Payment Processing Best Practices

American Credit Card Processing Decline in 2010

2011-07-27T16:54:00.002-04:00

American credit card processing was the only electronic payment method to show a decline in use from 2006 to 2009 (-0.2% per year on average). There were 21.6 billion credit card transactions in 2009, 151 million less than in 2006. By volume, credit card payments amounted to $1.9 trillion in 2009, down from $2.1 trillion in 2006. This decline in credit card use may be a result of the economic recession and may not necessarily represent permanent changes in the payment behavior of U.S. consumers and businesses. As a reference, the rate of seasonally adjusted consumer credit card debt in the U.S. rose in every month from January 2006 to its highest point in August 2008 before falling in each following month through September 2010.

Debit card payments, on the other hand, built on their double-digit growth from 2006 to 2009 and made up 34.8% of all non-cash payments in 2009 (2.0% by volume). Total debit card transactions rose 14.8% per year for the period. PIN debit payments, facilitated by American credit card processing companies, rose more quickly (15.6% per year) than signature-based debit payments (14.3% per year). The absolute rise in signature debit payments from 2006 to 2009 (7.7 billion) was greater than the total increase in PIN debit payments (5.1 billion).

The average signature debit amount per transaction fell from 2006 to 2009 from $40 per item to $37. The average value of PIN debit card transaction rose for the period, from $37 to $39 per transaction. Interestingly, the average amount of signature-based payments fell below the average amount of PIN payments, partly reflecting the increase in the use of the signature-based in small-ticket card payments.

Even though they still make up a relatively small volume among the various types of non-cash payments facilitated by American credit card processing companies, the use of prepaid card is the quickest growing one. The number of prepaid card payments rose by 21.5% per year from 2006 to 2009, and the volume of prepaid transactions rose at 22.9% per year. Private label (also known as store cards) was the most used kind of prepaid card, with 2.7 billion transactions counted in 2009. Two billion transactions were made on Electronic Benefits Transfer (EBT) cards, and 1.3 billion were processed through general purpose prepaid cards.

Prepaid debit transactions include payments by cards funded by U.S. firms or government agencies, such as payroll cards and EBT, but exclude single-use and reloadable cards, transit cards, toll systems, and phone cards.

Merchant Credit Card Account General Facts

2011-07-19T17:53:00.002-04:00

Thousands of companies offer merchant credit card accounts, as well as bank cards to consumers. Before the beginning of the last decade of the 20^th century, card issuers competed mostly by waiving annual fees and offering various program advantages. Since then, though, interest-rate competition has taken a much more prominent role in both areas. Many issuers and payment processing services providers, including practically all of the biggest issuers, have lowered rates on many of their clients below the 18 to 19 percent rates typically maintained through most of the last twenty years of the last century. Interest rates in general have recently gotten much more responsive to issuers' costs in recent years as more and more issuers have linked their interest rates to one of several indexes that fluctuate with market rates. (Presently, most large issuers tie the rates on their largest programs to an index, usually the prime rate.) Some issuers have divided their client bases according to various risk characteristics, offering lower rates to existing customers with good payment records while charging relatively high rates on cardholders that are higher-risk or late-paying. What is more, many issuers have tried to gain or maintain market share by providing very low, introductory rates on balance transfers.

Over the past few years, merchant credit card account competition has led to significant shifts in market shares among the biggest providers. The majority of the larger issuers have expanded by acquiring portfolios from smaller competitors or by merging with other companies. Additionally, several of the more rapidly expanding companies in recent years seem to have enhanced their market share by providing comparatively low interest rate cards and attractive balance transfer rates. Others have increased market share through co-branding and similar rebate strategies, usually combined with waivers of annual fees.

Aggressive competition for customers among merchant credit card account providers in 2005 was at least partly responsible for a 5 percent increase from 2004 in the number of MasterCard and Visa cards in circulation, to a grand total of 595.2 million. The number of cards per consumer rose to an estimated 4.95. While the number of cards in circulation kept growing from 2004 to 2005, the growth rate was moderate, indicating that the market was becoming somewhat saturated.

Direct mail offers are still the primary marketing channel. We saw a new record in 2005, with 71 percent of U.S. households receiving an average of 5.7 offers per month in their mail boxes.

E-Commerce Credit Card Processing Suspicious Transactions

2011-07-12T16:31:00.003-04:00

E-commerce credit card processing retailers should devise internal policies and procedures for managing out-of-the-ordinary or suspicious transactions and provide sufficient training for their sales personnel. Being able to identify suspicious transactions may be especially important for merchant account users involved in telephone payments, and employees should be provided clear instructions on the procedures to take to validate these transactions.

Your sales staff needs to be looking out for any of the following indicators of suspicious consumer behavior:

Hesitation. Look out for customers who hesitate or are uncertain when providing you with personal details, such as their ZIP code or the spelling of their street or last name. This is usually a sign that the customer is using a false identity.
Rush orders. Requests for a quick or overnight shipping - the consumer who needs to get the product immediately - should provide another red flag for probable fraud. While oftentimes completely valid, rush orders are among the most common signs of "hit and run" fraud schemes designed for obtaining products for a quick resale.
Random orders. Look out also for consumers who don't seem to pay much attention if a given item is not in stock. To reiterate, sales of this type may be designed for resale rather than for personal use.
Suspicious delivery address. Examine and flag any sale with a shipping address that is not identical with the billing address on the consumer's account.
- Requests to deliver products to P.O. boxes or an office address are not seldom linked to fraud.
- Keep track of ZIP codes associated with high fraud rates and validate any sale that has a delivery address in these locations.
- If your e-commerce credit card processing organization does not usually service international customers, be cautious when delivering to addresses outside the U.S., especially if it is a new customer or a rather large order.

In evaluating what looks to be an atypical order, bear in mind that if the order looks too good to be true, it most likely is.

Historical evidence suggests that online orders with these characteristics can be indicators to possible fraud. Suspicious web-based transactions are much like those in other non-face-to-face settings, although the web provides additional opportunities for online scams. The above list of possible fraud characteristics - compiled from the lists of industry experts - is provided to help you prevent fraud. An e-commerce credit card processing transaction with any one of these signs by itself is rarely a cause for alarm. When you discover several of them, this may be telling you that fraud may be taking place.

Credit Card Processing Companies Risk Exposure

2011-07-06T16:27:00.004-04:00

Merchants and credit card processing companies who store magnetic stripe information provide fraudsters with an appealing and vulnerable platform from which to collect sensitive account information. As the very essence of mag-stripe information theft keeps evolving, so does the requirement for retailers to continually strengthen their security controls and greatly limit their exposure to data compromise risk.

How Credit Card Processing Companies Can Limit Risk Exposure

Achieve PCI compliance. Merchants should work with their credit card processing companies to understand their data security role and what is required in regard to PCI compliance.
Do not keep mag-stripe information after obtaining transaction authorization. The entire contents of track data, which are read from the magnetic stripe by the POS device, must not be stored on any system after an authorized is received. If kept in a PCI-compliant fashion, the account number, "Good Through" date, and customer name are the only pieces of track data that can be stored.
Examine your current or pending payment applications. Perform a thorough evaluation of all such applications to ensure the non-storage of mag-stripe data. Verify the security of these applications using Payment Application Best Practices (PABP), which can be obtained from your credit card processing companies.
Report any account breach immediately after discovering it. If you suspect that such an event has taken place, alert all involved parties right away. Send a list containing all compromised card account numbers to your credit card processing companies within one business day. Keep in mind that the sooner you notify your bank for an account compromise, the sooner you shut the door closed for any counterfeit fraud and minimize your exposure.
Understand your liability for information security issues. Many merchant processing services contracts explicitly hold the retailers liable for any losses resulting from compromised account data if the retailer (and / or its service provider) lacked sufficient data security capabilities.

In the end of the day, an extra effort in prevention can go a very long way, as any costs that retailers and credit card processing companies expend up front to protect mag-stripe data are most likely going to be far lower than what they could end up paying in overall liability for data compromises.

Acquirers are liable for no more than 80 percent of the total number of card accounts implicated in a mag-stripe data compromise. The remaining 20 percent is the rough percentage of accounts that typically will need little or no work by the issuers.

PIN Security and Key Management in Processing Credit Cards

2011-06-29T16:44:00.000-04:00

All banks, retailers, and service providers processing credit cards that manage cardholder PINs and encryption keys must be fully in compliance with the PCI PIN Security Requirements. Here are some best practices on how to do that:

Use compliant point-of-sale (POS) equipment. Buy only POS terminals that have been PCI authorized. Work with your credit card processing companies or Encryption and Support Organization (ESO) to devise a plan that ensures that all installed attended POS terminals are approved by Visa and MasterCard and are using Triple Data Encryption Standards (TDES).
Do not store PIN blocks. Although PINs are safeguarded in an encrypted or enciphered mode within a transaction message, they must never be stored in transaction journals or logs subsequent to processing credit cards. Many processing settings have programs that are designed to overwrite or mask PIN blocks. Still, any acquirer of PIN-based payments must examine all inbound and outbound PIN-based messages to make sure that there is no logging of PIN blocks within any given system. Moreover, any temporary logging function for payment research or troubleshooting must provide for the active removal of PIN blocks. This rule helps prevent collecting and subsequent attacking of any large storage of logged encrypted PINs.
Always manage secure key injection procedures. When POS PEDs and host security modules are first installed, they must be safely loaded with encryption keys. Irrespective of the kind of tamper-resistant security terminals being installed, the principles of dual control split knowledge must be kept in place at all times to ensure the secrecy of the key being used. Additionally, retailers processing credit cards must design procedures that prevent any given person from having access to all constituents of a single encryption key. If a retailer uses an ESO for key injection into a POS terminal, the processor must register the ESO with the Associations.
Use only keys for a single purpose. To minimize the magnitude of data exposure if any key is compromised, encryption keys must be used solely for their primary intended purpose. This concerns all keys used in POS terminals and network processor links. Production keys must not be shared or replaced within an organization processing credit card's test system. All master keys or additional keys used in any production or test setting must be unique and unique for each environment. The use of any production key in a test system setting is a high-risk violation. Any production key compromised in the test system or any key that has been encrypted with such exposed keys is to be considered compromised and must be immediately replaced.

Credit Card Processing Companies Copy Requests

2011-06-22T18:15:00.003-04:00

This article will review the credit card processing companies copy request cycle. When an issuer initiates a copy request to a merchant bank, the latter has thirty days from that point to respond with a copy of the sales receipt back to the issuing bank. If the merchant bank sends the request to the retailer, it will tell them the exact number of days it will have to respond. The merchant account holder must adhere to the processing bank's time frame.

Once the retailer is sent a copy request, it has to retrieve the associated transaction receipt, make a high quality copy of it, and send it by fax, e-mail or mail it to the credit card processing companies within the noted time frame. The merchant bank will now send the copy on to the issuer, which will, for their part, send it to the disputing consumer. The question or issue the customer had with the transaction is most of the time resolved at that point.

Moreover, when a merchant sends the copy to the credit card processing companies, it needs to use a delivery mode that provides a proof of reception. If it sends the copy by mail, for example,it needs to be sent registered or certified. If the copy is transmitted electronically, there will need to be a written record of the delivery.

Telephone Copy Requests

Every now and again and to help their customers, issuers can telephone retailers directly to ask for a copy of a sales receipt. The merchant is not mandated to comply with such a verbal request from an issuer. Still, if it chooses to send a copy of the receipt, it have needs to make certain to save a copy for their own records as well. The merchant may find that they need it for some purpose or other later.

Copy Requests Responses

Responding to copy requests can save merchants both time and money. As retailer needs to always:

Comply with every copy requests it gets.
Comply with all requests in a timely manner.
Make sure that the receipt copy it transmits is readable.

A copy request that is not complied with or it is, but beyond the listed time frame, can solely be charged back for retrieval requests for Chargeback Reason Code 33 Fraud; if not a "true reason" needs to be submitted. Minimizing chargebacks can help merchants improve their customer service and revenues.

Credit card processing companies need to make certain they have correct data on the retailer's "Doing Business As" (DBA) name.

Accept Credit Cards Online With SecureCode Authentication

2011-06-17T15:31:00.003-04:00

MasterCard SecureCode provides a number of authentication choices for merchants that accept credit cards online that provide issuers with considerable leverage in both static and one-time password services to further expand online shopping security.

There has been a great desire to stay away from static solutions. The Associations already support a number of solutions, including the generation of dynamic numbers based on chips either embedded in a card (the so-called display cards), the use of point-of-sale (POS) readers, mobile payments applications and SMS of one-time codes.

The Associations have also partnered with credit card processing companies to evaluate risk-based authentication solutions that allow issuers to estimate both when they will authenticate a payment and how the authentication process occurs. This service is already provided to merchants that accept credit cards online as part of a solution for issuers.

In selecting the right platform, issuers have to look at the risk, reward and customer satisfaction to achieve a good balance. Each platform has differing costs for deploying it and the technology itself.

Following are a set of best practices concerning the authentication process itself:

3-D Secure pages and redirected URL must convey authenticity.
- For the card issuer's ACS visible security for consumers:
  - ACS can have Extended Validation Certificates that require more detailed investigation of the merchants that accept credit cards online by the certificate authority before issuing it. These certificates are distinguished by a green-colored URL in the browser.
  - ACS URL must be using its own domain name rather than the service provider's.
Use risk-based platforms that compile a profile of the PC being used by many financial institutions for their existing web-based banking solutions.
It is crucial to offer the consumer a way to retrieve a forgotten password while shopping, which happens at least 30 percent of the time. Still, an issuer needs to monitor for frequency of change etc., as this may be a sign that the account could have been compromised.
Rather than permitting a consumer to lock his or her card account through "Incorrect password used," consider enabling them to reset the password on the customer's last attempt prior to the lockout.

How to Accept Credit Cards Over the Phone Securely

2011-06-14T17:25:00.002-04:00

Card-absent merchants that accept credit cards over the phone should establish certain procedures for responding to and handling suspicious transactions. Merchant account users need to make sure that their sales staff is familiar with the following procedures and receive constant training on them.

For suspicious mail order and telephone order (MO / TO) transactions, retailers that accept credit cards over the phone should:

Make a Code 10 authorization call: A separate telephone call to the retailer's acquirer's authorization center asking for a Code 10 authorization lets the processor know that there are concerns about a transaction.
Ask the consumer for additional data: For instance, ask for the day-time and evening phone numbers and contact the customer back later. Some retailers ask for the bank name on the front of the card.
Separately confirm the transaction with the consumer: Send a note to the cardholder's billing address, rather than the shipping one.
Use directory assistance or web-based search services to locate or verify a cistomer's telephone number. Do not use the phone number provided by the cardholder for a suspicious transaction.
Confirm the order, resolve any existing discrepancies, and let the customer know that you are performing this verification as a protection against possible fraud.

When asking for some additional information to validate orders, employees that accept credit cards over the phone should use a regular conversational tone so as not to raise customers' suspicions. If a consumer balks or asks why the data is being requested, employees should tell them that they are attempting to protect cardholders from the high cost of fraud.

As always, common sense is your best protection against fraudulent attacks. Trust your instincts! If an order seems too good to be true, it most likely is. We hear all the time that what a retailer thought was a great sale soon turned out to actually have been a fraud. So invest the time to check out that great order that is being shipped halfway around the world to someone with whom you have never done business before. Some additional extra work may well protect you from being the victim of a fraud scheme.

Contacting consumers directly not only minimizes fraud risk, but also improves customer confidence and loyalty. The retailer's order verification procedures need to address the need both to identify fraud and to leave genuine customers with a positive impression of their organization.

Credit Card Merchant Account Discount Issues

2011-06-09T17:12:00.002-04:00

Understanding a credit card merchant account processing activity, statement or a report can be daunting at best of times. There is no accepted standard for displaying the various potential fees that can be charged to retailers. To simplify pricing models, many providers offer a bundled type of rate where all assessed fees are put together into one combined rate, usually known as as a discount. The problem is that the discount rate typically hides the real costs of payment processing.

In the worst case, bundled credit card merchant account arrangements feature many additional fees, which are completely invisible to the client. The purpose of this arrangement is to show the potential problems that can arise from such agreements.Examining some typical, payment-related, fee-billing processes for the two most commonly used credit and debit card networks, Visa and MasterCard, we will examine a whole range of problems associated with bundled discount rates compared to the known alternative which is the interchange-plus credit card processing fee structure.

Many clients agree to a discount-based agreement. In that, the credit card merchant account processor charges a percentage of the gross sale's amount. These agreements can also feature a fixed per-item fee for each sale. A client, however, cannot possibly know what percentage, or dollar amount for that matter, they are paying to each of the participants in the transaction cycle. The largest portion of the discount is made up by the charges that processing banks are mandated to pay the Card Associations and issuers to facilitate a client's transaction.

For instance, the client agrees with its processor to pay a discount of 2.75 percent, for "Qualified" Visa, Discover and MasterCard transactions. Qualified is usually defined as the lowest rate a client can get for a transaction. That discount is in essence paid out to several different parties. The largest percentage, let's assume 2.1 percent, is paid out to the card's issuer in the form of the interchange fee. The processor passes this amount to the bank that issued the card presented in the transaction.

A much smaller percentage of the discount, known as the Assessment, currently set at 0.11 percent, is paid to the Network (Visa or MasterCard) whose card is presented in the transaction. Additionally, the processor keeps a percentage (0.54 percent in our hypothetical example), which is the cost of processing the transaction. However, many clients billed under this arrangement see solely the discount rate in their monthly statements. This is the reason why the discount-based pricing arrangement makes it much more difficult for the credit card merchant account holder to know what precisely is being paid to what party and how much the clients are actually paying for the whole costs of processing.

High Risk Merchant Account Guidelines

2011-06-07T12:33:00.003-04:00

The increase in popularity of mail order and telephone order (MO / TO), as well as e-commerce and other high risk merchant account channels equals higher numbers of retailers that are now processing credit card transactions in settings where both the card and the cardholder are not present - and fraud can be hugely difficult to detect. This is the reason card acceptance procedures for such transactions are quite different from procedures for face-to-face transactions, but need to still allow retailers to establish - to the highest extent possible - the customer's identity and the legality of the purchase.

The following procedures outline the basic fraud prevention guidelines and best practices for high risk merchant account users.

Authorize All Card-not-Present Transactions

Authorization approval is required on all card-absent transactions. Card-not-present payments are all "zero floor limit" sales. Authorization should be done prior to any merchandise being shipped or service performed.

Get the Card Expiration Date

Any time it is possible, high risk merchant account users should ask consumers for their card expiration date and enter it in their authorization requests. Adding the date helps validate that the card and payment are legitimate. A MO / TO or e-commerce order, featuring an invalid or missing expiration date, can be an indication of a counterfeit card or other unauthorized use.

Get the Security Code

The card security codes are three-digit security numbers printed on the back of Visa, MasterCard and Discover cards and four-digit codes on the front of American Express cards that help verify that a consumer is in possession of the card at the time of the order.

