Procedure guide. For a smoother operation

Transcription

1 Procedure guide For a smoother operation

2 Welcome to Barclaycard Global Payment Acceptance About this document This procedure guide along with the Terms and Conditions and Additional Service Conditions you subscribed to gives you the information you need for your business to accept payments. This guide contains some critical information about the risks associated with accepting payments, and gives details of the steps that you should follow to help raise your awareness of risks and reduce as far as possible, your exposure to these risks. Barclaycard Merchant number For ease when you contact Barclaycard, please have your merchant number ready. You can keep a record of it here: This forms part of your agreement with us and will allow you and your business to accept payments. For your own benefit and protection, we recommend that you read this document carefully. Please make sure you keep this guide in a safe place, where your employees who use it have easy access to it, but out of reach of your customers and anyone else. 2

3 Changes to your business To make sure that you are receiving the services that are most appropriate for your business, please let us know if any of the following changes take place (you can contact our Customer Services team on ): The type of business you have been carrying out since you signed the original merchant agreement changes, including changes to the goods or services you provide If you start to use other channels If you change the name of your business If you sell your business or change its legal entity If there is a significant change in shareholding If you stop trading If your business enters any form of insolvency procedure You will also need to tell us if you change your: Business address Correspondence address Contact details Phone number We must have up-to-date records on you and your business so we can contact you if needed. Protecting you and your business Being aware of bogus and phishing s We will never you asking for transaction or card details. If you receive an claiming to be from us and asking for details of your transactions, please do not respond to the (known as a phishing ). Instead, please do the following: Open a new and attach the phishing . Do not forward it as this will lose potentially important information we need to trace the message Send your with the attachment to: internetsecurity@barclays.com To report any of these instances contact: internetsecurity@barclays.com Transaction laundering and third-party processing If you are approached with a proposal to buy card transactions or process another business transaction through your facility, please contact us on This is called laundering and breaks the terms of your agreement. 3

4 Contents Payment acceptance Card present Card not present Accepting Card Present transactions Barclaycard processing equipment 7 Using your own processing equipment or one supplied by another company 7 Plastic card designs 8 Accepting cards best practice 9 Accepting card payments Accepting cards with a chip 9 Accepting non-chip cards 9 Accepting contactless payments 10 Contactless payments using other technology and items 10 High-value payment (HVP) 10 Transactions entered using the keys 10 Verifying card payments Verifying cardholders using chip and PIN 11 Verifying cardholders by signature 11 Authorisations 11 Voice authorisation 11 Code-10 calls for card-present transactions 12 Referrals for card-present transactions 12 Split Sales 12 Exchanges 13 Processing a fall-back paper voucher 14 Failure of the chip to read or swipe 16 Banking procedures and other services Sales and refund vouchers 17 Completing your merchant voucher summary (MVS) 17 Posting vouchers 18 Preventing and detecting fraudulent card-present transactions 18 Returning wanted or recovered cards 18 Reward scheme 19 Other services Dynamic currency conversion (DCC) 19 Accepting Card Not Present (CNP) transactions e-commerce, mail and telephone order 19 Authorising Card Not Present transactions 20 Shipping goods and providing services 20 Recurring transactions 20 Accepting payments over the internet (e-commerce) 20 Website information 20 Transaction receipts 21 Using an accredited payment service provider (PSP) to accept e-commerce payments 22 Accepting payments over the internet using your own software 22 Using our payment gateway for accepting payments 22 Requirements for merchants not using the Hosted Payment Page (HPP) Security of card data 23 4

5 Accepting Mail Order and Telephone Order (MOTO) payments 23 Taking telephone orders 23 Preventing and detecting fraudulent card-not-present transactions 23 Tools for monitoring fraud Card Security Code (CSC) and Address Verification Service (CSC/AVS) 24 Internet authentication (3-D Secure) Fraud-screening 24 Further advice for internet transactions 24 Refunds 25 Other services Dynamic currency conversion for e-commerce transactions 25 Chargeback and retrieval requests What is a retrieval request? 26 Responding to retrieval requests and chargeback letters 27 Faxlink service 27 To help reduce the risk of chargebacks 27 Timescales for chargebacks 28 Payment security 29 What is PCI DSS? 29 What information must be securely stored? 29 What information must not be securely stored at any time? 29 What you must do to keep to PCI DSS 30 Demonstrating that you are keeping to the PCI DSS 31 Card-scheme-approved qualified security assessor 32 Approved scan vendors 32 Further action you may need to take 32 Data compromises 32 The results of a data compromise 33 Other organisations that store, transmit or process your cardholder data 33 If you fail to keep to PCI DSS 33 Protecting cardholder information 34 Storing your records 34 Understanding your statement What will the statement look like 35 Transaction payment advice 35 Periodic statement 35 Advice on the details of the service charge 35 If you have a question about a merchant invoice and statement you have received 35 Exceptional procedures Can I pass charges to my customer? 36 Minimum charging 36 Internet authentication Authenticating cardholders successfully 37 How do I use the internet authentication service? 37 Types of authentication 37 Full authentication 37 Attempted authentication 37 Passive authentication 38 The main benefit of authentication transferring liability 39 Levels of protection 39 Displaying the Verified by Visa and SecureCode logos 39 Using our 3-D Secure solution Your responsibilities 39 Our responsibilities 40 Message values 40 5

6 Direct to card schemes 40 Your responsibilities 40 Our responsibilities 41 Transaction records 41 Card issuer pop up or in-line window 41 Your authentication merchant information 41 Message values 42 BIN cache 42 Keeping to the card scheme 42 If authentication fails 43 If authentication fails for Visa transactions 43 If authentication fails for MasterCard and Maestro transactions 43 Mistake during authentication for Visa transactions 43 Error during authentication for MasterCard and Maestro transactions 43 Passing authentication values 44 Error conditions 44 Scheme directory server unavailable 44 Hosted authentication service not available 44 Cardholder browser suppresses pop-up window 45 Own authentication software not available 45 Chargeback reason codes included 45 Pre-authorisation 47 End of hire period 47 Accidents or damage to the vehicle 48 How to deal with delayed charges 48 Accepting split sales 49 Your refund policy 49 Extended hire 49 Disputed transactions 50 Lodging and accommodation Best guide for reducing chargebacks 50 Advance booking tips 50 Tips for phone bookings 50 Tips for fax or mail bookings 50 Tips for online bookings 50 Extra checks for all transactions 50 MasterCard guaranteed reservations 50 Visa guaranteed reservations 51 Taking advance lodging deposits 51 Your cancellation policy 51 Guests arrival and check-in 51 Pre-authorisation 51 Pre-authorisation departures and check out 51 Express and priority check out 51 Extended stays 51 Vehicle rental companies Best practice guide for reducing chargebacks 46 Tips for phone reservations 46 Tips for taking fax or mail reservations 46 Tips for taking online reservations 46 Extra checks for all transactions 46 Guaranteed reservation for Visa 46 Your cancellation policy 47 Your no-show policy 47 Collecting the vehicle 47 Processing delayed or amended charges 51 Disputed transactions 52 Information and chargeback requests 52 Your no-show policy 52 No-show charges 52 Express and priority check out charges 52 Other charges 52 Contact numbers 53 Glossary and terminology 54 6

7 Payment acceptance We can help you to accept payments from your customers in a number of environments using various payment methods. There are two main environments where payments can be accepted. Card Present (CP) When the cardholder is in front of you and has their card with them at the time of the transaction and you take the payment either by reading the chip, by swiping the card through the processing equipment, or by using contactless technology. Card Not Present (CNP) When the cardholder and card are not with you at the time of the transaction. A Card Not Present transaction can take place: Over the internet (e-commerce) By mail order or by telephone order (MOTO) As a recurring transaction, where the cardholder gives you authority to charge a fixed or varying amount at intervals agreed between you and the cardholder (you would take the agreed amounts from the cardholder s card for subscriptions, membership renewals and regular premiums Using tokenisation, where a cardholder has agreed that you may take extra payments from their card at a later date without them having to give you their card details each time The transaction types you can accept are shown in your agreement with us. You must make sure that you tell us if you want to process any other types of transaction. Accepting Card Present transactions You can accept card payments using processing equipment that we have either supplied (referred to as Barclaycard processing equipment ) or by using an approved processing equipment of your own or one supplied by another company. You must make sure that your processing equipment can take both chipand-pin and magnetic-stripe payments. If you are using your own processing equipment you must make sure that you regularly carry out asset management. Asset management involves recording all stock and serial numbers for each processing equipment you have, the location and basic electronic and physical identification used to authenticate each processing equipment. Your processing equipment must keep to the PCI DSS standard. Barclaycard processing equipment If you are using Barclaycard processing equipment, please make sure you and your staff read the PDQ Terminal Operating Guide, see the terminal section of our website at: along with this guide before you start using the device. Please see the Terminal User Guide for important safety information about the equipment and its use, and for relevant information on keeping to our conditions. It is important that you look after your processing equipment and make sure you keep all liquids away from the device. If damage to your device results in it not working, it may need to be repaired before you can accept transactions. If you damage your processing equipment, we may charge you to replace it. Using your own processing equipment or one supplied by another company If you are using your own processing equipment or one supplied by another company, we will need to test and approve it before you use the equipment for live transactions. You must tell us who your supplier is. You can contact our Customer Services team on You are responsible for making sure your supplier keeps to the Payment Card Industry Data Security Standard (PCI DSS) and for making sure the equipment meets industry security standards. If the supplier fails to meet these standards, it will mean you are not keeping to some of these regulations and the card schemes may charge you penalties as a result. 7

8 Plastic card designs There are many different designs for credit and debit cards. You should become familiar with the basic features (such as the card number, chip and so on) on most cards issued by banks and financial institutions. If you do not follow the basic checks, you may be accepting a fraudulent card, which may lead to unavoidable chargebacks. Most processing equipment allow the cardholder to insert their card into the device themselves. However, if you have processing equipment that allows you to handle the card, there are some visual checks which you can carry out before accepting the payment. Visa Cardholder number 16-digit account number with first 4 digits printed below Visa symbol or logo Magnetic stripe Can be a traditional stripe or a hologram (one or a number of flying doves) Chip Embedded microchip Hologram Flying dove (optional on Visa Electron cards) CVV2 Can also be on signature strip Card type identification Electronic use only may appear on electronic cards Cardholder s name Can be embossed or not. VPay cards are printed Card valid from and to dates Can be embossed or not. VPay cards are printed V or UV element Contactless acceptance Hologram Plain silver or gold background, the dove flies and changes colour when the card is tilted. Can appear on the front of Electron cards Last four digits of the card number May not appear on Visa electron cards issued outside UK Signature strip Visa repeated. Some international cards will have a message on the strip and will not be signed. Ask for ID such as a driving licence or passport or make a code 10 call. Strip can be shortened MasterCard Chip Embedded microchip Cardholder s number 16-digit account number starting with 5 (embossed or not) with first 4 digits printed below MasterCard symbol Hologram MasterCard Globe, which changes colour, must appear unless the hologram or halomag stripe appears on the back of the card Magnetic stripe or halomag stripe Maestro cards can carry cheque guarantee details or branding for an ATM network. This can be on the front or back of the card. Maestro cards can also hold a photograph of the cardholder and a signature on the front of the card Symbol/Logo The symbol is linked circles in red and orange with MasterCard printed in the middle of them CVV2 Can also be on signature strip Cardholder s name Can be embossed or not Card valid from and to dates Can be embossed or not Hologram Can be debit or global hologram Signature strip MasterCard repeated. The card must be signed. Some international cards will have a message on the strip and will not be signed. Ask for ID such as a driving licence or passport or make a code 10 call JCB Cardholder number An embossed 15 or 16-digit account number with first 4 digits printed above or below Magnetic stripe Can be a traditional stripe Chip Embedded microchip Card valid from and to to dates Hologram Sun, moon and JCB characters move when card is tilted Symbol or logo 3-digit card security code Cardholder s name Always embossed Signature strip The card must be signed 8

9 Accepting cards best practice Make sure that the card is valid and in date Rub your thumb over the signature strip (it should be smooth and level with the surface of the card) and also check that no part of the card has been damaged or tampered with If you ask the cardholder to sign the transaction receipt, check that their signature matches that shown on the back of the card Check that the last four digits of the cardholder number printed on the receipt match the last four digits of the embossed account number on the front of the card. If they do not, you must ring for an authorisation and say, I have a card number mismatch. If you cannot speak freely, just say, I have a code-10 call. (Please see the code-10 calls for card-present transactions section of this guide on page 12) Check that the spelling of the signature (if you can read it) corresponds with that of the name embossed or printed on the card Check the hologram moves as you tilt the card back and forth. Counterfeit cards use poor reproductions so it can be easy to identify a fake with a quick glance You must make sure you can accept chip-and-pin and magnetic-stripe cards. Accepting card payments Accepting cards with a chip In the UK, cards are issued with a microchip (chip). However, cards issued outside the UK may have embedded chips but they may require different methods of cardholder verification, for example signature. Chip and PIN is currently one of the most secure methods of card payment available. Your processing equipment must be chip enabled and you must accept transactions using chip and PIN technology where possible to avoid a higher risk of being liable for fraudulent transactions. The card should be inserted into the chip card reader (see the Verifying card payments section on page 11). If the processing equipment cannot read the chip, you are allowed one level of fall-back and you may process the transaction by swiping the magnetic stripe through your device (see the section on accepting non-chip cards and using a non-chip-enabled terminal). You need to make sure that you get authorisation at the time of processing the transaction. Authorisation confirms that the account has enough funds for the transaction and that the card has not been reported lost or stolen at the time of the transaction. It is not a guarantee of payment. If the genuine cardholder disputes the transaction, you may be liable for the resulting chargeback if you cannot provide a defence. Accepting non-chip cards Your processing equipment should have online access and read non-chip-enabled cards. If you are presented with a non-chip-enabled card, swipe the card through the processing equipment using the magnetic-stripe reader. You must get an online authorisation. If the processing equipment cannot read the magnetic stripe (and the card does not have a chip), ask the customer for another form of payment. If they do not have another form of payment, you may process the transaction as a transaction entered using the keys. However, this will increase the risk of processing a fraudulent transaction and receiving a chargeback claim (see the section Transactions entered using the keys on page 10 of this guide). 9

