating to the customer their rights and responsibilities. If you have a limited refund or no refund policy, this must be clearly communicated to customers before their purchase decision is made. Clearly provide a customer service phone number that Cardholders can use to resolve disputes. Include a clear, concise statement of your privacy policy and information security procedures. Comply with the PCI DSS standards (see PCI DSS section of this manual). Products sold must not constitute Brand or Risk damage (see Brand and Risk section of this manual). You must ensure the customer is authorised to make payment with the credit card. If you change your web address or products/services or payments system you must notify ASB on The brand marks for both Visa and MasterCard must be displayed on all advertising and promotional material associated with Card Not Present transactions. The brand marks are to be displayed in close proximity to wherever payment options are presented. Please Note: Card Not Present transactions carry a higher risk of fraud. Processing E-Commerce transactions There are a number of ways that Internet/E-Commerce transactions can be processed. Recurring and Tokenisation The customer enters the credit card into your site. Your website sends the credit card number to your payment gateway and you are returned a token. You can then use the token to debit the card number whenever you need to - you provide the token to the payment gateway and they put the payment through against the card. The benefit is that you are able to take more than one payment from the same credit card in this situation, and can set up your own scheduled payments if that is what you require. When the credit card expires the token is no longer any use and you will need to go back to the Cardholder to get a new credit card number and expiry date. This is an excellent solution for any Merchant where their customer has an account that needs to be debited more than once by credit card. Batch For merchants who have a need to process large numbers of transactions quickly, easily and in a PCI DSS compliant environment. ASB can recommend payment gateways who can provide a PCI compliant software process which is capable of processing thousands of transactions as a single batch, this will save any business valuable time, effort and staff resources by moving away from having to manually process transactions individually. One off Payment gateway providers can advise you on which shopping carts/booking software are compatible with their products to provide a PCI compliant fully hosted solution. Card details are processed in a secure environment outside of your IT network. As the Merchant you are presented with the Accepted or Declined information and accepted transactions are credited to your account. Virtual terminal What is it? A virtual terminal is a secure website which Merchants can log into to process Visa and MasterCard. It is similar to a standard EFTPOS terminal (that you would find in your local store), except that a virtual terminal uses a computer and a secure internet connection to process payments. How to use and when? Virtual terminals enables online businesses to stay open 24 hours a day, every day of the year. This reliable service is an instant way for your customers to pay for goods and services with their credit cards over the phone. This service can be upgraded for use with PCI compliant fully hosted online shopping carts or booking software as your business expands. Mail order/telephone order MOTO key entry via terminal is only to be used for processing postal mail and telephone orders. If your business wants to have an online or internet presence you must discuss it with ASB, because a separate facility will need to be set up to maximises data security. A $0 floor limit applies to all Card Not Present transactions and authorisation is required for every sale. Please ensure the Cardholder provides you will all the details necessary to authorise the transaction properly. Minimum requirements are listed in the Card Not Present section above. Ensure the card details are obtained in a secure manner and destroyed or rendered illegible once authorisation is obtained. Processing a Refund When you re logged into the Merchant Admin of your E-Commerce facility, locate the transaction in question and press the refund button. If the transaction was successful you will be presented with a refund amount and refund button. Adjust the amount you wish to refund, if required, and click refund. Please note: Processes and screens will vary according to your payment gateway provider. If you are uncertain of how to process a refund it s best to contact them directly for support. 3DS 3DS covers the MasterCard SecureCode (SecureCode) and Visa s verified by Visa (VbV) initiatives. These were designed to verify the identity of the Cardholder for online purchases and assist merchants to minimise their exposure to fraud by allowing Cardholders to choose an online PIN or Password that confirms they are the real owner of the card. 3DS is not a failsafe tool. It is your responsibility to satisfy yourself that the Cardholder is who they say they are. Cardholders can still claim goods not received/defective, not as described merchandise or that credits were not processed. Please view the Chargeback section of this guide for information on how to protect your business and what to do if requested to provide information for a Chargeback. Note: If you choose to manually process a credit card which is experiencing problems on your 3DS enabled website, you become liable for all Chargebacks raised for unauthorised transactions. ASB enables 3DS on all new E-Commerce websites. If your existing website does not support 3DS, please talk to our team on Manual Processing (Paper) Filling out a sales voucher 1. Place the Card face up in your imprinter. 2. Place a sales voucher in the imprinter over the card. 3. Make the imprint firmly, making sure the details are clearly imprinted on all copies. 4. Fill in the date, a brief description of the goods or services, the amount of the sale and initial (all transactions must be in New Zealand currency). 5. Get the customer to sign the sales voucher. 6. If the sale is over the authorised floor limit ($100) phone the Card Authorisation Centre on Write your authoristation number in the space provided. 8. Provide an appropriate copy of the sales voucher and return the card to the Cardholder. 9. Include the bank copy of the voucher with your Merchant Summary. 10. Render the card number illegible and securely retain the merchant copy of the sales voucher for 18 months. 11. Never ask a Cardholder to sign a blank sales voucher. Please note: Authorisation of a sales transaction does not constitute a guarantee of payment. The authorisation process includes checks on: Whether the card number quoted is a valid card. The availability of funds. Whether the card has been reported lost or stolen. It does not establish if the Cardholder is genuine. It is your responsibility to establish that the purchaser is who they say they are, and are authorised to use the card being presented.

