Operating Guide

First Data is a trading name of First Data Europe Limited, a private limited company incorporated in England (company number 02012925) with a registered address at Janus
House, Endeavour Drive, Basildon, Essex, SS14 3WF. First Data Europe Limited is authorised by the UK Financial Conduct Authority under the Payment Service Regulations
2009 for the provision of payment services (FCA register No. 582703).

First Data Europe Limited has appointed FDR Limited as payment and collection agent for the services provided under your Merchant Agreement. FDR Limited is a company
incorporated in the State of Delaware, United States, under registration number 22692 35, registered in England as a branch of an overseas company with limited liability
(company number FC015955) and branch number BR001147, whose registered office in the United Kingdom is at Janus House JH/1/D, Endeavour Drive, Basildon, Essex,
SS143WF.

© 2017 First Data Corporation. All Rights Reserved. All trademarks, service marks, and trade names referenced in this material are the property of their respective owners.
CONTENTS
1. INTRODUCTION Split Sales and Transactions
Basic Rules Terminal Fallback
Record Keeping
Banking Procedures 10. CHARGEBACKS
Common Causes of Chargebacks
2. BEFORE YOU ACCEPT CARD PAYMENTS Retrieval Request
Payment Card Recognition Chargeback Reversal Procedure
How to verify the Card?
Commercial Cards 11. OTHER SERVICES
How to Guard Against Fraud Vehicle Rental Services
Hotels, Lodging, Accommodation
3. ACCEPTING CARD PRESENT CARD Dynamic Currency Conversion (DCC)
TRANSACTIONS
Multicurrency & Cross-Border Transaction
Chip and PIN Enabled Cards Acceptance
Contactless Transactions Payment of Debt
Chip and Signature Cards
12. PAYMENT CARD INDUSTRY DATA
SECURITY STANDARD (PCI DSS)
4. ACCEPTING CARD NOT PRESENT CARD
TRANSACTIONS (CNP) Becoming PCI Compliant

Card Security Code (CSC) Implications of Not Complying with PCI DSS

Address Verification Service (AVS) Third Party Obligations

Authorisation Responses Secure Data Storage

Ecommerce Transactions Demonstrating Compliance with PCI DSS

5. AUTHORISATION, PRE-AUTHORISATION 13. KEEPING YOUR POINT OF SALE (POS)

AND REFERRALS DEVICE SAFE

Pre-authorisations Positioning your POS device

Referrals
Code 10 Calls for Card Present 14. QUALIFYING/NON QUALIFYING
TRANSACTIONS

6. PURCHASES WITH CASHBACK

15. VOICING YOUR CONCERNS
7. REFUNDS

16. USEFUL CONTACT INFORMATION

8. PAPER VOUCHERS
Completing a Sales/Refund Voucher
17. CHANGES TO YOUR BUSINESS
Preparing/Submitting Vouchers for Submission

9. EXCEPTIONAL PROCEDURES
Can I Pass Charges to my Customer?

2
1. Introduction
Thank you for choosing First Data. This guide forms a part of your Merchant Agreement and contains the procedures
that need to be followed regarding Card acceptance. Please remember that all businesses that accept payment by
credit and Debit Cards must follow the procedures set out by the Card Schemes, First Data as your Acquirer and the
Payment Card Industry Data Security Standard (PCI DSS). These standards exist to protect you and your
customers. It is important to follow some basic procedures that are strictly enforced by the Card Schemes.

Basic Rules
You Must
 Clearly display Card acceptance logos for your customers to see e.g. Visa, Mastercard and Diners
 Only accept the Card types that you are entitled to take as specified in your Merchant Agreement
 Ensure surcharges added to Card payments are displayed to the Cardholder and be part of the transaction
amount i.e. cannot be charged separately
 Include any taxes in the amount charged on Card Transactions
 Provide a Sales Receipt for the Cardholder to confirm the amount debited from their Payment Card
 Validate your compliance with the PCI DSS (see Section 12)
 Never process any transactions for goods and services that do not directly relate to your Business as
specified in your Merchant Agreement
 Notify us of any changes to your Business (see Section 17)
 Retain a copy of all sale and Refund Receipts for 18 months

You Must Not

 Indicate that any Card Scheme endorses your goods and services
 Submit a Card Transaction that has been previously subject to a Chargeback
 Accept Card Transactions on behalf of third parties
 Manually key a Payment Card Transaction into a Point of Sale Terminal when the Card details have been
provided via an internet shopping cart
 Process Card Transactions without the Cardholder‟s permission if they are not present at that time
 Process Ecommerce transactions unless as specified in your Merchant Agreement
 Leave your Terminal unattended e.g. where fraudsters could have easy access
 Store sensitive Card data (see Section 2)

Record Keeping
 A Card Transaction is only completed on the final delivery of goods or services
 Sale and Refund Receipts should be stored in a secure area in accordance with the PCI DSS (see Section
12)
 Store only the portion of the customer‟s account information that is essential i.e. name, account number and
expiry date
 You must not store the following under any circumstances:
o Full contents of any data from the magnetic stripe or chip
o Card Security Code (CSC) – the three digits printed on the signature panel of the Card
o If requested by us please supply all Sale and Refund Receipts within fourteen (14) Business Days

3
Banking Procedures
Please follow the end of day banking procedures detailed in your Terminal User Guide to ensure you receive
payment for all transactions. It is essential that all transactions are submitted for payment within two (2) working days
of being accepted.

Please note that if a transaction is submitted after 2 working days, the Card Issuer may reject the transaction,
resulting in it being charged back.

2. Before You Accept Card Payments

Your Merchant Agreement with First Data states the Card types you are allowed to accept. It is important that you
and your staff understand how to recognise different Card types to reduce fraud risk. If after checking the Card you
are suspicious of the Card, please call our Authorisation centre requesting a Code 10 Authorisation (see Section 5).

Payment Card Recognition

As the majority of the Cards are processed as PIN verified or contactless, you will not have the sight of the Card. If
signature verification is required, then you will need to ensure the signature on the back of the Card matches the
signature provided by the Cardholder.

With the development of the electronic payment services, there is a variety of Cards available to Cardholders. We
strongly advise you and your staff to familiarise yourselves with the examples we have provided below to recognise
security features, such as Card logo, hologram, Card Security Code, etc.

Newly issued Cards will have a Card type printed on the front of the Card, these will be Debit, Credit, Commercial or
Prepaid.

4
Visa 1 2

Issuer Identification

3 4 5 6 8 7 9 10 11 12

1 14 2
1. Chip
2. Issuer identification
3. First four digits repeated (optional)
4. Primary Account Number (PAN)
5. Cardholder name
Issuer Identification
6. Expiry date
7. Contactless indicator
8. Card Scheme logo
9. Hologram
10. Signature panel
11. Card Security Code (printed or dynamic)
12. Magnetic stripe
13. Debit category identification
14. Visa Debit brand logo
3 4 5 6 8 13 7

V PAY Visa Electron

Visa Prepaid
Visa issue prepaid Cards. These are loaded with funds and often given as gifts. They are not always personalised
with a specific Cardholder name, but you can still accept them as you would any other Visa Card.

5
Visa and Visa Electron Mini Cards
These are miniature Visa and Visa Electron Cards, which carry the logos in a reduced size, positioned in either the
bottom or top right of the Card.

A Visa mini dove hologram will feature on the back or front of the Visa Mini Card. However, this is optional on Visa
Electron Mini Cards.

Other features include:

 Signature Panel - a signature panel will appear on the back of the Card.
 Magnetic Stripe - the magnetic stripe will appear on the back of the Card.
 Card Security Code - A three-digit Card Security Code will be displayed on the back of the Card, either in
the white area next to the signature panel or directly onto the signature panel.
 Cardholder photograph and signature - a photograph of the Cardholder may appear either on the front or the
back of the Card.

Mastercard and Debit Mastercard

1 2

Issuer Identification

1. Chip 3 4 5 6 7 8 9 10 11 12
2. Issuer identification 1 14 2
3. First four digits repeated (optional)
4. Primary Account Number (PAN)
5. Cardholder name
6. Expiry date
7. Contactless indicator Issuer Identification
8. Card Scheme logo
9. Hologram
10. Signature panel
11. Card Security Code (CSC)
12. Magnetic stripe
13. Debit category identification
14. Debit Mastercard brand logo

Maestro
3 4 5 6 13 8

6
Diners Club International and Discover

1 2 8 9

3 4 5 6

1 8 9

3 4 7

1. Card Scheme logo

2. Chip
3. Cardholder name
4. Primary Account Number (PAN)
5. Valid from date
6. Expiry date
7. Card Security Code (CSC)
8. Signature panel
9. Holographic magnetic stripe

How to Verify the Card?