10 Accepting contactless payments A contactless transaction is a transaction that is processed using near field communications (NFC) technology, where the payment instructions are shared securely between a contactless card or other item and processing equipment which has contactless technology enabled. The contactless reader can be a separate reader or part of your processing equipment. A contactless transaction takes place when the cardholder places the card, item or device over a secure reader. They do not need to enter their PIN unless it is for a high-value payment (HVP). You can identify a contactless card as it will display the following symbol: There is a limit for an individual contactless-card transaction. You can find the current limit at: On Barclaycard processing equipment you can also carry out a contactless refund up to the value of the current limit. If the transaction cannot be completed using contactless technology, carry out a chip-and-pin transaction. Or, if the card was issued outside the UK and does not have a chip, carry out a magneticstripe transaction. Occasionally the processing equipment may tell you to change a contactless transaction to a chip-and-pin transaction. This is a security measure aimed at making sure that the person with the card is authorised to use it. Cardholder copies of receipts are optional. We have configured our processing equipment to only print a merchant receipt after a contactless transaction. For information on how to print a cardholder receipt, please see your Terminal Operating Guide. Contactless payments using other technology and items (payment form factors) Contactless technology can be embedded into other technology and items such as watches, wristbands, mobile phones and key fobs. For these types of transactions, the processing equipment will go online to check that funds are available. The processing equipment will not ask for a PIN as it does not need to check this. If the transaction fails, the cardholder should use either the associated card or another method of payment. High-value payment (HVP) We can configure point-of-sale devices to support HVP contactless transactions. HVP transactions are most likely to be made using a mobile phone to carry out the transaction and they need some method to confirm the cardholder is genuine, such as a PIN, to complete the transaction. Transactions entered using the keys If the card presented for payment has a magnetic stripe and fails to swipe through your processing equipment, you can enter the transaction into the device using the keys while the customer is with you. Please make sure you follow the procedure shown in the card chip-read/ swipe failure section in this guide. Make sure that your processing equipment goes online to get authorisation for the transaction. If a transaction fails to swipe, you should call for an authorisation on If you are suspicious about the transaction, quote code 10 as an anti-fraud measure. If you have a record of an approved code-10 authorisation, this will protect you from chargebacks. See the Voice authorisation section of this guide for more information. 10

11 Please remember You cannot enter transactions using the keys for Maestro, Visa Electron, V Pay and unembossed cards. If chip and PIN or swipe (or both) fail for these types of card, you should ask the cardholder for another method of payment. To prove you saw the card at the time of the transaction, take an imprint of the card using your manual imprinter. This will help you provide a defence if the card issuer raises a chargeback claim against you. 1. Fill in the voucher details in full and get the cardholder s signature on the paper voucher. 2. Enter the card details into the electronic processing equipment using the keys. You will automatically be credited for transactions entered using the keys on your processing equipment, so you do not need to send the paper voucher for processing. But make sure you keep the paper vouchers for 13 months along with the processing equipment receipts so you can produce them as proof that you saw the card when the transaction was carried out, in case you need to. If you cannot provide an imprinted voucher for these transactions at a later date, it could mean we will charge the transaction back to your business. Verifying card payments Verifying cardholders using chip and PIN When a card with a chip is inserted into the chipcard reader, the processing equipment will ask the cardholder to enter their PIN (personal identification number) to confirm the transaction. The processing equipment will ask for authorisation for all chip-and-pin transactions. If authorisation is declined, do not go ahead with the transaction as we will not be able to defend you if the transaction is charged back at a later date. Ask the customer for another method of payment. Do not swipe the card or enter the details using the keys on the device. If your point of sale equipment is not able to read the chip, you should complete the transaction as a magnetic stripe transaction and confirm it using the customer s signature. Verifying cardholders by signature There may be instances where you cannot check the identity of the cardholder using their PIN and so you may need a signature to confirm their identity. Authorisations For card-present transactions, you must get an authorisation at the time of the transaction, either as a pre-authorisation for the expected value of a transaction (such as a hotel or car-hire bill) or as authorisation of the actual amount. For more information on how to complete a pre-authorisation, see your Terminal User Guide. Authorisations are either done online through your processing equipment or you can phone for an authorisation on You do not need authorisation for offline devices if the transaction value is below the agreed floor limit. For transactions that are over the floor limit, the processing equipment will try to get online authorisation and may instruct you to get authorisation by phone. Voice authorisation When you process a card payment electronically, in most instances your processing equipment will automatically communicate with the card issuer for an authorisation. However, your processing equipment may instruct you to call our authorisation service or you may choose to call the authorisation service without having received an instruction. A voice authorisation asks for confirmation that the cardholder has enough funds available on their account and checks the card has not been reported lost or stolen at the time of the transaction. You may need to get a voice authorisation for one or more of the following reasons: If the sale is more than your floor limit If you are suspicious in any way about the card or cardholder (see Code-10 calls for card-present transactions for details) If your processing equipment instructs you to If you have to use fall-back vouchers due to a fault with your processing equipment A voice authorisation does not confirm the cardholder s identity or guarantee payment. If you need to change the amount of the transaction after the authorisation, cancel the original transaction and get a new authorisation for the new amount. This will make sure the correct amount is taken out of the cardholder s account. For more information on our voice authorisations, please see our website: existing-customers/voice-authorisations 11

12 Code-10 calls for Card Present transactions If you or your staff are in any way suspicious about a card, the person making the payment or the circumstances surrounding a transaction, you must call for an authorisation on This may mean you can then defend any fraudulent transaction from being charged back to your business: You will be asked for your merchant number and then for the type of transaction If you are suspicious and cannot speak freely and want to avoid a confrontation, you will be given the option to say, This is a code-10 call or press 9 You will be asked for the card number, followed by the expiry date and the issue number (if this applies) and will be given options to choose from depending on the type of call you are making After this, you will be connected to an operator who will ask a series of questions which you should answer with a yes or no Remember to keep the card and the goods out of reach of the customer If you have any surveillance equipment, switch it on If the operator asks you to keep the card, tell the customer politely. Code 10 is only available for Card Present transactions where we may ask to speak to the cardholder. It is not available for transactions where the cardholder is not present, such as mail, telephone and e-commerce transactions. In card-not-present circumstances, we cannot guarantee that the person carrying out the transaction is the genuine cardholder. Referrals for Card Present transactions Occasionally, when processing transactions, the company which issued the card may ask for a referral and the processing equipment will instruct you to call for an authorisation. A referral may happen when the card issuer asks us to contact them before releasing a decision. Our aim is to process the referral in a quick and efficient way to reduce the time spent processing the transaction. On most occasions we will ask you to put the cardholder on the phone. Simply follow our customer service advisor s instructions, and once we have spoken to the person who has given you the card and the card issuer, we will give you a decision. Split sales Sometimes, a cardholder will ask to split the payment for something between several cards, or between a card and cash or a cheque. It is important that you follow the instructions below to make sure you understand when you can and when you cannot split a transaction as instructions vary depending on each possible scenario. 1. If several cardholders ask you to split a transaction amount into smaller amounts so that they all pay part of a bill, this is allowed. For example, in a group booking in a restaurant, each person will ask to pay either their own bill or part of the total bill. You are allowed to split the total bill between each cardholder. To prevent future disputes, always make sure each cardholder agrees the amount they will pay by making sure that you process separate transactions for each card. Each transaction must be verified by the cardholder s PIN or signature as prompted by your processing equipment. Please make sure each cardholder receives a copy of the transaction receipt which applies to the agreed amount. This may or may not include a gratuity (tip) as agreed by the cardholder. 2. If one cardholder asks you to split a transaction amount across more than one card (possibly issued by different card issuers), you may go ahead as follows: Only go ahead with the transaction if you are not suspicious of the transaction or person with the card Make sure each card is issued in the same cardholder name (if the name appears on each card) Follow the normal card-acceptance procedures as shown in this guide 12

13 Split sales may usually take place when accepting largevalue transactions where the cardholder may not have enough credit available on one card. The cardholder may ask to pay part of the total amount by cash or cheque. Make sure any cheque payment is also issued in the cardholder s name. We recommend you only allow a cardholder to split a transaction over more than one card if: The cardholder has their card with them in front of you (we strongly recommend you do not split a sale on several cards for any telephone, mail-order or e-commerce transaction as you cannot confirm that your customer is the genuine cardholder and so you may be at risk of chargeback claims if the transaction is fraudulent) Each transaction is authorised (no matter what floor limit you may operate) The cardholder clearly agrees to how much is charged to each card and is given transaction receipts 3. If authorisation is refused on a transaction, do not split the transaction into smaller amounts in an attempt to get authorisation as this may result in chargeback claims against you. If you try to split a sale, any transaction may be charged back. We will not be able to defend you from these chargebacks. Exchanges You do not need to carry out any other procedure if a cardholder exchanges a purchase for goods of the same value If the value of the new purchase is less than that of the original, you will need to make a refund transaction for the difference of the cost. You should process refunds on the same card as the original sale. If the original card has been lost or stolen, the refund can be applied to the new account or card. For any other type of card closure (for example, the cardholder has closed their account), you must refund the card number used in the original transaction If the value of the new purchase is more than the original, carry out a sale for the difference in cost. You will need to get authorisation even if the amount is below your floor limit. Please remember, you cannot make refunds using cash or cheque 13

14 Processing a fall-back paper voucher If you are using Barclaycard processing equipment, we will give you a manual imprinter in case your processing equipment fails. Please make sure that your imprinter and paper vouchers are to hand and you get a telephone authorisation for each transaction. You should only use the fall-back paper vouchers in exceptional circumstances, for example, if your processing equipment is out of use because: Your phone line is faulty The device itself is faulty You cannot process Maestro, Visa Electron, VPay and unembossed cards using paper vouchers. You can only process these cards electronically. Please remember authorisation from the card issuer is not a guarantee of payment nor does it confirm that the person who presents the card is the genuine cardholder. The card issuer can charge the card payment back to you even if it has been authorised and particularly if you did not follow the correct procedures. If you rent Barclaycard processing equipment, you must report all faults to our Customer Services Department on Carry out all normal checks of the card. Please see the Plastic card designs section of this guide on page Place the card face up on the imprinter. 3. Place the sales voucher, face up, over the card and operate the imprinter. 4. Remove the sales voucher and card from the imprinter. 5. Using a ballpoint pen write the following details clearly: The date The amount of each item The transaction total (you must not split a sale split sales are at your own risk and could be charged back) Details of what was bought. Please do not just write Goods as this is not acceptable 6. If the customer is using a purchasing card, they may need a customer reference number to be recorded in the relevant boxes on the sales voucher. 7. If you are selling fuel, use the For Merchant Use Only boxes on the sales voucher to record the vehicle registration number. 8. Ask the cardholder to sign the sales voucher in the box shown. Hold the card and watch while the voucher is being signed. 9. Check that the signature on the sales voucher matches the signature on the back of the card. 10. Check that the spelling of the signature (if you can read it) matches that of the name embossed on the card and check that the card is in date. If a title is shown on the card, make sure it matches the sex of the person giving you the card. 11. Check the signature strip to make sure that no attempt has been made to disguise the original signature. 12. You must get voice authorisation by calling authorisations on Ask for a standard authorisation. 13. If the transaction is authorised, you will be given an alphanumeric (a mix of numbers and letters) authorisation code by a voice-response service. Write the code in the appropriate box on the sales voucher. Tear off the cardholder copy of the sales voucher and hand it to the customer with their card and goods. 14. If the request is refused, no reason will be given and you should return the card to the customer unless the operator tells you otherwise and ask for another form of payment. 15. If the transaction is referred to an operator, you should follow their instructions, including passing the phone to the cardholder if needed. 16. Once the procedure has been completed and all the necessary checks have been carried out, you must make sure that you have recorded the details of the transaction on all copies of the sales voucher. You should then tear off the cardholder copy of the voucher and hand it to the customer with their card and goods. 17. Key in the transaction when your processing equipment is working again. If you are using Barclaycard processing equipment, you should do this as a forced sale (at the READY prompt, press MENU and select Force Sale from the TRANSACTION MENU then follow the terminal instructions). This will prevent a second authorisation code being given or the transaction being refused. Take care when keying the card details in to make sure that they are correct. If at a later date, the transaction is charged back due to invalid details being put in, your company may have a chargeback taken. 18. If the transaction is accepted, store the sales voucher somewhere safe in case there is a dispute about it. Do not bank the voucher as the processing equipment will credit the amount into your bank account. 14

15 19. If when entering the transaction using the keys you receive a Declined Authorisation message, fill in the sales voucher and send the sales voucher to us for processing. See the Sales and refund vouchers section in this guide We may honour the transaction as long as you have authorisation where needed (in other words, at the time the transaction was carried out with the cardholder present, you followed all the procedures correctly and reported the fault to us, so that it shows on our log reports). 20. If you have not been able to key in any vouchers to your point-of-sale processing equipment, pay the vouchers into your bank account within two banking days (see the Sales and refund vouchers section of this guide). Remember, we will not accept altered vouchers. If you make a mistake when entering the details of a transaction, you must destroy the incorrect voucher and start again. Never pin, staple, fold or damage vouchers as this may cause processing problems. If you are suspicious about the card, the person using it or the circumstances of the transaction, you must follow the Code 10 procedure. Card imprinter Sales voucher 15

16 Failure of the chip to read or swipe The following information will help you and your company reduce losses through counterfeit fraud. Most of your card transactions will be chip-read or swiped through your electronic processing equipment with no problems. However, there may be times when your processing equipment cannot read the chip or magnetic stripe. You are allowed one level of fall-back, so if the device cannot read the chip, you can fall back to using the magnetic stripe. Or, for a non-chip card, if the device cannot read the magnetic stripe, you may need to manually enter the card number embossed on the front of the card using the processing equipment keys. If you have chip-enabled processing equipment, you should find chip cards will not usually fail to read the chip. You may find that if you enter the details using the keys or swipe the magnetic stripe on a chip card the issuer may refuse the card. This is for increased security. If this is the case, follow the processing equipment prompts, which may mean you have to speak to our authorisation department. Please make sure you follow their instructions. Only give the card back to the customer if you are not asked to keep it. When a card transaction is processed in this way, a number of very important security checks, usually carried out by the electronic processing equipment, are avoided. It is clear that some fraudsters are aware of this and are taking advantage of the opportunities. Under Visa and MasterCard Card Scheme Regulations, a card issuer has the right to ask to see an imprinted verification voucher signed by the cardholder. If you fail to provide this, the card issuer has the right to charge the transaction back to you. To protect your business from losses and reduce the risk of chargebacks when a card fails to be read by your electronic processing equipment, you should do the following: Enter the card number, embossed on the front of the card, using the processing equipment keys and get authorisation As well as manually entering the card number into the processing equipment, imprint a sales voucher and fully fill in the verification voucher. (This must be signed by the customer and you should write the words For verification only this voucher is not for banking on the voucher.) Pass the customer copy to the customer along with the processing equipment receipt. If you need a supply of pre-printed verification vouchers, please call Please do not bank the verification (or sales) voucher as your processing equipment will still process the transaction in the usual way Banking the verification or sales voucher will cause the cardholder s account to be debited twice. The voucher is simply your proof that the card was present at the point of sale. You can then use it to prove the transaction was valid if the customer then disputes it You should keep the merchant copy of the processing equipment receipt and the verification (or sales) voucher together in case of any future query. If you fail to provide copies and a card issuer does have a query, it could result in a chargeback and losses to your business. You need to fill in the verification voucher fully and include full details of the goods or services bought. Do not just write Goods. Make sure you write the authorisation code provided by the authorisation department 16