Research shows that high risk merchant account users who include security codes in their authorization requests for card-absent transactions can limit their fraud related chargebacks, and should use the codes as a fraud detection tool.

Billing Address Verification with AVS

The Address Verification Service (AVS) permits card-absent retailers to check a cardholder's billing address with the one at the card issuer. An AVS request features the numeric portion of the billing address (street address and / or ZIP code). It may be transmitted in one of two ways:

As part of the authorization request, or
On its own. The AVS service checks the address data and sends back a result code to the retailer that shows whether the address provided by the cardholder is identical to the address on file with the card issuer.

What Everyone Should Know About E-Commerce Merchant Account Services

2011-06-01T19:00:00.004-04:00

There are certain basic pieces of information that all e-commerce merchant account services users should know. All merchants:

Are required to authorize their bank card transactions. If the account funds are present and the card has not been reported as lost or stolen, the payment will most likely be approved by the card issuer. For online merchants, it is critical to remember that an authorization approval is not a proof that the real cardholder is making the purchase or that a legitimate card is used.
Are subject to the Associations' chargeback rules and regulations for non-face-to-face transactions. A web-based merchant can be held financially liable for a fraudulent transaction, even if the payment has been approved by the issuer. This is due to the fact that there is a far greater chance of fraud resulting from the absence of a card imprint and a customer signature. E-commerce merchant account services users, however, can limit their fraud exposure with the adequate web-specific risk control infrastructure.
Must include an Electronic Commerce Indicator (ECI) for all online transactions. When provided as part of the authorization and / or settlement message, the ECI indicates that the transaction was an e-commerce one. This then allows the issuer to make a better informed authorization decision.

Issuers have at their disposal 120 days from the transaction date to charge back a transaction in which the consumer claims to have not taken part or to have not received what she purchased. This translates into the possibility that a fraudulent payment can end up presenting a substantial risk to the e-commerce merchant account services user long past the day on which the transaction was processed.

In fact, web-based merchant chargebacks have been quite similar to those for direct marketing (MO / TO) and card-not-present (CNP) - between 0.20% and 0.30% of sales volume. Some online merchants with insufficient or no fraud controls in place, however, are experiencing losses of 10% or higher.

In the e-commerce payment processing environment, the shipment date is taken to be the transaction date. Additionally, e-commerce merchant account services users have up to seven days to get an authorization approval from the transaction date.

The Associations' operating regulations apply to all online businesses that take credit cards. In implementing these policies and practices, web-based merchants should never violate Associations' rules by:

Imposing any surcharge fee on the card transaction.
Using the bank card or account number to collect other debts or bounced checks.

Non-Profit Credit Card Processing Requirements

2011-05-30T17:12:00.002-04:00

Non-profit credit card processing rules mandate that organizations should accept for donations payments made with any types of payment cards whose brands they have contracted to process at the time they signed the merchant agreement with their acquiring bank. Non-profits are jointly liable for the contractual obligations under the merchant account agreement they sign with their processor, for all of their locations.

Non-Profit Credit Card Processing Requirements

Non-profit organizations are not allowed to:

Post signs or otherwise state or suggest that they prefer, in a direct or indirect manner, any brand of payment products over another brand, provided they honor both.
Attempt to convince cardholders against using a given card.
Criticize or otherwise damage the reputation of a card brand or any of the brand's services or programs.
Attempt to convince a customer to use any kind of payment products over other types (for example cash, check, etc.).
Place any type of restrictions, conditions, disadvantages, fees or charges when a card is accepted for payment that are not imposed identically on all other kinds of payment products. There is an exception made for ACH funds transfer, checks or cash.
Engage in activities that damage the payment card business or brand.
Market any particular payment product (excepting the retailer's own private label bank card that they issue to customers for use solely at their establishments) more vigorously than the merchant markets the other brands.

Retailers are permitted to advertise rebates from their everyday prices for payments made in cash, by check or by ACH funds transfer, provided they plainly disclose all of the terms of the proposal (that is the everyday and lowered prices) to customers and that any such rebate advertised applies equally to users of all payment products.

Every time payment types are communicated to customers, or whenever consumers ask what kinds of payments are accepted, the non-profit credit card processing rules require organizations to indicate that they accept all types of cards listed in their agreement, according to the detailed guidelines of each brand, marketed as prominently and in the same manner for all payment products.

The non-profit is not allowed to use the marks of the Credit Card Associations (Visa and MasterCard) and Companies (Discover and American Express) in any fashion that may damage or otherwise diminish the goodwill of the particular company's logo or mark, nor are they permitted to indicate that the payment brand endorses the merchant's products or services sold. The merchant must only use the logos and marks as is explicitly needed to perform their functions under the contractual agreement and have to stop using them upon the termination of the agreement.

Recurring and Installment Payment Processing Services

2011-05-20T19:12:00.002-04:00

If merchants accept credit cards for the processing of recurring or installment payments, they need to be in compliance with all applicable rules applicable to each separate card transaction. A recurring or installment payment processing services plan constitutes an obligation, either of a variable or fixed amount, that is paid by a consumer with a series of payments over a given period of time.

Recurring Payment Processing Services Requirements

Merchants must be in compliance with all applicable requirements with regards to each amount debited to a card account in connection with a recurring or installment payment arrangement. If a retailer fails to comply with any one of these requirements, or if a cardholder initiates a dispute at any time over a particular card transaction installment of a recurring or installment payment plan for the items or services that the retailer has agreed to provide in connection with it, the issuer can, at its discretion, charge back the installment amount as well as any previous installments.

Recurring Authorization Approval

Retailers must receive a separate authorization approval from the issuer for each single installment charged to a card account in regards to a recurring or installment plan and the merchant must obtain this authorization prior to depositing the sales data with the acquirer. If the issuer authorizes a particular installment payment, that is not by any means a guarantee that any further installments will be either authorized or paid.

Cardholder Approval

The merchant must have the cardholder's approval for a recurring or installment payment. Be advised that a verbal cancellation is all that is needed from the consumer to put a stop to a recurring arrangement. The cardholder's approval, whether written or otherwise, must include all of the following details:

Cardholder's name, address and account number.
Amount of each individual installment, unless it varies.
Timing or frequency of the installment payments.
Duration of time over which the cardholder allows the merchant to charge installments to her card account.
The card acceptor's merchant number with the processor.
Card date of expiry.
Installment amount.

Payment Processing Services Rules for Submission of Transaction Data

The transaction data that the retailer submits to the acquirer must comply with the processor's requirements. If the processing agreement is terminated, the merchant should not submit data for recurring or installment payments that are due after the cancellation's effective date. If a cardholder who entered into a recurring or installment agreement has its card account terminated, the merchant should not deposit sales data as well.

Credit Card Payment Processing Guidelines

2011-05-18T17:49:00.003-04:00

Payment acceptance needs to be done in accordance with a set of rules established by the credit card associations and companies that are required of all retailers, operating both in face-to-face and non-face-to-face setting. Following is a list of credit card payment processing guidelines that merchants need to comply with.

Card Expiration Date

Merchants should always check the expiration date on the face of the presented card. It is valid all the way through the last day of the month shown on the card. If it has expired, the retailer is not allowed to accept it for payment and will need to call its credit card payment processing provider's authorization center.

Signature on Card

The card acceptor needs to verify that the card is signed within the signature panel on its back and validate that the cardholder name on the back of the card is identical with the name shown on the front of it.

If the presented card is not signed, the merchant needs to request two identification documents, at least one of which contains a picture of the cardholder. When the retailer has confirmed that the customer presenting the card is in fact the authorized cardholder, the customer needs to be asked to sign the back of the card.

Transaction Authorization Approval

If the merchant account user is processing face-to-face charges electronically, it will have to transmit the entire data contained in the magnetic stripe, along with their transaction authorization request by a swipe of the bank card through the point-of-sale (POS) terminal. If the POS device cannot read the magnetic stripe information and the retailer is forced to resort to keying the payment details in to request authorization, it will have to also take a manual imprint of the face of the card as proof of its presence. If the credit card payment processing account user fails to obtain a manual imprint for any one of its keyed payments, the issuer will have full recourse for the transaction.

Whenever the POS device is unable to connect to the issuer's electronic authorization system, the retailer should contact its processor's voice authorization center.

For transactions for merchandise or services that are shipped or provided or alternatively for payments made to the merchant more than thirty days after the order is placed, the retailer will need to obtain an authorization approval at the time the order is placed and then again right before it ships the item or provides the services to the customer.

Accept Credit Card Transactions the Right Way

2011-05-13T16:30:00.002-04:00

When merchants accept credit card transactions at the point of sale (POS) the right way, they become an important part of the payment processing system. That is the reason it is incredibly important that the merchants begin with a right picture of the bank card transaction process and answer the following questions:

What the process is.
How it functions.
Who is involved in it.

This basic understanding will give merchants the important basics for the policies and procedures concerning the processing of credit card payments. It will also be helpful to realize what role the major participants in the card processing play and how they relate to the way merchants do business.

Who Participates In the Card Process

Other than the merchant and its customers, several other participants are involved every time retailers accept credit card transactions. Following is a summary of what each party does in the process:

Cardholder is the authorized user of a Visa, MasterCard, Discover, American Express or a payment card of another brand.
Card acceptor is any merchant that is authorized to accept credit card transactions of any of the payment brands for the purchase of merchandise and services.
Processing bank is a financial organization that contracts with card acceptors to accept payment cards for the purchase of merchandise and services. A processing bank may also use with third-party organizations to provide these and many other services.
Card issuer is a financial organization that maintains a relationship with the cardholder (the authorized user of the payment card). It issues bank cards and contracts with its customers for the billing and payment of amounts used.
Visa and MasterCard (The Associations) are membership-based companies, comprised of financial organizations that issue bank cards and also have relationships with card acceptors to accept their cards for payment of merchandise and services. The Associations offer payment card products, market their brands, and set up the rules and regulations regulating the participation of their members in their programs. They also happen to operate the biggest global payment processing platforms to make possible the flow of payments between banks. Crucially, and very much the flash point of the current dispute between retailer organizations and bank lobbies, the Associations also get to set the so-called interchange rates, which determine the amount of the fees issuers charge merchants for each transactions involving one of their cards. Under a proposal from the Federal Reserve, interchange fees for debit cards will be limited to 12 cents per transactions, beginning in July.

E-Commerce Merchant Account Data Compromise

2011-05-05T19:42:00.002-04:00

E-commerce merchant account data compromise event (ADC) is an occurrence that results, in one way or another, in the unauthorized access to sensitive card account data. A potential ADC event is an occurrence that may result in some way in the unauthorized access to card account data.

Data security vulnerabilities in a web-based credit card processing setting may not necessarily be known. Yet, there may be signs of a data security breach, unauthorized access, or possible indicators of misuse of information within the payment processing environment that may be pointing to an ADC event or a potential ADC event. The following list shows examples of such events:

Web connections from non-business-related internet protocol (IP) addresses or inbound web connections coming from countries that have no business relationship to the potentially compromised business or outbound web connections to non-business-related IP addresses or locations or both.
Access from unidentified or inactive user IDs or excessive user activity.
Uncovering of malware, suspicious files or programs in a setting, or unusual activity or volume in the network systems.
SQL injection activity on internet-facing systems.
Point-of-sale (POS) machines and ATM terminals showing indications of tampering.
Key-logging discovered.
Card-skimming machines found.
Lost or stolen transaction receipts.
Lost or stolen bank card data.
Lost or stolen computers, laptops, hard drives, or other electronic devices that contain payment card information.
Files containing card account data mistakenly sent to an unauthorized party.

If any activity related to any of the above items is uncovered, it is mandatory to immediately initiate an investigation.

Once the ADC event is reported, the requestor needs to monitor the ADC reporting form status codes.If the affected Credit Card Network receives a report of a potential ADC event or an ADC event, it may verify the information shared by the member bank through the ADC Reporting Form. When applicable, the Association will work with the acquiring banks of record to ensure compliance with applicable rules.

Registered users from the affected processing bank need to access the ADC Reporting Form online within five days of the e-mail by navigating as follows below:

Log in.
Go to "My Products" in the Products drop-down menu.
Select Association Alerts.
Click "Yes" in the Security Warning dialogue box. The Association Alerts disclaimer page opens up.
Go over the disclaimer, and then click "Agree" if you accept the terms.
On the Association Alerts page, click "ADC Summary."
From the ADC Summary page, select the tracking number that matches the one in the e-mail notification.
Select the Section B tab and fill out the data fields there asking for the acquiring bank's contact information.
Click "Save."

Merchant Credit Card Processing Partial Authorization Guidelines

2011-05-02T18:58:00.003-04:00

If the balance on a customer's prepaid or debit card account is less than the sale's amount, merchant credit card processing partial authorization procedures make it possible to complete the payment by using the remaining available balance on the card, plus an additional method of payment like cash or another card. This is known as a "split tender" transaction.

If a prepaid card that is used is a gift card or an incentive card, the remaining balance will be automatically communicated to the retailer's point-of-sale (POS) terminal where it can be printed on the transaction receipt.

How Merchant Credit Card Processing Partial Authorizations Work

Here is the sequence of processing a partial authorization request:

The customer's prepaid or debit card balance is smaller than the purchase amount.
The retailer submits a payment processing authorization approval request for the full sale's amount (not including the tip) with a Partial authorization indicator.
Due to insufficient funds, the card issuer sends a partial approval back to the retailer.
The retailer's POS terminal identifies the specific response code and deducts the partially authorized amount from total sale's amount. Keep in mind that in a full service environment, the POS device prints two receipts - one showing the partial authorization transaction amount (without a tip line), and a second one displaying the remaining amount due plus the tip line to show the amount as still outstanding.
The cardholder pays the remaining balance of the sale's amount with another method of payment.
The sale is finalized and a sales receipt is printed displaying the split tender amounts. If in the case of a Balance Return response, the current card balance is also displayed, but it can be formatted as shown below to maintain cardholder privacy:
- If the returned account balance is lower than $200, the POS terminal prints out the exact balance (that is, "Balance Remaining: $58.65").
- If the returned account balance is in excess of $200, the POS terminal prints out "Confirmed," rather than the dollar amounts (e.g., "Balance Remaining: Confirmed").

Protect Your Merchant Credit Card Processing Account Against Fraud

While processing the transaction authorization, always examine the card's security features. Any sign of alteration may signify that you are dealing with a counterfeit card.

If you get an authorization approval, but still suspect fraud, you will need to make a Code 10 call. You will be connected to the issuer's authorization center and a representative will ask you questions to verify the validity of the transaction. Follow her instructions on how to proceed with the transaction.

Visa Credit Card Services Chargeback Monitoring

2011-04-28T12:31:00.002-04:00

Both of the Credit Card Networks (Visa and MasterCard) and companies (Discover and American Express) have devised and instituted credit card services programs for monitoring and managing the chargeback levels of the merchants accepting their bank cards.

Visa monitors the chargeback performance of all businesses and non-profit organizations accepting their cards on a per-month basis and notifies the respective processing bank (also known as a merchant bank or simply an acquirer) whenever any one of its card acceptors reaches or exceeds excessive chargeback rates. Visa considers chargeback rates of 1 percent or higher to be excessive.

Whenever it is informed of a card acceptor with excessive chargeback rates, processing banks are required to take strong measures to decrease the merchant's chargeback rate. How this is done will depend on the interaction of a number of factors, such as the merchant type, processing volume, geographic location, and other credit card services risk factors. Often card acceptors are required to give their sales personnel with additional training on credit card processing procedures. Card acceptors may also be asked to work with their acquiring banks to design and implement a detailed chargeback-lowering plan.

Visa may assess monetary penalties on processing banks that are unable to reduce their card acceptors' excessive chargeback levels. Visa has designed two separate chargeback monitoring programs:

Merchant Chargeback Monitoring Program (MCMP). MCMP monitors chargeback ratios for all processing banks and card acceptors on a per-month basis. If a card acceptor reaches excessive chargeback levels, Visa informs the affected acquiring bank in writing. MCMP applies to all credit card services users with more than 100 total transactions per month, including sales, credits, etc., in excess of 100 chargebacks, and an overall chargeback-to-transaction ratio of 1 percent or higher. The initial notification of an excessive chargeback ratio for a given card acceptor is considered to be a warning. Visa assesses fines only if remedial actions are not performed within a pre-defined period of time to get the chargeback ratio back to acceptable rates.
High-Risk Chargeback Monitoring Program (HRCMP). HRCMP is specially developed to limit excessive chargeback rates by high-risk businesses. High-risk card acceptors include charities, custom made items, diet programs, discount buying clubs, fortune tellers, gambling advice, telephone prepaid cards, ticket brokers, toor to door sales. HRCMP applies to all high-risk card acceptors with greater than 100 total payments per month - sales, refunds, etc. - in excess of 100 chargebacks, and a total chargeback-to-payment rate of 1 percent or higher. Unlike the MCMP, under HRCMP, there is no warning period and charges of $100 per item are imposed immediately if a card acceptor has an excessive chargeback level.

Visa also monitors international transactions and chargeback levels through its Global Merchant Chargeback Monitoring Program (GMCMP).

Merchant Account Reserve Basic

2011-04-26T12:09:00.002-04:00

When a card acceptor is asked to leave a reserve, a portion of its revenues from the monthly transactions is held in an escrow account as protection against possible future losses from chargebacks that the merchant account provider may incur. Reserves are imposed mostly on high-risk businesses and, upon the successful completion of a predefined period, the funds are released back to the retailer. A particular form is the so-called "rolling reserve," where the funds are held each month for a period of typically 6 months. On the 7th month the 1st month's reserve is released to the retailer, then on the 8th month the 2nd month’s reserve is released and so on until the reserve is exhausted.

A reserve can also be required by a merchant account provider if a card acceptor has a bad credit score, on top of a personal guarantee. Usually, whenever a reserve is imposed, the minimum reserve amount in the merchant account is calculated at about 20% or so of the expected overall credit card processing volume. New businesses are typically allowed to build up their reserve amount by keeping transaction amounts which are not taken out until the minimum reserve amount is compounded; after that, the card acceptor is allowed to take possession of the excess money for funding into their bank account.

Every merchant account provider has a unique underwriting policy and its reserve mandates will vary, so it is a great idea that you should obtain multiple merchant account proposals prior to making a decision. It can just turn out that one of the processing banks will not have a reserve requirement for you. You need to also keep in mind that the reserve is just one of the factors that you should evaluate when selecting a payment processing provider. Processing fees are another one and we have examined them in other posts. Listed below is a breakdown of the rates and charges that make up the processing fees:

Discount rate - what the card acceptor is charged by his processor for acquiring the merchant's payments. It consists of a percentage rate (e.g. 2.15%) and a fixed, per-item, fee (e.g. $0.20).
Authorization fee - another per-item fee. You must not agree to pay more than $0.10 for any type of merchant account.
Application or set up fee - both are one-time charges to which you should not agree!
Monthly service fee - as the name of this fee suggests, it is assessed monthly to maintain your account on file. It should not exceed $10.
Support fee - another per-month fee charged for customer service and you should not agree to be paying it.
Payment gateway fee - specific to web-based merchants. It should not be costing you in excess of $19.95 per month.