8 Transactional fraud prevention Fraud can be committed by persons using stolen credit card details, your employees or both colluding. This can cause significant financial and reputational loss for your business. To minimise the risk of fraud, use all functionality offered: Card Present Chip and PIN in preference to signature Card Not Present Fully hosted with 3DS. What can I do? It s your responsibility to verify to your own satisfaction the identity of a customer prior to the supply of goods and services. The following are suggested checks: Ask for comprehensive customer details and validate these. Obtain the customers full name, address and home phone number. Do an order confirmation telephone the customer some time later to confirm order details before delivering. Where the customer is not aware of the order or cannot confirm the details, issue a refund on the card and do not deliver the goods. Partial refund make a small refund (example 37 cents) back to the card. Ask the customer to access Card Not Present fraud Accepting payment for goods in a Card Not Present manner comes with a higher level of risk than Card Present transactions. Please see page 8 for transaction processing. Pre-authorisation If you are taking payment in advance where goods will be collected by the Cardholder, you should talk to us about preauthorisation. This will enable you to confirm the card number provided at the time of ordering is valid and the funds are available. When the customer comes to collect the goods you can process the Card in a Card Present manner, finalising and completing the pre-authorisation amount. 10 potential warning signs of Card Not Present fraud Stay alert for the following fraud indicators. Any one of these factors could indicate a higher degree of fraud risk. 1. First-time shopper. Criminals are always looking for new Merchants to steal from. their account and state the amount refunded. Ask the customer where their card was issued and by which bank. You can verify these details on websites such as binbase.com and exactbins.com Ask the customer to show their credit card and drivers licence (where possible) as identification on the delivery. Never deliver the goods to post office boxes. Never leave the goods at unattended premises. Always ask for the card expiry date. If you have any doubts and cannot verify any of the points above, we recommend that you issue a refund to the card and seek alternative forms of payment until a trading relationship is established. Never refund to a different card, and never refund or forward funds to a bank account or via Telegraphic Transfer. Receiving authorisation, including funds deposited to your account does not guarantee payment. Transactions may be challenged up to 180 days after they have taken place and funds may be reversed from your account. 2. Larger than normal orders. Stolen cards or account numbers have a limited life span, criminals need to maximise the size of their purchase. 3. Orders that include several of the same item. Having multiples of the same item increases a criminal s profits. 4. Rush or overnight shipping. Criminals want their fraudulently obtained items as soon as possible for the quickest possible resale and aren t concerned about extra delivery charges. 5. Shipping outside the Merchant s country. There are times when fraudulently obtained goods and services are shipped overseas. If the majority of your orders come from New Zealand, ensure that you take care to validate the legitimacy of the order. 6. Inconsistencies. Information in the order details, such as billing and shipping address mismatch, addresses that do not look legitimate and an irregular time of day when the order was placed. 7. Multiple transactions on one card over a very short period of time. This could be an attempt to run a card until the account is closed. 8. Shipping to a single address, with transactions placed on multiple cards. This could involve an account number generated using special software, or even a batch of stolen cards. 9. Multiple transactions on one card or a similar card with a single billing address, but multiple shipping addresses. This could represent organised activity, rather than one individual at work. 10. Orders from internet addresses that make use of free services. Customers who sign up for free services are not required to provide proof of their identity or address in order to establish an account, so it is important to take extra steps to validate the person placing the order. Certain industries in New Zealand have been identified as higher risk for fraudulent activity. If you are in one of the following industries please take extra care with all internet transactions. Electronics stores Computer software stores Telecommunication services Food stores Gift card Novelty stores Sporting goods stores Jewellery stores Card Present fraud Card Present fraud still occurs. Here are some common signs which should raise alarm for you: Larger than normal orders. Stolen cards or account numbers have a limited life span, criminals need to maximise the size of their purchase. Price is not considered. Criminals will often not haggle on price as they want to complete the purchase in as little time as possible. Colour, design is not considered. Criminals will often not worry about colour, or other