17 You can only process Maestro card transactions and Visa electron and V Pay cards that are un-embossed electronically (by swiping the magnetic stripe or reading the chip). You cannot enter the details using the keys for printed cards as you will not be able to take an imprint of the card as proof of the card and cardholder being present at the time of the transaction. If a Maestro, Visa electron or VPay card fails to chip-read or swipe through, you should ask your customer for another form of payment as there is no chargeback defence if the card fails to swipe. Banking procedures and other services Please make sure that you follow the end-of-day banking procedure (as shown in your Terminal Operating Guide) to make sure you receive payment for all transactions. It is essential that you send all transactions for payment within two working days of being accepted. If you send a transaction after two working days, the card issuer may reject the transaction, resulting in it being charged back. We will not be able to defend you from these chargebacks: If your processing equipment is not working, please make sure that you follow the procedure in Transactions entered using the keys section of this guide on page 10, so you can receive the payment. To bank any voucher that cannot be processed by your processing equipment, please follow the procedures below Complete the three-part merchant voucher summary (MVS) before handing the bank copy of your sales and refund vouchers into any branch of Barclays Bank Each batch of vouchers must be accompanied by part three (the white copy) of the completed MVS. No more than 20 vouchers should accompany each MVS. Sales and refund vouchers If your processing equipment is not working, please make sure you follow the procedure in Transactions entered with the keys section of this guide on page 10. These vouchers provide three copies of the sale or refund details, one for your own use, one for the bank to process and one for the cardholder. Merchant copy the top copy of the completed sales or refund voucher is your record of the transaction Bank processing copy the middle copy of the sales or refund voucher should be handed into your local branch of Barclays Bank. You should hand in vouchers on the day of the transaction and no more than two banking days afterwards Cardholder copy the bottom copy must be given to the cardholder for his or her records or, in the case of a mail or phone order, it must be posted to the cardholder 17

18 Completing your merchant voucher summary (MVS) Write your merchant name and number (this is normally shown on the top line of your imprinter plate) clearly on the MVS, with the paying-in date List the value of each sales voucher and refund voucher on the back of the MVS in the boxes shown Write the total of each column in the boxes at the bottom Write the total number and value of both sales vouchers and refund vouchers on the front of the MVS If possible, vouchers should be deposited on the day of the transaction and no more than two banking days afterwards If you have any questions about the credit to your bank account, you should call our Customer Services Department on Posting vouchers If you are in a remote area and cannot get to a branch of Barclays Bank, you may post your vouchers to us for processing. You should send the MVS bank-processing copies of your sales and refund vouchers to: Barclaycard Financial Exceptions, Dept FX, Barclaycard House, 1234 Pavilion Drive, Brackmills, Northampton NN4 7SG. For a supply of our prepaid envelopes, call our Customer Services Department on Preventing and detecting fraudulent Card Present transactions To prevent fraudulent transactions being charged back at a later date, you should have chip-and-pin-enabled processing equipment and accept transactions by reading the chip. You must make sure you get authorisation on any transaction where the card details are not captured using the chip (for example, when presented with a magnetic-stripe card transaction) to avoid the risk of loss due to card fraud. 1. If your processing equipment is chip-and-pinenabled you could be presented with a number of different scenarios, all of which you can accept: Magnetic stripe and signature verification (for example, from an overseas customer where the country has yet to upgrade to chip-and- PIN technology) Chip and signature verification (for example, from a disabled customer who cannot use PIN technology) Chip-and-PIN verification 2. If your processing equipment has a contactless reader, you will also be able to accept contactless transactions with no verification (please see the section on contactless transactions on page 10). If your customer cannot remember their PIN, ask for another method of payment. In these instances, if your processing equipment is chip and PIN capable, and the transaction has been taken using the chip and PIN, you will be protected against possible counterfeit, lost and stolen cards, and intercepted card fraud. Card-fraud statistics show there is increased fraud with non-pin cards. Be aware of the security checks you should make to reduce this type of fraud: Keep hold of the card at all times Keep the goods out of reach of the customer Check the valid from date. If the card is newly issued, be extra careful Watch out for hesitancy when the customer signs and make sure that the signature they give matches the signature on the card Be careful not to be distracted during a transaction. Fraudsters may try to hurry you, or draw your attention away from making card checks Check the name on the card and check that it matches the sex of the person giving you the card if this is possible to tell Be sure not to process transactions on behalf of anyone else. This would be breaking your merchant agreement and could lead to transactions being charged back to you Returning wanted or recovered cards If our authorisation operator asks you to destroy a card and return it to us, please follow the procedure described below. You should politely tell your customer what you have been asked to do. 1. To preserve fingerprints and other forensic evidence, handle the card as little as possible and only by the edges. 2. With the card facing you, cut off only the bottom left-hand corner. 3. Make sure the signature strip, magnetic stripe, chip and hologram are intact. 4. You will find a recovered-card form in your welcome pack. 18

19 You can get more recovered-card forms by calling our Customer Services Department on You must fill in the form in full and keep the cut-off slip of the filled-in form in your files You should send the top section of the form and both pieces of the card to: Recovered Card Services, Barclaycard, Department RC, Northampton NN4 7SG If you are returning a Visa Electron card, please also enclose a copy of the processing equipment declined receipt. Reward scheme We may pay a 50 reward to your business for returning a wanted card. You can then decide whether to pass the reward payment on to the person who actually recovered the card. If the police need to keep a wanted card or sales voucher for investigation (for example, if a stolen card is presented), you will need to keep certain details in case there is a question about it. Please make sure you have a copy of the sales voucher (a good photocopy will be acceptable), as well as: The card number The expiry date The name embossed on the card The date the card was recovered The crime reference number Details of the officer and police station dealing with the case You can still claim a reward if the police take the card for evidence. Other services Dynamic currency conversion (DCC) If your business takes payments from cards issued outside of the UK, your processing equipment may be configured for DCC. DCC offers Visa and MasterCard international cardholders the choice and convenience of paying for goods and services using their home currency. Your international customers benefit from a clear and competitive exchange rate for credit and debit card purchases made abroad with this service. Once the cardholder uses their card abroad they will be presented with the option to pay using the currency of the card or the local currency. The transaction will stay in that currency throughout the entire transaction and settlement process. As such, both you and your customer know the exact amount of the purchase at the time you make the sale. 19

20 Accepting Card Not Present (CNP) transactions e-commerce, mail and telephone order It is important that you understand the risks associated with accepting Card Not Present transactions. There are increased risks of chargebacks for Card Not Present transactions because the customer and card are not present at the time of transaction and so cannot always be verified. When processing Card Not Present orders you must make sure you get: The card number The card expiry date The gross amount (in other words, including postage, packaging and VAT) of the transaction The customer reference number, if quoted for a Visa transaction only The card security code (CSC), otherwise known as card verification value (CVV or CVV2), card verification value code (CVVC), card verification code (CVC or CVC2), verification code (V-code or V code), card code verification (CCV), or signature panel code (SPC) If you would like to accept e-commerce Maestro transactions, you must be enrolled with MasterCard SecureCode. When processing Card Not Present orders you should also get: The cardholder s full name and address, as held by their card issuer, including the postcode and phone number The cardholder s signature, for mail order The delivery address and name of the person receiving the goods if different from that of the cardholder Please remember an authorisation does not guarantee payment. It only confirms that there are enough funds available in the account and that the card has not been reported as lost or stolen at the time of the transaction. We cannot guarantee that the person presenting the card details is the genuine cardholder and so you may be at risk of chargebacks following fraudulent transactions. You should not: Release goods to anyone claiming to have been sent by the cardholder (for example, a taxi driver) to collect the goods Allow a cardholder to pick up goods paid for with a Card Not Present transaction. If a cardholder pays using an e-commerce or MOTO transaction and collects the goods later, you should cancel the Card Not Present transaction and carry out a new Card Present transaction. Make sure you also carry out the full Card Present procedures Authorising Card Not Present transactions Card Not Present transactions must get an authorisation at the time of the transaction, either as a pre-authorisation for the expected value of a transaction (such as a hotel or car-hire bill) or as authorisation of the actual amount. Shipping goods and providing services Visa transactions must get an authorisation on any day up to seven calendar days before the transaction date (the date the goods are shipped or services are provided). This authorisation is valid if the transaction amount is within 15% of the authorised amount, as long as the extra amount represents shipping costs. You must get authorisation for MasterCard transactions on the day the cardholder contacts you to place an order. When the goods or services are ready to be delivered, you should then process the transaction. This should not be for more than the original authorisation amount. MasterCard consider the date you ship the goods or provide the service as the transaction date. If you are shipping goods more than seven days after the original authorisation request, we recommend you get a second authorisation. When presenting the transaction for processing, please quote the original authorisation code, but keep the second one in case there is a dispute about the transaction. Recurring transactions A recurring transaction is one where the cardholder grants permission, in writing or electronically, to a merchant to periodically bill their account for goods or services delivered over a period of time. There cannot be more than 365 days between transactions. For example, merchants who may benefit from recurring transactions are vehicle breakdown services, insurance providers, and those issuing memberships and subscriptions. Issuers may refuse a recurring transaction taken on a Visa card if the expiry date is missing, not valid, or has expired. You must provide the correct card expiry date for each recurring transaction. 20

21 If the cardholder wants to cancel a recurring transaction, they may either contact you or they may contact their card issuer direct. If the cardholder cancels the recurring payment through their issuer, you may not know until the next payment fails. Recurring transactions must not be carried out using a Maestro card. Accepting payments over the internet (e-commerce) You can accept payments over the internet using a Barclaycard payment gateway which can be integrated in your website. Or, you can use your own software or another payment service provider (PSP). Website information You are responsible for designing your own web page but you must make sure you display: Your company name, registered office address, phone number and address Your company registration number and VAT number A complete description and price of all goods and services, clearly stated, including all extra costs such as taxes and delivery costs Clear information on your company s refund and cancellation policies A statement to describe the type of transaction security that you provide A privacy statement Your transaction currency The merchant outlet country at the time of presenting payment options to the cardholder The scheme logos of the type of cards you accept Your delivery policy Any export restrictions Transaction receipts You must give your customers a transaction receipt as part of an order confirmation notice at the time of the purchase. The receipt must include: An instruction to print or keep the receipt for future reference Your company name, address and phone number for customer contacts Your website address The total cost of the purchase, and the currency it is made in The transaction date and type (for example, whether it is a sale or refund) A unique transaction reference number The name of the purchaser The authorisation code A complete description of all goods and services bought Clear information on your Terms and Conditions, cancellation, return and refund policy (if restricted) The exact date any free trial period ends, if offered The receipt must only include the last four digits and not the full card number. For MasterCard transactions, the expiry date must not be quoted: Keep a record of the cardholder s name and address in case of any questions in the future It is your responsibility to check the card when the goods are delivered. You should make sure that the card number and the expiry date quoted agree with the card presented It is also your responsibility to get a signature and make sure the signature on the card matches the one from your customer If an order is to be collected, you must cancel the original transaction and start a new one as a Card Present transaction. See the Card Not Present procedures and chargebacks section of this guide Please remember that you must give the customer a transaction receipt. 21

22 Using an accredited payment service provider (PSP) to accept e-commerce payments We can accept your internet card payments via a recognised PSP. However, you must make sure that the PSP meets the minimum security measures shown in this procedure guide and that they can offer the communication links needed. It is important to stress that you have the responsibility for keeping to the internet merchant procedures within this procedure guide for us to accept internet card-payment transactions as we will not enter into any contract with the PSP on your behalf. You must make sure the PSP keeps to the Payment Card Industry Data Security Standard (PCI DSS), which is a requirement introduced by the major card schemes to help you reduce, as far as possible, the possibility of suffering from a security breach. Please see the section on PCI DSS in this guide for more details. If your chosen PSP offers fraud screening, we would recommend that you use their fraudmanagement service. The services that your chosen PSP offers and the charges that they apply are part of the agreement between you and your chosen PSP, which is separate from your agreement with us. Accepting payments over the internet using your own software You can use your own equipment or software to accept payments over the internet. You are responsible for making sure that we can approve the equipment or software and that it keeps to the necessary cardscheme rules. You must make sure the PSP keeps to the Payment Card Industry Data Security Standards (PCI DSS). The application must be PA DSS (Payment Application Data Security Standard) compliant where necessary, and the business must be compliant with the PCI DSS. Using our payment gateway for accepting payments Our e-commerce service provides quick and secure transaction processing to authorise and settle card payments. It allows you to accept and process card transactions from your website 24 hours a day, 365 days a year. Your customers simply browse your website, choose the goods or services, and enter their card details as directed. Hosted Payment Pages (HPPs) are simple solutions for accepting card payments over the internet, and they keep to the Payment Card Industry Data Security Standard (PCI DSS). We host your payment page for you so you don t see any sensitive card data; keeping you safe and secure. If you prefer, you can control the whole process and host your own payment pages. To do this you can integrate with our Application Programme Interface (API), which allows you to take full responsibility for collecting cardholder details and communicate directly with our gateway. (We will give you a guide on how to do this.) If you choose not to use a Barclays-owned submission product, you must correctly flag every transaction by using the correct level of APACS software. You must maintain the level of software in line with APACS standards. If you fail to keep to this condition, you will be liable for any fines or penalties from the card schemes, which may result from not keeping to the conditions. 22

23 Requirements for merchants not using the Hosted Payment Page (HPP) Security of card data Any merchant accepting e-commerce payments, whether using our payment gateway, an alternative, or their own software, must have minimum security measures before processing card transactions from an internet site. Your payment security responsibilities increase if you use other methods than a Hosted Payment Page (HPP). For more information on these requirements, please see the PCI DSS section of this guide. Accepting Mail Order and Telephone Order (MOTO) payments Maestro cards cannot be accepted for mail or telephone orders except when the merchant and card issuers are from the same country in the UK, Ireland or France. Taking telephone orders Please keep a record of the cardholder s name and address in case of questions in the future It is your responsibility to check the card upon collection or delivery. You should make sure that the card number and the expiry date quoted agree with the card presented It is also your responsibility to get a signature and make sure the signature on the card matches the one from your customer If an order is to be collected, you must cancel the original Card Not Present transaction and start a new one as a Card Present transaction. See the Card Not Present procedures and Chargebacks section of this guide on pages 19 and 26 If you key in a transaction following a telephone order, you will not be able to guarantee that the customer is the genuine cardholder and so you may be at risk of a chargeback if the transaction is confirmed as fraud Please remember, you must still give a customer a transaction receipt. We recommend that the cardholder copy must display only the last four digits of the card number. For MasterCard transactions do not quote the expiry date. Please remember, an authorisation does not guarantee payment. It only confirms that there are enough funds in the account and that the card has not been reported as lost or stolen at the time of the transaction. Preventing and detecting fraudulent Card Not Present transactions If most of the transactions you are accepting are mail, telephone or internet transactions, you must use an appropriate e-commerce or MOTO solution. You cannot accept e-commerce transactions using your face-toface chip-and-pin processing equipment. You need to take extra care when taking transactions over the internet, over the phone or by mail order. You need to consider the risks before accepting a Card Not Present payment: A Card Not Present transaction means that a cardholder and the card are not present with you at the time of the transaction. These are not like a normal face-to-face situation where you can check that the card is genuine and that the customer is not just using a stolen card number. In these situations, the genuine cardholder may not be aware that their card number has been compromised, for example, a fraudster has taken the card details from a customer s discarded receipt e-commerce transactions can be authenticated by the cardholder to prove they are a genuine customer, when you use internet authentication (in other words, Verified by Visa or MasterCard or Maestro SecureCode) this is the same as entering the PIN at a physical point of sale. If you cannot prove that the cardholder is genuine, you cannot guarantee that the card information provided relates to the genuine cardholder Never release goods to anyone else (this includes taxi drivers or delivery firms hired by the customer). Always make sure that goods are sent to the person named on the card If a cardholder comes to collect the goods in person, cancel the Card Not Present payment and process it as a Card Present transaction Authorisation only confirms that the issuer of the card agrees there are enough funds to pay for the goods and to confirm the card has not been reported lost or stolen at the time of the transaction. An authorisation does not guarantee payment. Questions you need to ask yourself before accepting the transactions: Are the goods high value or easily resold? Is the transaction out of character compared to your usual orders or is the customer ordering many different items and do they seem unlike your usual customer? Does the address provided seem suspicious or has the delivery address been used before with different customer details? 23

