important for me Postbank P.O.S. Transact

important for me Smooth, secure processing of card payments online, by phone or by fax. The benefits of being a Postbank partner for distance selling. Postbank P.O.S. Transact

2 At a glance The benefits of being a Postbank partner in the processing of credit card payments online, by phone or by fax: Smooth, efficient processing of transactions by an expert and experienced provider with a high-performance platform Acceptance and processing of credit and debit cards from VISA, VISA Electron, V PAY, MasterCard and Maestro On request, maximum protection with 3-D Secure and address verification service Approval service: 24/7, 365 days a year Detection and prevention of card fraud with proactive, our next-generation fraud prevention system

Contents Contents The basics Why this brochure is important to you... 4 When you cannot see the customer, you have to be extra careful... 5 Approval service What happens if something is not right?... 7 Card fraud How to protect yourself from fraudsters... 8 Security procedures About 3-D Secure, CVV-2/CVC-2, PCI DSS and their benefits... 10 We play it safe: Fraud detection and prevention with proactive... 14 Service Example of a single account statement... 16 Example of a collective account statement... 18 What else do I need to know about card acceptance?... 20 Glossary of key terms... 22

4 The basics Why this brochure is important to you Postbank P.O.S. Transact GmbH is an experienced service provider offering success and security in card-based payment. Our expertise, efficiency, innovation, and flexibility, combined with the network, infrastructure and professionalism of Deutsche Postbank AG, have made us unique in Europe. You will find additional information about the correct procedure for credit card acceptance in distance selling in our separate brochure, "General Terms and Conditions for Card Acceptance". This brochure explains how to handle card payments for distance selling transactions over the Internet, the phone or by fax. It is designed as a practical guide to help you process cashless payments smoothly and securely. With our help, you can fully exploit the increased sales opportunities offered by card payment. But first things first. To reduce the risks associated with card payments where there is no direct contact with the customer, some special measures and procedures are required. So please read this brochure carefully before starting to process card transactions as a new online or mail-order Postbank partner. Employees handling these payments should also receive appropriate training.

The basics 5 When you cannot see the customer, you have to be extra careful When a customer pays for goods in person at the point of sale, the terminal performs the essential checks by reading the card data. With distance selling, this is not possible. So it is essential to obtain all the data relating to the transaction. If there are any complaints about the transaction later on, you must be able to demonstrate possession of the card holder's details and authorization, because as the merchant you are liable for the transaction if you did not have authorization to charge the card when the transaction was processed. A preliminary note If you have already processed a transaction by phone, in writing or online and the goods have been paid for, but the customer wants to collect them from your place of business, you must either cancel the transaction or issue a refund. The customer can only collect the goods in person from your place of business if they present the credit or debit card and suitable ID, for example an identity card. If you have already issued a payment receipt, destroy it and print a new sales receipt as normal at the check-out. If you decide to issue a refund, please make the card holder aware that the original transaction, the refund and the new transaction (processed at the point of sale) will all appear on the bill. The normal procedure for distance selling and secure processing of orders and payments is described below. Please also read the information on pages 11-13 about security procedures for e-commerce.

6 The basics Important information for merchants: NEVER store the card verification code! The information you need for distance selling: On the first contact with a customer, make sure you obtain at least the following details: Card number Date of issue or date from which the card is valid (if shown on card) Expiry date Title or salutation of card holder (if applicable) Name and initials of card holder (as they appear on the card) Billing address of card holder Delivery address Card Verification Value / Card Verification Code (CVV-2/CVC-2) This code is the three- or four-digit number printed on the signature strip on the back of the card. You will be required to produce this information (with the exception of the CVV-2/CVC-2) if there are any complaints about the transaction later on. If possible you should also obtain the following information: For telephone orders: Orders placed over the phone carry the highest risk of mistakes. So always obtain the following additional details: Card holder's telephone number Record the date and exact time of the call Please note: If you choose to deliver the goods to an address other than the card holder's address, you are accepting an additional risk. For orders by post / fax: Make sure the order form is signed. Always retain a copy of the written order and proof of delivery and keep a record of the phone call so that you can check the details in the event of a query. Authorization The issuing of an authorization and authorization code for a transaction are not a guarantee of payment - they only indicate that the card has not been reported lost or stolen and that sufficient credit is available at the time of authorization. They do not guarantee that the address provided by the card holder is correct or that the order was placed by the genuine card holder. A contact telephone number