flexibility in a product as they want to complete and obtain the goods in as shorter time as possible. Inconsistencies. Information in the order details such as billing and shipping address mismatch, addresses that do not look legitimate. Multiple transactions on one card. If a card is stolen the purchaser will not know the limit and will purchase until the card has reached its limit. Split transactions on multiple cards. If the cards are stolen the purchaser will attempt to spread a large purchase over a number of cards as they do not know the credit available on the cards. Damaged cards. Always use the highest form of security. Cards can be damaged so the Chip or Magnetic Stripe will not work in an EFTPOS terminal reducing the option from PIN to Signature, or Chip to Magnetic Stripe. Never accept payment via a damaged chip card without a PIN, and train your staff to ask for PIN on all transactions, or to verify magnetic stripe with a second form of ID the details of which can be written on the reverse of the merchant copy EFTPOS receipt. Second forms of ID may be a photo Driver s License, Passport, or any other ID that gives you comfort that the transaction is being completed by a person who is entitled to the card. Last minute shopper. Purchaser arrives at the end of the day and flusters staff with a rush order and any of the above signs. Transaction risk Higher risk transactions The following types of transactions are examples of those that carry higher risk. Extra care should be taken when processing transactions of this nature: First time customers. International orders - particularly South East Asia and Africa. orders especially from a free address such as Yahoo!, Hotmail or Gmail. Card Not Present transactions, including , internet, mail and telephone orders. Any transaction where the card is not swiped, inserted or tapped on an EFTPOS terminal. Transactions which are manually keyed into an EFTPOS terminal. Manual transactions where no authorisation has been obtained. Manually entered transactions where the card number is manually keyed into the terminal instead of swiping or inserting the card. Transactions where an authorisation has not been obtained. 14

9 Chargebacks Lower risk transactions The following types of transactions are lower risk: Card Present transactions where the transaction is completed through the EFTPOS terminal or an imprint of the card as well as signature and authorisation is obtained. Internet transactions authenticated via Verified by Visa or MasterCard SecureCode. Note: All transactions carry a level of risk. Before you accept payments, you need to make yourself familiar with these risks. Employee fraud Typical ways employees perpetrate credit card fraud: Process a credit transaction to their own account. Employees may issue credits to their own credit card or to an accomplice s card using the Merchant s EFTPOS terminal using funds meant for the Merchant s direct deposit account. Record card numbers. Employees may pocket receipts left behind by Cardholders or may copy card numbers onto a separate piece of paper. Systems that truncate the card number on the customer s receipt can help your business avoid this type of fraud. Use a card skimmer. A dishonest employee can steal valuable information off a customer s card through use of a small, battery-operated card skimmer. This hand-held device reads a card s magnetic stripe and records the Cardholder data for later download to a computer. From there, the numbers can be used to make unauthorised purchases or create counterfeit cards. Despite the opportunity for employee fraud, you as a Merchant are not totally without protection. Most terminals or transaction software tools allow you to require a password in order to process a credit transaction, and there are a number of other tactics you can use to prevent employee fraud. These include: Reconciling your work daily rather than monthly. Password protecting the credit function on your credit card terminal. Secure your terminal outside normal business hours. Have a separate authoriser of credits in addition to the person who physically processes a credit. Make sure all credits have accompanying internal documentation of customer information (name, and contact information) and reason for return or dispute. Match credits to returned or disputed goods or services, verify with customers that they did actually return/dispute goods or services. Have more than one person review monthly statements. Send all credit transactions to a central office for review. Review credits daily, or have a trusted employee do the review. Fully investigate credits without matching sales. Review any batches with negative dollar amounts (more credits than sales). Conduct regular internal audits at random times and intervals. Audit bookkeeping and accounting processes quarterly. Track credits by card number, terminal number, employee, frequency, and dollar amount (exception based reporting). Review any volume spikes in credit/return/dispute activity. Protect your passwords and verify internal access controls for online account reporting, and checking account change requests. 