Welcome Kit

Welcome Kit Contents

Who is AcceptSafe
Homestead Merchants
AcceptSafe Gateway
Account Activation
Locating the MD5 Hash Value
Endurance Merchants
AcceptSafe Authnet Gateway
Account Activation
Mobile Processing
General Merchant Information
Merchant Statements
IRS Regulations
PCI Compliance
eCommerce Success Tips
Data Security
Preventing Fraud & Avoiding Chargebacks
Frequently Asked Questions
Merchant Information Resources
Who is AcceptSafe

AcceptSafe is the easy & affordable way to accept credit cards. We are your personal advisor for your online business. Don’t think of yourself as an online merchant yet? That’s ok, we’ll help you through every step so you can start earning money through your website and grow your business. When you’re building an online presence, sometimes you need a little guidance. And if you want to sell products through your site, it can seem complicated. That’s why we’re here. AcceptSafe will help you accept payments anywhere your business takes you. Every transaction counts, and AcceptSafe ensures that each one is executed with security and precision. We give you all the tools you need to accept credit cards right away.

Homestead Merchants
AcceptSafe Gateway

The AcceptSafe Gateway was developed to provide businesses with the most useful, feature-enriched, and easy to use payment-processing tool on the market. This secure payment gateway will give merchants’ businesses an edge in the industry with a wide range of features and benefits including:

• Built-In Recurring Billing
• Full Virtual Terminal
• Verified by Visa/MasterCard Secure Code
• Integration With Leading Billing Systems
Account Activation

After registering with AcceptSafe as a Homestead merchant, you must next activate your payment gateway using your login username and activation code; for security reasons, these items are emailed separately. Your first email, with the subject “AcceptSafe Gateway Deployment Step 1”, will contain your username and an activation link, and your second email, with the subject “AcceptSafe Gateway Deployment Step 2”, will contain your activation code.

1. Click on the activation link in the first email.
2. On the activation page, enter your username and activation code, then click the login button.
3. On the following page, create a password for your account according to the required specifications:
   • In the “Main Contact” field, enter your name
   • In the “Authorized Contacts” section, enter names of any other people that can speak on behalf of the account
   • In the “Secret Code” field, create and enter a PIN number for the account
   • In the “Password Recovery Question” field, create and enter a security question to be used to recover your password if it is lost
   • In the “Password Recovery Answer” field, enter the response to your Password Recovery Question
   When you call for support, the information you enter on this page will be used to verify ownership of the account. When all required fields are successfully completed, click the submit button.
4. Make a note of your username and MD5 Hash on the next page, and follow the instructions to integrate the gateway with your Homestead store. You will receive an email confirming that the gateway has been activated. If you receive an error when clicking the “Sign in to Homestead” button, you can simply bypass this step and log in to your Homestead site/store the way that you would normally.
5. After logging in, click the “Set up your merchant account” link.
6. Go to the Ecommerce section on the side menu.
7. Click the Enable button.
8. Enter your Username and MD5 Hash number from the activation process and hit the save button.

You can now run a test transaction on your store and log in to your gateway at https://gateway.acceptsafe.com/ using the Username and password you created during the activation process. To view the test transaction, look under batch reports after logging in to the gateway.
How to Locate MD5 Hash

The MD5 message-digest algorithm is a widely used cryptographic hash function that produces a 128-bit hash value. This value is needed to integrate the AcceptSafe gateway with Homestead’s SimpleStore.

1. To locate the MD5 Hash, visit https://gateway.acceptsafe.com/ and log in to your AcceptSafe gateway using your username and the password you created during the activation process. Note: If you cannot remember your password, click the “Lost Password” link.
2. Once you are logged in, click on the “Processing Settings” link on the left side of the page under the Configuration section.
3. On the next page, scroll to the bottom of the page and locate the MD5 Hash value.
4. You can now copy and paste this value and enter it into the field located in the Ecommerce section of your Homestead store along with your username.
Endurance Merchants
The AcceptSafe Gateway, powered by industry-leading Authorize.net, enables merchants to authorize, settle, and manage credit card and electronic check transactions via Web sites, retail stores, mail order/telephone order (MOTO) call centers, and mobile devices.

• Reputation You Can Trust – Merchants trust the AcceptSafe Gateway to manage their payment transactions securely and reliably.
• Easy to Integrate – With the AcceptSafe Gateway, online merchants can integrate easily into their business’s website.
• Free Customer Support – Customer satisfaction is our number one priority. That's why we provide free customer support via toll-free telephone, email, and online chat.
• Business Partnerships – We are dedicated to providing products and value-adding services and tools that help merchants minimize risk, reduce costs, and increase revenue.
Account Activation

Activating Your Account

Your gateway welcome e-mail includes a link for beginning the activation process. Clicking this link will take you to the Merchant Interface, a secure Web site that provides administrative access to your payment gateway account and its settings. This interface will become your most useful tool for managing and protecting your payment gateway account. Through the Merchant Interface you can view and search current and settled transactions, process transactions manually, and change security and account settings. In the event that you lose the account activation link, please contact merchant services for assistance.

The account activation process should be completed by the person who will have primary responsibility for the payment gateway account. During activation, this person will be established as an Account Owner. An Account Owner has access permissions to all of the Merchant Interface features and functionality and will be responsible for managing the users of the account. In addition, the Account Owner is responsible for properly configuring your payment gateway account processing and security settings.

Activation Step 1: Identity Verification

You will be asked to provide your Social Security Number or company’s Tax ID Number. The payment gateway will validate this value against the information provided when you signed up for your payment gateway account.
Activation Step 2: User Information

Next, you will be prompted to provide your user information, including your First Name, Last Name, Title, Phone Number, Extension, and E-mail Address. You will also be required to establish a Login ID, Password, and Secret Question and Answer for your individual user account.

IMPORTANT: These values safeguard access to your Merchant Interface account and payment gateway configuration and are extremely sensitive. Do NOT share them with anyone. Each subsequent user that is set up for your payment gateway account will be prompted to create their own Login ID, Password, and Secret Question and Answer.
Activation Step 3: Account Information

This step in the activation process prompts you to verify business and account owner information provided when you signed up for your payment gateway account. Be sure to verify that all of the information on this page is complete and accurate. If necessary, update any incorrect information and/or add any missing information you would like to include. When you have finished, click the “I verify the account information above is correct” check box, and click Submit.
Activation Step 4: Terms and Conditions

At this point, you will be prompted to accept the Payment Gateway Merchant Service Agreement. Carefully read the agreement, review the fees associated with your payment gateway services, and enter your Name and Social Security Number or Tax ID Number in the appropriate text fields to validate your acceptance of the terms and conditions. Click the check box indicating that you have the authority to accept the terms and conditions of the agreement on behalf of the merchant or company. Click “I Accept” or “I Decline” to accept or decline the Payment Gateway Merchant Service Agreement. If you choose to decline, your activation session will be terminated. If you would like to accept the Payment Gateway Merchant Service Agreement later, you will need to contact merchant services to reinitiate the account activation process.

Value-Adding Service Addendums

If you have signed up for any value-adding services in addition to your payment gateway account, the terms and conditions for these services accompany the Payment Gateway Merchant Service Agreement. At the bottom of the page, you may select the check boxes next to any value-adding service agreement addendums you would like to accept at the same time as the Payment Gateway Merchant Service Agreement. If you choose not to agree to these addendums at this time, you may leave the check box deselected to defer signing up for the service(s). To view service agreement addendums for value-adding services, click the hyperlinked name(s) of the service(s). Be sure to review addendums and fees for value-adding services carefully.
Activation Step 5: Billing Information

Next, provide the bank and credit card payment information that will be used for your account billing. Credit card information will only be used in the event that attempts to bill your bank account are unsuccessful. To finish the activation process, enter your name and title to verify that you are authorized to input billing information on behalf of your company and click Submit. Your account activation is now complete.
Mobile Processing

PayFox® Mobile card swipe is one of the newest technologies available in the secure electronic payments industry. AcceptSafe offers a mobile processing solution with PayFox®, an exciting application that can help grow your business. Like so many other functions today, processing credit card transactions from a mobile device or cell phone is as easy as downloading an app that puts the power to profit in the palm of your hand. PayFox works with iPhone® 3GS/4/4S/5, iPad®, and Android® and turns your device into a “terminal on the go” that can securely and efficiently process Visa®, MasterCard®, Discover®, and American Express® credit cards as well as signature debit cards.

Features and Benefits

• Faster transaction time
• Reduced Errors
• Improved Security
• Single-screen entry
• SSL Connection
• Instant Transaction Authorization
• Advanced fraud detection
• Address verification
• Support Gratuities Options
• Lower Card-Present Processing Rates
Trademarks are the property of their registered owners and are not necessarily associated with AcceptSafe
PayFox® Supported Android Devices

AT&T
Acer Iconia Tab A501 (A501) HTC Aria (LIBERTY) HTC Lele (HTCPH06130) HTC Nexus One (NEXUSONE) HTC One VX (HTCPM36100) HTC One X (HTCONEX) HTC Status (HTCSTATUS) HTC Vivid (HTCPH39100) Huawei Impulse 4G (HUAWEIU8800-51) LG Eclipse (LG-E970) LG Escape 4G (LG-P870) LG Nitro HD (LG-P930) LG Phoenix (LG-P505) LG Thrill 3D (LG-P925) LG Thrive (LG-P506) Motorola Atrix 2 (MB865) Motorola Atrix 3 (MB886) Motorola Bravo MB520 (MB520) Motorola FlipSide (MB508) Pantech Crossover (PANTECHP8000) Samsung Captivate (SAMSUNG-SGH-I897) Samsung Captivate Glide (SAMSUNG-SGH-I927) Samsung Galaxy Express (SAMSUNG-SGH-I437) Samsung Galaxy Note (SAMSUNG-SGH-I717) Samsung Galaxy Note II (SGH-I317) Samsung Galaxy Rugby Pro (SAMSUNG-SGH-I547) Samsung Galaxy S II (SAMSUNG-SGH-I777) Samsung Galaxy S III (SAMSUNG-SGH-I747) Samsung Galaxy S4 (SAMSUNG-SGH-I337) Samsung Galaxy Tab 8.9 (SGH-I957) Samsung Galaxy Tab 8.9 (SAMSUNG-SGH-I957) Samsung Rugby (SAMSUNG-SGH-I847) Samsung SkyRocket (SAMSUNG-SGH-I727) Sony Xperia T (LT30AT)
HTC EVO 3D (ISW12HT)
Minor Carriers / Other
LG Nexus 4 (NEXUS4) LG Optimus One (LG-P500) Motorola RAZR i (XT890) Samsung Galaxy Ace (GT-S5830) Samsung Galaxy SII LTE (SGH-I727R) Samsung Galaxy S III (GT-I9300)
HTC EVO 3D (PG86100) HTC EVO 4G (PC36100) HTC EVO 4G LTE (EVO) HTC EVO Shift 4G (PG06100) HTC EVO View 4G (PG41200) HTC Hero (HERO200) HTC One (HTCONE) Kyocera ECHO (M9300) Kyocera Torque (TORQUE) LG Optimus S (LS670) Motorola XPRT (MB612) Samsung Conquer 4G (SPH-D600) Samsung Epic (SPH-D700) Samsung Epic 4G (SPH-D700) Samsung Epic 4G Touch (SPH-D710) Samsung Galaxy Note II (SPH-L900) Samsung Galaxy S III (SPH-L710) Samsung Galaxy S 4 (SPH-L720) Samsung Galaxy Tab 7.0 (SPH-P100) Samsung Intercept (SPH-M910) Samsung Nexus S 4G (NEXUSS4G) Samsung Replenish (SPH-M580) Samsung Transform (SPH-M920) ZTE Fury (N850)
T-Mobile
Dell Streak 7 (DELLSTREAK7) HTC Desire Z (HTCVISION) HTC G2 (T-MOBILEG2) HTC ONE X+ (HTCPM63100) HTC One S (HTCVLE_U) HTC Sensation (HTCSENSATION) HTC Sensation 4G (HTCSENSATION4G) HTC myTouch 3G Slide (T-MOBILEMYTOUCH3GSLIDE) HTC myTouch 4G (HTCGLACIER) HTC myTouch 4G Slide (MYTOUCH_4G_SLIDE) Huawei SpringBoard (SPRINGBOARD)
LG myTouch (LG-E739) LG Optimus L9 (LG-P769) Samsung Exhibit 4G (SGH-T759) Samsung Exhibit II 4G (SGH-T679) Samsung Galaxy Note II (SGH-T889) Samsung Galaxy S 4G (SGH-T959V) Samsung Galaxy S Blaze 4G (SGH-T769) Samsung Galaxy S II (SGH-T989) Samsung Galaxy S III (SGH-T999) Samsung Galaxy Tab 10.1 (SGH-T859) Samsung Galaxy Tab 7.0 Plus (SGH-T869) Samsung Nexus S (NEXUSS) Samsung Sidekick 4G (SGH-T839) Samsung Vibrant (SGH-T959) T-Mobile myTouch Q 4G (T-MOBILEMYTOUCHQ)
Samsung Galaxy Note (SGH-I717D)
US Cellular
HTC Merge (ADR6325) HTC One V (HTCONEV) Motorola Electrify M (XT901) Samsung Galaxy Note II (SCH-R950) Samsung Galaxy S III (SCH-R530U)
Verizon
HTC Droid DNA (HTC6435LVW) HTC Droid Eris (ERIS) HTC Droid Incredible 4G (ADR6410LVW) HTC Incredible (ADR6300) HTC Incredible 2 (ADR6350) HTC Merge (ADR6325) HTC Rezound (ADR6425LVW) HTC Rhyme (ADR6330VW) LG Ally (ALLY) LG Enlighten (LG-VS700) LG Spectrum 2 (VS9304G) LG Vortex (VORTEX) Motorola Droid (DROID) Motorola Droid 2 (DROID2) Motorola Droid 2 Global (DROID2GLOBAL) Motorola Droid 3 (DROID3) Motorola Droid 4 (DROID4) Motorola Droid Bionic (DROIDBIONIC)
Motorola Droid Pro (DROIDPRO) Motorola Droid RAZR (DROIDRAZR) Motorola Droid RAZR HD (DROIDRAZRHD) Motorola Droid RAZR M (XT907) Motorola Droid RAZR MAXX (DROIDRAZR) Motorola Droid X (DROIDX) Motorola Droid X2 (DROIDX2) Motorola Droid XYBoard 10.1 (MZ617) Motorola Milestone (MILESTONE) Motorola Xoom Tab (XOOM) Samsung Continuum (SCH-I400) Samsung Droid Charge 4G (SCH-I510) Samsung Fascinate (SCH-I500) Samsung Galaxy Nexus (GALAXYNEXUS) Samsung Galaxy S III (SCH-I535) Samsung Galaxy Tab 2 10.1 (SCH-I915) Samsung Galaxy Tab 10.1 (SCH-I905) Samsung Galaxy Tab 7.0 (SCH-I800) Samsung Galaxy Tab 7.7 (SCH-I815) Samsung Illusion (SCH-I110) Samsung Stratosphere (SCH-I405)

WiFi
ASUS Eee Pad Transformer Prime TF201 (TRANSFORMERPRIMETF201) ASUS Eee Pad Transformer TF101 (TRANSFORMERTF101) ASUS Tough (ETBW11AA) ASUS Transformer Pad Infinity (ASUSTRANSFORMERPADTF700T) Huawei MediaPad (HUAWEIMEDIAPAD) Lenovo ThinkPad Tablet (THINKPADTABLET) Samsung Galaxy Note 10.1 (GT-N8000) Samsung Galaxy Tab 10.1 (GT-P7510) Samsung Galaxy Tab 2 10.1 (GT-P5113) Samsung Galaxy Tab 2 7.0 (GT-P3113) Samsung Galaxy Tab 2 7.0 (GT-P3110) Samsung Galaxy Tab 8.9 (GT-P7310) Toshiba Excite (AT300)
General Merchant Information
Merchant Statements

As a dedicated AcceptSafe merchant, you will have the benefit of receiving detailed monthly statements for your account.

A – Merchant-specific account details
B – Merchant name and address information
C – Total amount due, to be deducted on the 10th of the month
D – Summary of processing by card type
E – Breakdown of the transaction batch deposits by day
F – Breakdown of fees to be deducted from account
G – Total of all discount and miscellaneous fees that will be deducted
IRS Regulations

New IRS Regulations and How They May Impact You

IRS Section 6050W went into effect at the beginning of 2011 and significantly impacts the payment card industry. Under this mandate, all payment settlement entities — including merchant services providers — are required to report their merchants’ annual gross credit, debit and third-party network payment card transactions to the IRS on Form 1099-K. We will send you a copy of this form on or before January 31 for all activity in the previous year, and will also send it to the IRS to comply with the mandate.

What this means for merchants

In order to comply with the mandate, we will need to have up-to-date records of your legal business name, address and taxpayer identification number (TIN). This information must match your filed tax forms in order to be valid. Please keep in mind that merchants who fail to provide their taxpayer ID number could be subject to a backup withholding equal to 28% of their gross payment card transactions.

As a merchant services provider, we are responsible for complying with IRS Section 6050W. We have taken several steps to make it easy and convenient for you to understand the mandate and how it impacts you. For example:

• We have assembled a team of professionals with expertise in tax regulations to ensure that necessary steps are taken by Merchant Services to comply with the mandate
• We submit merchant information to the IRS via its secure electronic service
If we do not have your current information on file, we will contact you with instructions on how you can provide it to us. If you have additional questions regarding this new regulation and how it may impact you and your business, please seek advice from your own tax professional.
PCI Compliance

Are you PCI compliant? Your answer could mean the difference between business success and business disaster. The number of data security breaches has dramatically increased in the past few years – and every business is at risk. To try to minimize the threat, the payment card industry is taking action.

• About 85 percent of data security breaches occur in Level 4 businesses with fewer than 20,000 card transactions annually
• Some businesses that experience breaches can be fined up to $500,000

The Bottom Line: All merchants that accept, process, transmit or store payment card information must now be PCI compliant. That means following a series of steps designed to minimize risk. And additional breach coverage may be purchased if you wish to more fully protect your business, in the event a breach occurs even after you are PCI compliant. Become compliant and help protect your business and your customers from dangerous data breaches – non-compliance could ruin your finances and your reputation.

Becoming – and Staying – PCI Compliant

AcceptSafe, together with TransFirst, has aligned with ControlScan, a leading provider of compliance services, to help you bring merchants’ businesses into compliance. Merchants can contact their merchant services representative or visit www.compliance101.com/PCI to learn more about compliance, fill out a Self-Assessment Questionnaire, complete a vulnerability scan (for some merchants) and find out if they’re compliant or need to make some changes.
PCI Compliance FAQ

PCI Data Security Standards and Compliance

The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements established to ensure that all merchants who process, store or transmit credit card information maintain a secure transaction environment. Importantly, PCI DSS compliance protects both the merchants and their customers. The PCI DSS is administered by the independent Payment Card Industry Security Standards Council, or PCI SSC, which was created by the five major payment card brands — Visa, MasterCard, American Express, Discover and JCB International. The cards covered include any debit, credit or pre-paid cards branded with the association or brand logos of those five participants.
What are the PCI compliance levels and how are they determined? There are four PCI compliance levels and their compliance requirements vary. Merchants are assigned to a level based on their combined transaction volume — including credit, debit and prepaid cards — over a 12-month period. The four levels (from fewest to most transactions) and their requirements are:

• Level 4: Small businesses that process less than 20,000 eCommerce transactions and less than 1 million other transactions annually. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans, administered by an approved scanning vendor, may also be required.
• Level 3: Mid-sized companies — those with between 20,000 and 1 million transactions annually — fall into this level. Level 3 companies are required to complete an annual risk assessment using the appropriate SAQ. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.
• Level 2: Level 2 companies conduct between 1 million and 6 million transactions yearly. These companies are required to undergo a risk assessment every year, using the appropriate SAQ. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.
• Level 1: “Big box” stores and major corporations are Level 1 companies, which are defined as having a minimum of 6 million transactions per year. In addition to an annual internal audit conducted by a qualified PCI auditor, Level 1 companies may also be required to undergo quarterly PCI scans administered by an approved scanning vendor.
What are the penalties for noncompliance? Your merchant account agreement should outline your specific exposure if you are noncompliant, so check it to make sure you understand your position. Generally speaking, penalties for noncompliance are numerous and both direct and indirect. First, issuing banks and credit card processors can be fined up to $500,000 for regulatory compliance violations; typically, these fines are passed along to individual merchants in the form of increased transaction fees. In addition to fines, noncompliant businesses that suffer a breach in security face card replacement costs, expensive forensic audits and damage to their reputation. Additionally, a noncompliant merchant may lose his or her merchant account and languish in the Terminated Merchant File for several years, during which time they cannot accept credit cards. This final blow usually causes massive, often insurmountable, damage to the merchant’s credibility, customer loyalty and business.
Must organizations that use a service provider be compliant? Absolutely! As defined by Payment Card Industry (PCI) guidelines, a service provider is a third party that stores, processes or transmits cardholder data on behalf of another entity. While using a service provider may reduce a merchant’s risk of exposure and the effort needed to validate compliance, it does not exclude that merchant from PCI compliance. Compliance equates with security, and therefore should always be a top priority for any business.
Do debit card transactions fall under the scope of PCI compliance? Yes, debit cards — along with credit and prepaid cards — that are branded with a logo of one of the five members in PCI SSC are in scope for PCI compliance. The five members are Visa, MasterCard, Discover, American Express and JCB International.
How is “merchant” defined? Simply put — and for the purposes of PCI DSS — a merchant is an entity that accepts payment cards (credit, debit or prepaid) with the logo of any of the five members of PCI SSC as payment for goods and/or services. Under the terms of PCI compliance, a merchant is charged with securely storing, processing and transmitting cardholder data.
How is “cardholder data” defined? Cardholder data is the personally identifiable data associated with a cardholder — his or her name and address, account number and expiration date, card verification value (CVV) code, personal identification number (PIN) and Social Security number. This information is embedded in the magnetic stripe on the backs of credit and debit cards or appears on the card itself. If it is made vulnerable by a noncompliant merchant, fraud may occur. The current mandates of the Payment Card Industry Data Security Standards state that merchant software should never store any of this information permanently.
Do I need vulnerability scanning to validate my compliance? Businesses that electronically store cardholder data post authorization or have processing systems connected to the Internet may be required to have a PCI SSC Approved Scanning Vendor (ASV) perform a quarterly scan.
What is a network security scan? A network security scan is performed by an Approved Scanning Vendor (ASV) using an automated tool to remotely and non-intrusively check a merchant or service provider’s networks and web applications for vulnerabilities in operating systems, services and devices that hackers could use to target the company. Merchants with external-facing Internet protocol (IP) addresses may be required to pass quarterly scans to validate their PCI compliance.
How often should a security scan be performed? A security scan should be performed quarterly (every 90 days) by a PCI SSC Approved Scanning Vendor (ASV). Service providers and merchants should submit their successful scan reports according to the timetable established by their acquirer.
I run a very small business. Am I really at serious risk of being hacked? Unfortunately, yes. In fact, hackers will often target small and home-based users precisely because they are less likely to take protection seriously. Open broadband connections, Internet games, chat and file sharing applications all make the average home user more vulnerable to attack from the outside. Regular security scans of desktop and laptop computers can identify and fix loopholes, stopping fraudsters in their tracks.
What if a merchant refuses to cooperate with PCI compliance? There is no law requiring PCI DSS compliance. It is a standard created by the major card brands that comprise the Payment Card Industry Security Standards Council (PCI SSC). However, merchants who do not comply with PCI DSS and suffer a breach event may be subject to fines, card replacement costs, costly forensic audits and damage to their brand and reputation. PCI compliance doesn’t cost a lot or require a lot of effort from a merchant, and the benefits are priceless — security and peace of mind.
How do I login to begin my Self-Assessment Questionnaire? When you arrive at the login screen, you will be prompted to enter your username and password. Use your current merchant number as your username; you will find it in the top right-hand corner of your monthly statement. Your password for your first login is compliance101; you will be prompted to change the password after your first login.
I have already begun the process of PCI compliance. Do I need to let you know? If you have completed or are in the process of determining your business’s PCI compliance, you will need to let us know. Please contact your merchant services representative and ask him/her to fax or e-mail you a Merchant PCI Verification Questionnaire. Fill out this form and fax it back to us at 303.482.0347. Once your PCI compliance status is confirmed, you will receive notification of any necessary credits to your account.
eCommerce Success Tips

AcceptSafe’s Top 10 Tips to eCommerce Success

1. Have complete knowledge of your business plan. Identify all of your potential revenue sources and set milestones for yourself. Secure backup plans for what to do when it’s time to expand your business and add additional sources of revenue, or what to do if your company hits turbulent times.
2. Know your customers. Once you understand your target market’s wants and needs, you can increase revenue by creating a selling platform that meets their demand.
3. Create an online store that stands out. Increase your brand recall by offering a user-friendly, easy-to-navigate shopping area that attractively displays your products. Highlight your best selling items and show clear, flattering product images.
4. Be unforgettable. Build a strong customer base and stay in touch with them through email promotions, social media, and newsletters.
5. Increase your web presence. Perform a search engine optimization (SEO) analysis for your site and utilize internet marketing to make your brand more visible. Associate yourself with websites and brands that complement your products and services.
6. Offer great customer service. It takes more effort to attract new customers than it does to keep the ones you already have. So make them happy! Provide top notch assistance to them with a positive attitude and tell them how grateful you are to have them as your customer.
7. Surprise your customers. Switch up your business offerings with enough frequency to give them a reason to keep coming back. Add incentives, promotions, limited time offers, and gifts for your most valued customers.
8. Suggest items your customer may like. Utilize your knowledge of your customers’ likes as upsell and cross sell opportunities. This can be done through personalized emails, upgrade options at checkout, or discounts for adding complementary products.
9. Offer free shipping. Promote limited time offers on your website that provide free shipping with orders that meet a certain minimum. This will entice customers to enlarge their orders, in turn spending more money.
10. Be open to feedback. Encourage your customers to voice their opinions of their shopping experience with your company. Social media is a great way to find out what’s working and what’s not – straight from your customers. Use the feedback constructively to fix what’s not quite working and enhance the features that are the most favored.
Data Security

Protect your good reputation and keep your customers happy

With the explosive growth of identity theft, data security has become more than just important – it’s mandatory. Visa, MasterCard, and Discover Network Operating Regulations now require merchants to store cardholder account information in a secure manner to prevent it from being accessible to criminals. Identity theft is a topic about which most consumers are well-informed. They know it can be devastating to their credit. Media reports about hackers and stolen credit card information have consumers on high alert. They want assurance that their card information is safe with businesses they choose to shop at.
In the “brick and mortar” world

If you need to check a cardholder’s identification, you shouldn’t write down any information such as a driver's license number or Social Security number. This type of data could be used to commit identity theft. Unless directed to do so by the voice authorization center, there is no need to check a customer’s ID as long as the card is signed.

The CARDHOLDER copy of your electronic sales receipts should only display the last four digits of the account number. Visa and MasterCard Operating Regulations mandate that all but the last four digits of the cardholder account number, and the entire expiration date, be suppressed on the cardholder copy of all transaction receipts generated from electronic terminals. Please contact us if you need your software or equipment updated or upgraded to comply with these regulations.

Keep the MERCHANT copy of your receipts in a secure location, and limit their access to select members of your organization. Merchant copies will still display the full card account number in many cases, plus the card expiration date and the cardholder’s signature. Information of this nature cannot be allowed to fall into the wrong hands!
Identity theft can be an “inside crime”

Employees who will have access to sensitive cardholder data should be carefully screened before they are hired and periodically thereafter. Unauthorized electronic equipment – such as laptop computers – that can be used to steal or replicate account information should not be allowed in the workplace.

Protected cardholder data can lead to higher profits and greater customer loyalty!
Preventing Fraud & Chargebacks

Preventing Fraud and Avoiding Chargebacks

Bankcard processing has the potential to help you increase your revenue stream as well as offer more convenience to your customers. To ensure that your bankcard processing transactions go as smoothly as possible, we’ve included some tips on avoiding chargebacks and fraudulent and/or criminal activity. For your own protection, please read the following pages thoroughly and keep this manual handy for future reference and training.

Recognizing Fraudulent Behavior when Conducting Business Face to Face with Your Customer

Certain customer behavior could point to bankcard fraud, but remember, it does not necessarily indicate criminal activity. In particular, watch for customers who:

• Purchase several of the same items or purchase very expensive items and do not ask any questions about the items.
• Purchase a lot of merchandise without regard to size, color, or price.
• Try to distract or rush you during the sale.
• Make purchases, leave the store, and return to make additional purchases.
• Make purchases right at opening or at the last minute when the store is closing.
Recognizing Fraudulent Behavior when Conducting Business via Telephone Orders, Mail Orders or Over the Internet with Your Customer

Because the credit card and cardholder are not present, you, the merchant, often take the loss from a bad transaction. There are people who intend to obtain products and services by deceptive practices. By using lost or stolen cards, or card numbers generated by fraud schemes, they order goods and have them shipped to an address to be picked up by themselves or someone they call a “runner.” When the charge appears on the true cardholder’s statement, the cardholder will request a copy of the draft or the transaction will be charged back right away. If this is an order made over the telephone, through the mail or via the Internet, these chargebacks are very hard to fight because there is no imprint or signature.
There are characteristics that may indicate that the transaction may not be legitimate. Individually, these characteristics are seldom cause for alarm; rather, it is when several of these factors characterize a transaction that there may be a problem. In particular, watch for customers who:

• Place orders that are larger than normal when you are not familiar with the customer.
• Purchase several of the same item or very expensive items.
• Want orders shipped “rush” or “overnight.”
• Have orders shipped to an international address, as they cannot be verified by an Address Verification Service and are very risky unless you know your customer very well.
• Have orders shipped to the same address that were purchased on different cards.
• Place orders from Internet addresses using free e-mail services.
• Charge transactions to account numbers that are sequential.
• Provide multiple card numbers from a single Internet address.
• Charge multiple transactions to one card over a very short period of time.
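The rule of thumb above (one indicator is seldom cause for alarm, several together are) can be turned into an order-screening check. The following is an added example, not part of this kit or of the AcceptSafe gateway; the field names, the free e-mail domain list, the ten-minute window, the large-order amount and the review threshold are all assumptions, and the orders are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; the kit gives no numbers for any of these.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
WINDOW = timedelta(minutes=10)   # "a very short period of time"
LARGE_ORDER = 500.00             # "larger than normal" for this shop
REVIEW_AT = 3                    # "several" indicators -> hold for manual review

def indicators(orders):
    """Map each order id to the list of indicators from the list above it matches."""
    cards_by_ip, cards_by_ship = defaultdict(set), defaultdict(set)
    times_by_card = defaultdict(list)
    for o in orders:
        cards_by_ip[o["ip"]].add(o["card"])
        cards_by_ship[o["ship_to"]].add(o["card"])
        times_by_card[o["card"]].append(o["time"])
    accounts = {int(o["card"][:-1]) for o in orders}  # trailing check digit dropped
    result = {}
    for o in orders:
        acct = int(o["card"][:-1])
        near = [t for t in times_by_card[o["card"]] if abs(t - o["time"]) <= WINDOW]
        checks = [
            (o["amount"] > LARGE_ORDER and not o["known_customer"],
             "large order, unfamiliar customer"),
            (o["rush"], "rush shipping"),
            (o["ship_country"] != "US", "international address, AVS cannot verify"),
            (o["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL, "free e-mail service"),
            (len(cards_by_ship[o["ship_to"]]) > 1, "different cards, same shipping address"),
            (len(cards_by_ip[o["ip"]]) > 1, "multiple cards from one Internet address"),
            (acct - 1 in accounts or acct + 1 in accounts, "sequential account numbers"),
            (len(near) > 1, "repeated charges to one card in a short period"),
        ]
        result[o["id"]] = [label for hit, label in checks if hit]
    return result

def needs_review(orders):
    """Ids of orders where several indicators coincide."""
    return sorted(i for i, f in indicators(orders).items() if len(f) >= REVIEW_AT)

def order(oid, card, ip, ship_to, minute, **kw):
    base = dict(id=oid, card=card, ip=ip, ship_to=ship_to, amount=40.0, rush=False,
                time=datetime(2024, 1, 5, 9, minute), ship_country="US",
                email="buyer@customer.example", known_customer=True)
    return {**base, **kw}

# Constructed sample orders; the card numbers are made up, not real accounts.
SAMPLE = [
    order("A1", "4000000000000010", "198.51.100.7", "12 Oak St", 0),
    order("B1", "4000000000012340", "203.0.113.9", "PO Box 77", 5, rush=True,
          email="x1@gmail.com", amount=900.0, known_customer=False),
    order("B2", "4000000000012350", "203.0.113.9", "PO Box 77", 7, rush=True,
          email="x2@gmail.com"),
    order("C1", "4000000000099990", "192.0.2.44", "5 Elm Rd", 30, rush=True),
    order("C2", "4000000000099990", "192.0.2.44", "5 Elm Rd", 32),
]
if __name__ == "__main__":
    print(needs_review(SAMPLE))
```

Orders C1 and C2 each match only one or two indicators and are not held; B1 and B2 match five or more and are.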
Avoiding Chargebacks and Dealing with Retrieval Requests

A chargeback is the reversal of a sales transaction previously processed by your business. Your customer or your customer’s bank can initiate a chargeback and the amount of the transaction is deducted from your account. Whether it is for tax purposes, fraud or any variety of reasons, if you receive a “retrieval request” from a cardholder or the cardholder’s bank requesting a copy of a sales draft or mail order form, DO NOT ignore these requests. Failure to comply promptly could result in a nonrecourse chargeback. There are some basic steps you can take to prevent some of the most common errors that may result in unnecessary chargebacks:

Receipts and Documentation

• Change printer cartridge routinely to avoid faded, barely visible ink on sales drafts. Card Networks state this is the #1 cause of illegible sales draft copies.
• Check readability of all sales drafts daily.
• Position company logo or marketing messages away from the transaction information, as these can make imaged sales draft copies illegible.
• Always use white non-patterned paper for transaction information, since colored or patterned paper can render an imaged document illegible.
• Always provide documentation in original-size format. Reduced images result in illegible/blurred documents.
• Handle carbonless paper and carbon/silver-backed paper carefully, as excessive heat or any pressure during the handling/storage process causes black blotches, making copies illegible.
• Change printer paper when colored streak indicates the end of the roll. The streak diminishes the legibility of transaction information.
• Return policies must be disclosed on the sales draft in close proximity to the customer signature.
• Save all sales drafts for 18 months and store the sales draft in a secure place by credit card number and approximate transaction date only (not by cardholder name). We will not be able to give you the customer’s name, because cardholder names are not provided to us.
What You Can Do to Help Prevent Fraud and Chargebacks when Conducting Business Face-to-Face

The following tips are intended to help keep you from being the victim of fraud and will help you avoid chargebacks when conducting in-store transactions.

• Never accept an expired credit card.
• Always inspect the card. Keep the card throughout the transaction. Never accept a card that appears to have been altered.
• Whenever possible, obtain a swipe of the card through the terminal and verify that the card number on the terminal matches the card number on the card.
• When the card will not swipe and you must manually key in the card number to your terminal, you MUST also get an imprint of the card using an imprinter with your merchant plate and have the customer sign the imprinted sales draft. In addition, if you are handwriting a sales draft, you need to fill out the draft completely with the transaction date and items purchased.
• Compare the name printed on the electronic sales receipt to the name embossed on the card.
• The embossing on the card should be clear and straight and the hologram should be smooth with the card and three-dimensional. Make sure the signature panel has not been tampered with.
• Compare the signature on the sales draft and the back of the card. The card must be signed. If the card is not signed, have the customer sign the card in front of you, and then check the signature on a picture ID. If the signature on the back of the card does not match the signature on the sales draft, do not continue with the sale.
• Use account number–verifying terminals or visually compare the last four digits of the embossed account number to the four digits printed on the sales receipt to determine they are the same numbers in the same sequence. Also compare the four digits printed on the card with the first four numbers embossed on the card. The first four numbers should always match. If they do not, do not complete the transaction and notify the authorization center.
• Obtain an authorization for the full amount of the sale (hotels may authorize within 15% of the total).
• If you receive a “call center” or “pick up card” message through your terminal, call the authorization center and follow their instructions.
• If you receive a “do not honor” or “decline” message through your terminal, do not proceed with the transaction. DO NOT try again for an authorization; there is no protection for a transaction after you have received a “decline” or “do not honor” message, even if you receive an approval code on a second attempt.
If you are suspicious of a sale, ask for a Code 10 authorization. A separate phone call to your authorization center asking for a Code 10 authorization lets the center know you have concerns about a transaction. A Code 10 is a universal code that provides merchants with a way to alert the authorization center that a suspicious transaction is occurring. The Code 10 operator asks a series of questions that can be answered with yes or no responses; just follow the operator’s instructions, and NEVER put your life in danger.

REMINDER: Although an authorization code is required on all transactions, it does not guarantee that it is a valid sale made by the legitimate cardholder! An authorization code means that the account is open and has the available credit at that time, but it is not a guarantee of payment.

What You Can Do to Help Prevent Fraud and Chargebacks when Conducting Business via Telephone Orders, Mail Orders or Over the Internet

The following tips are intended to help keep you from being the victim of fraud and will help you avoid chargebacks when conducting Card-Not-Present business. However, Merchant Services is not always able to prevent chargebacks affiliated with doing business in mail, phone or e-commerce environments.

The following information is required on EVERY mail, phone or e-commerce invoice and sales draft:

• The cardholder’s credit card number and the expiration date.
• The name that appears on the front of the credit card.
• The cardholder’s billing address and phone number.
• Description of merchandise and/or services rendered.

Additionally, the following steps should be taken for every transaction:

• Use an Address Verification Service (AVS) during authorization to verify the cardholder’s billing address. Address Verification compares the shipping address given to the merchant with the customer’s billing address on file with their issuing bank. If the addresses do not match, do not ship the merchandise. You are putting yourself at risk of taking a loss.
• To verify the card's authenticity, ask for the CVV2 code on the back of the card if it is a Visa, the CVC2 code if it is a MasterCard, or the CID code if it is a Discover Network card. This information is frequently missing on fraudulent payment cards, and it would be unavailable in the case of compromised card numbers or generated account number schemes. This three-digit number is found on the back of the card on the signature panel after the card number. While this code does not provide protection against fraud, it does allow the merchant an additional level of security in processing the transaction.
• Ask the customer for additional information. For example, ask for a day and evening phone number, and call the customer back later. Ask for the bank name on the front of the card, and the bank’s customer service number from the back of the card.
• Separately confirm the order with the customer. If you do not use an AVS, send a note via the billing address, rather than the “ship to” address, before shipping the order.
• When you ship the merchandise, ship only to the cardholder’s billing address; NEVER ship to any other address that the customer may request. You may want a certified signature as proof that the merchandise was delivered.
• Merchants who ship merchandise outside the United States have a greater risk of credit card fraud because the AVS service will only verify addresses within the United States.
• Ask Merchant Services to include your customer service telephone number in the billing name that appears on your customer’s credit card statement. This allows your customers the ability to contact you directly if they have questions regarding the sale.
• Provide cardholder name and merchant contact details in the sales transaction data.
• Clearly link credits and refunds you have issued with the original sale information.
• Include invoice number and settlement information.
If you have a VERY unusual mail, phone or Internet transaction to be shipped, and are uneasy about the transaction, you can call Merchant Services Support. We will try to assist you in verifying the transaction with the issuing bank BEFORE you ship the merchandise.
Now that you’ve read these helpful tips, we recommend reading them again and having any company employees who will be handling bankcard transactions study them carefully as well. Following these precautions can help to greatly reduce chargebacks and lower your risk of fraudulent charges. If you have questions regarding this information, please contact Merchant Services Support.
Frequently Asked Questions

How long will it take to receive funds to my account once a transaction is processed?
Typically this takes between 24 – 48 business hours.

I cannot locate my Transaction Key and API Login ID. What do I do?
Please visit https://account.authorize.net/, click on the Account tab, and you will see this information in the body of that page.

What is “interchange” and how does it affect my fees?
Interchange is the largest portion of your Discount Rate. Interchange is the fee charged by the card issuer to reimburse them for the expense of processing the transaction through their settlement systems. Visa, MasterCard, and Discover Network have more than 100 different interchange pricing levels. The qualification requirements for each level vary depending on the card type (consumer, business, purchasing, international, rewards, etc.), the merchant type (retail, hospitality, fuel, etc.) and how the card was presented and processed by the merchant (swiped, key entered, Internet, etc.).

Discount Rate

For retail merchants, the Discount Rate charged on your merchant statement assumes that qualification requirements are met. The requirements include:

• The credit card is swiped for authorization.
• The cardholder signs the receipt.
• The transaction is batched out (settled) within 24 hours.
• The authorization amount and settlement amount are equal.
• The credit card is a consumer card without a reward program.
A consumer card has the cardholder's name instead of a business name, does not have “purchasing” or “business” on the front, and is associated with an individual instead of a company. When a card does not meet the requirements of the Discount Rate criteria, it is processed at higher interchange fees. These fees are captured in a line item on your statement that may be labeled in several ways, including “Non-Qualified”.
Non-Qualified Transaction Fees: Transactions that fail to meet the Discount Rate requirements may be settled at a Non-Qualified rate. This “downgrade” in qualifications can be caused by any combination of reasons. Merchants that have a portion of their transactions qualifying as Non-Qualified should make sure that they are:

• Swiping cards instead of hand-keying in the card number.
• Entering AVS (address information) for the billing address.
• Settling (closing) the batch in a timely manner, usually within 24 hours.
• Not over-settling transactions. Over-settling means that a merchant obtains an authorization for $5.00 and settles the transaction for $10.00. This practice is most common with mail order merchants that charge shipping “after the fact.” These merchants should re-authorize the card for the appropriate amount.
• Entering invoice numbers when prompted.
• Entering tax amount and customer code when prompted.
When will I receive the money from the batch deposits made through my point of sale unit?
Funding generally occurs anywhere from two to five business days from the time of the batch deposit. The actual number of days depends upon the setup of your account.

What information is required when I call Merchant Support for service?
You should have your Merchant ID number readily available to expedite your service. If this is not available, you should be prepared to answer questions specific to your account establishment for security purposes.
Merchant Information Resources

Homestead Merchants
Assistance with Activation: 800-710-1998

Ecommerce Merchants
Assistance with Activation: 877-447-3938

Mobile Merchants
Assistance with Activation: 800-654-9256

Assistance with Activation: 800-654-9256

General Contact Information
www.acceptsafe.com
Phone: 888-259-3737
Support: email@example.com
Sales: firstname.lastname@example.org

American Express
800-528-2121

For card decals and other promotional items, visit:
Visa: www.visafulfillment.com
MasterCard: http://www.mastercard.us/merchants/support/signage-artwork.html
Discover: http://www.discovernetwork.com/merchants/signage-logos/