Approval service 7 What happens if something is not right? In distance selling, some situations may require you to call the Postbank approval service: Any distance selling transaction where the agreed maximum amount is reached or exceeded The original transaction has already been approved, but the transaction amount has changed or the transaction has been canceled, partially canceled or refunded When you call the approval service about a distance selling transaction, you must clearly state the following information in the order given: "This is an approval request for a distance selling transaction" Card number Your merchant number The exact amount of the sale (e.g. in euros and cents) Card expiry date Customer's name, initials and address, including postal code The Postbank approval service will provide you with an approval number. Please wrote this down immediately in the space provided on the sales slip or in your shop system / payment platform. Please note that as the merchant, you bear the risk for all distance selling transactions regardless of whether or not you received an approval number for a particular transaction. For distance selling transactions, call the Postbank approval service on Tel.: +49 228 5500 5811. This service is available 24 hours a day, 365 days a year.

8 Card fraud How to protect yourself from fraudsters Card fraud can occur when a fraudster gains access to a card holder's details and uses them to order goods over the phone, by mail order or electronically, for example on the Internet, without the permission of the card holder. Fraudsters normally order goods they can sell on easily, such as computers, TVs, and hifi systems. In addition to the security precautions taken by card organizations and the measures employed by Postbank P.O.S. Transact, there are also ways in which you yourself can tell whether or not a card holder is genuine. Additional checks you can carry out if you have grounds for suspicion to find out if a card holder is genuine: For business customers you do not know, check their details in sources such as business directories. You may be able to look up private customer addresses in the phone book or online. To check quickly and with confidence whether a card is being used legitimately, without the need for special facilities, we recommend our proactive Address Verification Service. Please ask for more information. Obtain the customer's telephone number from the directory assistance by providing the address and call the customer to confirm the order (not necessarily straight away). Exercise caution if the card holder makes unusual suggestions, for example spontaneously offering to use another card if the first one is rejected. Look out for several cards with unusual details or similar card numbers being presented within a particular period. (Fraudsters normally present cards where the numbers are identical apart from the last four digits. This may indicate that a complete card batch has been stolen.) Be especially cautious if the card holder's address is abroad and in a known risk country. Examples of risks to be aware of in relation to the delivery of goods: Goods should not be handed over to third parties, such as a friend of the card holder, taxi driver, chauffeur or courier. (Goods of a relatively low value, such as flowers, may however be delivered to third parties.) We recommend only delivering goods to the card holder's main address. If you accept delivery to a different address, always keep a record of the delivery address with the rest of the transaction data.

Card fraud 9 Do not deliver goods to hotels or other temporary accommodation. Only deliver goods by registered mail or courier and insist on a signed and dated delivery slip or confirmation of delivery. Make sure the goods are delivered to the stated address and not to someone who "just happens" to be waiting outside. Instruct the courier to return with the goods if they cannot be delivered to the correct person or address. Do not deliver to an address that is obviously unoccupied. Reminder An approval number only indicates that the card has enough credit at the time of the transaction. The authorization does not guarantee that the person who is using the card is the real card holder. Never process card transactions on behalf of another business. If you handle transactions on behalf of another person or business, you will be liable for any chargebacks and may also jeopardize your own ability to accept card payments. Card fraud is more common in some geographical regions than others. If you sell goods that are particularly attractive to fraudsters and easy to sell on, there is a high risk of suffering losses from card fraud. To protect your business against risk, it is essential that you and all your employees follow the guidelines explained here. If you are concerned that you may be at particular risk from card fraud, please call Tel.: +49 228 5500 5811 and speak to our risk management department. Our team can provide advice and additional information. Specifically, you may be interested in our fraud management system, proactive. This security system is based on prevention and offers tailored solutions for detecting and preventing fraud. Read more about proactive on pages 14/15 or call our team on Tel.: +49 228 5500 5811. You can help to protect yourself against fraud by using your own checks and precautions. The golden rule is: Never take a risk. Some fraudsters offer a commission for handling their card transactions while they wait for the ability to accept cards themselves. The owners, executives, and employees of the business may not carry out any debit or credit transactions to their own credit or debit cards. If this occurs, Postbank will be entitled to reject the transaction without notice.

