Privacy Policy Best Practices for ECommerce Merchants

ECommerce merchants should carefully develop their privacy policies. It is not only a Visa and MasterCard requirement that a privacy policy statement should be made available to website visitors and potential customers but it is also a great way to ensure consumers that their privacy is a top priority for the merchant and that it is adequately protected. Following is a short list of best practices that you should adhere to when designing your own privacy policy:

• Develop a clear, concise statement of your privacy policy. This practice, as well as the following one, may be subject to legal requirements. In order to adequately address consumer concerns about providing personal information, your privacy policy should answer the following questions:
  • What customer information is collected.
  • With whom the information is shared.
  • How customers can opt out.
• Make your privacy statement available to visitors to your website through links on your website. Your customers should be able to easily locate your privacy statement. Consider placing the link into your website's header or footer which, in most cases, will make it accessible from every page of your website.
• Sign up with a privacy organization and post a "seal of approval" on your website. Providing a "seal of approval" from a major privacy program is a great way to assure consumers that you are serious about protecting their personal information and are taking the necessary measures to do so. To obtain such a seal, you can register with a program such as TRUSTe or the Better Business Bureau's BBBOnLine Privacy.

Chargeback Basics

A chargeback is a payment card transaction that a card issuer returns to a merchant processing bank - and most often, to the merchant - as a financial liability. In essence, it reverses a sales transaction, as follows:

• The card issuer subtracts the transaction dollar amount from the cardholder's account. The cardholder receives a credit and is no longer financially responsible for the dollar amount of the transaction.
• The card issuer debits the merchant processing bank for the dollar amount of the transaction.
• The merchant processing bank will, most often, deduct the transaction dollar amount from the merchant's account. The merchant loses the dollar amount of the transaction.

As you can see, for merchants chargebacks can be costly. You lose both the dollar amount of the transaction being charged back and the product or service that was sold. There are also internal costs, associated with the processing of the chargeback. The following posts will discuss, in details, the reasons chargebacks occur, the available chargeback remedies, strategies for avoiding chargebacks and best practices for chargeback monitoring. The various types of chargebacks will also be scrutinized.

Chargeback Reasons

Chargebacks occur for a variety of reasons but there are several that stand out as the most common ones. These reasons include:

• Customer disputes.
• Fraud.
• Processing errors.
• Authorization issues.
• Non-fulfillment of transaction copy requests (only if fraud or illegible).

Chargebacks probably cannot be completely eliminated, yet merchants can take steps to prevent them or reduce them in number. Many of the chargebacks are a result of mistakes on the part of the merchants and can be easily avoided. Merchants who understand and implement proper transaction-processing procedures are much less likely to inadvertently cause a chargeback. Other chargebacks, however, are beyond the control of the merchant. Such chargebacks can be caused by errors made by merchant banks, card issuers, and cardholders. Merchant Responsibility The main interaction in a chargeback process is between the card issuer and the merchant processing bank. The card issuer sends the chargeback to the merchant bank, which may or may not be able to resolve the issue on its own, without involving the merchant. Merchants have a direct responsibility for taking action to remedy and prevent chargebacks. Your financial and administrative liability for chargebacks is spelled out in your merchant services agreement with your processor.

The Chargeback Cycle

The chargeback cycle is a series of interactions between several participants. Following are the stages of the chargeback process.

1. The chargeback process begins with the cardholder disputing a transaction or contacting his or her card issuer with disputed information.
2. The card issuer electronically returns the transaction (charges it back) to the merchant bank (also called acquiring bank or simply Acquirer) through the respective credit card company (e.g. Discover or American Express) or association (Visa or MasterCard).
3. The credit card company or association reviews the eligibility of the transaction to be charged back and, if appropriate, forwards it to the merchant bank.
4. The merchant bank receives the chargeback and either resolves the issue or, if unable to do so, forwards it to the merchant.
5. The merchant receives the chargeback. If the merchant has a proof that the transaction is valid (e.g. a sales receipt), the proof is submitted (represented) to the merchant bank. If the merchant is unable to produce a proof, the chargeback may have to be accepted.
6. The merchant bank receives the represented transaction and sends it on to the credit card company or association.
7. The credit card company or association receives the represented transaction and, if appropriate, forwards it to the card issuer.
8. The card issuer receives the represented transaction and, if appropriate, re-posts it to the cardholder's account. If the chargeback issue is not adequately addressed, the card issuer may submit a dispute with the credit card company or association.
9. The chargeback process ends with the cardholder receiving information resolving his or her dispute and may be re-billed for the item or receive a credit.