 Chip - works together with Cardholder‟s PIN or signature to create more secure payment, look for any
visible damage
 Card Number - usually, (but not limited to) 16 digits long number on the front of the Card. Should be clear to
read and in line
 Cardholder title and name - should be clear to read and in line. Check that the title printed/ embossed on
the Card matches the gender of the customer presenting the Card
 Signature panel - a Card should be signed by the Cardholder once received. If transaction is taken in a way
that requires signature verification, ensure that the signature on the back of the Card matches the one

7
 provided by the customer. Check strip for any visible damages or evidence of writing over previous
signature, etc.
 Card Scheme logo - should be clear and match the examples shown earlier in Section 2
 Expiry date/ Valid from date - only some Cards have valid from date, but all should have an expiry date.
Ensure that Card is not presented to you after the expiry date and/or before the valid from date
 Hologram - 3D image should move when the Card is tilted. It can be located on the front or back of the
Card. Please note that some Visa Electron Cards do not have a hologram. On Visa Cards look for flying
dove; on Mastercard look for the globe and on Maestro look for William Shakespeare‟s head
 Card Security Code – typically located on the back of the Card - on signature panel or the white box next to
it
 Ultraviolet (UV) features – images under the UV light will show: on Visa - a flying dove, on Mastercard -
letters „M‟ and „C‟ and on Diners Club International / Diners - a circle with a vertical line in the middle.
Similarly to the hologram, some Visa Electron and Mastercard Cards issued after October 2015 do not carry
the UV image

Commercial Cards
Commercial Cards bring specific benefits to business-to-business sales transactions. They look like any other Visa or
Mastercard, although many have the description of the Card‟s function on the front of the Card e.g. Business Card,
Corporate Card and Purchasing Card.

How to Guard Against Fraud

There is a risk that exists with taking all types of transactions. This section outlines what we believe to be industry
best practice that will help you to identify and reduce that risk. Remember that the best fraud prevention is well
trained staff. Please ensure that all staff accepting Card payments on your behalf have read and understood the
following procedures or any fraud prevention documents we may send you in the future. This will help reduce
financial losses to your Business and risk of Chargebacks.

IMPORTANT – Please note an Authorisation is not a guarantee of payment, it only confirms

there are enough funds to pay for the goods and that the Card has not been blocked at the
time of the transaction.

Face to Face Transactions (Card Present)

Preventing and Detecting Fraudulent Face to Face Transactions
 Chip and PIN is the most secure type of transaction. As the Cardholder will retain the control of the Card
when processing the transaction you are not required to make visual checks of the Card. You must however
follow the instructions shown on the Terminal
 Despite the fact that nearly all Cards in the UK are chip enabled sometimes you will require the Cardholder‟s
signature as a verification method. Please ensure that the person presenting the Card is the genuine
Cardholder and follow the prompts on your Terminal

Checking the Card

 Never key a Card Number into your Terminal if both Card and Cardholder are present - this may result in a
Chargeback to you
 Verify if the name on the Card matches the signature. Remember to check the condition of the signature
panel; if it looks damaged it may be because the original signature has been covered over
8
  If possible, check the spelling on the Card and on the Sales Voucher
 Compare the last 4 digits of the Card Number to that printed on the Sales Receipt. This check will allow you
to identify a cloned Card
 Check for the special mark on the Card using a UV lamp. If you place the Card under the lamp you should
see a hologram.

Checking the Cardholder

 Check if the title on the Card matches the customer.
 Does the customer seem nervous or hurried?
 The customer insists upon taking the goods immediately e.g. they are not interested in free delivery.
 The customer takes an unusual amount of time to sign and refers to the signature on the back of the Card.
 The customer repeatedly returns to make additional orders in a short period of time.
 If a transaction is declined and the customer then requests a lower value Authorisation attempt.

Checking the Transaction

 The customer makes an order substantially greater than you would normally expect.
 A fraudster may present more than one Card, often to find a Card that will be successfully authorised. If you
are ever suspicious make a „Code 10‟ Authorisation call to the Authorisation centre.

If the appearance of the Card being presented or the behaviour of the person presenting
the Card raises suspicion you must immediately call the Authorisation centre on 0344 257
9400 and state “This is a Code 10 Authorisation” and follow the operator’s instructions.

Returning Wanted or Recovered Cards

 Keep the Card safely at your premises until the end of business on the day when the Card was found.
 If the Cardholder returns to claim the Card, obtain the claimant‟s signature and compare this signature with
that on the Card
 If you are suspicious that the claimant is not the Cardholder, telephone the Authorisation centre and state
“This is a Code 10 Authorisation”
 Only release the Card if you are satisfied that the claimant is the Cardholder
 Unclaimed Cards should be sent to: First Data Investigations, Janus House, Endeavour Drive, Basildon,
Essex SS14 3WF

Card Not Present (CNP) Transactions - Mail Order Telephone Order (MOTO)
CNP transactions are considered as high risk as you cannot check the Card or the customer. Fraudulent CNP
transactions are your liability as they are likely to be charged back to you. Written agreement from First Data is
needed to take this transaction type.

Preventing and Detecting Fraudulent MOTO Transactions

 Goods relating to a CNP transaction should not be collected by the Cardholder. If the Cardholder wishes to
collect the goods they must present the Card for payment at the time of collection
 Never dispatch the goods to anybody other than the Cardholder and be wary if the delivery/customer is
overseas
 Be aware of „social engineering‟. Fraudsters may spend time building up credibility and then place a large
order or make a request for goods or services outside of your usual trade, such as money transfers
9
  To prevent MOTO fraud look for:
o High value orders that can be easy to resell
o First time customers placing multiple orders
o Multiple purchases of the same goods completed on the same Card
o Customers that are hesitant or make errors providing their personal information
o If customers are more interested in speedy delivery than the good‟s price

Preventing and Detecting Fraudulent Ecommerce Transactions

Signs to look out for include:
 Multiple transactions attempts using the same or similar customer details or Card Numbers
 High value purchases which are unusual for your Business
 Mismatching of the Card Security Code (CSC) or Address Verification Service (AVS) check
 Mismatching combination of IP address, Card issue country and the billing currency
 An email address that bears no relation to the shopper name or makes no sense i.e. „[email protected]‟
 Request to bring forward the delivery date after the order has been placed
 Request to alter payments details
 Multiple deliveries to the same address
 Delivery country that is unusual for the purchase
 General inconsistency

Delivery Warning Signals

Here are some danger signs to look out for when arranging delivery of goods:
 Never dispatch the goods to anybody other than the Cardholder and be wary if the delivery/customer is
overseas
 Insist that goods may only be delivered to the Cardholder‟s permanent address. If you agree to send goods
to a different address, take extra care and always keep a written record of the delivery address with your
copy of the Card Transaction details
 Only send goods by registered post or a reputable courier and insist on a signed and dated delivery note

Instruct your Courier

 Make sure the goods are delivered to the specified address and not given to someone who „just happens to
be waiting outside‟. Instruct your courier to return with the goods if they are unable to affect delivery to the
agreed person/address.
 Do not deliver to an address which is obviously unoccupied.
 To obtain signed proof of delivery preferably the Cardholder‟s signature.
 If you have your own delivery service, consider training your driver to check the Card. If you wish to do this
†
please contact the Fraud Department by phoning the Merchant Support Centre on 0345 606 5055 for more
details.

10
3. Accepting Card Present Transactions
Chip and PIN Cards
 Ask the Cardholder to insert the Card into the chip reader and enter the PIN as prompted
 Once the transaction is completed the Cardholder will be prompted to remove the Card
 Cardholders have three attempts to enter their PIN correctly before it is locked
 If this happens inform the Cardholder and ask for an alternative method of payment.

Contactless Transactions
If the Cardholder‟s Card or device e.g. mobile has been enabled for contactless the process is as follows:
 Initiate the transaction as you would normally do using your Terminal
 Ask the Cardholder to hold their contactless payment device within 2 centimeters of the contactless reader
 Follow the Terminal prompt to check the transaction has been completed
 As a further security measure occasionally the Cardholder will be prompted to insert the Card and enter their
PIN
 You cannot offer Cashback on a Contactless transaction

Chip and Signature Cards

 Ask the Cardholder to insert the Card into the chip reader and follow the prompts on the Terminal
 Ask the Cardholder to sign the receipt and check that it matches the one on the Card being used

4. Accepting Customer Not Present Transactions (CNP)

Accepting Customer Not Present Transactions (CNP)
A CNP transaction is when a Card is not presented at the Point of Sale e.g. mail/telephone order, Ecommerce or
Recurring Transactions all of which must be authorised.
 Take extra care to ensure it is the genuine Cardholder placing the order
 To defend any disputes keep a record of any permission to debit the Card e.g. a recurring payment
agreement or a call recording

To process a CNP transaction you must obtain the following information:

 Card Number
 Expiry date
 Card Security Code (except for mail order transactions)
 Cardholder‟s full name and address
 Transaction amount
 Delivery address if different to the Cardholder‟s address

There are increased risks of Chargebacks for CNP transactions as the Cardholder and
Card are not present. If you choose to deliver goods to an address other than the
Cardholders address you are taking additional risk.