Best Payment Processing Practices for Managing Invalid Chargebacks

2011-04-21T18:54:00.004-04:00

Charged-back payments are bad business for everyone involved in the transaction process and the Credit Card Associations of MasterCard and Visa have set up complicated chargeback verification processes that help considerably minimize chargeback rates and substantially improve the chargeback process. These processes can also help minimize frivolous customer disputes and more importantly invalid chargebacks, decreasing their negative impact on the merchant's bottom line in the process.

Best Payment Processing Practices for Managing Invalid Chargebacks

Whenever the Credit Card Associations detect an invalid chargeback, they will return it to the card issuer that initiated it, and the business and its payment processing provider will never notice it. Most of these companies have also set up processes to regularly review exception items, allowing them to resolve issues before the chargeback has started. Taken together, these procedures ensure that all chargebacks that merchants actually receive are real or that the ones that get through the system can only be addressed by the merchant.

At the same time, although chargeback verification systems are becoming increasingly sophisticated and reliable, there is always a probability that an invalid chargeback will sneak its way by the system and into your monthly payment processing statement. What is more, a chargeback can get through the verification systems, as it adheres to all of the e-commerce merchant account provider's requirements, and yet be totally invalid. In these cases you will need to follow through as quickly as possible and submit your supporting evidence (like transaction receipts, invoices, etc.) to your merchant account provider as a proof that the transaction was valid.

Invalid chargebacks will never be altogether eliminated but you can greatly minimize their occurrence by designing and following through with a set of best payment processing practices for acceptance of credit cards. The way you accept and process bank card orders and other types of electronic transactions must be compliant with all applicable Visa and MasterCard regulations that were instituted precisely in order to help you minimize chargebacks and downgrades (the process of charging non-compliant transactions fees that are considerably higher than your advertised rate).

If the level of invalid chargebacks remains stubbornly high, even though you have invested all these efforts to reduce them and you have gotten help from your payment processing provider, it may just be conceivable that your acquirer lacks the expertise to resolve the problem and your best course of action could be to move to another service provider. Make certain that you do your due diligence when examining the various prospects and evaluate all sides of their service. Contact merchants that are currently using your prospective processor's platform and see if you can gauge their level of satisfaction. Bear in mind that the right acquirer can save you money and help your business grow.

Fraud Prevention Guidelines for Online Payment Processing

2011-04-19T16:34:00.002-04:00

Our readers know very well that, as far as fraud prevention is concerned, non-face-to-face transactions are much more problematic in that they are quite different from the payments that merchants operating in a card-present environment face. As online payment processing is by default done in the virtual reality, the merchant never actually sees and evaluates either the card or the consumer.

On the bright side, though, there are a great number of solutions and best practices that, if implemented with each transactions and followed constantly, will help MO / TO and e-commerce merchant account users minimize fraud and improve their bottom line.

Fraud Prevention Guidelines for Online Payment Processing

If you do your online payment processing in a non-face-to-face setting, incorporate the following suggestions into your processing cycle for each of your transactions:

Get an authorization approval for all payments. The floor limit for all card-not-present payments is always zero and all that means is that you have to ask for and receive an authorization approval for each transaction, whatever the payment amount.
Get the card's expiration date. Always ask your customer to give his card's expiration date. It is used as another way to validate that the cardholder is in a physical possession of his card at the time of the transaction.
Get the card's security code. Card security codes are the three- (for Discover, MasterCard and Visa cards) and the four-digit (for American Express cards) codes on the back (for MasterCard, Discover and Visa cards) or the front of a payment card (for American Express). Obtaining the card security code in a card-not-present transaction is a very powerful way to verify that the consumer is actually in physical possession of his card. Bear in mind that you must never store the card's security codes anywhere in your database. This practice is forbidden by the Credit Card Associations and violators, if caught, will be slapped with steep fines.
Use the AVS (Address Verification Service). The (AVS) allows card acceptors to verify the validity of the billing address that a consumer has provided at the checkout. It does that by sending the submitted address, through the Credit Card Associations, to the credit card's issuer. The issuer then matches the received address to the one it has on file for its own cardholder and sends back a response code that lists the result of its verification process.

Using the above mentioned fraud prevention solutions and processes will help limit fraud and minimize chargebacks. Call your online payment processing company if you need any additional information or assistance.

Credit Card Merchant Services with AVS

2011-04-15T18:23:00.002-04:00

AVS (Address Verification Service) is the most commonly used fraud prevention service for enabling businesses to do their credit card merchant services in a way that allows them to validate the billing address provided by the customer by comparing it to the one on file with the card issuer.

Credit Card Merchant Services with AVS

Using the AVS is fairly straightforward, after your credit card processing provider has established the service for you. First you ask that the customer provides her billing address and then submit the information, along with the other transaction data, to your processor for an authorization approval. Then the address provided by the cardholder will be routed on to the issuer for validation. The issuer then compares it to the one it has filed for its own customer and will automatically send you back a response.

AVS and transaction authorization requests are processed at the same time and, within only a few seconds, the merchant will receive the two results.

AVS Responses and How to Use Them

AVS Response	What It Means
X - Exact Match	The address and the 9-digit ZIP code are the same. In this case, and if all other fraud results are negative, go forward and process the transaction.
Y - Match	The address and the 5-digit ZIP code match. In this case just follow the above suggestions.
A - Partial Match	The addresses match, but the ZIP code does not. This is a sign of a probable fraud. In this case you may want to do some more investigation prior to reaching a decision.
Z - Partial Match	The ZIP codes match, but the addresses do not. This is a strong sign of a probable fraud, so you need to follow the above suggestions.
N - No Match	Neither the addresses nor the ZIP codes are the same. This is a strong sign of probable fraud. You will need to take additional validation steps.
U - Unavailable	The issuer's system is down and the address can't be validated. In this case you will have to base your decision on other factors.
R - Retry	The issuer's system is temporarily unresponsive. Just try again a bit later.
U - no AVS Support	The issuer does not support AVS, so you will have to decide on whether to process the transaction or not based on other factors.
G - Global	The address is outside the U.S. and the AVS service can't be used. You will have to use other tools to verify the veracity of the transaction, that is if you accept international payments in the first place.

In case a payment is authorized and the AVS Response Code is "U" (no AVS support) and the payment is charged back to you, your acquirer can re-present it for you again. In the U.S. issuers have to support AVS or they will lose their right to chargebacks related to fraud.

What Everyone Needs to Know about Payment Gateways

2011-04-12T17:40:00.002-04:00

A bunch of inquiries coming constantly into our company's email boxes and inquiry forms over the past few months that convinced me that I need to offer a refresher course on the very basics of payment gateways. This article will explain to you what gateways are and what they do and will review the payment process.

Payment Gateway Basic Details

Payment gateway is a web tool that is used to transmit payment data from a commercial website to a acquiring bank. So gateways are the internet equivalent of the physical point-of-sale (POS) terminal that is used by physical merchants in face-to-face transaction processing settings. The sales data are encrypted to ensure that the account data are transmitted in a secure way.

Payment Gateway Payment Process

Payment gateways are set up by connecting the website's shopping cart (you need to build a shopping cart before applying) with the processor's back-end system. The payment process goes as follows:

A consumer places a sales order on your e-commerce website and submits his or her payment card account details.
The transaction details (credit card, amount, etc.) are encrypted by a service called secure socket layer (SSL) and sent on to the retailer's server.
The payment gateway at this point gathers the transaction information and, after another SSL encryption process, routes it on to the merchant account back-end server.
The credit card processing bank at this point routes the payment data on to Visa or MasterCard.
If the customer has used a Discover or an American Express card, the process is slightly different, as in this case the issuer is also the acquiring bank. So Discover and AmEx make a decision on whether or not to approve or decline an authorization of the transaction and then send their response back to the retailer.
(Visa or MasterCard routes the payment information to the card issuer.
The issuer now either approves authorization of the payment or declines it and sends its response via a code back to the acquirer. The responses for declined payments also provide details for the reason it did not get authorized.
The acquirer now sends the response code (again using the payment gateway) to the website and it is shown in the visitor's browser.

The payment process may look complicated, however in its entirety, from providing the payment information to receiving the response code, takes just a few seconds.

The retailer now completes the service or delivers the merchandise and then deposits the payment amount. You should never settle transactions prior to the shipping the merchandise. The reason is that, if the consumer notices the transaction amount on his statement or activity log (now accessible on the web in practically real time), before receiving the item, there is a good chance that the sale will be disputed and lead to a chargeback.

Considerations to Accept Online Payments

2011-04-06T16:53:00.003-04:00

If you want to be able to accept online payments, you need an e-commerce website with the following features available:

An already functioning website with an SSL certificate set up.
A functioning shopping cart, which is the service that allows your visitors to collect and manage the items they are interesting in purchasing.
Payment gateway, which is the online version of the point of sale credit card machine that facilitates the transfer of data between your website and your acquirer, swiftly and securely.

The first two items should be provided by your web designer. The e-commerce payment gateway tool may be sold and set up for you by your credit card processing company that you will elect to work with.

You must not pay anything until you actually start to accept online payments through your website. Your biggest consideration, though, as far as rates and fees are concerned, should be your bank card rates. You must carefully evaluate your pricing agreement before making your decision about which processor to choose. I would recommend that you examine pricing proposals from at least ten payment processing providers. The cost to accept online payments consists of multiple components and you need to understand precisely how much you will be charged for each one of them. Listed below is a breakdown of the most typical fees associated with an e-commerce merchant account:

Discount rate - the fees a card acceptor is charged to accept online payments. It is made up of a percentage fee (for example 2.05%) and a fixed fee (e.g. $0.20).
Authorization per-item fee - paid on a "per-transaction" basis, it should be no more than twelve cents for any type of service.
Application processing and set up fee - both are one-time fees that should not be agreed to!
Monthly service fee - as the name implies, this fee is assessed on a monthly basis and should not be exceeding $15.
Support fee - a monthly charged assessed for customer service that you should not be paying.
Payment gateway charge - specific to the online payment processing industry and charged on a monthly basis. This fee should not be in excess of $19.95.

If you notice that there are any other rates or fees on your pricing agreement, you will be very well advised to look for a processor elsewhere. Remember that there are hundreds of them, so there is no shortage. Additionally, some processors may be able to provide you with a line-by-line comparison of their pricing schedules with the competition's.

Flat Rate Merchant Account Lowdown

2011-04-01T16:32:00.003-04:00

Pricing is always at the top of the list of factors that merchants tell us weigh in their decisions when choosing a credit card processing vendor. This is hardly surprising, as we all first look at the price when choosing a provider for one item or other. If we like the price, then we will also examine the other features.

This is a fact that of course has not escaped us and we have been working on a pricing model that would be at once simple, so that applicants can right away understand how it operates and cost-effective, so that it does save money for our merchants and convinces them to accept our proposal. It is not as easily done as you may expect, but at last we came up with the flat rate merchant account pricing, which does just that.

Why Don't Simple and Cost-Effective Go Along?

The flat rate pricing model is our latest and best attempt to unite the strengths of the two existing models: the cost-plus and the two- and three-tiered pricing structures, while minimizing their shortcomings. We still offer both of these older structures, in case a business explicitly requests a pricing based on either of them, however we think that the latest one is far better and always tell that to everyone who contacts us.

You know, the problem with either one of the older pricing models is that it is very difficult to predict with any degree of confidence exactly what rate any single transaction will be processed at. Unsurprisingly, merchants find the uncertainty confounding and unacceptable (after all, most of our merchants are not theoretical physicists!). And they tell us straight! Additionally, applicants explicitly let us know us that predictability is at the top of their list of priorities and that they want to be able to estimate with as high a degree of precision the total amount they would be charged for processing each month as possible.

Does Flat Rate Merchant Account Pricing Actually Achieve Predictability?

Yes, the flat rate merchant account pricing model is actually as predictable as it is possible for the really simple reason that it is a model that only has one rate for all type of cards and payment circumstances. That way businesses know precisely what rate any single payment will be receive before it is processed. For the very same reason merchants can't get overcharged. It only makes sense that if you are given a price in advance and have agreed to it, you can't really be overcharged.

Online Credit Card Payment Processing Fees

2011-03-29T18:00:00.002-04:00

Virtual stores generally pay significantly higher fees for their online credit card payment processing services than brick-and-mortar merchants. This is commonly known and I think it will not surprise you. But what is the reason for it? More importantly, what should be the fees you should be paying? I will answer these questions in this post.

Why Are Card-not-Present Fees Higher?

So card-not-present transactions cost more to accept, because they are much more likely to result in customer disputes than face-to-face payments. This is a problem, in turn, because disputes have the bad habit of often deteriorating into chargebacks, which are seen as a bogey man by Visa, MasterCard and your merchant account vendor.

What Is the Problem with Chargebacks?

The issue is that if your chargeback level is left to exceed 1 percent of your overall transaction count, your credit card processing account will be suspended either by Visa or MasterCard, which makes no difference. What will happen way before that is that your merchant account vendor will suspend your service way before the level comes anywhere near 1%. See, processors get fined by Visa and MasterCard if your chargeback level exceeds this threshold and they won't allow it.

Now you can understand that the higher fees payed by e-commerce merchants are in essence an insurance premium against possible chargeback problems.

Card-not-Present Rate Considerations

The bullet points below represent the various components making up your total processing cost and our suggestions for what you should pay for each one of them:

Discount rate. Web-based processing rates should not be above 2.09% for credit and 1.89% for debit cards for regular card types. Other types of cards, most prominently rewards and business-to-business, are often processed at much higher rates. Much of what you pay would be dependent on the type of pricing model used by your processing bank. Some of them, for example, will offer you one rate for both credit and debit cards. The issue with this approach is that interchange fee for debit cards are much lower, which means that such models would be overcharging you. A much better solution would be based on the pass-through pricing structure, where your processor's rate is added directly on top of the interchange fees, effectively making certain that no single transaction costs you more than others.
Transaction fees. Transaction fees should not be higher than $0.30 per item.
Application and account set-up fees. No such fees should be agreed to!
Gateway set-up and monthly fees. E-commerce gateways are services that connect e-commerce website shopping carts with the acquirer's back-end payment systems and transmit data back and forth between them. For example, the best known gateway is Authorize.Net, which you might be able to get set up for under $50 and pay as little as $10 per month.
Statement fee. This is a monthly fee that can have a variety of names, but the point is that you shouldn't be charged more than $9.99 for it.
PCI compliance fee. This is a new fee that could be assessed either monthly or annually. Either way, it should be below $199 a year.

To conclude, always examine a pricing proposal as a whole, not its components individually.

How to Take Credit Cards when the POS Terminal Is Down

2011-03-25T16:07:00.002-04:00

I'm sure it has happened to you: you've tried to check out from a grocery store or Starbucks or whatever and the POS terminal simply would not read your card. I'm sure that one way or another you have been able to complete the transaction and have forgotten about it by now. But I can guarantee you that, if you have been on the other side of the cash register, you would've had a much tougher time forgetting it.

In this article I will examine the issues that may prevent terminals from reading cards and will suggest a list of procedures on how to take credit cards or substitute them with other forms of payment in such situations.

Issues Preventing Terminals from Reading Cards

The major reasons that could prevent cards from being read include:

The equipment at the check-out is not working properly.
The consumer is not swiping her card correctly.
The card itself is damaged in some way, most likely the magnetic stripe is demagnetized. Be advised that such issues may happen by chance, but they can also be caused by a fraudulent alteration of the card.

What to Do When the Card Cannot Be Read?

Following is a step-by-step guide on what you should do when your equipment cannot read a card:

First of all, to isolate the problem, inspect the equipment to verify if it is functioning adequately and ensure that the consumer is swiping the card correctly.
If the equipment is working properly and the card is swiped the right way, look at the card itself to verify that it is not damaged or tampered with in some way.
If the reading issue is caused by a problem with the card itself, you have several alternatives on how to handle the situation and you will need to create a set of procedures to be followed each time such a situation arises at the check-out. For instance, you may want to ask the consumer for another method of payment (e.g. check, cash, another card, etc.). Another alternative is to override the swiping procedure and key-enter the payment information instead. Yet another option is to obtain a voice authorization approval from your merchant account provider.
If you decide to manually enter the payment information or to ask for a voice authorization, Visa and MasterCard rules require you to take an imprint of the front of the card. The imprint's image needs to be placed on the original credit card transaction receipt or you can print out a separate one and have it signed by the cardholder. This is important, because it gives you re-presentment rights in case of a chargeback.

Finally, you should know that key-entered payments carry higher processing fees..

Credit Card Processing Best Practices for Hotels

2011-03-21T17:44:00.002-04:00

Credit card processing at hotels, motels and other lodging establishments is done under some very peculiar circumstances that need to be accounted. Owners and operators of hotels need to be closely acquainted with these circumstances and be able to implement the rules that govern them into their payment acceptance processes.

My goal in this article is to explain what these unique circumstances are and to offer a set of best payment processing practices you will need to incorporate into your own process:

First of all, if a customer has prolonged his stay or if any additional fees need to be added to the original amount, you will have to get an authorization approval for the difference from the card issuer. If you fail to do that, the whole transaction amount can be charged back to you. But remember that you have already obtained an initial authorization approval, so you only need one for the additional amount. Following are the rules on how to do that:
1. Just as all other transactions, you need to follow your standard transaction authorization process when requesting an approval for the additional amount.
2. If the authorization request for the additional amount is rejected, do not send the amount for settlement. Instead, contact the customer and ask that he provides an alternative form of payment for the additional amount.
You should solely deposit for settlement the originally authorized amount. If the authorization request for the additional amount was declined, you need to:
1. Settle the amount that was previously authorized and leave aside any amount for which authorization was rejected.
2. Promptly contact your customer and ask for an alternative form of payment for the amount for which authorization was not received.
Request an authorization reversal whenever the initially authorized amount is greater than the total cost of the hotel stay. Instead, you will have to issue an authorization reversal for the difference.
Use the final authorization and the fifteen percent rules. When your customer checks out, authorization approval is needed in the following instances:
1. There is no original authorization. There is no need to elaborate on this requirement.
2. There is an initial authorization, but the eventual amount is greater. In such cases you need to use the 15 percent rule to estimate whether or not an additional authorization approval is needed. Here is how to do this:
  1. Add 15 percent to the already authorized amount.
  2. Compare the total you received to the actual amount of the stay.
  3. When the final transaction amount is greater than the total calculated as previously shown, issue an authorization approval for the difference.
Obtain customer acceptance of your terms and conditions. Inform your customers what your terms and conditions are before they make a reservation. In particular, you have to disclose these details:
1. Your cancellation policy.
2. Your policy on "no-show" charges and whether or not they will be added to the total amount or billed separately. and when they will be applied.
3. The way your hotel's name will be displayed on your customer's monthly card statement.