Processing of Transaction Receipts

Merchants should establish a process for handling sales receipts to ensure their proper processing, in order to minimize customer disputes and chargebacks. The following best practices should be included in this process:

• Merchants should make sure that transactions are entered into their point-of-sale or virtual terminals only once and are deposited only once. Duplicate transactions are very likely to result in chargebacks if merchants:
  • Enter the same transaction more than once.
  • Deposit both the merchant copy and bank copy of a sales receipt with their merchant processing bank.
  • Deposit the same transaction with more than one merchant processing bank.
• Merchants should make sure that whenever incorrect or duplicate sales receipts are detected, they are promptly voided and that transactions are processed only once.
• Merchants should deposit sales receipts with their merchant processing bank as quickly as possible, preferably within one to five days of the transaction date. Merchants should not hold on to them.
• Merchants should deposit credit receipts with their merchant processing bank as quickly as possible, preferably the same day the credit transaction is generated.
• For card-not-present transactions, merchants should not deposit sales receipts with their merchant processing bank until the merchandise has been shipped. If customers see a transaction on their monthly credit card statement before they receive the merchandise, they may contact their card issuers to dispute the charge. Similarly, if delivery is delayed on a card-present transaction, merchants should not deposit the sales receipt until the merchandise has been shipped.
• If a customer requests cancellation of a transaction that is billed periodically (monthly, quarterly, or annually), the merchant should cancel the transaction immediately or as specified by the customer. Following the cancellation, the merchant should inform the customer in writing that the service, subscription, or membership has been canceled and state the effective date of the cancellation.

Visa Chargeback Monitoring Programs

Visa monitors the chargeback activity of all merchants accepting their cards on a monthly basis and alerts acquirers when any one of their merchants reaches excessive chargeback levels. Typically, chargeback rates of 1% or greater are considered excessive. Once notified of a merchant with excessive chargeback rates, merchant banks (acquirers) are expected to take appropriate steps to reduce the merchant's chargebacks. Remedial actions depend on various factors, including merchant type, sales volume, geographic location, and other risk factors. Often merchants need to provide their sales staff with additional training on card acceptance procedures. Merchants may also be required to work with their merchant services providers to develop a detailed chargeback-reduction plan. Visa may impose financial penalties on acquirers that fail to reduce excessive merchant-chargeback rates. Visa has two chargeback monitoring programs:

• Merchant Chargeback Monitoring Program. The Merchant Chargeback Monitoring Program (MCMP) monitors chargeback rates for all acquirers and merchants on a monthly basis. If a merchant reaches excessive chargeback rates, Visa notifies its merchant bank in writing. MCMP applies to all merchants with more than 100 total transactions per month - sales, credits, etc. - more than 100 chargebacks, and an overall chargeback-to-transaction rate of one percent or greater. First notification of excessive chargebacks for a specific merchant is considered a warning. Visa imposes fines only if remedial actions are not taken within an appropriate period of time to return chargeback rates to acceptable levels.
• High-Risk Chargeback Monitoring Program. The High Risk Chargeback Monitoring Program (HRCMP) is specifically designed to reduce excessive chargebacks by high-risk merchants. High-risk merchants include direct marketers, travel services, outbound telemarketers, inbound teleservices, and betting establishments. HRCMP applies to all high-risk merchants with more than 100 total transactions per month - sales, credits, etc. - more than 100 chargebacks, and an overall chargeback-to-transaction rate of one percent or greater. Unlike the MCMP, under HRCMP, there is no warning period and fines of $100 per chargeback are imposed immediately if a merchant has an excessive chargeback rate.

Visa also monitors international sales and chargeback rates through its Global Merchant Chargeback Monitoring Program.

