• do use any separate merchant identification numbers provided to you for Internet orders in all your requests for authorization and submission of charges
• do provide at least 1 month's prior written notice to your acquirer of any change in your Internet address

DON'TS
• don't exceed the percentage of your total payment card volume for Card Not Present sales, as set out in your application
• don't submit a transaction for processing until after the goods have been shipped or the service has been provided to the cardholder - the only exception to this is where the goods have been manufactured to the cardholder's specifications and the cardholder has been advised of the billing details
• don't accept card account numbers by electronic mail
• don't require a cardholder to complete a postcard or other document that displays the cardholder's account number in clear view when mailed or send any mailing to a cardholder that displays personal information in clear view

It is also recommended that, if feasible, you obtain and keep a copy on file of the cardholder's signature authorizing you to submit telephone and mail order transactions.

Address Verification Service (AVS) (and other fraud mitigation tools such as Verified by Visa®, Mastercard® Secure Code, Discover Protect Buy®, American Express® SafeKey, Card Validation Codes and Card Identification) does not guarantee against chargebacks, but, if used properly, they assist you in reducing the risk of fraud by confirming whether certain elements of the billing address provided by your customer match the billing address maintained by the card issuing bank. AVS also may help you avoid incurring additional interchange expenses. AVS is a separate process from obtaining an authorization and will provide a separate response. A transaction may be authorized regardless of the AVS response. It is your responsibility to monitor the AVS responses and use the information provided to avoid accepting high-risk transactions.

If a disputed charge arises for a transaction conducted over the Internet or electronically, a chargeback may be exercised for the full amount.

For Discover Network transactions, please refer to Appendix 3 for the Discover Network protocol for Internet transactions.

Customer-activated terminals and self-service terminals

Transactions processed at customer-activated terminals and self-service terminals have specific requirements for processing. You must contact Customer Service for approval and further instructions before conducting customer-activated terminal transactions or self-service terminal transactions.

DO'S
• do only present for payment valid charges that arise from a transaction with a bona fide cardholder

DON'TS
• don't set a minimum transaction amount of more than $10 for any credit cards or of any amount for debit cards or Alipay transactions
• don't set a maximum transaction amount for any credit cards
• don't establish any special conditions for accepting a card
• don't make any cash disbursements or cash advances to a cardholder as part of a transaction with the exception of the Discover Network Cash Over service
• don't accept any direct payments from cardholders for goods or services which have been included on a sales draft
• don't require a cardholder to supply any personal information for a transaction (for example, phone number, address, driver's license number) unless (i) instructed by the Voice Authorization Center, (ii) presented an unsigned card, or (iii) processing a Card Not Present transaction
• don't submit any transaction representing the refinance or transfer of an existing cardholder obligation which is deemed uncollectible, for example, a transaction that has been previously charged back or to cover a dishonored check
• don't submit sales drafts or credit drafts transacted on the personal card of an owner, partner, officer or employee of your business establishment or of a guarantor who signed your application form, unless such transaction arises from a bona fide purchase of goods or services in the ordinary course of your business
• don't carry out factoring, that is, the submission of authorization requests or sales drafts for card transactions transacted by another business

You are responsible for maintaining the security of your POS devices and for instituting appropriate controls to prevent employees or others from submitting credits that do not reflect bona fide returns or reimbursements of earlier transactions.

Please comply with the data security requirements shown below.

DO'S
• do install and maintain a secure firewall configuration to protect data

CardCo2305
A TRUE COPY

• do protect stored data and do encrypt transmissions of data sent across open/public networks, using methods indicated in the Payment Card Industry Data Security Standard (PCI DSS), which is available at www.pcisecuritystandards.org
• do use and regularly update anti-virus software and keep security patches up-to-date
• do restrict access to data by business "need to know". Assign a unique ID to each person with computer access to data and track access to data by unique ID
• do regularly test security systems and processes
• do maintain a policy that addresses information security for employees and contractors
• do restrict physical access to cardholder information
• do destroy or purge all media containing obsolete transaction data with cardholder information
• do keep all systems and media containing card account, cardholder, or transaction information (whether physical or electronic) in a secure manner so as to prevent access by, or disclosure to, any unauthorized party
• do use only those services and devices that have been certified as PCI DSS compliant by the payment organizations

DON'TS
• don't use vendor-supplied defaults for system passwords and other security parameters
• don't transmit cardholder account numbers to cardholders for Internet transactions
• don't store or retain card verification codes (a three digit code printed on the back of most cards and a four digit code printed on the front of an American Express card) after final transaction authorization
• don't store or retain magnetic stripe data, PIN data, chip data or AVS data - only cardholder account number, cardholder name and cardholder expiration date may be retained subsequent to transaction authorization

For Internet transactions, copies of the transaction records may be delivered to cardholders in either electronic or paper format.

6. TransArmor Services

If you are receiving TransArmor services from us, the important DOs and DON'Ts listed below apply to you.

DO'S
• do comply with the payments organization rules, including PCI DSS
• do demonstrate and maintain your current PCI DSS compliance certification. Compliance must be validated either by a Qualified Security Assessor (QSA) with corresponding Report on Compliance (ROC) or by successful completion of the applicable PCI DSS Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC), as applicable, and if applicable to your business passing quarterly network scans performed by an Approved Scan Vendor, all in accordance with payments organization rules and PCI DSS
• do ensure that all third parties and software that you use for payment processing comply with the PCI DSS
• do deploy the data protection solution (including implementing any upgrades to such service within a commercially reasonable period of time after receipt of such upgrades) throughout your systems including replacing existing card numbers on your systems with tokens
• do use the token instead of card numbers for ALL activities after you receive the authorization response, including settlement processing, retrieval processing, chargeback and adjustment processing, and transaction reviews
• do ensure that any POS device, gateway or VAR is certified by us for use with the data protection solution. If you are uncertain whether your equipment is compliant, contact a customer service representative at 866-359-0978
• if you send or receive batch files containing completed card transaction information to/from us, do use the service we provide to enable the files to contain only tokens or truncated information
• do use truncated report viewing and data extract creation within reporting tools provided by us
• do follow rules or procedures we give you periodically regarding your use of the data protection solution
• do promptly notify us of a breach of any of these terms

DON'TS
• don't retain full card numbers, whether in electronic form or hard copy
• don't use altered version(s) of the data protection solution
• don't use, operate or combine the data protection solution or any related software, materials or documentation, or any derivative works thereof with other products, materials or services in a manner inconsistent with the uses contemplated in this section

When accepting debit cards, you'll need to follow the specific requirements for each debit network, as well as the general requirements set out in this section.

DO'S
• do read the account number electronically from the magnetic stripe/chip for transactions authenticated with a PIN. If the magnetic stripe/chip is unreadable, you must request another form of payment from the cardholder