INTERAC Online Merchant Guide




This Guide is provided as a general reference tool only. Acxsys Corporation (Acxsys) and its affiliated and related companies make no warranties, express or implied, in this Guide. Acxsys will endeavour to keep this Guide as up to date as possible. However, all information contained in this Guide is subject to change. Please contact relationship.management@interac.ca for up to date information.

Table of Contents

1. Overview
   1.1 Background
   1.2 Purpose of the Document
   1.3 Who Uses INTERAC Online
   1.4 Associated Fees
   1.5 Limits
   1.6 Implementation Considerations
2. Why Should I Offer INTERAC Online
   2.1 Merchant Benefits
   2.2 Customer Benefits
3. How It Works
   3.1 INTERAC Online Comprehensive Overview
4. How Can I Implement INTERAC Online
   4.1 Implementation Overview
   4.2 Selecting a Processor - Step 1
   4.3 Integration - Step 2
   4.4 Testing and Certification - Step 3
5. Hosted Solution
   5.1 Hosted Solution
   5.2 Definition of a Hosted Solution
   5.3 Benefits of the Hosted Solution
   5.4 What Types of Merchants Opt for a Hosted Solution?
   5.5 How do I Get Started?
   5.6 Integration: Two options
6. Custom Solution
   6.1 Definition of a Custom Solution
   6.2 What Types of Merchants opt for a Custom Solution
   6.3 The Three Basic Steps
   6.4 A Technical Perspective
7. Shopping Cart Selection
   7.1 How It Works With Your Solution
   7.2 Shopping Cart Options
   7.3 General Shopping Cart Considerations
8. Appendix
   8.1 General Implementation Considerations
   8.2 INTERAC Online Participants
   8.3 Merchant Checklist

1. Overview

1.1 Background

We offer a unique online payment service called INTERAC Online. The INTERAC Online service extends the use of conventional debit payments to online stores as a payment option for online shoppers. Given that many online merchants currently only offer credit cards as a payment option, the INTERAC Online service fills a gap in the payment industry by offering merchants and Canadian consumers a secure alternative payment option for online shopping.

But what really differentiates INTERAC Online as a payment option? There are four key features that distinguish it from other online payment methods:

- No personal banking information is shared with the merchant, allowing customers to maintain privacy and security of their banking information. This reduces claims of fraudulent transactions and chargebacks.
- Authorization of an INTERAC Online transaction is controlled by the customer through online banking.
- Funds are debited directly from the customer's chosen bank account via the bank's secure network.
- Guaranteed funds for a merchant once the transaction is approved.

1.2 Purpose of the Document

The purpose of this document is to provide merchants with an end-to-end guide on how to offer INTERAC Online to their customers. This guide highlights the merchant benefits of offering the INTERAC Online service and how to choose the best implementation option for your business needs.

1.3 Who Uses INTERAC Online

Merchants

INTERAC Online is accepted by hundreds of merchants large and small, across various industries. Many major online merchants already accept INTERAC Online, and many more have begun the implementation process. In recent years, INTERAC Online transaction volumes have grown enormously, driven by a combination of new merchants entering the e-commerce space and increasing demands by customers for existing merchants to offer INTERAC Online.

There isn't just one type of merchant that offers the service. Registered merchants come from a wide variety of industry segments, from apparel, electronics, and books, to event tickets, provincial lotteries, and charities. Also, major universities accept tuition payments using INTERAC Online, as well as some government departments for taxes and other payments. Foreign merchants can also offer INTERAC Online, as long as they meet compliance standards and provide checkout prices in Canadian currency. For a complete list of participating merchants, please refer to www.interaconline.ca.

Financial Institutions

INTERAC Online is supported by a number of major banks in Canada. These financial institutions offer their customers the ability to choose INTERAC Online payments through online banking. Financial institutions authenticate the customer, communicate and confirm transactions with acquirers, and settle funds. As a merchant, you won't need to deal with these financial institutions directly. For a complete list of participating financial institutions, please refer to www.interaconline.ca.

Acquirers

INTERAC Online is also supported by a number of major acquirers. Acquirers enable merchants to offer INTERAC Online as a payment choice, by communicating with financial institutions across secure networks, and settling your funds. As a merchant, you might deal directly with an Acquirer, or you might deal with a Third Party Service Provider. For a complete list of participating Acquirers, please refer to www.interaconline.ca.

Third Party Service Providers

There are also a number of third party payments service providers that support INTERAC Online and have relationships with Acquirers. In many cases, you will deal with a third party service provider, rather than an Acquirer directly. For a complete list of participating processors, please refer to www.interaconline.ca.

Customers

In order to use INTERAC Online, a customer must be registered for online banking at a participating financial institution. In the event a customer decides to pay through INTERAC Online but does not have access to online banking at one of the participating financial institutions, the customer will simply be re-directed back to the merchant site in order to select an alternative payment method. For future purchases, the customer can register for online banking at a participating financial institution. Currently, foreign customers cannot use the service unless they have an online banking account at one of the participating Canadian financial institutions.

1.4 Associated Fees

Since fees to online merchants are set by the processors who offer INTERAC Online, it is best to have discussions with them to obtain a better estimate of associated fees. It is important to note that, as a rule of thumb, fees associated with INTERAC Online are lower than credit card associated fees. For information on INTERAC Online service fees, please refer to www.interaconline.ca.

Consumer fees, if any, depend solely on the consumer's financial institution and their banking service plan. Typically, consumers will pay the same fee for an INTERAC Online transaction as they would to use their debit card that carries the INTERAC logo at a retail store, which is often free as long as the number of debits is within the limits of their monthly package.

1.5 Limits

Similar to debit card transactions at physical point of sale, financial institutions impose limits on the size of an INTERAC Online payment. These limits vary considerably depending on the financial institution, but also on the individual customer; $1000 is a typical limit.

1.6 Implementation Considerations

Costs and work effort associated with integrating INTERAC Online are equally variable. Generally, implementation is quite simple, but it depends on the implementation option and a variety of other factors that accompany the choice of an option.

There are two main implementation options: a Hosted solution and a Custom solution. For more details of these solution options, please refer to Sections 5 and 6. Each of these options varies in cost, ease of implementation, time to implement, and user experience. Table 1.61 provides an overview of these factors across the two options to provide you with a better estimate of what you can expect.

Table 1.61: Cost, Ease, Time and User Experience across the Two Solution Options

Hosted Solution
- Cost: Implementation: Low to Medium. Post Implementation: High. Key Drivers: Cost of solution provider, fully vs. partially Hosted, transaction fees.
- Ease of Implementation: Turnkey. Key Drivers: Vendor's ability to integrate, vendor certification status.
- Time to Implement: Minimal (days). Key Drivers: The selected solution provider, level of website customization.
- User Experience: Basic. Key Drivers: Limited ability to seamlessly customize payment page, design constraints.

Custom Solution
- Cost: Implementation: High. Post Implementation: Low. Key Drivers: Cost of solution provider, testing and certification costs, development time.
- Ease of Implementation: Development required. Key Drivers: Existing website complexity, technical expertise and experience.
- Time to Implement: Long (weeks to months). Key Drivers: Resources, existing website complexity, level of integration, certification time.
- User Experience: Superior. Key Drivers: Full flexibility, seamless payment pages.

2. Why Should I Offer INTERAC Online

2.1 Merchant Benefits

Merchant benefits fall into three groups: Financial, Customer (fulfilling customer needs), and Ease of Implementation.

Financial

Guarantee of funds
- The customer's financial institution is responsible for authenticating his/her customer
- The financial institution guarantees the funds and ensures the customer's funds are available

The cost effective alternative
- No authentication costs: the financial institution authenticates the customer
- Competitive merchant fees, typically lower than credit
- No chargebacks (if merchant fulfills commitment)

Limited fraud
- The financial institution is responsible for consumer-side fraud

Customer

Addresses internet security concerns
- Canadian consumers buying online want a debit-like payment alternative
- Canadians trust the INTERAC brand and their financial institutions

Attracts new customers
- Customers concerned with privacy (sharing financial information online)
- Customers unable to obtain credit, e.g. youth
- New customers looking for new alternatives
- Existing customers who use INTERAC everyday

Improves perceptions of merchant
- Consumers are more likely to perceive a merchant offering the service as more innovative, secure, and flexible

Ease of Implementation

A proven and reliable process
- The service leverages existing proven payment processes
- Ability to engage a third party payment service provider makes integration easy

INTERAC Online is here to stay
- The service is being delivered by Acxsys Corporation with the support and backing of its shareholders, eight of the largest financial institutions in the country

2.2 Customer Benefits

Customer benefits fall into three groups: Security and Privacy, Familiarity and Freedom, and Ease of Use.

Security and Privacy

INTERAC Online is secure
- The payment to the merchant is completed through the financial institution customers know and trust

Customer privacy is protected
- Customers do not need to provide any financial details, card numbers, or login information to the online merchant

Familiarity and Freedom

Customers are familiar with the INTERAC brand
- Web banking screens and the INTERAC logo are elements of familiarity, which increases consumer confidence, acceptance, and sense of security and safety

Freedom of payment choice
- Freedom of choice is a key emotional driver for customers to use INTERAC Online
- For consumers who do not qualify for a credit card, it simplifies purchasing online

Ease of Use

Easy to use
- Because the payment is conducted through the online banking channel the customer is already familiar with, using INTERAC Online is easy: customers are familiar with it and don't need to create any new passwords or accounts

Convenient
- Customers now have an alternative payment option to credit cards or PayPal
- Customers unable to use credit cards (youth, people unable to obtain cards)
- Customers who prefer to use INTERAC services everyday can now use similar services online

Debt control
- INTERAC Online helps you better manage your finances: customers aren't worried about spending more than what they have in their bank account

3. How It Works

3.1 INTERAC Online Comprehensive Overview

Selecting a payment option should never be a difficult and confusing process for the customer and using INTERAC Online is especially easy and secure. In this section we will go over a detailed example and provide additional details of what is happening behind the scenes. For many merchants, this description will be sufficient; however, for those implementing a Custom solution, a more detailed explanation will be provided in Section 6.

In Figure 3.11, we take a step-by-step look at the process with an example of a customer purchasing a book at an online bookstore through his/her online bank (123 Bank).

Figure 3.11: Customer experience and back-end processes

Step 1: Deciding to pay by INTERAC Online

The merchant provides an INTERAC Online option, and presents a "learn more" link that lets a consumer learn about this payment option before choosing it. When the customer chooses to pay by INTERAC Online, the merchant re-directs the customer's browser to the Gateway Page (Step 2). During re-direct, the merchant passes key invoice information (amount, merchant identification, invoice number) as HTTPS form post information. This information passes invisibly to the customer.

Step 2: Selecting a financial institution from the Gateway Page

The Gateway Page, hosted by Acxsys, displays a list of participating financial institutions. The customer selects a financial institution, in this case 123 Bank, and Acxsys performs the re-direct of the customer's browser to the financial institution's Web banking URL, passing the invoice and merchant information as form post information.

Step 3: Online banking login

At the financial institution's (123 Bank's) online banking website, the customer enters his/her login information. 123 Bank authenticates the customer and collects the merchant and invoice information from the form post data. This page will also include a link to cancel and go back to the merchant's website, and may include a link to register for or activate online banking.

Step 4: Invoice Details

The customer is presented with the invoice of their purchase and merchant details, obtained from the form post information. The customer is given the opportunity to either accept or decline the payment. If the customer chooses to accept the payment, they are prompted to select an account from which to pay. If the customer chooses to decline the payment, they are re-directed back to the merchant website to cancel, try again, or select another payment method.

Step 5: Confirm Details

Once the customer approves the payment, the financial institution (123 Bank) presents a confirmation screen to the customer, asking him/her to confirm the details. When the customer confirms the payment, 123 Bank does the following:

1. Guarantees the funds (i.e. by transferring funds from the customer's account into a suspense account, or by placing a hold for the funds to ensure they will be available) for 30 minutes.
2. Generates a unique identifier for this payment.
3. Re-directs the customer's browser automatically back to the Gateway Page, which in turn redirects to the merchant's website, passing key information indicating that the payment was successful, including the unique identifier, in the HTTPS form post.

Step 6: Merchant Re-direct

As part of re-directing the customer's browser back to the merchant's website, the financial institution displays a Web page for 2-3 seconds that lets the customer know that he/she is being logged out of online banking and re-directed to the merchant.

Step 7: Merchant confirmation

The customer is re-directed back to the merchant's Web page. The merchant requests an approval of the funds through its third-party processor or acquirer and, if successful, displays a confirmation screen to the customer and proceeds to fulfill the order. The merchant may display a transition screen while waiting for confirmation of the payment. The confirmation coming from the acquirer originates from the financial institution's communication with the acquirer through the INTERAC network.

The customer successfully purchased a book and received confirmation from the merchant.
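The return leg in Steps 5 to 7, as an added example (not code from Acxsys, the INTERAC Online specifications or any processor): the form post that arrives through the customer's browser is checked against the order stored at Step 1, and the order is fulfilled only after the back-end approval request succeeds. The field names (merchant_id, invoice_number, amount, payment_id), the MerchantCheckout class, the stub processor and all sample values are hypothetical and constructed for illustration; measuring the 30-minute window from receipt of the return post is also an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, List, Set

# Step 5: the bank guarantees the funds for 30 minutes. Assumption: the merchant
# measures this from receipt of the return post (the hold began slightly earlier).
GUARANTEE_WINDOW_SECONDS = 30 * 60
# Hypothetical field names, not those of the INTERAC Online specifications.
RETURN_FIELDS = ("merchant_id", "invoice_number", "amount", "payment_id")


@dataclass
class PendingOrder:
    invoice_number: str
    amount: Decimal
    fulfilled: bool = False


class MerchantCheckout:
    """Records what was sent at Step 1 and validates what comes back at Step 7."""

    def __init__(self, merchant_id: str,
                 request_approval: Callable[[str, str, Decimal], bool],
                 now: Callable[[], float]):
        self.merchant_id = merchant_id
        self.request_approval = request_approval  # back-end call to the processor
        self.now = now
        self.orders: Dict[str, PendingOrder] = {}
        self.used_payment_ids: Set[str] = set()

    def outbound_form(self, invoice_number: str, amount: str) -> Dict[str, str]:
        """Step 1: store the order server-side, then build the form post."""
        order = PendingOrder(invoice_number, Decimal(amount))
        self.orders[invoice_number] = order
        return {"merchant_id": self.merchant_id,
                "invoice_number": invoice_number,
                "amount": str(order.amount)}

    def handle_return(self, form: Dict[str, str], received_at: float) -> str:
        """Step 7: decide whether the order may be fulfilled."""
        missing = [k for k in RETURN_FIELDS if not form.get(k)]
        if missing:
            return "rejected: missing " + ",".join(missing)
        order = self.orders.get(form["invoice_number"])
        if order is None:
            return "rejected: unknown invoice"
        if order.fulfilled:
            return "rejected: invoice already fulfilled"
        try:
            posted_amount = Decimal(form["amount"])
        except InvalidOperation:
            return "rejected: malformed amount"
        # The post travelled through the browser, so compare it with stored values.
        if form["merchant_id"] != self.merchant_id or posted_amount != order.amount:
            return "rejected: does not match stored order"
        if form["payment_id"] in self.used_payment_ids:
            return "rejected: payment identifier reused"
        if self.now() - received_at > GUARANTEE_WINDOW_SECONDS:
            return "rejected: guarantee window expired"
        self.used_payment_ids.add(form["payment_id"])
        # Use the stored invoice and amount, never the posted ones, for approval.
        if not self.request_approval(form["payment_id"], order.invoice_number, order.amount):
            return "declined by processor"
        order.fulfilled = True
        return "fulfilled"


def stub_processor(payment_id: str, invoice_number: str, amount: Decimal) -> bool:
    """Constructed stand-in for the processor: it knows one confirmed payment."""
    return (payment_id, invoice_number, amount) == ("PAY-0001", "INV-1", Decimal("24.99"))


def run_demo() -> List[str]:
    """Feeds constructed return posts through the handler and collects outcomes."""
    clock = {"t": 1000.0}
    shop = MerchantCheckout("M-100", stub_processor, lambda: clock["t"])
    sent1 = shop.outbound_form("INV-1", "24.99")
    sent2 = shop.outbound_form("INV-2", "24.99")
    results = [
        # Amount altered on its way through the browser.
        shop.handle_return({**sent1, "amount": "0.01", "payment_id": "PAY-0001"}, 1000.0),
        # Well-formed post carrying an identifier the processor never confirmed.
        shop.handle_return({**sent1, "payment_id": "PAY-FAKE"}, 1000.0),
        # Genuine return post.
        shop.handle_return({**sent1, "payment_id": "PAY-0001"}, 1000.0),
        # Same identifier presented again for a different invoice.
        shop.handle_return({**sent2, "payment_id": "PAY-0001"}, 1000.0),
    ]
    # A return post that sat in a queue until after the guarantee window.
    clock["t"] = 1000.0 + GUARANTEE_WINDOW_SECONDS + 1
    results.append(shop.handle_return({**sent2, "payment_id": "PAY-0002"}, 1000.0))
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```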

4. How Can I Implement INTERAC Online

4.1 Implementation Overview

Easy as 1, 2, 3

Getting INTERAC Online up and running on your website is simple. There are three major activities, or steps, you need to perform in order to offer INTERAC Online.

The first thing a merchant needs to do is select a processor (acquirer or third party service provider). You may be thinking, "I already have a processor"; in that case, you may already be one step ahead. Merchants who are already registered with a processor for their existing payment options need to discuss if and how their processor can support INTERAC Online functionality. In the event you do not already have a processor, you will have to choose one. In today's payment environment you aren't really a step behind. With lots of processors competing for your business, you have the luxury of selecting one that can meet your business needs, including support of INTERAC Online.

Once you have selected your processor, the second step is to integrate INTERAC Online with your website. The bulk of most INTERAC Online implementations will be spent on this step. You have two options to choose from when deciding to integrate with your website: a Custom solution or a Hosted solution. Each solution should be carefully considered as there are trade-offs between factors such as cost, ease of implementation, and customizability.

Finally, after choosing a method and successfully integrating INTERAC Online with your website, you are just about ready to go live. The third step involves testing the functionality and reliability of your integration and, if necessary, obtaining Acxsys and/or acquirer certification.

Diagram 4.11: Implementation Overview - Three Steps

4.2 Selecting a Processor - Step 1

Selecting a processor is something you should take very seriously. There are various criteria you should take into consideration before making your selection, which should also be taken into account even if you have an existing processor relationship. Before we discuss the criteria, we should first examine your current processor relationship.

Have an existing processor

Merchants who currently offer an online payment service will already have a merchant account with a processor. If this is the case for you, the first thing you will need to do is contact your processor to determine if they offer INTERAC Online.

If your processor supports INTERAC Online, you are well on your way. You will still need to check if your current integration method supports INTERAC Online or whether you will need to make any changes, arrangements, or decisions on how to best integrate INTERAC Online with your website (see Step 2 below).

On the other hand, if your current processor does not support INTERAC Online, you will need to discuss how they can go about offering the service, working with Acxsys to become certified. Alternatively, you may have to change processors or engage a second processor to support your INTERAC Online functionality.

Do not have an existing processor

If you do not currently have an existing processor, you need to choose one and get set up with a merchant account. Choosing a processor is an important decision because your choice can limit your flexibility to offer various payment types in the future. Some processors have exclusive relationships with certain shopping cart solutions and other third-party solution providers, and vice-versa. This is why choosing your processor first is important: you don't want your processor to limit your shopping cart solution options, nor do you want your shopping cart solution to limit your choice of processor.

An important consideration when selecting your processor is to ensure that they are INTERAC Online certified. This is important if you decide to implement INTERAC Online now or want the option to in the future. Your first step is to contact an INTERAC Online certified processor to discuss their offerings, fees, and implementation steps. For a complete list of certified processors, please refer to www.interaconline.ca.

Tips for choosing a processor

Some of the criteria to consider are:

- Exclusive processor relationships with shopping carts
- Price (setup fees, monthly fees, per-transaction fees)
- Ease and speed of obtaining a merchant account
- Ease and speed of implementation on your website

Other Key Processor Considerations

Since your processor works closely with you to ensure you get your funds, you want to select the processor that aligns best with your business and your customers. Choosing the right processor for your business is important, because processors provide a number of key services for the merchant:

- Settlement. Processors leverage their existing relationships with financial institutions and settlement agents to ensure that your payment is prompt and accurate. Settlement terms dictate how you will receive your money (e.g., daily). Depending on your business needs, cash flow can be an important consideration, so your settlement terms are a very important factor.
- Service. You will also want to consider how well the processor has dealt with its merchants in the past. You should make sure the processor has a good reputation with similar sized merchants. In order to implement INTERAC Online you will have to work closely with your processor, so you want to make sure they have a good track record of working well with their merchants.
- Assume liability. The processor typically assumes the liability in a transaction, allowing customers to be reimbursed for purchases if the merchant commits fraud or negligence. It is for this reason processors perform due diligence on merchants before entering in a relationship. Processors may decide to not accept you as a merchant if they aren't satisfied with your risk level.

4.3 Integration - Step 2

Now that you've chosen a processor, you are ready to integrate. There are two main approaches to integrating INTERAC Online with your website. Choosing the right option requires an assessment of your business needs and depends on your level of development expertise and available resources, time constraints, and budget.

Figure 4.31: Integration Options (Hosted Solution, Custom Solution)

The simplest approach to integration is the Hosted Solution, which requires no development expertise since the payment pages of your website or even your entire shopping cart application are hosted by another party (acquirer and/or third party service provider). Although this limits the flexibility for your website and comes with associated costs per transaction, it provides a quick and easy solution.

If you want more flexibility and control, a Custom Solution is the ideal choice. If you have the development expertise and want the flexibility to write your own software to tightly integrate the INTERAC Online payment experience into your website, the Custom Solution provides you with the freedom to do so. This solution may require some more time and resources than the other solutions, but it will provide the highest degree of customization and the flexibility to work with different acquirers. Once your integration is complete, your ongoing costs are less compared to the Hosted Solution, since you aren't paying a third party processor to host your checkout pages.

These two solution approaches are described in more detail in Sections 5 and 6.

Figure 4.32: Hosted and Custom Solution Integration Steps

Hosted Solution
- Processor hosts your payment pages or your entire shopping cart application
- Requires no development expertise
- The simplest approach
- Shopping Cart: Can be used with or without

Custom Solution
- Allows you to tightly integrate INTERAC Online with your website
- Highly customizable
- Requires development expertise
- Shopping Cart: Option to build or buy

4.4 Testing and Certification - Step 3

Test Tools

Acxsys has developed a Merchant Test Tool in order to allow Merchants, Acquirers and third-party vendors to test INTERAC Online in a test environment hosted by Acxsys. The INTERAC Online Merchant Test Tool simulates the behavior of the Gateway page and the Issuer's online banking application. It accepts form posts from the Merchant web site application being tested, and sends response form posts back to that application.

The Test Tool can be used to perform two kinds of tests:

- User-defined tests, in which the tester can input the form post data to be returned to the Merchant.
- Certification tests, which are a set of pre-defined test cases that must be tested successfully before a Merchant or third-party vendor can obtain Certification. For these tests, the Issuer Response is pre-defined by Acxsys.

Certification

You are almost on your way to offering INTERAC Online; all you need to do now is get certified. The type of certification you will need depends on your choice of integration solution. When choosing a Hosted Solution, you will likely not need to undergo any certification. This section deals primarily with the certification for Custom Solutions.

In every INTERAC Online transaction the merchant has two major roles from a technical perspective, which may require certification with Acxsys and/or your acquirer.

The two roles the merchant must fulfill are often split into what are commonly called the front-end and the back-end of a transaction. The front-end involves transmitting the required form fields to the Acxsys Gateway page and the back-end involves communicating and verifying the outcome of the transaction with your acquirer. Both the front-end and back-end require that you satisfy certain requirements before you can be certified as a merchant. Let's first take a look at what is involved with each type of certification.

Front-End Acxsys Certification

Front-end certification ensures that the process to communicate with the Acxsys Gateway is fully functional. By choosing to go with a third party vendor (i.e., a Hosted Solution), you will not be required to undergo any front-end certification. Your third party vendor will likely have already completed certification with Acxsys. You may be required to undergo some form of basic certification with your third party vendor, with regards to your integration with them.

On the other hand, if you choose to go with a Custom Solution, you will be required to perform front-end certification. There is one exception to performing front-end certification testing, which depends on your shopping cart. If your shopping cart has already been certified with Acxsys for the front-end of the INTERAC Online transaction, then as a merchant, you will not be required to undergo front-end Acxsys certification.

Back-End Acquirer Certification

The level of certification required for the back-end also differs and depends mainly on your use of a third party vendor. Since back-end certification involves the communication with the acquirer to confirm the transaction, third party service providers with existing relationships with acquirers have already gone through the back-end certification process. Thus, by going with a Hosted Solution, you as a merchant will probably not be required to do back-end certification with your acquirer.

On the other hand, if you choose to go with a Custom Solution, regardless of your current shopping cart, you will need to undergo back-end certification with your acquirer. Each acquirer will have their own requirements for certification and you will need to work with them directly to fulfill these requirements. The remainder of this section only refers to Front-End Certification.

Certification Testing

Once your integration of INTERAC Online with your payment page is complete, you need to work with your acquirer and/or processor to test the functionality and compliance of your integration. In a general sense, certification testing is the process that a certification candidate follows to ensure that:

- The system adheres to the INTERAC Online Functional Specifications
- The integrity of INTERAC Online is maintained

It is important to note that certification testing is not a replacement for thorough testing of each software component by the merchant and their acquirer and/or processor. For example, certification testing does not cover internal processing within a merchant's system; nor does it include stress testing of large volumes or high loads.

5. Hosted Solution

5.1 Hosted Solution

If quick and easy are the most important integration factors for you, then the Hosted Solution is likely your best option. There is no single type of Hosted Solution, since the approach to each solution can vary greatly. Because many processors provide their own approach to a Hosted Solution, there is a lot of variation, making it difficult to provide a single accurate description of how a Hosted Solution will integrate with your website. This section will serve as an overview of what you can expect at a high level and put you in a position to better understand what each acquirer and/or third-party service provider can offer.

5.2 Definition of a Hosted Solution

Essentially, a Hosted Solution allows an acquirer or third-party vendor to host the payments form page of your website on their servers. Merchants who opt for a Hosted Solution can have one integrated payment page that can be used for INTERAC Online and other payment options as well. Typically, Hosted Solutions have completed certification with Acxsys and will perform the bulk of the integration with INTERAC Online.

5.3 Benefits of the Hosted Solution

Compared to a Custom Solution, the Hosted Solution allows merchants to take a hands-off approach, letting the vendor take care of almost everything. Hosted payment pages reduce or eliminate merchant exposure to cardholder data, and vendors are responsible for SSL security considerations.

Hosted Solutions that support INTERAC Online functionality will be responsible for the integration with Acxsys, eliminating the need for the merchant to perform the integration. This avoids significant development costs. Because the INTERAC Online processing is done through a hosted payment page which is already certified for INTERAC Online, INTERAC has waived the certification requirements for any merchants that wish to offer it in conjunction with a Hosted checkout. This eliminates potentially expensive deployment costs, as well as time and effort to get certified.

The vendor also performs maintenance of the payment page, and once integrated, allows you to easily add other processing options. Having the luxury of adding on other processing options will allow you to keep up with payment trends.

Hosted Solutions are often very customizable, with the ability to tailor payment pages according to merchant user interface requirements. Colors, logos, and wording can be sent to vendors in HTML format, allowing the customer to have a similar user interface experience during payment as when they are shopping on the merchant site.

Many vendors include other configuration options. Some common ones include:

- Enabling specific payment types (i.e., Credit Card or INTERAC Online only, or both)
- Only requires basic knowledge of HTML to integrate
- Transaction results returned to your website for post-processing
- Can be configured to automatically e-mail transaction receipts to you and/or your customers, and those e-mails can be customized

5.4 What Types of Merchants Opt for a Hosted Solution?

Now that you understand the benefits a Hosted Solution has to offer, why doesn't every merchant go with a Hosted Solution? In reality, the benefits of a Hosted Solution depend largely on your merchant profile, your capabilities, and your existing e-commerce offering. In general, a Hosted Solution is best suited for merchants who:

- Have little to no experience in programming
- Have an existing website or intend to create their own website
- Are not familiar with SSL security or do not wish to be responsible for maintaining SSL security
- Want to offer the INTERAC Online solution quickly and easily

5.5 How do I get started?

The first step in setting up a Hosted checkout is to choose a processor or a third party to host your payment page. The best approach is to talk to as many vendors as possible. When speaking with potential vendors, they will look at your current website and business, allowing them to provide you with a very detailed estimate of what will be involved and the associated costs.

If you are looking to implement INTERAC Online, it is easier to start your vendor search by searching for ones that already offer INTERAC Online and that have the ability to integrate with your current shopping cart, if you have one. We will discuss more about shopping cart considerations in Section 7.

Once you have selected your vendor, they will create a demo payment page for you, allowing you to view and test it before you take it live. You will also need to obtain a production account with your vendor. Once a production account is set up, developers can simply configure a live payment page and swap its values with the demo credentials in the code.

5.6 Integration: Two options

There are two basic ways to integrate a Hosted checkout solution into a merchant website: with a shopping cart or without a shopping cart. Let's take a closer look at the two scenarios.

With a Shopping Cart - If you already have a shopping cart, there are probably quite a few Hosted Solutions that support it. Hosted payment checkouts are typically coded to connect with shopping carts that follow certain authorization standards (e.g., Authorize.NET SIM) and that have also been tested and confirmed to work. If your shopping cart doesn't follow the standards required by the Hosted solution of your chosen vendor, you should still discuss your options on how to make this work with your vendor. Once you have confirmed compatibility, integration should be straightforward. Here are common steps that are required for integration:

- Rename certain files in the cart software
- Insert certain variables from the Payment Page configuration in the shopping cart configuration

Having an existing shopping cart that is compatible with your Hosted solution makes integration very easy, and that is why choosing your acquirer and shopping cart together is very important.

Without a Shopping Cart - A shopping cart isn't a necessary component for the Hosted solution. Because developers can integrate code directly into an HTML page, stand-alone shopping cart software is not mandatory. Form code, which is coded directly into your HTML page, can be written in a variety of languages, including Ruby, Perl, PHP, and ColdFusion.

6. Custom Solution

If you want customizability and flexibility, then the Custom Solution is the way to go. Keep in mind that some of the detailed technical and infrastructural components of the integration will depend on your processor (acquirer or third party service provider).

6.1 Definition of a Custom Solution

TIP: Try using INTERAC Online at a few different merchant sites, to see what you like or don't like about how they have integrated INTERAC Online into their checkout process.

A Custom Solution is an approach to integration that involves developing and hosting your own website, payment page, and potentially your own shopping cart. This solution means that you will be responsible for configuring your payment page from your e-commerce website to communicate properly with the INTERAC Online Gateway Page. You will also need to develop a link with your processor, which is required to confirm the success of each transaction.

The Custom Solution allows you to tightly and seamlessly integrate INTERAC Online to your website's payment page, giving you the ability to control the payment experience for your customers. Although there are many benefits and options in choosing to fully integrate INTERAC Online with your own website, this approach requires development competence, a little more time than the other methods, and certification. The contents of this section will provide you with guidance on how to approach your integration as simply as possible and achieve the best results.

6.2 What Types of Merchants Opt for a Custom Solution

Since the Custom Solution requires development expertise, time, money, and an existing website, merchants with the resources to handle a Custom Solution tend to choose this option. In general, the following types of merchants tend to opt for a Custom Solution:

- Merchants who want more control over their online store
- Merchants not comfortable sharing information with or depending on a third party processor
- Merchants who have high volume sales and/or high transaction values and wish to avoid third party service provider transaction fees

6.3 The Three Basic Steps

The Custom Solution is fairly straightforward: there are three basic steps you as a merchant must facilitate to successfully provide INTERAC Online as a payment option. Before we go into the details of your responsibility in facilitating these three steps, let's take a look at what they are:

1. Re-direct the consumer from your check-out page to the INTERAC Online Gateway Page
2. Accept a re-direct from the financial institution's page, to either a Funded URL (successful) or Not Funded URL (unsuccessful)
3. Send a request to your processor for confirmation, if the re-direct was Funded

Now that you have a better idea of what to expect, let's take a closer look at each of the three steps.

Re-direct to the Gateway Page - Step 1

When a consumer selects the INTERAC Online payment option to purchase their good or service, the first step is to re-direct them from your merchant website to the INTERAC Online Gateway Page, where the customer selects the financial institution they wish to pay from. During this re-direct, you must issue a form post to properly relay the required information to the INTERAC Online Gateway Page. The form post serves as a medium to pass required information to the financial institution. There's also a security check here against listed referral URLs to ensure that you are truly a registered merchant.

The form post can be handled in various ways. Two common options include:

1. Form post embedded in the checkout page. This option contains an HTML form element that includes the necessary fields with the information to be passed. When the customer clicks on the pay by INTERAC Online button, the form post will be invoked and the customer will be re-directed to the INTERAC Online Gateway Page.
2. Form post as part of a Serve up page. When the customer selects INTERAC Online, a Serve up page is provided, which contains a form with the necessary data in hidden fields. This option uses JavaScript to immediately submit the form to the Gateway Page. The customer is not required to click on any links using this option.

With either option being merely technical preference, there are required form fields that must be filled in order for a successful INTERAC Online payment transaction. Table 6.31 describes these form fields and how they should be used.

If the transaction doesn't go through, the customer will be sent to a Non Funded URL. See Step 2.

Table 6.31: Summary of the fields required for the re-direction

Field Name in HTTPS POST: Description

- IDEBIT_MERCHNUM: This is your own merchant number, provided to you by your processor.
- IDEBIT_AMOUNT: This is the amount of the transaction, in cents. For example, $13.25 would be represented by 1325.
- IDEBIT_INVOICE: This field is used to identify this particular purchase. Generally this should be an invoice number or an order number. It will be displayed to the user in online banking as a reference number, so we encourage you to use something meaningful. (It could be, for example, part of the customer's name appended to a date, or some such.) This field is also returned to you in the re-direct back to your site, so you can use it to identify (or double check) which purchase is being paid for.
- IDEBIT_MERCHDATA: This is optional proprietary merchant data sent to the financial institution and received in the response unchanged. It is not used or displayed to the consumer.
- IDEBIT_FUNDEDURL: This one is important and is easy to get wrong. This is the URL the customer will come back to after authorizing the payment. You must provide a list of all the possible URLs you would ever use in this field to your processor. If anyone tries to re-direct to the Gateway Page but the contents of this field don't match one of the URLs already registered for you by your processor, the transaction won't go through.
- IDEBIT_NOTFUNDEDURL: This one is also important: it is where the financial institution will send the customer back to if for any reason the payment was not successfully authorized. Note that this one also needs to match one of the URLs you provided to your processor.
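One way to assemble the Step 1 form post as a "Serve up" page, shown as an added Python example rather than code from this guide or from Acxsys. The gateway address, merchant number and registered URLs are placeholders, and exact-string matching of the return URLs and the function names are assumptions made for illustration.

```python
from decimal import Decimal
from html import escape

# Placeholders constructed for this example; real values come from your processor.
GATEWAY_URL = "https://gateway.invalid/placeholder"
FUNDED_URL = "https://shop.example/checkout/funded"
NOT_FUNDED_URL = "https://shop.example/checkout/notfunded"
REGISTERED_URLS = frozenset({FUNDED_URL, NOT_FUNDED_URL})


def to_cents(amount) -> int:
    """Convert a dollar amount (str, int or Decimal) to integer cents.

    Floats are refused because binary rounding silently loses a cent:
    int(4.35 * 100) evaluates to 434, not 435.
    """
    if isinstance(amount, float):
        raise TypeError("pass the amount as str or Decimal, not float")
    value = Decimal(amount)
    if not value.is_finite():
        raise ValueError("amount must be a finite number")
    cents = value * 100
    if cents != cents.to_integral_value() or cents <= 0:
        raise ValueError("amount must be a positive whole number of cents")
    return int(cents)


def build_gateway_fields(merchant_num, amount, invoice,
                         funded_url, not_funded_url, merch_data=None):
    """Return the IDEBIT_* fields for the form post to the Gateway Page."""
    # Assumption: the return URLs must equal a registered URL exactly.
    for url in (funded_url, not_funded_url):
        if url not in REGISTERED_URLS:
            raise ValueError(f"return URL is not registered: {url!r}")
    if not invoice:
        raise ValueError("IDEBIT_INVOICE must identify the purchase")
    fields = {
        "IDEBIT_MERCHNUM": merchant_num,
        "IDEBIT_AMOUNT": str(to_cents(amount)),
        "IDEBIT_INVOICE": invoice,
        "IDEBIT_FUNDEDURL": funded_url,
        "IDEBIT_NOTFUNDEDURL": not_funded_url,
    }
    if merch_data:  # optional field, omitted when unused
        fields["IDEBIT_MERCHDATA"] = merch_data
    return fields


def render_serve_up_page(fields, gateway_url=GATEWAY_URL) -> str:
    """Render hidden form fields that JavaScript submits immediately."""
    # Every name and value is HTML-escaped so order data cannot break out
    # of the attribute and inject markup into the page.
    inputs = "\n".join(
        f'  <input type="hidden" name="{escape(name, quote=True)}" '
        f'value="{escape(value, quote=True)}">'
        for name, value in fields.items()
    )
    return (
        "<!DOCTYPE html>\n<html><body>\n"
        f'<form id="io" method="post" action="{escape(gateway_url, quote=True)}">\n'
        f"{inputs}\n"
        '  <noscript><button type="submit">Pay by INTERAC Online</button></noscript>\n'
        "</form>\n"
        '<script>document.getElementById("io").submit();</script>\n'
        "</body></html>"
    )


if __name__ == "__main__":
    demo = build_gateway_fields("MERCHANT-NUMBER-PLACEHOLDER", "13.25",
                                "ORD-1001", FUNDED_URL, NOT_FUNDED_URL)
    print(render_serve_up_page(demo))
```

Store the integer returned by `to_cents` with the order so that the same value can be sent to the processor in Step 3.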

Accept re-directs to the Funded URL - Step 2

If the customer's payment was successful (i.e., they were authenticated and had funds to complete purchase), you will need to support a landing page which will allow the customer to be re-directed back to your website and await confirmation of the payment. Since we are assuming a successful transaction, you will need a Funded URL landing page. This landing page will receive the successful transaction form post information from the Gateway Page. You may have more than one Funded URL landing page for different types of re-directs, but it will be simpler if you only support one when first starting out.

The re-direction to the Funded URL will contain a form post, so you will need to collect the values contained in the form post fields. Listed below are the field values you will receive.

Table 6.32: Form field values from the form post

Field Name in HTTPS POST: Description

- IDEBIT_TRACK2: Assigned by financial institution. Contains PAN, Expiry Date, and Transaction ID.
- IDEBIT_INVOICE: The merchant may populate this field with a meaningful invoice number. If the field is populated, the financial institution must display the invoice number in online banking.
- IDEBIT_MERCHDATA: Field is optional. The merchant may populate this field if there is useful information that will help identify this Customer / session / invoice when the financial institution re-directs the Customer back to the merchant.
- IDEBIT_ISSNAME: Financial institution's name to be displayed on the merchant's confirmation page. Should be in the language the Customer was using for online banking.
- IDEBIT_ISSCONF: Issuer Confirmation Number from online banking to be displayed on the merchant's confirmation page.

With regards to the integrity of the form post fields, you have to be careful. It is a fine balance between not wanting to reject anything that might possibly be valid, yet rejecting anything that is obviously a rogue request.

The above form field data is collected from the Gateway Page. Once you have received the form field values from the form post, you must check to ensure the contents of these fields are present and valid. This is an important check since the integrity of the contents will help determine if the transaction is legitimate, free of errors, and complete.

The next step is to pick up the transaction that was in process. To retrieve the transaction, the best practice is to use the browser's session ID, which will enable the customer to continue where he or she left off. Many web servers will allow you to do this automatically, so you likely won't have any issues.

Another way to ensure you select the same transaction on your Funded URL page is to use the contents of the IDEBIT_INVOICE field as a unique identifier for this transaction. This can be done in addition to the browser session ID pickup. With either method, it is important to double-check that the IDEBIT_INVOICE field matches the original transaction identifier.

According to the specifications, the contents of the IDEBIT_MERCHDATA field should return exactly as they were sent out in the original re-direct. However, we don't encourage you to use this field, since the combination of session ID and IDEBIT_INVOICE is a more reliable approach to identifying transactions.

Now that you have confirmed the transaction and re-directed the customer back to the Funded URL, you might think you are done. This is not the case. Even though we use the term Funded URL, when a customer lands on the URL page, it does not guarantee that the customer really authorized the transaction. The possibility exists that a hacker or fraudster is attempting to fool you by setting up the fields the way you expect them. This is why Step 3 is important, allowing you to receive confirmation from the processor that the transaction was indeed legitimate.

Accept Re-directs to the Not Funded URL

Before you verify confirmation from the processor, note that you may not always be required to proceed to Step 3. There is still the possibility that the customer gets re-directed to the Not Funded URL. If this is the case, the financial institution will send the customer back to the Not Funded URL, which means that the customer was not able to complete the transaction. In the interests of privacy, you won't have any indication as to why the transaction failed. The only thing you can be certain of is that the customer either clicked on the Cancel or Return to merchant button at some point upon leaving the merchant website. There are several potential reasons for this:

- They don't bank at one of the participating financial institutions
- They aren't registered for online banking
- They didn't have sufficient funds in their account
- They changed their mind regarding method of payment
- They decided they wanted to change their order before paying
- They decided not to purchase your goods or services after all

Whatever the reason, your next step is to take them back to the checkout page so they can try again, use a different payment option, or modify their order. You should provide all possible options to ensure you don't lose that customer.

Request processor confirmation - Step 3: Show me the money

Assuming Step 2 brought the customer to the Funded URL, and you have received and verified the form field values from the form post, you now need to send a request for confirmation to your processor. While you send out the request to the processor, you also need to inform the customer of the status of their transaction.

Since we know the customer was re-directed to the Funded URL, what does the customer really see when they are sent to this page? Well, the Funded URL page doesn't actually confirm that the transaction is complete; rather, it indicates to the customer that the merchant is awaiting confirmation. Thus the Funded URL serves as a page to communicate this status to the customer.

Thus, while the customer is awaiting confirmation, you should be sending off a request to your processor, who will subsequently return confirmation or denial of the payment. Based on the processor's response, you will update the customer on the success of the transaction. It is important to note that each processor has its own method and format for dealing with this confirmation process; they might refer to it as an API call or a web service request.

Regardless of the processor's method, you will likely be receiving confirmation based on the matching of the three form fields you send to the processor: Amount, Track2, and Invoice. The matching of these three fields with the processor will help to confirm that the transaction is legitimate. The way the matching occurs is through the associated values of those fields you obtained in creating the first form field in Step 1 (during the re-direct to the Gateway Page). If the transaction was legitimate, the processor will be able to validate the values of those fields with the financial institution. If the values match identically with the values you send to the processor in Step 3, then you will likely receive a successful transaction confirmation. The processor will verify the three fields with the financial institution in the following manner:

- Amount. They will ensure the transaction amount figure is an exact match compared to the amount information provided by the financial institution. If not, the transaction will be rejected.
- Track2. This is a number that serves as a unique identifier for a particular payment, separate from any other payments. Again, they will match this field to ensure it contains the exact value that you passed in the form fields in Step 1. If there is no match, the financial institution won't be able to locate this particular transaction, and it will be declined.
- Invoice. Although this field isn't matched by the processor today, it may be in the future, so make sure to test and properly utilize this field from day one.

Now that we have a better understanding of which fields get validated by the processor, let's investigate the outcomes of an approval or a decline by the processor.

Approved

The payment transaction is complete: you are guaranteed the funds and you can proceed to ship the goods or provide the service.

TRAP: Some merchants have had rounding errors in their code, which have resulted in unnecessary transaction declines. Make sure the Amount you send to the processor is exactly the same, to the cent, as what you used in the IDEBIT_AMOUNT field you sent to the Gateway Page.

Although you have received confirmation, the customer hasn't. INTERAC Online requirements dictate that you must immediately display a confirmation page to the customer. This is your opportunity to confirm to the consumer that you will be shipping the goods or providing the service. You can also provide confirmation / tracking information as you would with any other method of payment. Because this is an INTERAC Online payment, there are two additional pieces of information that you are required to include on this page:

1. The financial institution's name (from the IDEBIT_ISSNAME field).
2. The financial institution's confirmation number (from the IDEBIT_ISSCONF field).

While the rules are flexible as to what to label these fields, we recommend "financial institution name" and "financial institution confirmation number".

In the magstripe card world, Track 2 data is sensitive data that must not be stored. Track 2 data shares the name, but it isn't the same kind of sensitive data.

Declined

For some reason, the transaction didn't go through even though the customer was initially re-directed to the Funded URL. This is quite rare and you certainly want to pay close attention to any declines. You will need to display some kind of regrets error to the customer, such as "Sorry, your payment was unsuccessful." Then, you should take the customer back to the checkout page, as they may want to try again or attempt another method of payment.

Make sure it is really obvious to the consumer that their transaction failed; remember that the consumer has already confirmed the payment in online banking, so they aren't expecting an error message.

Since declines happen in the back-end, somewhere between the merchant, acquirer and financial institution, the payment has likely already been removed from the customer account. As a merchant you should be aware that the money is held for 30 minutes and will be returned into the customer's account after 30 minutes. This is important to understand in the event the customer asks why his/her money is gone but the payment was unsuccessful.

Now that the customer is informed of the decline, you will need to figure out what went wrong. Occasionally there are some system problems that may cause declines that are beyond your control. For example, a financial institution can have a failure in their online banking systems, meaning they will be temporarily unavailable and you will simply have to wait until they are back online. However, if you are getting a significant number of declines, you should do two things:

1. Make sure you are passing the correct field values you are required to pass. This is easier to do if you save an error log of all the relevant fields, including the form post fields to the Gateway Page, form post fields you received back from the financial institution, fields you sent to your processor in the confirmation request, and fields you received back from your processor.
2. Talk to your processor: let them know you had this problem, and any patterns you see in certain transactions which were declined, e.g., those from a particular financial institution, or during a particular time period.

Other Possible Outcomes

When a transaction fails, best practice would be to allow customers to save their order for a future time.

- Cancel Payment. If the customer chooses to cancel the payment while in online banking, the financial institution re-directs the customer back to the merchant website. The merchant can then offer the customer the choice of a different financial institution or a different payment method.
- Abandoned Cart. If the customer leaves or closes the browser for some reason, the transaction is incomplete. It will remain incomplete unless the customer returns and reattempts their purchase. In the event that the customer does not return, the transaction will remain incomplete, a situation which is unavoidable across any payment option.

If for some reason the purchase is not confirmed by the financial institution within 30 minutes of the initial customer transaction authorization (e.g., in the event of network communication errors during confirmation), then the funds will be returned to the customer's account by the financial institution once those 30 minutes have expired.
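The Step 2 checks and the Step 3 confirmation gate described above, as an added Python example that is not part of the original guide or of any processor's code. The `confirm` callable stands in for your processor's proprietary confirmation request; `PendingOrder`, the status names, the 256-character cap and all sample values are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

REQUIRED_FIELDS = ("IDEBIT_TRACK2", "IDEBIT_INVOICE",
                   "IDEBIT_ISSNAME", "IDEBIT_ISSCONF")
MAX_FIELD_LEN = 256  # assumption: a defensive cap, not a limit from the specification


@dataclass
class PendingOrder:
    """The order held in the customer's session since Step 1."""
    invoice: str        # value sent as IDEBIT_INVOICE
    amount_cents: int   # exact integer sent as IDEBIT_AMOUNT
    status: str = "AWAITING_PAYMENT"
    issuer_name: Optional[str] = None
    issuer_conf: Optional[str] = None


def validate_funded_post(form: Mapping[str, str],
                         order: Optional[PendingOrder]) -> Optional[str]:
    """Return None when the post is acceptable, otherwise the reason it is not."""
    if order is None:
        return "no order in this session"
    if order.status != "AWAITING_PAYMENT":
        return "order is not awaiting payment (repeated post)"
    for name in REQUIRED_FIELDS:
        value = form.get(name, "")
        if not value or len(value) > MAX_FIELD_LEN or not value.isprintable():
            return f"{name} is missing or malformed"
    # The returned invoice must be the one this session sent out in Step 1.
    if not hmac.compare_digest(form["IDEBIT_INVOICE"].encode(),
                               order.invoice.encode()):
        return "invoice does not match the order in this session"
    return None


def handle_funded_post(form: Mapping[str, str],
                       order: Optional[PendingOrder],
                       confirm: Callable[[int, str, str], bool]) -> str:
    """Handle a landing on the Funded URL and return the resulting status.

    Arriving here proves nothing by itself: the order becomes PAID only
    after the processor approves Amount, Track2 and Invoice.
    """
    reason = validate_funded_post(form, order)
    if reason is not None:
        return "REJECTED: " + reason
    order.status = "AWAITING_CONFIRMATION"
    try:
        # Send the stored cents value, never one recomputed from a total,
        # so it equals what was sent in IDEBIT_AMOUNT to the cent.
        approved = confirm(order.amount_cents, form["IDEBIT_TRACK2"], order.invoice)
    except Exception:
        order.status = "CONFIRMATION_ERROR"  # do not fulfill; investigate
        return order.status
    if approved is True:
        # Both values must be shown on the customer's confirmation page.
        order.issuer_name = form["IDEBIT_ISSNAME"]
        order.issuer_conf = form["IDEBIT_ISSCONF"]
        order.status = "PAID"
    else:
        order.status = "DECLINED"
    return order.status


def make_fake_processor(guarantees: Mapping[str, int]):
    """Constructed stand-in: approves only a known Track2 with the exact amount."""
    def confirm(amount_cents: int, track2: str, invoice: str) -> bool:
        return guarantees.get(track2) == amount_cents
    return confirm


# Constructed sample post, as it would arrive at the Funded URL.
SAMPLE_POST = {
    "IDEBIT_TRACK2": "TRACK2-CONSTRUCTED-0001",
    "IDEBIT_INVOICE": "ORD-1001",
    "IDEBIT_ISSNAME": "Example Financial Institution",
    "IDEBIT_ISSCONF": "CONF-CONSTRUCTED-42",
}

if __name__ == "__main__":
    processor = make_fake_processor({"TRACK2-CONSTRUCTED-0001": 1325})
    order = PendingOrder(invoice="ORD-1001", amount_cents=1325)
    print(handle_funded_post(SAMPLE_POST, order, processor))  # genuine post
    forged = dict(SAMPLE_POST, IDEBIT_TRACK2="TRACK2-NEVER-ISSUED")
    order2 = PendingOrder(invoice="ORD-1001", amount_cents=1325)
    print(handle_funded_post(forged, order2, processor))      # well-formed but unfunded
```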

6.4 A Technical Perspective

Now that you have a good grasp of how form posts are used to re-direct customer information and confirm the success or failure of the transaction, Figure 6.41 provides a visual depiction of the transaction flow and the relationship between all the parties and networks involved in an INTERAC Online transaction.

[Figure 6.41: INTERAC Online Transaction Flow. The diagram includes an optional Third-Party Service Provider.]

Step 1. Customer chooses the INTERAC Online option on the merchant website.

Step 2. Merchant re-directs the customer's browser to the Gateway Page (hosted by Acxsys), passing the invoice details via https.

Step 3. The customer picks a financial institution (FI) and Acxsys redirects the customer's browser to that FI's online banking site, passing the merchant and invoice details via https.

Step 4. The financial institution picks up the merchant and invoice details from the https form post. The customer logs in to online banking. Once the customer has selected an account to pay from, the financial institution generates a PAN (unique transaction number), guarantees the funds in the customer's account (4a), saves the transaction data as a funds guarantee (4b), and forwards the customer's web browser to the Gateway, which redirects to the merchant return URL, passing the PAN, transaction number, and the merchant data via https form post (4c).

Step 5. The merchant passes the PAN, transaction number, and original amount to the acquirer, using its proprietary communication channel.

Step 6. The acquirer sends a request for payment confirmation to the financial institution, through the IMN, based on the information passed from the merchant in Step 5.

Step 7. The financial institution compares the request for payment confirmation to the funds guarantee from Step 4b (looking it up by the PAN and transaction number), and sends back either an approval or rejection response to the acquirer, through the IMN. If the payment is approved, the financial institution ensures that the customer's account has been debited and that the transaction is included for settlement with the acquirer.

Step 8. The acquirer relays the financial institution's response to the merchant and the merchant displays the appropriate message to the customer. The merchant should fulfill if, and only if, the payment was approved. Funds are subsequently settled through settlement agents.

7. Shopping Cart Selection

With both the Custom and Hosted Solutions, you have the option of using a shopping cart. An online shopping cart is a software solution which allows online shopping customers to accumulate a list of items for purchase. Upon checkout, the software typically calculates a total for the order, including shipping and handling charges and associated taxes.

7.1 How It Works With Your Solution

With a Custom Solution, you have the option of creating your own shopping cart. This option requires programming expertise, but is typically not very difficult to integrate if you are already developing your own solution. If you do decide to create your own shopping cart, you must make sure that it is able to send form post information to the INTERAC Online Gateway.

A Custom Solution can also be made to work with pre-existing shopping cart software. Some shopping carts are very flexible (i.e., based on open source), making for an easier implementation. You may have to work with the shopping cart vendor to discuss how best to proceed.

With regards to a Hosted Solution, you also have the option of using pre-existing shopping cart software or not using a shopping cart at all. With a Hosted Solution, shopping carts are not mandatory, as developers can integrate the code directly into an HTML page. If you do not want to integrate one directly into an HTML page, there are many shopping cart solutions on the market that are plug-and-play, many of which are already integrated with some Hosted Solutions. Choosing to integrate an existing shopping cart with your Hosted Solution is lower risk and can save much time during integration.

7.2 Shopping Cart Options

If you decide to use third party software for a shopping cart in either solution, there are several general option types that vary among software providers. Some are plug-and-play and require no IT experience at all, while others may be a bit more complicated to integrate. Let's look at Table 7.21, which outlines some of the general levels of shopping cart options to help you better understand which type would be best suited for your business.

Table 7.21: Summary of the fields required for the re-direction

Shopping Cart Type: Description

- Basic Shopping Cart: A low-cost entry level cart. Option to host your own custom product pages or use a Hosted secure webspace. Gateway and shopping cart managed through a single user-interface. Basic HTML knowledge required.
- Storefront Shopping Cart: Create an entire e-store. Step by step setup wizard. Canada Post and UPS shipping modules. Professionally designed shopping cart templates. No programmatic knowledge required.
- Advanced Shopping Cart: More design options, personal domains. Add custom HTML headers / footers, change fonts and styles. Use the full shopping cart or Hosted payment pages only.
- Professional Shopping Cart: Advanced inventory management modules, product import tools and affiliate tracking features. Optimized for merchants with a larger product and customer list.

7.3 General Shopping Cart Considerations

- Flexibility. A primary consideration when choosing shopping cart software is whether it will continue to serve your website's needs now and in the future. Shopping carts can be limited to certain transaction volumes and product offerings. Check to see whether you will be limited to a certain number of products. If your business changes, you don't want your cost structure tied to your existing set-up.
- Promotions. The option to support coupons or gift certificates on your shopping cart can be complicated. If you want to support specials and promotions features, make sure your shopping cart can be configured to support this.
- "Quick-buy" feature. This is important for supporting INTERAC Online, since quick buy doesn't require registration at checkout. Often, shoppers will leave a site if there is a registration form to fill out before finishing their payment transaction.
- Shipping. Your shopping cart must calculate shipping based on your method of calculation. If you ship based on weight, be sure the cart can accommodate that need. Look for applications that plug directly into the big companies, such as UPS and FedEx, so you can get real-time rates and tracking status.
- Reporting. Some shopping carts can report on sales activity information, allowing you to collect and analyze business information.
- Support. It is important to understand how good the vendor support is (i.e., will you receive prompt responses to your questions regarding technical support). Customer service provided by real people, live chat and a forum for peer support are important parts of the relationship with your cart supplier.

8. Appendix

8.1 General Implementation Considerations

There are several other considerations you must take into account when integrating INTERAC Online. With a Hosted Solution, you won't have to worry about most of these. For detailed information about these requirements refer to the Merchant Checklist in Appendix A. Also note that your processor may have its own rules and guidelines, so check with them for additional requirements.

Refunds

Returns and refunds are a big part of doing business, and INTERAC Online understands this. Merchants may choose to refund their customer, subject to their own refund policies. In order to ensure that the funds are deposited back to the account that the funds were originally withdrawn from, the refund transaction needs to reference an original payment through the unique transaction identifier. In the case of a refund, the financial institution retrieves the original transaction details including the customer's account information, which the financial institution uses to process the refund deposit.

Only completed INTERAC Online payments can be refunded. It is also important to note that it is optional for processors to support refund functionality, so you will need to discuss refund details ahead of time. Financial institutions, on the other hand, are required to support refunds. Note that there is no front-end process for refunds, i.e., no involvement by the Gateway Page or online banking.

With regard to communicating refund policies and status, merchants are responsible for communicating with the customer regarding the processing of the refund, as per the merchant's usual policies. No e-mail notice about the refund is sent by Acxsys, the processor, or the financial institution.

Customer Service and Dispute Resolution

It is common to have disputes and customer service issues, but it is important to have a common understanding beforehand regarding which party will assume responsibility in certain situations.
Outlined below is a table with common dispute scenarios grouped into areas / types and the party generally liable for the corresponding scenarios.

Table 8.11: Dispute resolution table - Dispute Areas and Responsible Parties

Dispute Area / Type | Responsible Party
Shipment, faulty goods, refunds, merchant website | Merchant
Payment, account debited, online banking, account takeovers, customer fraud, financial institution fraud or negligence, financial institution systems or processing error, unauthorized transactions posted to the customer's account | Financial institution
Merchant fraud or negligence, acquirer fraud or negligence, merchant systems or processing error, acquirer systems or processing error, merchant registration, merchant complaints | Acquirer

Liability

As discussed earlier, INTERAC Online's model truly protects the merchant. Since INTERAC Online is based on the premise that the customer's financial institution is responsible for authenticating the customer and making sure they authorize the payment from their bank account, the liability lies with the financial institution. Merchants, however, are responsible for doing their part in fulfilling the order to the customer.

In the rare event that an INTERAC Online transaction is completed by a fraudster (e.g. someone who has managed to obtain a customer's online banking credentials), the merchant does not normally have to return the money if the goods have been shipped. All you need to do is participate in any fraud investigations.

Some merchants have discovered first-hand that disputed credit card or other payment transactions often result in the merchant being debited for goods that were shipped. In an INTERAC Online world:

- You won't be debited for goods inadvertently shipped to a fraudster
- You won't need to perform elaborate fraud checks on your customer to try to avoid fraud
- You won't be denying payments to legitimate customers just because your fraud detection measures consider them suspicious; this means more completed sales
- You won't see any chargebacks for transactions that the customer claims were not authorized

Privacy of Information

Acxsys does not collect or keep any information about customers. Acxsys does, however, keep merchant information regarding their acquirer relationship, i.e., name, address, website, and industry category. It is the acquirer's obligation to explain the use of the information collected from merchants and to obtain the merchant's consent.

Language and Registration

Participating financial institutions and acquirers are already registered by Acxsys. Financial institutions must provide their display name, logo and login URLs in French and English for use on the Gateway Page. Merchants are added to the system by their acquirer. Acquirers provide Acxsys with relevant merchant information, such as English and French display name(s) and logo(s) for use on the Gateway Page.
Timeouts

A customer may wander away for lunch, or even close the browser in the middle of the checkout process. This may happen during the INTERAC Online portion of the process, while your website is waiting for a re-direct to either the Funded or Not Funded URL. Websites typically time out after a certain amount of time to avoid keeping around a shopping cart that will never be used. The same approach should cover INTERAC Online transactions: if too much time passes without a re-direct back to the merchant site, you can decide to cancel the transaction. As mentioned above, any re-direct that does not correspond to a currently active transaction should be ignored with an appropriate error message.

There is no maximum limit on how long a customer may take after choosing the INTERAC Online option on the merchant's website until he/she has authorized a payment at the financial institution's Web banking site. It is at the merchant's discretion how long it will wait for the customer to authorize payment before abandoning the order; however, if the merchant's time limit is less than 30 minutes, the customer must be made aware of the time limit before they leave the merchant website.

Once the customer has authorized the payment and the financial institution logs the funds guarantee, the merchant has 30 minutes to confirm the transaction. If the financial institution does not receive the request for payment confirmation within this time, the financial institution cancels the transaction, lifts the guarantee of funds, and will decline the request should it arrive later.

Because INTERAC Online doesn't require collection of any customer information, it is suggested to allow customers to choose their method of payment before asking for address and phone information, if you don't require it.
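The timeout rules above can be enforced with a small merchant-side state tracker. The following is an added example, not code from the original guide or from INTERAC Online; the class, state and result names, the configurable abandonment limit and the safety margin are all assumptions made for illustration.

```javascript
// Added example. Class, state and result names are constructed for illustration;
// they are not part of any INTERAC Online specification.
const CONFIRM_WINDOW_MS = 30 * 60 * 1000; // from the guide: 30 minutes to confirm

class PendingPayments {
  // abandonAfterMs: merchant-chosen wait for the re-direct (assumption: configurable).
  // marginMs: safety margin, because the 30 minutes start when the financial
  // institution logs the guarantee, which is earlier than the re-direct arrival.
  constructor(abandonAfterMs, marginMs = 2 * 60 * 1000, now = () => Date.now()) {
    this.abandonAfterMs = abandonAfterMs;
    this.marginMs = marginMs;
    this.now = now;
    this.txns = new Map();
  }

  // Call when the customer picks INTERAC Online, before leaving the merchant site.
  start(txnId) {
    this.txns.set(txnId, { state: 'AWAITING_REDIRECT', startedAt: this.now() });
    // A limit under 30 minutes must be shown to the customer before they leave.
    return { mustDiscloseLimit: this.abandonAfterMs < CONFIRM_WINDOW_MS };
  }

  // Call when a request arrives on the Funded or Not Funded URL.
  handleRedirect(txnId, kind) {
    const t = this.txns.get(txnId);
    // Unknown, already completed, or replayed re-directs are not active: ignore.
    if (!t || t.state !== 'AWAITING_REDIRECT') return 'IGNORED_INACTIVE';
    if (this.now() - t.startedAt > this.abandonAfterMs) {
      t.state = 'ABANDONED';
      return 'IGNORED_TIMED_OUT';
    }
    if (kind !== 'FUNDED') { // anything other than an explicit FUNDED fails closed
      t.state = 'NOT_FUNDED';
      return 'SHOW_ERROR_PAGE';
    }
    t.state = 'FUNDED';
    t.fundedSeenAt = this.now();
    return 'CONFIRM_NOW';
  }

  // Check before sending the payment confirmation request to the processor.
  canConfirm(txnId) {
    const t = this.txns.get(txnId);
    if (!t || t.state !== 'FUNDED') return false;
    const ok = this.now() - t.fundedSeenAt <= CONFIRM_WINDOW_MS - this.marginMs;
    if (!ok) t.state = 'EXPIRED'; // a late confirmation would be declined anyway
    return ok;
  }

  // Periodic cleanup: mark carts whose customer never came back.
  sweep() {
    let abandoned = 0;
    for (const t of this.txns.values()) {
      if (t.state === 'AWAITING_REDIRECT' &&
          this.now() - t.startedAt > this.abandonAfterMs) {
        t.state = 'ABANDONED';
        abandoned += 1;
      }
    }
    return abandoned;
  }
}
```

A second re-direct for a transaction that is already funded returns IGNORED_INACTIVE, so a replayed Funded URL cannot trigger a second confirmation or fulfilment.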

Transaction Amount Limits

The total amount of an INTERAC Online transaction isn't capped, but financial institutions manage all limits for their customers as part of their proprietary systems. Additionally, acquirers also manage merchant limits, including refunds. Therefore, the actual transaction amount limit will depend on your relationship with your acquirer and the customer's relationship with their financial institution.

User Interface Considerations

With all the benefits INTERAC Online offers, you will likely want to encourage your customers to use INTERAC Online over other payment types. If so, consider the following best practices:

- Listing it first among options and making it the default choice, requiring explicit selection of another method
- Offering discounts for payment by INTERAC Online
- Advertising INTERAC Online in banner ads on your site

Design Constraints and Branding

Branding is important and the merchant must show the INTERAC Online logo and/or appropriate text when the INTERAC Online payment option is provided. The name and mark of the service must always be branded INTERAC Online. The merchant website must display the product logo and product description on the web page where the customer makes the payment choice. Only merchants registered with Acxsys by their acquirers are permitted to use the INTERAC Online name and marks. The merchant must also provide a link to a URL hosted by Acxsys, which provides information about the INTERAC Online service. Depending on the merchant's Web site, this may be provided in English and/or French.

- English URL. http://www.interac.ca/en/interac-online/interac-online-for-consumers
- French URL. http://www.interac.ca/fr/interac-en-ligne/interac-en-ligne-pour-lesconsommateurs

128-bit encryption

Keep it safe: merchants must use no less than 128-bit SSL encryption if collecting personal information.
Acceptable Browsers and Frames

Firefox, Internet Explorer, Safari, and Chrome: the list of internet browsers goes on. Luckily, as long as your customers are using recent versions of their browser of choice, they won't encounter any issues when paying with INTERAC Online. As a best practice, you should encourage your customers to upgrade to the latest browsers.

Note that when using frames, the address bar does not reflect what site the content within a frame is being served from. It is critical that the consumer sees the actual URL address of their online banking. Thus, usage of frames is not recommended to merchants as part of their Custom Solution for INTERAC Online.

Java and JavaScript Considerations

Almost all financial institutions require JavaScript for online banking, and all current INTERAC Online participants (TD, BMO, RBC, Scotiabank) are no exception. There are, however, some financial institutions, including many credit unions (e.g., Prospera, Westminster), that do not require JavaScript.

Although the INTERAC Online Gateway Page does not require JavaScript itself, not supporting it will negatively affect the customer experience. If JavaScript is not enabled, then the customer must manually click a link in order to be taken to their online banking site. The re-direction page will show the following:

Re-directing... If your browser does not re-direct you in a few seconds, click here.

This is accomplished by the following line as part of the FORM HTML element:

    If your browser does not re-direct you in a few seconds,<input type="submit" class="submitlink" value="click here">

As a matter of good practice, we would recommend the same approach. Take advantage of JavaScript if it is enabled to provide a better customer experience, but provide a fallback for customers who do not have it enabled. By providing this fallback FORM HTML element, there is no need to explicitly require the customer to enable JavaScript.

8.2 INTERAC Online Participants

In any and every INTERAC Online deployment, there are many players that are involved: merchants, customers, acquirers, financial institutions, INTERAC Association, Acxsys Corporation, settlement agents, and sometimes third party service providers. Each of these players has a role in making an INTERAC Online transaction happen. Let's take a look at the role of each player.

Merchant
A merchant refers to an online store that offers INTERAC Online as a payment choice.

Customer
A customer is a person who has an account and access to online banking at a participating financial institution.

Acquirer
An INTERAC Online acquirer enables merchants to offer INTERAC Online as a payment choice. An acquirer must connect to the IMN (Inter-Member Network) either directly or through a relationship with a Connection Service Provider (CSP). An acquirer also needs a Settlement Agent (SA), or be its own SA, in order to settle the funds through ACSS (Automated Clearing Settlement System).

Financial Institution
A financial institution offers its customers the ability to approve an INTERAC Online payment through online banking. The financial institution must connect to the IMN either directly or through a relationship with a CSP. A financial institution also needs a Settlement Agent (SA), or be its own SA, in order to settle the funds through ACSS.
INTERAC Association
INTERAC Association operates the IMN and two Shared Services, INTERAC Direct Payment and Shared Cash Dispensing, as a not-for-profit association of members. Merchants will not be involved with the IMN.

Acxsys Corporation
Acxsys Corporation is a for-profit corporation that operates the INTERAC Online service and other services. It also provides management services to the INTERAC Association under contract. Acxsys typically does not deal with merchants, except on a consultative basis.

Settlement Agent (SA)
A Settlement Agent is an institution that provides ACSS settlement services to a financial institution or an acquirer. Settlement agents are not a merchant contact.

Third-Party Service Provider
A Third-Party Service Provider is any service provider that is party to an INTERAC Online transaction, either on behalf of the merchant or the acquirer, other than a SA or CSP. This could be as a processor or as a provider of a payment gateway, plug-in application, hosted pages or other value-add services or software applications. The use of a Third Party Service Provider is optional.

8.3 Merchant Requirements

The Merchant must adhere to the requirements listed below.

1. Checkout Page
[ ] Display the INTERAC Online design (logo), or wordmark (the text "INTERAC Online"), or both

2. Design and Wordmark Requirements (any page)

2.1 Other Payment Option Logos
[ ] Display the INTERAC Online design (logo) if the Merchant displays the trademarks or logos of other payment options
[ ] The design must be equal in size and no less prominent than other payment option Trade-marks

2.2. INTERAC Wordmark
[ ] The INTERAC wordmark must be either in capital letters or italics, e.g., the INTERAC Online service
[ ] The first use of the INTERAC Online wordmark has the ® notation beside the word INTERAC in superscript text. For example, Interac® (English) or «Interac MD» (French)
[ ] Show the following footnote on the same page as the wordmark: "® Trade-mark of Interac Inc. Used under licence" (English), or «MD Marque de commerce d'Interac Inc. Utilisée sous licence» (French)

2.3. Version of Design
[ ] Use the two-colour design on the Web
[ ] Horizontal version: height no smaller than 25 pixels (width-to-height ratio = 2:37:1)
[ ] Vertical version: width no smaller than 30 pixels (width-to-height ratio = 1:1:37)

3. Learn More Information (preferably on the Checkout page)
[ ] Provide consumers with a link to Learn More in English and/or French.
    English URL -- http://www.interac.ca/index.php/en/interac-online/interac-online-forconsumers
    French URL -- http://www.interac.ca/fr/interac-en-ligne/interac-en-ligne-pour-lesconsommateurs

4. Confirmation Page
[ ] State that the transaction is successful
[ ] Display the Financial Institution's name and confirmation number
[ ] Provide ability to print

5. Error Page
[ ] Indicate that payment was unsuccessful
[ ] State that the order is cancelled or display other payment option(s)

6. Timeout Message
[ ] Display if consumer has < 30 minutes to complete payment

7. Payment
[ ] Display the total in Canadian dollars

Checklist for Security/Privacy Requirements

1. The Merchant must:
[ ] Use no less than 128-bit SSL encryption if collecting personal information
[ ] Protect consumer information in accordance with applicable federal and provincial privacy legislation
[ ] Adhere to the Canadian Code of Practice for Consumer Protection in Electronic Commerce

Checklist for Required Screenshots

1. Please attach screenshots of the following Web pages:
[ ] Checkout page (page where customer selects INTERAC Online option)
[ ] Confirmation page (one of test case 1, 2, or 3)
[ ] Error page (test case 4)