Procedure guide

For a smoother operation
Welcome to Barclaycard
Global Payment Acceptance

About this document
This procedure guide, along with the Terms and Conditions and Additional Service Conditions you subscribed to, gives you the information you need for your business to accept payments.
This guide contains some critical information about the risks associated with accepting payments, and gives details of the steps that you should follow to help raise your awareness of risks and reduce, as far as possible, your exposure to these risks.
This forms part of your agreement with us and will allow you and your business to accept payments. For your own benefit and protection, we recommend that you read this document carefully.
Please make sure you keep this guide in a safe place, where your employees who use it have easy access to it, but out of reach of your customers and anyone else.

Barclaycard Merchant number
For ease when you contact Barclaycard, please have your merchant number ready. You can keep a record of it here:
Changes to your business
To make sure that you are receiving the services that are most appropriate for your business, please let us know if any of the following changes take place (you can contact our Customer Services team on 0844 811 6666):
• The type of business you have been carrying out since you signed the original merchant agreement changes, including changes to the goods or services you provide
• If you start to use other channels
• If you change the name of your business
• If you sell your business or change its legal entity
• If there is a significant change in shareholding
• If you stop trading
• If your business enters any form of insolvency procedure
You will also need to tell us if you change your:
• Business address
• Correspondence address
• Contact details
• Phone number
We must have up-to-date records on you and your business so we can contact you if needed.

Protecting you and your business

Being aware of bogus and phishing emails
We will never email you asking for transaction or card details. If you receive an email claiming to be from us and asking for details of your transactions, please do not respond to the email (known as a phishing email). Instead, please do the following:
• Open a new email and attach the ‘phishing email’. Do not forward it as this will lose potentially important information we need to trace the message
• Send your email with the attachment to: [email protected]
To report any of these instances contact: [email protected]

Transaction laundering and third-party processing
If you are approached with a proposal to buy card transactions or process another business’ transaction through your facility, please contact us on 0844 8111 981. This is called laundering and breaks the terms of your agreement.
Contents
Payment acceptance
Banking procedures and other services
Card present
Card not present
Accepting Card Present transactions
Barclaycard processing equipment
Using your own processing equipment or one supplied by another company
Plastic card designs
Accepting cards – best practice
Accepting non-chip cards
Accepting contactless payments
Completing your merchant voucher summary (MVS)
Posting vouchers
Preventing and detecting fraudulent card-present transactions
Returning wanted or recovered cards
Reward scheme
Other services
Accepting card payments
Accepting cards with a chip
Sales and refund vouchers
Dynamic currency conversion (DCC)
Accepting Card Not Present (CNP) transactions – e-commerce, mail and telephone order
Authorising Card Not Present transactions
Contactless payments using other technology and items
Shipping goods and providing services
High-value payment (HVP)
Recurring transactions
Transactions entered using the keys
Accepting payments over the internet (e-commerce)
Verifying card payments
Verifying cardholders using chip and PIN
Verifying cardholders by signature
Authorisations
Voice authorisation
Code-10 calls for card-present transactions
Referrals for card-present transactions
Split Sales
Failure of the chip to read or swipe
Transaction receipts
Using an accredited payment service provider (PSP) to accept e-commerce payments
Accepting payments over the internet using your own software
Using our payment gateway for accepting payments
Requirements for merchants not using the Hosted Payment Page (HPP)
Exchanges
Processing a fall-back paper voucher
Website information
Security of card data
Accepting Mail Order and Telephone Order (MOTO) payments
Other organisations that store, transmit or process your cardholder data
Taking telephone orders
If you fail to keep to PCI DSS
Protecting cardholder information
Storing your records
Preventing and detecting fraudulent card-not-present transactions
Tools for monitoring fraud
Card Security Code (CSC) and Address Verification Service (CSC/AVS)
Understanding your statement
Internet authentication (3-D Secure)
Fraud-screening
Further advice for internet transactions
Refunds
Other services
Dynamic currency conversion for e-commerce transactions
What will the statement look like
Transaction payment advice
Periodic statement
Advice on the details of the service charge
If you have a question about a merchant invoice and statement you have received
Exceptional procedures
Chargeback and retrieval requests
What is a retrieval request?
Responding to retrieval requests and chargeback letters
Faxlink service
To help reduce the risk of chargebacks
Timescales for chargebacks
Payment security
What is PCI DSS?
What information must be securely stored?
What information must not be securely stored at any time?
What you must do to keep to PCI DSS
Demonstrating that you are keeping to the PCI DSS
Can I pass charges to my customer?
Minimum charging
Internet authentication
Authenticating cardholders successfully
How do I use the internet authentication service?
Types of authentication
Full authentication
Attempted authentication
Passive authentication
The main benefit of authentication – transferring liability
Levels of protection
Card-scheme-approved qualified security assessor
Displaying the Verified by Visa and SecureCode logos
Using our 3-D Secure solution
Approved scan vendors
Your responsibilities
Further action you may need to take
Our responsibilities
Data compromises
Message values
The results of a data compromise
Direct to card schemes
Pre-authorisation
Your responsibilities
Accidents involving the vehicle
Our responsibilities
Procedures for dealing with delayed charges
Transaction records
Accepting split sales
Card issuer pop up or in-line window
Your refund policy
Your authentication merchant information
Extended hire
Message values
Disputed transactions
BIN cache
Keeping to the card scheme
Extra rules for the Visa vehicle-rental reservation service
If authentication fails
If authentication fails for Visa transactions
Lodging and accommodation
Best practice for reducing chargebacks
Taking advance reservations
Tips on taking telephone reservations
Taking reservations by fax or mail
Taking a reservation over the internet
If authentication fails for MasterCard and Maestro transactions
Mistake during authentication for Visa transactions
Error during authentication for MasterCard and Maestro transactions
Extra tips for checking genuine customers
Passing authentication values
Taking advance lodging deposits
Error conditions
Your cancellation policy
Scheme directory server unavailable
Guests arrivals and check-in
Hosted authentication service not available
Pre-authorisation departures and check-out
Cardholder browser suppresses pop-up window
Express and priority check-out service
Own authentication software not available
Extended stays
Chargeback reason codes included
Disputed transactions
Replying to requests for information and notice of chargebacks
No show
No-show charges
Express and priority check-out charges
Other charges
Contact numbers
Glossary and terminology
Sector-specific trading
Vehicle rental companies
Best practice for reducing chargebacks
Tips on taking reservations over the phone
Taking reservations by fax or mail
Taking reservations over the internet
Extra tips for checking genuine customers
Your cancellation policy
No-show
Collecting the vehicle
Payment acceptance
We can help you to accept payments from your customers in a number of environments using various payment methods.
There are two main environments where payments can be accepted.

Card Present (CP)
When the cardholder is in front of you and has their card with them at the time of the transaction and you take the payment either by reading the chip, by swiping the card through the processing equipment, or by using contactless technology.

Card Not Present (CNP)
When the cardholder and card are not with you at the time of the transaction. A Card Not Present transaction can take place:
• Over the internet (e-commerce)
• By mail order or by telephone order (MOTO)
• As a recurring transaction, where the cardholder gives you authority to charge a fixed or varying amount at intervals agreed between you and the cardholder (you would take the agreed amounts from the cardholder’s card for subscriptions, membership renewals and regular premiums)
• Using ‘tokenisation’, where a cardholder has agreed that you may take extra payments from their card at a later date without them having to give you their card details each time
The transaction types you can accept are shown in your agreement with us. You must make sure that you tell us if you want to process any other types of transaction.

Accepting Card Present transactions
You can accept card payments using processing equipment that we have either supplied (referred to as ‘Barclaycard processing equipment’) or by using approved processing equipment of your own or supplied by another company. You must make sure that your processing equipment can take both chip-and-PIN and magnetic-stripe payments.

Barclaycard processing equipment
If you are using Barclaycard processing equipment, please make sure you and your staff read the PDQ Terminal Operating Guide, see the terminal section of our website at:
http://www.barclaycard.co.uk/business/existingcustomers/mypdq
along with this guide before you start using the device.
Please see the Terminal User Guide for important safety information about the equipment and its use, and for relevant information on keeping to our conditions.
It is important that you look after your processing equipment and make sure you keep all liquids away from the device. If damage to your device results in it not working, it may need to be repaired before you can accept transactions. If you damage your processing equipment, we may charge you to replace it.

Using your own processing equipment or one supplied by another company
If you are using your own processing equipment or one supplied by another company, we will need to test and approve it before you use the equipment for live transactions. You must tell us who your supplier is. You can contact our Customer Services team on 0844 811 6666.
You are responsible for making sure your supplier keeps to the Payment Card Industry Data Security Standard (PCI DSS) and for making sure the equipment meets industry security standards. If the supplier fails to meet these standards, it will mean you are not keeping to some of these regulations and the card schemes may charge you penalties as a result.
If you are using your own processing equipment you must make sure that you regularly carry out ‘asset management’. Asset management involves recording all stock and serial numbers for each piece of processing equipment you have, the location and basic electronic and physical identification used to authenticate each piece of processing equipment. Your processing equipment must keep to the PCI DSS standard.
Plastic card designs
There are many different designs for credit and debit
cards. You should become familiar with the basic
features (such as the card number, chip and so on) on
most cards issued by banks and financial institutions.
Most processing equipment allows the cardholder to
insert their card into the device themselves. However,
if you have processing equipment that allows you to
handle the card, there are some visual checks which
you can carry out before accepting the payment.
If you do not follow the basic checks, you may be
accepting a fraudulent card, which may lead to
unavoidable chargebacks.
[Figure: annotated front and back views of Visa, MasterCard and JCB cards. The callouts are listed below.]

Visa
• Cardholder number: 16-digit account number with first 4 digits printed below
• Cardholder’s name and card valid from and to dates: can be embossed or not. VPay cards are printed
• Visa symbol or logo
• Hologram: flying dove (optional on Visa Electron cards). Plain silver or gold background, the dove flies and changes colour when the card is tilted. Can appear on the front of Electron cards
• Chip: embedded microchip
• Card type identification: ‘Electronic use only’ may appear on electronic cards
• Contactless acceptance
• Magnetic stripe: can be a traditional stripe or a hologram (one or a number of flying doves)
• Signature strip: Visa repeated. Some international cards will have a message on the strip and will not be signed. Ask for ID such as a driving licence or passport or make a code 10 call. Strip can be shortened
• CVV2: can also be on signature strip
• Last four digits of the card number: may not appear on Visa Electron cards issued outside UK
• V or UV element

MasterCard
• Cardholder’s number: 16-digit account number starting with 5 (embossed or not) with first 4 digits printed below
• Cardholder’s name: can be embossed or not
• Card valid from and to dates: can be embossed or not
• Symbol/Logo: the symbol is linked circles in red and orange with MasterCard printed in the middle of them
• Hologram: MasterCard Globe, which changes colour, must appear unless the hologram or halomag stripe appears on the back of the card. Can be debit or global hologram
• Chip: embedded microchip
• Magnetic stripe or halomag stripe
• Signature strip: MasterCard repeated. The card must be signed. Some international cards will have a message on the strip and will not be signed. Ask for ID such as a driving licence or passport or make a code 10 call
• CVV2: can also be on signature strip

Maestro
• Maestro cards can carry cheque guarantee details or branding for an ATM network. This can be on the front or back of the card
• Maestro cards can also hold a photograph of the cardholder and a signature on the front of the card

JCB
• Cardholder number: an embossed 15 or 16-digit account number with first 4 digits printed above or below
• Cardholder’s name: always embossed
• Card valid from and to dates
• Symbol or logo
• Hologram: sun, moon and JCB characters move when card is tilted
• Chip: embedded microchip
• Magnetic stripe: can be a traditional stripe
• Signature strip: the card must be signed
• 3-digit card security code
Accepting cards – best practice
• Make sure that the card is valid and in date
• Rub your thumb over the signature strip (it should be smooth and level with the surface of the card) and also check that no part of the card has been damaged or tampered with
• If you ask the cardholder to sign the transaction receipt, check that their signature matches that shown on the back of the card
• Check that the last four digits of the cardholder number printed on the receipt match the last four digits of the embossed account number on the front of the card. If they do not, you must ring for an authorisation and say, ‘I have a card number mismatch.’ If you cannot speak freely, just say, ‘I have a code-10 call.’ (Please see the ‘code-10 calls for card-present transactions’ section of this guide on page 12)
• Check that the spelling of the signature (if you can read it) corresponds with that of the name embossed or printed on the card
• Check the hologram moves as you tilt the card back and forth. Counterfeit cards use poor reproductions so it can be easy to identify a fake with a quick glance

Accepting card payments

Accepting cards with a chip
In the UK, cards are issued with a microchip (chip). However, cards issued outside the UK may have embedded chips but they may require different methods of cardholder verification, for example signature.
Chip and PIN is currently one of the most secure methods of card payment available. Your processing equipment must be chip enabled and you must accept transactions using chip and PIN technology where possible to avoid a higher risk of being liable for fraudulent transactions.
The card should be inserted into the chip card reader (see the ‘Verifying card payments’ section on page 11). If the processing equipment cannot read the chip, you are allowed one level of ‘fall-back’ and you may process the transaction by swiping the magnetic stripe through your device (see the section on accepting non-chip cards and using a non-chip-enabled terminal).
You need to make sure that you get authorisation at the time of processing the transaction. Authorisation confirms that the account has enough funds for the transaction and that the card has not been reported lost or stolen at the time of the transaction. It is not a guarantee of payment. If the genuine cardholder disputes the transaction, you may be liable for the resulting chargeback if you cannot provide a defence.
You must make sure you can accept chip-and-PIN and magnetic-stripe cards.

Accepting non-chip cards
Your processing equipment should have online access
and read non-chip-enabled cards. If you are presented
with a non-chip-enabled card, swipe the card through
the processing equipment using the magnetic-stripe
reader. You must get an online authorisation.
If the processing equipment cannot read the magnetic
stripe (and the card does not have a chip), ask the
customer for another form of payment. If they do not
have another form of payment, you may process the
transaction as a transaction ‘entered using the keys’.
However, this will increase the risk of processing a
fraudulent transaction and receiving a chargeback claim
(see the section ‘Transactions entered using the keys’
on page 10 of this guide).

Accepting contactless payments
A contactless transaction is a transaction that is processed using near field communications (NFC) technology, where the payment instructions are shared securely between a contactless card or other item and processing equipment which has contactless technology enabled. The contactless reader can be a separate reader or part of your processing equipment.
A contactless transaction takes place when the cardholder places the card, item or device over a secure reader. They do not need to enter their PIN unless it is for a high-value payment (HVP).
You can identify a contactless card as it will display the following symbol:
[Image: contactless symbol]
There is a limit for an individual contactless-card transaction. You can find the current limit at:
www.barclaycard.co.uk/simplepayment
On Barclaycard processing equipment you can also carry out a contactless refund up to the value of the current limit.
If the transaction cannot be completed using contactless technology, carry out a chip-and-PIN transaction. Or, if the card was issued outside the UK and does not have a chip, carry out a magnetic-stripe transaction.
Occasionally the processing equipment may tell you to change a contactless transaction to a chip-and-PIN transaction. This is a security measure aimed at making sure that the person with the card is authorised to use it.
Cardholder copies of receipts are optional. We have configured our processing equipment to only print a merchant receipt after a contactless transaction. For information on how to print a cardholder receipt, please see your Terminal Operating Guide.

Contactless payments using other technology and items (payment form factors)
Contactless technology can be embedded into other technology and items such as watches, wristbands, mobile phones and key fobs. For these types of transactions, the processing equipment will go online to check that funds are available. The processing equipment will not ask for a PIN as it does not need to check this. If the transaction fails, the cardholder should use either the associated card or another method of payment.

High-value payment (HVP)
We can configure point-of-sale devices to support HVP contactless transactions. HVP transactions are most likely to be made using a mobile phone to carry out the transaction and they need some method to confirm the cardholder is genuine, such as a PIN, to complete the transaction.

Transactions entered using the keys
If the card presented for payment has a magnetic stripe and fails to swipe through your processing equipment, you can enter the transaction into the device using the keys while the customer is with you. Please make sure you follow the procedure shown in the card chip-read/swipe failure section in this guide. Make sure that your processing equipment goes online to get authorisation for the transaction.
If a transaction fails to swipe, you should call for an authorisation on 0844 822 2000. If you are suspicious about the transaction, quote ‘code 10’ as an anti-fraud measure. If you have a record of an approved code-10 authorisation, this will protect you from chargebacks. See the ‘Voice authorisation’ section of this guide for more information.
Please remember
You cannot enter transactions using the keys for Maestro, Visa Electron, V Pay and unembossed cards. If chip and PIN or swipe (or both) fail for these types of card, you should ask the cardholder for another method of payment.
To prove you saw the card at the time of the transaction, take an imprint of the card using your manual imprinter. This will help you provide a defence if the card issuer raises a chargeback claim against you.
1. Fill in the voucher details in full and get the cardholder’s signature on the paper voucher.
2. Enter the card details into the electronic processing equipment using the keys.
You will automatically be credited for transactions entered using the keys on your processing equipment, so you do not need to send the paper voucher for processing. But make sure you keep the paper vouchers for 13 months along with the processing equipment receipts so you can produce them as proof that you saw the card when the transaction was carried out, in case you need to. If you cannot provide an imprinted voucher for these transactions at a later date, it could mean we will charge the transaction back to your business.

Verifying card payments

Verifying cardholders using chip and PIN
When a card with a chip is inserted into the chip card reader, the processing equipment will ask the cardholder to enter their PIN (personal identification number) to confirm the transaction. The processing equipment will ask for authorisation for all chip-and-PIN transactions.
If authorisation is declined, do not go ahead with the transaction as we will not be able to defend you if the transaction is charged back at a later date. Ask the customer for another method of payment. Do not swipe the card or enter the details using the keys on the device.
If your point of sale equipment is not able to read the chip, you should complete the transaction as a ‘magnetic stripe’ transaction and confirm it using the customer’s signature.

Verifying cardholders by signature
There may be instances where you cannot check the identity of the cardholder using their PIN and so you may need a signature to confirm their identity.

Authorisations
For card-present transactions, you must get an authorisation at the time of the transaction, either as a pre-authorisation for the expected value of a transaction (such as a hotel or car-hire bill) or as authorisation of the actual amount. For more information on how to complete a pre-authorisation, see your Terminal User Guide.
Authorisations are either done online through your processing equipment or you can phone for an authorisation on 0844 822 2000.
You do not need authorisation for offline devices if the transaction value is below the agreed floor limit. For transactions that are over the floor limit, the processing equipment will try to get online authorisation and may instruct you to get authorisation by phone.

Voice authorisation
When you process a card payment electronically, in most instances your processing equipment will automatically communicate with the card issuer for an authorisation. However, your processing equipment may instruct you to call our authorisation service or you may choose to call the authorisation service without having received an instruction.
A voice authorisation asks for confirmation that the cardholder has enough funds available on their account and checks the card has not been reported lost or stolen at the time of the transaction.
You may need to get a voice authorisation for one or more of the following reasons:
• If the sale is more than your floor limit
• If you are suspicious in any way about the card or cardholder (see ‘Code-10 calls for card-present transactions’ for details)
• If your processing equipment instructs you to
• If you have to use fall-back vouchers due to a fault with your processing equipment
A voice authorisation does not confirm the cardholder’s identity or guarantee payment.
If you need to change the amount of the transaction after the authorisation, cancel the original transaction and get a new authorisation for the new amount. This will make sure the correct amount is taken out of the cardholder’s account.
For more information on our voice authorisations, please see our website:
http://www.barclaycard.co.uk/business/existing-customers/voice-authorisations

Code-10 calls for Card Present transactions
If you or your staff are in any way suspicious about a card, the person making the payment or the circumstances surrounding a transaction, you must call for an authorisation on 0800 161 5382. This may mean you can then defend any fraudulent transaction from being charged back to your business:
• You will be asked for your merchant number and then for the type of transaction
• If you are suspicious and cannot speak freely and want to avoid a confrontation, you will be given the option to say, ‘This is a code-10 call’ or press 9
• You will be asked for the card number, followed by the expiry date and the issue number (if this applies) and will be given options to choose from depending on the type of call you are making
• After this, you will be connected to an operator who will ask a series of questions which you should answer with a yes or no
• Remember to keep the card and the goods out of reach of the customer
• If you have any surveillance equipment, switch it on
If the operator asks you to keep the card, tell the customer politely. Code 10 is only available for Card Present transactions where we may ask to speak to the cardholder. It is not available for transactions where the cardholder is not present, such as mail, telephone and e-commerce transactions. In card-not-present circumstances, we cannot guarantee that the person carrying out the transaction is the genuine cardholder.

Referrals for Card Present transactions
Occasionally, when processing transactions, the company which issued the card may ask for a referral and the processing equipment will instruct you to call for an authorisation.
A referral may happen when the card issuer asks us to contact them before releasing a decision.
Our aim is to process the referral in a quick and efficient way to reduce the time spent processing the transaction.
On most occasions we will ask you to put the cardholder on the phone. Simply follow our customer service advisor’s instructions, and once we have spoken to the person who has given you the card and the card issuer, we will give you a decision.

Split sales
Sometimes, a cardholder will ask to split the payment for something between several cards, or between a card and cash or a cheque. It is important that you follow the instructions below to make sure you understand when you can and when you cannot split a transaction as instructions vary depending on each possible scenario.
1. If several cardholders ask you to split a transaction amount into smaller amounts so that they all pay part of a bill, this is allowed. For example, in a group booking in a restaurant, each person will ask to pay either their own bill or part of the total bill. You are allowed to split the total bill between each cardholder. To prevent future disputes, always make sure each cardholder agrees the amount they will pay by making sure that you process separate transactions for each card. Each transaction must be verified by the cardholder’s PIN or signature as prompted by your processing equipment. Please make sure each cardholder receives a copy of the transaction receipt which applies to the agreed amount. This may or may not include a gratuity (tip) as agreed by the cardholder.
2. If one cardholder asks you to split a transaction amount across more than one card (possibly issued by different card issuers), you may go ahead as follows:
• Only go ahead with the transaction if you are not suspicious of the transaction or person with the card
• Make sure each card is issued in the same cardholder name (if the name appears on each card)
• Follow the normal card-acceptance procedures as shown in this guide
Split sales may usually take place when accepting large-value transactions where the cardholder may not have enough credit available on one card. The cardholder may ask to pay part of the total amount by cash or cheque. Make sure any cheque payment is also issued in the cardholder’s name. We recommend you only allow a cardholder to split a transaction over more than one card if:
• The cardholder has their card with them in front of you (we strongly recommend you do not split a sale on several cards for any telephone, mail-order or e-commerce transaction as you cannot confirm that your customer is the genuine cardholder and so you may be at risk of chargeback claims if the transaction is fraudulent)
• Each transaction is authorised (no matter what floor limit you may operate)
• The cardholder clearly agrees to how much is charged to each card and is given transaction receipts
3. If authorisation is refused on a transaction, do not split the transaction into smaller amounts in an attempt to get authorisation as this may result in chargeback claims against you.
If you try to split a sale, any transaction may be charged back. We will not be able to defend you from these chargebacks.

Exchanges
• You do not need to carry out any other procedure if a cardholder exchanges a purchase for goods of the same value
• If the value of the new purchase is less than that of the original, you will need to make a refund transaction for the difference of the cost. You should process refunds on the same card as the original sale. If the original card has been lost or stolen, the refund can be applied to the new account or card. For any other type of card closure (for example, the cardholder has closed their account), you must refund the card number used in the original transaction
• If the value of the new purchase is more than the original, carry out a sale for the difference in cost. You will need to get authorisation even if the amount is below your floor limit. Please remember, you cannot make refunds using cash or cheque
13
Processing a fall-back paper voucher
If you are using Barclaycard processing equipment,
we will give you a manual imprinter in case your
processing equipment fails. Please make sure that your
imprinter and paper vouchers are to hand and you get
a telephone authorisation for each transaction.
You should only use the fall-back paper vouchers
in exceptional circumstances, for example, if your
processing equipment is out of use because:
• Your phone line is faulty
• The device itself is faulty
You cannot process Maestro, Visa Electron, VPay and
unembossed cards using paper vouchers. You can only
process these cards electronically.
Please remember authorisation from the card issuer
is not a guarantee of payment nor does it confirm
that the person who presents the card is the genuine
cardholder. The card issuer can charge the card
payment back to you even if it has been authorised and
particularly if you did not follow the correct procedures.
If you rent Barclaycard processing equipment,
you must report all faults to our Customer Services
Department on 0800 161 5350.
1. Carry out all normal checks of the card. Please see
the ‘Plastic card designs’ section of this guide on
page 8.
2. Place the card face up on the imprinter.
3. Place the sales voucher, face up, over the
card and operate the imprinter.
4. Remove the sales voucher and card from
the imprinter.
5. Using a ballpoint pen write the following
details clearly:
• The date
• The amount of each item
• The transaction total (you must not split a sale
– split sales are at your own risk and could be
charged back)
• Details of what was bought. Please do not just write
‘Goods’ as this is not acceptable
6. If the customer is using a purchasing card,
they may need a customer reference number
to be recorded in the relevant boxes on the
sales voucher.
7. If you are selling fuel, use the ‘For Merchant Use
Only’ boxes on the sales voucher to record the
vehicle registration number.
8. Ask the cardholder to sign the sales voucher in
the box shown. Hold the card and watch while the
voucher is being signed.
9. Check that the signature on the sales voucher
matches the signature on the back of the card.
10. Check that the spelling of the signature (if you can
read it) matches that of the name embossed on
the card and check that the card is in date. If a title
is shown on the card, make sure it matches the
sex of the person giving you the card.
11. Check the signature strip to make sure that
no attempt has been made to disguise the
original signature.
12. You must get voice authorisation by calling
authorisations on 0800 161 5382. Ask for a
‘standard authorisation’.
13. If the transaction is authorised, you will be given
an alphanumeric (a mix of numbers and letters)
authorisation code by a voice-response service.
Write the code in the appropriate box on the sales
voucher. Tear off the cardholder copy of the sales
voucher and hand it to the customer with their
card and goods.
14. If the request is refused, no reason will be given
and you should return the card to the customer
unless the operator tells you otherwise – and ask
for another form of payment.
15. If the transaction is referred to an operator, you
should follow their instructions, including passing
the phone to the cardholder if needed.
16. Once the procedure has been completed and
all the necessary checks have been carried out,
you must make sure that you have recorded the
details of the transaction on all copies of the sales
voucher. You should then tear off the cardholder
copy of the voucher and hand it to the customer
with their card and goods.
17. Key in the transaction when your processing
equipment is working again. If you are using
Barclaycard processing equipment, you
should do this as a forced sale (at the READY
prompt, press MENU and select Force Sale
from the TRANSACTION MENU then follow the
terminal instructions). This will prevent a second
authorisation code being given or the transaction
being refused. Take care when keying the card
details in to make sure that they are correct. If at a
later date, the transaction is charged back due to
invalid details being put in, your company may
have a chargeback taken.
18. If the transaction is accepted, store the sales
voucher somewhere safe in case there is a
dispute about it. Do not bank the voucher as the
processing equipment will credit the amount into
your bank account.
19. If when entering the transaction using the keys
you receive a ‘Declined Authorisation’ message,
fill in the sales voucher and send the sales voucher
to us for processing. See the ‘Sales and refund
vouchers’ section in this guide. We may honour
the transaction as long as you have authorisation
where needed (in other words, at the time the
transaction was carried out with the cardholder
present, you followed all the procedures correctly
and reported the fault to us, so that it shows on
our log reports).
20. If you have not been able to key in any vouchers
to your point-of-sale processing equipment,
pay the vouchers into your bank account within
two banking days (see the ‘Sales and refund
vouchers’ section of this guide).
Remember, we will not accept altered vouchers. If
you make a mistake when entering the details of a
transaction, you must destroy the incorrect voucher
and start again.
Never pin, staple, fold or damage vouchers as this may
cause processing problems.
If you are suspicious about the card, the person using
it or the circumstances of the transaction, you must
follow the Code 10 procedure.
[Figure: card imprinter and sales voucher]
Failure of the chip to read or swipe
The following information will help you and your
company reduce losses through counterfeit fraud. Most
of your card transactions will be chip-read or swiped
through your electronic processing equipment with no
problems. However, there may be times when your
processing equipment cannot read the chip or magnetic
stripe. You are allowed one level of fall-back, so if the
device cannot read the chip, you can fall back to using
the magnetic stripe. Or, for a non-chip card, if the device
cannot read the magnetic stripe, you may need to
manually enter the card number embossed on the front
of the card using the processing equipment keys.
If you have chip-enabled processing equipment, you
should find chip cards will not usually fail to read the
chip. You may find that if you enter the details using
the keys or swipe the magnetic stripe on a chip card
the issuer may refuse the card. This is for increased
security. If this is the case, follow the processing
equipment prompts, which may mean you have to
speak to our authorisation department. Please make
sure you follow their instructions. Only give the card
back to the customer if you are not asked to keep it.
When a card transaction is processed in this way, a
number of very important security checks, usually
carried out by the electronic processing equipment,
are avoided. It is clear that some fraudsters are aware
of this and are taking advantage of the opportunities.
Under Visa and MasterCard Card Scheme Regulations,
a card issuer has the right to ask to see an imprinted
verification voucher signed by the cardholder. If you fail
to provide this, the card issuer has the right to charge
the transaction back to you.
To protect your business from losses and reduce the
risk of chargebacks when a card fails to be read by your
electronic processing equipment, you should do the
following:
• Enter the card number, embossed on the front of
the card, using the processing equipment keys and
get authorisation
• As well as manually entering the card number
into the processing equipment, imprint a sales
voucher and fully fill in the verification voucher.
(This must be signed by the customer and you
should write the words ‘For verification only – this
voucher is not for banking’ on the voucher.) Pass
the customer copy to the customer along with the
processing equipment receipt. If you need a supply
of pre-printed verification vouchers, please call
0800 161 5363
• Please do not bank the verification (or sales)
voucher as your processing equipment will still
process the transaction in the usual way
• Banking the verification or sales voucher will cause
the cardholder’s account to be debited twice. The
voucher is simply your proof that the card was
present at the point of sale. You can then use it to
prove the transaction was valid if the customer then
disputes it
• You should keep the merchant copy of the
processing equipment receipt and the verification
(or sales) voucher together in case of any future
query. If you fail to provide copies and a card issuer
does have a query, it could result in a chargeback
and losses to your business. You need to fill in the
verification voucher fully and include full details of
the goods or services bought. Do not just write
‘Goods’. Make sure you write the authorisation
code provided by the authorisation department
You can only process Maestro card transactions and
Visa electron and V Pay cards that are un-embossed
electronically (by swiping the magnetic stripe or reading
the chip). You cannot enter the details using the keys for
printed cards as you will not be able to take an imprint
of the card as proof of the card and cardholder being
present at the time of the transaction. If a Maestro,
Visa electron or VPay card fails to chip-read or swipe
through, you should ask your customer for another
form of payment as there is no chargeback defence if
the card fails to swipe.
Banking procedures and other services
Please make sure that you follow the end-of-day
banking procedure (as shown in your Terminal
Operating Guide) to make sure you receive payment
for all transactions. It is essential that you send all
transactions for payment within two working days of
being accepted.
If you send a transaction after two working
days, the card issuer may reject the transaction,
resulting in it being charged back. We will not be
able to defend you from these chargebacks:
• If your processing equipment is not working,
please make sure that you follow the procedure in
‘Transactions entered using the keys’ section of this
guide on page 10, so you can receive the payment.
To bank any voucher that cannot be processed
by your processing equipment, please follow the
procedures below
• Complete the three-part merchant voucher
summary (MVS) before handing the bank copy of
your sales and refund vouchers into any branch of
Barclays Bank
Each batch of vouchers must be accompanied by part
three (the white copy) of the completed MVS. No more
than 20 vouchers should accompany each MVS.
Sales and refund vouchers
If your processing equipment is not working, please
make sure you follow the procedure in ‘Transactions
entered with the keys’ section of this guide on page 10.
These vouchers provide three copies of the sale or
refund details, one for your own use, one for the bank
to process and one for the cardholder.
• Merchant copy – the top copy of the
completed sales or refund voucher is your record of
the transaction
• Bank processing copy – the middle copy of the
sales or refund voucher should be handed into your
local branch of Barclays Bank. You should hand
in vouchers on the day of the transaction and no
more than two banking days afterwards
• Cardholder copy – the bottom copy must be
given to the cardholder for his or her records or, in
the case of a mail or phone order, it must be posted
to the cardholder
Completing your merchant voucher summary (MVS)
• Write your merchant name and number (this is
normally shown on the top line of your imprinter
plate) clearly on the MVS, with the paying-in date
• List the value of each sales voucher and refund
voucher on the back of the MVS in the boxes shown
• Write the total of each column in the boxes at
the bottom
• Write the total number and value of both sales
vouchers and refund vouchers on the front of
the MVS
• If possible, vouchers should be deposited on the
day of the transaction and no more than two
banking days afterwards
If you have any questions about the credit to your
bank account, you should call our Customer Services
Department on 0800 161 5350.
Posting vouchers
If you are in a remote area and cannot get to a branch
of Barclays Bank, you may post your vouchers to us for
processing. You should send the MVS bank-processing
copies of your sales and refund vouchers to:
Barclaycard Financial Exceptions, Dept FX,
Barclaycard House, 1234 Pavilion Drive, Brackmills,
Northampton NN4 7SG.
For a supply of our prepaid envelopes, call our
Customer Services Department on 0800 161 5350.
Preventing and detecting fraudulent Card Present transactions
To prevent fraudulent transactions being charged back
at a later date, you should have chip-and-PIN-enabled
processing equipment and accept transactions by
reading the chip.
You must make sure you get authorisation on any
transaction where the card details are not captured
using the chip (for example, when presented with a
magnetic-stripe card transaction) to avoid the risk of
loss due to card fraud.
1. If your processing equipment is chip-and-PIN-enabled
you could be presented with a number of
different scenarios, all of which you can accept:
• Magnetic stripe and signature verification (for
example, from an overseas customer where
the country has yet to upgrade to chip-and-PIN
technology)
• Chip and signature verification (for example, from a
disabled customer who cannot use PIN technology)
• Chip-and-PIN verification
2. If your processing equipment has a contactless
reader, you will also be able to accept contactless
transactions with no verification (please see the
section on contactless transactions on page 10).
If your customer cannot remember their PIN, ask for
another method of payment.
In these instances, if your processing equipment is
chip and PIN capable, and the transaction has been
taken using the chip and PIN, you will be protected
against possible counterfeit, lost and stolen cards, and
intercepted card fraud.
Card-fraud statistics show there is increased fraud with
non-PIN cards. Be aware of the security checks you
should make to reduce this type of fraud:
• Keep hold of the card at all times
• Keep the goods out of reach of the customer
• Check the ‘valid from’ date. If the card is newly
issued, be extra careful
• Watch out for hesitancy when the customer signs
and make sure that the signature they give matches
the signature on the card
• Be careful not to be distracted during a transaction.
Fraudsters may try to hurry you, or draw your
attention away from making card checks
• Check the name on the card and check that it
matches the sex of the person giving you the card if
this is possible to tell
• Be sure not to process transactions on behalf of
anyone else. This would be breaking your merchant
agreement and could lead to transactions being
charged back to you
Returning wanted or recovered cards
If our authorisation operator asks you to destroy a
card and return it to us, please follow the procedure
described below. You should politely tell your customer
what you have been asked to do.
1. To preserve fingerprints and other forensic
evidence, handle the card as little as possible and
only by the edges.
2. With the card facing you, cut off only the bottom
left-hand corner.
3. Make sure the signature strip, magnetic stripe, chip
and hologram are intact.
4. You will find a recovered-card form in your
welcome pack.
You can get more recovered-card forms by calling our
Customer Services Department on 0844 811 6666
• You must fill in the form in full and keep the cut-off
slip of the filled-in form in your files
• You should send the top section of the form and
both pieces of the card to:
Recovered Card Services, Barclaycard,
Department RC, Northampton NN4 7SG
If you are returning a Visa Electron card, please
also enclose a copy of the processing equipment
declined receipt.
Reward scheme
We may pay a £50 reward to your business for
returning a wanted card. You can then decide whether
to pass the reward payment on to the person who
actually recovered the card.
If the police need to keep a wanted card or sales
voucher for investigation (for example, if a stolen card is
presented), you will need to keep certain details in case
there is a question about it. Please make sure you have
a copy of the sales voucher (a good photocopy will be
acceptable), as well as:
• The card number
• The expiry date
• The name embossed on the card
• The date the card was recovered
• The crime reference number
• Details of the officer and police station dealing with
the case
You can still claim a reward if the police take the card
for evidence.
Other services
Dynamic currency conversion (DCC)
If your business takes payments from cards
issued outside of the UK, your processing equipment
may be configured for DCC. DCC offers Visa and
MasterCard international cardholders the choice and
convenience of paying for goods and services using
their home currency.
Your international customers benefit from a clear
and competitive exchange rate for credit and debit
card purchases made abroad with this service. Once
the cardholder uses their card abroad they will be
presented with the option to pay using the currency
of the card or the local currency. The transaction will
stay in that currency throughout the entire transaction
and settlement process. As such, both you and your
customer know the exact amount of the purchase at
the time you make the sale.
Accepting Card Not Present (CNP) transactions – e-commerce, mail and telephone order
It is important that you understand the risks associated
with accepting Card Not Present transactions. There
are increased risks of chargebacks for Card Not Present
transactions because the customer and card are not
present at the time of transaction and so cannot always
be verified.
When processing Card Not Present orders you must
make sure you get:
• The card number
• The card expiry date
• The gross amount (in other words, including
postage, packaging and VAT) of the transaction
• The customer reference number, if quoted – for a
Visa transaction only
• The card security code (CSC), otherwise known
as card verification value (CVV or CVV2), card
verification value code (CVVC), card verification
code (CVC or CVC2), verification code (V-code or
V code), card code verification (CCV), or signature
panel code (SPC)
If you would like to accept e-commerce Maestro
transactions, you must be enrolled with MasterCard
SecureCode.
When processing Card Not Present orders you
should also get:
• The cardholder’s full name and address, as held
by their card issuer, including the postcode and
phone number
• The cardholder’s signature, for mail order
• The delivery address and name of the person
receiving the goods if different from that of
the cardholder
Please remember an authorisation does not guarantee
payment. It only confirms that there are enough funds
available in the account and that the card has not
been reported as lost or stolen at the time of the
transaction. We cannot guarantee that the person
presenting the card details is the genuine cardholder
and so you may be at risk of chargebacks following
fraudulent transactions.
You should not:
• Release goods to anyone claiming to have been
sent by the cardholder (for example, a taxi driver) to
collect the goods
• Allow a cardholder to pick up goods paid for with a
Card Not Present transaction. If a cardholder pays
using an e-commerce or MOTO transaction and
collects the goods later, you should cancel the Card
Not Present transaction and carry out a new Card
Present transaction. Make sure you also carry out
the full Card Present procedures
Authorising Card Not Present transactions
Card Not Present transactions must get an
authorisation at the time of the transaction, either
as a pre-authorisation for the expected value of a
transaction (such as a hotel or car-hire bill) or as
authorisation of the actual amount.
Shipping goods and providing services
Visa transactions must get an authorisation on any
day up to seven calendar days before the transaction
date (the date the goods are shipped or services are
provided). This authorisation is valid if the transaction
amount is within 15% of the authorised amount, as long
as the extra amount represents shipping costs.
You must get authorisation for MasterCard transactions
on the day the cardholder contacts you to place an
order. When the goods or services are ready to be
delivered, you should then process the transaction.
This should not be for more than the original
authorisation amount. MasterCard consider the date
you ship the goods or provide the service as the
transaction date. If you are shipping goods more than
seven days after the original authorisation request,
we recommend you get a second authorisation. When
presenting the transaction for processing, please quote
the original authorisation code, but keep the second
one in case there is a dispute about the transaction.
Recurring transactions
A recurring transaction is one where the cardholder
grants permission, in writing or electronically, to a
merchant to periodically bill their account for goods
or services delivered over a period of time. There
cannot be more than 365 days between transactions.
For example, merchants who may benefit from
recurring transactions are vehicle breakdown services,
insurance providers, and those issuing memberships
and subscriptions.
Issuers may refuse a recurring transaction taken on a
Visa card if the expiry date is missing, not valid, or has
expired. You must provide the correct card expiry date
for each recurring transaction.
If the cardholder wants to cancel a recurring transaction,
they may either contact you or they may contact their
card issuer direct. If the cardholder cancels the recurring
payment through their issuer, you may not know until
the next payment fails.
Recurring transactions must not be carried out using a
Maestro card.
Accepting payments over the internet (e-commerce)
You can accept payments over the internet using a
Barclaycard payment gateway which can be integrated
in your website. Or, you can use your own software or
another payment service provider (PSP).
Website information
You are responsible for designing your own web page
but you must make sure you display:
• Your company name, registered office address,
phone number and email address
• Your company registration number and
VAT number
• A complete description and price of all goods and
services, clearly stated, including all extra costs such
as taxes and delivery costs
• Clear information on your company’s refund and
cancellation policies
• A statement to describe the type of transaction
security that you provide
• A privacy statement
• Your transaction currency
• The merchant outlet country at the time of
presenting payment options to the cardholder
• The scheme logos of the type of cards you accept
• Your delivery policy
• Any export restrictions
Please remember that you must give the customer a
transaction receipt.
Transaction receipts
You must give your customers a transaction receipt as
part of an order confirmation notice at the time of the
purchase. The receipt must include:
• An instruction to print or keep the receipt for
future reference
• Your company name, address and phone number
for customer contacts
• Your website address
• The total cost of the purchase, and the currency it is
made in
• A unique transaction reference number
• The transaction date and type (for example,
whether it is a sale or refund)
• The name of the purchaser
• The authorisation code
• A complete description of all goods and
services bought
• Clear information on your Terms and Conditions,
cancellation, return and refund policy (if restricted)
• The exact date any free trial period ends,
if offered
The receipt must only include the last four digits and
not the full card number. For MasterCard transactions,
the expiry date must not be quoted:
• Keep a record of the cardholder’s name and
address in case of any questions in the future
• It is your responsibility to check the card when the
goods are delivered. You should make sure that the
card number and the expiry date quoted agree with
the card presented
• It is also your responsibility to get a signature and
make sure the signature on the card matches the
one from your customer
• If an order is to be collected, you must cancel the
original transaction and start a new one as a Card
Present transaction. See the ‘Card Not Present
procedures and chargebacks’ section of this guide
Using our payment gateway for accepting payments
Our e-commerce service provides quick and secure
transaction processing to authorise and settle card
payments. It allows you to accept and process card
transactions from your website 24 hours a day, 365
days a year. Your customers simply browse your
website, choose the goods or services, and enter their
card details as directed.
Hosted Payment Pages (HPPs) are simple solutions
for accepting card payments over the internet, and
they keep to the Payment Card Industry Data Security
Standard (PCI DSS). We host your payment page for
you so you don’t see any sensitive card data; keeping
you safe and secure.
If you prefer, you can control the whole process and
host your own payment pages. To do this you can
integrate with our Application Programme Interface
(API), which allows you to take full responsibility for
collecting cardholder details and communicate directly
with our gateway. (We will give you a guide on how to
do this.)
If you choose not to use a Barclays-owned submission
product, you must correctly flag every transaction
by using the correct level of APACS software. You
must maintain the level of software in line with APACS
standards. If you fail to keep to this condition, you
will be liable for any fines or penalties from the card
schemes, which may result from not keeping to
the conditions.
Accepting payments over the internet using your own software
You can use your own equipment or software to accept
payments over the internet. You are responsible for
making sure that we can approve the equipment or
software and that it keeps to the necessary
card-scheme rules.
You must make sure the PSP keeps to the Payment
Card Industry Data Security Standards (PCI DSS). The
application must be PA DSS (Payment Application Data
Security Standard) compliant where necessary, and the
business must be compliant with the PCI DSS.
Using an accredited payment service provider (PSP) to accept e-commerce payments
We can accept your internet card payments via a
recognised PSP. However, you must make sure that
the PSP meets the minimum security measures
shown in this procedure guide and that they can offer
the communication links needed. It is important to
stress that you have the responsibility for keeping
to the internet merchant procedures within this
procedure guide for us to accept internet card-payment
transactions as we will not enter into any contract with
the PSP on your behalf.
You must make sure the PSP keeps to the Payment
Card Industry Data Security Standard (PCI DSS), which
is a requirement introduced by the major card schemes
to help you reduce, as far as possible, the possibility of
suffering from a security breach. Please see the section
on ‘PCI DSS’ in this guide for more details.
If your chosen PSP offers fraud screening, we
would recommend that you use their
fraud-management service.
The services that your chosen PSP offers and the
charges that they apply are part of the agreement
between you and your chosen PSP, which is separate
from your agreement with us.
Requirements for merchants not using the Hosted Payment Page (HPP)
Security of card data
Any merchant accepting e-commerce payments,
whether using our payment gateway, an alternative,
or their own software, must have minimum security
measures before processing card transactions from
an internet site. Your payment security responsibilities
increase if you use other methods than a Hosted
Payment Page (HPP). For more information on these
requirements, please see the ‘PCI DSS’ section of
this guide.
Accepting Mail Order and Telephone Order (MOTO) payments
Maestro cards cannot be accepted for mail or telephone
orders except when the merchant and card issuers are
from the same country in the UK, Ireland or France.
Taking telephone orders
• Please keep a record of the cardholder’s name and
address in case of questions in the future
• It is your responsibility to check the card upon
collection or delivery. You should make sure that the
card number and the expiry date quoted agree with
the card presented
• It is also your responsibility to get a signature and
make sure the signature on the card matches the
one from your customer
• Never release goods to anyone else (this includes
taxi drivers or delivery firms hired by the customer).
Always make sure that goods are sent to the
person named on the card
• If an order is to be collected, you must cancel the
original Card Not Present transaction and start a
new one as a Card Present transaction. See the
‘Card Not Present procedures’ and ‘Chargebacks’
section of this guide on pages 19 and 26
• If a cardholder comes to collect the goods in
person, cancel the Card Not Present payment and
process it as a Card Present transaction
• If you key in a transaction following a telephone
order, you will not be able to guarantee that the
customer is the genuine cardholder and so you
may be at risk of a chargeback if the transaction is
confirmed as fraud
Please remember, you must still give a customer a
transaction receipt. We recommend that the cardholder
copy must display only the last four digits of the card
number. For MasterCard transactions do not quote the
expiry date.
Please remember, an authorisation does not guarantee
payment. It only confirms that there are enough funds
in the account and that the card has not been reported
as lost or stolen at the time of the transaction.
Preventing and detecting fraudulent Card Not Present transactions
If most of the transactions you are accepting are mail,
telephone or internet transactions, you must use an
appropriate e-commerce or MOTO solution. You cannot
accept e-commerce transactions using your
face-to-face chip-and-PIN processing equipment.
You need to take extra care when taking transactions
over the internet, over the phone or by mail order.
You need to consider the risks before accepting a
Card Not Present payment:
• A Card Not Present transaction means that a
cardholder and the card are not present with
you at the time of the transaction. These are not
like a normal face-to-face situation where you
can check that the card is genuine and that the
‘customer’ is not just using a stolen card number.
In these situations, the genuine cardholder may
not be aware that their card number has been
compromised, for example, a fraudster
has taken the card details from a customer’s
discarded receipt
• e-commerce transactions can be authenticated
by the cardholder to prove they are a genuine
customer, when you use internet authentication
(in other words, Verified by Visa or MasterCard or
Maestro SecureCode) – this is the same as entering
the PIN at a physical point of sale. If you cannot
prove that the cardholder is genuine, you cannot
guarantee that the card information provided
relates to the genuine cardholder
Authorisation only confirms that the issuer of the card
agrees there are enough funds to pay for the goods
and to confirm the card has not been reported lost or
stolen at the time of the transaction. An authorisation
does not guarantee payment.
Questions you need to ask yourself before accepting
the transactions:
• Are the goods high value or easily resold?
• Is the transaction out of character compared
to your usual orders or is the customer ordering
many different items and do they seem unlike your
usual customer?
• Does the address provided seem suspicious or has
the delivery address been used before with different
customer details?
• Is the customer being prompted by someone else
while on the phone?
• Is the customer trying to use more than one card in
order to split the value of the sale?
• Does the customer seem to lack knowledge of
their account? Are they providing details of
someone else’s card (for example, that of a client or
family member)?
• Does the customer seem to have a problem
remembering their home address or phone number
or do they sound as if they are referring to notes?
Tools for monitoring fraud
You should use security checks, as recommended
by the card schemes, as they can help you identify
possible fraudulent transactions. However, they
do not prevent fraud or shift the legal responsibility
for fraudulent transactions, which may result in
chargeback claims.
Fraud-screening
Using rule-based tools can help to check the validity of
transactions. A system which allows you to cross-check
the name, address, phone numbers, card details, email
address and IP address with past and daily records
could help you to reduce the risk to your business.
Constantly cross-checking this type of information will
identify any duplication of information which may show
that a fraudster is attempting to use similar details
elsewhere. For example they may quote different card
numbers but use the same name or address or may
quote entirely different details but still be seen to come
from the same IP address.
You should reject any suspicious instance of duplication
(also known as velocity checking) and check further
before accepting the order or request.
Barclaycard’s payment gateway offers extra
fraud-screening tools such as those mentioned above. There
are also a number of other providers who can offer help
with checking the authenticity of customer information.
If you would like more information on these providers,
please contact our Customer Services Department on
0844 811 6666.
Card Security Code (CSC) and Address Verification
Service (CSC/AVS)
There are services that can help reduce Card Not
Present fraud by asking for a small amount of extra
information from the cardholder:
Further advice for internet transactions
• The Card Security Code, which is a condition of
the card schemes (the last three numbers on the
signature strip on the card or the three digits in a
white box next to the signature panel). You must not
store the Card Security Code after the transaction
has been authorised
To add to existing velocity checks:
• Check for sequential card numbers
• Review orders made using cards not issued in
the UK
• R
eview orders where the IP address does not
match the delivery address (country)
• A
ddress Verification Service (AVS);
a) T
he first five numbers of the cardholder’s full
statement address
• Review orders going to and coming from the same
customer – name, address and card number
b) The numbers in the cardholder’s postcode
• R
eview or refuse all or new orders going to a
different delivery address other than the registered
card address
Internet authentication
(3-D Secure)
• Review or refuse duplicate purchases
Internet authentication (Verified by Visa, Mastercard
SecureCode) uses 3 D-Secure protocol to authenticate
card users as they need to have a password log-on.
The cardholder registers for the authentication service
with a password they choose, which guarantees
that the user is authentic. Please see the internet
authentication section of this guide for more details.
• R
eview or refuse the order if the postcode does
not match
• Refuse the order if the CSC does not match
• Refuse new orders with an invalid card expiry date
Use the ‘chargeback data’ you receive to:
MasterCard SecureCode must be supported for all
Maestro transactions.
• Highlight possible problem names, addresses and
IP addresses
• Always make sure that you respond promptly to
‘request for information letters’ as you may be able
to prevent the chargeback
• U
se internet authentication (3-D Secure) and CSC/
AVS for added security
You can find more information on our website
to help with your staff’s awareness of fraud:
www.barclaycard.co.uk/paymentacceptance
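The duplication (velocity) checks described in this section, written out as an added example that is not Barclaycard's own tooling: each new order is compared with earlier orders and every reason to hold it for review is returned. The field names, flag names and sample orders are constructed for illustration, and the card country and IP country are assumed to come from lookups done elsewhere.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    name: str
    card_number: str        # digits only; constructed test numbers, the CSC is never kept
    delivery_postcode: str
    delivery_country: str   # country code of the delivery address
    card_country: str       # assumption: supplied by an issuer lookup done elsewhere
    ip: str
    ip_country: str         # assumption: supplied by an IP geolocation lookup


def norm(text: str) -> str:
    """Ignore case and spacing, so 'ZZ2 2ZZ' and 'zz22zz' compare equal."""
    return "".join(text.split()).lower()


def account_part(card_number: str) -> int:
    """The card number without its last digit.

    The last digit is a Luhn check digit, so cards issued one after another
    differ by exactly 1 in this part rather than in the full number.
    """
    return int(card_number[:-1])


def velocity_flags(new: Order, history: list) -> list:
    """Return every reason to hold `new` for review, given earlier orders."""
    flags = set()
    for old in history:
        same_card = old.card_number == new.card_number
        same_name = norm(old.name) == norm(new.name)
        same_address = norm(old.delivery_postcode) == norm(new.delivery_postcode)

        if same_card and same_name and same_address:
            # Same name, address and card number as an earlier order.
            flags.add("repeat_order_same_customer")
        if same_address and not same_name:
            # Delivery address used before with different customer details.
            flags.add("address_seen_with_other_customer")
        if not same_card:
            # Different card numbers quoted with a name or IP address seen before.
            if same_name:
                flags.add("name_seen_with_other_card")
            if old.ip == new.ip:
                flags.add("ip_seen_with_other_card")
            if (len(old.card_number) == len(new.card_number)
                    and abs(account_part(old.card_number)
                            - account_part(new.card_number)) == 1):
                flags.add("sequential_card_number")

    # Checks on the order itself, from the advice for internet transactions.
    if new.card_country != "GB":
        flags.add("card_not_issued_in_uk")
    if new.ip_country != new.delivery_country:
        flags.add("ip_country_differs_from_delivery")
    return sorted(flags)


# Constructed sample history: published test card numbers, documentation IP ranges.
HISTORY = [
    Order("A100", "Alice Example", "4111111111111111", "ZZ1 1ZZ",
          "GB", "GB", "192.0.2.10", "GB"),
    Order("A101", "Bob Sample", "5555555555554444", "ZZ2 2ZZ",
          "GB", "GB", "198.51.100.7", "GB"),
]

if __name__ == "__main__":
    # Constructed incoming orders, screened one at a time against HISTORY.
    incoming = [
        Order("A102", "Carol Placeholder", "4111111111111129", "ZZ3 3ZZ",
              "GB", "GB", "192.0.2.10", "GB"),
        Order("A103", "alice example", "4012888888881881", "zz22zz",
              "GB", "US", "203.0.113.5", "FR"),
        Order("A104", "Dana Constructed", "4012888888881881", "ZZ4 4ZZ",
              "GB", "GB", "203.0.113.9", "GB"),
    ]
    for order in incoming:
        reasons = velocity_flags(order, HISTORY)
        status = "hold for review" if reasons else "no velocity flags"
        print(order.order_id, status, reasons)
```

A flagged order is a prompt to check further before accepting it, not proof of fraud, and an unflagged order still carries the chargeback risk described above.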
24
Refunds
The Distance Selling Regulations (DSRs) and e-commerce Regulations (ECRs) apply if you sell products or services to customers without face-to-face contact (for example, e-commerce and MOTO transactions) and where the customer has not had an opportunity to examine the goods before buying or discuss the service in person.
The aim of the DSRs and ECRs is to make sure there is a minimum level of consumer protection across the European Union (EU) although other EU countries may put the regulations into practice differently.
Keeping to the DSRs and ECRs is a legal requirement and the courts can take action against you if you break the DSRs and ECRs.
You should include these regulations in your e-commerce or MOTO returns policy – to find out more about the DSRs and ECRs, please visit:
http://dshub.tradingstandards.gov.uk.
If you want to perform a refund for an e-commerce or MOTO transaction, you must make sure that the refund is processed to the card used in the original sale and does not go over the original sale amount. If the card or account used in the original transaction is closed, another card or account can be used. If the customer has no other card, you should credit the refund to the customer’s bank account in line with your own procedure.
You cannot make refunds to the cardholder’s account to credit winnings from gaming.

Other services
Dynamic currency conversion for e-commerce transactions
If your business takes payments from cards issued outside of the UK, your processing equipment may be configured for DCC. DCC offers Visa and MasterCard international cardholders the choice and convenience of paying for goods and services using their home currency.
Your international customers benefit from a clear and competitive exchange rate for credit and debit-card purchases made abroad with this service. Once the cardholder uses their card abroad they will be presented with the option to pay using the currency of the card or the local currency. The transaction will stay in that currency throughout the entire transaction and settlement process. As such, both you and your customer know the exact amount of the purchase at the time you make the sale.
Each time you submit an authorisation request to us or our authorised representative, you will use the correct conversion rate that applies on such date. If you are entitled to submit to us or our authorised representative more than one authorisation request for the same transaction, you will use the correct conversion rate that applies on the date that you submit the final authorisation request to us or our authorised representative, regardless of any other conversion rate(s) previously applied by you and communicated to your customer in respect of the same transaction. You will be solely responsible for any indicative conversion rate(s) that you may have provided to your customers.
25
Chargebacks and retrieval requests
A chargeback usually takes place when a cardholder disputes a transaction shown on their statement or you process a transaction outside the terms of your merchant agreement. Chargebacks result when a transaction is treated as invalid – for example, if a cardholder questions a transaction shown on their statement and the card issuer, after investigation, agrees to refund the amount. Chargebacks also happen for technical issues such as duplications and no authorisation.
If you take a Card Present transaction and your processing equipment is not chip-and-PIN-enabled, you will be legally responsible for any fraudulent transactions and these will be charged back to you.
All Barclaycard contactless processing equipment is chip-and-PIN-enabled.
You may also receive a chargeback if you have not followed any of the terms of the agreement between you and us, including any of the instructions in this procedure guide.
The most common reasons for chargebacks are:
• The cardholder does not recognise the transaction (for example, they claim their card details have been used fraudulently)
• The transaction has been processed outside of your merchant agreement (for example, you did not get authorisation when needed)
• A fraudulent mail, telephone or e-commerce transaction (please see the ‘Preventing and detecting fraudulent card-not-present transactions’ section of this guide on page 23 for more information and guidance on how to avoid these types of chargebacks)
• You did not respond in time to a request for a copy of a transaction (retrieval request)
• The card was not valid when the transaction was made, in other words, the transaction was made before the ‘valid from’ date or after the ‘expiry date’
• The amount of the sale is more than your floor limit and you did not ask for authorisation, for whatever reason
• The signature on the processing equipment receipt or sales voucher does not match the signature shown on the card itself
• A transaction was taken on a card that should only be used in an automated teller machine (cash machine)
• You accepted a card that should have been verified by the PIN after the chip was inserted but you do not have processing equipment that can carry out these checks
• Two or more card transactions have been completed for one sale over the floor limit (split sale) and you did not get authorisation
• The goods or services provided were faulty, not as described, or not received
• A transaction was processed on behalf of someone else who could not process the transaction themselves. This is called laundering and breaks your merchant agreement

We have a dedicated Chargeback Education Team who can give you advice on the steps you can take to reduce the risk of transactions being charged back. If you want to receive free advice, please contact our dedicated team on 0844 755 0094 or email: [email protected] barclaycard.co.uk

What is a retrieval request?
A retrieval request or request for information (RFI) is when a cardholder asks for a copy of the transaction details. This is usually because they do not recognise a transaction on their statement or need more details for their records (for example, an expenses claim or tax return).
Another reason cardholders ask for a copy of the transaction receipt is because the description shown on their statement does not match the name of your company. So, if you seem to be getting a lot of retrievals, check what is being shown on the cardholder statements. You can change the description by contacting our Customer Services Department on 0844 811 6666.
It is a requirement of Visa and MasterCard that if you are mainly carrying out mail or telephone orders, you should include a contact number rather than location within the description. For instance, ‘The E Shop, London’, should be shown as ‘The E Shop, 01207 123 4568’. This encourages people simply to call you to identify their transaction, rather than disputing this with their card issuer. Likewise, if you are carrying out e-commerce transactions, you must display your internet website address or email address on cardholders’ statements so that customers can contact you.
As you are simply providing information, there is no loss to your business. However, if you don’t supply a clear and legible copy of the transaction within the time requested (usually 14 days), the card issuer may charge the transaction back to us. We will then pass the cost on to you in the form of a chargeback.
If a transaction is charged back, it will become a loss to your business.
26
To help reduce the risk of chargebacks
Chargebacks can cause you hassle and cost your business time and money. Following the correct procedures in this guide will help you avoid chargebacks, so you can gain the full sales benefits of accepting payments by card.
• Use chip-and-PIN-enabled processing equipment to help protect your business against fraud. Using chip and PIN helps to check that a card is genuine and that the person using it is the true owner. The chip makes it difficult to counterfeit or copy the card, while the PIN makes it harder for a criminal to use a lost or stolen card. And because, instead of signing, the customer authorises the transaction by keying in a 4-digit PIN only they know, the risk from forgery is reduced. For contactless transactions, as long as you process transactions in line with card-scheme regulations and follow the procedures laid out in this guide, we will offer you the same level of protection
• Make sure that all transactions are correctly processed according to the type of card
• Make sure you only accept cards which you have an agreement to process, as some cards perform several functions
• Do not accept mail, telephone or e-commerce transactions unless you are aware of the possible risks surrounding this type of transaction. If you see an increase in this type of transaction, please let us know so that we can make sure you have the correct agreement in place
• Follow your instincts – if something about a card or the person using it or the transaction itself does not seem genuine, make a code-10 call to our authorisation department. Please remember that authorisation is not a guarantee of payment and code-10 calls are only for Card Present transactions
• Keep copies of all transaction records. To settle any dispute, you may be asked to provide evidence of a transaction. If you fail to do this, we may make a chargeback to your business. You must keep all receipts for at least six months, and keep copies of transactions for another seven months
• Remember to display a limited returns policy on your receipts and at the point of sale, to avoid disputes which could lead to a chargeback

Responding to retrieval requests and chargeback letters
• Please make sure we receive a reply by the date quoted, by fax, by post, or whatever other method we have explicitly agreed with you, as not responding within these timescales will usually result in a chargeback
• Please remember to send all relevant documents that support the transaction, in other words, Terms and Conditions and details of authorisation codes, dates and times, where appropriate
• Remember, transaction copies and all details provided need to be clear, because chargebacks can also take place when transaction copies cannot be read clearly
Please ask for details of our Faxlink service, which provides a quick and simple way of dealing with retrieval and chargeback letters via a fax machine (see Faxlink service section below).
• If you are already registered and using the Faxlink service, we provide templates you can use. To ask for a copy of the template relevant to your business, please contact 0844 755 0094

Faxlink service
This service lets you send and receive all chargeback and retrieval information by fax, avoiding postal delays and speeding up the process. There are no extra charges for using this service.
27
Timescales for chargebacks
We will give you notice of the chargebacks either by
letter, or by fax if you have signed up to our Faxlink
service or by whatever other method we have explicitly
agreed with you. For disputes where it is likely that you
will have extra information that may allow us to defend
the dispute, you will have 14 days after receiving the
notice to supply the information. For disputes where
it is unlikely you will be able to defend the dispute,
for example, if you did not get authorisation, we may
take the amount from your account at this time. If you
disagree with the dispute, it is important that you give
us your reasons in writing within 14 days. If you fail to
respond within the 14 days, or your reply is unclear or
we cannot read it, we may not be able to defend you
from the chargeback.
Most disputes are raised because the genuine
cardholder disputes the transaction on their statement.
As cardholders are only sent card statements once a
month, it can be up to one month before a cardholder
will receive their statement and so dispute the
transaction with their card issuer (for example, MBNA,
Capital One, NatWest, Barclaycard and so on).
In cases where the cardholder claims neither to
have carried out or authorised a transaction, the
card issuer will ask the cardholder to complete and
sign a ‘disclaimer’. This is a legal document where
the cardholder declares they did not carry out the
transaction. The cardholder can also dispute the
transaction by email.
Our Chargeback Portfolio Managers can provide
tailored advice as to when you should be replying and
with what. They can also provide general advice on all
matters relating to chargebacks. For advice for your
own business, please call us on 0844 755 0094 (9am
to 5pm, Monday to Friday. We are closed on bank
holidays). Or email us at chargebackteamportfolio.
[email protected] and we will get back
to you within 48 hours. Please provide your contact
details and Barclaycard merchant number (you can find
these on your statement).
The card issuer does not tell us about the dispute until
they have received all the documents they need from
the cardholder. The card schemes have strict time
limits in which card issuers must let us know about
any dispute along with rules for what documents must
be provided. We will automatically protect you from a
dispute if the correct documents are not supplied by
the card issuing company or if the correct time limits are
not kept to.
As soon as we receive notice of the disputed
transaction, we will let you know. The maximum time
allowed is 120 days from the processing date of the
transaction to dispute the transaction. For transactions
relating to delayed travel (for example, holidays), we
work out the time limit from the date of travel and not
the date of the transaction.
28
Payment security
As a member of the card schemes we need you to keep to the Payment Card Industry Data Security Standard (PCI DSS). This section sets out the responsibilities you must keep to.

What is PCI DSS?
This is an auditable set of controls designed to make sure that certain card information is stored securely by your company and anyone else who stores, transmits or processes the payment cardholder information on your behalf.

What information must be securely stored?
Any information that is necessary to process card transactions correctly, including any information which is recorded electronically or otherwise on any payment card and includes the following:
• Any information that is used to authenticate a card payment, including the card number, expiry date, issue number, passwords, pass phrases and any other unique information supplied as part of the card payment
• Any information that could identify individual cardholders and their purchases. This includes name, address, description of the purchase, amount and other details of the card payment
We will call this cardholder data in the rest of this section.

What information must not be stored at any time?
You must not store:
• The contents of the magnetic stripe, also known as Track 2 Data
• The card verification value or CVV contained in the magnetic stripe
• The card verification value contained in the magnetic stripe image in a chip known as the iCVV
• The card security code, also known as CVV2, printed on the back of the card in or next to the signature panel
• The PIN verification value or PVV, which is contained in the magnetic stripe
29
What you must do to keep to PCI DSS
In keeping to the requirements set out above, you must meet the standard shown by the PCI Security Standards Council (PCI SSC) and set by the card schemes. The current standards that you must keep to in meeting the above requirements are set out in ‘The Payment Card Industry (PCI) Data Security Standard’ (DSS).
This is available for download from the PCI Security Standards Council website at:
www.pcisecuritystandards.org
For more information and useful tools to help you keep to the standard, please see our PCI DSS website at:
www.barclaycard.co.uk/pcidss

PCI DSS sets out a number of requirements which you must keep to in order to make sure that cardholder data is securely stored. You must:
1. Install and maintain a firewall to protect cardholder data.
2. Not use vendor-supplied defaults for passwords or other security measures.
3. Protect stored cardholder data.
4. Encrypt the transmissions of cardholder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data to only those who need to know.
8. Give each person with computer access their own ID.
9. Restrict people’s access to network resources and cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that deals with information security.
30
Demonstrating that you are keeping to the PCI DSS
We need you to show that you are keeping to PCI DSS. How you do this will depend on the type and volume of
card transactions that we process on your behalf. The responsibilities you must keep to depend on your merchant
level which we will decide on using our records.
If your business is not keeping to the PCI DSS, you may be legally responsible for paying charges and penalties.
Plus, you may have to pay other card-scheme penalties and costs.
You will need to get validation that you are keeping to PCI DSS every year and you may need to pass vulnerability
scans every three months to keep to the standards. The action you need to take will depend on your merchant
level as follows.
Level 1
Definition: If you process over 6 million Visa or MasterCard transactions a year (see note 1 below)
Actions needed to keep to the standards:
• The way you report that you are keeping to PCI DSS will be managed by the Barclaycard Payment Security team
• Yearly on-site security assessment by PCI SSC-accredited qualified security assessor
• A network scan every three months (if in e-commerce)
• Yearly penetration testing
• Security policies put into practice

Level 2
Definition: If you process 1 to 6 million Visa or MasterCard transactions a year
Actions needed to keep to the standards:
• The way you report that you are keeping to PCI DSS will be managed by the Barclaycard Payment Security team
• Yearly self assessment questionnaire by a PCI SSC-accredited internal security assessor or a yearly on-site security assessment by PCI SSC-accredited qualified security assessor (see note 2 below)
• A network scan every three months (if in e-commerce)
• Yearly penetration testing
• Security policies put into practice

Level 3
Definition: If you process 20,000 to 1 million VISA or MasterCard e-commerce transactions a year

Level 4
Definition: If you only process e-commerce and process fewer than 20,000 VISA or MasterCard transactions a year
Definition: If you do not process e-commerce transactions and process up to 1 million VISA or MasterCard transactions a year

Actions needed to keep to the standards (levels 3 and 4):
• The way you report that you are keeping to PCI DSS will be managed by Barclaycard’s Data Security Manager (DSM) service
• We will send details of the DSM to new customers no earlier than four months from setting up the account, including details of a possible monthly charge for the DSM service
• Complete the online profile and follow-up steps to complete your self-assessment and compliance validation each year. Or, in the DSM profile, upload a self-assessment questionnaire (SAQ) and confirmation that has been validated by a qualified security assessor (QSA) each year
• If, as part of your validation, you have to run vulnerability scans every three months, they must be carried out by an approved scan vendor (ASV). This can be done using the Barclaycard DSM service. Or if you prefer, you can use an ASV listed with the PCI security standards organisation (see below for details). If you use another ASV, every three months you must upload to the portal the technical report demonstrating a pass status

Notes
1. If you operate in more than one country or region and meet level-one criteria in any Visa country or region, we will consider that you are a global level-one merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not collected across borders. In these cases, we will validate you according to regional levels.
2. If you are a level-two merchant choosing to complete a yearly self-assessment questionnaire (SAQ), you must make sure that all staff involved in the self-assessment go on a PCI Security Standards Council (PCI SSC) merchant training programme and pass any associated accreditation programme each year to continue the option of self-assessment.
31
Further action you may need to take
From time to time we may audit your type and volume of card transactions. As a result of the audit, or if we are instructed to do so by a card scheme, we will let you know which merchant level you are for the purposes of PCI DSS and you agree that you will keep to the responsibilities of that level of merchant as described in the table.
As a result of considering any report that you must send to prove you are keeping to the PCI DSS (as set out above), we may:
• Tell you that you are a different merchant level (for example, a level-one merchant rather than a level-two merchant) and you agree that you will keep to the responsibilities of that merchant level
• Tell you to take extra security measures to make sure you keep to PCI DSS within an agreed period of time
We are not unique in making sure our merchants keep to the PCI DSS. All card acquirers have the same responsibility to the card schemes (for example, Visa and MasterCard)

Data compromises
If any unauthorised person has access to any cardholder data, or cardholder data is lost, stolen or revealed (we call this a data compromise), or you suspect that either has happened, you must tell us as soon as reasonably possible.

Card-scheme-approved qualified security assessor
The specialist organisations which are qualified to carry out on-site audits to check you are keeping to PCI DSS are those the card schemes will tell you about from time to time. You can find details of the current card-scheme-approved specialist organisations at:
www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

Approved scan vendors
The specialist organisations which are qualified to carry out network vulnerability scans are those the card schemes will tell you about from time to time. You can find details of the current card-scheme-approved specialist organisations at:
www.pcisecuritystandards.org/pdfs/asv_report.html
32
Other organisations that store, transmit or process your cardholder data
The PCI DSS standards apply to all merchants and the linked organisations that store, process or transmit cardholder data. The standard applies equally to manual processing and storing cardholder information (for example, processing equipment and imprinters) as well as to electronic methods of storage (for example, EPOS, PC).
Keeping to the standards applies to your whole set-up. You can only be treated as keeping to the standards if any organisations you use also keep to the standards. You must check this every year:
• Any organisations you use that store, process or transmit payment cardholder data on your behalf must also be registered on the Visa website at:
http://www.visamerchantagentslist.com
These organisations include, but are not limited to:
• Till vendors
• Resellers
• EPOS vendors
• Software application providers
• Payment service providers
• Payment processing bureaus
• Data storage providers
• Web-hosting providers
• Shopping-cart providers
• Software vendors
You must tell us about any organisation you use that stores, processes or transmits cardholder data.

The results of a data compromise
If we are told that you have suffered any data compromise or suspected data compromise (whether you tell us or any card scheme), you will have to tell an industry approved forensics investigator (QFI) to carry out a forensic investigation at your company about the data compromise. The QFI will review the whole end-to-end process of handling cardholder data and will give you a report on their findings, and set out recommendations for action for you to take as a result.
If you suffer a data compromise, you will have to pay the costs of the QFI as a result of any data compromise.
If you suffer a data compromise, we may tell you that we have reclassified you as a level-one merchant and that you must keep to the obligations of that merchant level.
You can find a list of QFIs at:
http://www.visaeurope.com/receiving-payments/security/downloads-and-resources
If customer data which you or someone else has handled is proven to have been compromised, stolen, used fraudulently and so on and your business is not keeping to PCI DSS, you may have to pay fines to the card scheme and cover losses to the card issuer. The card schemes may decide to fine you as well for not keeping to the standards and not storing sensitive authentication data.

If you fail to keep to PCI DSS
If you fail to keep to PCI DSS or any of the responsibilities as set out in the operating instructions and procedure guide, you will be breaking your agreement with us and:
• We have the right to recover any penalties, fees or fines imposed by any card scheme in line with our agreement with you (of which these operating instructions and procedures guide forms part)
• We will consider this to be significantly breaking your agreement and we may use any rights we have available to us in line with our agreement with you
• We may suspend your acquiring facilities until you can prove to our reasonable satisfaction that you are keeping to PCI DSS
33
Protecting cardholder information
As well as keeping to PCI DSS, you must keep to the following requirements to protect cardholder data.
If we need to send a retrieval request, we will give you the cardholder’s name wherever possible. However, the card issuer does not have to give us this information so we may be unable to tell you. As a result, you should store the transactions by transaction date and not by cardholder number or name.
It is important that you keep all copy vouchers and till rolls in a secure place, to prevent any fraudulent use of the information and in line with PCI DSS requirements. If you need to clarify your PCI DSS requirements, please contact Customer Services on 0844 811 0089.
For a supply of our prepaid envelopes, call our Customer Services Department on 0844 811 6666.

Storing your records
You must keep your original copies of transactions in an accessible place for at least six months. We also advise you to keep copies of transactions for another seven months from that date, although this can be on microfilm or similar media.
If you are using thermal paper to process transactions, you need to take extra care when storing transaction copies to make sure they do not fade:
• Do not store them in direct sunlight. Wrap transaction copies in paper or store them in brown envelopes
• Do not store them close to heaters
• Store them in a cool, dark and dry environment
• Maintain an even temperature and humidity. (Ideally, a temperature of 20 to 23 degrees and a relative humidity of 45 to 55%). Do not store in PVC wallets
34
Understanding your statement
Your monthly statement is a VAT invoice and a statement.
If you are a single outlet, or you have asked that we send separate statements to each outlet, you will receive:
• A merchant invoice and statement
• Transaction payment advice
If you have asked for statements to be sent to your head office, your head office will receive:
• A merchant invoice and statement
• Transaction payment advice
• Advice on details of the service charge
Your outlets will usually receive nothing.

What will the statement look like?
Each page number and the total number of pages are shown in the top right-hand corner. There are three main headings:
• Transactions and other charges if these apply
• Statement of account (including any adjustments)
• Total amount due

Transaction payment advice
This provides itemised details of payments made to you with the dates we processed the transactions and the payment reference.

Periodic settlement
If you have chosen to be paid periodically (for example, weekly or twice weekly), please remember that the figure for the total payments for this period may not agree with the transaction charges on page 1 of your statement, as they cover different accounting periods. Payment for any dates not showing will appear on your next statement.

Advice on the details of the service charge
This shows a breakdown of the invoice for each outlet and includes a customer reference. Processing equipment rental charges are shown, giving the number of processing equipment at outlet and the total charge. We only send this page to chain head offices.

If you have a question about a merchant invoice and statement you have received
Contact our Customer Services Department on: 0844 811 6666 quoting your outlet or chain head office number. Remember to check that all transactions have been processed and that they show on both your merchant and bank statements.
You must check your monthly service charge statement against your bank statement regularly to see that they match. If you do not do this, you may be legally responsible for any chargebacks for presenting transactions late.
[Figure: sample MERCHANT INVOICE/STATEMENT. Callouts on the sample: summary of your credit/debit card transaction details listed for all outlets; summary of your account; summary of your E-Top Up commission earned; your E-Top Up commission inclusive of VAT.]
Exceptional procedures
Can I pass charges to my customer?
Under the terms of the Credit Cards (Price Discrimination) Order 1990, you are entitled to apply a surcharge to any transaction made by credit card. However, if you decide to do so, you run the risk of being uncompetitive and upsetting your customers who will then be paying higher prices than those who pay with a debit card or by cheque or cash.
If you do apply a surcharge, there are several procedures you must follow and a number of restrictions you must keep to.
1. Under the terms of the Price Indications (Method of Payment) Regulations 1991, you must display the credit card surcharge at the entrance of your premises, and at the point of sale. If you sell fuel, the regulations are in the Price Marking (Petrol) (Amendment) Order 1991.
2. If you operate a mail, telephone or internet order service, you must make sure you tell your customers about surcharges before they place the order. You must also make sure that your catalogues, advertisements and the order form carry exact details of your plan to surcharge those customers who want to pay by credit card.
Under Visa regulations, you cannot add these surcharges to transactions involving Visa Debit or Visa Electron cards. However, UK law allows surcharges on all cards. Scheme rules allow you to add surcharges to transactions involving MasterCard and Maestro cards, but you will have to display a sign to warn customers that you are doing this.
3. The amount of the surcharge, which you may add to your normal cash price, must not be more than the amount of the merchant service charge that you will pay us.
It is your responsibility to make sure that these surcharges are only used if allowed by law, even when the cardholder is not present.
If you would like copies of the Credit Cards (Price Discrimination) Order 1990, the Price Indications (Method of Payment) Regulations 1991 and the Price Marking (Petrol) (Amendment) Order 1991, please contact your local Trading Standards Office for more information.
Minimum charging
You must not set any minimum limit on credit and debit card transactions. You must treat purchases by card in exactly the same way as cash purchases except if you apply a surcharge.
Internet authentication
Authenticating cardholders successfully
Internet authentication is an e-commerce protocol which allows you to process secure e-commerce transactions by authenticating the cardholder’s identity using a password authentication at the time of purchase.
We offer the following card-scheme authentication services and cover them in this procedure guide:
• Verified by Visa (for Visa transactions)
• SecureCode™ (for MasterCard and Maestro transactions)
By using authentication services you may be protected against chargebacks on successfully verified transactions. There are different rules for different card schemes, types of card and region. Partial or attempted authentication transactions may not be protected in the same way.
You must make sure that you are familiar with how authentication works before using any of the internet authentication services.
How do I use the internet authentication service?
You must:
• Have a valid internet merchant relationship with us to take full advantage of the service
• Be registered with us to use cardholder authentication services
• Have the authentication software included in your chosen payment solution. Unless you specifically ask for an alternative, we will assume you want to use authentication for all card schemes which support internet authentication
The following options are available to you.
1. Use our payment gateway, which is already set up to present 3-D Secure to cardholders.
2. Use our payment gateway and add 3-D Secure yourself.
3. Find or develop your own 3-D Secure software solution, which must meet the 3-D Secure specification of at least protocol level 1.0.2.
Our 3-D Secure solutions fully meet procedure level 1.0.2.
If you have chosen to get your software from another source, the source will need to have been approved by all card schemes we support which take part in the scheme.
Types of authentication
The card schemes use three types of authentication. These help to identify which level of authentication was used, and how far you will be liable.
Full authentication
This happens when we, the card issuer, cardholder and merchant all correctly process an authentication transaction. The cardholder will successfully authenticate themselves (through a browser pop-up or in-line window) with their card issuer. This is often known as ‘Full authentication’ for Visa and ‘Full UCAF’ for MasterCard.
The card issuer will provide an IAV (issuer authentication value) to show that authentication took place. This value is passed in the authorisation process as proof of authentication.
Attempted authentication
This happens when the cardholder is not registered for authentication, but you are providing an authentication request. In this instance, the issuer may still provide an IAV (sometimes referred to as an attempt) to show that you successfully tried to authenticate the cardholder.
The card schemes differ with how they deal with attempted authenticated transactions.
For Visa
The definition of an attempted authentication for Visa cards is when both the merchant (you) and the acquirer (us) support authentication and can confirm that everything has been integrated correctly. The attempt to authenticate must be successful. The card issuer must return a response confirming the attempt. If the card issuer cannot confirm the attempt (for example, the system went down) you cannot claim attempted authentication.
A successful attempt for Visa includes:
• Confirmation from the BIN Cache or MasterCard or Maestro directory that the issuer is not taking part in the scheme
• Confirmation that the cardholder is not participating or has not yet enrolled
• A 3-D Secure response of ‘A’ in the PARes
Visa card issuers must send an IAV for successfully authenticated transactions and may decide to send an IAV for a successfully attempted authentication.
For MasterCard and Maestro
The definition of an attempted authentication for MasterCard and Maestro cards is when both the merchant (you) and the acquirer (us) support authentication and can confirm that everything has been done correctly. The attempt to authenticate must be successful. The card issuer must return a response confirming the attempt. The term for this is ‘Merchant UCAF’ which simply means that you are taking part in the SecureCode™ scheme.
You can claim attempted authentication on a MasterCard or Maestro SecureCode™ transaction when you make any attempt to authenticate the cardholder. Ideally, you should receive a 3-D Secure message response from the card issuer confirming the attempt. However, if not, you can still claim you should not be liable as you have correctly used your chosen 3-D Secure solution and successfully sent the authentication request. This might happen when:
• You receive confirmation from the BIN Cache or MasterCard or Maestro directory that the Issuer is not taking part in the scheme
• You receive confirmation that the cardholder is not taking part or has not yet enrolled in the scheme
• The cardholder pop-up or in-line window does not appear due to a mistake by the issuer or cardholder
• The issuer service is not responding to your authentication request
• Authentication fails, but the transaction is authorised by the card issuer
MasterCard and Maestro issuers do not currently send an IAV for a successfully attempted authentication.
Whether you gain ‘Full UCAF’ or ‘Merchant UCAF’ depends on the MasterCard or Maestro equivalent of the ECI. This must be passed in your payment solution to make sure you are not liable for the transaction.
You cannot claim attempted authentication on a SecureCode™ transaction for Maestro cards issued outside the UK.
Passive authentication
An issuer may present a 3-D Secure window but decide to not prompt the cardholder to authenticate the transaction. The cardholder will go back to the merchant site without authenticating the transaction. Passive authentication provides full 3-D Secure benefits when completed.
The main benefit of authentication – transferring liability
In the past, e-commerce transactions have carried a higher risk than standard high-street transactions. This is because neither the cardholder nor the card can be positively identified at the time of the purchase. If a card was used fraudulently or the cardholder disputed the transaction, the card issuer would charge the transaction back to us.
If we receive a chargeback for a transaction you have processed, we will ask for evidence to support the transaction. In most cases evidence can be provided that the card was used, but not that the genuine cardholder was using the card. In this situation, the card issuer would charge the transaction back to you (a chargeback), resulting in you losing the goods or services plus the cost of the transaction.
With cardholder authentication you can prove that the cardholder used their card at the time of the transaction.
Cardholder authentication helps prevent chargebacks where cards are used fraudulently, or where the cardholder denies using the card. The liability shifts from you, back to the card issuer.
Reducing as far as possible the risk of fraud is essential and you should use internet authentication along with, and not instead of, any other fraud checks that you should have in place. It is important that you maintain your existing fraud checks. If you do not carry out your existing fraud checks, it could result in you receiving chargebacks.
Displaying the Verified by Visa and SecureCode™ logos
Both card schemes need the logos to be displayed on e-commerce payment pages as evidence that they take part in the service. If the logos are not automatically added to your payment page, you should add them yourself. This will give your customers the assurance that you are taking part in the scheme and have been fully registered to take part. If at any stage you ask not to use the authentication service, you should remove both logos from your payment page if they are not automatically removed. The logos will be made available to you when you apply for 3-D Secure.
Using our 3-D Secure solution
Your responsibilities
We control the authentication process within the HPP and will make sure you have as little disruption as possible to your current transaction processing.
You must:
• Correctly integrate the HPP in line with instructions given to you when signing up
• Read and understand how the HPP handles authenticated transactions – this information is provided in the integration guide
• Set up any 3-D Secure fraud-detection settings in your back-office
Levels of protection
Cardholder authentication protects you against specific types of chargeback. Depending on where the card is issued, and the type of authentication gained (see above) who is liable will be different. However, for you to transfer liability, you must strictly keep to the 3-D Secure protocol.
Card scheme: Visa
Types of card it applies to:
• Visa Credit
• Visa Debit
• Visa Electron
• Visa Commercial
Level of cover:
• Full worldwide cover (Visa Intra and Inter Regional) for fully authenticated transactions
• Full worldwide cover (Visa Intra and Inter Regional) for successfully attempted authentication.
Card scheme: MasterCard
Types of card it applies to:
• MasterCard Credit (including commercial cards)
Level of cover:
• Worldwide cover for both full and successfully attempted authentication
Card scheme: Maestro
Level of cover:
• Worldwide cover for full authentication
• Successfully attempted authentication for UK domestic transactions where both the card issuer and the merchant are based in the UK
Visa commercial cards issued in the USA are not protected.
Our responsibilities
Your responsibilities
We will:
You must:
• Register you with each card scheme we support
• Sign up for authentication, providing details of your chosen payment solution, and must say that you only want to be registered for the service
• Provide you with the relevant integration guides
• Control the processing of authentication transactions
• Make sure we have approved your chosen payment solution (if not a Barclaycard e-commerce solution) to process internet authentication transactions
• Keep to relevant card-scheme policies
• Process transactions according to your 3-D Secure fraud-detection settings
• Correctly build and put into practice your authentication and payment solution in line with the latest 3-D Secure procedure and APACS standards
• Maintain a full audit trail and provide transaction evidence to the card issuer if there is a chargeback where we believe authentication was correctly carried out and your responsibility should be transferred to the card issuer (this does not include a request for information (RFI))
• Get full approval from us to use the APACS standards at the necessary level
• Make sure that the authentication responses returned by your authentication solution are correctly passed to your payment solution to be provided in the authorisation message
• Make sure the correct authentication values are attached to both the authorisation and clearing message where appropriate
• Make sure that the IAV (CAVV for Visa, AAV for SecureCode™) is correctly passed in the authorisation message
• Maintain authentication transaction records on your behalf and use these to provide evidence that the transaction was authenticated if there is a chargeback. It will be our responsibility to make sure that the correct IAV (CAVV, AAV) ECI, and XID (for Visa) value is attached to both the authorisation and settlement transaction
• Make sure any other data is passed in the authorisation message
• Make sure any extra data is passed in the clearing message
• Manage the process around the cardholder pop-up or in-line window (in other words, size, time outs)
Message values
Cardholder authentication generates new message
values to show the level of security used, plus the
result of the authentication. We will make sure the HPP
processes all new message values correctly. There
may be times where authentication is not possible (for
example, the in-line window does not appear). You
must decide if you want to continue processing the
transaction. You can set this on the HPP. You can find
full instructions in the HPP integration guide.
• Manage the process if an error happens on the pop-up or in-line window (if the cardholder cancels)
• Secure the authentication merchant information used to register you with the card schemes at all times
• Make sure the BIN cache for each scheme (if being used) is updated at least every 24 hours
If a cardholder cannot authenticate themselves, you
must refuse the Visa transaction. If this does happen,
depending on the issuer, Barclaycard SmartPay will
refuse the transaction.
• Maintain full audit records of authentication transactions (including BIN cache updates)
• Give us evidence of authentication (in other words, your 3-D Secure logs) if we need this to defend a chargeback. This information must be returned to us within 14 days of our original request
MasterCard and Maestro transactions are allowed
to continue.
Direct to card schemes
If you have chosen to find or build your own
authentication solution that communicates directly
with the card schemes taking part in the scheme, you
are responsible for the whole authentication process
and must make sure you keep to the integration and
implementation requirements.
If you are using another product to carry out internet
authentication, you must make sure it can support the
requirements shown in this section.
Our responsibilities
We will:
• Register you with each card scheme taking part in the scheme which we support and you have signed up to
• Provide you with the appropriate authentication merchant information as registered with the card schemes
• Accept authorisation and clearing messages from your chosen payment solution containing authentication data
• Provide transaction evidence to the card issuer if there is a chargeback where we believe authentication was correctly carried out and you can transfer liability based on information we have received from you
• Provide scheme or procedure updates to you when this applies
Transaction records
You must keep and store full authentication records to provide evidence in case an authenticated transaction is
charged back.
The table below shows what evidence will be needed if there is a disputed transaction.
Full authentication (Visa)
• ECI value = 5
• CAVV, supplied in readable format
• PAReq/PARes
• XID
Full UCAF (MasterCard and Maestro)
• ECI value = 2
• AAV, supplied in readable format
• PAReq/PARes
Attempted authentication (Visa)
• ECI value = 6
• Attempts CAVV, supplied in readable format
• VEReq/VERes OR PAReq/PARes
• XID
Merchant UCAF (MasterCard and Maestro)
• ECI value = 1
• AAV (if supplied)
• VEReq/VERes OR PAReq/PARes
If your solution supports BIN cache, you must also supply CRReq/CRRes.
We may ask you to provide transaction information to support a card issuer retrieval request. If you do not
provide the information we ask for, you may be at risk of being liable for the transaction.
Card issuer pop up or in-line window
It is your responsibility to present the browser pop-up or in-line window to the cardholder. The card issuer will create the content and will carry out the authentication. You must control the size and conditions relating to time-out and dealing with mistakes associated with the window.
It is strongly recommended that you use an in-line window to prevent problems commonly associated with pop ups being suppressed (also referred to as pop-up killers) and avoid situations where customers accidentally close the pop-up window. Whether you use pop-up or in-line, it is your responsibility to present the browser pop-up or in-line window to the cardholder. Your authentication software supplier should provide the recommended size of the pop-up or in-line window.
It is recommended that the time out for the pop-up or in-line window is set to a reasonable time to allow cardholders enough time to authenticate themselves. It is your responsibility to set this in line with your website and risk policy. You must make sure you display an adequate error message to the cardholder if you enforce your time-out.
There may be times where the cardholder closes, cancels or cannot view the pop-up or in-line window. You must make sure your website can handle the error responses associated with this and must display clear error messages to the cardholders. You should use a balance of informative and non-specific information so you do not encourage potential fraud.
Your authentication merchant information
We will give you specific data to take part in the service, and will register this with each scheme. This will allow you to process authentication transactions through each scheme.
You will need to code these details into your authentication solution and pass them on each authentication request. You must make sure that you correctly include the information we provide, which may be different for each scheme. If you fail to pass the correct details, it could result in a failure of authentication request.
Once included, you should not change this information unless we tell you to. If you lose this information or feel it has been compromised in any way, you should contact us immediately. We will issue you with new details and re-register you with the relevant card schemes. This process may take up to 10 working days.
We will not give this information to any other payment provider acting on your behalf. We will only give it to you.
Message values
Cardholder authentication generates new message values to show the level of security being used, plus the result
of the authentication. You must make sure that you fully understand the responses sent to your authentication
solution by the card schemes and pass this to your payment solution in the authorisation and clearing messages.
The key value is the issuer authentication value (IAV). For Visa this will be the CAVV and for MasterCard this
will be the AAV. The IAV will always be provided by the card issuer and you should not alter it. Your payment
solution will also need to make sure you attach the correct e-commerce indicator (ECI) to the authorisation
and clearing message.
The table below provides a definition of the ECI values used by each card scheme.
Visa
• ECI 5: Authentication is successful.
• ECI 6: Authentication is attempted but cardholder was not registered.
• ECI 7: Authentication is not successful or not attempted (standard e-commerce transaction).
MasterCard and Maestro
• ECI 2: Authentication is successful. Full UCAF.
• ECI 1: Authentication is attempted but cardholder was not registered. Merchant UCAF.
• ECI 0: Authentication is not successful or not attempted (standard e-commerce transaction).
Your authentication software integration guide will provide details on how you should correctly map authentication
values into your chosen payment solution.
You must make sure your payment solution supports the necessary level of APACS to communicate with our
acquiring system. You can get this information by contacting us.
BIN cache
The BIN cache is a store of BIN ranges that can be held locally on your server. If you want to use the BIN cache, you must contact each scheme directory using the appropriate 3-D Secure requests (CRReq/CRRes) to download the latest version at least every 24 hours. You can check the BIN cache before contacting the relevant scheme directory to check whether a cardholder is taking part in the scheme. This could reduce the number of messages you need to generate.
Keeping to the card scheme
It is important that you understand any responsibilities you may have when taking part in cardholder authentication. This will vary according to which payment product you use.
If authentication fails
Usually, if a cardholder is registered for authentication, they will be familiar with the process to correctly
authenticate themselves. However, there may be times where the cardholder does not follow the correct process,
or where a card may be being used fraudulently. The following scenarios may happen.
1. Failed authentication
a) The cardholder may fail to enter their correct password (they have up to three attempts).
2. A mistake during authentication
a) The cardholder may cancel the pop-up or in-line window.
b) The cardholder may close the pop-up or in-line window.
c) The pop-up or in-line window may time out.
d) The content of the window may be corrupt due to a mistake by the issuer.
e) The cardholder browser may stop the pop-up.
The card schemes have set policies on how to
deal with failed authentication and mistakes
during authentication.
If authentication fails for Visa transactions
What will you receive within the PARes message? ‘N’ response
What should you do? Refuse the transaction and do not process the transaction as the cardholder could not authenticate themselves.
If you are using a Barclaycard gateway: Our HPP will automatically refuse the transaction for you
If authentication fails for MasterCard
and Maestro transactions
Error during authentication for
MasterCard and Maestro transactions
If authentication fails you will receive an ‘N’ response
within the PARes message. You have the option of
either refusing the transaction and stopping processing
because the cardholder could not authenticate
themselves, or continuing with the transaction and
attempting authorisation.
You may choose to carry on with the transaction
and must be aware that you will be liable for
the transaction (in other words, you could still be
charged back).
Our Barclaycard e-commerce solution will automatically
either refuse or continue the transaction based on the
response returned by the issuer and in line with
scheme rules.
If you do continue and are given an authorisation
code by the card issuer, you will be liable for
the transaction.
If authorisation is not given, you must refuse the card
in the normal way.
Mistake during authentication
for Visa transactions
If there is a mistake during authentication, you may
choose to carry on with the transaction and must be
aware that you will be liable for the transaction (in other
words, you could still be charged back).
The ePDQ HPP will either refuse or continue with the
transaction based on how you set up the appropriate
continuity flags within the ePDQ technical settings.
Our SmartPay Hosted Payment Page will automatically
either refuse or continue the transaction based on
the response returned by the issuer and in line with
scheme rules.
Passing authentication values
You must make sure you keep to our Barclaycard e-commerce solution v1.0.2. You will also need to make sure that you can pass the authentication results in your authorisation and clearing message. You must have included the APACS standard that supports this.
You can get information on which standard is used by contacting us. If you use our integrated 3-D Secure solution, you do not have to do this.
You must be able to receive and pass:
• Issuer authentication value (IAV) – CAVV for Visa, AAV for SecureCode™
• ECI values
• XID (for Visa)
• 3-D Secure procedure messages
It is your responsibility to make sure that the values, if received from the card issuer, are not altered in any way and are passed as received.
The CAVV or AAV could be incorrectly passed if:
• The payment solution you are using does not support these values
• There is a problem with your integration to the hosted authentication service or payment software
An incorrect ECI value could be passed if:
• There is a problem with your integration to the hosted authentication service or payment software (or both)
• You have registered to take part but have not told us you want to go live
• You have accidentally hard-coded every ECI value to a set limit (in other words, ECI 7 for standard e-commerce)
You must make every attempt to avoid the possible mistakes shown above. If you fail to pass the IAV, or incorrectly pass the ECI value, you will be liable for the transaction. If you deliberately falsify any authentication value, we may end your authentication and merchant agreements.
Only the ePDQ and SmartPay HPPs will automatically process authentication values. The ECI values passed must match for both the authorisation and the clearing message.
Error conditions
In the unlikely event that you experience an error condition while using cardholder authentication, you need to make sure you can handle the responses.
You may see a mistake if the HPP, Barclaycard SmartPay, or your own solution cannot connect to the relevant scheme directory. If this is the case, you will be sent a corresponding error message, which you must handle appropriately.
Scheme directory server unavailable
If the directory server is not available, this is considered a ‘break’ in the authentication process as neither a positive (success) or negative (failure) message can be supplied. As such, different rules will apply on who is liable for the transaction.
Visa
You can continue with the transaction, but must pass an ECI 7 as this was a non-authenticated transaction. You will not benefit from any chargeback protection.
MasterCard and Maestro
If you have correctly integrated the HPP, Barclaycard SmartPay or your own solution and get this error, you can claim merchant UCAF and still be protected (depending on the conditions in 1.4). The ePDQ HPP will process transactions based on your settings within the ePDQ technical setting. Our SmartPay hosted payment page will process the transaction based on the response returned by the issuer and in line with scheme rules.
Hosted authentication service not available on a Barclaycard payment Gateway
If you cannot authenticate transactions because the hosted authentication service is not operating, we also see this as a ‘break’ in the process but it has a different outcome.
If the hosted authentication service is not available, you should report this to us immediately. Transactions will not be authenticated if this service is down. You can continue with the transaction, but must pass an ECI 7 for Visa or ECI 0 for MasterCard as this was a non-authenticated transaction. You will not benefit from any chargeback protection for either card scheme.
If the ePDQ HPP detects that the hosted authentication service is down, it will process transactions based on your configuration of the ePDQ technical settings.
With Barclaycard SmartPay, if the hosted authentication service is down, transactions will be unable to continue for authorisation.
Cardholder browser suppresses pop-up window
If the cardholder browser does not allow the pop-up to be displayed, this is also considered as a ‘break’ in
the authentication request. As with the scenarios above, you may continue with the transaction but for Visa
transactions you will not benefit from any chargeback protection.
As recommended, you should consider using an in-line window to avoid these mistakes.
Your own authentication software not available
If you cannot authenticate transactions because the hosted authentication service is not operating, we also see
this as a ‘break’ in the process but it has a different outcome. Transactions will not be authenticated if this service
is down. You can continue with the transaction, but must pass an ECI 7 for Visa or ECI 0 for MasterCard as this
was a non-authenticated transaction. You will not benefit from any chargeback protection for either card scheme.
Chargeback reason codes included
You must be aware that each card scheme uses a different ‘reason code’ to charge a transaction back. If you are
using any automated risk tools, you should make sure you cater for each scheme reason code if it applies.
Visa
75: Transaction not recognised – when the cardholder tells you that they do not recognise an item on their card statement.
83: Fraud card absent environment – the card was not present and a transaction was processed without the cardholder’s permission, or a fake (card) account number was used.
MasterCard and Maestro
37: No cardholder authorisation – the cardholder denies responsibility for the transaction or the acquirer lacks evidence of a cardholder’s authentication (in other words, a signature).
63: Cardholder does not recognise – potential fraud. When a cardholder claims he or she does not recognise a card-not-present transaction (such as an e-commerce transaction). If after being presented with new information, the cardholder says that they did not authorise the transaction.
You may be asked to provide supporting information to us to defend a transaction (see section on Retrieval requests on page 26). Protection against this reason code may help to avoid a chargeback following the request.
One of the critical success factors of the authentication schemes is to remove chargebacks from the system.
Each of the card issuers is adding edits to make sure, wherever possible, that you are not charged back for a
transaction that was authenticated.
You will be liable for the transaction for all chargeback reason codes that are not set out in this document.
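The ECI and reason-code rules above, written as checks an automated risk tool could run over its own records. This is an added example, not Barclaycard code; the record layout, function names and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# ECI a merchant must pass when a transaction was NOT authenticated
# (the two values stated in this guide).
NON_AUTHENTICATED_ECI = {"visa": 7, "mastercard": 0}

# Chargeback reason codes set out in this guide, per card scheme.
REASON_CODES = {
    "visa": {
        75: "Transaction not recognised",
        83: "Fraud card absent environment",
    },
    "mastercard": {
        37: "No cardholder authorisation",
        63: "Cardholder does not recognise - potential fraud",
    },
}
# The guide lists MasterCard and Maestro under the same codes.
REASON_CODES["maestro"] = REASON_CODES["mastercard"]


@dataclass
class Transaction:
    """Hypothetical record layout for one e-commerce transaction."""
    ref: str
    scheme: str          # "Visa" or "MasterCard"
    authenticated: bool  # did cardholder authentication complete?
    auth_eci: int        # ECI sent in the authorisation message
    clearing_eci: int    # ECI sent in the clearing message


def eci_findings(txn):
    """Return a list of problems with the ECI values on one transaction."""
    scheme = txn.scheme.lower()
    if scheme not in NON_AUTHENTICATED_ECI:
        return [f"{txn.ref}: no ECI rule in the guide for scheme {txn.scheme!r}"]
    findings = []
    non_auth = NON_AUTHENTICATED_ECI[scheme]
    # The ECI must match in the authorisation and the clearing message.
    if txn.auth_eci != txn.clearing_eci:
        findings.append(
            f"{txn.ref}: ECI differs between authorisation "
            f"({txn.auth_eci}) and clearing ({txn.clearing_eci})"
        )
    for label, eci in (("authorisation", txn.auth_eci),
                       ("clearing", txn.clearing_eci)):
        if not txn.authenticated and eci != non_auth:
            # A 'break' in authentication must be declared as non-authenticated.
            findings.append(
                f"{txn.ref}: not authenticated but {label} ECI is {eci}, "
                f"expected {non_auth}"
            )
        elif txn.authenticated and eci == non_auth:
            findings.append(
                f"{txn.ref}: authenticated but {label} ECI {eci} "
                f"marks it non-authenticated"
            )
    return findings


def audit(transactions):
    """Map transaction ref -> findings, for transactions that have any."""
    report = {}
    for txn in transactions:
        problems = eci_findings(txn)
        if problems:
            report[txn.ref] = problems
    return report


def classify_chargeback(scheme, code):
    """Return (set_out_in_guide, description) for a scheme reason code."""
    description = REASON_CODES.get(scheme.lower(), {}).get(code)
    if description is None:
        return False, "reason code not set out in the guide: merchant liable"
    return True, description


# Constructed sample data. ECI 5 and 2 are sample values standing in for an
# 'authenticated' indicator; they are not taken from this guide.
SAMPLE = [
    Transaction("T1", "Visa", False, 7, 7),        # service down, declared correctly
    Transaction("T2", "MasterCard", False, 0, 0),  # service down, declared correctly
    Transaction("T3", "Visa", False, 5, 5),        # not authenticated, wrong ECI
    Transaction("T4", "MasterCard", True, 2, 0),   # authorisation/clearing mismatch
]

if __name__ == "__main__":
    for ref, problems in audit(SAMPLE).items():
        for line in problems:
            print(line)
    print(classify_chargeback("Visa", 83))
    print(classify_chargeback("Visa", 37))
```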
Sector-specific trading
Vehicle rental companies
Best practice for reducing chargebacks
There are certain types of chargebacks that happen more frequently among vehicle-rental providers. To support you we have created this best-practice guide on the correct procedures to deal with chargebacks and provide advice on how to reduce the cost to your business.
You must authorise every transaction, but please remember that authorisation does not guarantee payment – it only confirms that:
1. The card has not been reported lost or stolen at the time of the transaction.
2. There are enough funds available at the time of the transaction.
Except for contactless transactions, you will still be legally responsible for any Card Not Present transactions if the genuine cardholder later states that they did not make or authorise a transaction.
Please remember that any transactions processed without the card being present may result in a chargeback if they are later disputed. It is in your own interest, where possible, to process transactions with the card present and make sure the cardholder is verified by their PIN or you get a signature (if the card is not PIN-enabled).
Tips on taking reservations over the phone
As telephone reservations are Card Not Present transactions, we recommend you take the precaution of asking for as many details as possible to confirm the authenticity of the unseen cardholder:
• The name of the caller
• Their direct-dial phone number (not a mobile phone number)
• The name of the person who needs the vehicle (if not the caller)
• Their expected collection date and time
• The number of days they are expected to hire the vehicle
• The card number of the card to be used for the charges
• The card ‘valid from’ date
• The card ‘expiry date’
• The cardholder’s name
• The cardholder’s billing address
• The card security code (the last three digits on the signature strip on the back of the card or the three digits in the box next to the signature panel)
These may not prevent all types of fraud but will act as a deterrent to fraudsters.
If your vehicle reservation system allows you to check the card security code given at the time of the reservation, you should enter it. However, if you are using processing equipment that cannot check the card security code, you should still ask for it as it may deter potential fraudsters. However, you must not keep or store the CSC code.
You should discuss and agree the hire rate and get the caller’s permission to accept your cancellation policy. The cancellation and no-show policy must be clearly explained to the customer. Once you have confirmed that you have accepted their order, please make sure you send a copy of your Terms and Conditions, written confirmation of the reservation details together with the cancellation and no-show policy to the cardholder.
Taking reservations by fax or mail
Like the tips on phone reservations, we recommend asking for as many details as possible from the cardholder as previously listed. When taking orders from company cardholders, you should check that the fax or letter looks genuine, for example, that it’s on genuine company-headed paper. Obvious questions are shown below:
• Does it contain a company logo?
• Does it contain the correct corporate colours?
• Does it show a switchboard phone number? Check by calling the sender (the switchboard operator would normally announce the company’s name)
• Does it contain a registered address for ‘Ltd’ and ‘PLC’ companies?
• Is it signed by someone in authority?
Faxes and mail bookings should contain the same details needed for telephone reservations – except for the CSC. You should also make sure that the cardholder has accepted your cancellation policy.
We recommend calling the sender for confirmation of the reservation, the card details and the CSC.
Ideally you would also reply in writing confirming that you are accepting the reservation (fax or mail), and send a copy of your Terms and Conditions, including your cancellation policy, reservation details and no-show policy.
Taking reservations over the internet
Transactions over the internet are effectively Card Not Present transactions and are prone to being disputed and charged back. It is in your own interests to process transactions with the card present wherever possible.
When taking bookings over the internet, you should use the same procedures and precautions as those taken by phone. This includes making sure that cardholders can confirm they accept your Terms and Conditions, for example, by having a tick box.
We strongly recommend that your website uses ‘Internet Authentication’. (Please see the Internet Authentication section of this document on page 37)
Extra tips for checking genuine customers
Set up your reservation system (or a stand-alone computer) to check the billing and company address by comparing it to the Royal Mail address. See www.royalmail.com. Or, you can invest in PC software that uses a postcode address to confirm addresses. Find out more at these websites and sources of information:
• www.streetmap.co.uk
• Check the electoral roll. Companies like Equifax do this, and will charge for the service (0845 600 1772 or www.equifax.co.uk). Or, you can buy and install electoral-roll software
• Check the Yellow Pages or BT Telephone Directory for the customer’s listing. Then call and ask for the person who sent the fax
Your cancellation policy
While you may have a cancellation policy in your Terms and Conditions (which you must clearly tell your customer about), you may not charge any cancellation fee to the card used for the reservation. If you do make a charge to the card, we will not be able to defend you from any chargeback.
You cannot demand more than 72 hours cancellation before the scheduled collection time and date of booking.
No-show
If a cardholder doesn’t turn up, having failed to cancel their hire vehicle, you are then entitled to charge one day’s rental at the reserved vehicle rate. You can simply charge the card given at reservation.
Send a copy of the transaction receipt and a copy of your Terms and Conditions to the cardholder at their billing address. You need to make sure that ‘No show’ is clearly written in the space where the cardholder would normally sign the transaction receipt. The transaction receipt should also clearly show the card number, expiry date and cardholder’s name.
However, if the genuine cardholder later claims that they never made the original reservation, the transaction may still be charged back. We would not be able to defend a chargeback in this case.
Collecting the vehicle
Ask to see the customer’s card and ask them to read your Terms and Conditions and sign the rental agreement. Then carry out the usual visual checks to make sure the card is genuine, for example, check the hologram, and that the signature strip has not been tampered with.
You must not ask the cardholder to sign a blank transaction receipt in case there are any other charges or delayed charges.
The cardholder must give their permission to be charged extra or delayed charges.
If possible get payment by processing a Card Present transaction (see the ‘Accepting card-present transactions’ section of this guide on page 7). If you already have the payment, make sure you get an imprint of the card on the car rental agreement as proof that the cardholder agreed to pay by card.
If the cardholder asked for a specialised vehicle (in other words, a vehicle that forms less than 10% of your fleet or one that you have arranged specifically for the customer to hire) and it then becomes unavailable, you must provide the following services at no extra charge.
• A similar vehicle at another car rental establishment for the reservation period
• Transportation to the other outlet
Pre-authorisation
Pre-authorisation lets you estimate the final transaction amount, get authorisation and reserve the payment while the vehicle is still on hire. Base your estimate on:
• The cardholder’s intended rental period
• The rental rate and tax which applies
• Mileage rates
You cannot use pre-authorisation with Maestro cards, and it does not apply to possible vehicle damage or other insurance excess amounts.
Pre-authorisations are valid for the length of the rental period. However, for extended hire we recommend you close the customer’s account after 14 days and bill them every two weeks.
The operating guide for your processing equipment includes instructions for pre-authorisations, including chip-and-PIN card transactions, when the hirer will need to enter their PIN number to confirm they are the genuine cardholder.
You can update estimates as often as you need, up to
and including the date the vehicle is returned. When
you issue a new estimate, make sure it does not include
amounts which have already been authorised.
Useful tips
The pre-authorisation will apply for the length of
the rental. However, we recommend that you close
the customer’s account after two weeks and bill the
customer every two weeks.
• Make sure your transaction receipt always includes the details of the authorisation code, the dates and the amounts
• The operating guide for your processing equipment contains instructions for carrying out pre-authorisation. This can include carrying out a pre-authorisation using a card with a chip and PIN. The cardholder will have to put in their PIN number at the time of the pre-authorisation to confirm they are the genuine cardholder
• Always tell the hirer how much you have estimated, as it will reduce the funds available on their card. Explain that they have not yet been charged, and that their final bill is unlikely to be exactly the same as the estimate
• If your customer unexpectedly decides to reduce the hire period, simply provide the appropriate refund. Refunds must always be applied to the same card used for the original payment
• Estimate the final amount and get pre-authorisation
• Do tell the hirer how much you have pre-authorised, as this will reduce the funds they have available on the card. Explain to the hirer that no charge has actually been made at this point, and that it is unlikely that the final bill will be exactly the same as the pre-authorised amount
Pre-authorisation – end of hire
For Visa:
• If the final bill is within 15% of the estimated amount you can use the code provided during the estimated authorisation
However, you will need a final authorisation code if:
• The final transaction amount is above your floor limit and you have not got a previous authorisation
• There is more than 15% difference between the final bill and the pre-authorisation amount
• The hirer is paying by Visa Electron and the final bill is more than the sum of all the estimated authorisations you have already received for their hire period
For MasterCard:
• If the final bill is greater than the estimated authorisation amount, you will need a further authorisation code for the difference
Handling pre-authorisation
Pre-authorisation allows you to estimate the final transaction amount and allows you to reserve the funds on the card by receiving an authorisation while the vehicle is still being hired. However, this does not apply to Maestro cards. Instead we recommend you get full payment when the vehicle is collected, for the expected hire value. If the customer unexpectedly decides to reduce the length of hire, you can then simply provide the appropriate refund.
The value should be based on the cardholder’s intended rental period, the rental rate with tax which applies and the mileage rates. You can update the estimates as often as you need, up to and including the date the vehicle is returned. Each extra pre-authorisation request must not include previously authorised amounts. And you may not try to gain pre-authorisation for potential vehicle damage or the insurance excess.
Accidents or damage involving the vehicle
If the vehicle is involved in an accident, you may charge Visa cardholders for the damage to the vehicle. You must also get an estimate of the cost from an organisation which can legally provide these services. You should always send the estimate to the cardholder if you are making a charge for damage. The following conditions also apply:
• The cardholder must have agreed in writing to pay the charges by Visa card (this permission should make up part of your rental agreement). It is critical that your car rental agreement clearly states that any extra or collision charges will be charged to the Visa card used to pay for hiring the car. The cardholder must sign to agree that they accept these Terms and Conditions. The cardholder’s signature must be on the same page of the car rental agreement as the Terms and Conditions that allow you to charge the Visa card. If the cardholder’s signature is on a separate page, we may not be able to defend you from a chargeback if the cardholder claims that they never agreed to their Visa card being charged for any extra charges
• The charge must be made within 90 calendar days of the date of the transaction
• There is a bigger risk of chargeback if you do not let the cardholder know about the charge
Note about MasterCard: To apply extra charges to a MasterCard, you must get a separate cardholder signed authority by processing a Card Present transaction. If the charge is disputed later, this will be needed as proof that the cardholder authorised the extra charge.
Procedure for dealing with delayed charges
To process a delayed charge (such as for damage, fuel, insurance fee, parking tickets, excessive mileage, extra rental and so on) the cardholder must have agreed by signing the rental agreement and agreeing to the Terms and Conditions. These must state that the cardholder will be legally responsible for the charges and they will be taken from the card originally used to pay for the rental. The cardholder’s signature must be on the same page of the car rental agreement as the Terms and Conditions that allow you to charge for delayed charges. If the cardholder’s signature is on a separate page, we may not be able to defend you from a chargeback if the cardholder claims that they never agreed to their card being charged for any delayed charges.
Any charges must be processed within 90 days of the original transaction date – and you must get further authorisation. The charge must be made using a separate transaction, with the words ‘Signature on file’ clearly visible. You must tell the cardholder in writing about any delayed charges – sent to the address on the rental agreement. Also, you must give them any extra documents to support the charge, for example, if the customer was responsible for a traffic offence, send them:
• A copy of the rental agreement
• Documents on the offence
• The licence number of the rental vehicle
• The law which has been broken and (if it applies) a copy of the authority’s accident report
• Notice of the amount to be charged
For delayed- or amended-charge transactions related to damage, you must provide a written confirmation containing the details of the damage, the cost of the damage and the currency in which the cost of the damage will be charged to the cardholder. You must do this within 10 business days of the return date of the rented car. You must also provide an estimate of repairs from a garage or company authorised to carry out repairs.
For delayed charge or amended-charge transactions relating to damage where you have written to the cardholder, the cardholder may (at no cost to you) provide written confirmation of another estimate of cost of the damage within 10 business days of receiving your original written confirmation showing the cost of the damage.
You and the cardholder may come to an agreement on the cost of the damage before processing the delayed or amended charge transaction. If you and the cardholder cannot agree on the cost of the damage, and if you process the delayed or amended charge transaction, the cardholder can dispute the charge.
You must wait 20 business days from the date of the confirmation receipt given to the cardholder before processing a charge for damages.
A business day is Monday to Friday from 9am to 5pm.
Accepting split sales
Occasionally, customers ask to split payments between cards, cash or cheques, sometimes to share costs between partners. Although these transactions are acceptable, a high number of chargebacks result from them. So you must always get authorisation no matter what your floor limit. You must always tell the authorisation operator at the start of the call that the transaction is part of a split sale. Only process one transaction for each card.
Your refund policy
If you operate a no-refund policy, you must make this clear to the cardholder when they make the reservation. If you do agree to refunds, beware of any opportunities for fraudsters. You must credit all refunds to the same card used to make the booking. If you make a charge to a card by mistake, you must refund it to the card within 30 calendar days. Under no circumstances refund by cash, cheque or other payment as this is likely to result in chargebacks.
If you are using Barclaycard processing equipment that is set up for contactless payments, you can carry out contactless refunds up to the value of the current limit. Contactless refunds should not need cardholder verification.
Extended hire
We strongly recommend that you do not allow your customer to hire the vehicle for more than two weeks without settling their bill. Ask hirers who want to extend the lease for more than two weeks to pay the current total due – ideally by the cardholder in person. Failing that, by using the card details provided at the original booking (although there is a risk that this amount could be disputed at a later date if you do not have a signature or PIN).
Disputed transactions
If a transaction is later disputed, it is vital to show that the card was present and authorised (if this is needed). Except for contactless transactions, if no signature or PIN was given or if authorisation was not given, we will not be able to defend you from a chargeback. Where possible and except for contactless transactions, it is in your interest to process transactions with the card present and get a signature or PIN.
The most common reasons why disputed transactions are charged back for vehicle rental are:
1. Delayed or amended charges.
2. Hire reservations made by someone committing fraud using the card, who then never arrives. Often this is because the fraudster is only using your reservation system to check that the card is valid and funds are available. They will then use the card to buy goods from other establishments fraudulently. The first time the genuine cardholder will be aware that their card has been used fraudulently is when they receive their card statement and they see they have been charged your ‘no-show’ charge.
3. Not replying to requests for information. Under card-scheme rules, the card issuer is entitled to ask for details of any transaction. In most instances, they only need a copy of the final transaction receipt, showing the card was present at the transaction and, except for contactless transactions, was authenticated by the cardholder – either by a signature or PIN. However, the card issuer may need a full breakdown of the charge. The request for information from Barclaycard will give details of what is needed. Please make sure you reply within 14 days as, if you fail to do so, the card issuer may make a chargeback.
For more information on preventing chargebacks, please go to our website at:
http://www.barclaycard.co.uk/business/existing-customers/chargebacks/guides
Or, call our dedicated Chargeback team on 0844 755 0094 and ask to speak to our chargeback portfolio managers.
Extra rules for the Visa vehicle-rental reservation service
If you or your booking agent accepts European-issued Visa cards or Visa Electron cards, you must ensure a car rental reservation is provided and keep to the following requirements.
In return you may choose to charge a no-show fee if a Visa Europe cardholder has not cancelled a reservation in line with your Terms and Conditions.
1. You or your booking agent must get the cardholder’s name, account number and expiry date as displayed on the Visa card or Visa Electron card.
2. You or your booking agent must tell the cardholder about your cancellation and no-show policy and procedures when they are making the reservation.
3. You or your booking agent must provide written confirmation of the reservation to the cardholder by post, fax or email, including:
• The reserved car rental rate
• The currency of the transaction
• The exact name and address of the location from where the car is to be collected
• The cardholder’s name, account number (shortened so it only displays four digits) and card expiry date as displayed on the Visa card or Visa Electron card
• The confirmation code, which the cardholder must keep in case there is a dispute
• The exact address of the location from where the car is to be collected
• The hours of operation of the collection and return outlet
• Cancellation policy procedures
4. You or your booking agent must tell the cardholder that you will bill them for a no-show transaction (up to the value of one day’s rental) at the reserved car rental rate if the cardholder has neither:
• Collected the vehicle within the 24 hours of the collection time
• Properly cancelled the reservation in line with your cancellation policy
5. If you want to bill a no-show transaction, you or your booking agent must confirm, in writing, as part of the reservation confirmation, the value and currency of the fee that you will bill the cardholder.
6. You or your booking agent must not ask for more than 72 hours’ notice to cancel the rental without penalty.
7. If the cardholder makes a reservation within 72 hours of the scheduled pick-up date, the cancellation deadline must be no earlier than 6pm at the address of your vehicle rental company on the scheduled pick-up date.
8. You or your booking agent must give the cardholder a cancellation code (if the reservation is properly cancelled in line with your cancellation policy) and tell the cardholder to keep the code in case there is any dispute.
9. You or your booking agent must send written confirmation of the cancellation to the cardholder within five business days of the cancellation date.
10. If a cardholder has not claimed or cancelled the car rental by the time you have given, you or your booking agent must keep the car available, according to the reservation, for 24 hours from the collection time. If the cardholder does still not collect the car, you may process a no-show transaction.
11. If the vehicle you have said you will provide is not available, you must give the cardholder an equivalent or higher-group car at no extra charge.
12. You must make sure that you tell the cardholder at the time they make the reservation that a confirmation receipt is available during your hours of operation when they return the rented vehicle. This confirmation receipt confirms the conditions of the rented car when it is returned.
13. You must give the cardholder written confirmation of their decision of whether to ask for a confirmation receipt as part of the reservation confirmation.
14. You must give the cardholder written confirmation of all of the following:
• The visible damage status of the rented car when it is returned. If there is no visible damage, this must be clearly shown on the written confirmation and you must not process a delayed charge or amended-charge transaction for any visible damage to the rented car
• The fuel status of the rented car when it is returned. If there is no extra fuel charge, this must be clearly shown on the written confirmation and you must not process a delayed charge or amended-charge transaction for extra fuel
• The date and time of the return. If there are no extra rental charges as a result of extended time frames, this must be clearly shown on the written confirmation and you must not make a delayed charge or amended-charge transaction for the extra day’s rental
15. If the cardholder returns the car using an express drop-off facility, you must send the written confirmation to the cardholder within five business days of the return date of the rented car. You should tell the cardholder to keep the confirmation receipt in case of a dispute.
16. You may only process a delayed charge or amended-charge transaction if the cardholder has given their permission for those charges.
17. For delayed charge or amended-charge transactions related to damage, you must provide a written confirmation containing the details of the damage, the cost of the damage and the currency in which the cost of the damage will be charged to the cardholder. You should do this within 10 business days of the return date of the rented car.
18. For delayed charge or amended-charge transactions relating to damage where you have written to the cardholder, the cardholder may, at no cost to you, provide written confirmation of another estimate of cost of the damage within 10 business days of receiving your original written confirmation showing the cost of the damage.
19. You and the cardholder may come to an agreement on the cost of the damage before processing the delayed charge or amended-charge transaction. If you cannot reach an agreement with the cardholder for the cost of the damage, and if you process the delayed charge or amended-charge transaction, the cardholder can dispute the charge.
20. You must wait 20 business days from the date of the confirmation receipt provided to the cardholder before processing a charge for damages.
A business day is Monday to Friday from 9am to 5pm.
Lodging and accommodation
Best practice for reducing chargebacks
There are certain types of chargebacks that happen more often among hotel, lodging and accommodation providers. To support you, we have created this best-practice guide to help you understand the correct procedures for dealing with chargebacks and provide advice on how to reduce the cost to your business.
You must authorise every transaction but please remember that this does not guarantee payment. The authorisation confirms only that:
1. The card has not been reported lost or stolen at the time of the transaction.
2. There are enough funds available at the time of the transaction.
As the rules stand, except for contactless transactions, you will still be legally responsible for any transactions if the genuine cardholder later says that they did not make or authorise a transaction. Card Not Present transactions are particularly prone to chargebacks at a later date.
If there is no signature on the final bill, we may not be able to defend you if there is a chargeback. There is still an element of risk if the guest is allowed to check out using the priority check-out service.
Taking advance reservations
Wherever possible, you should ask the person needing accommodation or lodging to make the reservation themselves. Of course, for practical reasons you may need to accept reservations from other people, such as secretaries acting on behalf of their bosses.
If the reservation is made through someone else, for example, a travel agent, make sure they tell the customer about your Terms and Conditions. You should then ask the caller to confirm the reservation in writing, either by fax or mail.
Tips on taking telephone reservations
As telephone reservations are Card Not Present transactions, we recommend you take the precaution of asking for as many details as possible to check the authenticity of the unseen cardholder. Ask for:
• The name of the caller
• Their direct-dial phone number (not a mobile number)
• The name of the person who needs the accommodation or lodging (if not the caller)
• Their expected arrival date and time
• The number of nights they are expected to stay
• The card number of the card to be used for the charges
• The card expiry date
• The cardholder’s name
• The cardholder’s billing address (this may not be the company address)
• The card security code (the last three digits on the signature strip on the back of the card or the three digits in the box next to the signature panel). See the note below
If the booking is for corporate purposes, you should also take:
• The caller’s name and position in the company or organisation
• The name of the company or organisation
• The company or organisation switchboard telephone number
Note: If your reservation system allows you to check the card security code given at the time of the reservation, enter it. Even if you use POS processing equipment that cannot check the card security code, still ask for it as this may deter fraudsters. Also, you should discuss and agree the room rate and the hotel cancellation policy. You must ask the caller to agree to the cancellation policy. Once the caller has accepted, you can then issue a reservation code.
Taking reservations by fax or mail
Double check that the fax or letter looks genuine, for
example, that it’s on genuine company-headed paper.
Below are some obvious questions to ask yourself.
• Does it contain a company logo and show the
correct corporate colours (you can check on the
internet)?
• Does it show a switchboard telephone number?
• Check by calling the sender (the switchboard
operator would normally announce the name of the
company)
• Does it contain a registered address for ‘Ltd’ and
‘PLC’ companies?
• Is it signed by someone in authority?
Faxes and postal bookings should contain the same
details needed for telephone reservations – except for
the CSC. They should also confirm they have accepted
your cancellation policy. We recommend calling the
sender for confirmation of the reservation, the card
details and the CSC. Ideally you would also reply to
say you have accepted the reservation in writing (fax
or post), together with a copy of your Terms and
Conditions, including your cancellation policy.
Taking a reservation over the internet
Transactions over the internet are effectively Card
Not Present transactions, so are more likely to result
in a chargeback. It is in your own interests to process
transactions with the card present, whenever possible.
When taking an e-commerce booking, you should use
the same procedures and precautions as those for
reservations taken by phone. This includes making sure
that cardholders can confirm that they accept your
Terms and Conditions, for example, in a tick box. We
strongly recommend that your website allows ‘Internet
authentication’. You can get this service from us and it
allows you to confirm that reservations are being made
by genuine cardholders.
Extra tips for checking genuine customers
• Set up your reservation system (or a stand-alone
computer) to check the billing and company
address by comparing it to the Royal Mail address.
See www.royalmail.com. Or, you can invest in PC
software that uses a postcode address to confirm
addresses. Find out more at this website
• www.streetmap.co.uk
• Check the electoral roll. Companies like
Equifax do this, and will charge for the service
(0845 600 1772 or www.equifax.co.uk). Or, you
can buy and install electoral-roll software
• Check the Yellow Pages or BT Phone Book for the
customer’s listing. Then call and ask for the person
who sent the fax
Taking advanced lodging deposits
If you take advanced lodging deposits under the Visa
and MasterCard rules, this is the only amount you
are allowed to take from the customer’s card. You will
also give up your right to charge one night’s no-show
payment. If you operate a no-refund policy, you must
tell the cardholder at the time of the reservation. You
must make any refunds you agree to the card used for
the original booking – never give a refund in cash or by
cheque or other means. You can only accept Maestro
cards when the cardholder is present, as the card must
be processed electronically using the magnetic stripe or
embedded chip.
Your cancellation policy
You must clearly explain your cancellation policy at the
time of the reservation. Ask the customer whether they
accept the policy and to confirm this. The cancellation
deadline should be no earlier than 72 hours before the
guest is expected.
If a reservation has been made within 72 hours of
the expected arrival time, the cancellation deadline
will be 6pm on the arrival date. If you need to know
about a cancellation before 6pm, you must post your
cancellation policy to the cardholder.
If the cardholder cancels the reservation within the time
frame shown in your cancellation policy, give them a
cancellation code for their records and yours.
Note
• If your cancellation policy is different from the
above, you risk receiving chargebacks
• You can only enforce the cancellation policy
when the customer pays by Visa, MasterCard
or JCB card
(Maestro cards do not allow charges to be made for
hotel cancellation charges).
Guest arrivals and check-in
When your guests arrive, ask to see the card on
which the booking was made, and ask them to fill in a
registration form. If you allow extra items (newspapers,
restaurant bills and so on) to be charged to guests’
rooms, your registration form should clearly show this.
Pre-authorisation
Pre-authorisation allows you to estimate the final bill
and reserve those funds on the card account while the
guest is staying with you. But you cannot do this with
Maestro cards. Instead we recommend you get full
payment when they check in.
If the customer decides to check out early, simply
provide a refund.
• The operating guide for your processing
equipment contains instructions on carrying out
pre-authorisation. This can include carrying out a
pre-authorisation using a chip-and-PIN card. The
cardholder will have to enter their PIN number at the
time of the pre-authorisation to confirm they are
the genuine cardholder
• Estimate the final amount and get pre-authorisation
• Do tell your guest how much you have
pre-authorised, as this will reduce the funds they
have available on the card. Explain to the guest
that no charge has actually been made at this point,
and that it is unlikely that the final bill will be exactly
the same as the pre-authorised amount. Check that
the signature on the registration form matches that
on the back of the card. Also check the hologram,
and make sure the signature strip has not been
tampered with. You can now go through the
pre-authorisation procedures
Pre-authorisation departures and check-out
For Visa, if the final bill is within 15% of the pre-authorised
amount, you can process the transaction by using the
code given at pre-authorisation. But if the final bill is
more than 15% above the pre-authorised amount, you
will need to get another authorisation code for
the difference.
For MasterCard, if the final bill is less than the
pre-authorised amount you can process the transaction
by using the code provided during pre-authorisation. If the
final bill is greater than the pre-authorised amount, you
will need a further authorisation code for the difference.
Express and priority check-out service
If you operate an express check-out service, we
may not be able to defend you from a chargeback
if the cardholder later denies that they carried out
any transactions.
Extended stays
We strongly recommend that you do not allow stays of
more than two weeks without asking guests to settle
their bill. You should ask those who need to stay longer
to pay the current total due. Ideally, ask for their card,
or you can use the card details provided at check-in
(although there is a risk that this amount could be
disputed at a later date if you do not get a signature
or PIN). If the bill is more than 15% above the
pre-authorised amount at check-in, you should get a further
pre-authorisation code for the rest of the stay.
If the transaction was carried out using Maestro
or MasterCard and there are extra charges, you
must get a separate, signed and swiped voucher or
imprinted document as proof that the cardholder
authorised these charges to debit their account.
Replying to requests for information and notice
of chargebacks
If we tell you that a cardholder is disputing a charge,
always make sure you supply the correct information to
help us defend the dispute.
Disputed transactions
If a transaction is later disputed, it is vital to show
that the card was present and authorised (if this is
necessary). Except for contactless transactions, if
you did not get a signature or PIN or if authorisation
was not given, we will not be able to defend you
from a chargeback. Where possible and except for
contactless transactions, it is in your interest to process
transactions with the card present and get a signature
or PIN.
The most common reasons why disputed transactions
are charged back for lodging or accommodation are:
1. Reservations made by someone fraudulently
using a card who never arrives at the hotel.
Often this is because the fraudster is using
your reservation system only to check that the
card is valid and there are funds available. They
will then use the card to get goods from other
retailers fraudulently. The first time the genuine
cardholder will be aware that their card has been
used fraudulently is when they receive their card
statement and they see they have been charged
your no-show charge.
2. Not replying to requests for information.
Under card-scheme rules, the card issuer is
entitled to ask for details of any transaction. In
most instances, they need only a copy of the
final transaction receipt, showing the card was
present at the transaction and was authenticated
by the cardholder – either by a signature or PIN.
However, sometimes the card issuer may need
a full breakdown of the charge. Our request for
information will give details of what is needed.
Please make sure you reply within 14 days or you
may have to pay a chargeback.
No show
If a cardholder doesn’t turn up, having failed to cancel
their reservation, you are then entitled to charge
one night’s stay at the normal check-out time the
following day. You can simply charge the card given
at reservation. Send a copy of the transaction receipt
and a copy of your Terms and Conditions to the
cardholder at their billing address. ‘No show’ must be
clearly written in the space where the cardholder would
normally sign the transaction receipt. The transaction
receipt should also clearly show the card number, expiry
date and cardholder’s name.
However, if the genuine cardholder later claims that
they never made the original reservation then the
transaction may still be charged back. We would be
unable to defend a chargeback in this case.
Please note: You may offer to reserve accommodation
for Maestro Card customers - but be aware that you
cannot debit the card for one night’s lodging if the
customer does not arrive.
For more information on preventing chargebacks,
please see our website at
www.barclaycard.co.uk/business/chargebacks
Express and priority check-out charges
If the dispute was over an express or priority check-out
where you did not get a signature, please send:
• A copy of the transaction receipt from check-in
proving the card was present and that you carried
out a pre-authorisation
• A copy of the hotel registration showing the
cardholder’s signature and that they accepted the
charge for the agreed length of stay and any other
relevant details
Other charges
If the dispute was over charges made since the
cardholder checked out (for example, minibar charges,
breakfast on the last day and so on) please send a copy
of the transaction receipt with the words ‘Signature
on file’ in the cardholder signature box. Also, please
send a copy of the hotel registration card showing the
cardholder’s signature and that they accepted that they
may have to pay extra charges.
No-show charges
For no-show charges, please send us a copy of the
transaction receipt or invoice clearly showing the
card details and ‘No Show’ written on the signature
box of any receipt. We also need proof that the
cardholder was told about and accepted your Terms
and Conditions.
Contact numbers
Customer Services
0844 811 6666*
Monday to Sunday: 8.00am to 12.00 midnight
Bank holidays: 9.00am to 6.00pm
(Closed Christmas Day)
For help with:
• Additional processing equipment
• Statement queries
• More literature and point of sale materials
• More information on products and services
• Changing your details
• Any other queries or problems
PDQ Helpdesk
0844 811 6666*
Monday to Sunday: 8.00am to 12.00 midnight
Bank holidays: 9.00am to 6.00pm
(Closed Christmas Day)
For help with:
• Faults with processing equipment
• PDQ transaction queries
• Any other queries or problems relating to PDQ
Authorisation
0844 822 2000*
For help with:
• Authorisations for transactions over your floor limit
• Suspicions on card activity, transactions or a
card presenter
• Card validity concerns
Multiple mail and telephone
order transactions
0844 811 4470
* Open 24 hours a day, 7 days a week
(including Christmas Day)
For help with:
• Authorisation of more than one mail or telephone
order transaction at a time
Cheque validation/guarantee
0800 515 788*
For help with:
• Validation of Barclays Bank cheques guaranteed
by a Barclays Connect card, Barclaycard Visa card
or Barclay Premier card
Sales Centre
0800 61 61 61*
Monday to Friday: 8.30am to 6.00pm
(Closed Saturdays, Sundays and Bank Holidays)
For help with:
• Plans to extend your existing business or a
new business
Chargeback Department
0844 755 0094*
For help with:
• Any questions about chargebacks or retrievals
eCommerce Team
0844 822 2099*
Monday to Sunday: 8.00am to 12.00 midnight
(closed Bank holidays)
For help with:
• Information or assistance about trading over
the internet
Complaints handling
0844 811 6666*
For help with:
• Any problems in service from us
• You can also email:
www.barclaycard.co.uk/paymentacceptance
Glossary and terminology
3–D Secure
3–Domain secure. Covering the many domains involved
during internet authentication (between us, you and the
cardholder’s issuer). The protocol behind the internet
authentication process.
AAV
Account–holder authentication value. This is a unique
reference generated by MasterCard and Maestro card
issuers during the internet authentication process to
prove that authentication took place.
ACS
Access control server. This is the server used by the
card–issuing bank to manage the 3–D secure processes.
APACS
Association for Payment Clearing Services now known
as UK Payments Administration Ltd (UKPA) – sets UK
industry standards for payments.
BIN cache
A record of issuer BIN ranges stored locally on your
authentication system. This should be regularly
updated to make sure local information on cardholders
taking part in the scheme and card issuers is correct.
Card acquirer
The financial institution, such as us, that is a member
of the card schemes such as Visa or MasterCard.
Acquirers enter into agreements with merchants to
process card transactions on their behalf and arrange
to pay authorised funds.
Card issuer
A card issuer is a bank, building society or financial
institution that issues credit or debit cards.
Card not present
This refers to card transactions carried out when the
cardholder and the card are not present at the point of
sale, for example, a card transaction that takes place
over the internet.
Card schemes
A card scheme is a payment–card organisation, such as
MasterCard and Visa.
Card security code and address verification service
A service which confirms the cardholder’s address,
postcode and card security code as part of the
authorisation process.
CAVV
Cardholder authentication verification value. This is
a unique reference generated during the 3–D–secure
process by Visa card issuers to prove authentication
took place or was attempted.
Chargebacks
Chargebacks can be initiated by the cardholder or card
issuer. Occasionally, a cardholder will dispute with the
card issuer a transaction shown on their statement. If
the cardholder’s complaint is valid, the amount of the
transaction may be charged back to us and passed on
to you.
Chip and PIN
The cardholder enters a unique 4–digit personal
identification number (PIN) instead of signing a receipt.
This is standard technology in the UK. The main
aim is to reduce fraudulent transactions at a cost to
businesses and the banking industry.
Chip cards
These are payment cards with a computer microchip
built into them. The microchip provides a method of
securely storing cardholder information.
Code–10 calls
If you are suspicious about a card or the person
presenting it, you must ring our Authorisation
Department immediately on 0844 822 2000. If you
cannot speak freely because the customer is nearby,
tell the operator that you are making a code–10 call.
You will then be asked various questions and told what
steps to take.
Compromised card numbers (card number mismatch)
Compromised card numbers are those illegally copied
from genuine cards. Fraudsters are currently encoding
these numbers into the black magnetic stripe on the
back of stolen cards, to produce what appears to be
a valid card. Invariably, the embossed number will be
different from the magnetic stripe details and
this will show on the processing equipment receipt.
You must compare these details when you carry out
a transaction.
Contactless transaction
This is a transaction that is processed using near field
communications (NFC) technology, where the payment
instructions are securely exchanged between a chip
card and specially adapted point–of–sale processing
equipment. The value of any single transaction is limited
to a certain amount.
CRReq
Card range request. A type of 3–D–secure procedure
message used to find the BIN cache.
CRRes
Card range response. A type of 3–D–secure procedure
message that contains the list of BIN ranges which are
taking part in 3D secure.
Directory server (DS)
The servers hosted by the card schemes, Visa and
MasterCard, that contain details on the cardholders and
card issuers enrolled in 3D secure.
ECI
e-commerce indicator. This confirms how protected
you are during the internet authentication process for
an internet transaction.
Embossed cards
Cards with raised letters and numbers which can be felt
and imprinted on a slip if necessary.
Encryption
The process of converting a message so that it cannot
be read.
Firewall
Computer hardware, software and physical measures
which prevent unauthorised access to and from a
private network or server.
Floor limit
The card schemes set floor limits. When a transaction is
above your floor limit, you must get authorisation.
HPP
Hosted payment page – the web page used to collect
the cardholder’s credit or debit card details, hosted
securely by another organisation.
HVP
High–value payments. This relates to contactless
transactions that are over the current limit we have set.
IAV
Issuer authentication value. A general term
that corresponds to either the Visa CAVV or
MasterCard AAV.
Internet transaction
Any payment transaction made by a cardholder,
using an electronic network, when the merchant is
not present.
MasterCard directory
A system operated by MasterCard which decides
whether a specific issuer and card number is taking
part in an authentication scheme, and if so, it returns
the URL of the appropriate access control server to
your 3D–secure service to allow you to correctly direct
your cardholder to the card issuer to authenticate a
transaction or enrol in an authentication scheme.
Merchant voucher summary (MVS)
The summary voucher which must accompany any
sales and refund vouchers when they are paid into a
Barclays branch or posted to the Financial Exceptions
Department for processing.
NFC
Near field communication. A set of standards
for devices, such as point–of–sale processing
equipment and contactless cards, to establish radio
communication with each other by touching them
together or bringing them close together.
PAReq
Payer authentication request. A type of 3–D–secure
procedure message. The message you send to the
ACS, containing relevant transaction details, when
the cardholder is redirected to the card issuing
bank for authentication or to be enrolled in an
authentication scheme.
PARes
Payer authentication response. A type of 3–D–secure
procedure message. The message returned to you by
the ACS or card–issuing bank confirming the outcome
of the internet authentication process.
Payment service providers (PSPs)
Companies who offer facilities for processing
e–commerce transactions to businesses who want
to trade over the internet.
PIN
Personal identification number. A unique 4–digit
number a cardholder will use to confirm that they
are the true cardholder.
Pop–up
An internet browser pop–up window, displayed within
the main browser page.
Pre–authorisation
Pre–authorisation allows you to estimate the final bill
and reserve those funds on the card. It is the process
of authorising a credit or debit card without actually
receiving the funds immediately. This is usually used for
hotel booking or car hire.
Processing equipment
Processing equipment means any item of
PIN-processing equipment including PEDs (PIN entry
device) you use to process any face-to-face transaction.
Recurring transactions
Regular card payments for goods or services such
as insurance premiums. These cannot be made with
Maestro cards.
Retrieval requests or Request for information (RFI)
This is a request from a card issuer for more
information or a copy of a transaction. In the case
of a postal or telephone order, this will be details of
the cardholder’s authority to take money from their
account, together with a copy of the sales voucher or
processing equipment receipt.
SecureCode
MasterCard’s term for their 3D–secure internet
authentication service for MasterCard–branded cards
and Maestro–branded cards.
Server
A central computer that makes services and
data available.
Split sale
A transaction which is split between more than one
card, or a combination of card, cash or cheque.
Supervisor control
A plastic card or a PIN code that is supplied with your
point–of–sale processing equipment that is used to
carry out supervisor actions on the device, for example,
to carry out the end–of–day banking procedure or to
process a refund.
Transaction laundering
This is the unacceptable practice of processing
someone else’s card transactions using your
merchant number.
UCAF
Universal cardholder authentication field. The data
field used by MasterCard and Maestro issuers to send
the AAV.
VbV
Verified by Visa. Visa’s term for their 3D–secure internet
authentication service for Visa–branded cards.
VEReq
Verify enrolment request. A type of 3–D–secure
procedure message. The message sent to Visa or
MasterCard’s directory server to confirm the enrolment
status of an individual cardholder.
VERes
Verify enrolment response. A type of 3–D–secure
procedure message. The message returned by Visa or
MasterCard’s directory server confirming the enrolment
status of an individual cardholder.
We, us, our
Barclays Bank PLC, Barclaycard.
XID
Transaction identifier. A reference used in the
3D–secure process to link the 3D–secure protocol
messages together.
You, your
The person, people or organisation shown as the
merchant or any agent or sub–contractor we have
approved. If two or more people are shown as the
merchant, each of you is responsible to us individually
as well as jointly.
Correct at time of publication (April 2015)
This document is also available in large print, in Braille and in audio
format by calling 0844 811 6666*.
We also offer a text relay or sign video service. For more information visit barclaycard.co.uk/accessibility
*Calls may be monitored or recorded in order to maintain high levels of security and quality of service. For BT business customers, calls to
0844 811 numbers will cost no more than 5.5p per minute, with a call costing at least 6p (current at April 2015). The price on non-BT phone
lines may be different.
www.barclaycard.co.uk/paymentacceptance
Barclaycard is a trading name of Barclays Bank PLC. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated
by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 122702). Barclays Bank PLC
subscribes to the Lending Code which is monitored and enforced by the Lending Standards Board. Registered in England No. 1026167.
Registered Office: 1 Churchill Place, London E14 5HP.
BCD112079BROB1