How the Interchange-Plus Pricing Credit Card Processing Pricing Works

2011-03-17T18:58:00.004-04:00

We have just added a new interchange-plus pricing to our quickly expanding line-up of pricing models and I thought I should say a few things about it. The new pricing structure is available to businesses and non-profits that accept credit cards in both card-present and card-not-present setting.

Most card acceptors place pricing at the very top of their lists of criteria used when selecting a merchant account provider. It is completely understandable and most of us do exactly the same when selecting service providers anyway. Still, providing low pricing is the only way a credit card processor can be competitive these days and it is the reason why UniBul Merchant Services has launched an interchange-plus credit card processing model. It works by adding UniBul's mark-up to the interchange fee established by Visa and MasterCard for each bank card transaction. By ensuring that the surcharge is as low as possible, UniBul guarantees that the card acceptor gets the lowest available processing rate.

UniBul Merchant Services' new interchange-plus credit card processing pricing structure charges no fixed monthly fees. Following is a list of all rates and fees:

Application processing - $0.
Processing account set-up - $0.
POS terminal set-up or reprogramming - $0.
Payment gateway set-up - $0.
Payment gateway monthly fee - $0.
Monthly service - $0.
Visa / MasterCard discount rate – 0.25% + $0.15 above interchange fees.

The business' processing rate is the sum of whatever the processor (e.g. UniBul Merchant Services) charges and whatever Visa or MasterCard charge. With the interchange-plus credit card processing model, the rate the processor assesses is exactly the same for all card types, which guarantees that the card acceptor does not get overcharged for any transactions that may otherwise have been classified as "mid-" or "non-qualified." The final processing cost will vary by transaction, because the fees charged by Visa and MasterCard also vary by card type.

Other benefits of UniBul's new pricing model include:

Same-day application decision.
Full disclosure of all processing fees before any commitment is made.
Global credit card processing capabilities to support all major American and foreign card brands.
Wide range of third party payment services to accommodate customers who cannot use cards.
Direct ACH fund deposits into your bank account as soon as on the day following the transaction.
Chargeback and risk management programs to help minimize your fraud exposure.
Online client center to give you instant access to all of your account information.
24 / 7 US-based customer service center for a superior merchant support.

"This is the best interchange-plus pricing structure in the industry and it ensures lowest total cost of processing credit cards," commented Greg Stanski, VP of sales for UniBul Merchant Services. "When you compare pricing models, you have to calculate the total card acceptance costs. Lower headline rates may be advertised on other websites, but you may get hit with set-up fees , additional fees for accepting business-to-business cards and corporate cards (the so-called mid-qualified and non-qualified fees), etc.," he added.

Businesses Unqualified for U.S. Merchant Processing Services

2011-03-14T19:31:00.003-04:00

Not all legally operating U.S. businesses can set up merchant processing services. The reason is that some business types are determined to be unacceptable because of the high risk involved. The determination on which industries are to be considers unqualified is made by individual credit card processing companies, under the guidelines of Visa and MasterCard. These qualifications are flexible, so an industry that may be acceptable to one processing bank may be unacceptable to another and vice versa.

When determining who should go on the list of business unqualified for merchant processing services, the biggest factor taken into account is the probability for generating chargebacks. The data for some industries show that chargeback rates have historically been way too high. However, you need to be aware that your chargebacks rates too will be closely monitored, even if you do get approved. If in any month your business reaches a chargeback rate of one percent or higher, your merchant processing services account will be suspended and, if you can't get them under control, eventually you will lose the ability to accept credit cards.

That being said and considering that processors make their lists on their own, if your business falls into one of the following categories, you will most certainly not be able to set up merchant processing services:

Any business engaged in illegal activity.
Lottery clubs.
Mail order brides and any international match-making services.
Medical benefits packages, including discount medical cards.
Marijuana dispensaries and all affiliated service types.
Merchants or principal owners listed on MATCH.
Merchants physically located outside the U.S.
Merchants engaged in any form of deceptive marketing practices including hidden disclosure, bogus claims and endorsements, pre-checked opt-in boxes and refund / cancellation avoidance.
Money services businesses.
Money transfer services.
Mortgage or loan modification.
Mortgage reduction services.
Multi level marketing or pyramid schemes where the primary objective is the solicitation of new distributors, rather than the sale of products or services.
Non-face-to-face sale of prescription drugs.
Non-face-to-face sale of tobacco products or any other smoking products, including e-cigarettes and smokeless cigarettes.
Non-face-to-face sale of firearms.
Quasi cash.
Replicas and / or counterfeit goods.
Substances designed to mimic illegal drugs, including herbal smoking blends and herbal incense.
Travel - outbound telemarketing.
Virtual currency that can be monetized, resold, converted, traded into physical or digital products and services outside the virtual world.
Illegal gambling.
Foreclosure protection and guarantees.
Extended warranty companies.
Debt consolidation or reduction services.
Drug paraphernalia of any form.
Cruise lines.

How to Accept Credit Cards for Your Cruise Liner

2011-03-11T17:50:00.003-05:00

If you own or manage a cruise line business, your payment processing practices will vary, at least slightly from the ones followed by other merchants. In this post I will offer a series of best practices to be implemented each time you accept credit cards for payment for achieving best results:

Get an incremental authorization approval for any on-board charges. To obtain an incremental transaction authorization approval from the card issuer for the additional payment amount that the customer has generate on board of the cruise liner:

Follow regular authorization procedures to get an approval for the incremental amount.
In case the approval is declined, do not force the transaction and contact your customer and request an alternative form of payment.

If incremental authorization approval request is declined, settle only the cumulative approved authorization amount. Following best settlement practices will help you limit customer disputes and chargebacks which will then lead to minimizing your processing costs and possible losses when card issuers reject incremental authorization requests. You should:

Only settle the approved authorization amount and do not include any of the additional on-board charge amounts for which authorization was declined.
Contact your customer and request another form of payment for the declined incremental amount.

If the originally approved authorization amount exceeds the actual cost of the cruise, submit an authorization reversal. To finalize the settlement and to avoid tying up your customer's line of credit when the authorization amount is above the actual costs, you will have to submit an authorization reversal for the difference between the originally authorized amount and the actual cost of the cruise.
Use the final authorization rule and the 15% rule. Whenever customers check out at the end of a cruise, authorization approval is only required when:

An authorization approval was not originally obtained. If that is the case, you have to authorize the total transaction amount.
An authorization approval was originally obtained, but the actual transaction amount is higher than the initially authorized amount. If that is the case, you will have to apply the 15% rule to establish whether or not an additional authorization is needed. Here is a step-by-step guide on how this is to be done:

Add 15% to the initially authorized amount.
Compare the result to the final transaction amount.
If the final transaction amount exceeds the result, you will have to obtain an additional authorization for the difference.

Prominently disclose all terms and conditions of the sale. Your customers must be fully aware of all terms and conditions of the sale prior to the booking. In particular, the following details need to be provided:

The sale’s amount and related booking fees.
How the fees will be disclosed on the cardholder's monthly statement.
When these charges will be billed.
How your business name will be shown on the cardholder's statement.

Make sure you require that your customers accept the terms and conditions by clicking on an "Accept" or "Agree" button on your website.

Credit Card Processing with Virtual Terminal

2011-03-08T17:19:00.005-05:00

Businesses contacting us with requests for information on our services often seem to confuse virtual terminals with payment gateways. They are not quite clear on what each services does. Additionally, many of them still process payments key-entering the card information into a point-of-sale terminal's keypad, rather than do it through a virtual terminal. But then, that should be expected, considering tha t they don't know what a virtual terminal is.

So with this article I will try to provide the missing information and hopefully, make your decision making process a bit easier.

Virtual Terminal Basics

So virtual terminal is an internet-based service that enables businesses to take credit card payments by key-entering the transaction information, through a browser form, directly into the merchant account provider's payment system.

Once a payment processing account is established, the business gets a direct access to the processor's back end. Multiple user accounts can be created, each with a separate log-in. Then each user can access the service from anywhere web access is present and process payments or refunds, but also to only request transaction authorizations, without actually submitting the payment for clearing and settlement. You may want to do this if you need additional time to research the transaction.

If your business accepts payments on your own website, you will get the virtual terminal as part of your payment gateway package, at no additional charge. The most widely used gateway is Authorize.Net, which UniBul Merchant Services offers for free.

Reasons for Using Virtual Terminal

More than anything else, it is convenience. If you accept credit card and / or check payments over the phone or in the mail, there just isn't a more convenient tool to enable you to do that. You manually manually enter the information into a payment form within your browser and click submit. It is mush easier than using a telephone keypad.

The reason some businesses still use the phone option is mainly habit. It is absolutely fine to do it this way, however a virtual terminal is much easier.

Virtual Terminal Cost Considerations

Virtual terminal fees vary by vendors and processors. Here are some guidelines to look for:

Set-up fee. You should not be paying any set -up fees, whatever your prospective processor tries to convince you.
Monthly service fees. Again, virtual terminals can come on their own or as part of a payment gateway package, which affects the pricing. It ranges anywhere from $0 to $30, but you should evaluate it as part of the whole pricing agreement.
Processing rate. The processing rate can vary widely, but the more confusing thing is that there are multiple pricing models. You should select an interchange-plus model, where the processor charges you no more than 0.50% + $0.10 above interchange. Alternatively, you can consider a flat rate pricing structure.

Wgat Is Authorize.Net Payment Gateway?

2011-03-04T22:13:00.004-05:00

There is a constant stream of inquiries coming at us about payment gateways and more particularly, about our free Authorize.Net merchant account, by far the most popular among them. More often than not, merchants with no e-commerce experience are not quite clear on what exactly payment gateways do and, just as importantly, what they don't do. There is often a tendency to conflate payment gateways with payment processing accounts, which leads to confusion and to our attempts to explain the meanings of the two terms, the interrelation between them and the larger transaction cycle.

This article will be yet another attempt to do that. I have no doubt that it will be read by hundreds of thousands of aspiring merchants, so we will no longer be have to endure the same questions day after day!

What Is Authorize.Net

Authorize.Net, and all other payment gateways, is a software tool that exchanges payment data between e-commerce websites and credit card processors. This is exactly the job that in a brick-and-mortar type of business would be done by a credit card machine. The most conspicuous difference of course is that you don't get to swipe your card through the gateway. Well, the customer does something which, when you think about it is quite similar - she manually enters the information into the merchant's website from her browser.

The Payment Process Step-by-Step

Authorize.Net integrates into the e-commerce website through the latter's shopping cart - another software tool used for organizing products selected for purchase during an e-commerce shopping session. The payment process goes through the following stages:

The customer places an order at the e-commerce checkout of the website and the enters her credit card account information.

The payment data is encrypted by the website's SSL certificate.

Authorize.Net collects the encrypted information, encrypts it yet again, and transmits it to the credit card processing bank's server.

The processor sends the transaction data on to the card issuer through Visa's or MasterCard's payment networks.

The issuer evaluates the available information, compares it to what they have on file for their customer and, if everything checks out, validates the transaction.

The issuer's response is transmitted back to the processor and then, through the gateway, on to the e-commerce website, which shows an approval authorization message to the customer to complete the transaction cycle.

As you see, Authorize.Net is no more than a mere tool for information exchange between commercial and financial institutions. It is no doubt an incredibly important function, not least because if it is not performed properly, these sensitive data can be intercepted by hackers and then used for fraudulent transactions and to steal identity. Still, the gateways role should not be exagerated and it should be seen as a part of the merchant account infrastructure.

Best Practices for Sales Receipts

2009-10-12T12:18:00.004-04:00

Content of Sales Receipts

Each copy of a receipt for a retail sale, credit, or cash disbursement transaction must comply with minimum statutory and regulatory requirements in the jurisdiction in which the receipt originates and any applicable regulations, and must contain the following:

In the case of retail sale and credit receipts, a space for the description of products, services, or other things of value that are sold by the merchant to the customer and their cost, in sufficient detail to identify the transaction.
Sufficient spaces for:
- Customer's signature.
- Card imprint and the merchant or bank identification plate imprint.
- Date of the transaction.
- Authorization number (except on credit slips).
- Sales representative's initials or department number.
- Currency conversion field.
- Merchant's signature on credit slips.
- Description of the identification document supplied by the cardholder on cash disbursements and retail sale slips for certain unique transactions.
A note clearly identifying the receipt as a retail sale, credit, or cash disbursement and identifies the receiving party of each copy.
On the customer copy of the receipt, the words (in English, local language, or both): "IMPORTANT - retain this copy for your records," or words to similar effect.
Any other contents as are not inconsistent with these rules.

It is recommended that each retail sale, credit, and cash disbursement receipt provides a way of identifying the organization that distributed the receipt to the merchant.

Content of Sales Receipts at the Point of Sale

Each copy of a sales receipt produced by a physical terminal at the point of sale must be in compliance with all requirements of applicable laws and regulations. Whether a terminal or another device has been used at the point of sale, the sale receipt must not display magnetic stripe track data other than card account number, expiration date, and cardholder name. The following information information must be included in the sales receipt:

The merchant's Doing Business As (DBA) name, city and state, country, or the point of banking location.
Transaction date.
Card account number.
Transaction amount in the original transaction currency.
Sufficient space for the customer's signature (required on merchant copy only).
Authorization response code (except on credit receipts). Alternatively, the acquiring bank also may print the transaction certificate, the application cryptogram, or both for EMV chip card transactions.
Merchant's signature on credit receipts only.

It is also required that each sales receipt must clearly identify the transaction as a retail sale, credit, or cash disbursement.

Card Account Number Truncation

The Credit Card Associations of Visa and MasterCard require acquiring banks to truncate, or make indeterminable on printed sales receipts generated by automated telling machines (ATM), a minimum of four digits of the personal account number (PAN). The Associations also require PAN truncation for all receipts generated at Cardholder-Activated Terminals (CATs). PAN truncation is permitted for receipts generated at all other points of interaction.

Since 2005 it is also required that all sales receipts generated by newly installed, replaced or relocated point-of-sale terminals, whether attended or unattended, display only the last four digits of the account number. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as "X," "*," or "#."

Following best practices for truncating card account numbers helps merchants fight fraud but it also promotes customer confidence in the merchant's ability to securely handle personal information. The last four digits provide the customer with enough information to identify the card that he or she used in the transaction.

General Truncation Consideration

Typically, the truncation of a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure. However, it also increases the confusion and difficulty that cardholders may have reconciling their ATM terminal receipts to their periodic card statements. There are several considerations to take into account when developing your own procedures for truncating account numbers:

A truncation of the routing bank account number (BIN) alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain card issuer identification.
Truncating the check digit and several other digits does not improve PAN security. Without the check digit, calculation of several missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
Truncating a small number of digits, when compared to the total number of digits in the PAN, reduces the effectiveness of the procedure. It is possible to reconstruct a few missing digits by using a trial-and-error approach.
Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure.

Electronic Signatures

Acquiring banks that are using Electronic Signature Capture Technology (ESCT) must ensure the following procedures are implemented:

Proper electronic data processing (EDP) controls and security measures are established, so that digitized signatures are recreated on a transaction-specific basis. Acquiring banks may recreate the signature captured for a specific transaction only in response to a retrieval request for the transaction.
Adequate controls exist over employees with authorized access to digitized signatures maintained in the acquiring bank or merchant host computers. Employees and agents should be allowed to access the stored, electronically captured signatures only on a "need to know" basis.
Digitized signatures are not accessed or used in a manner contrary to applicable industry regulations.

Cardholder-Activated Terminals

2009-10-06T13:03:00.007-04:00

Cardholder-Activated Terminals

Typically, cardholder-activated terminals (CATs) are unattended terminals that accept bankcards, debit, credit, and proprietary cards. These terminals are frequently installed at train and subway ticketing stations, gas stations, toll roads, parking garages, and other merchant locations. The cardholder is typically guided through the sales process by a series of requests posted on the terminal's screen. There are four types of cardholder-activated terminals:

Automated Dispensing Machines - Level 1.
Self-Service Terminals - Level 2.
Limited Amount Terminals - Level 3.
In-Flight Commerce (IFC) Terminals - Level 4.

Cardholder-activated terminal requirements specify the maximum dollar amount of transactions permitted as well as authorization, clearing and chargeback requirements and related transaction liability for each cardholder-activated terminal type.

Because cardholder-activated terminals are usually unattended, the traditional point-of-sale (POS) card acceptance procedures do not apply, such as the merchant's verification of the card's authenticity by examining its hologram, embossed account number, or embossed security features for signs of altering. The merchant is also prevented from verifying the authenticity of the cardholder's signature.

Requirements for Cardholder-Activated Terminals

Cardholder-activated terminals must comply with the following six general card acceptance requirements:

All non–face-to-face transactions initiated by the cardholder where the card number is either captured as a result of reading the card electronically or by using an electronic device (such as a transponder, PC, or mobile phone) must include the proper cardholder-activated terminal (CAT) level indicator in both the authorization message and clearing records. Depending on the CAT level indicator, other specific data is required for authorization and clearing.
- The Authorization Request message must include a valid merchant category code, point-of-sale (POS) country code, POS postal code, and CAT level indicator (Level 1, 2, 3, 4, 6, or 7).
- Messages used at the CAT must communicate to the cardholder, at a minimum, the following information:
  - Invalid transaction.
  - Unable to route.
  - Invalid PIN—re-enter (Level 1 only).
  - Capture card (subject to the terminal’s ability to retain cards).
- The merchant identification number and the CAT level indicator must be present in the First Presentment, First Chargeback, Second Presentment, and Arbitration Chargeback messages.
The acquiring bank must ensure that the description of products or services on the CAT sales receipt is clearly recognizable to the cardholder.
Acquiring banks are responsible for providing requested transaction information documents.
No cardholder-activated terminal may accept a payment card for the purchase of scrip.
Acquiring banks must ensure that sales receipts show only the last four digits of the card account number, and that all preceding digits are truncated. The truncated digits must be replaced with fill characters such as "X," "*," or "#" and not with blank spaces or numeric characters.

Requirements for Automated Dispensing Machines

The following card acceptance requirements apply to Automated Dispensing Machines (ADM)/Level 1.

The Automated Dispensing Machine must accept a personal identification number (PIN) as a substitute for signature.
- If PIN is not adopted as a standard within a country or card issuers have not provided one, this level of service is not available.
- The PIN authorization must be made via a secured transmission.
- ADM terminals must be able to support numeric, alpha, or alphanumeric PINs with a minimum length of four digits.
The acquiring bank may decline a transaction after four attempts and four consecutive negative responses of "invalid PIN" or "invalid transaction" from the credit card network. Optionally, the acquiring bank may allow more than four consecutive PIN entry attempts that each received a negative response at an ADM.
All transactions regardless of amount must be authorized on a zero floor limit basis with full, unaltered card read data transmitted.
Card retention at an ADM is not required, however, if the terminal capability is available, the merchant may do so only at the card issuer's specific direction.
- The retained card must be logged and secured under appropriate audit controls.
- The retained card must be cut in half and then returned to the acquiring bank.
For transactions processed at ADMs where a PIN and full, unaltered card data is transmitted, "No Cardholder Authorization" chargeback rights are not available to card issuers because PIN is a valid proxy for the cardholder's signature.
An ADM that is also a hybrid terminal may perform fallback procedures unless it is prohibited by a region. Acquiring banks use fallback procedures when a smart card is present at a hybrid terminal and the merchant processes the transaction by using the magnetic stripe or by manually entering the account number because the merchant cannot process the transaction using smart card technology.