24 Is the customer being prompted by someone else while on the phone? Is the customer trying to use more than one card in order to split the value of the sale? Does the customer seem to lack knowledge of their account? Are they providing details of someone else s card (for example, that of a client or family member)? Does the customer seem to have a problem remembering their home address or phone number or do they sound as if they are referring to notes? Tools for monitoring fraud You should use security checks, as recommended by the card schemes, as they can help you identify possible fraudulent transactions. However, they do not prevent fraud or shift the legal responsibility for fraudulent transactions, which may result in chargeback claims. Card Security Code (CSC) and Address Verification Service (CSC/AVS) There are services that can help reduce Card Not Present fraud by asking for a small amount of extra information from the cardholder: The Card Security Code, which is a condition of the card schemes (the last three numbers on the signature strip on the card or the three digits in a white box next to the signature panel). You must not store the Card Security Code after the transaction has been authorised Address Verification Service (AVS); a) The first five numbers of the cardholder s full statement address b) The numbers in the cardholder s postcode Internet authentication (3-D Secure) Internet authentication (Verified by Visa, Mastercard SecureCode) uses 3 D-Secure protocol to authenticate card users as they need to have a password log-on. The cardholder registers for the authentication service with a password they choose, which guarantees that the user is authentic. Please see the internet authentication section of this guide for more details. MasterCard SecureCode must be supported for all Maestro transactions. Fraud-screening Using rule-based tools can help to check the validity of transactions. A system which allows you to cross-check the name, address, phone numbers, card details, address and IP address with past and daily records could help you to reduce the risk to your business. Constantly cross-checking this type of information will identify any duplication of information which may show that a fraudster is attempting to use similar details elsewhere. For example they may quote different card numbers but use the same name or address or may quote entirely different details but still be seen to come from the same IP address. You should reject any suspicious instance of duplication (also known as velocity checking) and check further before accepting the order or request. Barclaycard s payment gateway offers extra fraudscreening tools such as those mentioned above. There are also a number of other providers who can offer help with checking the authenticity of customer information. If you would like more information on these providers, please contact our Customer Services Department on Further advice for internet transactions To add to existing velocity checks: Check for sequential card numbers Review orders made using cards not issued in the UK Review orders where the IP address does not match the delivery address (country) Review orders going to and coming from the same customer name, address and card number Review or refuse all or new orders going to a different delivery address other than the registered card address Review or refuse duplicate purchases Review or refuse the order if the postcode does not match Refuse the order if the CSC does not match Refuse new orders with an invalid card expiry date Use the chargeback data you receive to: Highlight possible problem names, addresses and IP addresses Always make sure that you respond promptly to request for information letters as you may be able to prevent the chargeback Use internet authentication (3-D Secure) and CSC/ AVS for added security You can find more information on our website to help with your staff s awareness of fraud: 24

25 Refunds The Distance Selling Regulations (DSRs) and e-commerce Regulations (ECRs) apply if you sell products or services to customers without face-toface contact (for example, e-commerce and MOTO transactions) and where the customer has not had an opportunity to examine the goods before buying or discuss the service in person. The aim of the DSRs and ECRs is to make sure there is a minimum level of consumer protection across the European Union (EU) although other EU countries may put the regulations into practice differently. Keeping to the DSRs and ECRs is a legal requirement and the courts can take action against you if you break the DSRs and ECRs. You should include these regulations in your e-commerce or MOTO returns policy to find out more about the DSRs and ECRs, please visit: If you want to perform a refund for an e-commerce or MOTO transaction, you must make sure that the refund is processed to the card used in the original sale and does not go over the original sale amount. If the card or account used in the original transaction is closed, another card or account can be used. If the customer has no other card, you should credit the refund to the customer s bank account in line with your own procedure. You cannot make refunds to the cardholder s account to credit winnings from gaming. Other services Dynamic currency conversion for e-commerce transactions If your business takes payments from cards issued outside of the UK, your processing equipment may be configured for DCC. DCC offers Visa and MasterCard international cardholders the choice and convenience of paying for goods and services using their home currency. Your international customers benefit from a clear and competitive exchange rate for credit and debitcard purchases made abroad with this service. Once the cardholder uses their card abroad they will be presented with the option to pay using the currency of the card or the local currency. The transaction will stay in that currency throughout the entire transaction and settlement process. As such, both you and your customer know the exact amount of the purchase at the time you make the sale. Each time you submit an authorisation request to us or our authorised representative, you will use the correct conversion rate that applies on such date. If you are entitled to submit to us or our authorised representative more than one authorisation request for the same transaction, you will use the correct conversion rate that applies on the date that you submit the final authorisation request to us or our authorised representative, regardless of any other conversion rate(s) previously applied by you and communicated to your customer in respect of the same transaction. You will be solely responsible for any indicative conversion rate(s) that you may have provided to your customers. 25

26 Chargebacks and retrieval requests A chargeback usually takes place when a cardholder disputes a transaction shown on their statement or you process a transaction outside the terms of your merchant agreement. Chargebacks result when a transaction is treated as invalid for example, if a cardholder questions a transaction shown on their statement and the card issuer, after investigation, agrees to refund the amount. Chargebacks also happen for technical issues such as duplications and no authorisation. We have a dedicated Chargeback Education Team who can give you advice on the steps you can take to reduce the risk of transactions being charged back. If you want to receive free advice, please contact our dedicated team on or chargebackteamportfolio.managers@ barclaycard.co.uk The most common reasons for chargebacks are: The cardholder does not recognise the transaction (for example, they claim their card details have been used fraudulently) The transaction has been processed outside of your merchant agreement (for example, you did not get authorisation when needed) A fraudulent mail, telephone or e-commerce transaction (please see the Preventing and detecting fraudulent card-not-present transactions section of this guide on page 23 for more information and guidance on how to avoid these types of chargebacks) You did not respond in time to a request for a copy of a transaction (retrieval request) The card was not valid when the transaction was made, in other words, the transaction was made before the valid from date or after the expiry date The amount of the sale is more than your floor limit and you did not ask for authorisation, for whatever reason The signature on the processing equipment receipt or sales voucher does not match the signature shown on the card itself A transaction was taken on a card that should only be used in an automated teller machine (cash machine) You accepted a card that should have been verified by the PIN after the chip was inserted but you do not have processing equipment that can carry out these checks Two or more card transactions have been completed for one sale over the floor limit (split sale) and you did not get authorisation The goods or services provided were faulty, not as described, or not received A transaction was processed on behalf of someone else who could not process the transaction themselves. This is called laundering and breaks your merchant agreement If you take a Card Present transaction and your processing equipment is not chip-and-pin-enabled, you will be legally responsible for any fraudulent transactions and these will be charged back to you. All Barclaycard contactless processing equipment are chip-and-pin-enabled. You may also receive a chargeback if you have not followed any of the terms of the agreement between you and us, including any of the instructions in this procedure guide. What is a retrieval request? A retrieval request or request for information (RFI) is when a cardholder asks for a copy of the transaction details. This is usually because they do not recognise a transaction on their statement or need more details for their records (for example, an expenses claim or tax return). Another reason cardholders ask for a copy of the transaction receipt is because the description shown on their statement does not match the name of your company. So, if you seem to be getting a lot of retrievals, check what is being shown on the cardholder statements. You can change the description by contacting our Customer Services Department on It is a requirement of Visa and MasterCard that if you are mainly carrying out mail or telephone orders, you should include a contact number rather than location within the description. For instance, The E Shop,London, should be shown as The E Shop, This encourages people simply to call you to identify their transaction, rather than disputing this with their card issuer. Likewise, if you are carrying out e-commerce transactions, you must display your internet website address or address on cardholders statements so that customers can contact you. As you are simply providing information, there is no loss to your business. However, if you don t supply a clear and legible copy of the transaction within the time requested (usually 14 days), the card issuer may charge the transaction back to us. We will then pass the cost on to you in the form of a chargeback. If a transaction is charged back, it will become a loss to your business. 26

27 Chargebacks can cause you hassle and cost your business time and money. Following the correct procedures in this guide will help you avoid chargebacks, so you can gain the full sales benefits of accepting payments by card. Responding to retrieval requests and chargeback letters Please make sure we receive a reply by the date quoted, by fax, by post, or whatever other method we have explicitly agreed with you, as not responding within these timescales will usually result in a chargeback Please remember to send all relevant documents that support the transaction, in other words, Terms and Conditions and details of authorisation codes, dates and times, where appropriate Remember, transaction copies and all details provided need to be clear, because chargebacks can also take place when transaction copies cannot be read clearly Please ask for details of our Faxlink service, which provides a quick and simple way of dealing with retrieval and chargeback letters via a fax machine (see Faxlink service section below). If you are already registered and using the Faxlink service, we provide templates you can use. To ask for a copy of the template relevant to your business, please contact Faxlink service This service lets you send and receive all chargeback and retrieval information by fax, avoiding postal delays and speeding up the process. There are no extra charges for using this service. To help reduce the risk of chargebacks Use chip-and-pin-enabled processing equipment to help protect your business against fraud. Using chip and PIN helps to check that a card is genuine and that the person using it is the true owner. The chip makes it difficult to counterfeit or copy the card, while the PIN makes it harder for a criminal to use a lost or stolen card. And because, instead of signing, the customer authorises the transaction by keying in a 4-digit PIN only they know, the risk from forgery is reduced. For contactless transactions, as long as you process transactions in line with cardscheme regulations and follow the procedures laid out in this guide, we will offer you the same level of protection Make sure that all transactions are correctly processed according to the type of card Make sure you only accept cards which you have an agreement to process, as some cards perform several functions Do not accept mail, telephone or e-commerce transactions unless you are aware of the possible risks surrounding this type of transaction. If you see an increase in this type of transaction, please let us know so that we can make sure you have the correct agreement in place Follow your instincts if something about a card or the person using it or the transaction itself does not seem genuine, make a code-10 call to our authorisation department. Please remember that authorisation is not a guarantee of payment and code-10 calls are only for Card Present transactions Keep copies of all transaction records. To settle any dispute, you may be asked to provide evidence of a transaction. If you fail to do this, we may make a chargeback to your business. You must keep all receipts for at least six months, and keep copies of transactions for another seven months Remember to display a limited returns policy on your receipts and at the point of sale, to avoid disputes which could lead to a chargeback 27

28 Timescales for chargebacks Most disputes are raised because the genuine cardholder disputes the transaction on their statement. As cardholders are only sent card statements once a month, it can be up to one month before a cardholder will receive their statement and so dispute the transaction with their card issuer (for example, MBNA, Capital One, NatWest, Barclaycard and so on). In cases where the cardholder claims neither to have carried out or authorised a transaction, the card issuer will ask the cardholder to complete and sign a disclaimer. This is a legal document where the cardholder declares they did not carry out the transaction. The cardholder can also dispute the transaction by . The card issuer does not tell us about the dispute until they have received all the documents they need from the cardholder. The card schemes have strict time limits in which card issuers must let us know about any dispute along with rules for what documents must be provided. We will automatically protect you from a dispute if the correct documents are not supplied by the card issuing company or if the correct time limits are not kept to. As soon as we receive notice of the disputed transaction, we will let you know. The maximum time allowed is 120 days from the processing date of the transaction to dispute the transaction. For transactions relating to delayed travel (for example, holidays), we work out the time limit from the date of travel and not the date of the transaction. We will give you notice of the chargebacks either by letter, or by fax if you have signed up to our Faxlink service or by whatever other method we have explicitly agreed with you. For disputes where it is likely that you will have extra information that may allow us to defend the dispute, you will have 14 days after receiving the notice to supply the information. For disputes where it is unlikely you will be able to defend the dispute, for example, if you did not get authorisation, we may take the amount from your account at this time. If you disagree with the dispute, it is important that you give us your reasons in writing within 14 days. If you fail to respond within the 14 days, or your reply is unclear or we cannot read it, we may not be able to defend you from the chargeback. Our Chargeback Portfolio Managers can provide tailored advice as to when you should be replying and with what. They can also provide general advice on all matters relating to chargebacks. For advice for your own business, please call us on (9am to 5pm, Monday to Friday. We are closed on bank holidays). Or us at chargebackteamportfolio. managers@barclaycard.co.uk and we will get back to you within 48 hours. Please provide your contact details and Barclaycard merchant number (you can find these on your statement). 28

29 Payment security As a member of the card schemes we need you to keep to the Payment Card Industry Data Security Standard (PCI DSS). This section sets out the responsibilities you must keep to. What is PCI DSS? This is an auditable set of controls designed to make sure that certain card information is stored securely by your company and anyone else who stores, transmits or processes the payment cardholder information on your behalf. What information must be securely stored? Any information that is necessary to process card transactions correctly, including any information which is recorded electronically or otherwise on any payment card and includes the following: Any information that is used to authenticate a card payment, including the card number, expiry date, issue number, passwords, pass phrases and any other unique information supplied as part of the card payment Any information that could identify individual cardholders and their purchases. This includes name, address, description of the purchase, amount and other details of the card payment We will call this cardholder data in the rest of this section. What information must not be stored at any time? You must not store: The contents of the magnetic stripe, also known as Track 2 Data The card verification value or CVV contained in the magnetic stripe The card verification value contained in the magnetic stripe image in a chip known as the icvv The card security code, also known as CVV2, printed on the back of the card in or next to the signature panel The PIN verification value or PVV, which is contained in the magnetic stripe 29

30 What you must do to keep to PCI DSS PCI DSS sets out a number of requirements which you must keep to make sure that cardholder data is securely stored. You must: 1. Install and maintain a firewall to protect cardholder data. 2. Not use vendor-supplied defaults for passwords or other security measures. 3. Protect stored cardholder data. 4. Encrypt the transmissions of cardholder data and sensitive information across public networks. 5. Use and regularly update anti-virus software. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data to only those who need to know. 8. Give each person with computer access their own ID. 9. Restrict people s access to network resources and cardholder data. 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. 12. Maintain a policy that deals with information security. In keeping to the requirements set out above, you must meet the standard shown in the PCI Standard Security Council (PCI SSC) and set by the card schemes. The current standards that you must keep to in meeting the above requirements are set out in The Payment Card Industry (PCI) Data Security Standard (DSS). This is available for download from the PCI Security Standards Council website at: For more information and useful tools to help you keep to the standard, please see our PCI DSS website at: 30