11
 Card Security Code (CSC)
The CSC is a 3 or 4 digit code that appears on a Debit/Credit Card that is used as a fraud prevention tool in CNP
transactions (Refer to Section 2 for examples):
 The CSC is not retained in your Terminal if supplied through us
 if a customer provides written Card details you must ensure the details are securely deleted
 Card Numbers and the CSC are valuable data you must never record or accept copies of these
 CSC is not required for the following:
o Reservations
o Corporate and Purchasing Cards
o No show transactions
o Cancellation Refunds
o Charges after check out
o Mail order transactions

CSC cannot be stored; it can be used for one transaction only. Once the transaction has
been authorised, you must not keep a record of the CSC.

Address Verification Service (AVS)

AVS is available on Cards issued in the UK and allows you to check the Cardholder‟s statement address with the
Card Issuer to help reduce fraud. You need to ask the Cardholder for the following information:
 Only the numbers in the postcode of the Cardholders statement address; and
 Up to the first 5 numbers of the Cardholders statement address
 Your Terminal will prompt you to enter the numbers in the three stages below:

CARDHOLDER’S ADDRESS CARD SECURITY CODE POSTCODE NUMERIC ADDRESS NUMERIC*

55 South Street Any Town, Any
000 or 1234 171 55
County SS17 1BL
Flat 3, 21 North Street Any Town,
Any County LM5 7LT 000 or 1234 57 321

The Cottage East Lane Any

000 or 1234 123 Bypass*
Town, Any County SS12 3BL
Apt 62, 2190 West Road, Any
000 or 1234 451 62219
Town, Any County LM45 1LT

*Where a customer address includes only a house name you may bypass this prompt by pressing the ENTER key.

Authorisation Responses
If there are available funds and the Card has not been reported lost or stolen one of the standard responses shown
below will be received. Please remember:
 The final decision to accept the payment or not is yours
 You are responsible should a transaction be confirmed as invalid or fraudulent even if the data matches and
an Authorisation Code is issued
 AVS/CSC does not protect you from a Chargeback. AVS and CSC responses do not consider whether there
are sufficient funds or even if the Card is lost or stolen. You can still get a positive AVS/CSC match on a
declined transaction

12
RESPONSE DEFINITION ACTION TO TAKE
Data Matches / Data Matched Both the AVS and CSC As long as you have been issued with an Authorisation Code
match the Card Issuer‟s and are satisfied the transaction is genuine then unless there
records are other suspicious circumstances you are likely to want to
go ahead with this transaction. As with all CNP transaction
payment is not guaranteed and you bear the risk if the
transaction is disputed.
Data Non Match / Data Not Both of the address and Indicates this could be either a fraudulent transaction or the
Matched postcode details do not details have been entered incorrectly. We recommend you
match the Card Issuer‟s don‟t proceed unless further checks are made to verify the
records Cardholder and the delivery address provided.
CSC Match Only Either house number or
postcode do not match
the Card Issuer record
AVS Match Only Both address and
postcode match but not
the CSC
Not Checked The CSC and AVS have You will have to make a decision based on the information
not been checked. you have. We recommend further checks are made before
going ahead with the transaction.
†
For more information on AVS and CSC please contact our Merchant Support Centre on 0345 606 5055 .

An Authorisation with or without confirmation of AVS/CSC information does not guarantee

payment. If fraud subsequently occurs you will liable for the Chargeback.

Rules for CNP Transactions

When the Cardholder places the order you must obtain an Authorisation and when the goods or services are ready
to be delivered the transaction should be processed. The Authorisation is valid as follows:
 Visa - the transaction amount must be within 15% of the authorised amount and the goods must be shipped
within 31 days otherwise a second Authorisation is required.
 Mastercard & Diners - the transaction amount must equal the authorised amount and the goods must be
shipped within 30 days otherwise a second Authorisation is required.

Ecommerce Transactions
You must make an application to take Ecommerce Transactions with First Data, even if you have an existing
Merchant Agreement.

On approval a new First Data Merchant number will be issued, this is solely for the purpose of acceptance of
Ecommerce transactions for the Business described within the new Application Form.

All Ecommerce transactions are regarded as “Card Not Present Transactions” and are taken at your own risk. In the
case of a dispute we retain the right under the Merchant Agreement to Chargeback any Ecommerce transactions
irrespective of whether an Authorisation Code is obtained.

Website Requirements
The details below should not be considered as a comprehensive list of the information which you may be required to
provide on your Website under applicable legal requirements and should not be seen as a form of legal advice. You
should obtain your own legal advice on the content of and activities carried out on your Website.

13
You should ensure that your Website, its contents and any activities related to it, such as marketing are in
accordance with all local legal requirements and regulations.

You must also comply with the requirements of all data protection legislation, and where you process Personal Data
on your Website, include a Privacy Policy that Cardholders are required to agree to before providing any Personal
Data on your Website.

You need to ensure that your Website provides some basic information about your Business so that the online
shopper can easily identify you. It also needs to display contact details (landline telephone number and
correspondence or email address) so any customers that wish to contact you to resolve a dispute can do so. You
should also clearly state the physical location of your Business and a statement detailing under which legal
jurisdiction your Business operates) before the transaction is completed. Any Trade Association membership,
professional bodies that you are registered with as well as VAT registration number (if applicable) should also be
provided.

The order page on your Website, whether provided by a third party or created by you, must be PCI (Payment Card
Industry) compliant and collect at least the following details:
 Cardholders‟ full name
 Cardholders‟ email address
 Cardholders‟ billing address and postcode
 Delivery address

Payment page (check-out)

Providing Cardholders with sufficient information about their purchases is very important so that they have a good
idea of what is on offer. You should ensure that you provide a description of the following:
 The products and the services as well as total cost (showing any additional cost such as applicable tax,
packaging, delivery charges etc.)
 Your terms and conditions including your return and cancellation policy
 Instructions on how to complete their order

The payment page on your Website whether provided by a third party or created by you must be PCI DSS compliant
and collect at least the following:
 Transaction amount
 Card type box e.g. the Card types detailed in your Merchant Agreement
 Customers‟ Card Number
 Card Expiry date
 CSC

Payments and Refunds

 Cardholders should be provided with clear information on all payment options and clear instructions on how
to pay
 Cardholders should be informed of their cancellation, Refund, replacement and complaint rights at the time
of purchase

14
  Receipts should be provided with the goods on delivery

Receipt Requirements
You must provide a Cardholder receipt by email and/or post which contain the following:
 Partial Cardholder Account Number - for Ecommerce transactions please note the Cardholder account
number, Card Security Code (CSC) and Expiry date must not appear on the transaction receipt ( this is a
PCI DSS requirement)
 Unique Transaction Identifier - to assist in disputes you should assign a unique identification number to the
transaction and display it clearly on the transaction receipt:
o Cardholder name
o Transaction date
o Transaction amount
o Transaction currency
o Authorisation Code
o Description of merchandise or services
o Merchant name
o Website address

Best practice is to provide your Customers with an acknowledgement of their purchase prompting them to either print
or save this document for their own records.

Verified by Visa and Mastercard SecureCode

These are industry wide initiatives introduced to combat Internet fraud, commonly known as Cardholder
Authentication. Cardholders who register for this service with their Card Issuer will be required to use a personal PIN
or password at the time of the transaction to confirm they are the genuine Cardholder. Verified by Visa and
Mastercard SecureCode operate on your Website and interact with both the customer and their Card Issuer. The
whole process takes a few seconds and the online shopper is unlikely to be inconvenienced by it.

Payment Services Provider (PSP)

You must be set up with the First Data Ecommerce Gateway (or a third party PSP) if you want to accept Ecommerce
transactions. Please note if you are using a third party PSP they must be PCI DSS compliant and accredited with
First Data to submit Ecommerce transactions to us. Your chosen PSP will be able to advise you of relevant costs set
up times and how their systems integrate with your Website.

Security
You must ensure Card details are captured and stored securely in accordance with PCI DSS requirements. Card
details should be encrypted and protected by a firewall. Never send full Card details via email as this is not a secure
method for data transfer.