10 Security procedures The acronyms you can trust in card payment: 3-D Secure, CVV-2/CVC-2, and PCI DSS are security features developed by VISA and MasterCard that help to protect merchants from becoming victims of card fraud.

Security procedures 11 About 3-D Secure, CVV-2/CVC-2, PCI DSS and their benefits Security plays an essential role in e-commerce. The features explained here significantly reduce the risks and give merchants and customers increased confidence in the security of card transactions. 3-D Secure technology Until recently, online merchants who accepted credit cards for online payments faced the risk of chargebacks if a transaction was revoked - because in distance selling, the merchant does not physically see the card used for payment, nor does the customer sign the sales slip. The 3-D Secure technology developed by VISA - offered under the label "Verified by VISA" and by MasterCard as "MasterCard SecureCode" - helps to protect online merchants against credit card fraud. The key feature of 3-D Secure is the merchant plug-in (MPI), which must be installed in the merchant's payment system. Merchants who use payment authentication with 3-D Secure are protected against the risk of "chargeback due to fraud" almost anywhere in the world, because with "Verified by VISA" and "MasterCard SecureCode" the buyer can usually be positively identified as the card holder. The risk of losses resulting from declined payments is reduced to a minimum, the only exception being the actual chargeback fees. The card holder's right to a refund for reasons unrelated to fraud (e. g. goods not delivered / wrong goods delivered) remains unaffected. The card holder also benefits from this security standard, because by choosing a password they can reduce the risk of an unauthorized individual using their credit card. In a sense, the password replaces the customer signature at the check-out. In order to use 3-D Secure authentication, the card holder simply needs to contact their bank and set up a password and Personal Assurance Message. This allows the bank to identify the customer at any time. Neither the merchant nor the merchant's bank can see the password. 3-D Secure prevents fraud with stolen credit card numbers. Online merchants who use this technology provide their customers with greater confidence in online credit card transactions. Card verification code (CVV-2/CVC-2) The card verification code is a credit card security feature for distance selling where the card is not present. MasterCard uses the term Card Verification Code (CVC-2), while VISA refers to the Card Verification Value (CVV-2). It is designed to prevent the use of stolen credit card details and make payment processes in distance selling more secure. Card organizations are constantly enhancing existing security systems and introducing new technologies.

12 Security procedures State-of-the-art security measures significantly reduce the merchant's payment risk in distance selling. The potential costs are a necessary investment that will always pay for itself. The card verification code consists of three digits and is printed on the signature strip on the back of the card. There is no mathematical relationship between this code and the credit card number, and the code is not stored on the magnetic strip. During a payment when the card is not present, the card holder is asked to provide the card verification code. In a normal payment process, the merchant sends this code to the bank for verification. PCI DSS: Protection against theft of credit card data from IT systems MasterCard and VISA introduced the Payment Card Industry Data Security Standard (PCI DSS) to increase data security for the storage, processing and/or transmission of card data. All businesses that handle confidential data must comply with these requirements and hold the relevant certificates. Postbank P.O.S. Transact GmbH believes that PCI DSS offers important benefits for all merchants who handle sensitive card data. This standard minimizes the risk of serious financial losses caused by the fraudulent use of data. It also reduces the risk of sensitive information falling into the wrong hands and being used for criminal purposes. PCI DSS is a mandatory standard for merchants who collect customer card data on their own systems, whether for permanent storage, short-term processing or forwarding to a service provider. These merchants and their service providers must demonstrate that they have taken. adequate technical and organizational measures to protect card data, transaction data, and account information from attacks and to prevent it being compromised. The security of the entire network is only maximized when all parties participate. Breaches of the rules are penalized by fines, which in serious cases may be in six figures and which could be applied in full to you as the merchant. A merchant is only exempt from the requirements of PCI DSS if card data is sent directly to a service provider without coming into contact with the merchant's own system. If you are unsure whether card data is stored, processed or forwarded on your systems, please contact us at pcidss@postransact.de. We will be happy to help. How to get certified If you are directly involved in the transaction process or store confidential card holder data, you must register with us. All you need to do is complete a simple online form, which takes about 10 minutes. Once you have registered, we can take all the other steps required. We will check the architecture and configuration of your Internet connection for loopholes that could be used by an attacker to prepare and carry out an attack. We will test your system for potential weaknesses using online security scanners and manual analyses. If we uncover any security loopholes, we will advise you on how to address them.