31 Demonstrating that you are keeping to the PCI DSS We need you to show that you are keeping to PCI DSS. How you do this will depend on the type and volume of card transactions that we process on your behalf. The responsibilities you must keep to depend on your merchant level which we will decide on using our records. If your business is not keeping to the PCI DSS, you may be legally responsible for paying charges and penalties. Plus, you may have to pay other card-scheme penalties and costs. You will need to get validation that you are keeping to PCI DSS every year and you may need to pass vulnerability scans every three months to keep to the standards. The action you need to take will depend on your merchant level as follows. Level Definition Actions needed to keep to the standards 1 If you process over 6 million Visa or MasterCard transactions a year (see note 1 below) 2 If you process 1 to 6 million Visa or MasterCard transactions a year 3 If you process 20,000 to 1 million VISA or MasterCard e-commerce transactions a year 4 If you only process e-commerce and process fewer than 20,000 VISA or MasterCard transactions a year If you do not process e-commerce transactions and process up to 1 million VISA or MasterCard transactions a year The way you report that you are keeping to PCI DSS will be managed by the Barclaycard Payment Security team Yearly on-site security assessment by PCI SSC-accredited qualified security assessor A network scan every three months (if in e-commerce) Yearly penetration testing Security policies put into practice The way you report that you are keeping to PCI DSS will be managed by the Barclaycard Payment Security team Yearly self assessment questionnaire by a PCI SSC-accredited internal security assessor or a yearly on-site security assessment by PCI SSC-accredited qualified security assessor (see note 2 below) A network scan every three months (if in e-commerce) Yearly penetration testing Security policies put into practice The way you report that you are keeping to PCI DSS will be managed by Barclaycard s Data Security Manager (DSM) service We will send details of the DSM to new customers no earlier than four months from setting up the account, including details of a possible monthly charge for the DSM service Complete the online profile and follow-up steps to complete your self-assessment and compliance validation each year. Or, in the DSM profile, upload a self-assessment questionnaire (SAQ) and confirmation that has been validated by a qualified security assessor (QSA) each year If, as part of your validation, you have to run vulnerability scans every three months, they must be carried out by an approved scan vendor (ASV). This can be done using the Barclaycard DSM service. Or if you prefer, you can use an ASV listed with the PCI security standards organisation (see below for details). If you use another ASV, every three months you must upload to the portal the technical report demonstrating a pass status 1. If you operate in more than one country or region and meet level-one criteria in any Visa country or region, we will consider that you are a global level-one merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not collected across borders. In these cases, we will validate you according to regional levels. 2. If you are a level-two merchant choosing to complete a yearly self-assessment questionnaire (SAQ), you must make sure that all staff involved in the self-assessment go on a PCI Security Standard Council (PCI SSC) merchant training programme and pass any associated accreditation programme each year to continue the option of self-assessment. 31

32 From time to time we may audit your type and volume of card transactions. As a result of the audit, or if we are instructed to do so by a card scheme, we will let you know which merchant level you are for the purposes of PCI DSS and you agree that you will keep to the responsibilities of that level of merchant as described in the table. Card-scheme-approved qualified security assessor The specialist organisations which are qualified to carry out on-site audits to check you are keeping to PCI DSS are those the card schemes will tell you about from time to time. You can find details of the current card-scheme-approved specialist organisations at: Approved scan vendors The specialist organisations which are qualified to carry out network vulnerability scans are those the card schemes will tell you about from time to time. You can find details of the current card-scheme-approved specialist organisations at: Further action you may need to take As a result of considering any report that you must send to prove you are keeping to the PCI DSS (as set out above), we may: Tell you that you are a different merchant level (for example, a level-one merchant rather than a leveltwo merchant) and you agree that you will keep to the responsibilities of that merchant level Tell you to take extra security measures to make sure you keep to PCI DSS within an agreed period of time We are not unique in making sure our merchants keep to the PCI DSS. All card acquirers have the same responsibility to the card schemes (for example, Visa and MasterCard) Data compromises If any unauthorised person has access to any cardholder data, or cardholder data is lost, stolen or revealed (we call this a data compromise), or you suspect that either has happened, you must tell us as soon as reasonably possible. 32

33 The results of a data compromise If we are told that you have suffered any data compromise or suspected data compromise (whether you tell us or any card scheme), you will have to tell an industry approved forensics investigator (QFI) to carry out a forensic investigation at your company about the data compromise. The QFI will review the whole end-to-end process of handling cardholder data and will give you a report on their findings, and set out recommendations for action for you to take as a result. If you suffer a data compromise, you will have to pay the costs of the QFI as a result of any data compromise. If you suffer a data compromise, we may tell you that we have reclassified you as a level-one merchant and that you must keep to the obligations of that merchant level. You can find a list of QFIs at: security/downloads-and-resources If customer data which you or someone else has handled is proven to have been compromised, stolen, used fraudulently and so on and your business is not keeping to PCI DSS, you may have to pay fines to the card scheme and cover losses to the card issuer. The card schemes may decide to fine you as well for not keeping to the standards and not storing sensitive authentication data. Other organisations that store, transmit or process your cardholder data The PCI DSS standards apply to all merchants and the linked organisations that store, process or transmit cardholder data. The standard applies equally to manual processing and storing cardholder information (for example, processing equipment and imprinters) as well as to electronic methods of storage (for example, EPOS, PC). Keeping to the standards applies to your whole set-up. You can only be treated as keeping to the standards if any organisations you use also keep to the standards. You must check this every year: Any organisations you use that store, process or transmit payment cardholder data on your behalf must also be registered on the Visa website at: These organisations include, but are not limited to: Resellers Till vendors EPOS vendors Software application providers Payment service providers Payment processing bureaus Data storage providers Web-hosting providers Shopping-cart providers Software vendors You must tell us about any organisation you use that stores, processes or transmit cardholder data. If you fail to keep to PCI DSS If you fail to keep to PCI DSS or any of the responsibilities as set out in the operating instructions and procedure guide, you will be breaking your agreement with us and: We have the right to recover any penalties, fees or fines imposed by any card scheme in line with our agreement with you (of which these operating instructions and procedures guide forms part) We will consider this to be significantly breaking your agreement and we may use any rights we have available to us in line with our agreement with you We may suspend your acquiring facilities until you can prove to our reasonable satisfaction that you are keeping to PCI DSS 33

34 Protecting cardholder information As well as keeping to PCI DSS, you must keep to the following requirements to protect cardholder data. If you are using thermal paper to process transactions, you need to take extra care when storing transaction copies to make sure they do not fade: Do not store them in direct sunlight. Wrap transaction copies in paper or store them in brown envelopes Do not store them close to heaters Store them in a cool, dark and dry environment Maintain an even temperature and humidity. (Ideally, a temperature of 20 to 23 degrees and a relative humidity of 45 to 55%). Do not store in PVC wallets For a supply of our prepaid envelopes, call our Customer Services Department on Storing your records You must keep your original copies of transactions in an accessible place for at least six months. We also advise you to keep copies of transactions for another seven months from that date, although this can be on microfilm or similar media. If we need to send a retrieval request, we will give you the cardholder s name wherever possible. However, the card issuer does not have to give us this information so we may be unable to tell you. As a result, you should store the transactions by transaction date and not by cardholder number or name. It is important that you keep all copy vouchers and till rolls in a secure place, to prevent any fraudulent use of the information and in line with PCI DSS requirements. If you need to clarify your PCI DSS requirements, please contact Customer Services on

35 Understanding your statement Your monthly statement is a VAT invoice and a statement. If you are a single outlet, or you have asked that we send separate statements to each outlet, you will receive: A merchant invoice and statement Transaction payment advice If you have asked for statements to be sent to your head office, your head office will receive: A merchant invoice and statement Transaction payment advice Advice on details of the service charge Your outlets will usually receive nothing. What will the statement look like? Each page number and the total number of pages are shown in the top right-hand corner. There are three main headings: Transactions and other charges if these apply Statement of account (including any adjustments) Total amount due Period Sample Name PLC Sample Street Sample Town Sampleshire ZZ9 1AA Registered in London, England, Reg No Reg. Office 54 Lombard Street, London EC3P 3AH MERCHANT INVOICE/STATEMENT Barclaycard Payment services (Dept CSD) Northampton NN4 7SG If you have any queries please call Customer Services Department Outlet No. Invoice No. Account VAT Reg. No. Tax Point Transaction payment advice This provides itemised details of payments made to you with the dates we processed the transactions and the payment reference. Periodic settlement If you have chosen to be paid periodically (for example, weekly or twice weekly), please remember that the figure for the total payments for this period may not agree with the transaction charges on page 1 of your statement, as they cover different accounting periods. Payment for any dates not showing will appear on your next statement. Advice on the details of the service charge This shows a breakdown of the invoice for each outlet and includes a customer reference. Processing equipment rental charges are shown, giving the number of processing equipment at outlet and the total charge. We only send this page to chain head offices. If you have a question about a merchant invoice and statement you have received Contact our Customer Services Department on: quoting your outlet or chain head office number. Remember to check that all transactions have been processed and that they show on both your merchant and bank statements. You must check your monthly service charge statement against your bank statement regularly to see that they match. If you do not do this, you may be legally responsible for any chargebacks for presenting transactions late. INVOICE THIS PERIOD Charge VAT Total MasterCard 2.77% MasterCard Credit 1.85% 0.19 plus per item UK Visa 3.36 per item UK 0.40 per item Visa Business 2.91% Visa 2.59% Sub Total Summary of your credit/debit card transaction details listed for all outlets Other Charges (Standard Rate VAT 17.5%) 1 epdq Management fee 1 pdq Classic contactless Sub Total STATEMENT OF ACCOUNT Balance brought forward from last period Payment Thank You Invoice Total (from above) Invoice Total cr Summary of your account TOTAL AMOUNT DUE This amount will be debited to: Bank Account on or after 01 January 2015 Pre Pay Details cr 4 Pre Pay 3.45% cr 4 Pre Pay 3.45% cr 4 Pre Pay 3.45% cr 4 Pre Pay 3.45% cr 4 Pre Pay Virgin 3.45% 2.76 cr 2.07 cr 1.72 cr 1.03 cr 1.03 cr Summary of your E-Top Up commission earned Total cr Your E-Top Up commission inclusive of VAT 35

36 Exceptional procedures Can I pass charges to my customer? Under the terms of the Credit Cards (Price Discrimination) Order 1990, you are entitled to apply a surcharge to any transaction made by credit card. However, if you decide to do so, you run the risk of being uncompetitive and upsetting your customers who will then be paying higher prices than those who pay with a debit card or by cheque or cash. If you do apply a surcharge, there are several procedures you must follow and a number of restrictions you must keep to. 1. Under the terms of the Price Indications (Method of Payment) Regulations 1991, you must display the credit card surcharge at the entrance of your premises, and at the point of sale. If you sell fuel, the regulations are in the Price Marking (Petrol) (Amendment) Order If you operate a mail, telephone or internet order service, you must make sure you tell your customers about surcharges before they place the order. You must also make sure that your catalogues, advertisements and the order form carry exact details of your plan to surcharge those customers who want to pay by credit card. Under Visa regulations, you cannot add these surcharges to transactions involving Visa Debit or Visa Electron cards. However, UK law allows surcharges on all cards. Scheme rules allow you to add surcharges to transactions involving MasterCard and Maestro cards, but you will have to display a sign to warn customers that you are doing this. 3. The amount of the surcharge, which you may add to your normal cash price, must not be more than the amount of the merchant service charge that you will pay us. It is your responsibility to make sure that these surcharges are only used if allowed by law, even when the cardholder is not present. If you would like copies of the Credit Cards (Price Discrimination) Order 1990, the Price Indications (Method of Payment) Regulations 1991 and the Price Marking (Petrol) (Amendment) Order 1991, please contact your local Trading Standards Office for more information. Minimum charging You must not set any minimum limit on credit and debitcard transactions. You must treat purchases by card in exactly the same way as cash purchases except if you supply a surcharge. 36

37 Internet authentication Authenticating cardholders successfully Internet authentication is an e-commerce protocol which allows you to process secure e-commerce transactions by authenticating the cardholder s identity using a password authentication at the time of purchase. We offer the following card-scheme authentication services and cover them in this procedure guide: Verified by Visa (for Visa transactions) SecureCode (for MasterCard and Maestro transactions) By using authentication services you may be protected against chargebacks on successfully verified transactions. There are different rules for different card schemes, types of card and region. Partial or attempted authentication transactions may not be protected in the same way. You must make sure that you are familiar with how authentication works before using any of the internet authentication services. How do I use the internet authentication service? You must: Have a valid internet merchant relationship with us to take full advantage of the service Be registered with us to use cardholder authentication services Have the authentication software included in your chosen payment solution. Unless you specifically ask for an alternative, we will assume you want to use authentication for all card schemes which support internet authentication The following options are available to you. 1. Use our payment gateway, which is already set up to present 3-D Secure to cardholders. 2. Use our payment gateway and add 3-D Secure yourself. 3. Find or develop your own 3-D Secure software solution, which must meet the 3-D Secure specification of at least protocol level Our 3-D Secure solutions fully meet procedure level If you have chosen to get your software from another source, the source will need to have been approved by all card schemes we support which take part in the scheme. Types of authentication The card schemes use three types of authentication. These help to identify which level of authentication was used, and how far you will be liable. Full authentication This happens when we, the card issuer, cardholder and merchant all correctly process an authentication transaction. The cardholder will successfully authenticate themselves (through a browser pop-up or in-line window) with their card issuer. This is often known as Full authentication for Visa and Full UCAF for MasterCard. The card issuer will provide an IAV (issuer authentication value) to show that authentication took place. This value is passed in the authorisation process as proof of authentication. Attempted authentication This happens when the cardholder is not registered for authentication, but you are providing an authentication request. In this instance, the issuer may still provide an IAV (sometimes referred to as an attempt) to show that you successfully tried to authenticate the cardholder. The card schemes differ with how they deal with attempted authenticated transactions. For Visa The definition of an attempted authentication for Visa cards is when both the merchant (you) and the acquirer (us) support authentication and can confirm that everything has been integrated correctly. The attempt to authenticate must be successful. The card issuer must return a response confirming the attempt. If the card issuer cannot confirm the attempt (for example, the system went down) you cannot claim attempted authentication. 37