Delivery and guarantees

 Delivery dates/times should be clearly stated and agreed with the Cardholder. If it is not possible to deliver
on the agreed date/time another delivery should be arranged. If this is not possible the Cardholder should be
offered a Refund
 You should capture both billing address details and delivery address details
 In the event of a non-delivery it is the Merchant ‟s responsibility to prove receipt of the goods by the

15
 Cardholder
 Apart from deposits, full payment for goods and services must not be debited from a Cardholder‟s Account
until the goods have been dispatched or the service provided. Should you wish to be able to take deposits
on goods and services, you must get agreement from First Data for this before any deposits are taken.

Recurring and Instalment Transactions

 Recurring Transaction - payment for goods or services that are received over time e.g. insurance or
subscription
 Instalment Transaction - a regular payment against a single purchase e.g. car or loan. Written agreement
from First Data is needed to take these transaction types

RECURRING TRANSACTION INSTALMENT TRANSACTION

The Cardholder must consent to periodic charges for You must provide and the Cardholder must consent to the
recurring merchandise or services at the time of the first merchandise or services and all of the following in writing at
transaction. This permission must include at least all of the the time of the first Transaction:
following, in writing, and must be provided to the Cardholder:
 Terms of service
 Transaction amount
 Timing of delivery to Cardholder
 Fixed dates on or intervals at which the Recurring
Transactions will be processed  Transaction amount

 Duration for which Cardholder permission is  Total purchase price

granted  Terms of future payments, including the dates and
 Cancellation and Refund policies amounts

You must retain the Cardholder's permission for the duration  Cancellation and Refund policies
of the recurring merchandise or services

A Recurring Transaction amount must not An instalment transaction amount must be less than the total
price of the merchandise or services purchased and may
 Include partial payment for merchandise or include interest charges.
 services purchased in a single Transaction
 Include finance charges
Authorisation is required for each individual Recurring Authorisation is required for each individual instalment
Transaction transaction. If a request for a subsequent payment is declined
you must notify the Cardholder in writing and allow the
Cardholder at least 7 days to pay by other means.

A Merchant must not process an initial instalment Transaction

until the merchandise or services have been provided to the
Cardholder.

You must provide an online cancellation procedure if the: If the Cardholder cancels within the terms of the cancellation
policy, you must provide to the Cardholder both of the
 Cardholder's request for merchandise or services following within 3 Business Days:
was initially accepted online
 Cancellation or Refund confirmation in writing
 Not complete a Recurring Transaction beyond the
duration expressly authorised by the Cardholder or  Credit Transaction Receipt for the amount specified
if it receives either a cancellation notice from the in the cancellation policy
Cardholder or a Decline Response

Visa Account Updater (VAU) and Mastercard Account Billing VAU and ABU are not available for instalment transactions
Updater (ABU) must be implemented to pre- validate Card
details prior to the submission of a Recurring Transaction
(please see VAU and ABU section for further information)

If you do not process a recurring or instalment transaction at the time of entering into the agreement with the Cardholder you
must:
 Submit an Account Number Verification Transaction Authorisation
 Identify the Account Number Verification Transaction as a Recurring or Instalment transaction in the Authorisation.
 Please contact your Payment Service Provider (PSP) to enable Account Number Verification Transaction
Authorisation.

16
VAU and ABU
Visa and Mastercard provide services that allow a Merchant to verify Card details prior to a Recurring Transaction
being submitted.

Visa Account Updater (VAU) and Mastercard Account Billing Updater (ABU) maintain databases that consist of
participating issuer Card information. These databases enable Merchant s to validate a recurring payment
agreement has not been cancelled and the Card Number/ expiry date is valid. Further information is available on
request.

Instalment Transactions
Instalment Transactions work in a similar way to Recurring Transactions with the exception of instalment transactions
that represent a single purchase, with payment occurring on a schedule agreed between a Cardholder and Merchant
e.g. Loan/Car/Debt repayment transactions over a set period of time.

5. Authorisation, Pre-authorisation and Referrals

An Authorisation must be obtained at the time of the transaction. You should not proceed when your request for
Authorisation is declined. Multiple Authorisation attempts following a decline is not permitted. Please remember that
it is your responsibility to ensure that all transactions are authorised in accordance with your Merchant Agreement

Authorisation is a check that is undertaken with the Card Issuer to confirm if they will
approve the transaction. Authorisation from the Card Issuer is not a guarantee of payment.

Pre-authorisations
If you do not know the final amount that you will submit the transaction for you should be sending an estimated
Authorisation request. An estimated Authorisation amount should be used when your customer is booking a
room/vehicle/equipment and you are not sure if there will be additional charges to be applied later. Estimated
Authorisation may also be used where orders for goods are placed and multiple items within the order will be
dispatched separately. Please remember always to advise the Cardholder of the amount you are pre-authorising as
these funds will be unavailable on their account.

Referrals
A referral occurs when a Card Issuer requires First Data to contact them prior to providing a response to an
Authorisation request. This may be prompted by an unusual spending pattern for the Cardholder or a large value that
triggers the issuer‟s fraud detection rules. Your Terminal will prompt you to call for Authorisation in this instance.
Generally it will be necessary for the Cardholder to come to the telephone to answer some security questions. You
should follow the instructions given by the Authorisation operator and at the end of the call if Authorisation is granted
you will be issued with a code to key into your Terminal.

For Authorisation, please telephone: 0344 257 9400 Lines open 24-hours a day, 7 days a week

17
Code 10 Calls for Card Present
If you suspect something is wrong then you must telephone the Authorisation Centre on 0344 257 9400, before
swiping the Card through the Terminal and state that “This is a Code 10 Authorisation”. Then follow their instructions.

Code 10 Authorisation applies in the following circumstances

 The Card Number embossed on the front of the Card is different from the one printed on the signature panel
on the back of the Card
 The Cardholder‟s signature differs from that on the Card
 The title on the Card does not match the customer
 The signed name is not the same as that embossed on the front of the Card
 The word „void‟ is visible on the signature panel or there is any indication that the panel has been tampered
with
 There has been any attempt to disguise or amend the signature
 The Card is unsigned
 There is no „flying V‟ or „offset MC‟ on the Card being presented
 The hologram is damaged or missing
 The Card has been mutilated in any way
 You have a reason to be suspicious about the sale, the Card or the customer
 The amount of the Card Transaction is significantly higher than normal for your Business
 Your Terminal requests that you call the Authorisation Centre

Hold on to the Card and goods and telephone the Authorisation Centre immediately – you should not call the Police
unless instructed to do so by the Authorisation Centre.

When you make a „Code 10‟ Authorisation call, have the following details ready:
 The Cardholder Number
 The Card issue number (if applicable)
 Your Merchant number
 The exact amount of the Card Transaction, in pounds and pence
 The Card expiry date

Say to the Operator: “This is a Code 10 Authorisation”

This will alert the Authorisation Centre and you will be asked the relevant questions, most of which will require “Yes”
or “No” answers (to avoid difficulty or embarrassment if the customer is waiting close by).

The operator may instruct you to call the Police or advise you that the Police have been notified. Police involvement
is not always necessary – please do not contact the Police unless instructed to do so.

18
6. Purchase with Cashback
Purchase with Cashback allows your customers to request Cashback when purchasing goods using their Debit Card.
Written agreement from First Data is needed to take this transaction type the following rules apply:
 Can only be to customers who make a purchase with their Card
 Must be via an electronic Terminal , not a manual imprint machine
 Must not exceed the maximum Cashback amount confirmed in your written notification from First Data
 Enter the purchase and Cashback amounts separately as prompted by your Terminal
 Cashback can be offered on Visa Debit, Visa Electron, Maestro, Debit Mastercard issued in Europe only
 Follow the Terminal prompts it will tell you whether the Purchase with Cashback has been approved

7. Refunds
You are only permitted to make a Card Refund when the original sale was on the same Card. The refunded amount
will be credited to the Cardholders Card and debited from your account.