Security procedures 13 If you have any questions, please contact the Postbank Card Acceptance Service: Postbank Service Kartenakzeptanz 90314 Nürnberg Germany Tel.: +49 228 5500 5811 E-mail: service@postransact.de www.postransact.com

14 Security procedures proactive is a set of effective, made-to-measure services designed to prevent card fraud in e-payment. It is tailored to the needs of specific industries and merchant profiles and the demands of international business.

Security procedures 15 We play it safe: Fraud detection and prevention with proactive The advantage of the greater revenue potential generated by credit card sales is counterbalanced by a risk factor. Merchants face the risk of fraudulently obtained card details being used to make payments, resulting in the loss of goods or services and the costs of handling the consequences. In response to this problem, Postbank P.O.S. Transact developed the fraud management system proactive. Fortunately, there is an ideal solution for merchants facing this dilemma. It is perfectly possible to maximize revenue potential by accepting credit or debit cards while protecting yourself from risk and therefore enjoying maximum peace of mind. It was for this reason that Postbank P.O.S. Transact developed the fraud management system proactive. proactive works before a transaction starts to thwart criminal ideas, strategies, and attacks, enabling online merchants to keep the risk of loss of goods or services extremely low and avoid chargebacks. To provide the right prevention solution for every business, we offer merchants three effective packages: proactive Basic, proactive Advanced, and proactive Premium. Our key services include: Real-time monitoring of transactions for active fraud prevention Near-time transaction analysis to detect fraud patterns Customer-specific consulting and services proactive delivers added value for small and mid-sized companies, major chains, and international online stores, reducing both the incidence of fraud and the associated costs. For information about our fraud management system proactive, please call us: Tel. +49 228 5500 5811 We will be happy to send you a free copy of the proactive brochure and flyer. You can also view or download them as PDF documents at www.postransact.com/security/proactive/ downloads/ spot the fake Prevention is our mission. proactive next-generation fraud management to combat fraud and enable success. Postbank P.O.S. Transact

16 Service Example of a single account statement If you have any questions about your account statement, please call our service team on Tel.: +49 228 5500 5811 Fax: +49 228 5500 5822 Or write to us at: Postbank Service Kartenakzeptanz 90314 Nürnberg Germany Your account statement Unless otherwise agreed, you will receive a account statement for all transactions submitted during the billing period. It is clearly laid out to help you make optimum use of the itemized information it contains. Our aim is to provide you with as much information as possible so you can monitor your card transactions easily. Here we explain part of a single account statement. Unless otherwise requested, we provide standard account statements. This contains the submitted collective numbers and corresponding transaction details, in chronological order. After the list of collective numbers and individual transactions, additional information is listed, for example the monthly basic fee, VAT, or merchant refunds. Finally there is a summary of all billing details and the total billing amount. Check all account statements from Postbank to make sure they are correct and complete. Any errors or omissions in an account statement must be reported within six weeks of receipt. You may also request to have the account statement corrected after this deadline expires, but you must prove that the account statement was incomplete or incorrect. Key 1) The barcodes help us process your account statement internally. 2) Unique reference numbers identify individual transactions. They may be numerical only or alphanumerical. 3) Invoice numbers are not issued consecutively but according to a calculated value. 4) The collective numbers are separated by card type (VISA / MasterCard). 5) Individual transactions are listed by card number (with part of the number replaced by XXX). 6) A chargeback is triggered by a complaint relating to an entry and is listed in the additional information. 7) This box contains the aggregation of the statement in EUR. 8) Other fees include chargeback fees charged to the merchant. 9) Other entries relate to transactions not specifically listed in the statement (e.g. refunds, costs, supplementary VAT payments, merchant refunds). Detailed information about other fees and other entries can be found in section 6, Additional information.