38 A successful attempt for Visa includes: Confirmation from the BIN Cache or MasterCard or Maestro directory that the issuer is not taking part in the scheme Confirmation that the cardholder is not participating or has not yet enrolled A 3-D Secure response of A in the PARes Visa card issuers must send an IAV for successfully authenticated transactions and may decide to send an IAV for a successfully attempted authentication. For MasterCard and Maestro The definition of an attempted authentication for MasterCard and Maestro cards is when both the merchant (you) and the acquirer (us) support authentication and can confirm that everything has been done correctly. The attempt to authenticate must be successful. The card issuer must return a response confirming the attempt. The term for this is Merchant UCAF which simply means that you are taking part in the SecureCode scheme. You can claim attempted authentication on a MasterCard or Maestro SecureCode transaction when you make any attempt to authenticate the cardholder. Ideally, you should receive a 3-D Secure message response from the card issuer confirming the attempt. However, if not, you can still claim you should not be liable as you have correctly used your chosen 3-D Secure solution and successfully sent the authentication request. This might happen when: You receive confirmation from the BIN Cache or MasterCard or Maestro directory that the Issuer is not taking part in the scheme You receive confirmation that the cardholder is not taking part or has not yet enrolled in the scheme The cardholder pop-up or in-line window does not appear due to a mistake by the issuer or cardholder The issuer service is not responding to your authentication request Authentication fails, but the transaction is authorised by the card issuer MasterCard and Maestro issuers do not currently send an IAV for a successfully attempted authentication. Whether you gain Full UCAF or Merchant UCAF depends on the MasterCard or Maestro equivalent of the ECI. This must be passed in your payment solution to make sure you are not liable for the transaction. You cannot claim attempted authentication on a SecureCode transaction for Maestro cards issued outside the UK. Passive authentication An issuer may present a 3-D Secure window but decide to not prompt the cardholder to authenticate the transaction. The cardholder will go back to the merchant site without authenticating the transaction. Passive authentication provides full 3-D Secure benefits when completed. 38

39 The main benefit of authentication transferring liability In the past, e-commerce transactions have carried a higher risk than standard high-street transactions. This is because neither the cardholder nor the card can be positively identified at the time of the purchase. If a card was used fraudulently or the cardholder disputed the transaction, the card issuer would charge the transaction back to us. If we receive a chargeback for a transaction you have processed, we will ask for evidence to support the transaction. In most cases evidence can be provided that the card was used, but not that the genuine cardholder was using the card. In this situation, the card issuer would charge the transaction back to you (a chargeback), resulting in you losing the goods or services plus the cost of the transaction. With cardholder authentication you can prove that the cardholder used their card at the time of the transaction. Cardholder authentication helps prevent chargebacks where cards are used fraudulently, or where the cardholder denies using the card. The liability shifts from you, back to the card issuer. Reducing as far as possible the risk of fraud is essential and you should use internet authentication along with, and not instead of, any other fraud checks that you should have in place. It is important that you maintain your existing fraud checks. If you do not carry out your existing fraud checks, it could result in you receiving chargebacks. Displaying the Verified by Visa and SecureCode logos Both card schemes need the logos to be displayed on e-commerce payment pages as evidence that they take part in the service. If the logos are not automatically added to your payment page, you should add them yourself. This will give your customers the assurance that you are taking part in the scheme and have been fully registered to take part. If at any stage you ask not to use the authentication service, you should remove both logos from your payment page if they are not automatically removed. The logos will be made available to you when you apply for 3-D Secure. Using our 3-D Secure solution Your responsibilities We control the authentication process within the HPP and will make sure you have as little disruption as possible to your current transaction processing. You must: Correctly integrate the HPP in line with instructions given to you when signing up Read and understand how the HPP handles authenticated transactions this information is provided in the integration guide Set up any 3-D Secure fraud-detection settings in your back-office Levels of protection Cardholder authentication protects you against specific types of chargeback. Depending on where the card is issued, and the type of authentication gained (see above) who is liable will be different. However, for you to transfer liability, you must strictly keep to the 3-D Secure protocol. Card scheme Types of card it applies to Level of cover Visa MasterCard Maestro Visa Credit Visa Debit Visa Electron Visa Commercial MasterCard Credit (including commercial cards) Full worldwide cover (Visa Intra and Inter Regional) for fully authenticated transactions Full worldwide cover (Visa Intra and Inter Regional) for successfully attempted authentication. Worldwide cover for both full and successfully attempted authentication Worldwide cover for full authentication Successfully attempted authentication for UK domestic transactions where both the card issuer and the merchant are based in the UK Visa commercial cards issued in the USA are not protected. 39

40 Our responsibilities We will: Register you with each card scheme we support Provide you with the relevant integration guides Control the processing of authentication transactions Keep to relevant card-scheme policies Process transactions according to your 3-D Secure fraud-detection settings Maintain a full audit trail and provide transaction evidence to the card issuer if there is a chargeback where we believe authentication was correctly carried out and your responsibility should be transferred to the card issuer (this does not include a request for information (RFI) Make sure the correct authentication values are attached to both the authorisation and clearing message where appropriate Maintain authentication transaction records on your behalf and use these to provide evidence that the transaction was authenticated if there is a chargeback. It will be our responsibility to make sure that the correct IAV (CAVV, AAV) ECI, and XID (for Visa) value is attached to both the authorisation and settlement transaction Message values Cardholder authentication generates new message values to show the level of security used, plus the result of the authentication. We will make sure the HPP processes all new message values correctly. There may be times where authentication is not possible (for example, the in-line window does not appear). You must decide if you want to continue processing the transaction. You can set this on the HPP. You can find full instructions in the HPP integration guide. If a cardholder cannot authenticate themselves, you must refuse the Visa transaction. If this does happen, depending on the issuer, Barclaycard SmartPay will refuse the transaction. MasterCard and Maestro transactions are allowed to continue. Direct to card schemes If you have chosen to find or build your own authentication solution that communicates directly with the card schemes taking part in the scheme, you are responsible for the whole authentication process and must make sure you keep to the integration and implementation requirements. If you are using another product to carry out internet authentication, you must make sure it can support the requirements shown in this section. Your responsibilities You must: Sign up for authentication, providing details of your chosen payment solution, and must say that you only want to be registered for the service Make sure we have approved your chosen payment solution (if not a Barclaycard e-commerce solution) to process internet authentication transactions Correctly build and put into practice your authentication and payment solution in line with the latest 3-D Secure procedure and APACS standards Get full approval from us to use the APACS standards at the necessary level Make sure that the authentication responses returned by your authentication solution are correctly passed to your payment solution to be provided in the authorisation message Make sure that the IAV (CAVV for Visa, AAV for SecureCode ) is correctly passed in the authorisation message Make sure any other data is passed in the authorisation message Make sure any extra data is passed in the clearing message Manage the process around the cardholder pop-up or in-line window (in other words, size, time outs) Manage the process if an error happens on the pop-up or in-line window (if the cardholder cancels) Secure the authentication merchant information used to register you with the card schemes at all times Make sure the BIN cache for each scheme (if being used) is updated at least every 24 hours Maintain full audit records of authentication transactions (including BIN cache updates) Give us evidence of authentication (in other words, your 3-D Secure logs) if we need this to defend a chargeback. This information must be returned to us within 14 days of our original request 40

41 Our responsibilities We will: Register you with each card scheme taking part in the scheme which we support and you have signed up to Provide you with the appropriate authentication merchant information as registered with the card schemes Accept authorisation and clearing messages from your chosen payment solution containing authentication data Provide transaction evidence to the card issuer if there is a chargeback where we believe authentication was correctly carried out and you can transfer liability based on information we have received from you Provide scheme or procedure updates to you when this applies Transaction records You must keep and store full authentication records to provide evidence in case an authenticated transaction is charged back. The table below shows what evidence will be needed if there is a disputed transaction. Full authentication (Visa) Full UCAF (MasterCard and Maestro) Attempted authentication (Visa) Merchant UCAF (MasterCard and Maestro) ECI value = 5 CAVV Supplied in readable format PAReq/PARes XID ECI value = 6 attempts CAVV Supplied in readable format VEReq/VERes OR PAReq/PARes XID ECI value = 2 AAV Supplied in readable format PAReq/PARes ECI value = 1 AAV (if supplied) VEReq/VERes OR PAReq/PARes If your solution supports BIN cache, you must also supply CRReq/CRRes. We may ask you to provide transaction information to support a card issuer retrieval request. If you do not provide the information we ask for, you may be at risk of being liable for the transaction. Card issuer pop up or in-line window It is your responsibility to present the browser pop-up or in-line window to the cardholder. The card issuer will create the content and will carry out the authentication. You must control the size and conditions relating to time-out and dealing with mistakes associated with the window. It is strongly recommended that you use an in-line window to prevent problems commonly associated with pop ups being suppressed (also referred to as pop-up killers) and avoid situations where customers accidentally close the pop-up window. Whether you use pop-up or in-line, it is your responsibility to present the browser pop-up or in-line window to the cardholder. Your authentication software supplier should provide the recommended size of the pop-up or in-line window. It is recommended that the time out for the pop-up or in-line window is set to a reasonable time to allow cardholders enough time to authenticate themselves. It is your responsibility to set this in line with your website and risk policy. You must make sure you display an adequate error message to the cardholder if you enforce your time-out. There may be times where the cardholder closes, cancels or cannot view the pop-up or in-line window. You must make sure your website can handle the error responses associated with this and must display clear error messages to the cardholders. You should use a balance of informative and non-specific information so you do not encourage potential fraud. Your authentication merchant information We will give you specific data to take part in the service, and will register this with each scheme. This will allow you to process authentication transactions through each scheme. You will need to code these details into your authentication solution and pass them on each authentication request. You must make sure that you correctly include the information we provide, which may be different for each scheme. If you fail to pass the correct details, it could result in a failure of authentication request. Once included, you should not change this information unless we tell you to. If you lose this information or feel it has been compromised in any way, you should contact us immediately. We will issue you with new details and re-register you with the relevant card schemes. This process may take up to 10 working days. We will not give this information to any other payment provider acting on your behalf. We will only give it to you. 41

42 Message values Cardholder authentication generates new message values to show the level of security being used, plus the result of the authentication. You must make sure that you fully understand the responses sent to your authentication solution by the card schemes and pass this to your payment solution in the authorisation and clearing messages. The key value is the issuer authentication value (IAV). For Visa this will be the CAVV and for MasterCard this will be the AAV. The IAV will always be provided by the card issuer and you should not alter it. Your payment solution will also need to make sure you attach the correct e-commerce indicator (ECI) to the authorisation and clearing message. The table below provides a definition of the ECI values used by each card scheme. 5 Authentication is successful. Visa MasterCard and Maestro 6 Authentication is attempted but cardholder was not registered. 7 Authentication is not successful or not attempted (standard e-commerce transaction). 2 Authentication is successful. Full UCAF. 1 Authentication is attempted but cardholder was not registered. Merchant UCAF. 0 Authentication is not successful or not attempted (standard e-commerce transaction). Your authentication software integration guide will provide details on how you should correctly map authentication values into your chosen payment solution. You must make sure your payment solution supports the necessary level of APACS to communicate with our acquiring system. You can get this information by contacting us. BIN cache The BIN cache is a store of BIN ranges that can be held locally on your server. If you want to use the BIN cache, you must contact each scheme directory using the appropriate 3-D Secure requests (CRReq/CRRes) to download the latest version at least every 24 hours. You can check the BIN cache before contacting the relevant scheme directory to check whether a cardholder is taking part in the scheme. This could reduce the number of messages you need to generate. Keeping to the card scheme It is important that you understand any responsibilities you may have when taking part in cardholder authentication. This will vary according to which payment product you use. 42

43 If authentication fails Usually, if a cardholder is registered for authentication, they will be familiar with the process to correctly authenticate themselves. However, there may be times where the cardholder does not follow the correct process, or where a card may be being used fraudulently. The following scenarios may happen. 1. Failed authentication a) The cardholder may fail to enter their correct password (they have up to three attempts). 2. A mistake during authentication a) The cardholder may cancel the pop-up or in-line window. b) The cardholder may close the pop-up or in-line window. If authentication fails for Visa transactions c) The pop-up or in-line window may time out. d) The content of the window may be corrupt due to a mistake by the issuer. e) The cardholder browser may stop the pop-up. The card schemes have set policies on how to deal with failed authentication and mistakes during authentication. What will you receive within the PARes message? N response What should you do? Refuse the transaction and do not process the transaction as the cardholder could not authenticate themselves. If you are using a Barclaycard gateway Our HPP will automatically refuse the transaction for you If authentication fails for MasterCard and Maestro transactions If authentication fails you will receive an N response within the PARes message. You have the option of either refusing the transaction and stopping processing because the cardholder could not authenticate themselves, or continuing with the transaction and attempting authorisation. If you do continue and are given an authorisation code by the card issuer, you will be liable for the transaction. If authorisation is not given, you must refuse the card in the normal way. Error during authentication for MasterCard and Maestro transactions You may choose to carry on with the transaction and must be aware that you will be liable for the transaction (in other words, you could still be charged back). Our Barclaycard e-commerce solution will automatically either refuse or continue the transaction based on the response returned by the issuer and in line with scheme rules. Mistake during authentication for Visa transactions If there is a mistake during authentication, you may choose to carry on with the transaction and must be aware that you will be liable for the transaction (in other words, you could still be charged back). The epdq HPP will either refuse or continue with the transaction based on how you set up the appropriate continuity flags within the epdq technical settings. Our SmartPay Hosted Payment Page will automatically either refuse or continue the transaction based on the response returned by the issuer and in line with scheme rules. 43

44 Passing authentication values You must make sure you keep to our Barclaycard e-commerce solution v You will also need to make sure that you can pass the authentication results in your authorisation and clearing message. You must have included the APACS standard that supports this. You can get information on which standard is used by contacting us. If you use our integrated 3-D Secure solution, you do not have to do this. You must be able to receive and pass: Issuer authentication value (IAV) CAVV for Visa, AAV for SecureCode ECI values XID (for Visa) 3-D Secure procedure messages It is your responsibility to make sure that the values, if received from the card issuer, are not altered in any way and are passed as received. The CAVV or AAV could be incorrectly passed if: The payment solution you are using does not support these values There is a problem with your integration to the hosted authentication service or payment software An incorrect ECI value could be passed if: There is a problem with your integration to the hosted authentication service or payment software (or both) You have registered to take part but have not told us you want to go live You have accidentally hard-coded every ECI value to a set limit (in other words, ECI 7 for standard e-commerce) You must make every attempt to avoid the possible mistakes shown above. If you fail to pass the IAV, or incorrectly pass the ECI value, you will be liable for the transaction. If you deliberately falsify any authentication value, we may end your authentication and merchant agreements. Only the epdq and SmartPay HPPs will automatically process authentication values. The ECI values passed must match for both the authorisation and the clearing message. Error conditions In the unlikely event that you experience an error condition while using cardholder authentication, you need to make sure you can handle the responses. Scheme directory server unavailable You may see a mistake if the HPP, Barclaycard SmartPay, or your own solution cannot connect to the relevant scheme directory. If this is the case, you will be sent a corresponding error message, which you must handle appropriately. If the directory server is not available, this is considered a break in the authentication process as neither a positive (success) or negative (failure) message can be supplied. As such, different rules will apply on who is liable for the transaction. Visa You can continue with the transaction, but must pass an ECI 7 as this was a non-authenticated transaction. You will not benefit from any chargeback protection. MasterCard and Maestro If you have correctly integrated the HPP, Barclaycard SmartPay or your own solution and get this error, you can claim merchant UCAF and still be protected (depending on the conditions in 1.4). The epdq HPP will process transactions based on your settings within the epdq technical setting. Our SmartPay hosted payment page will process the transaction based on the response returned by the issuer and in line with scheme rules. Hosted authentication service not available on a Barclaycard payment Gateway If you cannot authenticate transactions because the hosted authentication service is not operating, we also see this as a break in the process but it has a different outcome. If the hosted authentication service is not available, you should report this to us immediately. Transactions will not be authenticated if this service is down. You can continue with the transaction, but must pass an ECI 7 for Visa or ECI 0 for MasterCard as this was a non-authenticated transaction. You will not benefit from any chargeback protection for either card scheme. If the epdq HPP detects that the hosted authentication service is down, it will process transactions based on your configuration of the epdq technical settings. With Barclaycard SmartPay, if the hosted authentication service is down, transactions will be unable to continue for authorisation. 44