Visa Chargeback Monitoring Programs

Visa Chargeback Monitoring Programs

Visa monitors the chargeback activity of all merchants accepting their cards on a monthly basis and alerts acquirers when any one of their merchants reaches excessive chargeback levels. Typically, chargeback rates of 1% or greater are considered excessive. Once notified of a merchant with excessive chargeback rates, merchant banks (acquirers) are expected to take appropriate steps to reduce the merchant's chargebacks. Remedial actions depend on various factors, including merchant type, sales volume, geographic location, and other risk factors. Often merchants need to provide their sales staff with additional training on card acceptance procedures. Merchants may also be required to work with their merchant services providers to develop a detailed chargeback-reduction plan. Visa may impose financial penalties on acquirers that fail to reduce excessive merchant-chargeback rates. Visa has two chargeback monitoring programs:

• Merchant Chargeback Monitoring Program. The Merchant Chargeback Monitoring Program (MCMP) monitors chargeback rates for all acquirers and merchants on a monthly basis. If a merchant reaches excessive chargeback rates, Visa notifies its merchant bank in writing. MCMP applies to all merchants with more than 100 total transactions per month - sales, credits, etc. - more than 100 chargebacks, and an overall chargeback-to-transaction rate of one percent or greater. First notification of excessive chargebacks for a specific merchant is considered a warning. Visa imposes fines only if remedial actions are not taken within an appropriate period of time to return chargeback rates to acceptable levels.
• High-Risk Chargeback Monitoring Program. The High Risk Chargeback Monitoring Program (HRCMP) is specifically designed to reduce excessive chargebacks by high-risk merchants. High-risk merchants include direct marketers, travel services, outbound telemarketers, inbound teleservices, and betting establishments. HRCMP applies to all high-risk merchants with more than 100 total transactions per month - sales, credits, etc. - more than 100 chargebacks, and an overall chargeback-to-transaction rate of one percent or greater. Unlike the MCMP, under HRCMP, there is no warning period and fines of $100 per chargeback are imposed immediately if a merchant has an excessive chargeback rate.

Visa also monitors international sales and chargeback rates through its Global Merchant Chargeback Monitoring Program.

Chargeback Reason Code 60: Request Copy Illegible or Invalid

Chargebacks are identified with a Reason Code 60 when the card issuer requests a copy of the sales receipt and is provided an illegible copy by the merchant or its merchant services provider, an incomplete substitute receipt, or something other than the requested item. Most commonly a Reason Code 60 chargeback results when a merchant submits a substitute sales receipt that does not contain all of the required information, the sales receipt is not legible, or is other than the requested item because:

• The terminal's printer ribbon is worn and the ink is too light.
• The terminal's paper roll is nearing the end, and the colored streak indicating this obscures transaction information.
• The copy is on colored paper.
• The carbonless paper of the original sales receipt is mishandled, causing black blotches and making copies illegible.
• The original sales receipt is copied at a reduced size, resulting in blurred and illegible copies.
• The document submitted is not the requested copy of the sales receipt.

The remedial actions that merchants can take in the event of a Reason Code 60 chargeback can be the following:

• The back office staff should resubmit, if possible, a legible or complete copy of the sales receipt to their merchant bank. If a legible copy cannot be produced or the original receipt is missing, the chargeback should be accepted. If the retrieval request is fraud-related, the merchant has no representment rights and should accept the chargeback.
• The point-of-sale staff has a very important role to play as well. Printer ribbons should be changed routinely. Faded, barely visible ink on sales receipts is the top cause of illegible receipt copies. Printer paper should be changed when colored streak first appears. The colored streak down the center or the edges of printer paper indicates the end of the paper roll. It also diminishes the legibility of transaction information. Keep the white copy of the sales receipt and give customers the colored copy. Colored paper does not copy as clearly as white paper and often results in illegible copies. Carbonless paper and carbon- or silver-back paper should be handled carefully. Silverback paper appears black when copied. Any pressure on carbonless and carbonback paper during handling and storage causes black blotches, making copies illegible. Merchants should always keep the top copy.
• The owners and managers of your organization also have a role to play. Your company logo or marketing messages should be placed on sales receipts in a way that does not interfere with the transaction information. If your company name, logo, or marketing message is printed across the face of sales receipts, the transaction information on a copy may be illegible.

Chargeback Reason Code 75: Cardholder does not Recognize Transaction

Chargeback Reason Code 75 is issued when the card issuer receives a complaint from a cardholder stating that the transaction appearing on the monthly statement is not recognized. This code applies to both card-present and card-not-present transactions. The most common cause for a Reason Code 75 chargeback is that either the merchant store name or location reflected on the cardholder's monthly statement is not correct or recognizable to the cardholder. Merchants can take actions to remedy Reason Code 75 chargebacks on both back-office-staff- and ownership levels.