Service 17

18 Service Example of a collective account statement Your account statement By separate agreement we can also provide collective account statements. This is recommended for merchants with a very high volume of transactions for a billing period, as it is much simpler than single account statements. Unlike a single account statement, it only lists the transaction data of individual collective numbers, in chronological order. The additional information shows, for example, a list of chargebacks within the billing period. The summary at the end shows the balance of the individual totals and the final billing amount. Check all account statements from Postbank to make sure they are correct and complete. Any errors or omissions in an account statement must be reported within six weeks of receipt. You may also request to have the account statement corrected after this deadline expires, but you must prove that the account statement was incomplete or incorrect. Key 1) The barcodes help us process your account statement internally. 2) The account statement number is the customer number. This is based on the merchant numbers for VISA and MasterCard. 3) Invoice numbers are not issued consecutively but according to a calculated value. 4) The collective numbers are separated by card type (VISA / MasterCard). 5) In collective account statements, transactions are grouped by day. They are also grouped into VISA and MasterCard transactions. 6) A chargeback is triggered by a complaint relating to an entry and is listed in the additional information. 7) This box contains the aggregation of the statement in EUR. 8) Other fees include chargeback fees charged to the merchant. 9) Other entries relate to transactions not specifically listed in the statement (e.g. refunds, costs, supplementary VAT payments, merchant refunds). Detailed information about other fees and other entries can be found in section 6, Additional information.

Service 19

20 Service What else do I need to know about card acceptance? What do I need to know about account statements? What should I do about a change of address? On the next few pages we explain everything you need to know for your own internal processing. Check all account statements from Postbank to make sure they are correct and complete. Any errors or omissions in an account statement must be reported within six weeks of receipt. Account statements Unless otherwise agreed, we will send you an account statement for all transactions in one billing period. This statement is clearly laid out to help you make optimum use of the itemized information it contains. Our aim is to provide you with as much information as possible so you can monitor your card transactions and perform business analyses easily. You may also request to have the account statement corrected after this deadline expires, but you must prove that the account statement was incomplete or incorrect. Changes to master data It is very important that you notify us of key changes to your business, especially: Changes to your bank details If your bank details change, contact our service team immediately. You may be faced with considerable delays in the settlement of your statement. Please send us confirmation of the changes to your bank details - a standard form is available for this. Please contact us for a form.

Service 21 Change of address Please notify us of a change of address immediately and send us confirmation of your new address - a standard form is available for this purpose. Please contact us for a form. Change of business When you sign an acceptance agreement with Postbank, you provide us with a description of the goods and services you offer. This information, as well as your estimated average turnover, are essential to the ongoing risk assessments we perform on a regular basis. So it is essential that you notify us in writing of any changes to the nature of your business, such as changes to the range of products or services you offer, or expansion into another line of business. If you fail to do this, your transactions will be delayed until we have completed our investigations and the new risk assessment. Changes to contractual relationship / change of owner Your acceptance agreement with Postbank is not transferable under any circumstances. If you sell or close your business, please notify us in writing. If the buyer of your business wants to benefit from the "Postbank Service Agreement for Card Acceptance", a new agreement must be signed. If you neglect to notify us that you are no longer the business owner, you will continue to be liable for all obligations generated by the new owner. You are obliged to notify us in writing if the legal form of your business changes, for example from a retail trader to a limited liability corporation, if you take on a new partner, or if a partner leaves the business. Changes to the acceptance agreement If you wish to change your card acceptance facility, even if you want to use your card acceptance facility for distance selling, you must first agree this with Postbank. Contacting us The foremost priority of the Postbank Card Acceptance Service is to provide you with the best possible customer service. If you have a problem, do not hesitate to contact us and we will endeavor to find a solution. In the majority of cases we are able to fully resolve the issue. When you call, please provide us with the following information: Your name and address Full details of the problem Your contractual partner number (for security reasons please do not send this information by e-mail) The remedy you require from us Copies of all documents relating to the problem (please retain the originals) We will make a note of the issue immediately and stay in touch with you until it has been fully resolved.