3DS is not a failsafe tool. It is your responsibility to satisfy yourself that the Cardholder is who they say they are. A Chargeback is a reversal of a credit card transaction previously credited to your account. Generally, if a Cardholder disputes a transaction and you do not have sufficient evidence to show that the Cardholder authorised the transaction, the liability for the Chargeback will then rest with you. This means that the original transaction is reversed and you will not receive payment for the goods or services you may have already delivered. You may also be required to pay fees for investigating and processing the Chargeback. If you are requested to present information for a Chargeback (where a purchase is being disputed by the Cardholder) information that will assist includes: Evidence that the transaction was completed by a member of the Cardholder s household. Details of order including Cardholder s name, delivery address and what was purchased. Signed order form. Details of order placed, delivery information (date and address), and signed delivery docket to confirm goods have been received. Evidence, such as photographs or s, to prove a link between the person receiving the merchandise and the Cardholder, or to prove that the Cardholder disputing the transaction is in possession of the merchandise. Details of any credits you have processed to the original card used in the transaction. Note: Providing this information does not guarantee funds will not be deducted from your Merchant Account in accordance with Visa and MasterCard s terms and conditions but do assist ASB in answering the dispute on your behalf. Chargeback reason: Credit not processed Obtain details of any credits you have processed to the original card used in the transaction. Please note: It is important to refund to the original card only, as refunds processed in any other manner to other cards or accounts will not be valid. To minimise your Chargeback risks, talk to your web developer to see if one or more of the following can be automatically captured and stored: Customer name, and shipping address and what was purchased. Evidence that the transaction processed 3DS authorisation. Purchaser s IP address. Purchaser s address. Description of the goods downloaded, if applicable. Date and time goods were downloaded, if applicable. Proof that the Merchant s website was accessed for services after the transaction date, if this is a subscription purchase. Mail/Telephone Order transaction: Signed order form. Details of order including Cardholder s name, delivery address and what was purchased. There are business processes you can implement to help your business reduce the likelihood of receiving a Chargeback. You can reduce the risk of Chargebacks caused by customer disputes by keeping good records. This will help you to find specific transactions quickly and easily. Common Chargebacks and mitigation If you are contacted for information regarding a transaction that has been charged back, you will need to provide the following information as a minimum: You should include all of the following information in your invoices, contract and promotional materials: Your business name as it will appear on the Cardholder s statement. Your business address. Customer service contact numbers. A complete description of goods and services provided. A specific delivery time. Details of your return and cancellation policy. Details of debit dates for regular instalments such as memberships or subscriptions. You can also reduce the risk of Chargebacks resulting from fraudulent use of cards by requesting the card verification code, or CVV2/CVC2, and using a security program such as MasterCard SecureCode or Verified by Visa. Chargeback reason: Goods not received/defective, not as described merchandise Obtain details of order placed, delivery information (date and address), and signed delivery docket to confirm goods have been received. Evidence, such as photographs or s, to prove a link between the person receiving the merchandise and the Cardholder, or to prove that the Cardholder disputing the transaction is in possession of the merchandise. 16

10 If you are contacted in relation to a Chargeback, it is your responsiblilty to provide information to ASB to assist in providing evidence to the card issuing bank on your behalf. Failure to provide information in the required time frame (normally 10 business days) can result in the Chargeback being processed in accordance with Visa and MasterCard requirements. If, after ASB have submitted your documentation to the Cardholder s bank, we are still unable to satisfy the Cardholder bank that the transaction was valid, ASB will confirm this in writing advising a date for the debit to be processed for the full amount. When can a Chargeback occur? We can chargeback a transaction if: The goods or services supplied are illegal or prohibited. Business Protection The card was not valid at the time of the transaction. The cardholder disputes liability for the transaction for any reason. The cardholder did not authorise the transaction. Authorisation for the transaction was declined for any reason. The sales receipt has been altered without the cardholder s authority. It was processed to your own credit card. You breach a term of your Merchant Agreement. The transaction amount is greater than your floor limit and you did not get an authorisation. It represents the refinance of an existing debt or the collection of a dishonoured cheque. How