• Back-Office Staff. To prove that the cardholder has participated in the transaction at issue. your organization's back office staff should provide to the merchant processing bank any documentation or information that would assist the cardholder in recognizing the transaction. For example:
  • Sales receipt.
  • Shipping invoice or delivery receipts.
  • Description of merchandise or service purchased.
  If no supporting evidence is available or if you cannot produce a legible copy, you should accept the chargeback.
• Owner. The merchant name is the single most important factor in cardholder recognition of transactions. It is the owner's responsibility to make sure that the merchant name that the customers see on their credit card statements (also called a billing descriptor) is the one they associate with the merchant they shopped at. The owner should work with their merchant processing bank and set up the billing descriptor the right way. The merchant name, city, and state should be properly identified in the billing descriptor.

Chargeback Reason Code 57: Fraudulent Multiple Transactions

Chargeback Reason Code 57 is issued when the card issuer receives a written claim from the cardholder, acknowledging participation in at least one transaction at the merchant outlet but disputing participation in the remaining transaction. The cardholder also states the card was in his or her possession at the time of the disputed transactions. This chargeback does not apply to recurring payments or to mail order, telephone order, or eCommerce transactions. Most often a Reason Code 57 chargeback occurs when the merchant fails to void multiple transactions or attempts to process a fraudulent transaction. Merchant Actions.

• Back-Office Staff Actions. If the appropriate credit has been processed to the cardholder's account on one or all of the disputed transactions, the merchant should send to their merchant bank evidence of the credits. If the cardholder did participate in more than one valid transaction, the merchant should provide appropriate documentation, such as sales receipts, invoices, etc. If appropriate credit has not yet been processed on the disputed transaction, the merchant should accept the chargeback. The merchant should not process a credit since the chargeback has already performed this function.
• Owner Actions. Owners and managers should immediately investigate such chargebacks. This type of chargeback may indicate potential fraud occurring at the point of sale. It also may simply be the result of a mistake by point-of-sale staff.

Chargeback Reason Code 62: Counterfeit Transaction

Chargeback Reason Code 62 occurs when the card issuer receives a written complaint from the cardholder claiming that he or she was in possession of the card on the date of transaction and that he or she did not authorize or participate in the transaction. The most common causes for Reason Code 62 chargebacks are that the merchants fail to compare the first four-digits of the embossed account number on the card with the pre-printed digits below the embossed number for a card-present transaction or that they receive authorization without transmission of the entire magnetic stripe. Merchant Actions.

• Back-Office Staff Actions. If the card was swiped and transaction authorized at the point of sale, you should provide your merchant bank with a copy of the printed sales receipt. If the transaction was fraudulent, you should accept the chargeback.
• Point-of-Sale Staff Actions. Point-of-sale personnel should check all card security features before completing the transaction. In particular, the first four digits of the embossed account number on the card should match the printed four-digit number below the embossed number. If the numbers do not match, you should make a Code 10 call. You should also look for other signs of counterfeit, such as embossed numbers that are blurry or uneven, or ghost images beneath the embossed numbers, indicating that they have been tampered with. If you key-enter a transaction because the magnetic stripe cannot be read, you should make an imprint of the front of the card either on the printed sales receipt or a manual sales receipt form, which should be signed by the customer.

Chargeback Reason Code 81: Fraudulent Transaction

Chargeback Reason Code 81 is issued when the card issuer receives a sales receipt that is missing required information, indicating a potentially fraudulent transaction. A Reason Code 81 may be issued when the card issuer receives a sales receipt that has no imprint of the card’s embossed or magnetic-stripe information or is missing the cardholder’s signature, and either: cardholder certifies that he or she neither authorized nor participated in the transaction or the card issuer certifies that no valid card with that account number existed on the transaction date. This type of chargeback is not valid for recurring payments and card-not-present transactions. It is valid for card-present sales on self-serve POS terminals, such as cardholder-activated gas pumps. Typically chargeback Reason Code 81 is issued when the merchant:

• Has not swiped the card through a POS terminal.
• Has not made a manual imprint of the card account information on the sales receipt for a key-entered transaction.
• Has completed a card-present transaction without obtaining the cardholder’s signature on the sales receipt.
• Has completed a card-not-present transaction but has not identified the transaction as a MO/TO or eCommerce purchase.

Merchant Actions.

