|
• You must restrict physical access to Cardholder information.
<br /> • You may not transmit Cardholder account numbers to Cardholders for Internet transactions.
<br /> • You cannot store or retain Card Validation Codes (three-digit values printed in the signature panel of most Cards, and a four digit code printed on the front of an American Express Card).
<br /> • You cannot store or retain Magnetic Stripe data, PIN data or AVS data. Only Cardholder account number, Cardholder Name and Cardholder expiration date can be retained subsequent to transaction authorization.
<br /> • You must destroy or purge all Media containing obsolete transaction data with Cardholder information.
<br /> • You must keep all systems and Media containing Card account, Cardholder or transaction information (whether physical or electronic) in a secure manner so as to prevent access by, or disclosure to any unauthorized party.
<br /> • For Internet transactions, copies of the transaction records may be delivered to Cardholders in either electronic or paper format.
<br /> 4.3. You may be subject to ongoing validation of your compliance with PCI DSS standards. Furthermore, we retain the right to conduct an audit at your expense, performed by us or a third party designated by us to verify your compliance, or that of your agents or third party providers, with security procedures and these Operating Procedures.
<br /> 4.4. In the event that transaction data suspected of having been accessed or retrieved by any unauthorized person or entity, contact Customer Service or your Relationship Manager immediately and in no event more than 24 hours after becoming aware of such activity.
<br /> 4.5. You must, at your own expense (i) perform or cause to be performed an independent investigation (including a forensics analysis) of any data security breach of Card or transaction data, (ii) perform or cause to be performed any remedial actions recommended by any such investigation, and (iii) cooperate with us in the investigation and resolution of any security breach.
<br /> 4.6. Required Information for Discover Security Breaches.
<br /> For security breaches involving Discover transactions and/or track data, you must provide us and/or Discover with the following information: (i) the date of breach; (ii) details concerning the data compromised (e.g., account numbers and expiration dates, Cardholder names and addresses, etc.); (iii) the method of such breach; (iv) your security personnel contacts; (v) the name of any person (including law enforcement) assisting you with your investigation of such breach; and (vi) any other information which we reasonably request from you concerning such breach, including forensics reports. You shall provide such information as soon as practicable, and the items listed in (i)-(v) shall be provided to us in any event within 48 hours of your initial notification to us of the breach.
<br /> 4.7. Third Parties. The data security standards set forth above also apply to any agent or third party provider that you may use to store, process or transmit Cardholder data. In addition, such agents or third party providers must be registered with the applicable Association. Therefore, you must:
<br /> • Notify us in writing of any agent or third party processor that engages in, or proposes to engage in, the storing, processing or transmitting of Cardholder data on your behalf, regardless of the manner or duration of such activities.
<br /> • Ensure that all such agents or third party processors are (i) registered with the applicable payment card brands; and (ii) comply with all applicable data security standards, including, without limitation, the PCI DSS.
<br /> You are solely responsible for the compliance of any and all third parties that are given access by you, to Cardholder data, and for any third party software that you may use.
<br />
<br /> Each authorization request you submit to us must fully comply with the applicable provisions of this Agreement. Submission of an authorization request that does not fully comply may result in assessment of additional fees to you, a declined authorization response or a Chargeback to you.
<br /> You must obtain an Authorization Approval Code […] in Section 5.4) for all transactions. A positive authorization response for MasterCard remains valid for seven (7) days for electronic processed transactions. For true paper merchants for MasterCard and Visa transactions the Authorization remains valid for thirty (30) days. A positive authorization response for Discover transactions remains valid for ninety (90) days. Failure to settle within these timeframes, may result in a late presentment Chargeback.
<br /> Failure to obtain an Authorization Approval Code for a sales transaction may result in a Chargeback and/or the termination of your Agreement.
<br /> Authorization Approval Codes can be obtained through your POS Terminal or a Voice Response Unit ("VRU"). Any fees related to Authorizations will be charged for a request for an Authorization Approval Code, whether or not the transaction is approved.
<br /> Do not attempt to obtain an Authorization Approval Code provided by someone other than us except as described in Section 5.4. If a Cardholder or another service provider provides you with either an authorization number or with a telephone number for obtaining Authorizations, the Authorization Approval Code you receive may not be valid. Even if the transaction is initially processed and funded, it may be charged back at a later date. Also, if you receive a purported Authorization Approval Code from someone other than us, we will not have the supporting records and will be unable to verify that you received the authorization if that is later questioned in a Chargeback.
<br /> An Authorization Approval Code only indicates the availability of Credit on an account at the time the Authorization is requested. It does not warrant that the person presenting the Card is the rightful Cardholder, nor is it a promise or guarantee that you will not be subject to a Chargeback.
<br /> If you obtain Address Verification, you must review the AVS response separately from the authorization response and make your own decision about whether to accept the transaction. A transaction can receive an Authorization Approval Code from the Card Issuer even if AVS is unavailable or reflects that the address provided to you does not match the billing address on file at the Issuer. If the authorized Cardholder disputes such a transaction, you will be responsible for the resulting Chargeback.
<br /> If you receive a Referral response to an attempted Authorization, you may not submit the transaction without calling for and receiving a voice authorization. After receiving a Referral response you may not attempt another Authorization on the same Card through your POS Terminal.
<br /> If you fail to obtain an Authorization Approval Code or if you submit a Card transaction after receiving a decline (even if a subsequent Authorization attempt results in an Authorization Approval Code), your transaction may result in a Chargeback and may be assessed fines or fees by the Associations for which you will be responsible. These currently range from $25 to $150 per transaction. To avoid these costs and related Chargebacks, always obtain an Authorization Approval Code directly from your terminal before submitting a transaction for settlement.
<br /> For Cards other than MasterCard, Visa and Discover (e.g., American Express, JCB, etc.) or for check acceptance, you must follow the procedures for authorization and acceptance for each.
<br /> You may not attempt to obtain multiple Authorizations for a single transaction. If a sale is declined, do not take alternative measures with the same Card to obtain an approval of the sale from other authorization sources. Instead, request another form of payment. If you accept and process a transaction that was declined, or attempt multi-transactions and/or multi-Authorizations, you are subject to a Chargeback, Association Fines and/or cancellation of your Agreement.
<br /> 5.1. Card Not Present Transactions. You should obtain the 3-digit Card Validation Code (CVV2, CVC2, CID) and submit this Code with all authorization requests with respect to transactions where the Card is not present (e.g., telephone, mail or internet sales). However, for recurring transaction Authorizations you should submit the Card Validation Code with the first authorization request only, and not with subsequent recurring transaction authorization requests. (See Section 1.7) NOTE: For each Card Not Present Discover transaction, you must also verify the name and billing address of the Discover Cardholder using the Address Verification System (AVS), and if you do not receive a positive match, do not process the Discover Card Not Present transaction.
<br /> WFB1301 9
<br />
|