Requirements for Self-Service Terminals

The following card acceptance requirements apply to Self-Service Terminals (SST)/Level 2.

Self-Service Terminals do not process PIN. They include (but are not limited to) automated fuel dispensers identified with MCC 5542.
All Self-Service Terminals must comply with the following requirements:
- The floor limit for authorization purposes is zero.
- The acquiring bank must read and transmit full, unaltered card account data.
The Authorization System will send all transactions identified as Self-Service Terminals in the Authorization Request message to the card issuer, regardless of Limit 1 parameters.
The maximum transaction amount is $100 or its equivalent.
Chargebacks processed because of no cardholder authorization for Self-Service Terminal transactions will be allowed only if the card issuer verifies that the account number used in the transaction is fraudulent, as documented in a letter written by the cardholder to the card issuer. Additionally, the card issuer must block the account number until card expiration on or before the Central Site processing date of chargebacks processed because of no cardholder authorization. The card issuer also must list the cardholder account number on the respective Credit Card Association's Account File with a "capture card" response until card expiration. Card issuers in the Europe region also must list such accounts on the European Stop List (ESL).Counterfeit transactions occurring at Self-Service Terminals for which the acquiring bank has transmitted the full magnetic stripe data in the authorization request message and for which an authorization was obtained are ineligible for chargebacks processed because of no cardholder authorization.
A U.S.-based merchant acquiring automated fuel dispenser transactions at Self-Service Terminals/Level 2 may forward an Authorization Request message for $1 if properly identified by MCC 5542 (automated fuel dispenser) and CAT level indicator 2. If authorization is obtained, the acquiring bank is protected from authorization related chargebacks "requested/required authorization not obtained", or "exceeds floor limit - not authorized and fraudulent transaction" for transactions less than or equal to $75. The acquiring bank protection is limited to $75 for transactions that exceed $75, and card issuers may charge back only the difference between the transaction amount and the implied $75 limit.
A Self-Service Terminal that also is a hybrid terminal may perform fallback procedures from chip to magnetic stripe unless it is prohibited by a region.

Requirements for Limited-Amount Terminals

The following card acceptance requirements apply to Limited-Amount Terminals/Level 3.

A Limited Amount Terminal must check the account number against the Electronic Warning Bulletin file if the terminal has such a capacity.
The maximum transaction amount is $40 or its equivalent.
Re-presentment rights for chargebacks processed because of no cardholder authorization are not available to card issuers for properly identified Limited-Amount Terminals/Level 3 transactions. Re-presentment rights for chargebacks processed because the requested or required authorization was not obtained or exceeded the applicable floor limit or for not authorized and fraudulent transactions, are available if the maximum transaction amount of $40 or its equivalent has been exceeded.
A Limited-Amount Terminal that also is a hybrid terminal is prohibited from performing fallback procedures from chip to magnetic stripe.

In-Flight Commerce Terminals

Acquiring Bank and Merchant Services Provider Requirements and Transaction Identification
Specifications.
- Acquiring banks must ensure timely delivery and installation of the In-Flight Commerce (IFC) Blocked Gaming File to gaming service providers. IFC Blocked Gaming File access is required before every gaming transaction.
- Acquiring banks must identify in-flight commerce services or merchandise with the most appropriate merchant category code (MCC) in the authorization message and merchant business code (MCC) in First Presentment messages. If an airline also acts as the service provider, the acquiring bank may not use an airline MCC but must assign the proper MCC for each type of IFC transaction. The following list of IFC transaction types must be identified with the designated MCC.
  - Catalog merchant - 5964.
  - Duty-free store - 5306.
  - Gaming - 7995.
  - Miscellaneous services - 7299.
  - Video game - 7994.
- Transactions must be consolidated by MCC, per flight, for each cardholder account.
- The acquiring bank must identify the transaction with the most appropriate transaction category code (TCC) in the authorization request message. The TCC for gaming transactions should be "U" (unique transaction) and for any other type of transactions - "R" (retail purchase).
- The merchant name and location must include the service provider's name and flight identification. The flight identification must be a recognizable identification of the airline.
- The city field description for mailed purchases and gaming transactions should contain the the service provider's customer service telephone number. For all IFC transactions other than mailed purchases and gaming, the city field description optionally may be a customer service telephone number.
- For all IFC transactions except IFC mailed purchase transactions, the transaction date is defined as the date that the flight departs from the originating city. The transaction date for mailed purchases is defined as the shipment date unless otherwise disclosed to the cardholder.
- Acquiring banks must ensure that the service provider provides full disclosure to the cardholder via the video monitor screen prior to the initiation of any IFC transactions. The screen must prompt the cardholder to acknowledge these disclosure terms before initiating a transaction. Disclosures must include the following:
  - Full identification of the service provider and provision for recourse in terms of cardholder complaints or questions.
  - Notification that transactions will be billed upon the issuer's approval of the authorization request.
  - For mailed purchases only, any additional shipping or handling charges.
  - Policy on refunds or returns.
  - Provision for a paper receipt.
  For IFC gaming transactions, service providers must additionally disclose the following:
  - Maximum winnings ($3,500) and maximum losses ($350).
  - Notification that total net transaction amount (whether a net win or loss) will be applied against the cardholder's account.
  - Notification that cardholder must be at least 18 years of age to play.
  - Notification that some card issuers may not allow gaming.
- Acquiring banks must ensure that the service provider is capable of providing an itemized receipt to the cardholder for all IFC transactions. The acquirer must ensure that, at the cardholder's option, the service provider can effect this offer in one of three ways:
  - Printing a receipt at the passenger's seat.
  - Printing a receipt from a centralized printer on the plane.
  - Mailing a receipt to the cardholder.
  The mailed receipt offer must be made available via the video monitor and must require the cardholder to input his or her name and address. For IFC gaming transactions the service provider must provide a receipt to the cardholder by one of the first two methods described above. The receipt must contain the following elements:
  - Identification of the passenger's flight, seat number, and date of departure.
  - Itemized transaction detail.
  - Gaming transaction specified as a net win or net loss.
  - The cardholder's account number truncated on the receipt. Acquiring banks must ensure that transaction receipts provided to cardholders reflect a minimum of four and a maximum of 12 digits of the cardholder account number. The remaining digits must be truncated. It is recommended that the receipt reflect only the last four digits of the primary account number, and that all preceding digits are truncated. It is also recommended that truncated digits are replaced with fill characters such as "X", "*", or "#" and not with blank spaces or numeric characters.
- For IFC terminals, the assurance and demonstration of security of the transmission of data between the on-board client server and the acquiring bank and the physical controls over hardware and operating software. Encryption of transmitted data is advised.
Transaction Requirements.
- There are no maximum transaction amount requirements that apply to any IFC transaction, with the exception of IFC gaming transactions.
- Merchants are not allowed to perform fallback procedures from chip to magnetic stripe on an IFC terminal that also is a hybrid terminal.
Additional Requirements for IFC Gaming Transactions.
- Net gaming losses cannot exceed $350 per flight per cardholder account. Net payouts to cardholders for gaming wins cannot exceed $3,500 per flight per cardholder account. The service provider must monitor gaming activity throughout the flight by and ensure compliance with this requirement.
- When a cardholder posts a gaming win, the transaction must result in posting of net winnings (credit) to the cardholder's account. Under no circumstance may winnings be paid in cash or other form of payment.
- Before participating in IFC gaming activity, the acquiring bank must ensure that such IFC gaming activity will be conducted in full compliance with all applicable laws and regulations.
In-flight Cardholder Account Number Verification Prior to Transaction Initiation.
- The service provider must conduct a Mod-10 check digit routine to verify card authenticity.
- The service provider must confirm that the card account number is within a valid BIN range that begins with:
  - American Express - 3.
  - Visa cards - 4.
  - MasterCard cards - 5.
  - Discover cards - 6.
- For IFC gaming transactions, the acquiring bank must ensure that the cardholder's account number is checked against the IFC Blocked Gaming File. Cardholders whose account numbers are listed on the IFC Blocked Gaming File are prohibited from participating in any IFC gaming transaction.
Authorization Requirements
- The authorization request message must include the cardholder-activated terminal level 4 indicator.
- Acquiring banks must read and transmit full, unaltered card account data. An IFC authorization request may not contain a key-entered account number or expiration date.
- Transactions are either authorized air-to-ground during the transaction or authorized in a delayed batch. All in-flight commerce transactions have a floor limit of zero and must be authorized without exception.
- Acquiring banks must convert all "refer to card issuer" and "capture card" messages received from issuers to "declines."
Additional Authorization Requirements. All IFC gaming losses authorized post-flight must be submitted for authorization for the net amount. All gaming transactions authorized during the flight will be for the full wager amount ($350 or a lower amount pre-determined by the airline and gaming service provider). No gaming wins will be submitted for authorization.
Clearing Requirements.
- Acquiring banks are not allowed to submit declined transactions for clearing.
- No surcharges or service fees may be assessed on any IFC transaction, including IFC gaming transactions.
Additional Clearing Requirements.
- IFC gaming transactions submitted for clearing must be for the net amount that is won or lost.
- IFC gaming win transactions will be submitted as a credit transaction. Interchange will be paid to card issuers by acquiring banks on gaming win transactions.
- Acquiring banks may resubmit a gaming transaction for a different amount within the specified transaction limits if it was previously rejected for exceeding the specified transaction limits which are $3,500 for wins and $350 for losses.

Policies for eCommerce Merchants

2009-09-11T10:56:00.004-04:00

When constructing their websites, merchants doing business over the internet should take into consideration the following policies:

Information security policy. Consumers expect that eCommerce merchants protect the personal information they provide during a transaction. They also expect that merchants describe the measures and procedures they have established to keep sensitive account data save. For a better customer experience, eCommerce merchants should consider implementing the following best practices on information security:
- Educate customers about your security practices. Create a page that details your website's security practices and controls. Consider including in it the following:
  - Explain in details how payment information is protected at all stages of the transaction process: during transmission, while on your server and at your physical work site.
  - Make the page available to all visitors to your website. You should consider placing a link to it in your home page. Placing a link in your header or footer will make the page accessible from any page of your website.
- Include security tips in a FAQ page. Create a FAQ page and include in it questions and answers on how customers can protect themselves while shopping online.
- Add the logos of fraud prevention services that you are using. Place on your website the logos of all fraud prevention and data protection services that you are using.
- Warn customers against sending payment information by email. Email is not a secure way to do business, however some customers are not aware of that. To protect their personal information you should highlight your security practices on your website and in your email correspondence. Advise customers that:
  - Email is an insecure method of communication and should never be used for transmitting account data or other sensitive information.
  - Your website's encryption services ensure that personal information is protected from unauthorized access and provides the safest way for shopping online.
Payment choice selection. Customers should be provided with clear payment choices at the checkout. Unfortunately there are a number of ways in which a customer can get confused when selecting a payment choice. For example options such as "Debit" and "Credit" can be misleading as their meaning may be interpreted differently, depending on the customer's understanding. Providing the option of selecting a payment brand gives the customer a clear payment choice. It is easy to distinguish a Visa card from a MasterCard or an American Express. You should consider placing a menu of radio buttons for each card brand that your payment processing account supports. It is also a good idea to use each brand's logo next to the button.

Once a customer selects the brand of card that they want to use as payment, you should make sure that their choice is honored. Merchants are allowed to suggest a form of payment or to display their preferred choice but you cannot mislead or confuse the customer or omit important information in the process. The customer has the right to use whatever payment method he or she chooses, provided it is supported by the merchant and once the selection is made, the merchant should facilitate the processing of the transaction.

Merchants are not allowed to charge customers additional fees for selecting to use credit or debit cards for payment for products or services. It is allowed, however, to offer a discount if a customer selects to pay in cash, for example. Also, if a merchant accepts card payments, cards should be accepted for all amounts. It is not allowed to set limits on transaction amounts for card payments. Merchants can lose their card payment processing accounts if they do not comply with these requirements.

Account number verification. The merchant has a responsibility to verify the card account number at the point of sale, during the transaction process. It is also in your own best interest, as every unauthorized or fraudulent transaction will most likely result in a chargeback. Most point-of-sale terminals allow merchants to verify that the account number embossed on the front of the card is the same as the account number encoded in the magnetic stripe of the card. The exact verification procedure will depend on the type of terminal used at your store. Some terminals will display the information contained in the magnetic stripe or will print it on the sales receipt. Others will check the numbers electronically. The latter type of terminals will need the merchant to input the last four digits of the embossed card number and compare the provided information with the one stored in the magnetic stripe.

If you are using a terminal that displays or prints the account number on the sales receipt, it will usually use the last four digits of the number. If the numbers do not match, you will receive a "No Match" message. In such instances you should make a "Code 10" call.

The Credit Card Associations now require that point-of-sale terminals truncate card account numbers when printing them on sales receipts. This means that only the last four digits of the account number should be printed on a sales receipt and the expiration date should not be shown at all. This is intended to be an additional preventive measure to protect consumers against card processing fraud.

Billing policy. ECommerce merchants should develop a thorough policy regulating the terms and conditions of their billing procedures and should make it available to customers at the time of purchase. Your policy should include the following information:
- Inform your customers when their cards will be charged.
- If you are using a third party to do your billing, inform your customers how the transaction will be reflected on their credit card statement (provide the third-party service provider's name and the transaction amount). Providing these details will help customers recognize your transaction and minimize the chance that they will file a dispute with their card issuer, initiating a chargeback.
- Encourage your customers to retain a copy of the transaction.
Be advised that it is very important that you do not charge your customer's card before the product has been shipped. Cardholders today can review their transactions in almost real time and, if they see a charge on their accounts without having received the item or at least a delivery notification, they are likely to contact their card issuer and dispute the transaction.

If your organization provides digital content, your policy should also include the following best practices:
- You should never charge your customer's account before the service is actually accessed on your website with the applicable password.
- You should avoid the use of negative renewal options or other marketing techniques that may create the impression that the product is free.
- You should communicate with your customer all special restrictions before the sale is completed.
Lastly, be sure to include in your billing policy the transaction currency that will be used to complete the transaction. Remember that eCommerce merchant websites are accessible from all over the world and, unless there are special restrictions, your customers may be located anywhere. Clearly state the currency, especially if it is not unique (a dollar may be Australian, New Zealand, Hong Kong or U.S.). Be advised that merchants cannot convert transaction amounts into different currencies. You may, however, display equivalent amounts in different currencies, but they must be clearly indicated for information purposes only.

Customer service access. Providing an easy way for customers to contact you is invaluable in creating customer loyalty and preventing disputes and chargebacks. Customers are likely to have questions or concerns regarding their purchases and they expect, and have the right to, that these concerns are addressed in a timely manner. Consider implementing the following best practices into your customer service procedures:
- Provide an email inquiry form. You should display email "Contact Us" options on your website and make them easily accessible. Consider providing different email contacts for your support and sales departments as well as for shipping information.
- Develop an email inquiry response policy. You should implement an auto-response email program to acknowledge receipt of inquiries and provide a time frame for your response. Once you do that, you should make sure that you have sufficient staff available to handle the inquiries within the set time limit.
- Monitor your customer service to ensure that your organization's inquiry response policies are being implemented adequately.
- Provide a toll-free number to contact your customer service department and display it prominently on your website. Providing a toll-free contact number is key for ensuring the highest level of customer satisfaction and preventing disputes and chargebacks. Many consumers prefer having their questions and concerns addressed in a conversation with a live person and are uncomfortable or unwilling to use the email response system. Make sure that you have adequate staff to respond to telephone inquiries in a timely manner.
Card-not-present fraud prevention guidelines. The ability to accept card payments over the phone, in the mail or online makes possible the existence of mail order, telephone order and eCommerce businesses. It is a very convenient payment method for both consumers and merchants. There are, however certain challenges that both industries face when it comes to fraud protection, challenges that are very different from the ones a merchant operating in a card-present environment faces. Because payment processing transactions are done in the virtual domain, the merchant never gets to see either the card or the cardholder. The only way to obtain the consumer's account details is to rely on the information, provided by the consumer himself. The good news is that there are a number of fraud protection services which, combined with a set of best practices, implemented and followed scrupulously, will help both direct marketing and eCommerce merchants reduce fraud and improve their bottom line.

Following is a list of guidelines to help merchants operating in the virtual world reduce fraud.
- Always authorize all transactions. Be advised that the floor limit for all card-not-present transactions is zero which means that you should request an authorization for every single one of them, no matter what the transaction amount. Not obtaining authorization leaves you helpless against both fraud and customer disputes.
- Always obtain the cards' expiration dates. You should always ask your customer to provide his or her card's "Good Through" date. It is another way to verify that the customer is in a physical possession of the card at the time of the transaction.
- Always obtain the card security verification codes. Card Security Verification is the 3- (for Visa, MasterCard and Discover) or 4-digit (for American Express cards) non-embossed numeric code on the back (for Visa, MasterCard and Discover) or the front of a payment card (for American Express). Obtaining the Card Verification Code in a card-not-present transaction is another, and very powerful, tool to verify that your customer is in actual possession of the card. Be advised that you should never store Card Verification Codes in your system. It is prohibited by the Credit Card Associations and violators may be assessed significant fines.
- Always use AVS. The Address Verification Service (AVS) allows merchants to verify the authenticity of the billing address that a cardholder has provided at the checkout. It works by routing the provided address, through the Credit Card Associations, to the card issuer. The Issuer then compares the provided address to the one it has on file for its cardholder and responds by issuing a response code which contains the result of its investigation.
Utilizing the above listed fraud prevention services and implementing the suggested procedures will help eliminate fraud and reduce your chargeback levels. A good payment processing provider should be able to assist you in this process.

Visa's CVV2. All major credit card companies have implemented an additional security feature on their credit and debit cards in their continuous efforts to make shopping online and over the phone a safer proposition. Visa's Card Verification Value 2 (CVV2) is a three-digit number printed on the back of every Visa credit or debit card. It is located in the top right corner of the signature panel or immediately to the right of it. It is preceded by the last four digits of the card's account number, printed in the signature panel. CVV2 was introduced to serve as an additional fraud prevention measure, to help eCommerce and MO/TO merchants verify that their customers are in a physical possession of their cards. It is a feature that all major eCommerce payment gateways support and your payment processing provider should make it available to you.