• Back-Office Staff.
  • Card Imprint from Magnetic Stripe Was Obtained. If account information was captured from the card’s magnetic stripe, request that your merchant bank send a copy of the authorization record to the card issuer as proof that the card’s magnetic stripe was read. You should also provide a copy of the sales receipt proving the cardholder’s signature was obtained.
  • Card Imprint Was Manually Obtained. If the account number was manually imprinted on the sales receipt, you should send a copy of the sales receipt to your merchant bank as documentation. The copy of the sales receipt must also contain the cardholder’s signature in order to remedy the chargeback.
  • Card Imprint Was Not Obtained. If the account number was not obtained from either the magnetic stripe or manually, there is no remedy and you should accept the chargeback.
  • Signature Was Obtained. If the cardholder’s signature was obtained on the sales receipt or a related document (for example, an invoice with cardholder’s name, address, and the date of the transaction) send a copy of the document to your merchant bank. You should also send evidence that the cardholder’s card was present, specifically either a manually imprinted sales receipt or authorization record proving the magnetic stripe was read. You must be able to prove the sales receipt and other documentation are from the same transaction.
  • Signature Was Not Obtained. If the cardholder’s signature was not obtained for a card-present transaction, there is no remedy and you should accept the chargeback.
• Point-of-Sale Staff Actions.
  • Swipe Cards or Use a Manual Imprinter. Merchants should obtain a record of the card’s account and expiration date information on the sales receipt by either swiping the card through a terminal or using a manual imprinter. If you use a manual imprinter, make sure the imprint can be positively matched with other transaction information to prove the card was present. For example, if you take an imprint on a separate receipt for a key-entered transaction, you should write the transaction date, amount, and authorization code on this document before completing the sale.
  • Obtain Cardholder Signature. Merchants should obtain the cardholder’s signature on the sales receipt for all card-present transactions. Always compare the customer’s signature on the sales receipt to the signature on the back of the card. If the names are not spelled the same or the signatures look different, call your merchant processing bank's voice authorization center and ask for a "Code 10" authorization.
• Owner Actions.
  • Remind Staff to Obtain an Electronic or Manual Imprint. Owners should train sales staff to swipe the card through a terminal or to use a manual imprinter to imprint the embossed information from the front of the card onto a sales receipt that will be signed by the customer.
  • Manual Imprinter or Portable Electronic Terminal. If your business delivers merchandise or performs services at customers' homes, your field employees should be equipped with manual imprinters or portable electronic terminals that can read the card’s magnetic stripe.
  • Cardholder Signature. Owners should train sales staff to obtain the cardholder's signature on the sales receipt for all card-present transactions; to compare the signature on the receipt to the signature on the back of the card; and to accept only signed cards.
  • Investigate High Volume of Chargebacks. If your business is receiving a high volume of Code 81 chargebacks, you should investigate. It could be a sign of internal fraud. You may need to examine sales receipts related to the chargebacks to check which POS terminals and sales staff were involved in these transactions.
  • Train Staff, Clean Magnetic-Stripe Readers. A high volume of Code 81 chargebacks may also indicate a need for additional staff training in proper card acceptance procedures or better maintenance and cleaning of the magnetic-stripe readers in your terminals.

CVV2 Processing in Card-not-Present Transactions

Card Verification Value 2 (CVV2) is a three-digit number located on the back of every Visa credit and debit card, to the right of the signature panel. It is used by MO/TO and eCommerce merchants to verify that the customer is in a physical possession of the card at the time of the payment. When processing CVV2 requests in card-not-present transactions, merchants should follow these best practices:

• The CVV2 verification process begins with the merchant asking the customer to provide the last three digits in or next to the signature panel on the back of the Visa card.
• If the customer provides the requested numeric code, it should be included with the account number and the expiration date when the transaction is submitted for authorization. Whether the CVV2 is included in the authorization request or not, one of the following CVV2 presence indicators should be included in the authorization request:

  Indicator	Meaning
  0	CVV2 is not included in authorization request.
  1	CVV2 is included in authorization request.
  2	Cardholder has stated that CVV2 is illegible.
  9	Cardholder has stated that CVV2 is not on the card.

• The merchants will receive a CVV2 result code from the card issuer, along with the transaction authorization. You should evaluate the code and take it into account when deciding on how to proceed with the transaction. You will receive one of the following result codes.

