Procedure guide
For a smoother operation

Welcome to Barclaycard Global Payment Acceptance

About this document

This procedure guide, along with the Terms and Conditions and Additional Service Conditions you subscribed to, gives you the information you need for your business to accept payments.

This guide contains some critical information about the risks associated with accepting payments, and gives details of the steps that you should follow to help raise your awareness of risks and reduce, as far as possible, your exposure to these risks.

This forms part of your agreement with us and will allow you and your business to accept payments. For your own benefit and protection, we recommend that you read this document carefully. Please make sure you keep this guide in a safe place, where your employees who use it have easy access to it, but out of reach of your customers and anyone else.

Barclaycard merchant number

For ease when you contact Barclaycard, please have your merchant number ready. You can keep a record of it here:

Changes to your business

To make sure that you are receiving the services that are most appropriate for your business, please let us know if any of the following changes take place (you can contact our Customer Services team on 0844 811 6666):

• The type of business you have been carrying out since you signed the original merchant agreement changes, including changes to the goods or services you provide
• If you start to use other channels
• If you change the name of your business
• If you sell your business or change its legal entity
• If there is a significant change in shareholding
• If you stop trading
• If your business enters any form of insolvency procedure

You will also need to tell us if you change your:

• Business address
• Correspondence address
• Contact details
• Phone number

We must have up-to-date records on you and your business so we can contact you if needed.

Protecting you and your business

Being aware of bogus and phishing emails

We will never email you asking for transaction or card details. If you receive an email claiming to be from us and asking for details of your transactions, please do not respond to the email (known as a phishing email). Instead, please do the following:

• Open a new email and attach the ‘phishing email’. Do not forward it as this will lose potentially important information we need to trace the message
• Send your email with the attachment to: [email protected]

To report any of these instances contact: [email protected]

Transaction laundering and third-party processing

If you are approached with a proposal to buy card transactions or process another business’ transaction through your facility, please contact us on 0844 8111 981. This is called laundering and breaks the terms of your agreement.

Contents

Payment acceptance

Card present

Accepting Card Present transactions
• Barclaycard processing equipment
• Using your own processing equipment or one supplied by another company
• Plastic card designs
• Accepting cards – best practice

Accepting card payments
• Accepting cards with a chip
• Accepting non-chip cards
• Accepting contactless payments
• Contactless payments using other technology and items
• High-value payment (HVP)
• Transactions entered using the keys

Verifying card payments
• Verifying cardholders using chip and PIN
• Verifying cardholders by signature
• Authorisations
• Voice authorisation
• Code-10 calls for card-present transactions
• Referrals for card-present transactions
• Split Sales
• Exchanges
• Processing a fall-back paper voucher
• Failure of the chip to read or swipe

Banking procedures and other services
• Sales and refund vouchers
• Completing your merchant voucher summary (MVS)
• Posting vouchers
• Preventing and detecting fraudulent card-present transactions
• Returning wanted or recovered cards
• Reward scheme

Other services
• Dynamic currency conversion (DCC)

Card not present

Accepting Card Not Present (CNP) transactions – e-commerce, mail and telephone order
• Authorising Card Not Present transactions
• Shipping goods and providing services
• Recurring transactions

Accepting payments over the internet (e-commerce)
• Website information
• Transaction receipts
• Using an accredited payment service provider (PSP) to accept e-commerce payments
• Accepting payments over the internet using your own software
• Using our payment gateway for accepting payments
• Requirements for merchants not using the Hosted Payment Page (HPP)
• Security of card data

Accepting Mail Order and Telephone Order (MOTO) payments
• Taking telephone orders
• Preventing and detecting fraudulent card-not-present transactions

Tools for monitoring fraud
• Card Security Code (CSC) and Address Verification Service (CSC/AVS)
• Internet authentication (3-D Secure)
• Fraud-screening
• Further advice for internet transactions
• Refunds

Other services
• Dynamic currency conversion for e-commerce transactions

Exceptional procedures

Chargeback and retrieval requests
• What is a retrieval request?
• Responding to retrieval requests and chargeback letters
• Faxlink service
• To help reduce the risk of chargebacks
• Timescales for chargebacks

Payment security
• What is PCI DSS?
• What information must be securely stored?
• What information must not be securely stored at any time?
• What you must do to keep to PCI DSS
• Demonstrating that you are keeping to the PCI DSS
• Card-scheme-approved qualified security assessor
• Approved scan vendors
• Further action you may need to take
• Data compromises
• The results of a data compromise
• Other organisations that store, transmit or process your cardholder data
• If you fail to keep to PCI DSS
• Protecting cardholder information
• Storing your records

Understanding your statement
• What will the statement look like
• Transaction payment advice
• Periodic statement
• Advice on the details of the service charge
• If you have a question about a merchant invoice and statement you have received
• Can I pass charges to my customer?
• Minimum charging

Internet authentication
• Authenticating cardholders successfully
• How do I use the internet authentication service?
• Types of authentication
• Full authentication
• Attempted authentication
• Passive authentication
• The main benefit of authentication – transferring liability
• Levels of protection
• Displaying the Verified by Visa and SecureCode logos

Using our 3-D Secure solution
• Your responsibilities
• Our responsibilities
• Message values

Direct to card schemes
• Your responsibilities
• Our responsibilities
• Transaction records
• Card issuer pop up or in-line window
• Your authentication merchant information
• Message values
• BIN cache
• Keeping to the card scheme
• If authentication fails
• If authentication fails for Visa transactions
• If authentication fails for MasterCard and Maestro transactions
• Mistake during authentication for Visa transactions
• Error during authentication for MasterCard and Maestro transactions
• Passing authentication values
• Error conditions
• Scheme directory server unavailable
• Hosted authentication service not available
• Cardholder browser suppresses pop-up window
• Own authentication software not available
• Chargeback reason codes included

Sector-specific trading

Vehicle rental companies
• Best practice for reducing chargebacks
• Tips on taking reservations over the phone
• Taking reservations by fax or mail
• Taking reservations over the internet
• Extra tips for checking genuine customers
• Your cancellation policy
• No-show
• Collecting the vehicle
• Pre-authorisation
• Accidents involving the vehicle
• Procedures for dealing with delayed charges
• Accepting split sales
• Your refund policy
• Extended hire
• Disputed transactions
• Extra rules for the Visa vehicle-rental reservation service

Lodging and accommodation
• Best practice for reducing chargebacks
• Taking advance reservations
• Tips on taking telephone reservations
• Taking reservations by fax or mail
• Taking a reservation over the internet
• Extra tips for checking genuine customers
• Taking advance lodging deposits
• Your cancellation policy
• Guests arrivals and check-in
• Pre-authorisation departures and check-out
• Express and priority check-out service
• Extended stays
• Disputed transactions
• Replying to requests for information and notice of chargebacks
• No show
• No-show charges
• Express and priority check-out charges
• Other charges

Contact numbers

Glossary and terminology

Payment acceptance

We can help you to accept payments from your customers in a number of environments using various payment methods.

There are two main environments where payments can be accepted.

Card Present (CP)

When the cardholder is in front of you and has their card with them at the time of the transaction and you take the payment either by reading the chip, by swiping the card through the processing equipment, or by using contactless technology.

Card Not Present (CNP)

When the cardholder and card are not with you at the time of the transaction. A Card Not Present transaction can take place:

• Over the internet (e-commerce)
• By mail order or by telephone order (MOTO)
• As a recurring transaction, where the cardholder gives you authority to charge a fixed or varying amount at intervals agreed between you and the cardholder (you would take the agreed amounts from the cardholder’s card for subscriptions, membership renewals and regular premiums)
• Using ‘tokenisation’, where a cardholder has agreed that you may take extra payments from their card at a later date without them having to give you their card details each time

The transaction types you can accept are shown in your agreement with us. You must make sure that you tell us if you want to process any other types of transaction.

Barclaycard processing equipment

If you are using Barclaycard processing equipment, please make sure you and your staff read the PDQ Terminal Operating Guide (see the terminal section of our website at: http://www.barclaycard.co.uk/business/existingcustomers/mypdq), along with this guide, before you start using the device.

Please see the Terminal User Guide for important safety information about the equipment and its use, and for relevant information on keeping to our conditions. It is important that you look after your processing equipment and make sure you keep all liquids away from the device. If damage to your device results in it not working, it may need to be repaired before you can accept transactions. If you damage your processing equipment, we may charge you to replace it.

Using your own processing equipment or one supplied by another company

If you are using your own processing equipment or one supplied by another company, we will need to test and approve it before you use the equipment for live transactions. You must tell us who your supplier is. You can contact our Customer Services team on 0844 811 6666.

You are responsible for making sure your supplier keeps to the Payment Card Industry Data Security Standard (PCI DSS) and for making sure the equipment meets industry security standards. If the supplier fails to meet these standards, it will mean you are not keeping to some of these regulations and the card schemes may charge you penalties as a result.
Accepting Card Present transactions

You can accept card payments using either processing equipment that we have supplied (referred to as ‘Barclaycard processing equipment’) or approved processing equipment of your own or supplied by another company. You must make sure that your processing equipment can take both chip-and-PIN and magnetic-stripe payments.

If you are using your own processing equipment you must make sure that you regularly carry out ‘asset management’. Asset management involves recording all stock and serial numbers for each piece of processing equipment you have, the location and basic electronic and physical identification used to authenticate each piece of processing equipment. Your processing equipment must keep to the PCI DSS standard.

Plastic card designs

There are many different designs for credit and debit cards. You should become familiar with the basic features (such as the card number, chip and so on) on most cards issued by banks and financial institutions.

Most processing equipment allows the cardholder to insert their card into the device themselves. However, if you have processing equipment that allows you to handle the card, there are some visual checks which you can carry out before accepting the payment. If you do not follow the basic checks, you may be accepting a fraudulent card, which may lead to unavoidable chargebacks.

Visa

• Cardholder number: 16-digit account number with first 4 digits printed below
• Cardholder’s name: Can be embossed or not. VPay cards are printed
• Visa symbol or logo
• Hologram: Flying dove (optional on Visa Electron cards)
• Chip: Embedded microchip
• Card type identification: ‘Electronic use only’ may appear on electronic cards
• Magnetic stripe: Can be a traditional stripe or a hologram (one or a number of flying doves)
• CVV2: Can also be on signature strip
• Last four digits of the card number: May not appear on Visa Electron cards issued outside UK
• V or UV element
• Contactless acceptance
• Card valid from and to dates: Can be embossed or not. VPay cards are printed
• Hologram: Plain silver or gold background, the dove flies and changes colour when the card is tilted. Can appear on the front of Electron cards
• Signature strip: Visa repeated. Some international cards will have a message on the strip and will not be signed. Ask for ID such as a driving licence or passport or make a code 10 call. Strip can be shortened

MasterCard

• Cardholder’s number: 16-digit account number starting with 5 (embossed or not) with first 4 digits printed below
• Chip: Embedded microchip
• MasterCard symbol
• Hologram: MasterCard Globe, which changes colour, must appear unless the hologram or halomag stripe appears on the back of the card
• Magnetic stripe or halomag stripe
• Maestro cards can carry cheque guarantee details or branding for an ATM network. This can be on the front or back of the card. Maestro cards can also hold a photograph of the cardholder and a signature on the front of the card
• CVV2: Can also be on signature strip
• Symbol/Logo: The symbol is linked circles in red and orange with MasterCard printed in the middle of them
• Cardholder’s name: Can be embossed or not
• Hologram: Can be debit or global hologram
• Card valid from and to dates: Can be embossed or not
• Signature strip: MasterCard repeated. The card must be signed. Some international cards will have a message on the strip and will not be signed. Ask for ID such as a driving licence or passport or make a code 10 call

JCB

• Chip: Embedded microchip
• Card valid from and to dates
• Cardholder number: An embossed 15 or 16-digit account number with first 4 digits printed above or below
• Magnetic stripe: Can be a traditional stripe
• Hologram: Sun, moon and JCB characters move when card is tilted
• 3-digit card security code
• Symbol or logo
• Signature strip: The card must be signed
• Cardholder’s name: Always embossed

Accepting cards – best practice

• Make sure that the card is valid and in date
• Rub your thumb over the signature strip (it should be smooth and level with the surface of the card) and also check that no part of the card has been damaged or tampered with
• If you ask the cardholder to sign the transaction receipt, check that their signature matches that shown on the back of the card
• Check that the last four digits of the cardholder number printed on the receipt match the last four digits of the embossed account number on the front of the card. If they do not, you must ring for an authorisation and say, ‘I have a card number mismatch.’ If you cannot speak freely, just say, ‘I have a code-10 call.’ (Please see the ‘code-10 calls for card-present transactions’ section of this guide on page 12)
• Check that the spelling of the signature (if you can read it) corresponds with that of the name embossed or printed on the card
• Check the hologram moves as you tilt the card back and forth. Counterfeit cards use poor reproductions so it can be easy to identify a fake with a quick glance

You must make sure you can accept chip-and-PIN and magnetic-stripe cards.

Accepting card payments

Accepting cards with a chip

In the UK, cards are issued with a microchip (chip). However, cards issued outside the UK may have embedded chips but they may require different methods of cardholder verification, for example signature.

Chip and PIN is currently one of the most secure methods of card payment available. Your processing equipment must be chip enabled and you must accept transactions using chip and PIN technology where possible to avoid a higher risk of being liable for fraudulent transactions.

The card should be inserted into the chip card reader (see the ‘Verifying card payments’ section on page 11). If the processing equipment cannot read the chip, you are allowed one level of ‘fall-back’ and you may process the transaction by swiping the magnetic stripe through your device (see the section on accepting non-chip cards and using a non-chip-enabled terminal).

You need to make sure that you get authorisation at the time of processing the transaction. Authorisation confirms that the account has enough funds for the transaction and that the card has not been reported lost or stolen at the time of the transaction. It is not a guarantee of payment. If the genuine cardholder disputes the transaction, you may be liable for the resulting chargeback if you cannot provide a defence.

Accepting non-chip cards

Your processing equipment should have online access and read non-chip-enabled cards. If you are presented with a non-chip-enabled card, swipe the card through the processing equipment using the magnetic-stripe reader. You must get an online authorisation.

If the processing equipment cannot read the magnetic stripe (and the card does not have a chip), ask the customer for another form of payment. If they do not have another form of payment, you may process the transaction as a transaction ‘entered using the keys’. However, this will increase the risk of processing a fraudulent transaction and receiving a chargeback claim (see the section ‘Transactions entered using the keys’ on page 10 of this guide).
Accepting contactless payments

A contactless transaction is a transaction that is processed using near field communications (NFC) technology, where the payment instructions are shared securely between a contactless card or other item and processing equipment which has contactless technology enabled. The contactless reader can be a separate reader or part of your processing equipment.

A contactless transaction takes place when the cardholder places the card, item or device over a secure reader. They do not need to enter their PIN unless it is for a high-value payment (HVP).

You can identify a contactless card as it will display the following symbol:

There is a limit for an individual contactless-card transaction. You can find the current limit at: www.barclaycard.co.uk/simplepayment

On Barclaycard processing equipment you can also carry out a contactless refund up to the value of the current limit.

If the transaction cannot be completed using contactless technology, carry out a chip-and-PIN transaction. Or, if the card was issued outside the UK and does not have a chip, carry out a magnetic-stripe transaction.

Occasionally the processing equipment may tell you to change a contactless transaction to a chip-and-PIN transaction. This is a security measure aimed at making sure that the person with the card is authorised to use it.

Cardholder copies of receipts are optional. We have configured our processing equipment to only print a merchant receipt after a contactless transaction. For information on how to print a cardholder receipt, please see your Terminal Operating Guide.

Contactless payments using other technology and items (payment form factors)

Contactless technology can be embedded into other technology and items such as watches, wristbands, mobile phones and key fobs. For these types of transactions, the processing equipment will go online to check that funds are available. The processing equipment will not ask for a PIN as it does not need to check this. If the transaction fails, the cardholder should use either the associated card or another method of payment.

High-value payment (HVP)

We can configure point-of-sale devices to support HVP contactless transactions. HVP transactions are most likely to be made using a mobile phone to carry out the transaction and they need some method to confirm the cardholder is genuine, such as a PIN, to complete the transaction.

Transactions entered using the keys

If the card presented for payment has a magnetic stripe and fails to swipe through your processing equipment, you can enter the transaction into the device using the keys while the customer is with you. Please make sure you follow the procedure shown in the card chip-read/swipe failure section in this guide. Make sure that your processing equipment goes online to get authorisation for the transaction.

If a transaction fails to swipe, you should call for an authorisation on 0844 822 2000. If you are suspicious about the transaction, quote ‘code 10’ as an anti-fraud measure. If you have a record of an approved code-10 authorisation, this will protect you from chargebacks. See the ‘Voice authorisation’ section of this guide for more information.

Please remember

You cannot enter transactions using the keys for Maestro, Visa Electron, V Pay and unembossed cards. If chip and PIN or swipe (or both) fail for these types of card, you should ask the cardholder for another method of payment.

To prove you saw the card at the time of the transaction, take an imprint of the card using your manual imprinter. This will help you provide a defence if the card issuer raises a chargeback claim against you.

1. Fill in the voucher details in full and get the cardholder’s signature on the paper voucher.
2. Enter the card details into the electronic processing equipment using the keys.

You will automatically be credited for transactions entered using the keys on your processing equipment, so you do not need to send the paper voucher for processing. But make sure you keep the paper vouchers for 13 months along with the processing equipment receipts so you can produce them as proof that you saw the card when the transaction was carried out, in case you need to. If you cannot provide an imprinted voucher for these transactions at a later date, it could mean we will charge the transaction back to your business.

Verifying card payments

Verifying cardholders using chip and PIN

When a card with a chip is inserted into the chip card reader, the processing equipment will ask the cardholder to enter their PIN (personal identification number) to confirm the transaction. The processing equipment will ask for authorisation for all chip-and-PIN transactions.

If authorisation is declined, do not go ahead with the transaction as we will not be able to defend you if the transaction is charged back at a later date. Ask the customer for another method of payment. Do not swipe the card or enter the details using the keys on the device.

If your point of sale equipment is not able to read the chip, you should complete the transaction as a ‘magnetic stripe’ transaction and confirm it using the customer’s signature.

Verifying cardholders by signature

There may be instances where you cannot check the identity of the cardholder using their PIN and so you may need a signature to confirm their identity.

Authorisations

For card-present transactions, you must get an authorisation at the time of the transaction, either as a pre-authorisation for the expected value of a transaction (such as a hotel or car-hire bill) or as authorisation of the actual amount. For more information on how to complete a pre-authorisation, see your Terminal User Guide.

Authorisations are either done online through your processing equipment or you can phone for an authorisation on 0844 822 2000.

You do not need authorisation for offline devices if the transaction value is below the agreed floor limit. For transactions that are over the floor limit, the processing equipment will try to get online authorisation and may instruct you to get authorisation by phone.

Voice authorisation

When you process a card payment electronically, in most instances your processing equipment will automatically communicate with the card issuer for an authorisation. However, your processing equipment may instruct you to call our authorisation service or you may choose to call the authorisation service without having received an instruction.

A voice authorisation asks for confirmation that the cardholder has enough funds available on their account and checks the card has not been reported lost or stolen at the time of the transaction.

You may need to get a voice authorisation for one or more of the following reasons:

• If the sale is more than your floor limit
• If you are suspicious in any way about the card or cardholder (see ‘Code-10 calls for card-present transactions’ for details)
• If your processing equipment instructs you to
• If you have to use fall-back vouchers due to a fault with your processing equipment

A voice authorisation does not confirm the cardholder’s identity or guarantee payment.

If you need to change the amount of the transaction after the authorisation, cancel the original transaction and get a new authorisation for the new amount. This will make sure the correct amount is taken out of the cardholder’s account.

For more information on our voice authorisations, please see our website: http://www.barclaycard.co.uk/business/existing-customers/voice-authorisations

Code-10 calls for Card Present transactions

If you or your staff are in any way suspicious about a card, the person making the payment or the circumstances surrounding a transaction, you must call for an authorisation on 0800 161 5382. This may mean you can then defend any fraudulent transaction from being charged back to your business:

• You will be asked for your merchant number and then for the type of transaction
• If you are suspicious and cannot speak freely and want to avoid a confrontation, you will be given the option to say, ‘This is a code-10 call’ or press 9
• You will be asked for the card number, followed by the expiry date and the issue number (if this applies) and will be given options to choose from depending on the type of call you are making
• After this, you will be connected to an operator who will ask a series of questions which you should answer with a yes or no
• Remember to keep the card and the goods out of reach of the customer
• If you have any surveillance equipment, switch it on

If the operator asks you to keep the card, tell the customer politely.

Code 10 is only available for Card Present transactions where we may ask to speak to the cardholder. It is not available for transactions where the cardholder is not present, such as mail, telephone and e-commerce transactions. In card-not-present circumstances, we cannot guarantee that the person carrying out the transaction is the genuine cardholder.

Referrals for Card Present transactions

Occasionally, when processing transactions, the company which issued the card may ask for a referral and the processing equipment will instruct you to call for an authorisation.

A referral may happen when the card issuer asks us to contact them before releasing a decision. Our aim is to process the referral in a quick and efficient way to reduce the time spent processing the transaction. On most occasions we will ask you to put the cardholder on the phone. Simply follow our customer service advisor’s instructions, and once we have spoken to the person who has given you the card and the card issuer, we will give you a decision.

Split sales

Sometimes, a cardholder will ask to split the payment for something between several cards, or between a card and cash or a cheque. It is important that you follow the instructions below to make sure you understand when you can and when you cannot split a transaction as instructions vary depending on each possible scenario.

1. If several cardholders ask you to split a transaction amount into smaller amounts so that they all pay part of a bill, this is allowed. For example, in a group booking in a restaurant, each person will ask to pay either their own bill or part of the total bill. You are allowed to split the total bill between each cardholder. To prevent future disputes, always make sure each cardholder agrees the amount they will pay by making sure that you process separate transactions for each card. Each transaction must be verified by the cardholder’s PIN or signature as prompted by your processing equipment. Please make sure each cardholder receives a copy of the transaction receipt which applies to the agreed amount. This may or may not include a gratuity (tip) as agreed by the cardholder.

2. If one cardholder asks you to split a transaction amount across more than one card (possibly issued by different card issuers), you may go ahead as follows:

• Only go ahead with the transaction if you are not suspicious of the transaction or person with the card
• Make sure each card is issued in the same cardholder name (if the name appears on each card)
• Follow the normal card-acceptance procedures as shown in this guide

Split sales may usually take place when accepting large-value transactions where the cardholder may not have enough credit available on one card. The cardholder may ask to pay part of the total amount by cash or cheque. Make sure any cheque payment is also issued in the cardholder’s name.

We recommend you only allow a cardholder to split a transaction over more than one card if:

• The cardholder has their card with them in front of you (we strongly recommend you do not split a sale on several cards for any telephone, mail-order or e-commerce transaction as you cannot confirm that your customer is the genuine cardholder and so you may be at risk of chargeback claims if the transaction is fraudulent)
• Each transaction is authorised (no matter what floor limit you may operate)
• The cardholder clearly agrees to how much is charged to each card and is given transaction receipts

3. If authorisation is refused on a transaction, do not split the transaction into smaller amounts in an attempt to get authorisation as this may result in chargeback claims against you. If you try to split a sale, any transaction may be charged back. We will not be able to defend you from these chargebacks.

Exchanges

• You do not need to carry out any other procedure if a cardholder exchanges a purchase for goods of the same value
• If the value of the new purchase is less than that of the original, you will need to make a refund transaction for the difference of the cost. You should process refunds on the same card as the original sale. If the original card has been lost or stolen, the refund can be applied to the new account or card. For any other type of card closure (for example, the cardholder has closed their account), you must refund the card number used in the original transaction
• If the value of the new purchase is more than the original, carry out a sale for the difference in cost. You will need to get authorisation even if the amount is below your floor limit

Please remember, you cannot make refunds using cash or cheque.

Processing a fall-back paper voucher

If you are using Barclaycard processing equipment, we will give you a manual imprinter in case your processing equipment fails. Please make sure that your imprinter and paper vouchers are to hand and you get a telephone authorisation for each transaction.

You should only use the fall-back paper vouchers in exceptional circumstances, for example, if your processing equipment is out of use because:

• Your phone line is faulty
• The device itself is faulty

You cannot process Maestro, Visa Electron, VPay and unembossed cards using paper vouchers. You can only process these cards electronically.

Please remember authorisation from the card issuer is not a guarantee of payment nor does it confirm that the person who presents the card is the genuine cardholder. The card issuer can charge the card payment back to you even if it has been authorised and particularly if you did not follow the correct procedures.

If you rent Barclaycard processing equipment, you must report all faults to our Customer Services Department on 0800 161 5350.

1. Carry out all normal checks of the card. Please see the ‘Plastic card designs’ section of this guide on page 8.

2. Place the card face up on the imprinter.

3. Place the sales voucher, face up, over the card and operate the imprinter.

4. Remove the sales voucher and card from the imprinter.

5. Using a ballpoint pen write the following details clearly:

• The date
• The amount of each item
• The transaction total (you must not split a sale – split sales are at your own risk and could be charged back)
• Details of what was bought. Please do not just write ‘Goods’ as this is not acceptable

6. If the customer is using a purchasing card, they may need a customer reference number to be recorded in the relevant boxes on the sales voucher.

7. If you are selling fuel, use the ‘For Merchant Use Only’ boxes on the sales voucher to record the vehicle registration number.

8. Ask the cardholder to sign the sales voucher in the box shown. Hold the card and watch while the voucher is being signed.

9. Check that the signature on the sales voucher matches the signature on the back of the card.

10. Check that the spelling of the signature (if you can read it) matches that of the name embossed on the card and check that the card is in date. If a title is shown on the card, make sure it matches the sex of the person giving you the card.

11. Check the signature strip to make sure that no attempt has been made to disguise the original signature.

12. You must get voice authorisation by calling authorisations on 0800 161 5382. Ask for a ‘standard authorisation’.

13. If the transaction is authorised, you will be given an alphanumeric (a mix of numbers and letters) authorisation code by a voice-response service. Write the code in the appropriate box on the sales voucher. Tear off the cardholder copy of the sales voucher and hand it to the customer with their card and goods.

14. If the request is refused, no reason will be given and you should return the card to the customer unless the operator tells you otherwise – and ask for another form of payment.

15. If the transaction is referred to an operator, you should follow their instructions, including passing the phone to the cardholder if needed.

16. Once the procedure has been completed and all the necessary checks have been carried out, you must make sure that you have recorded the details of the transaction on all copies of the sales voucher. You should then tear off the cardholder copy of the voucher and hand it to the customer with their card and goods.

17. Key in the transaction when your processing equipment is working again. If you are using Barclaycard processing equipment, you should do this as a forced sale (at the READY prompt, press MENU and select Force Sale from the TRANSACTION MENU then follow the terminal instructions). This will prevent a second authorisation code being given or the transaction being refused. Take care when keying the card details in to make sure that they are correct. If at a later date, the transaction is charged back due to invalid details being put in, your company may have a chargeback taken.

18. If the transaction is accepted, store the sales voucher somewhere safe in case there is a dispute about it. Do not bank the voucher as the processing equipment will credit the amount into your bank account.

19. If when entering the transaction using the keys you receive a ‘Declined Authorisation’ message, fill in the sales voucher and send the sales voucher to us for processing. See the ‘Sales and refund vouchers’ section in this guide.

20. If you have not been able to key in any vouchers to your point-of-sale processing equipment, pay the vouchers into your bank account within two banking days (see the ‘Sales and refund vouchers’ section of this guide).

We may honour the transaction as long as you have authorisation where needed (in other words, at the time the transaction was carried out with the cardholder present, you followed all the procedures correctly and reported the fault to us, so that it shows on our log reports).

Remember, we will not accept altered vouchers. If you make a mistake when entering the details of a transaction, you must destroy the incorrect voucher and start again. Never pin, staple, fold or damage vouchers as this may cause processing problems.

If you are suspicious about the card, the person using it or the circumstances of the transaction, you must follow the Code 10 procedure.
(Illustrations: card imprinter; sales voucher)

Failure of the chip to read or swipe

The following information will help you and your company reduce losses through counterfeit fraud. Most of your card transactions will be chip-read or swiped through your electronic processing equipment with no problems. However, there may be times when your processing equipment cannot read the chip or magnetic stripe. You are allowed one level of fall-back, so if the device cannot read the chip, you can fall back to using the magnetic stripe. Or, for a non-chip card, if the device cannot read the magnetic stripe, you may need to manually enter the card number embossed on the front of the card using the processing equipment keys.

If you have chip-enabled processing equipment, you should find chip cards will not usually fail to read the chip. You may find that if you enter the details using the keys or swipe the magnetic stripe on a chip card the issuer may refuse the card. This is for increased security. If this is the case, follow the processing equipment prompts, which may mean you have to speak to our authorisation department. Please make sure you follow their instructions. Only give the card back to the customer if you are not asked to keep it.

When a card transaction is processed in this way, a number of very important security checks, usually carried out by the electronic processing equipment, are avoided. It is clear that some fraudsters are aware of this and are taking advantage of the opportunities. Under Visa and MasterCard Card Scheme Regulations, a card issuer has the right to ask to see an imprinted verification voucher signed by the cardholder. If you fail to provide this, the card issuer has the right to charge the transaction back to you.

To protect your business from losses and reduce the risk of chargebacks when a card fails to be read by your electronic processing equipment, you should do the following:

• Enter the card number, embossed on the front of the card, using the processing equipment keys and get authorisation
• As well as manually entering the card number into the processing equipment, imprint a sales voucher and fully fill in the verification voucher. (This must be signed by the customer and you should write the words ‘For verification only – this voucher is not for banking’ on the voucher.) Pass the customer copy to the customer along with the processing equipment receipt. If you need a supply of pre-printed verification vouchers, please call 0800 161 5363
• Please do not bank the verification (or sales) voucher as your processing equipment will still process the transaction in the usual way
• Banking the verification or sales voucher will cause the cardholder’s account to be debited twice. The voucher is simply your proof that the card was present at the point of sale. You can then use it to prove the transaction was valid if the customer then disputes it
• You should keep the merchant copy of the processing equipment receipt and the verification (or sales) voucher together in case of any future query. If you fail to provide copies and a card issuer does have a query, it could result in a chargeback and losses to your business. You need to fill in the verification voucher fully and include full details of the goods or services bought. Do not just write ‘Goods’. Make sure you write the authorisation code provided by the authorisation department

You can only process Maestro card transactions and Visa Electron and V Pay cards that are un-embossed electronically (by swiping the magnetic stripe or reading the chip). You cannot enter the details using the keys for printed cards as you will not be able to take an imprint of the card as proof of the card and cardholder being present at the time of the transaction. If a Maestro, Visa Electron or VPay card fails to chip-read or swipe through, you should ask your customer for another form of payment as there is no chargeback defence if the card fails to swipe.

Banking procedures and other services

Please make sure that you follow the end-of-day banking procedure (as shown in your Terminal Operating Guide) to make sure you receive payment for all transactions. It is essential that you send all transactions for payment within two working days of being accepted. If you send a transaction after two working days, the card issuer may reject the transaction, resulting in it being charged back. We will not be able to defend you from these chargebacks:

• If your processing equipment is not working, please make sure that you follow the procedure in ‘Transactions entered using the keys’ section of this guide on page 10, so you can receive the payment. To bank any voucher that cannot be processed by your processing equipment, please follow the procedures below
• Complete the three-part merchant voucher summary (MVS) before handing the bank copy of your sales and refund vouchers into any branch of Barclays Bank

Each batch of vouchers must be accompanied by part three (the white copy) of the completed MVS. No more than 20 vouchers should accompany each MVS.

Sales and refund vouchers

If your processing equipment is not working, please make sure you follow the procedure in ‘Transactions entered with the keys’ section of this guide on page 10.

These vouchers provide three copies of the sale or refund details, one for your own use, one for the bank to process and one for the cardholder.

• Merchant copy – the top copy of the completed sales or refund voucher is your record of the transaction
• Bank processing copy – the middle copy of the sales or refund voucher should be handed into your local branch of Barclays Bank. You should hand in vouchers on the day of the transaction and no more than two banking days afterwards
• Cardholder copy – the bottom copy must be given to the cardholder for his or her records or, in the case of a mail or phone order, it must be posted to the cardholder

Completing your merchant voucher summary (MVS)

• Write your merchant name and number (this is normally shown on the top line of your imprinter plate) clearly on the MVS, with the paying-in date
• List the value of each sales voucher and refund voucher on the back of the MVS in the boxes shown
• Write the total of each column in the boxes at the bottom
• Write the total number and value of both sales vouchers and refund vouchers on the front of the MVS
• If possible, vouchers should be deposited on the day of the transaction and no more than two banking days afterwards

If you have any questions about the credit to your bank account, you should call our Customer Services Department on 0800 161 5350.

Posting vouchers

If you are in a remote area and cannot get to a branch of Barclays Bank, you may post your vouchers to us for processing. You should send the MVS bank-processing copies of your sales and refund vouchers to:

Barclaycard Financial Exceptions, Dept FX, Barclaycard House, 1234 Pavilion Drive, Brackmills, Northampton NN4 7SG.

For a supply of our prepaid envelopes, call our Customer Services Department on 0800 161 5350.

Preventing and detecting fraudulent Card Present transactions

To prevent fraudulent transactions being charged back at a later date, you should have chip-and-PIN-enabled processing equipment and accept transactions by reading the chip.

You must make sure you get authorisation on any transaction where the card details are not captured using the chip (for example, when presented with a magnetic-stripe card transaction) to avoid the risk of loss due to card fraud.

1. If your processing equipment is chip-and-PIN-enabled you could be presented with a number of different scenarios, all of which you can accept:
   • Magnetic stripe and signature verification (for example, from an overseas customer where the country has yet to upgrade to chip-and-PIN technology)
   • Chip and signature verification (for example, from a disabled customer who cannot use PIN technology)
   • Chip-and-PIN verification
2. If your processing equipment has a contactless reader, you will also be able to accept contactless transactions with no verification (please see the section on contactless transactions on page 10).

If your customer cannot remember their PIN, ask for another method of payment.

In these instances, if your processing equipment is chip and PIN capable, and the transaction has been taken using the chip and PIN, you will be protected against possible counterfeit, lost and stolen cards, and intercepted card fraud.

Card-fraud statistics show there is increased fraud with non-PIN cards. Be aware of the security checks you should make to reduce this type of fraud:

• Keep hold of the card at all times
• Keep the goods out of reach of the customer
• Check the ‘valid from’ date. If the card is newly issued, be extra careful
• Watch out for hesitancy when the customer signs and make sure that the signature they give matches the signature on the card
• Be careful not to be distracted during a transaction. Fraudsters may try to hurry you, or draw your attention away from making card checks
• Check the name on the card and check that it matches the sex of the person giving you the card if this is possible to tell
• Be sure not to process transactions on behalf of anyone else. This would be breaking your merchant agreement and could lead to transactions being charged back to you

Returning wanted or recovered cards

If our authorisation operator asks you to destroy a card and return it to us, please follow the procedure described below. You should politely tell your customer what you have been asked to do.

1. To preserve fingerprints and other forensic evidence, handle the card as little as possible and only by the edges.
2. With the card facing you, cut off only the bottom left-hand corner.
3. Make sure the signature strip, magnetic stripe, chip and hologram are intact.
4. You will find a recovered-card form in your welcome pack.

You can get more recovered-card forms by calling our Customer Services Department on 0844 811 6666

• You must fill in the form in full and keep the cut-off slip of the filled-in form in your files
• You should send the top section of the form and both pieces of the card to: Recovered Card Services, Barclaycard, Department RC, Northampton NN4 7SG

If you are returning a Visa Electron card, please also enclose a copy of the processing equipment declined receipt.

Reward scheme

We may pay a £50 reward to your business for returning a wanted card. You can then decide whether to pass the reward payment on to the person who actually recovered the card.

If the police need to keep a wanted card or sales voucher for investigation (for example, if a stolen card is presented), you will need to keep certain details in case there is a question about it. Please make sure you have a copy of the sales voucher (a good photocopy will be acceptable), as well as:

• The card number
• The expiry date
• The name embossed on the card
• The date the card was recovered
• The crime reference number
• Details of the officer and police station dealing with the case

You can still claim a reward if the police take the card for evidence.

Other services

Dynamic currency conversion (DCC)

If your business takes payments from cards issued outside of the UK, your processing equipment may be configured for DCC. DCC offers Visa and MasterCard international cardholders the choice and convenience of paying for goods and services using their home currency.

Your international customers benefit from a clear and competitive exchange rate for credit and debit card purchases made abroad with this service. Once the cardholder uses their card abroad they will be presented with the option to pay using the currency of the card or the local currency. The transaction will stay in that currency throughout the entire transaction and settlement process. As such, both you and your customer know the exact amount of the purchase at the time you make the sale.

Accepting Card Not Present (CNP) transactions – e-commerce, mail and telephone order

It is important that you understand the risks associated with accepting Card Not Present transactions. There are increased risks of chargebacks for Card Not Present transactions because the customer and card are not present at the time of transaction and so cannot always be verified.

Authorising Card Not Present transactions

Card Not Present transactions must get an authorisation at the time of the transaction, either as a pre-authorisation for the expected value of a transaction (such as a hotel or car-hire bill) or as authorisation of the actual amount.

When processing Card Not Present orders you must make sure you get:

• The card number
• The card expiry date
• The gross amount (in other words, including postage, packaging and VAT) of the transaction
• The customer reference number, if quoted – for a Visa transaction only
• The card security code (CSC), otherwise known as card verification value (CVV or CVV2), card verification value code (CVVC), card verification code (CVC or CVC2), verification code (V-code or V code), card code verification (CCV), or signature panel code (SPC)

If you would like to accept e-commerce Maestro transactions, you must be enrolled with MasterCard SecureCode.

When processing Card Not Present orders you should also get:

• The cardholder’s full name and address, as held by their card issuer, including the postcode and phone number
• The cardholder’s signature, for mail order
• The delivery address and name of the person receiving the goods if different from that of the cardholder

Please remember an authorisation does not guarantee payment. It only confirms that there are enough funds available in the account and that the card has not been reported as lost or stolen at the time of the transaction. We cannot guarantee that the person presenting the card details is the genuine cardholder and so you may be at risk of chargebacks following fraudulent transactions.

You should not:

• Release goods to anyone claiming to have been sent by the cardholder (for example, a taxi driver) to collect the goods
• Allow a cardholder to pick up goods paid for with a Card Not Present transaction. If a cardholder pays using an e-commerce or MOTO transaction and collects the goods later, you should cancel the Card Not Present transaction and carry out a new Card Present transaction. Make sure you also carry out the full Card Present procedures

Shipping goods and providing services

Visa transactions must get an authorisation on any day up to seven calendar days before the transaction date (the date the goods are shipped or services are provided). This authorisation is valid if the transaction amount is within 15% of the authorised amount, as long as the extra amount represents shipping costs.

You must get authorisation for MasterCard transactions on the day the cardholder contacts you to place an order. When the goods or services are ready to be delivered, you should then process the transaction. This should not be for more than the original authorisation amount. MasterCard consider the date you ship the goods or provide the service as the transaction date. If you are shipping goods more than seven days after the original authorisation request, we recommend you get a second authorisation. When presenting the transaction for processing, please quote the original authorisation code, but keep the second one in case there is a dispute about the transaction.

Recurring transactions

A recurring transaction is one where the cardholder grants permission, in writing or electronically, to a merchant to periodically bill their account for goods or services delivered over a period of time. There cannot be more than 365 days between transactions. For example, merchants who may benefit from recurring transactions are vehicle breakdown services, insurance providers, and those issuing memberships and subscriptions.

Issuers may refuse a recurring transaction taken on a Visa card if the expiry date is missing, not valid, or has expired. You must provide the correct card expiry date for each recurring transaction.

If the cardholder wants to cancel a recurring transaction, they may either contact you or they may contact their card issuer direct. If the cardholder cancels the recurring payment through their issuer, you may not know until the next payment fails.

Recurring transactions must not be carried out using a Maestro card.

Transaction receipts

You must give your customers a transaction receipt as part of an order confirmation notice at the time of the purchase. The receipt must include:

• Your company name, address and phone number for customer contacts
• Your website address
• The total cost of the purchase, and the currency it is made in
• A unique transaction reference number
• The transaction date and type (for example, whether it is a sale or refund)
• The name of the purchaser
• The authorisation code
• A complete description of all goods and services bought
• Clear information on your Terms and Conditions, cancellation, return and refund policy (if restricted)
• The exact date any free trial period ends, if offered
• An instruction to print or keep the receipt for future reference

The receipt must only include the last four digits and not the full card number. For MasterCard transactions, the expiry date must not be quoted:

• Keep a record of the cardholder’s name and address in case of any questions in the future
• It is your responsibility to check the card when the goods are delivered. You should make sure that the card number and the expiry date quoted agree with the card presented
• It is also your responsibility to get a signature and make sure the signature on the card matches the one from your customer
• If an order is to be collected, you must cancel the original transaction and start a new one as a Card Present transaction. See the ‘Card Not Present procedures and chargebacks’ section of this guide

Accepting payments over the internet (e-commerce)

You can accept payments over the internet using a Barclaycard payment gateway which can be integrated in your website. Or, you can use your own software or another payment service provider (PSP).

Website information

You are responsible for designing your own web page but you must make sure you display:

• Your company name, registered office address, phone number and email address
• Your company registration number and VAT number
• A complete description and price of all goods and services, clearly stated, including all extra costs such as taxes and delivery costs
• Clear information on your company’s refund and cancellation policies
• A statement to describe the type of transaction security that you provide
• A privacy statement
• Your transaction currency
• The merchant outlet country at the time of presenting payment options to the cardholder
• The scheme logos of the type of cards you accept
• Your delivery policy
• Any export restrictions

Please remember that you must give the customer a transaction receipt.

Using our payment gateway for accepting payments

Our e-commerce service provides quick and secure transaction processing to authorise and settle card payments. It allows you to accept and process card transactions from your website 24 hours a day, 365 days a year. Your customers simply browse your website, choose the goods or services, and enter their card details as directed.

Hosted Payment Pages (HPPs) are simple solutions for accepting card payments over the internet, and they keep to the Payment Card Industry Data Security Standard (PCI DSS). We host your payment page for you so you don’t see any sensitive card data; keeping you safe and secure.

If you prefer, you can control the whole process and host your own payment pages. To do this you can integrate with our Application Programme Interface (API), which allows you to take full responsibility for collecting cardholder details and communicate directly with our gateway. (We will give you a guide on how to do this.)

If you choose not to use a Barclays-owned submission product, you must correctly flag every transaction by using the correct level of APACS software. You must maintain the level of software in line with APACS standards. If you fail to keep to this condition, you will be liable for any fines or penalties from the card schemes, which may result from not keeping to the conditions.

Accepting payments over the internet using your own software

You can use your own equipment or software to accept payments over the internet. You are responsible for making sure that we can approve the equipment or software and that it keeps to the necessary card-scheme rules.

The application must be PA DSS (Payment Application Data Security Standard) compliant where necessary, and the business must be compliant with the PCI DSS.

Using an accredited payment service provider (PSP) to accept e-commerce payments

We can accept your internet card payments via a recognised PSP. However, you must make sure that the PSP meets the minimum security measures shown in this procedure guide and that they can offer the communication links needed. It is important to stress that you have the responsibility for keeping to the internet merchant procedures within this procedure guide for us to accept internet card-payment transactions as we will not enter into any contract with the PSP on your behalf.

You must make sure the PSP keeps to the Payment Card Industry Data Security Standard (PCI DSS), which is a requirement introduced by the major card schemes to help you reduce, as far as possible, the possibility of suffering from a security breach. Please see the section on ‘PCI DSS’ in this guide for more details.

If your chosen PSP offers fraud screening, we would recommend that you use their fraud-management service.

The services that your chosen PSP offers and the charges that they apply are part of the agreement between you and your chosen PSP, which is separate from your agreement with us.

You must make sure the PSP keeps to the Payment Card Industry Data Security Standards (PCI DSS).
22 Requirements for merchants not using the Hosted Payment Page (HPP) Preventing and detecting fraudulent Card Not Present transactions If most of the transactions you are accepting are mail, telephone or internet transactions, you must use an appropriate e-commerce or MOTO solution. You cannot accept e-commerce transactions using your face-toface chip-and-PIN processing equipment. Security of card data Any merchant accepting e-commerce payments, whether using our payment gateway, an alternative, or their own software, must have minimum security measures before processing card transactions from an internet site. Your payment security responsibilities increase if you use other methods than a Hosted Payment Page (HPP). For more information on these requirements, please see the ‘PCI DSS’ section of this guide. You need to take extra care when taking transactions over the internet, over the phone or by mail order. You need to consider the risks before accepting a Card Not Present payment: • A Card Not Present transaction means that a cardholder and the card are not present with you at the time of the transaction. These are not like a normal face-to-face situation where you can check that the card is genuine and that the ‘customer’ is not just using a stolen card number. In these situations, the genuine cardholder may not be aware that their card number has been compromised, for example, a fraudster has taken the card details from a customer’s discarded receipt Accepting Mail Order and Telephone Order (MOTO) payments Maestro cards cannot be accepted for mail or telephone orders except when the merchant and card issuers are from the same country in the UK, Ireland or France. • e -commerce transactions can be authenticated by the cardholder to prove they are a genuine customer, when you use internet authentication (in other words, Verified by Visa or MasterCard or Maestro SecureCode) – this is the same as entering the PIN at a physical point of sale. 
If you cannot prove that the cardholder is genuine, you cannot guarantee that the card information provided relates to the genuine cardholder Taking telephone orders • P lease keep a record of the cardholder’s name and address in case of questions in the future • It is your responsibility to check the card upon collection or delivery. You should make sure that the card number and the expiry date quoted agree with the card presented • It is also your responsibility to get a signature and make sure the signature on the card matches the one from your customer • N ever release goods to anyone else (this includes taxi drivers or delivery firms hired by the customer). Always make sure that goods are sent to the person named on the card • If an order is to be collected, you must cancel the original Card Not Present transaction and start a new one as a Card Present transaction. See the ‘Card Not Present procedures’ and ‘Chargebacks’ section of this guide on pages 19 and 26 • If a cardholder comes to collect the goods in person, cancel the Card Not Present payment and process it as a Card Present transaction • If you key in a transaction following a telephone order, you will not be able to guarantee that the customer is the genuine cardholder and so you may be at risk of a chargeback if the transaction is confirmed as fraud Authorisation only confirms that the issuer of the card agrees there are enough funds to pay for the goods and to confirm the card has not been reported lost or stolen at the time of the transaction. An authorisation does not guarantee payment. Please remember, you must still give a customer a transaction receipt. We recommend that the cardholder copy must display only the last four digits of the card number. For MasterCard transactions do not quote the expiry date. Questions you need to ask yourself before accepting the transactions: • Are the goods high value or easily resold? 
• Is the transaction out of character compared to your usual orders or is the customer ordering many different items and do they seem unlike your usual customer? Please remember, an authorisation does not guarantee payment. It only confirms that there are enough funds in the account and that the card has not been reported as lost or stolen at the time of the transaction. • D oes the address provided seem suspicious or has the delivery address been used before with different customer details? 23 Fraud-screening • Is the customer being prompted by someone else while on the phone? Using rule-based tools can help to check the validity of transactions. A system which allows you to cross-check the name, address, phone numbers, card details, email address and IP address with past and daily records could help you to reduce the risk to your business. • Is the customer trying to use more than one card in order to split the value of the sale? • D oes the customer seem to lack knowledge of their account? Are they providing details of someone else’s card (for example, that of a client or family member)? Constantly cross-checking this type of information will identify any duplication of information which may show that a fraudster is attempting to use similar details elsewhere. For example they may quote different card numbers but use the same name or address or may quote entirely different details but still be seen to come from the same IP address. • Does the customer seem to have a problem remembering their home address or phone number or do they sound as if they are referring to notes? Tools for monitoring fraud You should reject any suspicious instance of duplication (also known as velocity checking) and check further before accepting the order or request. You should use security checks, as recommended by the card schemes, as they can help you identify possible fraudulent transactions. 
However, they do not prevent fraud or shift the legal responsibility for fraudulent transactions, which may result in chargeback claims. Barclaycard’s payment gateway offers extra fraudscreening tools such as those mentioned above. There are also a number of other providers who can offer help with checking the authenticity of customer information. If you would like more information on these providers, please contact our Customer Services Department on 0844 811 6666. Card Security Code (CSC) and Address Verification Service (CSC/AVS) There are services that can help reduce Card Not Present fraud by asking for a small amount of extra information from the cardholder: Further advice for internet transactions • The Card Security Code, which is a condition of the card schemes (the last three numbers on the signature strip on the card or the three digits in a white box next to the signature panel). You must not store the Card Security Code after the transaction has been authorised To add to existing velocity checks: • Check for sequential card numbers • Review orders made using cards not issued in the UK • R eview orders where the IP address does not match the delivery address (country) • A ddress Verification Service (AVS); a) T he first five numbers of the cardholder’s full statement address • Review orders going to and coming from the same customer – name, address and card number b) The numbers in the cardholder’s postcode • R eview or refuse all or new orders going to a different delivery address other than the registered card address Internet authentication (3-D Secure) • Review or refuse duplicate purchases Internet authentication (Verified by Visa, Mastercard SecureCode) uses 3 D-Secure protocol to authenticate card users as they need to have a password log-on. The cardholder registers for the authentication service with a password they choose, which guarantees that the user is authentic. 
Please see the internet authentication section of this guide for more details.

MasterCard SecureCode must be supported for all Maestro transactions.

• Review or refuse the order if the postcode does not match
• Refuse the order if the CSC does not match
• Refuse new orders with an invalid card expiry date

Use the ‘chargeback data’ you receive to:
• Highlight possible problem names, addresses and IP addresses
• Always make sure that you respond promptly to ‘request for information letters’ as you may be able to prevent the chargeback
• Use internet authentication (3-D Secure) and CSC/AVS for added security

You can find more information on our website to help with your staff’s awareness of fraud: www.barclaycard.co.uk/paymentacceptance

Refunds

The Distance Selling Regulations (DSRs) and e-commerce Regulations (ECRs) apply if you sell products or services to customers without face-to-face contact (for example, e-commerce and MOTO transactions) and where the customer has not had an opportunity to examine the goods before buying or discuss the service in person.

The aim of the DSRs and ECRs is to make sure there is a minimum level of consumer protection across the European Union (EU) although other EU countries may put the regulations into practice differently.

Keeping to the DSRs and ECRs is a legal requirement and the courts can take action against you if you break the DSRs and ECRs. You should include these regulations in your e-commerce or MOTO returns policy – to find out more about the DSRs and ECRs, please visit: http://dshub.tradingstandards.gov.uk.

If you want to perform a refund for an e-commerce or MOTO transaction, you must make sure that the refund is processed to the card used in the original sale and does not go over the original sale amount. If the card or account used in the original transaction is closed, another card or account can be used. If the customer has no other card, you should credit the refund to the customer’s bank account in line with your own procedure. You cannot make refunds to the cardholder’s account to credit winnings from gaming.

Other services

Dynamic currency conversion for e-commerce transactions

If your business takes payments from cards issued outside of the UK, your processing equipment may be configured for DCC. DCC offers Visa and MasterCard international cardholders the choice and convenience of paying for goods and services using their home currency.

Your international customers benefit from a clear and competitive exchange rate for credit and debit card purchases made abroad with this service. Once the cardholder uses their card abroad they will be presented with the option to pay using the currency of the card or the local currency. The transaction will stay in that currency throughout the entire transaction and settlement process. As such, both you and your customer know the exact amount of the purchase at the time you make the sale.

Each time you submit an authorisation request to us or our authorised representative, you will use the correct conversion rate that applies on such date. If you are entitled to submit to us or our authorised representative more than one authorisation request for the same transaction, you will use the correct conversion rate that applies on the date that you submit the final authorisation request to us or our authorised representative, regardless of any other conversion rate(s) previously applied by you and communicated to your customer in respect of the same transaction. You will be solely responsible for any indicative conversion rate(s) that you may have provided to your customers.

Chargebacks and retrieval requests

A chargeback usually takes place when a cardholder disputes a transaction shown on their statement or you process a transaction outside the terms of your merchant agreement.
Chargebacks result when a transaction is treated as invalid – for example, if a cardholder questions a transaction shown on their statement and the card issuer, after investigation, agrees to refund the amount. Chargebacks also happen for technical issues such as duplications and no authorisation.

If you take a Card Present transaction and your processing equipment is not chip-and-PIN-enabled, you will be legally responsible for any fraudulent transactions and these will be charged back to you.

All Barclaycard contactless processing equipment is chip-and-PIN-enabled.

You may also receive a chargeback if you have not followed any of the terms of the agreement between you and us, including any of the instructions in this procedure guide.

The most common reasons for chargebacks are:
• The cardholder does not recognise the transaction (for example, they claim their card details have been used fraudulently)
• The transaction has been processed outside of your merchant agreement (for example, you did not get authorisation when needed)
• A fraudulent mail, telephone or e-commerce transaction (please see the ‘Preventing and detecting fraudulent card-not-present transactions’ section of this guide on page 23 for more information and guidance on how to avoid these types of chargebacks)
• You did not respond in time to a request for a copy of a transaction (retrieval request)
• The card was not valid when the transaction was made, in other words, the transaction was made before the ‘valid from’ date or after the ‘expiry date’
• The amount of the sale is more than your floor limit and you did not ask for authorisation, for whatever reason
• The signature on the processing equipment receipt or sales voucher does not match the signature shown on the card itself
• A transaction was taken on a card that should only be used in an automated teller machine (cash machine)
• You accepted a card that should have been verified by the PIN after the chip was inserted but you do not have processing equipment that can carry out these checks
• Two or more card transactions have been completed for one sale over the floor limit (split sale) and you did not get authorisation
• The goods or services provided were faulty, not as described, or not received
• A transaction was processed on behalf of someone else who could not process the transaction themselves. This is called laundering and breaks your merchant agreement

We have a dedicated Chargeback Education Team who can give you advice on the steps you can take to reduce the risk of transactions being charged back. If you want to receive free advice, please contact our dedicated team on 0844 755 0094 or email: [email protected] barclaycard.co.uk

What is a retrieval request?

A retrieval request or request for information (RFI) is when a cardholder asks for a copy of the transaction details. This is usually because they do not recognise a transaction on their statement or need more details for their records (for example, an expenses claim or tax return).

Another reason cardholders ask for a copy of the transaction receipt is because the description shown on their statement does not match the name of your company. So, if you seem to be getting a lot of retrievals, check what is being shown on the cardholder statements. You can change the description by contacting our Customer Services Department on 0844 811 6666.

It is a requirement of Visa and MasterCard that if you are mainly carrying out mail or telephone orders, you should include a contact number rather than location within the description. For instance, ‘The E Shop, London’, should be shown as ‘The E Shop, 01207 123 4568’. This encourages people simply to call you to identify their transaction, rather than disputing this with their card issuer. Likewise, if you are carrying out e-commerce transactions, you must display your internet website address or email address on cardholders’ statements so that customers can contact you.

As you are simply providing information, there is no loss to your business. However, if you don’t supply a clear and legible copy of the transaction within the time requested (usually 14 days), the card issuer may charge the transaction back to us. We will then pass the cost on to you in the form of a chargeback.

If a transaction is charged back, it will become a loss to your business.

To help reduce the risk of chargebacks

Chargebacks can cause you hassle and cost your business time and money. Following the correct procedures in this guide will help you avoid chargebacks, so you can gain the full sales benefits of accepting payments by card.

• Use chip-and-PIN-enabled processing equipment to help protect your business against fraud. Using chip and PIN helps to check that a card is genuine and that the person using it is the true owner. The chip makes it difficult to counterfeit or copy the card, while the PIN makes it harder for a criminal to use a lost or stolen card. And because, instead of signing, the customer authorises the transaction by keying in a 4-digit PIN only they know, the risk from forgery is reduced.
For contactless transactions, as long as you process transactions in line with card-scheme regulations and follow the procedures laid out in this guide, we will offer you the same level of protection
• Make sure that all transactions are correctly processed according to the type of card
• Make sure you only accept cards which you have an agreement to process, as some cards perform several functions
• Do not accept mail, telephone or e-commerce transactions unless you are aware of the possible risks surrounding this type of transaction. If you see an increase in this type of transaction, please let us know so that we can make sure you have the correct agreement in place
• Follow your instincts – if something about a card or the person using it or the transaction itself does not seem genuine, make a code-10 call to our authorisation department. Please remember that authorisation is not a guarantee of payment and code-10 calls are only for Card Present transactions
• Keep copies of all transaction records. To settle any dispute, you may be asked to provide evidence of a transaction. If you fail to do this, we may make a chargeback to your business. You must keep all receipts for at least six months, and keep copies of transactions for another seven months
• Remember to display a limited returns policy on your receipts and at the point of sale, to avoid disputes which could lead to a chargeback

Responding to retrieval requests and chargeback letters

• Please make sure we receive a reply by the date quoted, by fax, by post, or whatever other method we have explicitly agreed with you, as not responding within these timescales will usually result in a chargeback
• Please remember to send all relevant documents that support the transaction, in other words, Terms and Conditions and details of authorisation codes, dates and times, where appropriate
• Remember, transaction copies and all details provided need to be clear, because chargebacks can also take place when transaction copies cannot be read clearly
• Please ask for details of our Faxlink service, which provides a quick and simple way of dealing with retrieval and chargeback letters via a fax machine (see Faxlink service section below).
• If you are already registered and using the Faxlink service, we provide templates you can use. To ask for a copy of the template relevant to your business, please contact 0844 755 0094

Faxlink service

This service lets you send and receive all chargeback and retrieval information by fax, avoiding postal delays and speeding up the process. There are no extra charges for using this service.

Timescales for chargebacks

Most disputes are raised because the genuine cardholder disputes the transaction on their statement. As cardholders are only sent card statements once a month, it can be up to one month before a cardholder will receive their statement and so dispute the transaction with their card issuer (for example, MBNA, Capital One, NatWest, Barclaycard and so on).

In cases where the cardholder claims neither to have carried out or authorised a transaction, the card issuer will ask the cardholder to complete and sign a ‘disclaimer’. This is a legal document where the cardholder declares they did not carry out the transaction. The cardholder can also dispute the transaction by email.

The card issuer does not tell us about the dispute until they have received all the documents they need from the cardholder. The card schemes have strict time limits in which card issuers must let us know about any dispute along with rules for what documents must be provided. We will automatically protect you from a dispute if the correct documents are not supplied by the card issuing company or if the correct time limits are not kept to. As soon as we receive notice of the disputed transaction, we will let you know. The maximum time allowed is 120 days from the processing date of the transaction to dispute the transaction. For transactions relating to delayed travel (for example, holidays), we work out the time limit from the date of travel and not the date of the transaction.

We will give you notice of the chargebacks either by letter, or by fax if you have signed up to our Faxlink service or by whatever other method we have explicitly agreed with you.

For disputes where it is likely that you will have extra information that may allow us to defend the dispute, you will have 14 days after receiving the notice to supply the information.

For disputes where it is unlikely you will be able to defend the dispute, for example, if you did not get authorisation, we may take the amount from your account at this time.

If you disagree with the dispute, it is important that you give us your reasons in writing within 14 days. If you fail to respond within the 14 days, or your reply is unclear or we cannot read it, we may not be able to defend you from the chargeback.

Our Chargeback Portfolio Managers can provide tailored advice as to when you should be replying and with what. They can also provide general advice on all matters relating to chargebacks. For advice for your own business, please call us on 0844 755 0094 (9am to 5pm, Monday to Friday. We are closed on bank holidays). Or email us at chargebackteamportfolio. [email protected] and we will get back to you within 48 hours. Please provide your contact details and Barclaycard merchant number (you can find these on your statement).

Payment security

As a member of the card schemes we need you to keep to the Payment Card Industry Data Security Standard (PCI DSS). This section sets out the responsibilities you must keep to.

What information must not be stored at any time?
You must not store:
• The contents of the magnetic stripe, also known as Track 2 Data
• The card verification value or CVV contained in the magnetic stripe
• The card verification value contained in the magnetic stripe image in a chip known as the iCVV
• The card security code, also known as CVV2, printed on the back of the card in or next to the signature panel
• The PIN verification value or PVV, which is contained in the magnetic stripe

What is PCI DSS?

This is an auditable set of controls designed to make sure that certain card information is stored securely by your company and anyone else who stores, transmits or processes the payment cardholder information on your behalf.

What information must be securely stored?

Any information that is necessary to process card transactions correctly, including any information which is recorded electronically or otherwise on any payment card and includes the following:
• Any information that is used to authenticate a card payment, including the card number, expiry date, issue number, passwords, pass phrases and any other unique information supplied as part of the card payment
• Any information that could identify individual cardholders and their purchases. This includes name, address, description of the purchase, amount and other details of the card payment

We will call this cardholder data in the rest of this section.

What you must do to keep to PCI DSS

PCI DSS sets out a number of requirements which you must keep to make sure that cardholder data is securely stored. You must:
1. Install and maintain a firewall to protect cardholder data.
2. Not use vendor-supplied defaults for passwords or other security measures.
3. Protect stored cardholder data.
4. Encrypt the transmissions of cardholder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data to only those who need to know.
8. Give each person with computer access their own ID.
9. Restrict people’s access to network resources and cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that deals with information security.

In keeping to the requirements set out above, you must meet the standard shown in the PCI Standard Security Council (PCI SSC) and set by the card schemes. The current standards that you must keep to in meeting the above requirements are set out in ‘The Payment Card Industry (PCI) Data Security Standard’ (DSS). This is available for download from the PCI Security Standards Council website at: www.pcisecuritystandards.org

For more information and useful tools to help you keep to the standard, please see our PCI DSS website at: www.barclaycard.co.uk/pcidss

Demonstrating that you are keeping to the PCI DSS

We need you to show that you are keeping to PCI DSS. How you do this will depend on the type and volume of card transactions that we process on your behalf. The responsibilities you must keep to depend on your merchant level which we will decide on using our records. If your business is not keeping to the PCI DSS, you may be legally responsible for paying charges and penalties. Plus, you may have to pay other card-scheme penalties and costs.

You will need to get validation that you are keeping to PCI DSS every year and you may need to pass vulnerability scans every three months to keep to the standards. The action you need to take will depend on your merchant level as follows.
Level 1
Definition: If you process over 6 million Visa or MasterCard transactions a year (see note 1 below)
Actions needed to keep to the standards:
• The way you report that you are keeping to PCI DSS will be managed by the Barclaycard Payment Security team
• Yearly on-site security assessment by PCI SSC-accredited qualified security assessor
• A network scan every three months (if in e-commerce)
• Yearly penetration testing
• Security policies put into practice

Level 2
Definition: If you process 1 to 6 million Visa or MasterCard transactions a year
Actions needed to keep to the standards:
• The way you report that you are keeping to PCI DSS will be managed by the Barclaycard Payment Security team
• Yearly self assessment questionnaire by a PCI SSC-accredited internal security assessor or a yearly on-site security assessment by PCI SSC-accredited qualified security assessor (see note 2 below)
• A network scan every three months (if in e-commerce)
• Yearly penetration testing
• Security policies put into practice

Level 3
Definition: If you process 20,000 to 1 million VISA or MasterCard e-commerce transactions a year

Level 4
Definition: If you only process e-commerce and process fewer than 20,000 VISA or MasterCard transactions a year. If you do not process e-commerce transactions and process up to 1 million VISA or MasterCard transactions a year

Actions needed to keep to the standards (levels 3 and 4):
• The way you report that you are keeping to PCI DSS will be managed by Barclaycard’s Data Security Manager (DSM) service
• We will send details of the DSM to new customers no earlier than four months from setting up the account, including details of a possible monthly charge for the DSM service
• Complete the online profile and follow-up steps to complete your self-assessment and compliance validation each year. Or, in the DSM profile, upload a self-assessment questionnaire (SAQ) and confirmation that has been validated by a qualified security assessor (QSA) each year
• If, as part of your validation, you have to run vulnerability scans every three months, they must be carried out by an approved scan vendor (ASV). This can be done using the Barclaycard DSM service. Or if you prefer, you can use an ASV listed with the PCI security standards organisation (see below for details). If you use another ASV, every three months you must upload to the portal the technical report demonstrating a pass status

1. If you operate in more than one country or region and meet level-one criteria in any Visa country or region, we will consider that you are a global level-one merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not collected across borders. In these cases, we will validate you according to regional levels.
2. If you are a level-two merchant choosing to complete a yearly self-assessment questionnaire (SAQ), you must make sure that all staff involved in the self-assessment go on a PCI Security Standard Council (PCI SSC) merchant training programme and pass any associated accreditation programme each year to continue the option of self-assessment.

Further action you may need to take

From time to time we may audit your type and volume of card transactions. As a result of the audit, or if we are instructed to do so by a card scheme, we will let you know which merchant level you are for the purposes of PCI DSS and you agree that you will keep to the responsibilities of that level of merchant as described in the table.

As a result of considering any report that you must send to prove you are keeping to the PCI DSS (as set out above), we may:
• Tell you that you are a different merchant level (for example, a level-one merchant rather than a level-two merchant) and you agree that you will keep to the responsibilities of that merchant level
• Tell you to take extra security measures to make sure you keep to PCI DSS within an agreed period of time

We are not unique in making sure our merchants keep to the PCI DSS. All card acquirers have the same responsibility to the card schemes (for example, Visa and MasterCard).

Data compromises

If any unauthorised person has access to any cardholder data, or cardholder data is lost, stolen or revealed (we call this a data compromise), or you suspect that either has happened, you must tell us as soon as reasonably possible.

Card-scheme-approved qualified security assessor

The specialist organisations which are qualified to carry out on-site audits to check you are keeping to PCI DSS are those the card schemes will tell you about from time to time. You can find details of the current card-scheme-approved specialist organisations at: www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

Approved scan vendors

The specialist organisations which are qualified to carry out network vulnerability scans are those the card schemes will tell you about from time to time. You can find details of the current card-scheme-approved specialist organisations at: www.pcisecuritystandards.org/pdfs/asv_report.html

The results of a data compromise

If we are told that you have suffered any data compromise or suspected data compromise (whether you tell us or any card scheme), you will have to tell an industry approved forensics investigator (QFI) to carry out a forensic investigation at your company about the data compromise. The QFI will review the whole end-to-end process of handling cardholder data and will give you a report on their findings, and set out recommendations for action for you to take as a result.

If you suffer a data compromise, you will have to pay the costs of the QFI as a result of any data compromise.

If you suffer a data compromise, we may tell you that we have reclassified you as a level-one merchant and that you must keep to the obligations of that merchant level.

You can find a list of QFIs at: http://www.visaeurope.com/receiving-payments/security/downloads-and-resources

If customer data which you or someone else has handled is proven to have been compromised, stolen, used fraudulently and so on and your business is not keeping to PCI DSS, you may have to pay fines to the card scheme and cover losses to the card issuer. The card schemes may decide to fine you as well for not keeping to the standards and not storing sensitive authentication data.

Other organisations that store, transmit or process your cardholder data

The PCI DSS standards apply to all merchants and the linked organisations that store, process or transmit cardholder data. The standard applies equally to manual processing and storing cardholder information (for example, processing equipment and imprinters) as well as to electronic methods of storage (for example, EPOS, PC).

Keeping to the standards applies to your whole set-up. You can only be treated as keeping to the standards if any organisations you use also keep to the standards. You must check this every year:
• Any organisations you use that store, process or transmit payment cardholder data on your behalf must also be registered on the Visa website at: http://www.visamerchantagentslist.com

These organisations include, but are not limited to:
• Till vendors
• Resellers
• EPOS vendors
• Software application providers
• Payment service providers
• Payment processing bureaus
• Data storage providers
• Web-hosting providers
• Shopping-cart providers
• Software vendors

You must tell us about any organisation you use that stores, processes or transmits cardholder data.
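A check for the items listed earlier under ‘What information must not be stored at any time?’, run over application log lines; this is an added example, not part of the Barclaycard guide. The Track 2 layout is the standard magnetic-stripe format (ISO/IEC 7813); the key names for the card security code and the log lines are assumptions constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', card number, '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK2 = re.compile(r";?(\d{12,19})=(\d{4})(\d{3})(\d*)\??")

# Assumed key names an application might use for the card security code.
CSC_FIELD = re.compile(r"\b(cvv2?|cvc2?|csc)\b(\W{1,4})(\d{3,4})\b",
                       re.IGNORECASE)


def luhn_valid(number):
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def scan_line(line):
    """Return the kinds of prohibited data found in one line."""
    findings = []
    if any(luhn_valid(m.group(1)) for m in TRACK2.finditer(line)):
        findings.append("track2")
    if CSC_FIELD.search(line):
        findings.append("card_security_code")
    return findings


def scan_log(lines):
    """Return {line_number: findings} for every line that needs attention."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = scan_line(line)
        if findings:
            report[number] = findings
    return report


def redact_line(line):
    """Remove Track 2 data and security codes before a line is kept."""
    def drop_track2(match):
        if luhn_valid(match.group(1)):
            return "[TRACK2 REMOVED]"
        return match.group(0)   # not a card number, leave untouched

    line = TRACK2.sub(drop_track2, line)
    return CSC_FIELD.sub(lambda m: m.group(1) + m.group(2) + "[REMOVED]", line)


# Constructed log lines; the card number is a made-up test value.
SAMPLE_LOG = [
    "2015-01-05 10:00:01 INFO auth ok order=1001 amount=45.48 auth_code=012345",
    "2015-01-05 10:00:02 DEBUG swipe raw=;4111111111111111=17122011234567890?",
    '2015-01-05 10:00:03 DEBUG request {"order": 1002, "cvv2": "123"}',
    "2015-01-05 10:00:04 INFO batch ref 123456789012=20150101 settled",
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG).items():
        print(number, findings, "->", redact_line(SAMPLE_LOG[number - 1]))
```

The fourth sample line has the same shape as Track 2 data but fails the Luhn check, so it is neither reported nor altered.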
If you fail to keep to PCI DSS

If you fail to keep to PCI DSS or any of the responsibilities as set out in the operating instructions and procedure guide, you will be breaking your agreement with us and:
• We have the right to recover any penalties, fees or fines imposed by any card scheme in line with our agreement with you (of which these operating instructions and procedures guide forms part)
• We will consider this to be significantly breaking your agreement and we may use any rights we have available to us in line with our agreement with you
• We may suspend your acquiring facilities until you can prove to our reasonable satisfaction that you are keeping to PCI DSS

Protecting cardholder information

As well as keeping to PCI DSS, you must keep to the following requirements to protect cardholder data.

Storing your records

You must keep your original copies of transactions in an accessible place for at least six months. We also advise you to keep copies of transactions for another seven months from that date, although this can be on microfilm or similar media.

If we need to send a retrieval request, we will give you the cardholder’s name wherever possible. However, the card issuer does not have to give us this information so we may be unable to tell you. As a result, you should store the transactions by transaction date and not by cardholder number or name.

It is important that you keep all copy vouchers and till rolls in a secure place, to prevent any fraudulent use of the information and in line with PCI DSS requirements. If you need to clarify your PCI DSS requirements, please contact Customer Services on 0844 811 0089.

If you are using thermal paper to process transactions, you need to take extra care when storing transaction copies to make sure they do not fade:
• Do not store them in direct sunlight. Wrap transaction copies in paper or store them in brown envelopes
• Do not store them close to heaters
• Store them in a cool, dark and dry environment
• Maintain an even temperature and humidity. (Ideally, a temperature of 20 to 23 degrees and a relative humidity of 45 to 55%). Do not store in PVC wallets

For a supply of our prepaid envelopes, call our Customer Services Department on 0844 811 6666.

Understanding your statement

Your monthly statement is a VAT invoice and a statement.

If you are a single outlet, or you have asked that we send separate statements to each outlet, you will receive:
• A merchant invoice and statement
• Transaction payment advice

If you have asked for statements to be sent to your head office, your head office will receive:
• A merchant invoice and statement
• Transaction payment advice
• Advice on details of the service charge

Your outlets will usually receive nothing.

Transaction payment advice

This provides itemised details of payments made to you with the dates we processed the transactions and the payment reference.

Periodic settlement

If you have chosen to be paid periodically (for example, weekly or twice weekly), please remember that the figure for the total payments for this period may not agree with the transaction charges on page 1 of your statement, as they cover different accounting periods. Payment for any dates not showing will appear on your next statement.

Advice on the details of the service charge

This shows a breakdown of the invoice for each outlet and includes a customer reference. Processing equipment rental charges are shown, giving the number of processing equipment at outlet and the total charge. We only send this page to chain head offices.

What will the statement look like?

Each page number and the total number of pages are shown in the top right-hand corner.
There are three main headings:

• Transactions and other charges if these apply
• Statement of account (including any adjustments)
• Total amount due

You must check your monthly service charge statement against your bank statement regularly to see that they match. If you do not do this, you may be legally responsible for any chargebacks for presenting transactions late. Remember to check that all transactions have been processed and that they show on both your merchant and bank statements.

If you have a question about a merchant invoice and statement you have received

Contact our Customer Services Department on: 0844 811 6666 quoting your outlet or chain head office number.

[Figure: sample MERCHANT INVOICE/STATEMENT. Sections shown: INVOICE THIS PERIOD (summary of your credit/debit card transaction details listed for all outlets, and other charges), STATEMENT OF ACCOUNT (summary of your account, TOTAL AMOUNT DUE) and summary of your E-Top Up commission earned.]

Exceptional procedures

Can I pass charges to my customer?

Under the terms of the Credit Cards (Price Discrimination) Order 1990, you are entitled to apply a surcharge to any transaction made by credit card. However, if you decide to do so, you run the risk of being uncompetitive and upsetting your customers who will then be paying higher prices than those who pay with a debit card or by cheque or cash.

If you do apply a surcharge, there are several procedures you must follow and a number of restrictions you must keep to.

1. Under the terms of the Price Indications (Method of Payment) Regulations 1991, you must display the credit card surcharge at the entrance of your premises, and at the point of sale. If you sell fuel, the regulations are in the Price Marking (Petrol) (Amendment) Order 1991. If you would like copies of the Credit Cards (Price Discrimination) Order 1990, the Price Indications (Method of Payment) Regulations 1991 and the Price Marking (Petrol) (Amendment) Order 1991, please contact your local Trading Standards Office for more information.

2. If you operate a mail, telephone or internet order service, you must make sure you tell your customers about surcharges before they place the order. You must also make sure that your catalogues, advertisements and the order form carry exact details of your plan to surcharge those customers who want to pay by credit card.

3. The amount of the surcharge, which you may add to your normal cash price, must not be more than the amount of the merchant service charge that you will pay us.

Under Visa regulations, you cannot add these surcharges to transactions involving Visa Debit or Visa Electron cards. However, UK law allows surcharges on all cards. Scheme rules allow you to add surcharges to transactions involving MasterCard and Maestro cards, but you will have to display a sign to warn customers that you are doing this.

It is your responsibility to make sure that these surcharges are only used if allowed by law, even when the cardholder is not present.

Minimum charging

You must not set any minimum limit on credit and debit card transactions. You must treat purchases by card in exactly the same way as cash purchases except if you supply a surcharge.

Internet authentication

Internet authentication is an e-commerce protocol which allows you to process secure e-commerce transactions by authenticating the cardholder’s identity using a password authentication at the time of purchase.

Authenticating cardholders successfully

Our 3-D Secure solutions fully meet procedure level 1.0.2. If you have chosen to get your software from another source, the source will need to have been approved by all card schemes we support which take part in the scheme.

Types of authentication

The card schemes use three types of authentication. These help to identify which level of authentication was used, and how far you will be liable.

We offer the following card-scheme authentication services and cover them in this procedure guide:
• Verified by Visa (for Visa transactions)
• SecureCode™ (for MasterCard and Maestro transactions)

By using authentication services you may be protected against chargebacks on successfully verified transactions. There are different rules for different card schemes, types of card and region. Partial or attempted authentication transactions may not be protected in the same way.

You must make sure that you are familiar with how authentication works before using any of the internet authentication services.

How do I use the internet authentication service?

You must:

• Have a valid internet merchant relationship with us to take full advantage of the service
• Be registered with us to use cardholder authentication services
• Have the authentication software included in your chosen payment solution. Unless you specifically ask for an alternative, we will assume you want to use authentication for all card schemes which support internet authentication

The following options are available to you.

1. Use our payment gateway, which is already set up to present 3-D Secure to cardholders.
2. Use our payment gateway and add 3-D Secure yourself.
3. Find or develop your own 3-D Secure software solution, which must meet the 3-D Secure specification of at least protocol level 1.0.2.

Full authentication

This happens when we, the card issuer, cardholder and merchant all correctly process an authentication transaction. The cardholder will successfully authenticate themselves (through a browser pop-up or in-line window) with their card issuer. This is often known as ‘Full authentication’ for Visa and ‘Full UCAF’ for MasterCard.

The card issuer will provide an IAV (issuer authentication value) to show that authentication took place. This value is passed in the authorisation process as proof of authentication.

Attempted authentication

This happens when the cardholder is not registered for authentication, but you are providing an authentication request. In this instance, the issuer may still provide an IAV (sometimes referred to as an attempt) to show that you successfully tried to authenticate the cardholder.

The card schemes differ with how they deal with attempted authenticated transactions.

For Visa

The definition of an attempted authentication for Visa cards is when both the merchant (you) and the acquirer (us) support authentication and can confirm that everything has been integrated correctly. The attempt to authenticate must be successful. The card issuer must return a response confirming the attempt. If the card issuer cannot confirm the attempt (for example, the system went down) you cannot claim attempted authentication.

A successful attempt for Visa includes:

• The cardholder pop-up or in-line window does not appear due to a mistake by the issuer or cardholder
• Confirmation from the BIN Cache or MasterCard or Maestro directory that the issuer is not taking part in the scheme
• The issuer service is not responding to your authentication request
• Confirmation that the cardholder is not participating or has not yet enrolled
• Authentication fails, but the transaction is authorised by the card issuer
• A 3-D Secure response of ‘A’ in the PARes

Visa card issuers must send an IAV for successfully authenticated transactions and may decide to send an IAV for a successfully attempted authentication.

MasterCard and Maestro issuers do not currently send an IAV for a successfully attempted authentication. Whether you gain ‘Full UCAF’ or ‘Merchant UCAF’ depends on the MasterCard or Maestro equivalent of the ECI. This must be passed in your payment solution to make sure you are not liable for the transaction.
For MasterCard and Maestro

The definition of an attempted authentication for MasterCard and Maestro cards is when both the merchant (you) and the acquirer (us) support authentication and can confirm that everything has been done correctly. The attempt to authenticate must be successful. The card issuer must return a response confirming the attempt. The term for this is ‘Merchant UCAF’ which simply means that you are taking part in the SecureCode™ scheme.

You can claim attempted authentication on a MasterCard or Maestro SecureCode™ transaction when you make any attempt to authenticate the cardholder. Ideally, you should receive a 3-D Secure message response from the card issuer confirming the attempt. However, if not, you can still claim you should not be liable as you have correctly used your chosen 3-D Secure solution and successfully sent the authentication request. This might happen when:

• You receive confirmation from the BIN Cache or MasterCard or Maestro directory that the Issuer is not taking part in the scheme
• You receive confirmation that the cardholder is not taking part or has not yet enrolled in the scheme

You cannot claim attempted authentication on a SecureCode™ transaction for Maestro cards issued outside the UK.

Passive authentication

An issuer may present a 3-D Secure window but decide to not prompt the cardholder to authenticate the transaction. The cardholder will go back to the merchant site without authenticating the transaction. Passive authentication provides full 3-D Secure benefits when completed.

The main benefit of authentication – transferring liability

In the past, e-commerce transactions have carried a higher risk than standard high-street transactions. This is because neither the cardholder nor the card can be positively identified at the time of the purchase. If a card was used fraudulently or the cardholder disputed the transaction, the card issuer would charge the transaction back to us.

If we receive a chargeback for a transaction you have processed, we will ask for evidence to support the transaction. In most cases evidence can be provided that the card was used, but not that the genuine cardholder was using the card. In this situation, the card issuer would charge the transaction back to you (a chargeback), resulting in you losing the goods or services plus the cost of the transaction.

With cardholder authentication you can prove that the cardholder used their card at the time of the transaction. Cardholder authentication helps prevent chargebacks where cards are used fraudulently, or where the cardholder denies using the card. The liability shifts from you, back to the card issuer.

Displaying the Verified by Visa and SecureCode™ logos

Both card schemes need the logos to be displayed on e-commerce payment pages as evidence that they take part in the service. If the logos are not automatically added to your payment page, you should add them yourself. This will give your customers the assurance that you are taking part in the scheme and have been fully registered to take part. If at any stage you ask not to use the authentication service, you should remove both logos from your payment page if they are not automatically removed. The logos will be made available to you when you apply for 3-D Secure.

Using our 3-D Secure solution

We control the authentication process within the HPP and will make sure you have as little disruption as possible to your current transaction processing.

Your responsibilities

You must:
• Correctly integrate the HPP in line with instructions given to you when signing up
• Read and understand how the HPP handles authenticated transactions – this information is provided in the integration guide
• Set up any 3-D Secure fraud-detection settings in your back-office

Reducing as far as possible the risk of fraud is essential and you should use internet authentication along with, and not instead of, any other fraud checks that you should have in place. It is important that you maintain your existing fraud checks. If you do not carry out your existing fraud checks, it could result in you receiving chargebacks.

Levels of protection

Cardholder authentication protects you against specific types of chargeback. Depending on where the card is issued, and the type of authentication gained (see above) who is liable will be different. However, for you to transfer liability, you must strictly keep to the 3-D Secure protocol.

Card scheme: Visa
Types of card it applies to: Visa Credit, Visa Debit, Visa Electron, Visa Commercial
Level of cover:
• Full worldwide cover (Visa Intra and Inter Regional) for fully authenticated transactions
• Full worldwide cover (Visa Intra and Inter Regional) for successfully attempted authentication.
Visa commercial cards issued in the USA are not protected.

Card scheme: MasterCard
Types of card it applies to: MasterCard Credit (including commercial cards)
Level of cover:
• Worldwide cover for both full and successfully attempted authentication

Card scheme: Maestro
Level of cover:
• Worldwide cover for full authentication
• Successfully attempted authentication for UK domestic transactions where both the card issuer and the merchant are based in the UK
Our responsibilities
Your responsibilities

We will:
You must:

• Register you with each card scheme we support
• Sign up for authentication, providing details of your chosen payment solution, and must say that you only want to be registered for the service
• Provide you with the relevant integration guides
• Control the processing of authentication transactions
• Make sure we have approved your chosen payment solution (if not a Barclaycard e-commerce solution) to process internet authentication transactions
• Keep to relevant card-scheme policies
• Process transactions according to your 3-D Secure fraud-detection settings
• Correctly build and put into practice your authentication and payment solution in line with the latest 3-D Secure procedure and APACS standards
• Maintain a full audit trail and provide transaction evidence to the card issuer if there is a chargeback where we believe authentication was correctly carried out and your responsibility should be transferred to the card issuer (this does not include a request for information (RFI))
• Get full approval from us to use the APACS standards at the necessary level
• Make sure that the authentication responses returned by your authentication solution are correctly passed to your payment solution to be provided in the authorisation message
• Make sure the correct authentication values are attached to both the authorisation and clearing message where appropriate
• Make sure that the IAV (CAVV for Visa, AAV for SecureCode™) is correctly passed in the authorisation message
• Maintain authentication transaction records on your behalf and use these to provide evidence that the transaction was authenticated if there is a chargeback.
It will be our responsibility to make sure that the correct IAV (CAVV, AAV) ECI, and XID (for Visa) value is attached to both the authorisation and settlement transaction

• Make sure any other data is passed in the authorisation message
• Make sure any extra data is passed in the clearing message
• Manage the process around the cardholder pop-up or in-line window (in other words, size, time outs)
• Manage the process if an error happens on the pop-up or in-line window (if the cardholder cancels)
• Secure the authentication merchant information used to register you with the card schemes at all times
• Make sure the BIN cache for each scheme (if being used) is updated at least every 24 hours
• Maintain full audit records of authentication transactions (including BIN cache updates)
• Give us evidence of authentication (in other words, your 3-D Secure logs) if we need this to defend a chargeback. This information must be returned to us within 14 days of our original request

Message values

Cardholder authentication generates new message values to show the level of security used, plus the result of the authentication. We will make sure the HPP processes all new message values correctly.

There may be times where authentication is not possible (for example, the in-line window does not appear). You must decide if you want to continue processing the transaction. You can set this on the HPP. You can find full instructions in the HPP integration guide.

If a cardholder cannot authenticate themselves, you must refuse the Visa transaction. If this does happen, depending on the issuer, Barclaycard SmartPay will refuse the transaction. MasterCard and Maestro transactions are allowed to continue.
Direct to card schemes

If you have chosen to find or build your own authentication solution that communicates directly with the card schemes taking part in the scheme, you are responsible for the whole authentication process and must make sure you keep to the integration and implementation requirements. If you are using another product to carry out internet authentication, you must make sure it can support the requirements shown in this section.

Our responsibilities

We will:

• Accept authorisation and clearing messages from your chosen payment solution containing authentication data
• Register you with each card scheme taking part in the scheme which we support and you have signed up to
• Provide transaction evidence to the card issuer if there is a chargeback where we believe authentication was correctly carried out and you can transfer liability based on information we have received from you
• Provide you with the appropriate authentication merchant information as registered with the card schemes
• Provide scheme or procedure updates to you when this applies

Transaction records

You must keep and store full authentication records to provide evidence in case an authenticated transaction is charged back. The table below shows what evidence will be needed if there is a disputed transaction.

Full authentication (Visa)
• ECI value = 5
• CAVV
• Supplied in readable format PAReq/PARes
• XID

Full UCAF (MasterCard and Maestro)
• ECI value = 2
• AAV
• Supplied in readable format PAReq/PARes

Attempted authentication (Visa)
• ECI value = 6 attempts
• CAVV
• Supplied in readable format VEReq/VERes OR PAReq/PARes
• XID

Merchant UCAF (MasterCard and Maestro)
• ECI value = 1
• AAV (if supplied)
• VEReq/VERes OR PAReq/PARes

If your solution supports BIN cache, you must also supply CRReq/CRRes.

We may ask you to provide transaction information to support a card issuer retrieval request. If you do not provide the information we ask for, you may be at risk of being liable for the transaction.
Card issuer pop up or in-line window

It is your responsibility to present the browser pop-up or in-line window to the cardholder. The card issuer will create the content and will carry out the authentication. You must control the size and conditions relating to time-out and dealing with mistakes associated with the window.

It is strongly recommended that you use an in-line window to prevent problems commonly associated with pop ups being suppressed (also referred to as pop-up killers) and avoid situations where customers accidentally close the pop-up window. Whether you use pop-up or in-line, it is your responsibility to present the browser pop-up or in-line window to the cardholder. Your authentication software supplier should provide the recommended size of the pop-up or in-line window.

It is recommended that the time out for the pop-up or in-line window is set to a reasonable time to allow cardholders enough time to authenticate themselves. It is your responsibility to set this in line with your website and risk policy. You must make sure you display an adequate error message to the cardholder if you enforce your time-out.

There may be times where the cardholder closes, cancels or cannot view the pop-up or in-line window. You must make sure your website can handle the error responses associated with this and must display clear error messages to the cardholders. You should use a balance of informative and non-specific information so you do not encourage potential fraud.

Your authentication merchant information

We will give you specific data to take part in the service, and will register this with each scheme. This will allow you to process authentication transactions through each scheme.

You will need to code these details into your authentication solution and pass them on each authentication request. You must make sure that you correctly include the information we provide, which may be different for each scheme. If you fail to pass the correct details, it could result in a failure of authentication request.

Once included, you should not change this information unless we tell you to. If you lose this information or feel it has been compromised in any way, you should contact us immediately. We will issue you with new details and re-register you with the relevant card schemes. This process may take up to 10 working days.

We will not give this information to any other payment provider acting on your behalf. We will only give it to you.

Message values

Cardholder authentication generates new message values to show the level of security being used, plus the result of the authentication. You must make sure that you fully understand the responses sent to your authentication solution by the card schemes and pass this to your payment solution in the authorisation and clearing messages.

The key value is the issuer authentication value (IAV). For Visa this will be the CAVV and for MasterCard this will be the AAV. The IAV will always be provided by the card issuer and you should not alter it.

Your payment solution will also need to make sure you attach the correct e-commerce indicator (ECI) to the authorisation and clearing message. The table below provides a definition of the ECI values used by each card scheme.

Visa
5 Authentication is successful.
6 Authentication is attempted but cardholder was not registered.
7 Authentication is not successful or not attempted (standard e-commerce transaction).

MasterCard and Maestro
2 Authentication is successful. Full UCAF.
1 Authentication is attempted but cardholder was not registered. Merchant UCAF.
0 Authentication is not successful or not attempted (standard e-commerce transaction).

Your authentication software integration guide will provide details on how you should correctly map authentication values into your chosen payment solution. You must make sure your payment solution supports the necessary level of APACS to communicate with our acquiring system.
You can get this information by contacting us.

BIN cache

The BIN cache is a store of BIN ranges that can be held locally on your server. If you want to use the BIN cache, you must contact each scheme directory using the appropriate 3-D Secure requests (CRReq/CRRes) to download the latest version at least every 24 hours. You can check the BIN cache before contacting the relevant scheme directory to check whether a cardholder is taking part in the scheme. This could reduce the number of messages you need to generate.

Keeping to the card scheme

It is important that you understand any responsibilities you may have when taking part in cardholder authentication. This will vary according to which payment product you use.

If authentication fails

Usually, if a cardholder is registered for authentication, they will be familiar with the process to correctly authenticate themselves. However, there may be times where the cardholder does not follow the correct process, or where a card may be being used fraudulently. The following scenarios may happen.

1. Failed authentication
a) The cardholder may fail to enter their correct password (they have up to three attempts).

2. A mistake during authentication
a) The cardholder may cancel the pop-up or in-line window.
b) The cardholder may close the pop-up or in-line window.
c) The pop-up or in-line window may time out.
d) The content of the window may be corrupt due to a mistake by the issuer.
e) The cardholder browser may stop the pop-up.

The card schemes have set policies on how to deal with failed authentication and mistakes during authentication.

If authentication fails for Visa transactions

What will you receive within the PARes message? ‘N’ response
What should you do? Refuse the transaction and do not process the transaction as the cardholder could not authenticate themselves.
If you are using a Barclaycard gateway: Our HPP will automatically refuse the transaction for you

If authentication fails for MasterCard and Maestro transactions

If authentication fails you will receive an ‘N’ response within the PARes message. You have the option of either refusing the transaction and stopping processing because the cardholder could not authenticate themselves, or continuing with the transaction and attempting authorisation. If you do continue and are given an authorisation code by the card issuer, you will be liable for the transaction. If authorisation is not given, you must refuse the card in the normal way.

Error during authentication for MasterCard and Maestro transactions

You may choose to carry on with the transaction and must be aware that you will be liable for the transaction (in other words, you could still be charged back). Our Barclaycard e-commerce solution will automatically either refuse or continue the transaction based on the response returned by the issuer and in line with scheme rules.

Mistake during authentication for Visa transactions

If there is a mistake during authentication, you may choose to carry on with the transaction and must be aware that you will be liable for the transaction (in other words, you could still be charged back). The ePDQ HPP will either refuse or continue with the transaction based on how you set up the appropriate continuity flags within the ePDQ technical settings. Our SmartPay Hosted Payment Page will automatically either refuse or continue the transaction based on the response returned by the issuer and in line with scheme rules.

Passing authentication values

You must make sure you keep to our Barclaycard e-commerce solution v1.0.2. You will also need to make sure that you can pass the authentication results in your authorisation and clearing message. You must have included the APACS standard that supports this. You can get information on which standard is used by contacting us. If you use our integrated 3-D Secure solution, you do not have to do this.

You must be able to receive and pass:

• Issuer authentication value (IAV) – CAVV for Visa, AAV for SecureCode™
• ECI values
• XID (for Visa)
• 3-D Secure procedure messages

It is your responsibility to make sure that the values, if received from the card issuer, are not altered in any way and are passed as received. The CAVV or AAV could be incorrectly passed if:

• The payment solution you are using does not support these values
• There is a problem with your integration to the hosted authentication service or payment software

An incorrect ECI value could be passed if:

• There is a problem with your integration to the hosted authentication service or payment software (or both)
• You have registered to take part but have not told us you want to go live
• You have accidentally hard-coded every ECI value to a set limit (in other words, ECI 7 for standard e-commerce)

You must make every attempt to avoid the possible mistakes shown above. If you fail to pass the IAV, or incorrectly pass the ECI value, you will be liable for the transaction. If you deliberately falsify any authentication value, we may end your authentication and merchant agreements.

Only the ePDQ and SmartPay HPPs will automatically process authentication values. The ECI values passed must match for both the authorisation and the clearing message.

Error conditions

In the unlikely event that you experience an error condition while using cardholder authentication, you need to make sure you can handle the responses. You may see a mistake if the HPP, Barclaycard SmartPay, or your own solution cannot connect to the relevant scheme directory. If this is the case, you will be sent a corresponding error message, which you must handle appropriately.

Scheme directory server unavailable

If the directory server is not available, this is considered a ‘break’ in the authentication process as neither a positive (success) nor a negative (failure) message can be supplied. As such, different rules will apply on who is liable for the transaction.

Visa
You can continue with the transaction, but must pass an ECI 7 as this was a non-authenticated transaction. You will not benefit from any chargeback protection.

MasterCard and Maestro
If you have correctly integrated the HPP, Barclaycard SmartPay or your own solution and get this error, you can claim merchant UCAF and still be protected (depending on the conditions in 1.4).

The ePDQ HPP will process transactions based on your settings within the ePDQ technical setting. Our SmartPay hosted payment page will process the transaction based on the response returned by the issuer and in line with scheme rules.

Hosted authentication service not available on a Barclaycard payment Gateway

If you cannot authenticate transactions because the hosted authentication service is not operating, we also see this as a ‘break’ in the process but it has a different outcome. If the hosted authentication service is not available, you should report this to us immediately. Transactions will not be authenticated if this service is down. You can continue with the transaction, but must pass an ECI 7 for Visa or ECI 0 for MasterCard as this was a non-authenticated transaction. You will not benefit from any chargeback protection for either card scheme.

If the ePDQ HPP detects that the hosted authentication service is down, it will process transactions based on your configuration of the ePDQ technical settings. With Barclaycard SmartPay, if the hosted authentication service is down, transactions will be unable to continue for authorisation.
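The ECI tables, the failure rules and the message checks above can be expressed as one decision function plus a consistency check. The following is an added example, not Barclaycard code or part of the guide: the function names, the `break_reason` labels, the `continue_unprotected` policy flag and the sample IAV string are this example's own, and the PARes status 'Y' is the standard 3-D Secure 1.0.2 success value, which the guide does not name. Passing ECI 1 for a non-UK Maestro attempt is an assumption; the guide only states that cover does not apply.

```python
from dataclasses import dataclass
from typing import Optional

# ECI values from the guide's table, keyed by scheme and authentication level.
ECI = {
    "visa":       {"full": "5", "attempted": "6", "none": "7"},
    "mastercard": {"full": "2", "attempted": "1", "none": "0"},
    "maestro":    {"full": "2", "attempted": "1", "none": "0"},
}


@dataclass(frozen=True)
class Decision:
    proceed: bool           # may the transaction go on to authorisation?
    eci: Optional[str]      # ECI to send in BOTH authorisation and clearing
    iav: Optional[str]      # CAVV (Visa) or AAV (SecureCode), exactly as issued
    liability_shift: bool   # chargeback cover expected under the guide's rules
    reason: str


def decide(scheme, pares_status=None, iav=None, break_reason=None,
           uk_domestic=True, continue_unprotected=False):
    """Map one 3-D Secure 1.0.2 outcome to what the payment message must carry.

    pares_status: 'Y' (authenticated), 'A' (attempt) or 'N' (failed);
                  None when no PARes was received.
    break_reason: 'directory_unavailable' or 'auth_service_down' when the
                  process broke before any PARes (labels are hypothetical).
    continue_unprotected: merchant policy (hypothetical flag) to carry on
                  where the guide allows it but gives no chargeback cover.
    """
    key = scheme.lower()
    eci = ECI[key]
    is_visa = key == "visa"
    # Maestro attempts are covered only for UK domestic transactions.
    attempt_cover = uk_domestic if key == "maestro" else True

    if pares_status == "Y":
        if not iav:
            # An authenticated result must carry the issuer's IAV.
            raise ValueError("authenticated result without IAV")
        return Decision(True, eci["full"], iav, True, "full authentication")

    if pares_status == "A":
        # Visa issuers may send an IAV for attempts; SecureCode issuers do not.
        return Decision(True, eci["attempted"], iav, attempt_cover,
                        "attempted authentication")

    if pares_status == "N":
        if is_visa or not continue_unprotected:
            return Decision(False, None, None, False, "failed: refuse")
        return Decision(True, eci["none"], None, False,
                        "failed: merchant continues and stays liable")

    if break_reason == "directory_unavailable" and not is_visa:
        # Guide: Merchant UCAF can still be claimed for MasterCard and Maestro.
        return Decision(True, eci["attempted"], None, attempt_cover,
                        "directory unavailable: merchant UCAF")

    if break_reason in ("directory_unavailable", "auth_service_down"):
        if not continue_unprotected:
            return Decision(False, None, None, False, "break: refuse")
        return Decision(True, eci["none"], None, False,
                        "break: non-authenticated transaction")

    raise ValueError("no PARes status and no break reason supplied")


def message_errors(decision, authorisation, clearing):
    """List the integration faults the guide warns about for one transaction."""
    errors = []
    if authorisation.get("eci") != clearing.get("eci"):
        errors.append("ECI differs between authorisation and clearing")
    if authorisation.get("eci") != decision.eci:
        errors.append("ECI does not reflect the authentication result")
    if decision.iav is not None and authorisation.get("iav") != decision.iav:
        errors.append("IAV missing or altered")
    return errors


if __name__ == "__main__":
    # Constructed sample: a fully authenticated Visa payment whose payment
    # solution hard-codes ECI 7 and drops the CAVV.
    d = decide("visa", "Y", iav="CONSTRUCTED-CAVV-VALUE")
    print(d)
    print(message_errors(d, {"eci": "7", "iav": None}, {"eci": "7"}))
```

Running `message_errors` over stored authorisation and clearing records is a quick way to find the hard-coded ECI and dropped IAV mistakes before they surface as chargebacks.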
Cardholder browser suppresses pop-up window

If the cardholder browser does not allow the pop-up to be displayed, this is also considered as a ‘break’ in the authentication request. As with the scenarios above, you may continue with the transaction but for Visa transactions you will not benefit from any chargeback protection. As recommended, you should consider using an in-line window to avoid these mistakes.

Your own authentication software not available

If you cannot authenticate transactions because the hosted authentication service is not operating, we also see this as a ‘break’ in the process but it has a different outcome. Transactions will not be authenticated if this service is down. You can continue with the transaction, but must pass an ECI 7 for Visa or ECI 0 for MasterCard as this was a non-authenticated transaction. You will not benefit from any chargeback protection for either card scheme.

Chargeback reason codes included

You must be aware that each card scheme uses a different ‘reason code’ to charge a transaction back. If you are using any automated risk tools, you should make sure you cater for each scheme reason code if it applies.

Visa
75 Transaction not recognised – when the cardholder tells you that they do not recognise an item on their card statement.
83 Fraud card absent environment – the card was not present and a transaction was processed without the cardholder’s permission, or a fake (card) account number was used.

MasterCard and Maestro
37 No cardholder authorisation – the cardholder denies responsibility for the transaction or the acquirer lacks evidence of a cardholder’s authentication (in other words, a signature).
63 Cardholder does not recognise – potential fraud. When a cardholder claims he or she does not recognise a card-not-present transaction (such as an e-commerce transaction). If after being presented with new information, the cardholder says that they did not authorise the transaction.
You may be asked to provide supporting information to us to defend a transaction (see section on Retrieval requests on page 26). Protection against this reason code may help to avoid a chargeback following the request. One of the critical success factors of the authentication schemes is to remove chargebacks from the system. Each of the card issuers are adding edits to make sure, wherever possible, that you are not charged back for a transaction that was authenticated. You will be liable for the transaction for all chargeback reason codes that are not set out in this document. 45 Sector-specific trading Vehicle rental companies These may not prevent all types of fraud but will act as a deterrent to fraudsters. Best practice for reducing chargebacks If your vehicle reservation system allows you to check the card security code given at the time of the reservation, you should enter it. However, if you are using processing equipment that cannot check the card security code, you should still ask for it as it may deter potential fraudsters. However, you must not keep or store the CSC code. There are certain types of chargebacks that happen more frequently among vehicle-rental providers. To support you we have created this best-practice guide on the correct procedures to deal with chargebacks and provide advice on how to reduce the cost to your business. You must authorise every transaction, but please remember that authorisation does not guarantee payment – it only confirms that: You should discuss and agree the hire rate and get the caller’s permission to accept your cancellation policy. The cancellation and no-show policy must be clearly explained to the customer. Once you have confirmed that you have accepted their order, please make sure you send a copy of your Terms and Conditions, written confirmation of the reservation details together with the cancellation and no-show policy to the cardholder. 1. 
The card has not been reported lost or stolen at the time of the transaction. 2. There are enough funds available at the time of the transaction. Except for contactless transactions, you will still be legally responsible for any Card Not Present transactions if the genuine cardholder later states that they did not make or authorise a transaction. Taking reservations by fax or mail Like the tips on phone reservations, we recommend asking for as many details as possible from the cardholder as previously listed. When taking orders from company cardholders, you should check that the fax or letter looks genuine, for example, that it’s on genuine company-headed paper. Obvious questions are shown below: Please remember that any transactions processed without the card being present may result in a chargeback if they are later disputed. It is in your own interest, where possible, to process transactions with the card present and make sure the cardholder is verified by their PIN or you get a signature (if the card is not PIN-enabled). • Does it contain a company logo? • Does it contain the correct corporate colours? Tips on taking reservations over the phone • D oes it show a switchboard phone number? Check by calling the sender (the switchboard operator would normally announce the company’s name) As telephone reservations are Card Not Present transactions, we recommend you take the precaution of asking for as many details as possible to confirm the authenticity of the unseen cardholder: • D oes it contain a registered address for ‘Ltd’ and ‘PLC’ companies? • T he name of the caller • Is it signed by someone in authority? • T heir direct-dial phone number (not a mobile phone number) Faxes and mail bookings should contain the same details needed for telephone reservations – except for the CSC. You should also make sure that the cardholder has accepted your cancellation policy. 
• The name of the person who needs the vehicle (if not the caller) • Their expected collection date and time We recommend calling the sender for confirmation of the reservation, the card details and the CSC. • The number of days they are expected to hire the vehicle Ideally you would also reply in writing confirming that you are accepting the reservation (fax or mail), and send a copy of your Terms and Conditions, including your cancellation policy, reservation details and no show policy. • The card number of the card to be used for the charges • The card ‘valid from’ date • The card ‘expiry date’ • The cardholder’s name • The cardholder’s billing address • The card security code (the last three digits on the signature strip on the back of the card or the three digits in the box next to the signature panel) Taking reservations over the internet However, if the genuine cardholder later claims that they never made the original reservation, the transaction may still be charged back. We would not be able to defend a chargeback in this case. Transactions over the internet are effectively Card Not Present transactions and are prone to being disputed and charged back. It is in your own interests to process transactions with the card present wherever possible. Collecting the vehicle When taking bookings over the internet, you should use the same procedures and precautions as those taken by phone. This includes making sure that cardholders can confirm they accept your Terms and Conditions, for example, by having a tick box. Ask to see the customer’s card and ask them to read your Terms and Conditions and sign the rental agreement. Then carry out the usual visual checks to make sure the card is genuine, for example, check the hologram, and that the signature strip has not been tampered with. We strongly recommend that your website uses ‘Internet Authentication’.
(Please see the Internet Authentication section of this document on page 37) You must not ask the cardholder to sign a blank transaction receipt in case there are any other charges or delayed charges. Extra tips for checking genuine customers The cardholder must give their permission to be charged extra or delayed charges. Set up your reservation system (or a stand-alone computer) to check the billing and company address by comparing it to the Royal Mail address. See www.royalmail.com. Or, you can invest in PC software that uses a postcode address to confirm addresses. Find out more at these websites and sources of information: If possible get payment by processing a Card Present transaction (see the ‘Accepting card-present transactions’ section of this guide on page 7). If you already have the payment, make sure you get an imprint of the card on the car rental agreement as proof that the cardholder agreed to pay by card. • www.streetmap.co.uk If the cardholder asked for a specialised vehicle (in other words, a vehicle that forms less than 10% of your fleet or one that you have arranged specifically for the customer to hire) and it then becomes unavailable, you must provide the following services at no extra charge. • Check the electoral roll. Companies like Equifax do this, and will charge for the service (0845 600 1772 or www.equifax.co.uk). Or, you can buy and install electoral-roll software • Check the Yellow Pages or BT Telephone Directory for the customer’s listing. Then call and ask for the person who sent the fax • A similar vehicle at another car rental establishment for the reservation period • Transportation to the other outlet Your cancellation policy Pre-authorisation While you may have a cancellation policy in your Terms and Conditions (which you must clearly tell your customer about), you may not charge any cancellation fee to the card used for the reservation.
If you do make a charge to the card, we will not be able to defend you from any chargeback. Pre-authorisation lets you estimate the final transaction amount, get authorisation and reserve the payment while the vehicle is still on hire. Base your estimate on: • The cardholder’s intended rental period • The rental rate and tax which applies You cannot demand more than 72 hours cancellation before the scheduled collection time and date of booking. • Mileage rates No-show You cannot use pre-authorisation with Maestro cards, and it does not apply to possible vehicle damage or other insurance excess amounts. If a cardholder doesn’t turn up, having failed to cancel their hire vehicle, you are then entitled to charge one day’s rental at the reserved vehicle rate. You can simply charge the card given at reservation. Pre-authorisations are valid for the length of the rental period. However, for extended hire we recommend you close the customer’s account after 14 days and bill them every two weeks. Send a copy of the transaction receipt and a copy of your Terms and Conditions to the cardholder at their billing address. You need to make sure that ‘No show’ is clearly written in the space where the cardholder would normally sign the transaction receipt. The transaction receipt should also clearly show the card number, expiry date and cardholder’s name. The operating guide for your processing equipment includes instructions for pre-authorisations, including chip-and-PIN card transactions, when the hirer will need to enter their PIN number to confirm they are the genuine cardholder. You can update estimates as often as you need, up to and including the date the vehicle is returned. When you issue a new estimate, make sure it does not include amounts which have already been authorised. Useful tips The pre-authorisation will apply for the length of the rental. However, we recommend that you close the customer’s account after two weeks and bill the customer every two weeks.
• Make sure your transaction receipt always includes the details of the authorisation code, the dates and the amounts • The operating guide for your processing equipment contains instructions for carrying out pre-authorisation. This can include carrying out a pre-authorisation using a card with a chip and PIN. The cardholder will have to put in their PIN number at the time of the pre-authorisation to confirm they are the genuine cardholder • Always tell the hirer how much you have estimated, as it will reduce the funds available on their card. Explain that they have not yet been charged, and that their final bill is unlikely to be exactly the same as the estimate • If your customer unexpectedly decides to reduce the hire period, simply provide the appropriate refund. Refunds must always be applied to the same card used for the original payment • Estimate the final amount and get pre-authorisation • Do tell the hirer how much you have pre-authorised, as this will reduce the funds they have available on the card. Explain to the hirer that no charge has actually been made at this point, and that it is unlikely that the final bill will be exactly the same as the pre-authorised amount Pre-authorisation – end of hire For Visa: • If the final bill is within 15% of the estimated amount you can use the code provided during the estimated authorisation Accidents or damage involving the vehicle However, you will need a final authorisation code if: If the vehicle is involved in an accident, you may charge Visa cardholders for the damage to the vehicle. You must also get an estimate of the cost from an organisation which can legally provide these services. You should always send the estimate to the cardholder if you are making a charge for damage.
The following conditions also apply: • The final transaction amount is above your floor limit and you have not got a previous authorisation • There is more than 15% difference between the final bill and the pre-authorisation amount • The hirer is paying by Visa Electron and the final bill is more than the sum of all the estimated authorisations you have already received for their hire period • The cardholder must have agreed in writing to pay the charges by Visa card (this permission should make up part of your rental agreement). It is critical that your car rental agreement clearly states that any extra or collision charges will be charged to the Visa card used to pay for hiring the car. The cardholder must sign to agree that they accept these Terms and Conditions. The cardholder’s signature must be on the same page of the car rental agreement as the Terms and Conditions that allow you to charge the Visa card. If the cardholder’s signature is on a separate page, we may not be able to defend you from a chargeback if the cardholder claims that they never agreed to their Visa card being charged for any extra charges For MasterCard: • If the final bill is greater than the estimated authorisation amount, you will need a further authorisation code for the difference Handling pre-authorisation Pre-authorisation allows you to estimate the final transaction amount and allows you to reserve the funds on the card by receiving an authorisation while the vehicle is still being hired. However, this does not apply to Maestro cards. Instead we recommend you get full payment when the vehicle is collected, for the expected hire value. If the customer unexpectedly decides to reduce the length of hire, you can then simply provide the appropriate refund.
• The charge must be made within 90 calendar days of the date of the transaction • There is a bigger risk of chargeback if you do not let the cardholder know about the charge The value should be based on the cardholder’s intended rental period, the rental rate with tax which applies and the mileage rates. You can update the estimates as often as you need, up to and including the date the vehicle is returned. Each extra pre-authorisation request must not include previously authorised amounts. And you may not try to gain pre-authorisation for potential vehicle damage or the insurance excess. Note about MasterCard: To apply extra charges to a MasterCard, you must get a separate cardholder signed authority by processing a Card Present transaction. If the charge is disputed later, this will be needed as proof that the cardholder authorised the extra charge. Procedure for dealing with delayed charges You and the cardholder may come to an agreement on the cost of the damage before processing the delayed or amended charge transaction. If you and the cardholder cannot agree on the cost of the damage, and if you process the delayed or amended charge transaction, the cardholder can dispute the charge. To process a delayed charge (such as for damage, fuel, insurance fee, parking tickets, excessive mileage, extra rental and so on) the cardholder must have agreed by signing the rental agreement and agreeing to the Terms and Conditions. These must state that the cardholder will be legally responsible for the charges and they will be taken from the card originally used to pay for the rental. The cardholder’s signature must be on the same page of the car rental agreement as the Terms and Conditions that allow you to charge for delayed charges. If the cardholder’s signature is on a separate page, we may not be able to defend you from a chargeback if the cardholder claims that they never agreed to their card being charged for any delayed charges.
You must wait 20 business days from the date of the confirmation receipt given to the cardholder before processing a charge for damages. A business day is Monday to Friday from 9am to 5pm. Accepting split sales Occasionally, customers ask to split payments between cards, cash or cheques, sometimes to share costs between partners. Although these transactions are acceptable, a high number of chargebacks result from them. So you must always get authorisation no matter what your floor limit. You must always tell the authorisation operator at the start of the call that the transaction is part of a split sale. Only process one transaction for each card. Any charges must be processed within 90 days of the original transaction date – and you must get further authorisation. The charge must be made using a separate transaction, with the words ‘Signature on file’ clearly visible. You must tell the cardholder in writing about any delayed charges – sent to the address on the rental agreement. Also, you must give them any extra documents to support the charge, for example, if the customer was responsible for a traffic offence, send them: Your refund policy If you operate a no-refund policy, you must make this clear to the cardholder when they make the reservation. If you do agree to refunds, beware of any opportunities for fraudsters. You must credit all refunds to the same card used to make the booking. If you make a charge to a card by mistake, you must refund it to the card within 30 calendar days. Under no circumstances refund by cash, cheque or other payment as this is likely to result in chargebacks.
• A copy of the rental agreement • Documents on the offence • The licence number of the rental vehicle • The law which has been broken and (if it applies) a copy of the authority’s accident report • Notice of the amount to be charged If you are using Barclaycard processing equipment that is set up for contactless payments, you can carry out contactless refunds up to the value of the current limit. Contactless refunds should not need cardholder verification. For delayed- or amended-charge transactions related to damage, you must provide a written confirmation containing the details of the damage, the cost of the damage and the currency in which the cost of the damage will be charged to the cardholder. You must do this within 10 business days of the return date of the rented car. You must also provide an estimate of repairs from a garage or company authorised to carry out repairs. Extended hire We strongly recommend that you do not allow your customer to hire the vehicle for more than two weeks without settling their bill. Ask hirers who want to extend the lease for more than two weeks to pay the current total due – ideally by the cardholder in person. Failing that, by using the card details provided at the original booking (although there is a risk that this amount could be disputed at a later date if you do not have a signature or PIN). For delayed charge or amended-charge transactions relating to damage where you have written to the cardholder, the cardholder may (at no cost to you) provide written confirmation of another estimate of cost of the damage within 10 business days of receiving your original written confirmation showing the cost of the damage. Disputed transactions Extra rules for the Visa vehicle-rental reservation service If a transaction is later disputed, it is vital to show that the card was present and authorised (if this is needed).
Except for contactless transactions, if no signature or PIN was given or if authorisation was not given, we will not be able to defend you from a chargeback. Where possible and except for contactless transactions, it is in your interest to process transactions with the card present and get a signature or PIN. If you or your booking agent accepts European-issued Visa cards or Visa Electron cards, you must ensure a car rental reservation is provided and keep to the following requirements. In return you may choose to charge a no-show fee if a Visa Europe cardholder has not cancelled a reservation in line with your Terms and Conditions. The most common reasons why disputed transactions are charged back for vehicle rental are: 1. You or your booking agent must get the cardholder’s name, account number and expiry date as displayed on the Visa card or Visa Electron card. 1. Delayed or amended charges. 2. Hire reservations by someone committing fraud using the card who never arrives. Often this is because the fraudster is only using your reservation system to check that the card is valid and funds are available. They will then use the card to buy goods from other establishments fraudulently. The first time the genuine cardholder will be aware that their card has been used fraudulently is when they receive their card statement and they see they have been charged your ‘no-show’ charge. 2. You or your booking agent must tell the cardholder about your cancellation and no-show policy and procedures when they are making the reservation. 3. You or your booking agent must provide written confirmation of the reservation to the cardholder by post, fax or email, including: • The reserved car rental rate • The currency of the transaction • The exact name and address of the location from where the car is to be collected 3. Not replying to requests for information. Under card-scheme rules, the card issuer is entitled to ask for details of any transaction.
In most instances, they only need a copy of the final transaction receipt, showing the card was present at the transaction and, except for contactless transactions, was authenticated by the cardholder – either by a signature or PIN. However, the card issuer may need a full breakdown of the charge. The request for information from Barclaycard will give details of what is needed. Please make sure you reply within 14 days as, if you fail to do so, the card issuer may make a chargeback. • The cardholder’s name, account number (shortened so it only displays four digits) and card expiry date as displayed on the Visa card or Visa Electron card • The confirmation code, which the cardholder must keep in case there is a dispute • The exact address of the location from where the car is to be collected • The hours of operation of the collection and return outlet For more information on preventing chargebacks, please go to our website at: http://www.barclaycard.co.uk/business/existing-customers/chargebacks/guides • Cancellation policy procedures Or, call our dedicated Chargeback team on 0844 755 0094 and ask to speak to our chargeback portfolio managers. 4. You or your booking agent must tell the cardholder that you will bill them for a no-show transaction (up to the value of one day’s rental) at the reserved car rental rate if the cardholder has neither: • The fuel status of the rented car when it is returned. If there is no extra fuel charge, this must be clearly shown on the written confirmation and you must not process a delayed charge or amended-charge transaction for extra fuel • Collected the vehicle within the 24 hours of the collection time • The date and time of the return.
If there are no extra rental charges as a result of extended time frames, this must be clearly shown on the written confirmation and you must not make a delayed charge or amended-charge transaction for the extra day’s rental • Properly cancelled the reservation in line with your cancellation policy 5. If you want to bill a no-show transaction, you or your booking agent must confirm, in writing, as part of the reservation confirmation, the value and currency of the fee that you will bill the cardholder. 15. If the cardholder returns the car using an express drop-off facility, you must send the written confirmation to the cardholder within five business days of the return date of the rented car. You should tell the cardholder to keep the confirmation receipt in case of a dispute. 6. You or your booking agent must not ask for more than 72 hours’ notice to cancel the rental without penalty. 7. If the cardholder makes a reservation within 72 hours of the scheduled pick-up date, the cancellation deadline must be no earlier than 6pm at the address of your vehicle rental company on the scheduled pick-up date. 16. You may only process a delayed charge or amended-charge transaction if the cardholder has given their permission for those charges. 17. For delayed charge or amended-charge transactions related to damage, you must provide a written confirmation containing the details of the damage, the cost of the damage and the currency in which the cost of the damage will be charged to the cardholder. You should do this within 10 business days of the return date of the rented car. 8. You or your booking agent must give the cardholder a cancellation code (if the reservation is properly cancelled in line with your cancellation policy) and tell the cardholder to keep the code in case there is any dispute. 9. You or your booking agent must send written confirmation of the cancellation to the cardholder within five business days of the cancellation date.
18. For delayed charge or amended-charge transactions relating to damage where you have written to the cardholder, the cardholder may, at no cost to you, provide written confirmation of another estimate of cost of the damage within 10 business days of receiving your original written confirmation showing the cost of the damage. 10. If a cardholder has not claimed or cancelled the car rental by the time you have given, you or your booking agent must keep the car available, according to the reservation, for 24 hours from the collection time. If the cardholder does still not collect the car, you may process a no-show transaction. 19. You and the cardholder may come to an agreement on the cost of the damage before processing the delayed charge or amended-charge transaction. If you cannot reach an agreement with the cardholder for the cost of the damage, and if you process the delayed charge or amended-charge transaction, the cardholder can dispute the charge. 11. If the vehicle you have said you will provide is not available, you must give the cardholder an equivalent or higher-group car at no extra charge. 12. You must make sure that you tell the cardholder at the time they make the reservation that a confirmation receipt is available during your hours of operation when they return the rented vehicle. This confirmation receipt confirms the conditions of the rented car when it is returned. 20. You must wait 20 business days from the date of the confirmation receipt provided to the cardholder before processing a charge for damages. A business day is Monday to Friday from 9am to 5pm. 13. You must give the cardholder written confirmation of their decision of whether to ask for a confirmation receipt as part of the reservation confirmation. 14. You must give the cardholder written confirmation of all of the following: • The visible damage status of the rented car when it is returned.
If there is no visible damage, this must be clearly shown on the written confirmation and you must not process a delayed charge or amended-charge transaction for any visible damage to the rented car Lodging and accommodation Best practice for reducing chargebacks Tips on taking telephone reservations There are certain types of chargebacks that happen more often among hotel, lodging and accommodation providers. To support you, we have created this best-practice guide to help you understand the correct procedures for dealing with chargebacks and provide advice on how to reduce the cost to your business. As telephone reservations are Card Not Present transactions, we recommend you take the precaution of asking for as many details as possible to check the authenticity of the unseen cardholder. Ask for: • The name of the caller • Their direct-dial phone number (not a mobile number) You must authorise every transaction but please remember that this does not guarantee payment. The authorisation confirms only that: • The name of the person who needs the accommodation or lodging (if not the caller) 1. The card has not been reported lost or stolen at the time of the transaction. • Their expected arrival date and time • The number of nights they are expected to stay 2. There are enough funds available at the time of the transaction. As the rules stand, except for contactless transactions, you will still be legally responsible for any transactions if the genuine cardholder later says that they did not make or authorise a transaction. Card Not Present transactions are particularly prone to chargebacks at a later date. • The card number of the card to be used for the charges • The card expiry date • The cardholder’s name • The cardholder’s billing address (this may not be the company address) If there is no signature on the final bill, we may not be able to defend you if there is a chargeback.
There is still an element of risk if the guest is allowed to check out using the priority check-out service. • The card security code (the last three digits on the signature strip on the back of the card or the three digits in the box next to the signature panel). See the note below Taking advance reservations If the booking is for corporate purposes, you should also take: Wherever possible, you should ask the person needing accommodation or lodging to make the reservation themselves. Of course, for practical reasons you may need to accept reservations from other people, such as secretaries acting on behalf of their bosses. • The caller’s name and position in the company or organisation • The name of the company or organisation • The company or organisation switchboard telephone number Note: If your reservation system allows you to check the card security code given at the time of the reservation, enter it. Even if you use POS processing equipment that cannot check the card security code, still ask for it as this may deter fraudsters. Also, you should discuss and agree the room rate and the hotel cancellation policy. You must ask the caller to agree to the cancellation policy. Once the caller has accepted, you can then issue a reservation code. If the reservation is made through someone else, for example, a travel agent, make sure they tell the customer about your Terms and Conditions. You should then ask the caller to confirm the reservation in writing, either by fax or mail. Taking reservations by fax or mail Taking a reservation over the internet Double check that the fax or letter looks genuine, for example, that it’s on genuine company-headed paper. Below are some obvious questions to ask yourself. Transactions over the internet are effectively Card Not Present transactions, so are more likely to result in a chargeback. It is in your own interests to process transactions with the card present, whenever possible.
• Does it contain a company logo and show the correct corporate colours (you can check on the internet)? When taking an e-commerce booking, you should use the same procedures and precautions as those for reservations taken by phone. This includes making sure that cardholders can confirm that they accept your Terms and Conditions, for example, in a tick box. We strongly recommend that your website allows ‘Internet authentication’. You can get this service from us and it allows you to confirm that reservations are being made by genuine cardholders. • Does it show a switchboard telephone number? • Check by calling the sender (the switchboard operator would normally announce the name of the company) • Does it contain a registered address for ‘Ltd’ and ‘PLC’ companies? • Is it signed by someone in authority? Faxes and postal bookings should contain the same details needed for telephone reservations – except for the CSC. They should also confirm they have accepted your cancellation policy. We recommend calling the sender for confirmation of the reservation, the card details and the CSC. Ideally you would also reply to say you have accepted the reservation in writing (fax or post), together with a copy of your Terms and Conditions, including your cancellation policy. Extra tips for checking genuine customers Guest arrivals and check-in • Set up your reservation system (or a stand-alone computer) to check the billing and company address by comparing it to the Royal Mail address. See www.royalmail.com. Or, you can invest in PC software that uses a postcode address to confirm addresses. Find out more at this website When your guests arrive, ask to see the card on which the booking was made, and ask them to fill in a registration form. If you allow extra items (newspapers, restaurant bills and so on) to be charged to guests’ rooms, your registration form should clearly show this.
Pre-authorisation • www.streetmap.co.uk Pre-authorisation allows you to estimate the final bill and reserve those funds on the card account while the guest is staying with you. But you cannot do this with Maestro cards. Instead we recommend you get full payment when they check in. • Check the electoral roll. Companies like Equifax do this, and will charge for the service (0845 600 1772 or www.equifax.co.uk). Or, you can buy and install electoral-roll software • Check the Yellow Pages or BT Phone Book for the customer’s listing. Then call and ask for the person who sent the fax If the customer decides to check out early, simply provide a refund. • The operating guide for your processing equipment contains instructions on carrying out pre-authorisation. This can include carrying out a pre-authorisation using a chip-and-PIN card. The cardholder will have to enter their PIN number at the time of the pre-authorisation to confirm they are the genuine cardholder Taking advanced lodging deposits If you take advanced lodging deposits under the Visa and MasterCard rules, this is the only amount you are allowed to take from the customer’s card. You will also give up your right to charge one night’s no-show payment. If you operate a no-refund policy, you must tell the cardholder at the time of the reservation. You must make any refunds you agree to the card used for the original booking – never give a refund in cash or by cheque or other means. You can only accept Maestro cards when the cardholder is present, as the card must be processed electronically using the magnetic stripe or embedded chip. • Estimate the final amount and get pre-authorisation • Do tell your guest how much you have pre-authorised, as this will reduce the funds they have available on the card. Explain to the guest that no charge has actually been made at this point, and that it is unlikely that the final bill will be exactly the same as the pre-authorised amount.
Check that the signature on the registration form matches that on the back of the card. Also check the hologram, and make sure the signature strip has not been tampered with. You can now go through the pre-authorisation procedures Your cancellation policy You must clearly explain your cancellation policy at the time of the reservation. Ask the customer whether they accept the policy and to confirm this. The cancellation deadline should be no earlier than 72 hours before the guest is expected. Pre-authorisation departures and check-out If a reservation has been made within 72 hours of the expected arrival time, the cancellation deadline will be 6pm on the arrival date. If you need to know about a cancellation before 6pm, you must post your cancellation policy to the cardholder. For Visa, if the final bill is within 15% of the pre-authorised amount, you can process the transaction by using the code given at pre-authorisation. But if the final bill is more than 15% above the pre-authorised amount, you will need to get another authorisation code for the difference. If the cardholder cancels the reservation within the time frame shown in your cancellation policy, give them a cancellation code for their records and yours. For MasterCard, if the final bill is less than the pre-authorised amount you can process the transaction by using the code provided during pre-authorisation. If the final bill is greater than the pre-authorised amount, you will need a further authorisation code for the difference. Note • If your cancellation policy is different from the above, you risk receiving chargebacks • You can only enforce the cancellation policy when the customer pays by Visa, MasterCard or JCB card (Maestro cards do not allow charges to be made for hotel cancellation charges).
Express and priority check-out service Disputed transactions If you operate an express check-out service, we may not be able to defend you from a chargeback if the cardholder later denies that they carried out any transactions. If a transaction is later disputed, it is vital to show that the card was present and authorised (if this is necessary). Except for contactless transactions, if you did not get a signature or PIN or if authorisation was not given, we will not be able to defend you from a chargeback. Where possible and except for contactless transactions, it is in your interest to process transactions with the card present and get a signature or PIN. Extended stays We strongly recommend that you do not allow stays of more than two weeks without asking guests to settle their bill. You should ask those who need to stay longer to pay the current total due. Ideally, ask for their card, or you can use the card details provided at check-in (although there is a risk that this amount could be disputed at a later date if you do not get a signature or PIN). If the bill is more than 15% above the pre-authorised amount at check-in, you should get a further pre-authorisation code for the rest of the stay. The most common reasons why disputed transactions are charged back for lodging or accommodation are: 1. Reservations made by someone fraudulently using a card who never arrives at the hotel. Often this is because the fraudster is using your reservation system only to check that the card is valid and there are funds available. They will then use the card to get goods from other retailers fraudulently. The first time the genuine cardholder will be aware that their card has been used fraudulently is when they receive their card statement and they see they have been charged your no-show charge.
If the transaction was carried out using Maestro, or MasterCard and there are extra charges, you must get a separate, signed and swiped voucher or imprinted document as proof that the cardholder authorised these charges to debit their account. 2. Not replying to requests for information. Under card-scheme rules, the card issuer is entitled to ask for details of any transaction. In most instances, they need only a copy of the final transaction receipt, showing the card was present at the transaction and was authenticated by the cardholder – either by a signature or PIN. However, sometimes the card issuer may need a full breakdown of the charge. Our request for information will give details of what is needed. Please make sure you reply within 14 days or you may have to pay a chargeback. Replying to requests for information and notice of chargebacks If we tell you that a cardholder is disputing a charge, always make sure you supply the correct information to help us defend the dispute. 55 No show Express and priority check-out charges If a cardholder doesn’t turn up, having failed to cancel their reservation, you are then entitled to charge one nights stay at the normal check-out time the following day. You can simply charge the card given at reservation. Send a copy of the transaction receipt and a copy of your Terms and Conditions to the cardholder at their billing address. ‘No show’ must be clearly written in the space where the cardholder would normally sign the transaction receipt. The transaction receipt should also clearly show the card number, expiry date and cardholders name. 
If the dispute was over an express or priority check-out where you did not get a signature, please send: • A copy of the transaction receipt from check-in proving the card was present and that you carried out a pre-authorisation • A copy of the hotel registration showing the cardholder’s signature and that they accepted the charge for the agreed length of stay and any other relevant details Other charges However, if the genuine cardholder later claims that they never made the original reservation then the transaction may still be charged back. We would be unable to defend a chargeback in this case. If the dispute was over charges made since the cardholder checked out (for example, minibar charges, breakfast on the last day and so on) please send a copy of the transaction receipt with the words ‘Signature on file’ in the cardholder signature box. Also, please send a copy of the hotel registration card showing the cardholder’s signature and that they accepted that they may have to pay extra charges. Please note: You may offer to reserve accommodation for Maestro Card customers - but be aware that you cannot debit the card for one night’s lodging if the customer does not arrive. No-show charges For more information on preventing chargebacks, please see our website at www.barclaycard.co.uk/business/chargebacks For no-show charges, please send us a copy of the transaction receipt or invoice clearly showing the card details and ‘No Show’ written on the signature box of any receipt. We also need proof that the cardholder was told about and accepted your Terms and Conditions. 
Contact numbers

Customer Services
0844 811 6666*
Monday to Sunday: 8.00am to 12.00 midnight
Bank holidays: 9.00am to 6.00pm (Closed Christmas Day)
For help with:
• Additional processing equipment
• Statement queries
• More literature and point of sale materials
• More information on products and services
• Changing your details
• Any other queries or problems

Cheque validation/guarantee
0800 515 788*
For help with:
• Validation of Barclays Bank cheques guaranteed by a Barclays Connect card, Barclaycard Visa card or Barclay Premier card

Sales Centre
0800 61 61 61*
Monday to Friday: 8.30am to 6.00pm (Closed Saturdays, Sundays and Bank Holidays)
For help with:
• Plans to extend your existing business or a new business

PDQ Helpdesk
0844 811 6666*
Monday to Sunday: 8.00am to 12.00 midnight
Bank holidays: 9.00am to 6.00pm (Closed Christmas Day)
For help with:
• Faults with processing equipment
• PDQ transaction queries
• Any other queries or problems relating to PDQ

Chargeback Department
0844 755 0094*
For help with:
• Any questions about chargebacks or retrievals

eCommerce Team
0844 822 2099*
Monday to Sunday: 8.00am to 12.00 midnight (closed Bank holidays)
For help with:
• Information or assistance about trading over the internet

Authorisation
0844 822 2000*
For help with:
• Authorisations for transactions over your floor limit
• Suspicions on card activity, transactions or a card presenter
• Card validity concerns

Complaints handling
0844 811 6666*
For help with:
• Any problems in service from us
• You can also email: www.barclaycard.co.uk/paymentacceptance

Multiple mail and telephone order transactions
0844 811 4470
For help with:
• Authorisation of more than one mail or telephone order transaction at a time

* Open 24 hours a day, 7 days a week (including Christmas Day)

Glossary and terminology

3–D Secure
3–Domain secure. Covering the many domains involved during internet authentication (between us, you and the cardholder’s issuer). The protocol behind the internet authentication process.

AAV
Account–holder authentication value. This is a unique reference generated by MasterCard and Maestro card issuers during the internet authentication process to prove that authentication took place.

ACS
Access control server. This is the server used by the card–issuing bank to manage the 3–D secure processes.

APACs
Association for Payment Clearing Services now known as UK Payments Administration Ltd (UKPA) – sets UK industry standards for payments.

BIN cache
A record of issuer BIN ranges stored locally on your authentication system. This should be regularly updated to make sure local information on cardholders taking part in the scheme and card issuers is correct.

Card acquirer
The financial institution, such as us, that is a member of the card schemes such as Visa or MasterCard. Acquirers enter into agreements with merchants to process card transactions on their behalf and arrange to pay authorised funds.

Card issuer
A card issuer is a bank, building society or financial institution that issues credit or debit cards.

Card not present
This refers to card transactions carried out when the cardholder and the card is not present at the point of sale, for example, a card transaction that takes place over the internet.

Card schemes
A card scheme is a payment–card organisation, such as MasterCard and Visa.

Card security code and address verification service
A service which confirms the cardholder’s address, postcode and card security code as part of the authorisation process.

CAVV
Cardholder authentication verification value. This is a unique reference generated during the 3–D–secure process by Visa card issuers to prove authentication took place or was attempted.

Chargebacks
Chargebacks can be initiated by the cardholder or card issuer. Occasionally, a cardholder will dispute with the card issuer a transaction shown on their statement. If the cardholder’s complaint is valid, the amount of the transaction may be charged back to us and passed on to you.

Chip and PIN
The cardholder enters a unique 4–digit personal identification number (PIN) instead of signing a receipt. This is standard technology in the UK. The main aim is to reduce fraudulent transactions at a cost to businesses and the banking industry.

Chip cards
These are payment cards with a computer microchip built into them. The microchip provides a method of securely storing cardholder information.

Code–10 calls
If you are suspicious about a card or the person presenting it, you must ring our Authorisation Department immediately on 0844 822 2000. If you cannot speak freely because the customer is nearby, tell the operator that you are making a code–10 call. You will then be asked various questions and told what steps to take.

Compromised card numbers (card number mismatch)
Compromised card numbers are those illegally copied from genuine cards. Fraudsters are currently encoding these numbers into the black magnetic stripe on the back of stolen cards, to produce what appears to be a valid card. Invariably, the embossed number will be different from the magnetic stripe details and this will show on the processing equipment receipt. You must compare these details when you carry out a transaction.

Contactless transaction
This is a transaction that is processed using near field communications (NFC) technology, where the payment instructions are securely exchanged between a chip card and specially adapted point–of–sale processing equipment. The value of any single transaction is limited to a certain amount.

CRReq
Card range request. A type of 3–D–secure procedure message used to find the BIN cache.

CRRes
Card range response. A type of 3–D–secure procedure message that contains the list of BIN ranges which are taking part in 3D secure.
Directory server (DS)
The servers hosted by the card schemes, Visa and MasterCard, that contain details on the cardholders and card issuers enrolled in 3D secure.

ECI
e-commerce indicator. This confirms how protected you are during the internet authentication process for an internet transaction.

Embossed cards
Cards with raised letters and numbers which can be felt and imprinted on a slip if necessary.

Encryption
The process of converting a message so that it cannot be read.

Firewall
Computer hardware, software and physical measures which prevent unauthorised access to and from a private network or server.

Floor limit
The card schemes set floor limits. When a transaction is above your floor limit, you must get authorisation.

HPP
Hosted payment page – the web page used to collect the cardholder’s credit or debit card details, hosted securely by another organisation.

HVP
High–value payments. This relates to contactless transactions that are over the current limit we have set.

IAV
Issuer authentication value. A general term that corresponds to either the Visa CAVV or MasterCard AAV.

Internet transaction
Any payment transaction made by a cardholder, using an electronic network, when the merchant is not present.

MasterCard directory
A system operated by MasterCard which decides whether a specific issuer and card number is taking part in an authentication scheme, and if so, it returns the URL of the appropriate access control server to your 3D–secure service to allow you to correctly direct your cardholder to the card issuer to authenticate a transaction or enrol in an authentication scheme.

Merchant voucher summary (MVS)
The summary voucher which must accompany any sales and refund vouchers when they are paid into a Barclays branch or posted to the Financial Exceptions Department for processing.

NFC
Near field communication. A set of standards for devices, such as point–of–sale processing equipment and contactless cards, to establish radio communication with each other by touching them together or bringing them close together.

PAReq
Payer authentication request. A type of 3–D–secure procedure message. The message you send to the ACS, containing relevant transaction details, when the cardholder is redirected to the card issuing bank for authentication or to be enrolled in an authentication scheme.

PARes
Payer authentication response. A type of 3–D–secure procedure message. The message returned to you by the ACS or card–issuing bank confirming the outcome of the internet authentication process.

Payment service providers (PSPs)
Companies who offer facilities for processing e–commerce transactions to businesses who want to trade over the internet.

PIN
Personal identification number. A unique 4–digit number a cardholder will use to confirm that they are the true cardholder.

Pop–up
An internet browser pop–up window, displayed within the main browser page.

Pre–authorisation
Pre–authorisation allows you to estimate the final bill and reserve those funds on the card. It is the process of authorising a credit or debit card without actually receiving the funds immediately. This is usually used for hotel booking or car hire.

Processing equipment
Processing equipment means any item of PIN-processing equipment including PEDs (PIN entry device) you use to process any face-to-face transaction.

Recurring transactions
Regular card payments for goods or services such as insurance premiums. These cannot be made with Maestro cards.

Retrieval requests or Request for information (RFI)
This is a request from a card issuer for more information or a copy of a transaction. In the case of a postal or telephone order, this will be details of the cardholder’s authority to take money from their account, together with a copy of the sales voucher or processing equipment receipt.

SecureCode
MasterCard’s term for their 3D–secure internet authentication service for MasterCard–branded cards and Maestro–branded cards.

Server
A central computer that makes services and data available.

Split sale
A transaction which is split between more than one card, or a combination of card, cash or cheque.

Supervisor control
A plastic card or a PIN code that is supplied with your point–of–sale processing equipment that is used to carry out supervisor actions on the device, for example, to carry out the end–of–day banking procedure or to process a refund.

Transaction laundering
This is the unacceptable practice of processing someone else’s card transactions using your merchant number.

UCAF
Universal cardholder authentication field. The data field used by MasterCard and Maestro issuers to send the AAV.

VbV
Verified by Visa. Visa’s term for their 3D–secure internet authentication service for Visa–branded cards.

VEReq
Verify enrolment request. A type of 3–D–secure procedure message. The message sent to Visa or MasterCard’s directory server to confirm the enrolment status of an individual cardholder.

VERes
Verify enrolment response. A type of 3–D–secure procedure message. The message returned by Visa or MasterCard’s directory server confirming the enrolment status of an individual cardholder.

We, us, our
Barclays Bank PLC, Barclaycard.

XID
Transaction identifier. A reference used in the 3D–secure process to link the 3D–secure protocol messages together.

You, your
The person, people or organisation shown as the merchant or any agent or sub–contractor we have approved. If two or more people are shown as the merchant, each of you is responsible to us individually as well as jointly.

Correct at time of publication (April 2015)

This document is also available in large print, in Braille and in audio format by calling 0844 811 6666*. We also offer a text relay or sign video service. For more information visit barclaycard.co.uk/accessibility

*Calls may be monitored or recorded in order to maintain high levels of security and quality of service. For BT business customers, calls to 0844 811 numbers will cost no more than 5.5p per minute, with a call costing at least 6p (current at April 2015). The price on non-BT phone lines may be different.

www.barclaycard.co.uk/paymentacceptance

Barclaycard is a trading name of Barclays Bank PLC. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 122702). Barclays Bank PLC subscribes to the Lending Code which is monitored and enforced by the Lending Standards Board. Registered in England No. 1026167. Registered Office: 1 Churchill Place, London E14 5HP.

BCD112079BROB1