Internet Merchant Procedure Guide

Procedures for accepting Card transactions across the Internet
Contents

Accepting Card Payment Transactions Across The Internet 2
Card Types 2
Jargon Explained 3
Card Transaction Processing Options 5
Your Web Site - Hosting Options 6
Card Not Present Procedures 7
Barclaycard Merchant Services Security Guidelines 9
Payment Pages - Requirements 13
Transaction Receipts 13
Contact Us 13
Accepting Card Payment Transactions Across The Internet

Barclaycard Merchant Services maintains a commitment to supporting its merchant customers in the development of their business. New technology brings new opportunities for businesses and the rapidly developing Internet is no exception.

The Internet is a vast collection of inter-connected PCs and networks that use specific protocols. The Internet started as a network for the United States armed forces during the 1960s. It has developed to become the global network that it is today, with millions of users able to surf the net worldwide. These users are all potential customers and, with a degree of care, there is no reason why your business should not benefit from their spending.

Perhaps the major difference between the Internet and more traditional communication networks is that the information which passes across it is open to general view. Fortunately, techniques are available commercially which enable confidential information such as customers' credit card numbers to be transmitted across the Internet in a relatively confidential way. The most commonly employed method of achieving this is through the use of a process known as encryption, where the information is scrambled using a complex mathematical equation. The key to the equation is known only by the customer's PC and the merchant's computer.

Whilst the encryption of sensitive information offers a degree of confidentiality, the information must also be kept secure once it is received by the merchant. Varying methods are used to keep this information safe from prying eyes, including the use of firewall technology. The minimum security requirements are detailed in this Procedure Guide, which forms part of your Merchant Agreement with Barclaycard Merchant Services.

Unfortunately, it is not yet possible to know that your customer is who they claim to be.
The inability to see your customer's payment card and check their signature brings additional risks associated with accepting transactions this way. The Card Not Present Procedures section in this Procedure Guide offers more information on the risks you face and provides some useful advice.

Card Types

Barclaycard Merchant Services is able to accept and process on your behalf card payment transactions made with the following card types: Visa, MasterCard, Switch, Solo and JCB.
Jargon Explained

Bandwidth
The data transfer ability of a communications system. The capacity to transfer data is indicated by bandwidth: the higher the bandwidth, the faster a user is able to send and receive data.

Browser Software (Browsers)
The software an individual uses to view a website on the Internet. The most common are Netscape Navigator and Microsoft Explorer. Browser software will additionally allow the user to make purchases from your site.

Encryption
The process of converting a message so that it is unreadable. It is a method of ensuring security through the use of complicated mathematical algorithms. Encrypted messages are assigned a key that must be used in order to decrypt them.

File Transfer Protocol (FTP)
A common method of transferring files across the Internet.

Firewall
Computer hardware, software and physical measures which protect confidential information whilst it is on a web server.

Home Page
The opening page of your website.

Hypertext
Highlighted words which represent links to other documents, web pages or websites, which are viewed by a click of a mouse.

HyperText Mark-up Language (HTML)
The language that is used to create documents on the World Wide Web.

HyperText Transfer Protocol (HTTP)
Another Internet protocol, the standard method of transferring HTML documents (in an encoded format) between web servers and browsers.

Internet Protocol (IP) Address
A unique address made up of 4 parts separated by full stops, e.g. 123.456.789.1. Every PC or interface to the WWW needs an IP address.
Internet Service Providers (ISP)
These are business organisations who control Internet server hardware and provide connectivity to the Internet. They promote their services to third parties, e.g. hosting merchant websites.

JAVA
This is potentially the future programming language of choice on the Internet; it allows programs to be created and sent over the network.

Secure Sockets Layer (SSL)
An accepted protocol which enables secure card payment transactions to be made over the Internet.

Server
A central computer which makes services and data available.

Uniform Resource Locator (URL)
The reference by which your website can be accessed. URLs are seen increasingly on company merchandise and advertising material, e.g. www.barclaycardmerchantservices.co.uk

What are TCP/IP standards?
Simply, these are a set of network protocols (standards and rules) that allow computers to communicate. TCP/IP stands for Transmission Control Protocol/Internet Protocol.

World Wide Web (WWW)
What most people see as the Internet: where you go to browse a site. The WWW medium allows text, graphics etc. to be accessed through browser software.
Card Payment Transaction Processing Options

Whether your company utilises its own Internet server or the services of a commercial Internet Service Provider, Barclaycard Merchant Services is able to support your requirements for the acceptance and processing of card payment transactions taken over the Internet. Our aim is to help in integrating card payment facilities into your day to day business operations. We recognise that each of our customers will have different requirements for the acceptance and processing of Internet card payment transactions, and have developed a range of options to ensure that an appropriate service is available to you.

Regardless of which option you choose for processing your card payment transactions, you must always provide your customer with a receipt. This receipt must include your Internet site address (home page URL) or your email address. You may need to provide Barclaycard Merchant Services with a copy of the receipt if the customer queries the transaction with his or her card company at a later date; see page 13 of this guide for further information.

To accept card payment transactions across the Internet you must adhere to the Barclaycard Merchant Services Security Guidelines, which include transaction encryption and firewall implementation. These common sense requirements have been developed to provide a degree of integrity and confidentiality for card details passed across the Internet; they will provide a degree of confidence for your customers when making purchases. Barclaycard Merchant Services will require your compliance with the security measures which are detailed in the Merchant Security Guidelines section of this Procedure Guide. Some of our products do not require compliance with these measures.

epdq

epdq is a secure online service for card payment authorisation and settlement. It enables you to accept and process card transactions from your website 24 hours a day, 365 days a year.
The epdq Cardholder Payment Interface product (CPI) enables customers to submit their card details direct to epdq for payment. Barclaycard Merchant Services is therefore responsible for maintaining the security of the card details, not the merchant. With the epdq CPI, you do not need to worry about maintaining a secure server unless you capture your customer's name and address at your site. If this is the case then the Data Protection Act requires that such information is captured and stored securely. The epdq Merchant Payment Interface solution (MPI) does require that you comply with the Merchant Security Guidelines detailed in this Procedure Guide. Visit our epdq website at www.epdq.co.uk for more information.
Host Authorisation And Submission Options

This option involves the use of approved software to convert card transaction data to the appropriate bank standards for authorisation and settlement. A list of approved APACS software specialists is available at www.barclaycardmerchantservices.co.uk.

PDQ Terminal Options

You are able to utilise the facilities offered by our range of PDQ terminals. Customer card details and the transaction amount received on your website across the Internet are simply 'keyed-in' manually to a PDQ terminal. The PDQ terminal will seek authorisation and ensure the funds are transferred to your bank account, giving you maximum flexibility and control.

Third Party Payment Service Provider (PSP) Options

Barclaycard Merchant Services is happy to accept your payment transactions from a recognised third party Payment Service Provider (PSP). However, you must ensure that the PSP meets the minimum security measures detailed in this Procedure Guide and that they can offer the necessary communication links to Barclaycard Merchant Services. It is important to stress that you have the responsibility for complying with the Internet Merchant Procedures for Internet card payment transaction acceptance, as Barclaycard Merchant Services will not enter into any contract with the PSP on your behalf.

Your Web Site - Hosting Options

Internet Service Providers (ISP)

A number of our customers will have their websites hosted by an ISP. If your payment page is hosted with an ISP you must ensure that the ISP meets the minimum security measures detailed in this Procedure Guide. It is important to stress that you have the responsibility for complying with the Internet Merchant Procedures for Internet card payment transaction acceptance, as Barclaycard Merchant Services will not enter into any contract with the ISP on your behalf.

Own Server

If you utilise your own server to accept Internet card payment transactions you must comply, as above, with our security measures.
Card Not Present Procedures

Internet card payment transactions are classed as Card Not Present (CNP) transactions. As the cardholder (and card) is not physically with you at the time of the transaction, it is not possible to check the card details or the customer's signature. There are associated risks with CNP transactions on which you must, as a business, make a commercial decision. Whenever you undertake an Internet transaction, there is no guarantee of payment. If the cardholder should query the transaction at a later date, or any discrepancies arise, the card issuer may resort to a chargeback via Barclaycard Merchant Services to recover the funds from you. The following sections detail some advice.

The facts
- It's a fact that more and more transactions take place every day where the cardholder is not present at the point of sale
- It's a fact that fraud is common where the cardholder is not present
- It's a fact that any mistake in recording card details can cost you as much as fraud
- But it's also a fact that you can help to protect yourself against these dangers

What cardholders could say
- They may claim that the card number was used fraudulently
- They may deny the transaction
- They may say that the card has been stolen
- They may claim that the card number has been used without their authority
- They may claim that they never received the goods
- They may claim that the goods were defective, not as described, or not of merchantable quality

Any of the above may result in a chargeback, so it is in your own interest to encourage your staff to record details accurately and to be vigilant. In any of these circumstances, please remember that it is your responsibility to investigate the matter and recover the goods and/or payment by some other means.

How to fight fraud

Fraud is a growing problem where the card and cardholder are not present at the point of sale, but taking simple precautions can help to protect you.
- If your instinct tells you something isn't quite right, please follow it
- Never release goods to a third party, such as a taxi driver or messenger, allegedly sent by the cardholder
- Always arrange delivery of the goods yourself, using either recorded/registered post or a reputable carrier, and obtain a signed and dated delivery note from the Post Office or carrier
Records

Always keep a record of the details of the transaction, because you may need to provide them to us if the customer queries the transaction with his or her card company at a later date. Please ensure your filing system allows you to recover information easily, by date of transaction or by customer's card number. Many card issuers will not provide a cardholder name when querying a card payment transaction and, if an error occurred when recording the name initially, it may not match that contained in your records. We recommend you retain your records for a minimum of three years.

If you agree to send the goods to an address other than that of the cardholder, the risk of that card payment transaction being charged back to you is greater. Please take extra care with these transactions and always keep a written record of the delivery address with your copy of the transaction.

PDQ Card Payment Transactions

For PDQ card payment transactions, please follow the same basic guidelines in conjunction with your Terminal Operating Guide. Although Barclaycard Merchant Services PDQ is one of the most advanced systems available, it unfortunately cannot protect you from fraud or simple keying-in errors. PDQ is a mechanised system and requires your human and professional instincts to help ensure the validity of a name, address or card number. By using your own commercial judgement, staying aware of the hazards and taking these important precautions, you will minimise the risk of a chargeback and maximise the benefits that cardholder not present transactions can bring.

Authorisation

Please remember that authorisation is not a guarantee of payment; it is an indication that the card has not been reported lost or stolen at the time of your transaction and that sufficient credit exists on the account.
Barclaycard Merchant Services Security Guidelines

Introduction

As the number of people using the Internet has expanded, problems of abuse have become apparent. As with any other large collection of individuals, the community of Internet users contains its share of thieves, vandals, opportunists and other nuisances, often referred to as hackers, attackers or crackers. The threats posed to an organisation using the Internet can be grouped into four major areas:

- Disclosure of information, where, either intentionally or accidentally, information pertaining to an organisation or its customers is divulged to others
- Unauthorised access to systems and applications, where unauthorised individuals gain access to key systems and sensitive information
- Loss of information integrity, where data stored on a computer or in transit is unknowingly amended
- Denial of service, where the availability of computer systems and services is lost due to the overloading of a computer or its network connectivity

Site Development

In developing an Internet site for electronic commerce purposes, the following approach is strongly recommended:

1. Ensure that your organisation's goals for use of the Internet have been established and that the services needed to meet these goals have been determined. The security solutions that may need to be implemented should be based on your organisation's short, medium and long-term plans.

2. Perform a risk assessment to quantify the risk to those assets that are considered under threat. This will then aid in choosing cost-effective solutions to protect your assets such as information, equipment and network connectivity. The risk assessment should answer two fundamental questions:
- How valuable are the assets potentially at risk?
- What are the repercussions of choosing not to take any protective measures?
The assessment should also take into account three perspectives:
- Confidentiality: maintaining the secrecy or privacy of information so that only those intended can access its content and meaning
- Integrity: the ability to trust the reliability of information, in that there has been no undetected, accidental or deliberate modification
- Availability: the provision of a service and its features where and when it is required
3. By conducting the exercises described in points 1 and 2, your organisation should be well placed to define a comprehensive policy which will provide the answers to a number of fundamental questions, including:
- What types of applications can be used on the Internet?
- What service offerings will be made available on the Internet?
- How can connections be established?
- Who in your organisation will require outgoing Internet access, and for what purposes?
- Who will have what responsibilities for implementation, support and maintenance functions, and for dealing with security incidents?

4. When answers to the above have been reached, your organisation should be well positioned to select and deploy suitable security measures to meet its business needs. However, there is rarely a single solution that will meet all of an organisation's security needs and it is likely that a combination of approaches will be required.

Security Considerations

In defining and implementing your solutions to security, the following points should be considered:

Connectivity
- Determine your organisation's communication requirements to and from the Internet
- Select a reputable and reliable Internet Service Provider and establish a contract to ensure that the requisite service level will be both provided and monitored

Bandwidth
Inadequate bandwidth to your site will cause a noticeable impact on performance. In determining bandwidth needs, take into account:
- your expectations of speed and efficiency and those of your customers
- the expected traffic to your site
- the incorporation of any bandwidth-thirsty applications, e.g. FTP, Java, live audio, etc., in your site design

Servers
For WWW servers, dedicate the server solely to WWW provision by:
- removing all unnecessary functionality
- limiting connectivity to the Internet and the server's keyboard where possible
- determining what contingency is required and how it will be provided, depending on how crucial the availability of your site is, e.g. 24 hours a day, 7 days a week
Security Administration
- Responsibility for security administration should be allocated to at least one individual well versed in detailed Internet security issues, to administer and maintain the security solutions
- Procedures should be developed to ensure that any security incidents are dealt with in a timely manner

Firewalls
- Consideration should be given to using a firewall to provide a security perimeter around your organisation's internal network
- Experienced personnel should be employed for the installation of a firewall, regardless of whether the firewall is bespoke or off the shelf
- While low-cost firewall products can be of high quality and appropriate for some security needs, thought should be given to the constraints that they can place on an organisation in realising its goals and policies, as they tend to be less flexible in their operation
- Configuring a firewall can be difficult, so additional consideration should be given to having a firewall reviewed by an independent external third party on installation and at regular intervals afterwards

Individual Computers
By increasing the security of individual computers connected to the Internet your organisation will improve the security of its internal network as a whole. This can involve:
- increased controls on user accounts and passwords
- the monitoring and removal of illicit software and other information
- the installation of integrity checking software, e.g. virus scanners

Internal Network Partitioning
Additional protection can be given to your organisation's internal network by dividing it into partitions or domains, based on the type of information contained therein, and then building internal firewalls to regulate communications among these domains

Data Encryption and Key Management
- There are legal and regulatory issues that must be taken into account when using encryption. The UK, like most countries, has laws regarding the use and export of encryption techniques and encrypted data
- The use of encryption technology entails an infrastructure for the storage, distribution and certification of keys, which in turn requires the recognition of additional security measures that need to be provided

Periodic Review
Overall, periodically review your organisation's goals, policies and security solutions to ensure that they remain current and up to date

Minimum Security Measures

Barclaycard Merchant Services requires minimum security measures to be adopted prior to acquiring card payment transactions from an Internet site. These minimum security requirements apply regardless of whether the site is:
- maintained solely by the merchant
- maintained solely by a third party provider which is receiving and processing card payment transactions on behalf of the merchant
- a combination of the two above

The minimum security measures are as follows:

1. All transactions containing card information should be transmitted over the Internet in an encrypted form, either using the SSL (Secure Sockets Layer) protocol, currently with a minimum effective symmetric key length of 40 bits, or a protocol employing similar encryption algorithms and key length which provide similar or greater strength to SSL. This measure should be adopted not only when the transaction details are being passed from the cardholder to the web server, but also from the web server to the merchant if this takes place directly over the Internet.

2. Any servers involved in processing transactions containing card information and originating from the Internet should not be exposed directly to the Internet. These servers should be placed in a secure domain by means of internal network partitioning, with connectivity to the Internet protected by firewall technology.

3. Additional internal network partitioning should be provided between the server(s) involved in processing transactions containing card information and connectivity to the Barclaycard Merchant Services host where automated settlement and/or authorisation transactions are to be generated. It is recognised that differing network protocols provide effective barriers between domains, which should be considered either as alternatives or complementary to physical barriers.

It should be noted that the above are generic requirements that will result in varying solutions. These solutions will differ from site to site depending upon the technology and network infrastructure adopted. While Barclaycard Merchant Services is unable to provide specific solutions to meet merchants' needs, it will be happy to review and discuss proposals with merchants and third party providers.
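Measure 1 above sets a floor on the effective symmetric key length of the transport encryption. The following is an added example, not code from the guide or from Barclaycard: it audits the cipher suites a TLS server context actually enables against that 40-bit floor, and against a 128-bit profile which, together with the cipher string, is this example's own assumption for a present-day deployment.

```python
# Added example, not from the guide: audit a TLS server configuration against the
# guide's floor of 40 effective symmetric key bits. The 128-bit figure and the cipher
# string are this example's own assumptions for a modern deployment.
import ssl
from typing import Dict, List

GUIDE_MIN_BITS = 40    # the guide's minimum effective symmetric key length
MODERN_MIN_BITS = 128  # assumption: what a practitioner would require today


def weak_ciphers(ciphers: List[Dict], min_bits: int) -> List[str]:
    """Names of ciphers whose effective strength is below min_bits.
    `ciphers` is a list in the shape returned by ssl.SSLContext.get_ciphers()."""
    return [c["name"] for c in ciphers if c.get("strength_bits", 0) < min_bits]


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that offers only forward-secret AEAD suites on TLS 1.2+."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # EXPORT and LOW are the OpenSSL groups holding the 40- and 56-bit suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!LOW:!MD5")
    return ctx


def audit_context(ctx: ssl.SSLContext, min_bits: int) -> List[str]:
    """Apply weak_ciphers() to the suites the context actually enables."""
    return weak_ciphers(ctx.get_ciphers(), min_bits)


# Constructed records in the get_ciphers() shape, standing in for a 2001-era cipher
# list: the 40-bit export suites satisfy the guide's floor but fail a modern one.
LEGACY_CIPHER_LIST = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "AES128-SHA", "protocol": "TLSv1", "strength_bits": 128},
]


if __name__ == "__main__":
    print("legacy list below 128 bits:", weak_ciphers(LEGACY_CIPHER_LIST, MODERN_MIN_BITS))
    print("hardened context below 128 bits:", audit_context(hardened_server_context(), MODERN_MIN_BITS))
```

The same audit can be pointed at any server context you build, so it doubles as a check that a later configuration change has not re-enabled a weak suite.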
Payment Pages - Requirements

The order form used in your web site must contain the following details:
- Transaction amount and currency
- Card type tick box (Visa, MasterCard, JCB, Switch or Solo)
- Customer's card number
- Card valid from date
- Card expiry date (please ensure the date is current)
- A box to capture the Switch or Solo Issue Number or Start Date (Switch and Solo card types only)
- Cardholder's full name
- Cardholder billing address, including a separate postcode box
- Cardholder's email address
- Recipient's full name
- Delivery address

The page should be designed to incorporate a Modulus 10 Check Digit Algorithm for verifying the card number. To obtain a copy of the Modulus 10 Check Digit Algorithm and the Card Scheme Logos that may be displayed on your website, register via the Internet section of our website at www.barclaycardmerchantservices.co.uk.

Transaction Receipts

- Customers must be supplied with a transaction receipt as part of an order confirmation notice at the time of the purchase
- The receipt should include the total cost of the purchase, an order reference number, customer contact details and the website address
- Ideally this receipt should be provided to the customer via email and should include an instruction to print or save the receipt for their records
- The receipt should not include the card number

In addition your website must contain the following information:
- Your company name, address, telephone, fax number and contact email address
- Your company registration number and VAT number (where applicable)
- A complete description of all goods and services supplied should be clearly displayed. This should include full details of price, plus all additional costs such as taxes, delivery charges and export restrictions.
- The customer should be provided with clear information on your company's delivery, refund and cancellation policies
- A statement to describe the type of transaction security that is supported
- A privacy statement

Contact Us

For further information on trading over the Internet, please contact our e-commerce Support Unit on 0870 60 80 355 (available Monday to Friday 9am to 5pm), or alternatively visit our website at www.barclaycardmerchantservices.co.uk. If you are an existing Internet merchant and have a query on your account, please contact our Customer Services Department on 0870 60 600 60 (available Monday to Saturday 8am to 8pm, and Sunday 9am to 6pm). To apply for an Internet merchant account, please contact our Sales Centre on 0800 61 61 61 (available Monday to Friday 8.30am to 6pm).
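The Payment Pages and Transaction Receipts requirements above, as an added example that is not Barclaycard's own Modulus 10 implementation (the guide asks you to register for that): a Python check of the required order-form fields, the Modulus 10 check digit on the card number, the expiry date, and a masked card number for the receipt. The MM/YY expiry format, the field names and the sample form are this example's assumptions.

```python
# Added example, not Barclaycard's own Modulus 10 code: the order-form checks the
# guide asks for, run on a constructed sample form. Assumptions: expiry dates arrive
# as "MM/YY" (two-digit year meaning 20YY) and a card is good to the end of that month.
import re
from datetime import date
from typing import Dict, List

CARD_TYPES = ("Visa", "MasterCard", "JCB", "Switch", "Solo")
REQUIRED_FIELDS = (
    "amount", "currency", "card_type", "card_number", "valid_from", "expiry",
    "cardholder_name", "billing_address", "postcode", "email",
    "recipient_name", "delivery_address",
)


def luhn_valid(card_number: str) -> bool:
    """Modulus 10 check digit: from the right, double every second digit, subtract 9
    from any product above 9, add everything up; valid when the sum is divisible by 10."""
    digits = re.sub(r"[\s-]", "", card_number)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def expiry_is_current(mm_yy: str, today: date) -> bool:
    """True while the MM/YY expiry month has not yet passed relative to `today`."""
    m = re.fullmatch(r"(\d{2})/(\d{2})", mm_yy or "")
    if not m or not 1 <= int(m.group(1)) <= 12:
        return False
    return (2000 + int(m.group(2)), int(m.group(1))) >= (today.year, today.month)


def mask_for_receipt(card_number: str) -> str:
    """The receipt must not carry the card number: keep only the last four digits."""
    digits = re.sub(r"[\s-]", "", card_number)
    return "*" * (len(digits) - 4) + digits[-4:]


def validate_order_form(form: Dict[str, str], today: date) -> List[str]:
    """Return the problems found; an empty list means the form passes every check."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not str(form.get(f, "")).strip()]
    card_type = form.get("card_type", "")
    if card_type not in CARD_TYPES:
        problems.append("card_type must be one of " + ", ".join(CARD_TYPES))
    elif card_type in ("Switch", "Solo") and not (form.get("issue_number") or form.get("start_date")):
        problems.append("Switch/Solo cards need an issue number or start date")
    if not luhn_valid(form.get("card_number", "")):
        problems.append("card_number fails the Modulus 10 check")
    if not expiry_is_current(form.get("expiry", ""), today):
        problems.append("expiry date is not current")
    return problems


# Constructed sample input; 4111 1111 1111 1111 is a widely used Luhn-valid test number.
SAMPLE_TODAY = date(2025, 12, 31)
SAMPLE_FORM = {
    "amount": "49.99", "currency": "GBP", "card_type": "Visa",
    "card_number": "4111 1111 1111 1111", "valid_from": "01/24", "expiry": "12/25",
    "cardholder_name": "A Cardholder", "billing_address": "1 Example Street, Anytown",
    "postcode": "AB1 2CD", "email": "cardholder@example.com",
    "recipient_name": "A Cardholder", "delivery_address": "1 Example Street, Anytown",
}


def check_sample_form() -> List[str]:
    """Run the checks over the constructed form; returns [] when everything passes."""
    return validate_order_form(SAMPLE_FORM, SAMPLE_TODAY)


if __name__ == "__main__":
    print("problems:", check_sample_form())
    print("receipt shows card as:", mask_for_receipt(SAMPLE_FORM["card_number"]))
```

The Modulus 10 check only catches mistyped numbers; it says nothing about whether the card is genuine, which is why the guide still sends every transaction for authorisation.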
Barclaycard Merchant Services, Northampton NN4 7SG. www.barclaycardmerchantservices.co.uk (Barclaycard Merchant Services is a trading name of Barclays Bank PLC). Registered in England. Reg. No. 1026167. Registered Office: 54 Lombard Street, London EC3P 3AH. D71 06/01