If your organization operates in either the eCommerce or the MO/TO industry, you should follow these procedures when accepting credit and debit cards:
- Always ask your customers for the last three digits in the signature panel on the back of the card. Do not ask for the CVV2 number as customers will most likely have no idea what this is.
- Depending on the response the customer gives to your CVV2 request, you should include one of the following indicators in your authorization request, along with the card's expiration date and the account number:
  - "0" - if the CVV2 is not included in the authorization request.
  - "1" - if the CVV2 is included in the authorization request.
  - "2" - if your customer has stated that the CVV2 is illegible.
  - "9" - if your customer has stated that the CVV2 is not on the card.
- When the card issuer replies with the CVV2 result code, you should take it into consideration, along with all other factors in determining the validity of the transaction. You will receive one of the following result codes:
  - "M" - Match - the CVV2 is valid.
  - "N" - No Match - the CVV2 is not valid, a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the CVV2 request.
  - "P" - CVV2 request not processed - you should resubmit the request.
  - "S" - the cardholder has stated that the CVV2 is not on the card. The CVV2 code should be printed on all Visa cards. In the case of an "S" response you should verify that the customer is looking for it in the right place.
  - "U" - the card issuer does not support CVV2. In this case you should considering other fraud prevention services.
Be advised that storing of CVV2 is prohibited. You may store other account information, e.g. cardholder name, account number and expiration date but not the CVV2. Contact your payment processing provider for additional information on using CVV2. It is not only a very effective fraud prevention measure but it also protects against chargebacks as well.

Using cookies and passwords. Web browser cookies are an effective tool to help eCommerce merchants recognize and acknowledge existing customers. They simplify the order process for repeat customers by not requesting that they provide payment details that have already been provided during a previous visit. Consider the following suggestions to improve the effectiveness of the use of browser cookies:
- Use permanent browser cookies to retain non-sensitive cardholder information and preferences to enable repeat customers to order products and services without having to re-enter this information. This simple procedure will help increase customer loyalty as consumers appreciate not having to submit their payment details every time they visit a website.
- Use browser cookies to maintain active user sessions, but once the session expires, you should request that the user logs in again, regardless of the computer being used.
You should establish a procedure for existing customers to safely retrieve their forgotten password while protecting their accounts from fraudsters. Consider implementing the following suggestions:
- When a customer has troubles signing in or claims that he or she has forgotten a password, you should use a customer-provided security data to verify his or her identity. The process should follow these steps:
  - When registering a new account, ask your customer to select a category - such as place of birth, mother's maiden name, favorite sports team - and provide the correct response.
  - If a returning customer has forgotten his or her password, ask the customer for the correct answer to the category that he or she selected at registration.
  - Verify the response and, if correct, prompt the customer to reset their password.
- Use hints to help customers remember passwords. The process of selecting and implementing hint words should follow these steps:
  - Ask the customer during the registration process to select a hint for his or her password.
  - Display the hint word on your website if the customer enters the wrong password when trying to log into his or her account.
For a better customer experience you should try to keep the process of resetting a password simple and have a customer service phone number available for customers to contact you if their attempts fail. Be advised that consumers today have many account profiles on various websites and it is more than possible that they forget a password or a hint. If you receive a call from a customer who cannot reset his or her password, you should verify their identity using personal information that you have on file for them.

Required transaction data fields. Requiring customers to fill in certain transaction data fields can help eCommerce merchants detect potentially risky situations. To assess the risk of fraud and minimize potential losses, merchants should define the data fields that will help recognize high-risk transactions and require that customers complete them before purchasing products and services. Key risk fields include the following data:
- Telephone numbers which can be verified using reverse directory services.
- Email address, particularly when it uses an anonymous service.
- Cardholder name and billing address which, too, can be verified using reverse directory services.
- Shipping name and address, if different from the billing data.
- Card security codes - the 3- and 4-digit numbers on the back or front of credit and debit cards. If there is a mismatch, you should attempt to review the provided code, particularly if the other risk indicators have shown no mismatches. The customer may have simply provided the wrong number.
Once you have selected the required fields in your transaction forms, you should indicate that they must be completed before the form is submitted. You can use color to highlight them or bold fonts, or asterisks to achieve that. You should also provide an explanatory note to your customers, informing them that the highlighted fields are mandatory.

Merchant direct access service. The Merchant Direct Access Service (MDAS) is a fraud prevention system that provides merchants with access to Address Verification Service AVS by telephone. Developed for smaller direct marketing and eCommerce merchants, MDAS provides AVS service on a pay-as-you-go, per-transaction basis.

The process of using the Merchant Direct Access Service is pretty straightforward, all you need is a telephone and a Merchant Access Code (MAC) which you will get from your merchant account provider. To request an AVS, you will dial a toll-free number and follow the instructions that the automated system will give you. You will need to provide your customer's address and account number and the system will give you the verification results.

The responses MDAS provides are very similar to the ones AVS provides but do not include response codes. You will receive one of the following Merchant Direct Access Service responses:
- Exact Match - it means that both the street address and the ZIP code match and you should proceed and complete the transaction.
- Partial Match - the street address matches but the ZIP code does not. It is a potential fraud. It is up to you whether to investigate further or to complete the transaction.
- Partial Match - the ZIP code matches but the street address does not. It is a potential fraud. Depending on the transaction amount, you may decide to investigate further or to complete the transaction.
- No Match - both the street address and the ZIP code do not match. It is a strong indication of fraud and you should take further steps to validate the transaction.
- Retry Later - it means that the card issuer's system is unavailable at present. You should resubmit your authorization request later.
- Global - it means that it is an international address and the system cannot verify it.
Your merchant account provider is best positioned to provide you with additional information on MDAS and to help you get started. Be advised that both the eCommerce and mail order/ telephone order payment processing solutions require the implementation of robust fraud prevention solutions and AVS is one of the most powerful among them.

Validating card information. Validating the provided card information during an eCommerce transaction is a process to help merchants protect themselves from fraudulent transactions. It is recommended that you consider implementing the following suggestions into your card validation procedures:
- Implement a "Mod 10" card validation procedure before submitting a transaction for authorization. The Luhn algorithm, also known as "Mod 10" algorithm, is a simple formula used to validate a variety of identification numbers, including credit card numbers. Most credit card companies use the algorithm as a simple method of distinguishing valid numbers from collections of random digits. The Luhn algorithm will detect any single-digit error, as well as almost all transpositions of adjacent digits. In order to take advantage of it, you should follow these steps:
  - Ask your merchant services provider for the Mod 10 algorithm.
  - Use the Mod 10 algorithm to check all online transactions before submitting them for authorization.
  - Inform the cardholder immediately if the card fails to pass the Mod 10 validation check, for example "The card number you provided is not valid. Please try again."
  - Do not request authorization until the account number passes the Mod 10 validation check.
- Display only the last four digits when showing a number to a repeat customer. The last four digits will provide your customer with enough information to identify the card and decide whether to use it or select another payment mode. At the same time this practice will reduce risk and indicate to your customer that you are handling his or her payment information in a secure manner.
Split transactions. Split transactions occur when a merchant divides the cost of a single transaction between two or more sales receipts, using a single cardholder account. A merchant may split transactions in an attempt to circumvent authorization limits imposed on its merchant account agreement. Splitting sales is prohibited.

When a merchant applies for a card payment processing account, one of the questions he or she is asked to answer in the application form is about the expected average sales amount and overall monthly card processing volume. Merchant account providers need this information to help them estimate the merchant's potential risk exposure. Larger average sales amounts, for example, are riskier because, in a case of a customer dispute or a chargeback, the potential loss is larger, compared to smaller amounts. As a result, the merchant's processing rates are given accordingly. Once the payment processing account is established, the processor will monitor the transactions and, if the merchant exceeds its declared sales amount on a regular basis, its rates may be increased or a processing limit may be imposed, or both. That is the reason why a merchant may try to split sales.

Split sales may be prohibited but split-tender transactions are accepted. Split-tender transactions occur when a customer presents a card to pay for a purchase plus some other form of payment, such as cash or a check or another card. Merchants should set their own policies on whether or not to accept split-tender transactions.

Validating cardholder information. Just as validating the authenticity of a card account number is important in making sure that no false cards are used in eCommerce payment transactions, confirming the provided cardholder information ensures that no authentic cards are used by unauthorized persons. The two validation processes are complementing each other, they represent the two sides of the same coin and should both be implemented in every web-based merchant's card acceptance procedures.

The process of validating a payment card number consists of checking the correctness of the provided customer's telephone number, physical address and email address. The following simple verification steps will help eCommerce merchants identify errors or potential fraudulent activity:
- Use a telephone area code and prefix table to ensure that the provided area code and prefix are valid for the entered city and state. If mismatches are identified, alert the customer and allow him or her to review the information. Also you should allow re-entering the data as the information initially entered may be valid due to recent additions or changes in telephone area codes.
- Use a ZIP-code table to verify that the entered ZIP code is valid for the entered city and state. Although changes in ZIP codes are rarer than changes in area codes, you should still allow customers to override alerts as updates do occur or data may be erroneous.
- Test the validity of the provided email address by sending an order confirmation.
Risk management infrastructure. In order to reduce losses resulting from excessive risk exposure, eCommerce merchants must implement internal fraud prevention measures and controls that are designed to their environment's specifics. A dedicated fraud control department can provide the direction that the organization needs to take to fight fraud. Consider implementing the following measures:
- Establish an official fraud control function. Consider implementing the following suggestions when setting up a fraud control position or department:
  - Elevate fraud detection and prevention to the highest priority.
  - Develop day-to-day objectives that promote profitability, such as:
    - Minimizing the percentage of fraudulent transactions.
    - Minimizing the affect of fraud-prevention efforts on legitimate sales.
    - Minimizing fraud-related chargebacks.
  - Clearly define responsibilities for detecting and reviewing fraudulent transactions.
  - If yours is a larger organization and you have a separate group that deals with chargebacks, you should encourage a close cooperation between the fraud-prevention and chargeback-monitoring groups, as one of the most common causes for chargebacks is fraud.
- Monitor fraud-control performance. Your fraud-prevention efforts will become more effective if you track areas like:
  - Overall fraud as a percentage of your total sales.
  - Fraud recoveries as a percentage of your total fraud.
  - Speed of reviewing and making decisions on suspicious transactions.
  - Number of complaints from customers regarding legitimate sales.
Internal negative file. Establishing and maintaining an internal negative file is an invaluable tool that eCommerce merchants have at their disposal for fighting fraudulent transactions. It will ensure that you will not fall victim multiple times to the same fraudulent account. When building and maintaining an internal negative file, you should make certain to implement procedures to ensure that only details from fraudulent transactions are stored and recorded. Information that relates to customer disputes or chargebacks should be left out of the negative file. The following suggestions will help you build and manage the file.
- Building and maintaining of an internal negative file. You should begin with a review of your own history of fraudulent transactions. Record the details of the fraudulently used accounts to protect your organization from possible future fraud committed by the same person. Follow these steps:
  - Record all key elements of fraudulent transactions. Your file should include names, email addresses, shipping addresses, customer identification numbers, passwords, phone numbers and card account numbers. Remember that it is not allowed to store the 3- or 4-digit card security codes.
  - Set up a process to remove from the negative file information about legitimate customers whose card accounts have been compromised. Their information may have been used by criminals.
- Using the internal negative file to screen transactions. If a transaction data matches data stored in your negative file, you should decline the transaction or, at the very least, initiate a thorough review.

Processing Recurring Payments

2009-09-11T10:47:00.002-04:00

Recurring payments help simplify the process of billing a cardholder for a product or a service that is being provided on a continuous basis. A recurring payment plan exists when multiple transactions are processed at predetermined intervals, as a result of an agreement for the purchase of products or services. A cardholder authorizes a merchant to charge his or her payment card on a regular basis (usually monthly, but it can be at other intervals) for a period of time, however the interval between any two consecutive transactions cannot exceed one year. The transaction amount can be fixed or it can vary. The recurring payment plan is in effect until canceled by the consumer. A good example is a newspaper subscription where a consumer can be making payments indefinitely, until the subscription is canceled. A recurring plan differs from an installment payment plan in that in the latter you have a fixed amount to be paid and the installments are agreed upon in advance and made until paid in full.

The main benefit that merchants get from a recurring payment plan is that it reduces costs, associated with the processing of a single payment. Recurring payments also help increase customer loyalty, increase efficiency and improve the cash flow by ensuring timely and regular payments.

To ensure managing recurrent billing in an effective manner, merchants should incorporate into their procedures the following practices:

Allow customers to choose the billing date. They know best when the money will be available.
Inform the cardholder the name that will be presented. Ensure that the "Doing Business As" name, or some other name, easily recognized by the cardholder, is used when billing or corresponding with the cardholder. Your merchant processing provider will be able to set your billing descriptor to show the desired name.
Provide a clear statement of the cancellation policy on the cardholder's agreement and your website. This will help minimize chargebacks.
Provide the cardholder with clear information regarding the billing arrangements, all charges related to the delivery of products and services.
Ensure that billing is discontinued immediately upon the cardholder fulfilling the cancellation terms - provide the cardholder with cancellation confirmation including when the last billing will occur if this has not already occurred, or if a credit is due when the credit will be processed.
Ensure that the cardholder is notified when goods or services cannot be delivered or provided on the agreed upon date.
Provide the cardholder with an easily accessible contact number for customer service inquiries, and also the right to terminate the recurring transaction.
Ensure an authorization request is made and approval is obtained before a payment is submitted for clearing.
Make sure that all transactions reflect the Recurring Payment Indicator.
Contact the cardholder to obtain alternative account billing details if the authorization response is a decline.

Provide a Merchant Pre-Billing Notification prior to submitting an authorization request for a recurring transaction and you will see less customer disputes and chargebacks.

This type of a payment plan offers many advantages to both the merchant and his customers and these advantages have been discussed previously in this blog. There are, however, certain characteristics, inherent in every recurring payment plan, that make them particularly vulnerable to customer disputes and chargebacks. Implementing the following recommendations will help minimize such problems:

First Payments in a Recurring Plan. The first payment of a recurring plan should be processed just as every other eCommerce or MO / TO card processing transaction. You should always use AVS and the Card Security Verification codes. For Visa and MasterCard transactions it is advisable that you also utilize Verified by Visa and MasterCard SecureCode. The sales receipt of the first recurring payment should include the following information:
- The words "recurring transaction."
- The frequency of the charges.
- The period of time that the cardholder has agreed to making payments (if applicable).
All Recurring Payments. To best protect themselves against customer disputes and chargebacks, merchants should:
- Always use the Address Verification Services (AVS). Only process transactions for which you receive a positive match.
- Keep a file with your customers' card expiration dates and include them in all authorization requests.
- Identify recurring transactions as such. This identification will typically be handled by your merchant account service provider but you should make sure that it is set up properly.
- Always notify your customers before each recurring charge. Provide the notice at least ten days in advance. In the notice you should include the amount and date on which it will be charged.
- Create adequate controls to protect stored cardholder data.
- Never store Card Security Verification codes - the 3- or 4-digit numbers on the back or front of all credit cards.
- Check for customer complaints and respond promptly. Adequately addressed complaint will help resolve the issue before it deteriorates to a chargeback.

eCommerce Card Pyment Acceptance

2009-09-11T10:11:00.004-04:00

The eCommerce card payment acceptance process goes through several stages:

eCommerce Transaction Authentication

Authentication of an eCommerce transaction is the process through which a merchant verifies the validity of the payment information provided be the customer. The process can include a verification of both the cardholder's identity and the card's authenticity. It is important to understand that eCommerce merchants have the responsibility to select and apply the appropriate transaction authentication services. The proper application of the transaction authentication process reduces the number of customer disputes and chargebacks.

The most popular card processing transaction authentication tools are:
- Address Verification Service. Address Verification Service (AVS), as its name suggests, is a service that helps eCommerce merchant account users verify a cardholder's billing address. The verification is done simultaneously with the payment processing transaction authorization. The merchant sends an address verification request to the card issuer who compares the provided data with the information it has on file for its cardholder and sends back a response code indicating the result of the comparison.
- Card Security Verification. Card Security Verification (CSV) is 3- or 4-digit number located on the back (Visa, MasterCard and Discover) or the front (American Express) of every payment card. In eCommerce transactions the CSV number is used to verify that the customer is actually in physical possession of the card. Similarly to AVS, the CSV request is routed to the card issuer, who compares the provided value to the one it has on file for its cardholder and responds accordingly.
- Verified by Visa and MasterCard SecureCode. These services provide cardholders with the option of registering their cards with the respective Association. Upon registration with Verified by Visa (VbV) or MasterCard SecureCode, the cardholder is given a password. When the card is used at a participating eCommerce merchant, the cardholder is asked to enter this password before the transaction can be completed. The provided password is compared to the one the card issuer has on file and, upon confirmation, the cardholder is allowed to complete the transaction.
Employing the above listed authentication tools will greatly improve your ability to fight fraud in your card payment processing operations and will have a positive effect on your bottom line.
- Product Description. Online customers are fully reliant on the merchant's product description for any relevant information about the merchandise or service they are interested in. Unlike an old-fashioned brick-and-mortar store, where consumers can go in and physically inspect the product, in the virtual world of eCommerce this is not possible. Moreover, a physical store presents the opportunity of discussing the product's or service's qualities and features with a live sales person - a presence that many consumers find reassuring. Many customers simply feel more comfortable communicating with another human being and do not trust the descriptions that eCommerce merchants make available on their websites for the products and services they sell. Taking this into account, the question becomes "How do we make an eCommerce website a more consumer-friendly place and how do we make an online product and service description better?" There are simple best practices that can be employed to help address these concerns.
  
  In order to make sure that your website presents an accurate description of the products and services that you sell and to boost your customers' confidence in shopping at your store, you should:
  - Develop a clear and comprehensive product descriptions. Be as detailed as you can. Provide a PDF or other type of a file with the complete manufacturer product sheet. Also, remember that the eCommerce is a global industry and your customers can be anywhere. Unless you limit your sales to a local market, you should include in your product description information that domestic merchants can ignore. For example, if you sell electric goods, you should state the voltage requirement, as it varies around the world. Also, when you provide the products dimensions you should use both English and metric measures.
  - Use product photos and images, if applicable. An image of a product is a very powerful marketing tool. Many of us will not consider making a purchase unless we see what it is we are buying. You should use high-quality images and provide shots from various angles of the product.
- Shipping Policy. A web-based store's shipping policy communicates to consumers the terms and conditions for delivering a product or service purchased on the merchant's eCommerce website. It has to be written in a clear and concise manner and to be made available to consumers through a link on the merchant's website, as well as sent to customers in the confirmation emails that they receive after they place an order. In order to avoid misunderstandings and to minimize customer disputes, your shipping policy should include the following information:
  - Details on the shipping options that you offer and the expected delivery time frame for each one of them.
  - A full disclosure for all shipping and handling fees. It is extremely important that your customers know in advance the exact amount of the shipping charge. This is one of the most common causes for disputes and chargebacks.
  Once the product has been shipped and the customer has been informed of the expected delivery time frame, you should monitor the shipping process. If there is a delay, you should immediately inform your customer of the new circumstances and provide him with the updated delivery date. Be advised that if your customer does not receive the product by the expected delivery date, it is very likely that he or she will file a dispute, initiating a chargeback.
  