When processing Refund transactions:

 You must check that the Card presented for the refund is the same one used for the original sale
 You should never make a refund on the Card where the original sale was made by cash or cheque
 You should never make a refund by cash or cheque where the original sale was on a Card
 You should never make a Card Refund for amount higher than the original sale

8. Paper Vouchers
If you are unable to use your Card Terminal for Sale and Refund transactions follow the procedures below. The
Paper Vouchers contain the following copies:
 Merchant /Top Copy - you must retain this for 18 months from the date of the Card or last recurring Card
Transaction (to defend a disputed transaction)
 Processing/Middle Copy - you must post this to First Data
 Cardholder/Bottom Copy - this is the record of the Card Transaction to be given to the Cardholder

Please note the voucher for a Sale is printed with black text and the voucher for a Refund has red text and is clearly
marked Refund voucher

Completing a Sales/Refund Voucher

1. Fully complete all the information fields on the voucher
2. Do not mark copies with pencil or paper clips as these can transfer through the carbons and obscure details
3. Check the details are clear on all three copies to avoid the risk of a Chargeback
4. If you make a mistake you must complete a new Sale/Refund Voucher and destroy the old one
5. For a sale ask the Cardholder to sign the Sale Voucher and check that the signature matches the one on
the back of the Card presented. Failure to do so may result in a Chargeback
6. For a Refund you must sign the Refund Voucher
7. For both a Sale and Refund you must telephone the Authorisation Centre on 0344 257 9400 for an
Authorisation Code for each sale/Refund and write the code provided on the Sale/Refund Voucher
8. You cannot alter the Sale/Refund Voucher once you have the Authorisation code to avoid the risk of a
Chargeback

19
The Sales Voucher must always be completed in Pounds Sterling (£) unless you have made arrangements with First
Data to accept different currencies. An example of correctly completed sales voucher is shown below:

Preparing/Submitting Vouchers for Submission

You must complete the Merchant Summary Voucher to submit your Sale/Refund Vouchers retaining the top and
middle copies and submitting the bottom copy for processing.
 Fully complete all the information fields on the voucher including your Merchant number and Business
name
 Do not submit more than 200 Vouchers on one Merchant summary voucher
 All Vouchers must be posted to First Data at Parseq, Lowton Way, Hellaby, South Yorkshire, S66 8RY. This
copy is electronically processed, therefore please do not fold, damage, pin or staple and ensure the
necessary details are clearly recorded
 To avoid an increase in your processing charges these must be received by us no later than three (3)
Business Days from the transaction date
 If you do not submit your Vouchers within this timescale the Card Issuers may reject the Card Transactions,
even though you may otherwise have followed the proper Authorisation procedures and/ or you may be
subject to a surcharge and/or a Chargeback

Warning: Do not submit Vouchers when the Card Transactions have already been processed through an
†
electronic Terminal. If in doubt, please telephone the Merchant Support Centre on 0345 606 5055 .

9. Exceptional Procedures
Can I Pass Charges to my Customer?
Surcharging is permitted in accordance with local law. If you indicate a price to a Cardholder which is not applicable
to all methods of payment then before you accept the Card Transaction you must display a statement explaining any
methods of payment to which the indicated price does not apply, including the difference in price either as an amount
or a percentage.
 For all payments made in store or by telephone, you must inform the customer of the charge amount before
they authorise the Card payment
 For payments in store you must clearly display a statement regarding any surcharges at the Point of Sale
 For Card Not Present payments you must display a statement explaining the charges on your website,
20
 catalogues, advertisements and any order forms
 Any surcharge amount must be included in the Transaction amount and not collected separately
 You must comply with any legal requirements limiting the amount you can charge and what you must tell
your customers about the charge. It is your responsibility to check these requirements yourself. Please
contact your local Trading Standards Office or equivalent body if you need further information

Split Sales and Transactions

There may be occasions when a Cardholder will request to split payments between several Cards, or between a
Card and cash or cheque.

If several Cardholders wish to split the transaction amount into small amounts in order to pay a proportion of a bill,
this is permitted; for example, in a restaurant when individuals pay their own bill or a proportion of the total bill. You
are permitted to split the total bill between each Cardholder.

However if one Cardholder requests you to split a transaction amount between several Cards e.g. where the
Cardholder may not have sufficient funds on one Card you should proceed as follows:
 Only conduct the transaction if you are not suspicious of the transaction or the person presenting the Card
 Ensure all Cards presented are issued with the same Cardholder name
 Follow the normal Card acceptance procedures as detailed in Section 3
 First Data recommend you only split a transaction over more than one Card when it is a Card Present
Transaction and each transaction is verified by either Chip and PIN or signature (as requested by the
Terminal )

Warning – If a sale transaction is declined you should not then split the sale over multiple smaller
transactions as this could indicate fraudulent activity and result in a Chargeback.

Terminal Fallback
If it is impossible for the Terminal to read the chip on the Card or the Terminal has a malfunction you should contact
your Terminal supplier helpdesk immediately to report the fault. A representative will try to resolve the problem
remotely or failing this will arrange for a new Terminal to be sent to your premises on the next working day, provided
the fault is reported prior to 16:00. This does not include premises situated in the Highlands and Islands where
replacement may take two (2) to four (4) working days. In the interim follow the guidelines below:

21
 REVERT TO REVERT TO REVERT TO
CARD TYPE CHIP AND COMMENTS
MAGNETIC STRIP PAN KEY
SIGNATURE
Maestro and Visa Electron &
Electronic Use only Cards Seek alternative
N/A N/A No
payment method
Unable to read magnetic strip

Diners Club & Discover Cards Yes Yes Yes

All Other Card types Chip Cards PIN

not enabled. Unable to read chip N/A Yes No

All Other Card types Chip and PIN

enabled Cards. PIN Pad fault.
Yes No No
Unable to accept PIN entry

All Other Card types Magnetic strip

Cards only. Unable to read Magnetic N/A N/A Yes
strip

You are liable for swiped or key entered chip Card Transactions that are proven to be
fraudulent.

10. Chargebacks
A Chargeback occurs when a Card Issuer raises a disputed transaction on behalf of the Cardholder. The following
section describes the procedures which you should follow together with suggestions which will help you reduce the
risk of Chargebacks being debited to your Merchant Account.

Remember you may be liable for a Chargeback in some circumstances even if you
obtained Authorisation for a Card Transaction.

22
Common Causes of Chargebacks
The most common causes for Chargebacks are:
 A fraudulent mail, telephone or Ecommerce transaction
 You do not respond in time to a request for a copy of the transaction (retrieval request)
 The Card was not valid at the time of the transaction (this could be before the valid date or after the expiry
date)
 Authorisation was not obtained
 The signature on the transaction receipt does not match what is on the Card
 If the goods or services provided were not as described, defective or not received

Retrieval Requests
In many cases before a Chargeback is initiated the Card Issuer requests a copy of the Sales Voucher via a „retrieval
request‟. Once a retrieval request is received we will respond by sending a copy of the Card Transaction if available.

Where you hold electronic Sales Receipts or Terminal Sales Receipts for electronically processed Card Transactions
it is your responsibility to respond to all retrieval requests received within 14 calendar days of our initial request. You
are responsible for retaining and providing copies of Sales Receipts and any Refund Receipts for a minimum of 18
months from the original Card Transaction Date. If First Data does not receive a clear legible copy of the Sales
Receipt on time you may be subject to the Chargeback simply by failing to meet the Card Scheme timescale.

Chargeback Reversal Procedure

When a Chargeback is received we will debit the disputed amount from your account and contact you with details of
the Card Transaction together with the information/documentation we require from you and the deadline we require it
by.

If the information provided is sufficient to warrant a reversal of the Chargeback and within the applicable timescale
we will attempt to defend the Chargeback. However reversal is contingent upon acceptance by the Card Issuer under
the applicable Card Schemes guidelines. If the Chargeback is successfully reversed the Card Issuer has the right to
present the Chargeback a second time and your Merchant Account will be debited again if you have not complied
fully with the terms of your Merchant Conditions and this Operating Guide. We will do our best to help you to defend
a Chargeback. However, due to the short timeframes and the supporting documentation necessary to successfully
(and permanently) reverse a Chargeback in your favour we strongly recommend the following:
 Ensure Card Transactions are completed in accordance with the terms of your Merchant Conditions and
this Operating Guide
 If you do receive a Chargeback send us the requested documentation within the required timescale
 Whenever possible contact the Cardholder directly to resolve the inquiry/dispute but still comply with the
request for information in case this does not fully resolve the matter

23
11. Other Services
Vehicle Rental Services
If you are a vehicle rental company or a third-party that accepts guarantee rental reservation, using pre-authorisation
when taking Card payments will add additional security to the transactions as the Card will be checked before the
customer takes the vehicle. Please remember that the pre-authorisation from the Card Issuer is not a guarantee of
payment it is only a check that the Card has not been reported lost or stolen and that there are sufficient funds at the
time of the transaction. Written agreement from First Data is needed to take this transaction type.

Please read carefully the guidelines below to understand regulations and risks associated with taking Vehicle Rental
Service Card payments.

Information to obtain from the Cardholder:

 Name of the person making the reservation
 Telephone number
 Name of person(s) requiring the vehicle
 Expected collection date and time
 Number of days of expected vehicle hire
 Card Number
 Card Expiry date
 Cardholder name
 Cardholder billing address
 Card security code (only for telephone and Ecommerce transactions)

You should discuss and agree the terms of hire this should include but is not limited to hire rates, cancellation and
„no-show‟ policy and procedures, any additional charges that may be applied such as damages or parking tickets .