22 Service Glossary of key terms Expert answers to your questions Our dedicated and experienced team of experts help merchants to process card payments online, by phone or by fax professionally and securely. As well as providing technical and administrative support, they can also assist with any problems that arise in the course of business. We will also be happy to tell you about other card acceptance products we offer. Acquirer A contracting compagny licensed by a credit card organization, which is the first point of contact for other merchants if they want to start accepting card payments. Only an acquirer will provide you with a merchant number, which you need for card acceptance. Approval request The merchant may accept a transaction up to a defined amount without first seeking approval from the issuer. If the amount exceeds this limit, the merchant is obliged to submit an approval request. Authorization The message issued by Postbank on request from a merchant, conveying the information that a transaction involving a particular amount is possible with a particular credit card. Card holder The person in whose name a credit card is issued. Card verification code The three- or four-digit number printed on the card in addition to the card number (see CVC-2/CVV-2). Chargeback Reverse debit of a payment amount Credit cards All credit and debit cards issued according to the terms of credit card organizations and other payment instruments expressly included in the acceptance agreement whereby the user issues an instruction to debit his/her account instead of paying by cash. The term credit card is normally used to refer to a charge card, where all transactions are accumulated over a month and then billed together (unlike a real credit card, where only an agreed partial amount is billed at the end of the month). Credit card acceptance agreement The credit card acceptance agreement, also referred to as the merchant agreement, is an agreement between the merchant and the acquirer. When the agreement is signed the merchant is given a merchant number. Credit card data The credit card number, the expiry date, and the payment amount. In the case of distance selling transactions it also includes the card verification code and, if required by Postbank for the scenario in question, the name and address of the card holder. Credit card issuer The bank or company which issues a credit card. Credit card organizations Organizations such as VISA Europe and MasterCard Inc., which operate payment systems and issue licenses to credit card companies and acquirers in relation to the credit cards covered by an acceptance agreement. CVC-2/CVV-2 Card Verification Code / Card Verification Value. With VISA and MasterCard, this is the three-digit number printed on the signature strip on the back of the card.

Service 23 Debit card A debit card is a payment card which allows a transaction amount to be debited immediately from the card holder's account. It does not use credit, but allows cashless payment anywhere in the world. Distance selling Contracts for goods and services where credit card details are transmitted over the Internet, by mail, by fax or over the phone, even if there is no distance selling contract as defined in Section 312 b of the German Civil Code. E-commerce Business transaction where the sale takes place online and the credit card details are sent over the Internet. EDDA Electronic direct debit authorization Electronic transmission The method by which the merchant and Postbank electronically communicate for the purpose of processing card sales and which has been expressly approved and specified by Postbank for use by the merchant. girocard girocard is the generic, neutral framework of the German credit services sector for two debit payment systems: electronic cash at the point of sale and the German ATM system. It guarantees the secure and simple use of debit cards (previously also known as ec cards) by means of a PIN. The European credit services sector is currently working to implement a Single Euro Payments Area or SEPA. The purpose of SEPA is to enable all citizens to use payment services anywhere in the eurozone under the same terms as in their country of residence. The name girocard and the logo were introduced by the German credit services sector in 2007. girocard is primarily intended to facilitate the international acceptance of German debit cards in the course of creating a standard logo for the SEPA zone. Goods and services The goods and/or services to be provided by the merchant and paid for by credit card. Limit (or floor limit) The maximum amount, agreed with Postbank, which the merchant can charge to a customer's card without authorization. Mail order / MOTO Method of distance selling where credit card details are communicated by mail, fax or phone. Merchant number Number used to identify the credit card acceptance agreement between the merchant and the acquirer. Retrieval request Request for information about a transaction, made by the card holder or the card-issuing bank. Transaction submission Request for payment sent to Postbank by the merchant. This is request is made by submitting data records to Postbank in accordance with the terms of the acceptance agreement. Call us - we will be happy to help If you require more information about the topics covered in this brochure, or want to find out more about card acceptance and distance selling, do not hesitate to contact us. Card acceptance service line Approval service for approval inquiries relating to credit card acceptance Tel.: +49 228 5500 5811 Fax: +49 228 5500 5822 kreditkarten@postransact.de www.postransact.com Disclaimer Please note that this document has been produced with the greatest care and using careful research, and is for general information purposes. However, we can accept no liability for the content of this document. Only contractual agreements between Postbank and its contractual partners shall be definitive.

Postbank Service Kartenakzeptanz 90314 Nürnberg Germany Tel.: +49 228 5500 5811 Fax: +49 228 5500 5822 kreditkarten@postransact.de www.postransact.com Postbank P.O.S. Transact GmbH Frankfurter Strasse 71-75 D-65760 Eschborn Postbank P.O.S. Transact 100 % chlorine-free bleached pulp POS 201-063-2013 Valid at: June 2013