  CVV2 Result Code	Recommended Action
  M - Match	Complete the transaction, taking into account all other transaction characteristics and verification data.
  N - No match	This is a sign of potential fraud which should be taken into account along with the authorization response and any other verification data. You may also want to resubmit the CVV2 with a zero-dollar authorization request to rule out the possibility of a key-entry error.
  P - CVV2 Request not processed	Resubmit the authorization request.
  S - Cardholder reports that CVV2 is not on the card	Follow up with the customer to verify that the correct card location has been checked for CVV2.
  U - Issuer does not support CVV2	Evaluate all available information and decide whether to proceed with the transaction or to investigate further.

Be advised that for security reasons CVV2 can never be stored as a part of order information or customer data. Merchants who do store CVV2 may be assessed substantial fines.

Cardholder Information Security Program

Visa has established the Cardholder Information Security Program (CISP) to define standards for protecting sensitive information. CISP compliance is mandatory for all merchants that accept Visa credit cards and for merchant services companies that provide payment processing services. There are twelve basic CISP requirements that merchants and service providers have to meet. By demanding compliance with all of these requirements, Visa ensures that if one of them fails, there are other walls left to protect the sensitive information from unauthorized use. CISP requires that merchants:

1. Install and maintain a functioning firewall to protect personal data.
2. Regularly install security updates.
3. Protect stored data.
4. Encrypt cardholder and other sensitive information when transmitted across public networks.
5. Install and regularly update anti-virus software or programs.
6. Restrict internal access to cardholder account data on a "need-to-know" basis.
7. Assign a unique user ID to each person with computer access to sensitive data.
8. Do not use vendor-supplied default settings for system passwords and other security parameters.
9. Track access to data by unique user ID.
10. Regularly test security systems and processes.
11. Establish and maintain information security requirements for employees and contractors.
12. Restrict physical access to cardholder information.

The above CISP requirements apply to any merchant or payment processing service provider that stores, processes, or transmits Visa cardholder information. All eligible merchants and card processing service providers, regardless of size (or in the case of service providers, whether they support issuing or merchant activity) must comply with the twelve basic CISP requirements.

Card Processing Security Breach Responses

Merchants have a responsibility and an obligation to protect the privacy of the credit card information that customers provide during transactions. They must comply with a set of payment card information protection standards that the Credit Card Associations have enacted. Still, security breaches do occur and, when that happens, merchants must have policies in place to guide their responses. If merchants or merchant services providers experience a suspected or confirmed security breach, they should:

• Immediately contain and limit the exposure. To protect any further loss of data, merchants should conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise. Implement the following measures:
  • Do not access or alter compromised computer systems. Do not log on to the computer or change passwords.
  • Do not turn off the compromised computer. Instead, isolate compromised systems from the network by unplugging their cables.
  • Preserve logs and electronic evidence.
  • Log all actions taken.
  • If using a wireless network, change the network code on the access point and on computers that may be using this connection (with the exception of any systems believed to be compromised).
  • Be on high alert and monitor all data security and fraud prevention systems.
• Alert all necessary parties. You should immediately contact:
  • Your internal information security group, if applicable.
  • Your legal department.
  • Your merchant services provider.
  • The local FBI office.

In the event of a security breach, the Credit Card Associations or your merchant processing bank will contact the merchant or merchant services provider to discuss the compromise and review the actions required to prevent future loss or theft of transaction information.

Initiating Transaction Copy Requests

When cardholders do not recognize a charge on their credit card account statements, they typically contact their card issuers and request a copy of the transaction at issue to help determine whether or not the charge is valid. When a card issuer receives such a request, their representative will first try to answer the cardholder's questions and attempt to establish the facts surrounding the transaction. If this cannot be done, the card issuer will electronically send a "request for copy" (also knows as a "retrieval request") to the merchant processing bank (also known as merchant bank, acquiring bank or Acquirer) that provides merchant services to the establishment that has generated the transaction. If the transaction receipts that the merchant generates are stored at their merchant processing bank, the bank will fulfill the retrieval request and the merchant will never find out about it. If, however, the merchant stores its own transaction receipts, the merchant processing bank will forward the retrieval request to the merchant. The merchant then must produce a legible copy of the transaction receipt and submit it to the merchant processing bank within a certain time frame. The merchant processing bank will then send the transaction copy on to the card issuer. The process of producing and submitting a copy of a transaction receipt is also known as representment. The following posts will describe this process in details.