Procedure for completing Vehicle Rental Transaction

Pre-authorisation
You can pre-authorise the transaction before the car rental period begins. It allows you to estimate the final
transaction amount, gain Authorisation and reserve the funds before the hired vehicle is returned. The estimation
should be based on the intended rental period, rental rate and applicable tax and mileage rate. Please remember
that the estimation cannot include potential vehicle damage.

Your Terminal User Guide should provide instruction of how to perform the pre-authorisation. Ensure that your
customer understands that the pre-authorised amount will be deducted from the available funds on the Card. You
should process the payment AFTER the vehicle is returned. The payment should not include any additional charges
such as vehicle damage these charges should be processed separately. The Authorisation code received for an
approved pre-authorisation should be used to complete the transaction. If the final bill is more than the pre-
authorised amount you must obtain another Authorisation code for the difference with the exception of Visa where
the bill can be within 15% of the authorised amount.

24
Cancellation policy
Please note that whilst you may have a cancellation policy within your terms and conditions (which you must clearly
communicate to your customer) you must not charge any cancellation fee if the Cardholder cancelled the reservation
in accordance with the outlined procedures.

Within your cancellation period you must not require cancellation notification of more than 72 hours to the sche duled
collection time and date of the booking without penalty. If the Cardholder makes a reservation within 72 hours of the
scheduled pick up date the cancellation deadline must be no earlier than 6pm at the address of the scheduled pick
up date.

If a reservation has been properly cancelled in accordance with the communicated cancellation policy you are
required to provide the Cardholder with a cancellation code and advise them to retain it for their records. You must
then send a written confirmation of the cancellation to the Cardholder within 5 Business Days.

No Show
If the Cardholder does not turn up within 24hrs of collection time and they did not cancel the reservation in
accordance with your terms and conditions you may charge the customer for the maximum value of the one day
rental. To do so you will need to perform Card Not Present Transaction writing on the receipt „no show‟ and send a
copy of a „no show receipt‟ to the billing address provided at the time of booking.

Refund Policy
If you operate a no refund policy this must be made clear to the Cardholder when discussing the reservation. If you
do agree to refunds you must credit to the same Card as used to make the reservation. Where a charge is made to a
Card in error the reversal must be applied to the Card within thirty (30) calendar days. Do not refund by cash or other
payment methods as this could result in Chargebacks.

Delayed charges
For you to process a delayed charge e.g. damage to the vehicle, fuel, insurance fee, parking tickets, excessive
mileage etc. the Cardholder must have given their consent by signing the rental agreement and agreeing to your
terms and conditions. Any delayed charges must be processed within 90 days of the original transaction date and
you must obtain further Authorisation. These charges must be submitted as a separate transaction with „signature on
file‟ clearly visible. The Cardholder must be notified in writing of any delayed charges.

Providing evidence to the Cardholder

Before you process any additional charges you need to inform your customer and provide evidence to support the
claim. You need to provide:
 Details of the violation
 Time and place of violation
 The law violated and if applicable a copy of the accident report
 Copy of parking tickets
 The license number of the rental vehicle
 The amount of the charge
 A copy of rental agreement
 Evidence the Cardholder read the terms and conditions agreeing responsibility to pay any additional
charges
 Proof that the car was damaged/ shortage of fuel etc. on return.
25
Car rental damage - Visa Cardholders
 You need to provide written confirmation to the Cardholder within ten (10) Business Days from the return of
the vehicle advising of the damage and the cost.
 Within ten (10) Business Days from receiving written confirmation the Cardholder has the right to provide an
alternative estimate for the cost of repairing the damage. A Cardholder has the right to raise a Chargeback if
the agreement is not reached and the additional charges are debited.
 You need to wait twenty (20) Business Days before processing the delayed/additional charges.

Car rental damage - Mastercard Cardholders

To apply additional charges to a Mastercard you must obtain a separate Cardholder signed authority by processing a
Card Present Transaction. If the charge is disputed at a later date this will be required as proof that the Cardholder
authorised the additional charge.

Processing transactions differently may result in a Chargeback and therefore losses to your company. As in any
other cases, we will try to defend a Chargeback. We may ask you do provide us with:
 A copy of the rental agreement, stating vehicle rental period
 A copy of the document signed by the Cardholder agreeing to accept responsibility for the delayed charges
 A copy of the original notification you have sent to the Cardholder informing him/her about the charges
 A proof of cost estimation
 A proof of law validation such a parking fine ticket, speeding fine ticket, etc.
 Any supportive documentation such as police reports, insurance policy of the rental vehicle, etc.
demonstrating Cardholder liability

Not receiving requested documentation in time, may prevent us from defending the dispute and may result in a debit
to your account.

Hotels, Lodging and Accommodation

Advanced Reservation
To be able to take advanced reservation you will need to have an agreement with First Data to process MOTO and
Ecommerce transactions. Wherever possible the Cardholder requiring accommodation or lodging should be asked to
make the reservation. However, for practical reasons, you may need to accept reservations from third parties, for
example secretaries acting on behalf of their managers. Advanced reservation allows your customers to book a room
in advance. As you will obtain the Card detail, you will be able to charge the Cardholder should they not turn up or do
not provide you with sufficient cancellation notice.

Information to obtain from the Cardholder:

 Name of the person making the reservation
 Telephone number
 Name of person(s) who will be using the room
 Expected arrival date and time
 Number of days of expected to stay
 Card Number
 Card Expiry date
 Cardholder name
 Cardholder billing address
26
  Card security code (only for telephone and Ecommerce transactions)
 If the booking is for corporate purposes, you should also collect the following information:
 The caller‟s name and position in the company/organisation
 The name of the company/organisation
 The company/organisation switchboard telephone number

You should discuss and agree the room rate and obtain Cardholder consent to your cancellation and „no show‟
policy. This must be clearly explained to the customer.

Advanced Deposits
Please note if you take advanced deposits for a room reservation, under Card Scheme regulations, this is the only
amount you can debit the customer. You will also forfeit your right to charge one night‟s “No Show” payment. If you
operate a “No refund” policy you must make it perfectly clear to the Cardholder at the time of the reservation. Any
Refunds must be made to the Card used for the original booking. You must not Refund by cash, cheque or other
means.

Once you and the Cardholder have agreed on the deposit please inform the Cardholder of the following:
 Room rate (including tax)
 Amount of advanced deposit that will be billed on the Card (which must not exceed the cost of 14 nights‟
accommodation)
 Explain that the deposit will be deducted from the final bill
 Explain that the accommodation will be held for the period covered by the advance deposit

No Show or Invalid Cancellation

If the reservation is not done in accordance with your cancellation policy (late cancellation) or the customer does not
show up you may charge one night‟s stay. To do so, you will need to perform a Card Not Present Transaction and
send a copy of the final bill to the billing address provided at the time of booking.

Guest Arrival/Check-In
Upon arrival of your guest, request to see the Card that the booking was made with and ask them to complete a
registration form. If you wish to charge additional services/items to the guest‟s room such as newspapers and bar
charges your registration form must clearly show this.

Pre-authorisation
Pre-authorisation allows you to estimate the final bill and reserve funds on the Card for that amount whilst your guest
is staying with you. We recommend that you obtain full payment upon check-in for the expected number of night‟s
stay. The Cardholder‟s total charges can be estimated based on:
 Expected length of stay
 Room rate (including tax)
 Estimated miscellaneous charges

Please advise the Cardholder how much you have pre-authorised as this will reduce the amount of funds they have
available on their account. The pre-authorisation helps protect you from fraudulent Card use and confirms if the
Cardholders Account is valid and has sufficient funds available. Authorisation from the Card Issuer is not a guarantee
of payment
27
Departures/Check-Out
When the Cardholder wishes to check out calculate the final bill amount and compare this with the pre-authorisation.
If the final bill is more than the pre-authorised amount you must obtain another Authorisation code for the difference
with the exception of Visa where the bill can be within 15% of the authorised amount.

Express Checkout
You may want to offer your customer the option to leave the key and check-out without waiting for the bill. If you
decide to offer your guest an express/priority checkout service (the Card is no longer present), be aware that we may
not be able to defend you from a Chargeback if a Cardholder later denies any transactions.

If the Cardholder requests priority check-out, at check-in you must:

 Record the Card Number, expiry date and Cardholder name
 Inform the Cardholder of your policy regarding any charges discovered after check-out
 Give the Cardholder a priority check-out agreement to complete. When the Cardholder returns the
agreement, ensure that:
o It is signed
o It includes the mailing address
o The Card Number on the check-out agreement matches the Card Number on the pre-authorisation

Upon check-out, you must complete the transaction for the total charges incurred during the Cardholders stay. If the
final bill is more than the pre-authorised amount you must obtain another Authorisation code for the difference with
the exception of Visa where the bill can be within 15% of the authorised amount.

