• You may [...] processing until after the merchandise has been provided to the customer. (The Associations will permit the immediate billing of merchandise manufactured to the customer's specifications [i.e., special/custom orders] provided the Cardholder has been advised of the billing details.)

• You should provide a copy of the Sales Draft to the Cardholder at the time of delivery. You must also obtain proof of delivery of the goods or services to the address designated by the Cardholder (i.e., by getting a signature of the Cardholder or person designated by the Cardholder through the delivery carrier). If the Cardholder visits one of your locations to receive the goods or services purchased, obtain an imprint of the card and the Cardholder's signature.

• Notify the Cardholder of delivery time frames and special handling and/or of cancellation policies. Merchandise shipping dates must be within seven (7) days of the date Authorization was obtained. If, after the order has been taken, additional delays will be incurred (e.g., out of stock), notify the Cardholder and reauthorize the transaction.

• You may not require a Cardholder to complete a postcard or other document that displays the Cardholder's account number in clear view when mailed.

• If you accept orders via the Internet, your web site must include the following information in a prominent manner:
— Complete description of the goods or services offered;
— Description of your merchandise return and Credit/refund policy;
— Customer service contact, including email address and/or telephone number;
— Transaction currency (U.S. dollars, unless permission is otherwise received from Servicers);
— Any applicable export or legal restrictions;
— Delivery policy;
— Consumer data privacy policy;
— A description of the transaction security used on your website; and
— The sale or disclosure of databases containing Cardholder account numbers, personal information, or other Card transaction information to third parties is prohibited.

• You may not accept Card Account Numbers through Electronic Mail over the Internet.

NOTE: Address Verification Service ("AVS") does not guarantee against Chargebacks, but used properly it assists in reducing the risk of fraud by confirming whether certain elements of the billing address provided by your customer match the billing address maintained by the Issuer. AVS also may help you avoid incurring additional interchange expenses. AVS is a separate process from obtaining an Authorization and will provide a separate response. A transaction may not match addresses when submitted for AVS and still receive an Authorization. It is your responsibility to monitor the AVS responses and use the information provided to avoid high-risk transactions.

3.2.1. Discover Protocol for Internet Transactions. Each Internet Discover Card transaction accepted by you and submitted to us shall comply with Discover standards, including, without limitation, Discover standards governing the formatting, transmission and encryption of data, referred to as the "designated protocol." You shall accept only those Internet Discover Card transactions that are encrypted in accordance with the designated protocol. As of the date of these Operating Procedures, the designated protocol for the encryption of data is Secure Socket Layer (SSL). We may, at our discretion, withhold Settlement until security standards can be verified. However, the designated protocol, including any specifications with respect to data encryption, may change at any time upon thirty (30) days advance written notice. You shall not accept any Internet Discover Card transaction unless the transaction is sent by means of a browser which supports the designated protocol.

3.3. Customer Service Telephone Numbers for Card types which are funded by individual non-bank Associations include:
American Express ESA 1-800-528-5200
American Express OnePoint 1-800-451-5817
JCB International 1-800-366-4522
TeleCheck 1-800-366-1054
Voyager 1-800-987-6591

THE FOLLOWING IS IMPORTANT INFORMATION REGARDING THE PROTECTION OF CARDHOLDER DATA. PLEASE REVIEW CAREFULLY AS FAILURE TO COMPLY CAN RESULT IN SUBSTANTIAL FINES AND LIABILITIES FOR UNAUTHORIZED DISCLOSURE AS WELL AS TERMINATION OF THIS AGREEMENT.

4.1. Payment Card Industry Data Security Standards (PCI DSS). Visa, MasterCard, American Express, Discover and JCB aligned data security requirements to create a global standard for the protection of Cardholder data. The resulting Payment Card Industry Data Security Standards (PCI DSS) defines the requirements with which all entities that store, process, or transmit payment card data must comply. PCI DSS is the name used to identify those common data security requirements. The Cardholder Information Security Program (CISP) is Visa USA's data security program, the Site Data Protection (SDP) program is MasterCard's data security program and Discover Information Security and Compliance (DISC) is Discover's data security program, each based on the PCI DSS and industry aligned validation requirements. PCI DSS compliance validation is focused on any system(s) or system component(s) where Cardholder data is retained, stored, or transmitted, including:
• All external connections into your network (i.e., employee remote access, third party access for processing, and maintenance);
• All connections to and from the Authorization and settlement environment (i.e., connections for employee access or for devices such as firewalls and routers); and
• Any data repository outside of the Authorization and settlement environment.

The Associations or we may impose fines or penalties, or restrict you from accepting Cards, if it is determined that you are not compliant with the applicable data security requirements. We may, in our sole discretion, suspend or terminate Card processing Services under your Merchant Agreement for any actual or suspected data security compromise.

Detailed information about DISC can be found at the PCI DSS Council's website: www.pcisecuritystandards.org. Detailed information about Visa's CISP program can be found at Visa's CISP website: www.visa.com/cisp. Detailed information about MasterCard's SDP program can be found at the MasterCard SDP website: https://sdp.mastercardintl.com. Detailed information about DISC can be found at the Discover DISC website: http://www.discovernetwork.com/fraudsecurity/disc.html. The PCI Data Security Standard and detailed information about SDP, including the MasterCard Security Self-Assessment which you should complete, can be found at MasterCard's SDP website: https://sdp.mastercardintl.com. Detailed information about the American Express Data Security Operating Policy (DSOP) can be found at: https://www.americanexpress.com/datasecurity.

4.2. You must comply with the data security requirements shown below:
• You must install and maintain a secure network firewall to protect data across public networks.
• You must encrypt stored data and data sent across networks.
• You must use and regularly update anti-virus software and keep security patches up-to-date.
• You must restrict access to data by business "need to know," assign a unique ID to each person with computer access to data and track access to data by unique ID.
• Don't use vendor-supplied defaults for system passwords and other security parameters.
• You must regularly test security systems and processes.
• You must maintain a policy that addresses information security for employees and contractors.

WFB1301 8