Recurring Payments

What are Recurring Payments? Recurring payment plans exist when a cardholder authorizes a merchant to charge his or her credit or debit card on a regular basis (e.g., monthly, quarterly or annually). Payment amounts can be fixed or they can vary and the plan exists until it is canceled by the cardholder. A good example of a recurring payment plan would be an auto insurance policy that has been set up so that the insured's credit card is charged monthly and the service will be provided indefinitely, or until it is canceled by the consumer. All merchant processing accounts support this feature. Benefits for Merchants:

• Providing additional payment processing options. Customers like having payment options at the checkout.
• Increasing enrollment in online payment processing. It is a great time-saving tool.
• Reducing customer service calls. By automatizing the process merchants ensure less payment-related issues.
• Improving cash flow. Recurring payment card processing plans ensure that less mistakes will be made and less payments will be returned.
• Reducing delinquencies. Setting up the payment schedule beforehand ensures less delinquencies.
• Improving collections. Since the payments are processed automatically, they are easier to collect.
• Increasing customer retention. Consumers, too, enjoy the convenience of recurring payment plans.

Benefits for Cardholders:

• Convenience of setting up the payments once. It's fast, easy and simple. You don't have to go over it again.
• Time savings. Once the plan is set up, you are done. Payments are made automatically thereafter.
• Stress relief. You don't have to keep on checking when the bill is due and worry about being late on a payment.
• Cost savings. No more post stamps to stick on payment envelopes.
• Earning points on rewards program. Some merchants qualify for various credit card reward programs.

Depending on the type of merchant account that you have, recurring payment plans may be set up differently. Ask your credit card processing provider for assistance if you are not sure how it is done.

Merchant Requirements for Securing Cardholder Information

To protect your merchants, cardholders, and the integrity of the payment system, each of the credit card processing companies has in place a set of requirements governing the safekeeping of account information. Following is a brief overview of the most critical aspects of those requirements.

Storage of Cardholder Information	Do not store the following under any circumstance: Full contents of any track from the magnetic stripe on the back of the card. Card-validation code-the three-digit value printed on the signature panel of a MasterCard®, Visa®, Discover®Card, JCB®, or Diners Club® card, and four-digit code printed on the front of an American Express® card. Store only that portion of the customer's account information that is essential to your business-i.e. name, account number or expiration date. Store all material containing this information (e.g., authorization logs, transaction reports, transaction receipts, car rental agreements, and carbons) in a secure area limited to authorized personnel.
Destruction of Cardholder Information	Destroy or purge all media containing obsolete transaction data with cardholder information.
Use of Agents or Third Parties (Vendors, Processors, Software Providers, Payment Gateways, or Other Service Providers)	Advise each merchant account provider or credit card processing contact (representing each of your card brands) of any agents that engage in, or propose to engage in, the processing or storage of transaction data on your behalf-regardless of the manner or duration of such activities. Make sure these payment processing agents adhere to all rules and regulations governing cardholder information security. Any violation by your card processing agent may result in unnecessary financial exposure and inconvenience to your business.
Reporting a Security Incident	In the event that transaction data is accessed or retrieved by any unauthorized entity, notify the merchant services provider or merchant processing contact for each card brand immediately. This report will not only minimize risk to the payment system, but protect your customers in the most responsible manner. Systems and procedures are in place to immediately stop the unauthorized use of compromised data, but are effective only when you (and every small business merchants accounts provider) do your part to promptly report a security incident.

Interchange Fees

In the payment card industry interchange is the fee that an acquiring bank pays to a card issuing bank when a card (issued by the card issuing bank) is used to pay for a product or a service, provided by a merchant who has a merchant account with the acquiring bank. The issuing bank pays the acquiring bank the transaction amount minus the interchange fee. The acquirer then pays the merchant the transaction amount minus both the interchange fee and its own payment processing cost. Interchange rates are published annually by both Credit Card Networks - Visa's and MasterCard's and are available for everyone to see. They represent the largest chunk of the total transaction processing costs that merchants pay for accepting payment cards. Various estimates put their share at anywhere between 70% - 90%. Interchange rates are typically comprised of a percentage of the transaction amount (for example 1.94%) plus a fixed fee (for example $0.10). Various factors come into play when interchange fees are established. Generally, payments taken in a card-not-present environment are processed at a higher interchange than payments taken in a card-present environment. That is the reason why eCommerce merchant account and MOTO merchant account users pay higher processing fees than, say, retail merchant account users. Since interchange rates are set by Visa and MasterCard, merchants have no leverage over them. It is, however, important to know what they are, so that, when negotiating with prospective merchant account providers, you will know exactly what you are being offered. There are several merchant processing pricing structures and this article will not go over all of them but probably the best model is the pass-through one. It works by simply adding your merchant services provider's processing cost to interchange, ensuring that every single transaction is processed at the same rate. You will only have to make sure that these processing costs are not inflated and a simple referral to the interchange chart will help you do just that.