Extended Stays
Those requiring longer stays should be asked to pay the current total due. You can ask for their Card, or you can use
the Card details provided during check-in. However, please be aware that there is a risk that this amount could be
disputed at a later date if no signature or PIN is obtained.

Pre-authorisations are not supported for Maestro Cards. We recommend that you obtain
full payment for the expected number of nights stay. If the Cardholder decides to check-
out early, simply provide a Refund.

If the bill is more than 15% above the pre-authorised amount or Mastercard is being used, you must obtain another
Authorisation code for the remainder of the stay.

Additional Charges
Please remember that any additional charges following check out must be processed within 90 days from the date of
departure. You will need to write on the transaction receipt „Signature on File‟ and send a copy to the Cardholder‟s
address given to you during reservation.

Additional Checks
In some circumstances (depending on country specific scheme processing regulations) you will be required to ask
the Cardholder for secondary proof of identification.
 Ask the Cardholder to provide a second form of identification. This should be a passport or a full driving
licence

28
  Check that the photograph of the document resembles person who presented it to you and that there are no
visible changes to the picture that may indicate the document is not genuine
 Check that the second identification document it is not out of date and that it shows the Cardholder‟s
signature
 On the front of the receipt you record the description of the identification i.e. driving licence, passport etc.
and include the serial number displayed on the identification. Additionally if a photo is present also annotate
the receipt with „photo Card presented‟ which proves the Cardholder‟s identity was verified by photograph
 The first four digits of the Card Number (if present) are printed immediately below the Card Number. These
first 4 digits must be recorded on the front of the transaction receipt to validate they have been checked.

Remember:
 Never process Maestro Cards
 You must always obtain an Authorisation
 Never progress taking a transaction if the Cardholder is unable to provide an acceptable second form of ID
as these transactions may be charged back to you and debited from your account
 Any fees to be charged must be included within the total transaction value and disclosed to the Cardholder)
prior to completing the transaction
 It is your responsibility to undertake the additional identity checks

Dynamic Currency Conversion (DCC)

DCC provides you with the ability to offer overseas Visa and Mastercard Cardholders the option to pay for goods or
services in the currency their Card is issued. The price of goods and services will be shown to the Cardholder in GB
Pounds (£) and in their own currency along with the exchange rate used. Exchange rates held in your Terminal are
updated automatically.

You Must
 Inform the Cardholder that DCC is optional
 Not impose any additional requirements on the Cardholder to have the transaction processed in the local
currency
 Not use any language or procedures that may cause the Cardholder to choose DCC by default

Receipt Requirements
DCC transaction receipts must show the following:
 Currency symbol of the local currency of your outlet
 The transaction amount of the goods or services purchased in the local currency of your outlet
 Exchange rate used to determine the Cardholder currency transaction amount
 Total transaction amount charged by you in the transaction currency, followed by the words “Transaction
Currency”
 A statement, easily visible to the Cardholder, that specifies the following:
o The Cardholder has been offered a choice of currencies for payment including the local currency of
your outlet
o That the currency selected by the Cardholder is the transaction currency
o Indicate that the DCC is conducted by you. Written agreement from First Data is needed to take this
transaction type

29
Multicurrency & Cross-Border Transaction Acceptance
This functionality allows you to operate across several European countries and centralise your payment Card
processing arrangements. Written agreement from First Data is needed to take these transaction types.

Permitted Merchant Location Countries

The Merchant location is either the physical premises where a transaction is completed or an Ecommerce or MOTO
transaction where all the following occur:
 There is a permanent establishment through which transactions are completed. In the absence of a
permanent establishment a Merchant that provides only digital goods must use the country where the
Principals of the company work
 Merchant holds a valid business license for the Merchant location
 Merchant has a local address for correspondence and legal process
 The Merchant outlet pays taxes relating to the sales activity

Available Funding and Settlement Currencies

Transactions can be accepted in any currency and settled to you in Great British Pound (GBP), Euro or US Dollar
(USD). You can also receive settlement in any of the currencies below, provided the transaction currency is the
same:
 GBP  Norwegian Krone
 Euro  Swedish Krona
 USD  Denmark Krone
 Australian Dollars  Hong Kong Dollar
 Canadian Dollars  New Zealand Dollar
 Swiss Franc  South African Rand
 Japanese Yen

If you are interested in expanding your Business by offering this service to your customers, please contact our
†
Merchant Support Centre on 0345 606 5055

Payment of Debt
You may accept Visa Debit, Visa Electron and Mastercard Cards for the payment of mortgages and loans. However
during the transaction you must:
 Obtain Authorisation, providing additional data. For more information please contact our Merchant Support
†
Centre on 0345 606 5005
 Complete the transaction as a purchase flagged as instalment payment
 Write the type of payment made on the receipt e.g. “Loan” or “Mortgage”
 On the signature line of the receipt, write “Instalment Transaction”

12. Payment Card Industry Data Security Standard (PCI DSS)

This standard is managed by the Payment Card Industry Security Standards Council set up by the Payment Card
brands (Mastercard, Visa, American Express, Discover and JCB). PCI DSS outlines the minimum security
requirements to help businesses handle payment information securely. The Card brands require that any business
accepting Cards for payment of goods or services must be compliant with the PCI DSS.

30
Becoming PCI Compliant
To report your PCI DSS compliance for your Business you need to identify and complete the appropriate Self-
Assessment Questionnaire. Securing your Business requires the following steps:
 Analyse your Business practice and processes
 Research the appropriate security solutions for your Business
 Implement and maintain security solutions

Central to this is that you protect your customers‟ payment Card data. You must make sure that you have security
controls in place at all times to maintain your compliance. Your customers trust you to keep their information safe;
you need to repay that trust with at the very least compliance.

PCI DSS requirements as set out by the Card Schemes:

1. Build and maintain a secure network
2. Install and maintain a firewall configuration to protect Cardholder data
3. Do not use vendor-supplied defaults for system passwords and other security parameters
4. Protect Cardholder data
5. Protect stored data
6. Encrypt transmission of Cardholder data across open public networks
7. Maintain a vulnerability management program
8. Use and regularly update anti-virus software or programs
9. Develop and maintain secure systems and applications
10. Implement strong access control measures
11. Restrict access to Cardholder data by business need-to-know
12. Assign a unique ID to each person with computer access
13. Restrict physical access to Cardholder data
14. Regularly monitor and test networks
15. Track and monitor all access to network resources and Cardholder data
16. Regularly test security systems and processes
17. Maintain an information security policy
18. Maintain a policy that addresses information security for all personnel

Implications of Not Complying with the PCI DSS

Not being compliant with the PCI DSS can leave your Business at risk of a data breach and related costs. Most
people don‟t realise that these can be quite substantial and can include Card Scheme fines and Card replacement
costs.

Other factors include loss of customer confidence and damage to the reputation of your Business, not to mention
your Business being open to lawsuits and audits. You may also be subject to non-compliance fees.

Third Party Obligations

You are responsible for making sure that all third party service providers that come into contact with your customers
Cardholder data are compliant with the PCI DSS at all times. This may include any web hosting provider, software
application provider, PSP, processing bureau, vendor etc. used by your Business. If these third parties could impact
the ways that you process Card payments then they must be compliant with the PCI DSS. Remember, their
compliance status directly impacts your compliance status.
32
Secure Data Storage
It is potentially much easier for a hacker to break into a business network than it is for a burglar to break into a
business premises. Any stored payment Card data must be encrypted, as set out by the PCI DSS. Storing
unencrypted Card data electronically is strictly prohibited. If you have to store data to process Card Transactions
then you must do so securely. This could relate to any stored data, be it paper copies, digital or electronic files, audio
or voice recordings.

If you can demonstrate that storing your customer‟s Card data is necessary for your Business, then you must have
process in place to do so securely. The only data that you are allowed to store includes:
 The long Card Number and Expiry date
 Passwords, pass phrases and any other unique Card data supplied as part of the Card payment
 The name, address, description of the purchase, amount and any other detail that may identify the customer
and their purchases

You may not, under any circumstances store certain types of data, this includes:
 The CVV2, also called the Card Security Code (CSC) which is printed on the back of the Card, in or next to
the signature panel
 The CVV number – contained in the magnetic strip
 The CVV number contained in the chip
 The contents of the magnetic strip - also called Track 2 Data
 The customers PIN which is contained in the magnetic strip (PIN Verification Value PVV)

Demonstrating Compliance with PCI DSS

You must show that you are compliant – by reporting annually. To make reporting your compliance as easy as
possible for you, we have provided you with the First Data PCI DSS Compliance Program. You will receive your
personal access details by letter and instructions for logging in.