45 Cardholder browser suppresses pop-up window If the cardholder browser does not allow the pop-up to be displayed, this is also considered as a break in the authentication request. As with the scenarios above, you may continue with the transaction but for Visa transactions you will not benefit from any chargeback protection. As recommended, you should consider using an in-line window to avoid these mistakes. Your own authentication software not available If you cannot authenticate transactions because the hosted authentication service is not operating, we also see this as a break in the process but it has a different outcome. Transactions will not be authenticated if this service is down. You can continue with the transaction, but must pass an ECI 7 for Visa or ECI 0 for MasterCard as this was a non-authenticated transaction. You will not benefit from any chargeback protection for either card scheme. Chargeback reason codes included You must be aware that each card scheme uses a different reason code to charge a transaction back. If you are using any automated risk tools, you should make sure you cater for each scheme reason code if it applies. Visa Transaction not recognised when the cardholder tells you that they do not recognise an item on their card statement. Fraud card absent environment the card was not present and a transaction was processed without the cardholder s permission, or a fake (card) account number was used. MasterCard and Maestro No cardholder authorisation the cardholder denies responsibility for the transaction or the acquirer lacks evidence of a cardholder s authentication (in other words, a signature). Cardholder does not recognise potential fraud. When a cardholder claims he or she does not recognise a card-not-present transaction (such as an e-commerce transaction). If after being presented with new information, the cardholder says that they did not authorise the transaction. You may be asked to provide supporting information to us to defend a transaction (see section on Retrieval requests on page 26). Protection against this reason code may help to avoid a chargeback following the request. One of the critical success factors of the authentication schemes is to remove chargebacks from the system. Each of the card issuers are adding edits to make sure, wherever possible, that you are not charged back for a transaction that was authenticated. You will be liable for the transaction for all chargeback reason codes that are not set out in this document. 45

46 Best practice guide for reducing chargebacks There are certain types of chargebacks that happen most often for vehicle-rental providers. So to help reduce practice tips over the next few pages. Authorise every transaction It s important to do this, just remember that authorisation hasn t been reported as lost or stolen and that there are enough funds available to make the transaction. You ll still be legally responsible if the cardholder later states they didn t make a Card Not Present transaction. There s a greater risk of chargebacks if you take Card Not Present transactions. So we d recommend that you always try to process Card Present transactions where possible. Tips for phone reservations As these are Card Not Present transactions, you should ask for as many details as possible to check that the cardholder s authentic. This won t prevent all types of fraud, but it will help to deter some fraudsters. Ask for: the caller s name and the name of the person who needs the vehicle (if it s not the caller) their direct-dial phone number (not a mobile) the number of days they re going to rent the vehicle the card number and the cardholder s name the cardholder s billing address the card valid from and expiry dates the card security code or CSC (the last three digits on the back of the card) If your vehicle registration system allows you to check the card security code, you should enter it at the time of the transaction. Just make sure you don t keep or store this. Info to give your customer: reserved car rental rate the currency of the transaction the exact name and physical address of the location from where the car is to be collected the expected collection date and time the number of days they re expected to hire the vehicle You should also send them a copy of the rental agreement including the Terms and Conditions You should clearly explain and agree the hire rate and get the caller s permission to accept your cancellation and accepted their order, send the cardholder a copy of your reservation details, along with the cancellation and no-show policy. Tips for taking fax or mail reservations Just like taking phone reservations, we recommend taking as many details as possible. Use the checklist on the left except for taking the CSC. When taking orders from company cardholders, check that the fax or letter looks genuine. You should also check if: the company logo looks real the corporate colours are correct the switchboard number is real by calling them it contains a registered address for Ltd and PLC companies it s signed by someone in authority Ideally, you d also reply in writing (can be by ) to a copy of your Terms and Conditions, including your cancellation policy, reservation details and no-show policy. Tips for taking online reservations Card Not Present transactions and likely to be charged back. That s why we d recommend using internet authentication so you can check the cardholder s genuine (see page 21). You should also use the same procedures and precautions as you do for phone reservations (see our checklist on the your Terms and Conditions, e.g. by having a tick box. Extra checks for all transactions You can check that the billing and company address are correct by comparing it to the address listed by the Royal Mail at royalmail.com. Use your reservation system (or stand-alone computer) to do this. Or you can even invest in PC software to do this for you. You can also check: streetmap.co.uk the Electoral Roll. Companies like Equifax do this and will charge for the service ( or equifax.co.uk). Or you can buy and install Electoral Roll software Guaranteed reservations for Visa When a cardholder makes a reservation and gives you their card details, but no payment is taken. Cardholders have at least a 24-hour window to cancel their booking your Terms and Conditions clearly spell this out, and we validate their card. Not sure how to verify an account or card? Speak to your payment solution provider, who will be able to help. (Just so you know, you may be charged an authorisation fee for this.) 46

47 Your cancellation policy You can have a cancellation policy in your Terms and Conditions (which you ll need to clearly explain to your customer), but you can t charge a cancellation fee to the card used for the reservation. If you do, we won t be able to defend you for any chargebacks. For MasterCard transactions, cardholders can cancel their reservation up to 72 hours before the scheduled collection time and date of booking. For Visa transactions, Visa require that your cancellation 24-hour window to cancel their booking from the time Your no-show policy If the cardholder doesn t arrive or doesn t cancel their reservation, you can charge one day s hire to the card (at the end of hire period,) given when the reservation was made. If this happens, send a copy of the transaction receipt with a copy of your Terms and Conditions to the billing address you ve been given. No-show must be clearly written in the space where the cardholder would usually sign the transaction receipt this should also show the card number, expiry date and cardholder name. It s important your Terms and Conditions clearly show a no-show charge will be made for one days hire. When you charge for a no-show, you must send the transaction receipt, along with a copy of the invoice, to the cardholder. If you don t send these to the customer, the cardholder may dispute the transaction with their card issuer, which could lead to a chargeback to you. Collecting the vehicle When your customer comes to collect the vehicle you should: ask to see their card ask them to read your Terms and Conditions, and then sign the rental agreement explain your cancellation or no show policy and ask the cardholder s permission to be charged extra or delayed charges get payment by processing a Card Present transaction if possible (see page 9 for more on how to accept these). If you already have payment you should get an imprint of the card on the card rental agreement as proof that they ve agreed to pay by card You can t ask them to sign a blank transaction receipt, just in case there are any other charges. If you can t honour the reservation, you ll need to provide the agreed or comparable vehicle at no additional cost to the cardholder. Pre-authorisation After you ve accurately estimated the value of the goods or services being provided, a pre-authorisation lets you account. It s sometimes called an estimated authorisation and is something the cardholder needs to agree to beforehand. Preauthorisations have to be processed within 30 days for MasterCard tranactions. For Visa transactions you need the end of the rental. You should base your estimate on: how long the customer plans to rent the car the rental rate and tax and the mileage rates You can t use this to cover possible damage or other insurance excess amounts. Pre-authorisations are valid for the length of the rental period. But for extended hire, we d recommend you close the customer s account after 14 days and bill them every two weeks. You can update estimates as often as you need, up to and including the date the vehicle s returned to you. When you issue a new estimate, make sure it doesn t include amounts that have already been authorised. How to make pre-authorisations The cardholder will need to verify that they re the genuine cardholder by using their PIN. We ve explained how to do this on page 9. Useful tips for pre-authorisations Make sure your transaction receipt always includes the details of the authorisation code, the dates and the amounts Always tell the customer how much you ve estimated, as it will reduce the funds available on their card. Explain that they ve not been charged yet, and their End of the hire period If you ve pre-authorised an amount, you might not need to get another authorisation code when the hire period s the card scheme you re using. For Visa transactions: You can use the code provided during the of that amount haven t got a previous authorisation is more than the sum of all the estimated authorisations you ve already received for the hire period 47

48 For MasterCard transactions: Accidents or damage to the vehicle If the hire vehicle s involved in an accident, you can charge cardholders for the damage. You ll need to get an estimate of the cost from an organisation that can legally provide these services and then send this estimate to the customer. If you d like to do this for Visa cardholders, you ll need to meet the following conditions. The customer must have agreed in writing to pay the charges by a Visa card (the permission should be part of your rental agreement). It s essential that your car rental agreement clearly states that any extra or collision charges will be charged to the card they originally paid with They ll need to sign to agree that they accept these Terms and Conditions and their signature must be on the same page of the car rental agreement as the Terms and Conditions that state that you can charge them. If this doesn t happen, we might not be able to defend any chargeback claims The charge must be made within 90 days of the rental return date There s a bigger risk of chargeback if you don t let the customer know about the charge so you should tell them this is happening For MasterCard cardholders, you ll need to meet the below condition. You should get a separate cardholder signed authority by processing a Card Present transaction. If the card is disputed later, you can use this as proof that the cardholder authorised the extra charge How to deal with delayed charges Additional charges can be given to the cardholder at the agreement. This needs to include details of the damage, the cost and the currency in which the damage will be charged to them and an estimate of the cost of repairs from an organisation who can legally provide these services You ll also need to provide written documentation that: explains the charge and links it to the cardholder s use of the good or services during the rental period includes any accident, police or insurance reports (if applicable) for rental cars and trucks give at least two quotes from companies that are legally permitted to perform repairs shows the amount of damage or loss that will be paid by insurance, and the reasons why the cardholder is liable for the amount claimed tells the cardholder that payment for loss or damage with their card is optional and not an obligation or default option Once they receive this from you, the customer can reply with another estimate for the cost of repairs. They ll need to do this within 10 working days of receiving your letter. It s then up to you to agree on the estimated cost before you process the delayed or amended transaction. If you do this without agreeing the cost with the customer, you ll be liable for chargeback claims. You need to wait 20 working days from the date you the charges. you ll need to send us: a copy of the rental agreement the licence number of the rental vehicle the law which has been broken and (if applicable) a copy of the authority s accident report and notice of the amount they ll be charged and insurance. However, the cardholder must give their consent to receive them, by signing the rental agreement and agreeing to the Terms and Conditions. You ll also have to meet the below conditions. Your Terms and Conditions will need to clearly explain that the cardholder is legally responsible for the charges and that they ll be taken from the card they originally paid with Their signature must be on the same page of the car rental agreement as the Terms and Conditions that states this. If not, we might not be able to defend any chargeback claims Charges must be processed within 90 days of the rental return date and you must get further authorisation The charge must be made using a separate transaction, You ll need to send a copy of the transaction receipt to the cardholder You ll also need to write to the cardholder about any damage charges within 10 working days of the vehicle s return date sending it to the address on their rental 48

49 Accepting split sales You can accept split sales that s where a customer asks to split payments between cards, cash or cheques, or to share costs with other customers. Just bear in mind that these can result in a high number of chargebacks. That s why you must always get authorisation no authorisation operator that the transaction s part of a split sale at the beginning of the call. And you can only process one transaction for each card. Your refund policy If you operate a no-refund policy, you must make this clear to your customers when they make a reservation. And if you do agree to refunds, be aware of opportunities for fraudsters. To avoid these you should: always credit refunds to the card that made the booking never refund by cash, cheque or other payment types If you make a charge to a card by mistake, you need to refund it to them within 30 days. If you re using Barclaycard processing equipment that s contactless-enabled, you can make contactless refunds up to the value of the current limit. These won t need Extended hire We d strongly recommend that you don t allow your customer to hire the vehicle for more than two weeks without settling their bill. You can ask customers who want to extend the lease for more than two weeks to pay the current total due ideally by doing this in person. Failing that, they can use the card details provided at the original booking (although there s a risk that this amount could be disputed at a later date if you don t have a signature or PIN). Disputed transactions If a transaction is disputed, it s essential for you to show that the card was present and authorised (if needed). Unless it s a contactless transaction, we won t be able to defend you from chargebacks if a PIN, signature or authorisation wasn t given. The most common reasons why disputed transactions are charged back for vehicle rentals are: for delayed or amended charges when a fraudster makes a reservation with a card but never arrives. Usually that s because the fraudster is making the reservation to check that the card is valid and funds are available. The genuine cardholder will only if you don t reply to requests for information within 14 days. In most cases, the card scheme just needs the card was present and (except for contactless) the transaction was authenticated by the cardholder. But sometimes they might need a full breakdown of the charge. We ll always let you know what s needed when we get in touch Head to barclaycard.co.uk/business to learn more about chargebacks and how to avoid them. Or give our dedicated Chargeback team a call on and we ll be happy to help. 49