  Be advised that criminals have exploited a weak link in the shipping process. When placing an order on an eCommerce merchant website, they will provide the stolen card number with the correct billing address. Once the merchandise has been shipped and they are given a tracking number, they will redirect the shipment to their own address. To protect the integrity of your card processing account and your customers from this type of fraud, you should consider not providing a confirmation number on a selective basis, when selling higher-risk merchandise or shipping to higher-risk addresses.
- Merchant Account Benefits. Setting up a merchant account is a process that requires that the merchant invests a certain amount of his or her time to first find the right processing provider and then to go through the actual application and set up. Once the service is established, it has a certain monthly maintenance cost, in the form of a statement fee and, in some cases, other fees and charges. Moreover, payment processing contracts are usually for two or three years. So it is a legitimate question to ask what benefits your establishment will get from a merchant account and is it worth the investment of time and effort to set one up.
  
  For most merchants the answer is that yes, it is worth it and you should consider setting one up as soon as your processing volumes grow large enough to justify it. By that I mean that there is a break-even point, specific for every business, beyond which the lower card processing rates, associated with merchant accounts, fully offset the fixed monthly fees, which are absent with third party solutions. The main benefits of having your very own merchant account service are:
  - A more professional image. All types of merchant accounts are perceived, and justifiably so, as a sign that the business is of a certain size and it is committed to providing a complete shopping service. Actually, taking into account the strict requirements that payment processing companies demand that applicants meet, it is true that a merchant account shows a certain level of commitment on the part of the merchant.
  - A lower card processing cost. The difference in card processing rates, that a direct merchant account provides over a third party processing solution, is significant and cannot be overstated. A comparison between an average eCommerce merchant account and PayPal shows that the difference can be as high as 0.8% + $0.05 per transaction for merchants that process less than $3,000 per month. Now that is substantial!
  - More control over your account. A third party processing solution leaves your processor with a complete control over your card payment processing activity. They can hold on to your money and even freeze your account if a suspicious activity is thought to have occurred. A direct merchant account gives you complete control over your processing activities, provided you follow the rules established in your processing agreement. As far as fraudulent transactions are concerned, the final decision, and responsibility, on whether a payment should be processed or not, is yours and various fraud prevention services are available to help you reach that decision.
- Avoiding Duplicate eCommerce Transactions. ECommerce merchants need to develop procedures to help them identify and prevent duplicate orders from being processed. Unlike face-to-face transactions, where once the card is swiped, it is pretty easy to determine whether or not the transaction has been processed, orders placed online are susceptible to being duplicated, as sometimes it takes a long time for the customer to receive an authorization response and he or she might do it all over again. Duplicate orders can lead to higher card processing costs, as merchants will pay for every transaction that their merchant account provider processes, regardless of whether it is legitimate or not. Moreover, merchants will have to spend extra time to sort out the duplicate transactions, issue credits to the affected customers which all leads to additional expenses as well. Another unwanted side effect from duplicate transactions is the customer dissatisfaction that naturally results from having their credit card accounts billed twice for the same purchase. Customers may, in such cases, call their card issuer directly, instead of contacting the merchant and try to clear up the issue. They are likely to dispute the transaction, initiating a chargeback.
  
  As you see there are plenty of reasons why you should establish controls to prevent customers from inadvertently submitting a transaction twice. You can use the following best practices to build your procedures around:
  - Require customers to make positive clicks on order selections, rather than hit the "Enter" key on their keyboard. In other words, have customers click on a "Submit" or a similar button.
  - Once the order has been submitted, display a "Order Being Processed" or a similar message.
  - Regularly check your orders for duplicates.
  - Send email messages to customers to confirm whether or not a duplicate order was intentional.

eCommerce Transaction Processing
- Transaction Settlement. Settlement is a process through which a card issuing bank exchanges funds with an acquiring bank to complete a cleared transaction, where clearing is the exchange of transaction information between the card issuer and the acquirer. Clearing and settlement occur simultaneously. The settlement process may vary slightly from one merchant account service provider to another but it goes through the following stages:
  1. Once the service has been provided or the merchandise shipped, the merchant captures the transaction payment information and submits it, with the daily batch, to its merchant processing services provider for settlement.
  2. The merchant processing bank submits the transaction data to the Credit Card Association (Visa or MasterCard) for settlement.
  3. The Credit Card Association sends the transaction information to the card issuer and then settles it by crediting the merchant processing bank's account and debiting the card issuer's account. The amount, debited from the card issuer's account is equal to the transaction amount, minus interchange. The amount credited to the processor is equal to the transaction amount, minus interchange, minus the association fees.
  4. The merchant processing bank receives its funds, usually within 24 hours of the transaction, and credits the merchant's account, usually within 48 hours of the transaction. The merchant receives an amount that is equal to the amount credited to the merchant bank's account, minus payment processing costs.
  5. The card issuer posts the transaction information on its cardholder's account and sends a monthly statement. The cardholder has the option to pay the full amount or a lesser amount, but no less than a minimum amount, established in the cardholder agreement. If the cardholder chooses to pay an amount, lesser than the full amount, the remaining balance will be charged an interest rate.
- Transaction Controls. Implementing transaction controls will help eCommerce merchants reduce their risk exposure by identifying high-risk transactions. These controls help determine when a cardholder or transaction should be more thoroughly investigated. When establishing your transaction control policies and procedures, consider implementing the following steps:
  - Setting up transaction controls and velocity limits. The initial process of establishing and implementing your organization's transaction control should adopt the following procedures:
    - Establish review limits on the number and dollar amount of transactions approved for a customer within a specified period of time. Later you should adjust these limits to reflect the customer's purchasing patterns.
    - Establish review limits based on single transaction amount.
    - Make sure that velocity limits are checked for multiple characteristics, including shipping address, telephone number and email address.
    - Track and adjust velocity limits as you accumulate information on your customers' purchasing patterns. The limit should be stricter for new customers and looser for customers with solid purchasing and payment track record.
    - Contact customers that exceed your preset limits to determine whether the activity is legitimate and should be approved.
  - Adjust transaction controls and velocity limits based on transaction risk. Use your risk experience regarding selected products, shipping locations and customer purchasing patterns and modify your transaction controls and velocity limits to reflect it.
  Implementing transaction controls will help prevent fraud, minimize customer disputes and reduce the number of chargebacks.
- AVS Processing. Address Verification Service may be used with or without an authorization request.
  - AVS with an Authorization Request. MO/TO and eCommerce merchant account users can process AVS requests just as they process authorizations, either in real time or in a batch using a terminal or a PC. Real-time authorization requests are used typically for transactions where the customer waits for a response online. Batch authorizations are used for transactions where there is no immediate need for a response. The process of transaction authorization and address verification goes through the following stages:
    1. A consumer place an order in a card-not-present environment.
    2. The merchant confirms the order information, including the merchandise description, price, card account number, card expiration date and shipping address. The merchant now requests that the customer provides a new piece of information - his or her billing address (the billing address is where the cardholder receives his or her card statements).
    3. The merchant enters the provided billing address information into its authorization request, along with the rest of the transaction information. Both requests are sent to the merchant's payment processing provider who sends them on to Visa or MasterCard.
    4. The Credit Card Association (Visa or MasterCard) then sends the requests on to the card issuer who makes separate decisions on each request. The card issuer compares the provided billing address to the one it has on file for its cardholder. It then returns both the authorization and the address verification responses through the same channel. The address verification response consists of a single-digit code which the merchant's credit card processing provider may change to make it easier to understand.
  - AVS without an Authorization Request. In some cases merchants can send an address verification request without a transaction authorization request. Such situations may arise when:
    - Merchants want to verify a customer's billing address before a transaction authorization is requested.
    - An earlier transaction authorization request has received an approval but an AVS request has received a "Try again later" response.

Face-to-Face Card Payment Acceptance

2009-09-10T18:38:00.005-04:00

Card-present transactions (also called face-to-face transactions) occur when both the card and the cardholder are present throughout the payment processing. Face-to-face payment processing settings reduce the risk of fraudulent transactions. The cardholder has the card in his physical possession and the payment information is read from the card's magnetic stripe as it is swiped through the terminal. The merchant has a responsibility to make sure that the transaction is legitimate and should physically examine the card and compare the cardholder's signature on the back panel to the one the customer provided on the sales receipt. Because of the lower processing risk, associated with card-present transactions, Visa and MasterCard have set lower interchange rates for them. The processing rate, at which a transaction is processed, is the sum of the interchange fees for this particular card type and the processing cost incurred by the acquiring bank. Besides processing rates there are other fees and charges that merchants pay for using their processing accounts. Following is a breakdown of card-present merchant account processing rates and fees and our suggestions as per what they should be.

Discount rate. Discount rate is a percentage of the transaction amount. You should pay no more than 1.69% for credit cards and 1.40% for debit cards. These are the rates for consumer cards which are the most widely used. Various business-to-businesses, commercial, rewards and other types of cards typically get charged at a higher interchange rate (the base processing rates set by Visa and MasterCard). You need to ask your merchant services provider what pricing structure they are using. The best choice for you will most likely be the interchange-plus pricing which will ensure that the payment processing costs they add to the interchange fees are the same for all types of cards and you will not get overcharged.
Transaction fee. Transaction fee is a fixed dollar amount that you pay for each transaction. You should not accept anything higher than $0.20 (it will most likely be the same for debit and credit cards).
Set up fee. You should not be paying any set up or application fees, even if your merchant account provider attempts to convince you otherwise!
Monthly maintenance fee. Every merchant account provider will charge you such a monthly fee, although they might have different names for it. You should not be paying more than $10.
Support fee. Another monthly fee that you should not agree on paying.

In order to accept cards, you will need a payment processing terminal and your merchant account provider will provide you one and configure it to work with their system. You can purchase the terminal from a third-party vendor as well. You should carefully review the whole merchant processing agreement for charges that may make it more expensive than it seems. All agreements will include provisions for chargebacks, bounced checks, representations, etc.

Card-Present Transactions Processing without using a Terminal

Often in card-present processing environments merchants will find themselves unable to read the card's account information with the use of their terminal or they may not be able to obtain an authorization for the transaction. The issue may be caused by one of three things:

The terminal's magnetic stripe reader is not working properly.
The card is not being swiped through the reader correctly.
The card's magnetic stripe has been damaged or demagnetized. Be advised that damage to the card may happen by accident, but it may also be a sign that the card is counterfeit or has been altered.

When the terminal is not reading the card's information, the terminal operator should:

Check the terminal to make sure that it is working properly and that the cardholder is swiping the card correctly.
If the terminal proves to be in order, the point-of-sale staff should examine the card to make certain that it has not been tampered with and it is valid.
If the examination of the card discovers that the problem is caused by the magnetic stripe, the point-of-sale person should follow store procedures. One option would be to override the swiping procedure and to key-enter the transaction data or a call to the merchant services provider's authorization center may be required.
For both key-entered and voice authorized transactions the merchant should take a manual imprint of the front of the card to prove that the card was present. The imprint should be made on the sales receipt or on a separate sales receipt signed by the customer. The card imprint protects the merchant from chargebacks if a case of a fraud.

Although keyed card payment processing transactions are fully acceptable, the merchant should keep in mind that they are associated with higher levels of fraud and chargebacks. A significant disadvantage proves to be the fact that certain security features, such as expiration date and Card Security Codes, are unavailable.

Card-Present Processing

Processing card transactions in a card-present environment offers the advantage of having the card available for inspection and the cardholder is present so he or she can be asked to provide additional information, if needed. To benefit from this advantage and to ensure that transactions are processed the right way, merchants need to follow a few simple procedures at the point of sale. Incorporating these suggestions into your card payment processing practices will significantly lower the levels of fraudulent transactions at your establishment. Consequently, customer disputes and chargeback levels will also decrease and your payment processing costs will be the lowest possible.

Swiping the card. The first step in the card payment acceptance process is the swiping the card. Place the card's magnetic stripe against the card reader and hold it through the entire transaction. This procedure can be performed, and usually is, by the cardholder.
Checking the card's security features. While waiting for the authorization response, check the card's security features to make certain it is authentic. Make sure that the card account and verification numbers have not been tampered with and that the back of the card is signed.
Obtaining your customer's signature on the sales receipt. If the authorization response is positive, you should obtain the cardholder's signature on the sales receipt. Without a signed receipt you may lose your representation rights in the case of a chargeback.
Comparing the information on the sales receipt to the one on the card. Once you have obtained your customer's signature, compare it to the one on the back of the card. Also, compare the name and account number on the card to the ones printed on the receipt. If everything checks out, return the card to your customer and provide him with the bottom copy of the receipt. You will want to keep the top, white copy of the receipt because it produces better quality copies, in case you need one later.
If you suspect a fraud, make a "Code 10" call. If a security feature is missing or it appears as if it has been tampered with, or if the signature that your customer provided on the sales receipt does not much the one on the back of the card, make a "Code 10" call to your authorization center for instructions on how to proceed. You may be asked to decline the transaction and keep the card. You should only keep the card if it is safe to do so. Otherwise, complete the transaction and alert the card issuer after the customer leaves the store.

Card-Present Fraud Signs

There are signs of suspicious behavior that unauthorized card users may display at the point of sale and, if your personnel have received the proper training, they should be able to identify them and act according to your organization's procedures. Identifying fraud before it actually takes place helps to avoid chargebacks against which you have no remedy. Following is a list of suspicious signs at the point of sale that you should look out for:

Purchasing large quantities without much attention to details. If a customer is purchasing a sizable amount of merchandise, without much care for size, color, or even price, that might be an indication for fraud.
Ignoring free delivery options. If your customer asks no questions or completely ignores a free delivery option, in favor of a quicker but paid one, this could be a warning sign.
Rushing the cashier into a quicker processing of the payment. Although your customer may really be in a hurry, such behavior may be intended to force the point-of-sale person to circumvent fraud prevention measures.
Making multiple purchases within a short period of time. If a customer completes a purchase, leaves the store and then comes right back in, he or she might be doing it because they believe that making multiple fraudulent transactions, each for a lesser amount, would not attract much scrutiny.
Shopping either right after the store opens or before it closes. A fraudster might be shopping early in the morning or late in the evening, in the hope that the point-of-sale personnel will not be as attentive as during other stretches of the day.

Be advised that, although suspicious, a certain behavior might be perfectly well justified and explained in another, completely legitimate way. By themselves, none of the above examples constitutes a proof of a fraudulent activity. You should always use your observations of customer behavior in the context of the particular setting. Different establishments attract different types of customers and what is considered a normal customer behavior at one place might be interpreted as completely irregular at another.

Once the point-of-sale person has accumulated enough observations to conclude that a fraudulent activity is probably taking place, you should contact your merchant bank's authorization center and make a "Code 10" request. You should keep the card in your possession, but only if it is safe to do so. If you feel threatened or uncomfortable, complete the transaction and make the call to your merchant account bank's center right after the customer leaves. Then follow the instructions your merchant bank gives you.

Skimming of Credit Cards

What is skimming. Skimming is a fraudulent activity involving the illegal copying, or "skimming", of the account information, stored in the magnetic stripe of a credit or debit card. Skimming typically takes place after the card has been presented to be used in a legitimate transaction. The copied information is subsequently used to make copies of the payment card to be used in fraudulent transactions or the information itself may be sold to criminals.

The skimming process. Sadly it is way too easy to skim the information off of a credit or debit card. The information theft is usually committed in a card-present setting, for example in a restaurant, a bar or in other similar establishments where the swiping of the payment card takes place out of sight of the cardholder. Once the customer presents his or her card and it is taken to the processing terminal, it is run through a small mobile device which copies the information contained in the magnetic stripe. Then the card is also run through the terminal's slot to complete the legitimate transaction and it is eventually returned to the unsuspecting cardholder.

Preventing skimming. Skimming is illegal and it is every merchant's responsibility to ensure that it is not taking place in his or her establishment. You and your personnel should be on guard against:

The use of all electronic devices that are not needed or normally used in your type of business. If you are not sure exactly what a particular device is used for, you should investigate.
Any offers to record payment card account information for whatever reason.

If you believe or suspect that skimming might be taking place in your establishment, you should immediately contact your payment processing provider and take the appropriate measures against the employee(s) involved.

Minimizing Key-Entered Transactions

Merchants that accept payments in a face-to-face environment have the advantage of processing transactions at lower rates compared to their counterparts operating in a card-not-present environment. Key-entered transactions, however, are charged at higher rates and should be kept to a minimum.

The first step in the process of minimizing the key-entered card processing transactions is to estimate their share of the total transactions. To do that you should divide the total number of key-entered transactions for a certain period (a month or a quarter) by the total number of sales. If your business is processing mail order and telephone order transactions, you should exclude them from both totals. To represent the result as a percentage, you should multiply it by 100.

If your key-entered transactions exceed one percent per terminal, you should investigate the situation. Following is a list of the most common reasons for high rates of key-entered transactions and possible solutions.

Damaged Magnetic Stripe Reader. Check magnetic stripe readers regularly to make sure they are working.
Dirty Magnetic Stripe Readers. Clean magnetic stripe reader heads several times a year to ensure continued good use.
Magnetic Stripe Reader Obstructions. Remove obstructions near the magnetic stripe reader. Electric cords or other equipment could prevent a card from being swiped straight through the reader in one easy movement.
Spilled Food or Drink. Remove any food or beverages near the magnetic stripe Falling crumbs or an unexpected spill could soil or damage the machines.
Anti-Theft Devices that Damage Magnetic Stripes. Keep magnetic anti-theft deactivation devices away from any counter area where customers might place their cards. These devices can erase a card’s magnetic stripe.
Improper Card Swiping.
- Swipe the card once in one direction, using a quick, smooth motion.
- Never swipe a card back and forth.
- Never swipe a card at an angle; this may cause a faulty reading.

Code 10

Credit card processing companies offer the Code 10 authorization procedure as an additional protection against fraud in a card-present transaction environment. Code 10 is an authorization call that a processing terminal operator can make to his or her payment processing provider's authorization center when he or she suspects that a customer is attempting to commit a fraud at the point of sale. The cause for a suspicion may be that the card looks as if it has been tampered with or altered, or that the customer is behaving in a suspicious manner. If the terminal operator believes that there is enough evidence to suspect that a fraudulent activity is taking place, he or she should make a "Code 10" call and request a voice authorization for the transaction at issue with their payment processing provider.

The process of requesting a "Code 10" transaction authorization is pretty straightforward. It consists of the following steps:

Having the card in his or her possession the terminal operator should dial the payment processing provider's voice authorization center.
The operator should then state to the representative who picks up the call "I have a Code 10 authorization request." The authorization center's representative will probably asked for some transaction details and then the call will be routed to the card issuer.
When speaking with a representative at the card issuer's authorization center, the terminal operator will be asked questions about the transaction at issue which he or she will answer by a simple yes or no. The card issuer's representative will then determine whether or not the transaction is fraudulent and provide instructions on how to proceed.
The operator should follow the instructions of the card issuer's representative.
If the instruction is for the card to be picked up, it should only be done if it is safe. Otherwise the transaction should be completed and further action should be taken after the customer leaves the store.