STEP 1 STEP 2 STEP 3

 Log into the online portal.  We will help you to  You will be asked to
understand how to protect confirm and validate all of
 We will ask you a few
your Business. your responses and any
questions. tasks that you may have to
 This will help you
 These questions are understand and identify
undertake.
focused around how your areas of your Business that  PCI DSS refer to this as
Business is set up to might be at risk. your Attestation of
handle credit and Debit Compliance (AoC)
Card payments.  You will be taken through
the security assessment
 Using dynamic profiling, we
that matches your Business
will only ask questions that type including any scanning
are relevant to your if needed.
Business to figure out your
security risk level.

33
 Make sure that you answer the questions accurately as this determines the method of
validation you must undertake. Whether you need to self-evaluate using our online portal
or if you need to submit a Report on Compliance (ROC) which requires a Qualified Security
Assessor, First Data Compliance Program will direct you through both methods. Once you
have finished your reporting, remember as PCI DSS compliance is an on-going process in
order to maintain compliance maintenance task reminders may be sent to you throughout
the year. You must make sure that you validate your compliance on an annual basis; we
will send you reminders in advance of your renewal date.

13. Keeping Your Point of Sale (POS) Device Safe

Chip and PIN has significantly reduced fraud; however POS devices will continue to be targeted by criminals wanting
to commit fraud. You must take care to ensure that no one, other than an authorised engineer, has the opportunity to
tamper with your POS device.

Criminals use stolen Card and PIN details to produce fake magnetic swipe Cards for use abroad, where Chip and
PIN is not used or to use in cash machines. A criminal may pose as an engineer to gain entry to your POS device,
they may try to replace certain components of your device with bogus parts fitted with data capture devices or insert
a pinhole camera to photograph Card and PIN detail. They may even try to replace the whole device with one that is
already equipped with data capture equipment.

Please note a legitimate engineer will never visit your premises without contacting you
first. This may be via the Terminal vendor or an employee from First Data. Never disclose
your Merchant number or your Terminal details to anyone else.

Recommendations:
 Do not allow anyone other than a legitimate engineer or a direct employee of First Data to remove your
Terminal from your premises
 In the event you suffer a communication failure in your premises, the Terminal will store up to five
transactions until it is next able to go online. Although this poses minimal risk, a criminal may try to steal
your POS device to extract any data stored. A PIN stand secured to your counter top is a good deterrent
against theft, although these must allow access in accordance with the Disability Discrimination ACT 1995
 A criminal may try to force or bribe a staff member to allow them access to the POS device in order to f it a
data capture device
 Your staff should be trained regularly on POS security and must report any incident they feel is a threat to
the device
 You should carry out some simple checks on a daily basis to ensure that your POS device has not been
tampered with
 Check that your device isn‟t damaged
 Check no additional stickers are on the device that were not attached at the time of installation
 Ensure your POS device has not been modified and there are no additional components that were not there
previously

If you detect anything suspicious with your POS device do not use it and report it immediately to our
†
Merchant Support Centre on 0345 606 5055 .

34
Positioning your POS Device
You must consider Cardholder privacy when positioning your POS device.
 The POS should be placed in a position where the Cardholder cannot be overlooked whilst entering their
PIN details
 The POS must not be positioned directly in view of CCTV cameras
 If a PIN shield is provided with your POS it should be used

14. Qualifying/Non Qualifying Transactions

As shown in your Merchant Agreement Charges Schedule your transactions may incur a Non Qualifying charge.
Depending on type of Card used and how you take the payment your transactions will be categorised as either
Qualifying or Non Qualifying.

Card Present:
Qualifying Transactions are:
 Chip and PIN, contactless and swiped transactions submitted for processing within two (2) Business Days
Non Qualifying Transactions are:
 Payment with a Visa Business Debit Card
 A Card Not Present (CNP) transaction

Card Not Present MOTO:

Qualifying Transactions are:
 MOTO transactions that capture the Card Security Code (CSC) submitted for processing within two (2)
Business Days of the transaction
Non Qualifying Transactions are:
 Transaction which does not capture the Card‟s CSC number
 Payment with an EU or International Mastercard or Maestro Card, Mastercard Reward, World Elite or World
Cards, Debit Mastercard
 Payment with a Visa Business Debit Card or International Visa Card

Card Not Present Ecommerce:

Qualifying Transactions are:
 3D secure enabled Ecommerce transactions submitted for processing within two (2) Business Days of the
transaction
Non Qualifying transactions are:
 MOTO, Face to Face (Card Present) or Recurring Transactions
 Payment with a Visa Consumer Charge Cards,
 Payment with Mastercard World Signia and World Cards

35
15. Voicing Your Concerns
First Data are authorised and regulated by the Financial Conduct Authority (FCA). If you have reason to complain we
will take a balanced and fair view of the situation and take whatever action is necessary to resolve your complaint.
The Financial Services and Markets Act 2000 lay down a standard procedure which we follow to handle all
complaints and you can contact our Client Service Team as follows:

Complaints Team:
First Data Complaints, Janus House, Endeavour Drive, Basildon, Essex SS14 3WF or
†
Telephone: 0345 606 5055 , Mon-Sat, 8am-9pm or contact us at [email protected]

We take all complaints seriously and whilst many can be dealt with straight away some take more time to investigate.
The FCA gives us eight (8) weeks to resolve all complaints but if you are not happy with the outcome please contact
us explaining what you think we can do to put it right. If you remain dissatisfied after we have tried to put things right
you can ask The Financial Ombudsman to look at your case for free and they can be contacted at:
 Address: The Financial Ombudsman Service Exchange Tower, London E14 9SR
 Telephone: 0800 023 4567 / 0300 123 9123
 Email: [email protected]
 Website: www.financial-ombudsman.org.uk

36
16. Useful Contact Information
Authorisation Service
Tel: 0344 257 9400 or 01268 823 130 (Open 24-hours 7 days a week)

Merchant Support Centre

†
For any queries about your First Data service please call 0345 606 5055 (Open 8am-9pm Monday-Saturday).
Alternatively write to us at: First Data, Janus House, Endeavour Drive, Basildon, Essex SS14 3WF

PCI DSS Compliance Program

†
For queries regarding your PCI DSS compliance status please call the PCI DSS Helpdesk on 0330 808 1606 (Open
9am-5pm Monday-Friday)

First Data Global Leasing

†
For queries regarding your Terminal Lease please call First Data Global Leasing on 0345 841 2442 (Open 9am-
5pm Monday-Friday) or email [email protected]

Terminal Manufacturers
Clover™ Support Tel: 0345 605 0615 (Open 7 Days a week 8am – 9pm) or email [email protected]
†
Spire, Verifone, Ingenico and First Data Terminal Helpdesk Tel: 0345 606 5055 (Open 8am-12pm Monday-Saturday
and 9am-5pm on Sunday and Bank Holiday)

Business Track/ClientLine
For queries regarding please call the Helpdesk on 01268 567128 (Open 8am-9pm Monday-Saturday)

Dynamic Currency Conversion

†
For queries regarding DCC please call the Merchant Support Centre on 0345 606 5055 (Open 8am-9pm Monday-
Saturday)

American Express
For queries regarding American Express please call the American Express Helpdesk on 01273 675533 (Open 8am-
6pm Monday-Friday and 9am-5pm on Saturday)

Stationery
Stocks of stationery e.g. Sales, Refund and Merchant Summary Vouchers and deposit envelopes can be ordered
†
by calling the Merchant Support Centre on 0345 606 5055

Point of Sale and Display Material

†
Point of Sale material is available by telephoning the Merchant Support Centre on 0345 606 5055

37
17. Changes to Your Business
It is vital that you keep us updated with any material changes to your Business including (but not limited to):
 Bank details (e.g. Account Number, Sort Code, Branch address)
 Contact Names; Phone Numbers (Landline and Mobiles); Email Addresses; and Website Addresses
 Legal entity of the Business and/or Trading Name
 Business Closure (including outlets) or Change of Ownership (e.g. changes to the Directors or Directors Names;
changes to voting control or shareholding)
 Products or Services your Business provides and/or take Card payments for
 Methods you take Card payments by
 New and/or additional outlets
 Any Insolvency event affecting your Business; arrangement with creditors; or if you experience any financial
difficulties

Please notify us immediately of any changes by writing to First Data, Janus House, Endeavour Drive, Basildon, Essex
SS14 3WF.

This Operating Guide forms part of your Merchant Agreement so please read it carefully and keep it in a safe place
for future reference.

Merchant Support Centre:

†
0345 606 5055
Lines open 8am-9pm, Monday-Saturday
†
Telephone calls may be recorded for security purposes and monitored under quality control process.

38