50 Best practice guide for reducing chargebacks There are certain types of chargebacks that happen most often to hotel, lodging and accommodation businesses. To help you avoid chargebacks, we ve created this bestpractice guide. It takes you through the right chargeback procedures step-by-step and also gives you handy hints on how to cut back on potential chargeback costs. Authorise every transaction It s important to do this, just remember that authorisation hasn t been reported as lost or stolen and that there are enough funds available to make the transaction. You ll still be legally responsible if the cardholder later states they didn t make a Card Not Present transaction and we might not be able to defend you if there isn t a checks out using a priority check-out service. Advance booking tips When you can, ask guests to make their own reservations, rather than through a third party. It goes without saying this might not always be possible and you might have to take bookings from secretaries, for example. Tips for phone bookings As telephone reservations are Card Not Present transactions, ask for as many details as possible to check if the cardholder is genuine. You should ask for: the caller s name their direct-dial number rather than a mobile number the name of the guest the accommodation is for (if it s not the caller) their arrival date and time the number of nights they re staying the card number they ll be using to pay the card expiry date the cardholder s name and their billing address this might not match the company address the card security code (CSC) this is the last three digits of the signature strip, or in the box next to it, on the back of the card If it s a corporate booking, you should also ask for: the caller s name and job title the name of the company or organisation the company or organisation switchboard number to validate their card. Not sure how to verify an account or card? Speak to your payment solution provider, who ll be able to help. (Just so you know, you may be charged an authorisation fee for this.) If the booking is made by a third party, for example a travel agent, make sure they tell their customer about the reservation in writing by fax or . Tips for fax or mail bookings Double check the fax or letter looks genuine. Some obvious things to look out for are: is there a company logo in the correct corporate colours? You can check on the internet is there a switchboard telephone number? If so, call it should be answered with the company name is there a registered address for Ltd and PLC companies? has it been signed by someone in authority? Bookings by fax or post should include the same details as telephone reservations except for the CSC. your cancellation policy. Our advice is to call the sender to or post, and include a copy of your Terms and Conditions along with your cancellation policy. Tips for taking online bookings Internet transactions are, in a nutshell, Card Not Present transactions and more likely to end up as a chargeback. That s why we d recommend using internet authentication genuine cardholders (see page 21 for more on this). You should also use the same procedures and precautions as you do for phone reservations (see our they accept your Terms and Conditions, e.g. by having a tick box. Extra checks for all transactions You can check that the billing and company address are correct by comparing it to the address listed by the Royal Mail at royalmail.com. Use your reservation system (or stand-alone computer) to do this. Or you can even invest in PC software to do this for you. You can also check: streetmap.co.uk the Electoral Roll. Companies like Equifax do this and will charge for the service ( or equifax.co.uk). Or you can buy and install Electoral Roll software MasterCard guaranteed reservation When a cardholder makes a reservation and gives you their card details, but no payment is taken. Cardholders have 72 hours before they re due to arrive to cancel their booking. Make sure your Terms and Conditions clearly You should also discuss and agree the room rate and your cancellation policy and ask the caller to accept these terms. Once the caller s agreed, you can give them their reservation code. 50

51 Visa guaranteed reservation Cardholders have at least a 24-hour window to cancel their You need to make sure your Terms and Conditions clearly If you can, carry out an account transaction check If a guest cancels their reservation within your policy timeframe, give them a cancellation code for their records, and yours. Your cancellation policy above, you risk getting chargebacks The cancellation policy only applies when your customer pays by Visa, MasterCard or JCB cards Maestro cards won t pay for hotel cancellations Taking advanced booking desposits If you take advanced deposits under the MasterCard rules, this is the only amount you re allowed to take from the customer s card. You ll also give up your right to charge a one night s no show payment. Operate a no-refund policy? You have to make the cardholder aware of this when they book. Any customer refunds need to be credited to the card used for the booking never give cash or cheques. Don t forget Maestro cards can only be used when the cardholder is present, as it has to be processed electronically using the magnetic stripe or embedded chip. Guest arrival and check-in When it comes to check-in, ask to see the card your registration form. Your registration form should point out any paid extras like newspapers, room service, and so on. Pre-authorisation After you ve accurately estimated the value of the goods or services being provided, a pre-authorisation lets you account while the guest is staying with you. It s sometimes called an estimated authorisation and is something the cardholder needs to agree to beforehand. To do this: tell your guest how much you ve pre-authorised as this will reduce the funds they have available, explain that check the registration form and card signatures match up. Give the card s hologram and signature strip the once over, too have they been tampered with? Pre-authorisation departures and check out If you ve pre-authorised an amount, you might not need to get another authorisation code when your guest checks card scheme you re using your industry and what the extra amount is for. you can use the same pre-authorisation code for up to 15% more. This can go up to 20% if the pre-authorised amount is exceeded because of a gratuity. the estimated amount, you can go ahead and use the estimated amount, you ll need another authorisation Express and priority check out We re sorry, but if you have an express or priority check out service, we may not be able to defend you from a chargeback if a cardholder denies any transactions. Extended stays We d recommend that you ask guests staying longer than two weeks to settle their bill. And if they need to stay longer, they can pay the current total due. Or you can use the card details they gave you at check in although there s a risk the amount could be disputed at a later date without getting their signature or PIN. If your guest used a Maestro card or MasterCard and there are extra charges, get a separate signed and swiped voucher or printed document to prove the cardholder agreed to the charges. Processing delayed or amended charges Additional charges can be given to the cardholder after check-out for things like room charges, mini-bar charges, and breakfast on the last day. However, the cardholder must give their consent to receive them. Delayed or amended charges must be made to the cardholder s account within 90 days of check-out date. We recommend you include these details in your Terms and Conditions to cut down the chance of chargebacks. You ll need to send a copy of the transaction receipt with should also send a copy of the Hotel Registration Form (clearly showing the cardholder s signature and their acceptance of any additional charges being charged) to their credit card account. You shouldn t process charges for damages to the guest s room. Important we recommend that you process additional charges separately, with the cardholder s authority. This helps safeguard you from the total bill (including accommodation) being charged back. To apply any additional charges to a MasterCard, a separate cardholder-signed authority must be given by processing a Card Present transaction. If the charge is disputed later, this will be used as proof that the cardholder knowingly authorised the charge. 51

52 Disputed transactions If a transaction is disputed, it s essential for you to show that the card was present and authorised (if needed). Unless it s a contactless transaction, we won t be able to defend you from chargebacks if a PIN, signature or authorisation wasn t given. The most common reasons disputed transactions are charged back for lodging or accommodation businesses are when: the booking was made fraudulently with a card, so the guest doesn t show up. This is usually because the fraudster s using your booking system to check the card is valid and funds are available. The genuine cardholder won t be aware it s been used until you charge them a no-show fee you don t reply to requests for information within 14 days. In most cases, the card scheme just needs the card was present and (except for contactless) the transaction was authenticated by the cardholder. But sometimes they might need a full breakdown of the charge. We ll always let you know what s needed when we get in touch Express and priority check out charges Got a dispute about an express or priority check out and you didn t get a signature? Please send us: a copy of the check-in receipt proving the card was present and you carried out a pre-authorisation a copy of their registration form with their signature and proof they agreed to the charge for their stay, plus any other relevant details Other charges If the cardholder disputes charges made after they ve checked out so for minibars, breakfast and so on written in the cardholder signature box. Include a copy of their registration form with their signature and proof they agreed to pay any extra charges. For other handy hints on preventing chargebacks, check out barclaycard.co.uk/business/chargebacks. Or give our dedicated Chargeback team a call on and we ll be happy to help. Information and chargeback requests If we let you know a cardholder is disputing a charge, make sure you always give us the right information to help us defend the challenge. Your no-show policy If the cardholder doesn t arrive, or doesn t cancel their reservation or purchase, you can charge them for one day s rental or lodging, in line with your Terms and Conditions. If this happens, send a copy of the transaction receipt and the invoice, with a copy of your Terms and Conditions to the billing address you ve been given. It s important your Terms and Conditions clearly show a booking. If you don t send these to the customer, they may dispute the transaction with their card issuer and this could lead to a chargeback to you. Not got the cardholder s CSC code? The capture of CSC is mandatory for all card not present transactions. However, Visa have made an exception to the rule for no show and delayed transactions. You can bypass the CSC code for no-show transactions. Write No-show in the space where the cardholder would usually sign the transaction receipt. This copy should also show the card number, expiry date and cardholder name. for customer not present transactions, we recommend you select customer present and write no-show on the signature line. 52

53 Contact numbers Customer Services * Monday to Sunday: 8.00am to midnight Bank holidays: 9.00am to 6.00pm (Closed Christmas Day) For help with: Additional processing equipment Statement queries More literature and point of sale materials More information on products and services Changing your details Any other queries or problems PDQ Helpdesk * Monday to Sunday: 8.00am to midnight Bank holidays: 9.00am to 6.00pm (Closed Christmas Day) For help with: Faults with processing equipment PDQ transaction queries Any other queries or problems relating to PDQ Authorisation * For help with: A Suspicions on card activity, transactions or a card presenter Card validity concerns Multiple mail and telephone order transactions * Open 24 hours a day, 7 days a week (including Christmas Day) For help with: Authorisation of more than one mail or telephone order transaction at a time Cheque validation/guarantee * For help with: Validation of Barclays Bank cheques guaranteed by a Barclays Connect card, Barclaycard Visa card or Barclay Premier card Sales Centre * Monday to Friday: 8.30am to 6.00pm (Closed Saturdays, Sundays and Bank Holidays) For help with: Plans to extend your existing business or a new business Chargeback Department * For help with: Any questions about chargebacks or retrievals ecommerce Team * Monday to Sunday: 8.00am to midnight (closed Bank holidays) For help with: Information or assistance about trading over the internet Complaints handling * For help with: Any problems in service from us You can also

54 Glossary and terminology 3 D Secure 3 Domain secure. Covering the many domains involved during internet authentication (between us, you and the cardholder s issuer). The protocol behind the internet authentication process. AAV Account holder authentication value. This is a unique reference generated by MasterCard and Maestro card issuers during the internet authentication process to prove that authentication took place. ACS Access control server. This is the server used by the card issuing bank to manage the 3 D secure processes. APACs Association for Payment Clearing Services now known as UK Payments Administration Ltd (UKPA) sets UK industry standards for payments. BIN cache A record of issuer BIN ranges stored locally on your authentication system. This should be regularly updated to make sure local information on cardholders taking part in the scheme and card issuers is correct. Card acquirer of the card schemes such as Visa or MasterCard. Acquirers enter into agreements with merchants to process card transactions on their behalf and arrange to pay authorised funds. Card issuer institution that issues credit or debit cards. Card not present This refers to card transactions carried out when the cardholder and the card is not present at the point of sale, for example, a card transaction that takes place over the internet. Card schemes A card scheme is a payment card organisation, such as MasterCard and Visa. postcode and card security code as part of the authorisation process. CAVV a unique reference generated during the 3 D secure process by Visa card issuers to prove authentication took place or was attempted. Chargebacks Chargebacks can be initiated by the cardholder or card issuer. Occasionally, a cardholder will dispute with the card issuer a transaction shown on their statement. If the cardholder s complaint is valid, the amount of the transaction may be charged back to us and passed on to you. Chip and PIN The cardholder enters a unique 4 digit personal This is standard technology in the UK. The main aim is to reduce fraudulent transactions at a cost to businesses and the banking industry. Chip cards These are payment cards with a computer microchip built into them. The microchip provides a method of securely storing cardholder information. Code 10 calls If you are suspicious about a card or the person presenting it, you must ring our Authorisation Department immediately on If you cannot speak freely because the customer is nearby, tell the operator that you are making a code 10 call. You will then be asked various questions and told what steps to take. Compromised card numbers (card number mismatch) Compromised card numbers are those illegally copied from genuine cards. Fraudsters are currently encoding these numbers into the black magnetic stripe on the back of stolen cards, to produce what appears to be a valid card. Invariably, the embossed number will be this will show on the processing equipment receipt. You must compare these details when you carry out a transaction. Contactless transaction communications (NFC) technology, where the payment instructions are securely exchanged between a chip card and specially adapted point of sale processing equipment. The value of any single transaction is limited to a certain amount CRReq Card range request. A type of 3 D secure procedure CRRes Card range response. A type of 3 D secure procedure message that contains the list of BIN ranges which are taking part in 3D secure. Directory server (DS) The servers hosted by the card schemes, Visa and MasterCard, that contain details on the cardholders and card issuers enrolled in 3D secure. 54

55 ECI you are during the internet authentication process for an internet transaction. Embossed cards Cards with raised letters and numbers which can be felt and imprinted on a slip if necessary. Encryption The process of converting a message so that it cannot be read. Firewall Computer hardware, software and physical measures which prevent unauthorised access to and from a private network or server. Floor limit HPP Hosted payment page the web page used to collect the cardholder s credit or debit card details, hosted securely by another organisation. HVP High value payments. This relates to contactless transactions that are over the current limit we have set. IAV Issuer authentication value. A general term that corresponds to either the Visa CAVV or MasterCard AAV. Internet transaction Any payment transaction made by a cardholder, using an electronic network, when the merchant is not present. MasterCard directory A system operated by MasterCard which decides part in an authentication scheme, and if so, it returns the URL of the appropriate access control server to your 3D secure service to allow you to correctly direct your cardholder to the card issuer to authenticate a transaction or enrol in an authentication scheme. Merchant voucher summary (MVS) The summary voucher which must accompany any sales and refund vouchers when they are paid into a Barclays branch or posted to the Financial Exceptions Department for processing. NFC for devices, such as point of sale processing equipment and contactless cards, to establish radio communication with each other by touching them together or bringing them close together. PAReq Payer authentication request. A type of 3 D secure procedure message. The message you send to the ACS, containing relevant transaction details, when the cardholder is redirected to the card issuing bank for authentication or to be enrolled in an authentication scheme. PARes Payer authentication response. A type of 3 D secure procedure message. The message returned to you by of the internet authentication process. Payment service providers (PSPs) e commerce transactions to businesses who want to trade over the internet. PIN are the true cardholder. Pop up An internet browser pop up window, displayed within the main browser page. Pre authorisation and reserve those funds on the card. It is the process of authorising a credit or debit card without actually receiving the funds immediately. This is usually used for hotel booking or car hire. Processing equipment Processing equipment means any item of PIN-processing equipment including PEDs (PIN entry device) you use to process any face-to-face transaction. Recurring transactions Regular card payments for goods or services such as insurance premiums. These cannot be made with Maestro cards. Retrieval requests or Request for information (RFI) This is a request from a card issuer for more information or a copy of a transaction. In the case of a postal or telephone order, this will be details of the cardholder s authority to take money from their account, together with a copy of the sales voucher or processing equipment receipt. SecureCode MasterCard s term for their 3D secure internet authentication service for MasterCard branded cards and Maestro branded cards. Server A central computer that makes services and data available. Split sale A transaction which is split between more than one card, or a combination of card, cash or cheque. 55

56 Supervisor control A plastic card or a PIN code that is supplied with your point of sale processing equipment that is used to carry out supervisor actions on the device, for example, to carry out the end of day banking procedure or to process a refund. Transaction laundering This is the unacceptable practice of processing someone else s card transactions using your merchant number. UCAF the AAV. VbV authentication service for Visa branded cards. VEReq Verify enrolment request. A type of 3 D secure procedure message. The message sent to Visa or status of an individual cardholder. VERes Verify enrolment response. A type of 3 D secure procedure message. The message returned by Visa or status of an individual cardholder. We, us, our Barclays Bank PLC, Barclaycard. XID 3D secure process to link the 3D secure protocol messages together. You, your The person, people or organisation shown as the merchant or any agent or sub contractor we have approved. If two or more people are shown as the merchant, each of you is responsible to us individually as well as jointly. 56

57 Correct at time of publication (April 2015) This document is also available in large print, in Braille and in audio format by calling *. We also offer a text relay or sign video service. For more information visit barclaycard.co.uk/accessibility *Calls may be monitored or recorded in order to maintain high levels of security and quality of service. For BT business customers, calls to numbers will cost no more than 5.5p per minute, with a call costing at least 6p (current at April 2015). The price on non-bt phone lines may be different. Barclaycard is a trading name of Barclays Bank PLC. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: ). Barclays Bank PLC subscribes to the Lending Code which is monitored and enforced by the Lending Standards Board. Registered in England No Registered Office: 1 Churchill Place, London E14 5HP. BCD112079BROB1