• do use any separate merchant identification numbers provided to you for Internet orders in all your requests for authorization and submission of charges.
• do provide at least 1 month's prior written notice to your acquirer of any change in your Internet address.

DON'TS
• don't exceed the percentage of your total payment card volume for Card Not Present sales, as set out in your application.
• don't submit a transaction for processing until after the goods have been shipped or the service has been provided to the cardholder - the only exception to this is where the goods have been manufactured to the cardholder's specifications and the cardholder has been advised of the billing details.
• don't accept card account numbers by electronic mail.
• don't require a cardholder to complete a postcard or other document that displays the cardholder's account number in clear view when mailed or send any mailing to a cardholder that displays personal information in clear view.

It is also recommended that, if feasible, you obtain and keep a copy on file of the cardholder's signature authorizing you to submit telephone and mail order transactions.

Address Verification Service (AVS) (and other fraud mitigation tools such as Verified by Visa®, Mastercard® Secure Code, Discover Protect Buy®, American Express® SafeKey, Card Validation Codes and Card Identification) does not guarantee against chargebacks; but, if used properly, they assist you in reducing the risk of fraud by confirming whether certain elements of the billing address provided by your customer match the billing address maintained by the card issuing bank. AVS also may help you avoid incurring additional interchange expenses. AVS is a separate process from obtaining an authorization and will provide a separate response.
A transaction may be authorized regardless of the AVS response. It is your responsibility to monitor the AVS responses and use the information provided to avoid accepting high-risk transactions.

If a disputed charge arises for a transaction conducted over the Internet or electronically, a chargeback may be exercised for the full amount.

For Discover Network transactions, please refer to Appendix 3 for the Discover Network protocol for Internet transactions.

Customer-activated terminals and self-service terminals

Transactions processed at customer-activated terminals and self-service terminals have specific requirements for processing. You must contact Customer Service for approval and further instructions before conducting customer-activated terminal transactions or self-service terminal transactions.

DO'S
• do only present for payment valid charges that arise from a transaction with a bona fide cardholder.

DON'TS
• don't set a minimum transaction amount of more than $10 for any credit cards or of any amount for debit cards or Alipay transactions.
• don't set a maximum transaction amount for any credit cards.
• don't establish any special conditions for accepting a card.
• don't make any cash disbursements or cash advances to a cardholder as part of a transaction with the exception of the Discover Network Cash Over service.
• don't accept any direct payments from cardholders for goods or services which have been included on a sales draft.
• don't require a cardholder to supply any personal information for a transaction (for example, phone number, address, driver's license number) unless (i) instructed by the Voice Authorization Center; (ii) presented an unsigned card; or (iii) processing a Card Not Present transaction.
• don't submit any transaction representing the refinance or transfer of an existing cardholder obligation which is deemed uncollectible, for example, a transaction that has been previously charged back, or to cover a dishonored check.
• don't submit sales drafts or credit drafts transacted on the personal card of an owner, partner, officer or employee of your business establishment or of a guarantor who signed your application form, unless such transaction arises from a bona fide purchase of goods or services in the ordinary course of your business.
• don't carry out factoring, that is, the submission of authorization requests or sales drafts for card transactions transacted by another business.

You are responsible for maintaining the security of your POS devices and for instituting appropriate controls to prevent employees or others from submitting credits that do not reflect bona fide returns or reimbursements of earlier transactions.

Please comply with the data security requirements shown below:

DO'S
• do install and maintain a secure firewall configuration to protect data.

CardCo2305

• do protect stored data, and do encrypt transmissions sent across open/public networks, using methods indicated in the Payment Card Industry Data Security Standard (PCI DSS) which is available at: www.pcisecuritystandards.org.
• do use and regularly update anti-virus software and keep security patches up-to-date.
• do restrict access to data by business "need to know". Assign a unique ID to each person with computer access to data and track access to data by unique ID.
• do regularly test security systems and processes.
• do maintain a policy that addresses information security for employees and contractors.
• do restrict physical access to cardholder information.
• do destroy or purge all media containing obsolete transaction data with cardholder information.
• do keep all systems and media containing card account, cardholder, or transaction information (whether physical or electronic) in a secure manner so as to prevent access by, or disclosure to any unauthorized party.
• do use only those services and devices that have been certified as PCI-DSS compliant by the payment organizations.

DON'TS
• don't use vendor-supplied defaults for system passwords and other security parameters.
• don't transmit cardholder account numbers to cardholders for Internet transactions.
• don't store or retain card verification codes (a three digit code printed on the back of most cards and a four digit code printed on the front of an American Express card) after final transaction authorization.
• don't store or retain magnetic stripe data, PIN data, chip data or AVS data - only cardholder account number, cardholder name and cardholder expiration date may be retained subsequent to transaction authorization.

For Internet transactions, copies of the transaction records may be delivered to cardholders in either electronic or paper format.

If you are receiving TransArmor services from us, the important DOs and DON'TS listed below apply to you:

DO'S
• do comply with the payments organization rules, including PCI DSS.
• do demonstrate and maintain your current PCI DSS compliance certification.
  Compliance must be validated either by a Qualified Security Assessor (QSA) with corresponding Report on Compliance (ROC) or by successful completion of the applicable PCI DSS Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC), as applicable, and if applicable to your business, passing quarterly network scans performed by an Approved Scan Vendor, all in accordance with payments organization rules and PCI DSS.
• do ensure that all third parties and software that you use for payment processing comply with the PCI DSS.
• do deploy the data protection solution (including implementing any upgrades to such service within a commercially reasonable period of time after receipt of such upgrades) throughout your systems including replacing existing card numbers on your systems with tokens.
• do use the token instead of card numbers for ALL activities after you receive the authorization response, including settlement processing, retrieval processing, chargeback and adjustment processing, and transaction reviews.
• do ensure that any POS device, gateway or VAR is certified by us for use with the data protection solution. If you are uncertain whether your equipment is compliant, contact a customer service representative at 866-359-0978.
• if you send or receive batch files containing completed card transaction information to/from us, do use the service we provide to enable the files to contain only tokens or truncated information.
• do use truncated report viewing and data extract creation within reporting tools provided by us.
• do follow rules or procedures we give you periodically regarding your use of the data protection solution.
• do promptly notify us of a breach of any of these terms.

DON'TS
• don't retain full card numbers, whether in electronic form or hard copy.
• don't use altered version(s) of the data protection solution.
• don't use, operate or combine the data protection solution or any related software, materials or documentation, or any derivative works thereof with other products, materials or services in a manner inconsistent with the uses contemplated in this section.

When accepting debit cards, you'll need to follow the specific requirements for each debit network, as well as the general requirements set out in this section.

DO'S
• do read the account number electronically from the magnetic stripe/chip for transactions authenticated with a PIN. If the magnetic stripe/chip is unreadable, you must request another form of payment from the cardholder.