Placing a Code 10 call after the customer has left the store is very important. Even though a fraudulent transaction might already have been processed, placing the call at that time will prevent the same fraud from being committed elsewhere or even in the same store in the future.

Credit Card Recovery

Visa and MasterCard regulations demand that in certain circumstances a credit card should be picked up from a customer at the point of sale, but only if it is safe to do so. Typically, if there is sufficient evidence to believe that a credit or debit card is being used fraudulently or if its security features look as if they have been altered, your point-of-sale personnel should attempt to recover the payment card. Any of the following examples would provide a sufficient reason for picking up a payment card:

The card's security features are missing or altered. If the 3- or 4-digit card verification security code (CVV2, CVC2 or CID) is missing or has been tampered with, or if the hologram does not appear right, or if the "Good Through" date is altered, that should raise your suspicion.
The card number on the sales receipt does not match the account number on the card. If the account number that your terminal has read from the magnetic stripe and printed on the sales receipt does not match the one on the front of the card, this should immediately raise a red flag.
The merchant receives a pick-up response. If, upon placing a "Code 10" call with the card issuer, you have been instructed to pick up the card, you should follow the instructions.

When attempting to pick up a card from a customer you should follow these procedures:

A card recovery should only be attempted if it is safe to do so. If not, you should complete the transaction and, once the customer leaves, alert the card issuer and the management of your business. Do not try to be a hero, if your customer is threatening you or becomes violent, you should let him or her go.
Inform the cardholder that the card issuer has instructed you to recover the card and that, for more information, he or she should contact them.
Be polite and courteous with the cardholder. Treat the situation as a business transaction, not as a law-enforcement procedure.
Once you have recovered the card, contact your payment processing provider for further instructions.
Cut the card in half lengthwise and be sure to not damage the hologram and the account number or the magnetic stripe.
Send the recovered card's pieces to your payment processing provider.

Be advised that there are cash rewards that the Credit Card Associations of Visa and MasterCard pay to merchants who have recovered counterfeit cards. Ask your payment processing provider for details.

Zero-Percent Tip Authorizations

Transaction amounts should never be estimated. Following this rule is particularly important for restaurant merchants and it means that card transactions should only be authorized for the known amount of the bill. Merchants should never add on an estimated tip. Consumers today can, and do, check their credit card activity online in almost real time. If they see an amount that they do not recognize, cardholders are likely to ask questions and contact their card issuer.

Policies on Unsigned Cards

One of the merchant's responsibilities at the point of sale is to make certain, using the information that is available, that the card used to make the payment is valid and to compare the signature on its back panel to the one provided by the customer on the sales receipt. But what is to be done when the card is not signed? Well, all unsigned cards are considered invalid and should not be accepted, even if all other security features are valid and there is no other reason to be suspicious. When you are presented with an unsigned card at the point of sale, you should follow these steps:

Request that your customer provides a valid ID. A driver's license or a passport would be sufficient. Where the law allows it, the ID's serial number and expiration date should be written on the receipt before the transaction is completed.
Request that the customer signs the card. The card should be signed in front of you. Examine the signature and compare it to the one on the ID. If the customer refuses to sign the card, the card remains invalid and you should not accept it. Ask for another payment method.
If the provided signature matches the one on the ID, go ahead and complete the transaction.

If your customer refuses to sign the card and you still accept it, you will most likely have no recourse if the transaction is later disputed and will end up with a chargeback.

Card Type, Account Number and Expiration Date

Credit and debit cards bear several identification features that make them unique and help merchants and cardholders prevent their fraudulent use. These features are used during the transaction authorization process as well. Merchants should incorporate the following best practices to ensure that transactions are processed in a safe and secure fashion:

Request that customers provide both the account number and the card type and ensure that they match. Consider applying the following procedures:
- Request that customers select their card's type (Visa, American Express, MasterCard, Discover, etc.) before they enter the card's account number.
- Verify the validity of the provided information by comparing the selected card type and the first digit of the provided card number. The credit card companies use different account numbering systems. The first digit of every payment card identifies its type. Listed in the table below are the first digits that the major American card brands place in their account numbers.
  
  Card Type
  
  First Digit of Account Number
  
  American Express
  
  3
  
  Visa
  
  4
  
  MasterCard
  
  5
  
  Discover
  
  6
- Display an error message if there is a mismatch between the selected card type and the provided account number and request that the customer re-enters the data.
- Allow customers to enter card account numbers with or without hyphens, with or without spaces between digits, or clearly identify your preferred format.
Request that customers provide their card's expiration date. You can either provide a blank field to be filled in by the customer or a pull-down menu from which the customer to make a selection. If you choose the latter option, make sure that you do not provide a default month and year of the expiration date to prevent the customer from erroneously select it. The default date will most likely be different from the actual one and the transaction will be declined.

Card Acceptance Procedures

2009-09-10T17:43:00.000-04:00

Acceptance Procedures for Purchase Transactions

The following requirements are relevant to the merchant's acceptance procedures for purchase transactions.

Card must be present. A payment card must be presented to the merchant for all transactions except in the case of mail orders, telephone orders, card-not-present unique transactions, eCommerce transactions, and pre-authorized orders.
Determine whether the card is valid. The merchant must complete the following steps to determine whether each card presented is a valid payment card:
- Check the valid date and the expiration date on the face of the card. If the card is expired or not yet valid, the merchant must obtain an authorization from the card issuer.
- Check the Electronic Warning Bulletin or international Warning Notices. If the account number is listed, the merchant must not complete the transaction without obtaining an authorization from the card issuer.
- Compare the four-digit truncated account number imprinted in the signature panel with the last four digits of the embossed account number on the face of the card.
- Unless a hybrid terminal is used, compare the embossed account number on the face of the card with the number displayed or printed from the point of sale (POS) terminal.
- If a photograph of the cardholder is present on the card, compare the photograph on the card with the person presenting the card.
- Check that the card is signed.
- For unique transactions processed in a face-to-face environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used), request personal identification of the cardholder in the form of an unexpired, official government document. Compare the signature on the personal identification with the signature on the card.
Unsigned cards. If the card is not signed, the merchant must:
- Obtain an authorization from the card issuer.
- Ask the cardholder to provide identification (but not record the cardholder identification information).
- Require the cardholder to sign the card.
Suspicious cards. If the merchant believes that there is a discrepancy in the signature, or if the last four digits of the embossed account number do not match the four-digit truncated account number on the signature panel or displayed on the terminal, or if the photographic identification is uncertain, the merchant must contact its acquiring bank for instructions. If any unexpired card does not have a hologram on the lower right corner of the card face (for Visa and MasterCard cards), the merchant must pick up the card and contact its acquiring bank's Code 10 operator to advise it of the pick-up and to receive mailing instructions.

Obtaining an Authorization

The following information and requirements are relevant to the merchant's obtaining of an authorization.

Treat all transactions the same. With respect to obtaining authorizations of transactions, the acquiring bank must treat all transactions at a merchant location in the same manner.
Retain the card while obtaining authorization. The merchant must use its best efforts, by reasonable and peaceful means, to retain the card while making an authorization request.
When to obtain an authorization. The merchant must obtain an authorization from the card issuer before completing the transaction in the following instances:
- The transaction amount exceeds the merchant's floor limit or the floor limit applicable to the transaction.
- The card is expired or not yet valid.
- The card is not signed.
- The merchant wishes to delay presenting the transaction record.
- The transaction receipt cannot be imprinted although the card is present.
- The merchant's data processing equipment is unable to read the magnetic stripe or the chip (if one is present) on the card.
- The account number is listed on the regional Warning Notice.
- The transaction is a recurring payment and a previous authorization request was declined.
- The merchant is suspicious of the transaction for any reason.
Reporting a suspicious transaction. To report a suspicious transaction, the merchant must contact the authorization center, state "This is a Code 10" and await instructions.In all instances, except where the transaction exceeds the applicable floor limit, the merchant must inform the authorization center of the reason for the authorization request.
Pick-up-card response. If a cardholder account is listed on the electronic Warning Bulletin or regional Warning Notice, the merchant must not complete the transaction. The merchant must retain the card by reasonable and peaceful means and notify the authorization center for further instructions. If the authorization center cannot be reached, the merchant must retain the card by reasonable and peaceful means until the center can be reached.

Obtaining an Authorization for Hotel, Cruise Line, and Car Rental Transactions

The following information and requirements are relevant to merchants obtaining authorizations for hotel / motel, cruise line, and car rental transactions.

Authorization procedures. Hotel, motel, car rental, and cruise line merchants must comply with the standard authorization procedures and the requirements set out below.
Initiating the transaction. When the transaction is initiated, the merchant must request an authorization for an estimated transaction amount if the estimate exceeds the applicable floor limit. The merchant also may request an authorization for any additional estimated amounts as needed. Merchants engaging in car rental transactions may not include charges representing either:
- The vehicle insurance deductible amount, or
- An amount to cover potential damages when the cardholder waives insurance coverage at the time of the rental.
Charges for damages must be processed as a separate transaction. The merchant must provide a reasonable estimate of the cost to repair the damages and obtain agreement from the cardholder. If the cardholder chooses to pay for the repairs using his or her card, the merchant must:
- Prepare a specific sales slip with proof of card presence.
- Provide the estimated amount for repairs indicating that the amount will be adjusted accordingly pursuant to completion of the repairs and submission of the invoice for such repairs.
- Obtain a signature from the cardholder.
Completing the transaction. When the transaction is completed (i.e., when customer checks out of the hotel / motel or returns the car) and the final transaction amount is determined, the following will apply:
- If the final transaction amount does not exceed the merchant's floor limit, the merchant is not required to obtain an authorization, but it must check the account number against the international Warning Notice or the Electronic Warning Bulletin.
- If the final transaction amount does not exceed the merchant's estimated amount by 15%, the merchant is not required to request a secondary authorization. The initial authorization guarantees the full amount of the transaction.
- If the final transaction amount exceeds the merchant's estimated amount by 15%, the merchant must request a secondary authorization on the additional amount.
- If the final transaction amount exceeds the merchant's applicable floor limit, but a previous authorization was not received because the merchant's estimate did not exceed its applicable floor limit, the merchant must obtain an authorization for the full amount of the transaction.

If the card issuer declines a subsequent authorization request, the merchant is guaranteed the cumulative amount of previous authorizations, plus 15%.

If a pick-up-card response is received in response to a subsequent authorization request, the merchant must pick up the card. The merchant is guaranteed the cumulative amount of the previous authorizations, plus 15%.

Obtaining an Authorization when a Tip is Added

The following information and requirements are relevant to the merchant's obtaining of an authorization when a tip is added, either before or after the authorization process.

If the transaction amount is below the merchant's floor limit, and the cardholder adds a tip in an amount less than or equal to 20% of the transaction amount, the merchant is not required to obtain an authorization even though the total transaction amount may exceed the merchant's floor limit.
If a merchant obtained an authorization for a transaction, and the cardholder adds a tip in an amount greater than 20% of the transaction amount, the merchant must obtain an authorization for the additional amount. The card issuer is responsible for the full amount of the transaction.
If the cardholder adds a tip in an amount greater than 20% of the transaction amount and causes the transaction amount to exceed the merchant's floor limit, the merchant must obtain an authorization for the total amount of the transaction.

Completing the Sales Receipt

The following information and requirements are relevant to the completion of the sales receipt:

Include all goods on one sales receipt. All goods and services purchased in the same transaction must be included on a single sales receipt.
Sales receipt information requirements. The following information must be included on the sales receipt.
- A description of the goods. A description of the goods and services and their price, including applicable taxes, must be entered on the sales receipt in detail sufficient to identify the transaction. If no currency is identified on the sales receipt, the transaction is considered to have taken place in the currency that is legal tender at the point of interaction. If the merchant offers multiple currencies, then the sales receipt must indicate all of the following information:
  - The transaction amount in the merchant's local currency (the goods or services total).
  - The converted transaction amount in the currency chosen and agreed to by the cardholder and the merchant (the sale total).
  - The currency symbol of each.
  - The method by which the currency agreed to by the cardholder was converted from the amount in the merchant's local currency.
- The transaction date. The transaction date must be entered on the sales receipt.
- An imprint of the card. A legible imprint of the card must be made on the sales receipt, or the merchant may electronically record the customer's card information and the merchant location. If a transaction is completed without obtaining a card imprint or electronically derived card information, the merchant must note legibly on the sales receipt sufficient detail to identify the cardholder, the merchant, and the card issuer. This information must include at least the name and address of the merchant, the name or trade name of the card issuer as it appears on the face of the card, the account number, the security code, the expiration date (or dual date), the cardholder name, and any company name.If the transaction is completed without obtaining a card imprint or electronically derived card information, the merchant is considered to have verified the true identity of the customer as the cardholder, unless the merchant obtained and noted on the sales receipt independent evidence of the cardholder's true identity.Transactions based on mail orders, telephone orders, preauthorized orders, electronic commerce orders, Guaranteed Reservations and Advanced Resort Deposits may be completed without a card imprint.
- The authorization number. If an authorization is obtained from the card issuer, unless the transaction is an offline chip-read transaction, the authorization number must be entered on the sales receipt. If more than one authorization is obtained over the course of the transaction (as may occur for hotel, motel, or vehicle rental transactions), all authorization numbers, the amounts authorized, and the date of each authorization must be entered on the sales receipt.
- The primary account number. The primary account number (PAN) must be truncated on all cardholder-activated terminal sales receipts. Subject to local and national laws, PAN truncation is permitted on any other sales receipt type. It is recommended that only the last four digits of the PAN are printed on the receipt. Truncated digits should be replaced with fill characters such as "x," "*," or "#," and not with blank spaces or numeric characters.
- Delayed presentment. When the merchant receives approval for delayed presentment, the authorization number and the words "Delayed Presentment" must be noted legibly on the sales receipt.
- Cardholder identification. For unique transactions processed in a face-to-face environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used), the merchant must record on the sales receipt a description of the unexpired, official government document provided as identification by the cardholder, including any serial number, expiration date, jurisdiction of issue, customer name (if not the same name as embossed on the card), and customer address.
- The transaction certificate. The transaction certificate is not required on the sales receipt. However, if the acquiring bank elects to record the receipt of a transaction certificate on the sales receipt, then the merchant must enter the complete transaction certificate on the sales receipt.
- Prohibited information. The sales receipt or any other document must not reflect the following information:
  - The PIN, any part of the PIN, or any fill characters representing the PIN.
  - The card security code (CVC2, CVV2 or CID), which is indent-printed on the signature panel of the card.
Obtain the cardholder's signature. In a face-to-face environment, the merchant must give the cardholder the option of a signature-based transaction. Unless the cardholder uses a PIN, the cardholder must sign the sales receipt.
- Compare signatures. Unless the cardholder uses a PIN, the merchant must compare the signature on the sales receipt with the signature on the card to determine whether they appear to be the same.
- Discrepancy between signatures. If the merchant believes that the signature on the card does not match the signature on the sales receipt, the merchant must contact the acquiring bank for instructions. The signature would not match if the signature panel were signed "John P. Smith" and the sales receipt "Stan Smith" or K. Smith." The signature would be acceptable if signed "John P. Smith," "J. P. Smith" or "John Smith." The signature would be acceptable if a title such as Mr., Mrs., or Dr. is missing or is included.
- Signature not required. Transactions based on mail orders, telephone orders, preauthorized orders, electronic commerce orders, Guaranteed Reservations, Advanced Resort Deposits and Express Checkouts may be completed without the cardholder's signature. The merchant must type or legibly print on the signature line of the sales receipt the letters "TO", "MO", "PO", "EC", "Guaranteed Reservation / No Show," "Signature on File – Express Check-out," or "Advance Deposit" as appropriate. The merchant must retain and make available to the acquiring bank upon request the cardholder's written request to the merchant for preauthorization. The merchant must not deliver goods or perform services covered by a preauthorization after receiving notification that the preauthorization is canceled or that the card covered by the preauthorization is not to be honored.
Give the cardholder a copy of the receipt. The merchant must provide the cardholder with a true and completed copy of the sales receipt.

Multiple Sales Receipts and Partial Payment

Split tickets are prohibited. A merchant is prohibited from using two or more sales receipts, also known as a split ticket, to avoid an authorization request.
Include all goods on a single sales receipts. All products and services purchased in a single transaction must be included in one total amount on a single sales receipt except in the following instances:
- Multiple cards are presented. More than one card is presented for payment on a single transaction, and an authorization is obtained for the portion of the transaction charged to a each card.
- Multiple items are billed. Multiple items are purchased and individually billed to the same account, and an authorization is obtained for each item purchased.
- Partial payment. A merchant is prohibited from processing a card transaction where only a part of the total amount is included on a single sales receipt except in the following instances:
  - When the cardholder bills a portion of the transaction amount to a card and pays the remaining balance by cash or check.
  - When the products or services will be delivered or performed after the transaction date, one sales receipt represents a deposit, and the second sales receipt represents payment of the balance. The second sales receipt is conditioned upon the delivery or performance of the goods or services.
  An authorization must be obtained for the total amount of the transaction if it exceeds the applicable floor limit. The merchant must note on the sales receipt the words "deposit" or "balance," as appropriate. The sales receipt representing the balance must not be presented until the products or services are delivered or performed.

Returned Merchandise, Adjustments, Credits and Other Specific Terms of a Transaction

Merchant disclosure of specific transaction terms. The merchant may impose specific terms governing a transaction. In the event of a dispute, such specific terms will be given effect, provided that such specific terms were disclosed to and accepted by the cardholder before completion of the transaction. The merchant may impose specific transaction terms by, for example, printing the specific terms on the invoice or sales receipt in close proximity to the cardholder signature line before presenting the invoice or sales receipt to the cardholder for signature. Specific transaction terms also may be disclosed by other means, such as by signage or literature, provided the disclosure is sufficiently prominent and clear so that a reasonable person would be aware of and understand the disclosure before the transaction is completed.Specific transaction terms may include, for example, such words as "Exchange Only," "In-Store Credit Only" or "Original Packaging Required for Returns." Specific terms may address such matters as late delivery, delivery charges, or insurance charges.
Returned merchandise and canceled services. A merchant is not required to accept returned merchandise or the cancellation of services unless a right of return or cancellation was a condition of the transaction. If the merchant agrees to accept merchandise for return or to cancel services, the merchant must credit the same account used to purchase the merchandise or service.If the merchandise or service is purchased with a card, upon a partial or entire return of merchandise or cancellation of service, or if the merchant agrees to a price adjustment, the merchant may not provide a full or partial refund or adjustment by cash or check or by any means other than by a credit to the card account used to purchase the merchandise or service. The cardholder must be provided a copy of the credit receipt. A cash or check refund is permitted for involuntary refunds by airlines or other carriers or merchants only when required by law.
- Credit receipt requirements. The credit receipt must contain the following information:
  - The date.
  - A description of the returned merchandise, canceled services or adjustment made.
  - The amount of the credit.
  - The merchant's signature.

Card Type	First Digit of Account Number
American Express	3
Visa	4
MasterCard	5
Discover	6