to minimise your PCI DSS risk? The best way to lower your reporting obligations is to remove the presence of credit card numbers from your business. PCI approved, fully hosted solutions (provided by companies such as DPS, IP Payments, Paystation etc) will capture the credit card numbers and process this information for you. This prevents any card numbers or other details contacting your IT systems, being available to staff within your business, and lowers risk of card numbers being stolen via web and IT attacks. As a Merchant accepting Visa or MasterCard, you must not store or retain any sensitive data post authorisation which includes but is not limited to: Primary Account Number CVV2/CSC2/CVC2 Customer Pin Number Magnetic stripe data. This includes cards used in POS readers for obtaining customer name, or other details in Hospitality POS, bar tabs, retail POS, loyalty or any other magnetic stripe reader. Obligation PCI DSS applies to any party that interacts with credit card numbers in any manner at any point in or after the transaction has been completed. This includes any interface, PC, web page that may see, pass, transmit, collect, process, or store card numbers. All these parties in the payment process must be PCI DSS compliant regardless of the size of the business or volume of transactions made. It is the responsibility of the Merchant to ensure all parties in their payment process are PCI Compliant. Brand and business risk What is brand and business risk? Brand risk is any product, action, content or service which has the potential to damage the reputation of ASB, MasterCard or Visa. If Visa, MasterCard or ASB deem a Merchant as potentially damaging their brand, the Merchant can have their merchant facilty removed without notice, for breach of terms and conditions. PCI DSS What is it? The Payment Card Industry Security Standards Council is an institution which includes MasterCard and Visa International whose aim is to enhance credit card payment security. It aims to achieve this goal through the mandatory adoption of the PCI Data Security Standard (PCI DSS) by all businesses that store, process and/or transmit credit card scheme data (card numbers and other sensitive information). The requirements of PCI DSS Goals Build and maintain a secure network Protect Cardholder data Maintain a vulnerability management programme Implement strong access control measures Regularly monitor and test networks Maintain an Information Security policy PCI DSS Requirements 1. Install and maintain a firewall configuration to protect Cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. 3. Protect stored Cardholder data. 4. Encrypt transmission of Cardholder data across open, public networks. 5. Use and regularly update anti-virus software or programmes. 6. Develop and maintain secure systems and applications. 7. Restrict access to Cardholder data by business need to know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to Cardholder data. 10. Track and monitor all access to network resources and Cardholder data. 11. Regularly test security systems and processes. 12. Maintain an Information Security policy. Should you wish to find out more, Visa and MasterCard have additional information at the following links: Visa Account Information Security (AIS) accountsecurity.shtml MasterCard Site data programme (SDP) mastercard.com/us/company/en/whatwedo/site_data_ protection.html Protection The benefits of PCI DSS include: Reducing the risk of credit card fraud. Avoiding fines, penalties and costs related to credit card security breaches and non-compliance. Increasing consumer confidence in credit card payments. Reducing your business exposure to potential lost revenue as a result of fraud. Reporting Reporting is due on either a quarterly or annual basis (depending on your volume of transactions and how you process them). This is a general guide please talk to the Merchant Services Team on for further information. If you use fully hosted solutions and do not receive, store or transmit credit card numbers you will need to report once a year. If you do not use fully hosted solutions and do receive, store or transmit credit card numbers you will need to provide quarterly scans and reporting of your system. Unacceptable businesses The following examples include some merchant categories that are banned by Visa and MasterCard: Counterfeit and copyright infringing merchandise. Child pornography. Illicit websites depicting violence and extreme sexual violence. Potentially deceptive marketing practices. Online gambling. Purchase or trade of media or activities related to child pornography, bestiality, rape (or any other non-consensual sexual behaviour) or non-consensual mutilation of a person or body part. The following business types will need to be monitored and may be required to pay a fee for annual registration with Visa and MasterCard (including but not limited to): Drugs (prescription/pharmacy only/restricted medicine) Tobacco product sales. Pay per call/minute services (horoscopes/ chat lines/marketing services). Internet hosting/access/data storage. Social media sites. Any business that may be deemed brand damaging to ASB, Visa or MasterCard. Cyberlockers (internet based data storage facilities). Software suppliers (risk of Malware). Sale of Government forms. 18