
May 2013

Merchant Services Best Practices Guide. Rethink banking. Powered by Citi.

Contents

1. How to reduce the risk of card present fraud

2. How to reduce the risk of card not present fraud

3. Risk Mitigation for Online Merchants

4. Delivering the goods

5. Refunding

6. Third Party Processing

7. What to do if you suspect or identify a fraudulent transaction

8. Chargebacks

9. Points to Remember

10. Securing Your EFTPOS Terminal

1. How to reduce the risk of card present fraud

When the card is present at the point of sale, take a good look at the card to ensure that it is genuine. Ensure that you maintain possession of the card until the transaction has been completed.

Check card details

• Does the card appear genuine? Is the embossing clear and even and does the printing look professional?

• Embossing - the card numbers should be raised, clear and straight

• Visa and MasterCard have the first four card numbers printed under the embossing

Note - The numbers are often mismatched or altered on counterfeit cards

• Check the front and back to ensure the card contains:

- Card Issuer's logo

- Cardholder name

- Card number

- Expiry date

- Signature

- CVV2/CVC2 - The 3 digit value located on or near the signature panel of the credit card.

- Holograms should appear three-dimensional and change colour when tilted - look for the Visa Dove or MasterCard Worldwide Map

• Check the cardholder's signature on the receipt against the actual credit card.

• Signature Panel - the words 'MasterCard' or 'Visa' are printed repeatedly at a 45 degree angle - the panel is designed to reveal tampering

• Check expiration dates on all credit cards. Never accept an expired credit card.

• Ensure the number embossed on the front of the card matches the truncated number on the receipt.

• Does the name match the customer? Does the gender of the presenter match the name printed on the card? Ask for photo ID to confirm details if suspicious.

Always swipe or dip the card

• Never manually enter the credit card number. Take extra caution if the customer requests you to manually key a transaction.

Chip card processing

Chip cards are MasterCard and Visa (credit and debit) cards that are embedded with a security microchip that provides further protection to assist in decreasing the risk of fraudulent transactions and chargeback disputes. Look at the card and if there is a chip, always insert the card into the chip reader at the first instance. As with any other transaction, a degree of caution must also be exhibited when processing chip card transactions. If:

• The terminal displays 'Insert Chip' when the card is swiped through the terminal and the card in question does not have a chip on it, do not proceed with the transaction

• The terminal displays 'Insert Chip' and the chip when inserted cannot be read by the terminal, do not proceed with the transaction

What to look out for

Being vigilant about unusual credit card spending can help you avoid becoming a victim of a potential fraud attack. Look out for:

• Customers who appear nervous or anxious, or hurry you at closing time.

• Customers who seem to not care about the item they are purchasing. For example, those who do not check the size or the price of an item, grab several items quickly, or do not worry about the warranty.

• Customers who request immediate delivery, that is, they want to take large and expensive items immediately.

• Customers who request you to manually key the card number.

• Multiple cards presented. Be wary of customers who give you more than two card numbers, or try to split the order.

Double swiping at the terminal

Double swiping refers to the act of a merchant completing a second swipe of a card at the terminal after the card has already been swiped and the transaction is being processed.

Double-swiping has been identified as the root cause in several large data compromise events globally.

Merchants may be subjected to fines and other recovery fees by Citibank if they are found to be conducting this type of activity.

Further instructions:

• Do not accept declined transactions. Do not split a declined transaction into smaller amounts.

• Be on the alert for counterfeit cards. Check the chip on the card to ensure that it is embedded in the card and not protruding on the surface. You can conduct a simple test by running your finger across the surface of the chip.

• Customers who present a card not in their name and when questioned advise that it is their partner's or friend's card.

If the customer does not cooperate or the details do not match, do not proceed with the transaction and ask for another form of payment.

In the event that a customer or transaction appears suspicious, before deciding whether or not to proceed with the transaction, the staff member should contact Citibank Merchant Services on 1300 550 298 selecting option 2 and advise the operator that this is an 'Extension 10 call'.

A trained supervisor will request the card number, and then ask the staff member concerned a number of Yes/No questions that will assist in determining whether or not the credit card is genuine.

Common Card Designs (illustration page; card images not reproduced in this transcript)

2. How to reduce the risk of card not present fraud

Card not present transactions are those where neither the card nor the cardholder are present at the point of sale, such as internet or mail order/telephone order purchases. Merchants who accept card not present transactions face a higher risk of becoming victims of fraud, as the anonymity of card not present transactions makes them appealing targets for fraudsters. The following tips may help reduce the possibility of fraudulent card not present transactions:

• Obtain as much information as possible: the credit card number, name of bank, full name, address, expiry date, CVV2/CVC2 and contact telephone number (including landline). If processing the transaction via a terminal ensure you enter the card details correctly as per the operating guides for MOTO transactions.

• Use some form of additional validation, such as the electronic white pages, to cross check details provided.

• Call the customer on the quoted contact telephone number to confirm details of the order, especially for large and/or suspicious orders.

• Request further identification such as a photocopy of the front and back of the card. This will ensure the person has the card in their possession. Ensure it is a genuine photocopy, not a photoshopped image.

• If you take payments via a website, contact your gateway provider and see if they have any fraud prevention software which you can utilise.

• Keep all copies of correspondence including invoices, emails, quotations, faxes, proof of delivery, etc.

Always obtain authorisation for all card not present transactions, regardless of value, and for the full amount of the transaction.

Remember, an authorisation only confirms that funds are available at the time of the call and that the card has not been reported lost or stolen. It does not guarantee that the person quoting the card number is the owner of the card or is entitled to use the card.

What to look out for:

• Items ordered of an unusual quantity or multiple orders of the same item.

• Big ticket items or orders that are larger than normal for your business.

• Orders requested as urgent or for overnight delivery.

• When orders are cancelled and the customer is requesting a transfer of money to a card or method other than back to the original credit card (e.g. money order, money transfer). This is not permitted.

• Different cards are provided (including different cardholder names) but the same delivery address is given.

• Multiple cards presented.

• If they do give you multiple card numbers look at the actual numbers: are the first 12 digits the same and only the last four change? For example, you have been given three cards:

5123 5432 1234 1145, 5123 5432 1234 5269, 5123 5432 1234 8537

Notice that the card numbers only vary by the last four digits.

• Be wary of internet orders using generic internet addresses using free email services.

• Email messages written in poor or childlike English.

• Multiple transactions charged to one card over a short period of time.
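As an added example (not part of the Citibank guide), the following Python screens the card numbers offered for a single card not present order against the warning signs listed above: more than two cards, numbers that share the first 12 digits and differ only in the last four, and numbers that fail a structural check. The Luhn mod-10 check and the last-four masking are this example's own additions, not requirements stated in the guide, and the sample order reuses the three numbers the guide quotes.

```python
"""Screen the card numbers presented for one card not present order.

Added example: flags the warning signs the guide lists (more than two cards,
cards that vary only in the last four digits) and, as an extra structural
check, numbers that fail Luhn mod-10. Full card numbers are never kept or
reported; only the last four digits are returned, like a truncated receipt.
"""
from collections import defaultdict

# Constructed sample input: the three card numbers quoted in the guide's example.
SAMPLE_ORDER = ["5123 5432 1234 1145", "5123 5432 1234 5269", "5123 5432 1234 8537"]


def normalise_pan(pan: str) -> str:
    """Keep digits only, so '5123 5432 ...' and '5123-5432-...' compare equal."""
    return "".join(ch for ch in pan if ch.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check (catches mistyped or made-up numbers).

    A passing number says nothing about whether the card is genuine or the
    presenter is entitled to use it; it is only a sanity check before keying.
    """
    digits = [int(ch) for ch in normalise_pan(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the number with everything but the last four digits masked."""
    digits = normalise_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def screen_order_cards(pans: list[str]) -> dict:
    """Return the risk flags the guide tells merchants to look for."""
    cleaned = [normalise_pan(p) for p in pans]
    by_prefix = defaultdict(list)
    for pan in cleaned:
        by_prefix[pan[:12]].append(mask_pan(pan))   # group on the first 12 digits
    return {
        # more than two card numbers offered for one order
        "multiple_cards": len(cleaned) > 2,
        # groups of cards that differ only in the last four digits
        "shared_prefix_groups": [g for g in by_prefix.values() if len(g) > 1],
        # numbers that fail the structural check and should be queried
        "invalid_pans": [mask_pan(p) for p in cleaned if not luhn_valid(p)],
    }


if __name__ == "__main__":
    for flag, value in screen_order_cards(SAMPLE_ORDER).items():
        print(f"{flag}: {value}")
```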

Further instructions:

• Take note of varying delivery addresses for repeat customers

• Be mindful of your state's crime hotspots and delivery of goods to these hotspots

• Exercise caution when taking foreign orders, such as orders from Asia, the Middle East and Africa, which may present a higher risk.

Remember, the liability for all card not present transactions rests with the merchant. Therefore the more information you gather to satisfy yourself that the transaction is valid, the more chance you have of identifying fraud and reducing the chargeback risk.

3. Risk mitigation for online merchants

Secure your customers' data

At Citibank, we are committed to providing our merchants assistance to help protect their business, and their customers, from the growing threat posed by online fraudsters. Without a doubt this is one of the biggest challenges faced by business today.

If you are a merchant who has access to, or stores credit card details in any format, or if you use a service provider who does, it is your responsibility to ensure that your customers' payment details remain secure.

It is important that you understand the measures which need to be taken to ensure the security of highly sensitive personal financial information.

Website requirements

All merchants using an Internet Merchant Facility must comply with Citibank's website standards.

Citibank reserves the right to decline, deactivate access or terminate merchants who do not comply with these requirements for the duration of the facility.

1. Your website must satisfy all of the following criteria:

• The trading name and the URL must not have any substantial differences in wording. This will maintain consistency and reduce any potential cardholder confusion.

• A clear description of the goods and services offered for sale.

• Contact information - trading name, Australian Business Number (where required), address.

• Telephone number and fax number where available.

• A clear explanation of shipping practices and delivery policy/timeframe.

• Transaction currency: Citibank merchants can process AUD amounts only and may settle into AUD accounts only.

• Total cost of the goods or services purchased, inclusive of all shipping charges.

• Card scheme brand marks are displayed wherever payment options are presented.

• Export restrictions (if any) - countries to which the merchant does not ship.

• A clear refund/return policy.

• Consumer data privacy policy - advises what you plan to do with information collected from your customers.

• Security capabilities and policy for transmission of payment card details.

• Each merchant domain name must utilise separate payment pages. It is necessary to check that website links do not go to another domain name from which payments can be made in relation to goods or services offered through the first website.

• All information must be accurate in all respects.

2. Your website must not:

• Contain anything that constitutes or encourages a violation of any applicable law or regulations, including but not limited to the sale of illegal goods or the violation of export controls, obscenity laws or gambling laws.

• Contain any adult or pornographic content.

• Offer for sale goods or services, or use to display materials, which may be considered by a reasonable person to be obscene, vulgar, offensive, dangerous, or are otherwise inappropriate.

• Use unaccredited payment pages.

• Fail to use digital certificates to establish a secure browser session.

3. Payment pages must be accredited by Citibank or a Citibank accredited service provider and must adhere to our security requirements.

4. You must use digital certificates to establish a secure browser session between you and your customer.

5. You should not change the types of goods or services sold through your merchant facility without first providing Citibank with written notice, and then receiving written consent from Citibank confirming the change has been approved.

For further information on data security standards please refer to the following website: pcisecuritystandards.org/merchants/

3D Secure - online authentication tool

3D Secure is an online service designed to make online shopping transactions safer by authenticating a cardholder's identity at the time of purchase. This service is known as Verified by Visa and MasterCard SecureCode.

A transaction using Verified by Visa/SecureCode will redirect cardholders to the website of their card issuing bank. The cardholder may then be requested by their bank to enter a password to be authenticated. If a customer is not registered with 3D Secure then they are still able to make a purchase from your website.

Following confirmation, the window disappears and the cardholder is returned to the checkout screen. If the cardholder is not confirmed, the transaction will be declined.

Participating merchants are protected by their merchant bank from receiving certain fraud-related chargebacks.

For further information about Verified by Visa and MasterCard SecureCode, please contact Citibank Merchant Services on 1300 550 298.

Note: If you are operating via a third party online Payment Service Provider (PSP), it is your responsibility to ensure that the correct risk management rules are applied to your payment facility.

4. Delivering the goods

A common point of fraudulent transactions is allowing someone, particularly a third party, to pick up the goods from your store after a telephone order has been placed without the credit card being presented, a card imprint taken or signature obtained. Deliveries should always be made by your carrier or by a reputable courier engaged by you, not by your customer.

For deliveries the following procedures are recommended:

• Ensure the person making the delivery delivers the goods to a person inside the premises, not someone waiting outside.

• The deliverer should always obtain the signature of the person taking the delivery.

• Never deliver to car parks or parks.

• Try to deliver only to physical addresses; take extra caution when delivering to hotels and PO Box addresses.

• Be wary of orders going overseas; recent fraud trends have indicated Africa and Asia fraudsters targeting Australian merchants with stolen credit card numbers.

• Sight the card wherever possible upon delivery of the goods.

• Check internet maps and street views to verify the business.

5. Refunding

You are not permitted to:

• Refund a transaction back to a card other than the one used to make the original purchase.

• Send the refunded amount to the customer via the Internet, money order or international money transfer.

It is also beneficial to monitor all refunds processed. An increasingly common form of fraud involves employees using your EFTPOS solution to process refunds to their own cards. Ensure only authorised staff have access to process refunds and be aware of your refund limits.

Regularly change your refund password. Do not use a generic password such as 9999.

6. Third party processing

Third party processing is forbidden.

Third party processing is where you process a transaction on behalf of another company or person. If any transactions are deemed as fraudulent, you will be responsible for the chargeback of that transaction. Here are some typical scenarios of third party processing:

'If you process these transactions I will give you 15% of the total sales'.

'My terminal is broken and the bank can't fix it till later this week, can you please process this transaction for me as I will lose the sale?'.

7. What to do if you suspect or identify a fraudulent transaction

Contact Citibank Merchant Services by calling us on 1300 550 298 if you suspect or identify fraud.

If you identify a lost or stolen card, attempt to retain the card and call the fraud team or the police.

Your safety comes first - do not take any risks.

8. Chargebacks

A chargeback is a reversal of a credit card transaction and usually occurs when a customer raises a dispute with their financial institution (also known as the Issuer) in relation to a purchase made on their credit card. A chargeback may cause the amount of the original sale and a chargeback fee to be deducted from the merchant's account.

The reasons why chargebacks arise vary greatly but are generally the result of a customer being dissatisfied with their purchase or due to illegal or fraudulent activity/use of their card.

Common chargeback reasons:

• Transaction not recognised by the cardholder

• Transaction not authorised by the cardholder

• Duplicated transactions

• Cancelled recurring/direct debit transactions

• Goods/services not received or faulty

• Goods/services not as described

• No authorisation obtained

• Fraud enquiries

• Legal proceedings

• Point-of-Sale errors

The Chargeback process

1. Transaction is disputed. Cardholder raises a problem with their financial institution (known as the Issuer) or the Issuer discovers a breach of the card scheme rules.

2. Issuer advises Citibank Merchant Services.

3. Citibank Merchant Services may request documentation from the merchant to verify the transaction. The merchant has a set timeframe to respond to retrieval requests, usually 14 days.

4. If the chargeback is invalid, Citibank Merchant Services will decline the chargeback and return it to the Issuer.

5. If the chargeback is valid, the chargeback amount is debited from the merchant's account and written notification is provided to the merchant. A chargeback fee may also be charged to the merchant's account.

9. Points to remember

• If you are suspicious, contact the Citibank Merchant Services Fraud team prior to the processing and dispatching of the goods.

• Always obtain authorisation, especially for online transactions, regardless of value and for the full transaction amount.

• Look at the decline codes on the EFTPOS terminal when a transaction rejects: does the code indicate the card is lost or stolen? If so, retain the card. Is the card number valid? If not, do not proceed with the transaction or accept another card.

• Do not lower the amounts, split sales or accept card after card.

• Be mindful of overseas orders.

• Never conduct third party processing.

• Store your customer's information securely. Ensure all your computer systems are password protected and data maintained on databases should be encrypted. Ensure all paper records are securely stored with restricted access. Never store the CVV2/CVC2 or full card track data. Report all security incidents.

• Train your staff. Ensure your staff are aware and vigilant of potential fraudsters.

• Be aware of what your staff are processing. Staff have been found to be involved in fraudulent activity. Look out for staff refunding to their own credit cards or storing unnecessary customer information.

• Be extra cautious on high risk transactions including: card not present, manually keyed, no authorisation obtained or fallback transactions.

Adopting these suggestions may help reduce fraud but will not guarantee that you will not be a victim of credit card fraud.

It is your responsibility to confirm that the purchaser is the genuine cardholder, as you may be liable for the transaction in the case of a chargeback under your merchant agreement terms and conditions. Merchants should be aware of their responsibilities under their Citibank Merchant Terms & Conditions.

10. Securing your terminal

Fraud and misuse of credit or debit card information is a growing problem for many merchants globally. The loss of customer card data and subsequent misuse may undermine customer confidence and potentially reduce card usage at your business.

As part of Citibank's ongoing commitment to providing the most up to date information on terminal and cardholder data security, we have outlined a list of best practices for protecting your terminals and your customer's information.

Your Citibank merchant terminal is equipped with a number of in-built security features which are designed to protect your customers' information. By implementing the recommended best practices below, you can protect your business, your customers and your reputation from credit and debit card fraud or misuse.

Recommended best practices

• Always ensure that terminals are secure and under supervision during operating hours (including any spare or replacement terminals you have)

• Secure your equipment - do not leave terminals unattended.

• Ensure that only authorised employees have access to your terminals and are fully trained on their use. When closing your store or kiosk, always ensure that your terminals are securely locked and not exposed to unauthorised access.

• Never allow your terminal to be maintained, swapped or removed without advance notice from Citibank. Be aware of unannounced terminal service visits.

• Only allow authorised Citibank personnel to maintain, swap or remove your terminal, and always ensure that security identification is provided.

• Inspect your terminals on a regular basis, to ensure that the terminal casing is whole with external security stickers remaining unbroken and of a high print quality.

• Ensure that there are no additional cables running from your terminal

• Make sure that any CCTV or other security cameras located near your terminal(s) can't observe Cardholders entering details.

• It is important to notify Citibank Merchant Services on 1300 550 298 immediately if:

- Your terminal is missing

- You, or any member of your staff, is approached to perform maintenance, swap or remove your terminal without prior notification from Citibank and/or security identification is not provided

- Your terminal prints incorrect receipts or has incorrect details

- Your terminal is damaged or appears to be tampered with.

Hints

• Trust your instincts! If a sale seems too good to be true, it probably is.

• All too often what a merchant might think is a great sale will turn out to involve some type of fraud.

• Take the time to properly investigate overseas orders from customers with whom you have never done business.

• That bit of extra work may well prevent you from becoming the victim of a fraud scheme and having to bear any associated chargebacks.

For more information call: 1300 550 298

MCG14421_(0213) © 2013 Citigroup Pty Limited ABN 88 004 325 080, AFSL No. 238098, Australian credit licence 238098. Citibank®, Citi® and Arc Design® are service marks of Citigroup Inc.