Merchant Account

Definition. A merchant account is a payment card processing service that a merchant bank provides to a merchant. It represents a form of line of credit that the merchant bank extends to the merchant and it allows the merchant to accept the card brands, specified in the processing agreement. How it Works. When a merchant accepts a cardholder's payment information, it is transmitted to the merchant bank. The merchant bank then pays the merchant the transaction amount, minus the interchange fees and the processing costs, and submits a payment request to the bank that issued the card used to make the purchase. The issuing bank then pays the merchant bank the transaction amount, minus the interchange fees, and posts the transaction on the cardholder's monthly statement. The cardholder then pays the issuing bank to close the cycle. Types of Merchant Accounts. There are a number of different merchant account types but the most widely used are:

• Card-Present Merchant Accounts. This type of merchant account service includes all payment processing solutions that use payment terminals to read the account information from the magnetic stripe of a card that is swiped through. Because the merchant is in actual possession of the card (hence, card-present) as the payment is being made, these merchant accounts are considered less likely to generate fraudulent transactions and enjoy lower processing rates.
• Card-not-Present Merchant Accounts. Included in this group are all card payment processing services where the card account information is manually entered into the merchant bank's system, using a web browser or a telephone keypad. The card itself is absent (hence, card-not-present). Because the merchant is never in possession of the card and the information is given to him or her, card-not-present transactions are considered more likely to generate fraudulent activity or processing errors and are processed at higher rates. There are two distinct sub-groups here:
  • ECommerce Merchant Accounts. These merchant accounts are used by web-based merchants and enable consumers to enter their payment card information into a payment form on the merchant's website. Once submitted, the payment details are automatically transmitted, via a payment gateway, to the merchant bank.
  • Mail Order and Telephone Order Merchant Accounts. Also known as MO/TO merchant accounts, these payment acceptance solutions enable merchants to enter the payment information, provided to them by their customers into a form on the merchant bank's payment system's website or, using a telephone keypad, to call it into the merchant bank's system.

Payment Gateway

Definition. A payment gateway is a web-based service that transmits payment information from an eCommerce website to a merchant processing bank. It is the eCommerce equivalent of the physical terminal used by merchants in card-present payment acceptance environments. The collected information is encrypted to ensure that personal data is transmitted in a secure fashion. How it works. A payment processing gateway connects the eCommerce website's shopping cart with the merchant processing bank's system. The stages of the process are as follows:

• A customer places an order on an eCommerce website and submits his or her payment information.
• The payment information is encrypted using a secure socket layer (SSL) service and sent to the merchant's server.
• The eCommerce gateway then collects the payment information and, after another SSL encryption, transmits it to the merchant account provider's server.
• The merchant processing bank then sends the payment details to the appropriate Credit Card Network (Visa or MasterCard).
• If the cardholder used a Discover or an American Express card, the payment processing provider serves as an acquiring bank and decides whether or not to authorize the transaction; then forwards the response to the merchant.
• The Credit Card Network forwards the transaction to the card issuing bank.
• The Issuer either authorizes or declines the transaction and sends a response code (through the exact same channel) back to the merchant bank. The response codes for declined transactions provide details for the reason the transaction did not get approved.
• The merchant processing bank then sends the response code (through the eCommerce payment gateway) to the merchant's website and it is presented to the cardholder.
• The whole process, from submitting the payment to receiving the response, takes seconds.
• The merchant then provides the service or ships the product and settles the transaction. It is very important that transactions do not get deposited prior to the product being shipped. If the cardholder notices the charge on his or her card statement or transaction activity (now available online in almost real time), prior to receiving the merchandise, the transaction may be disputed, initiating a chargeback.
• At the end of the business day, all authorized transactions (also called a "batch") are submitted to the merchant processing bank for settlement.
• The merchant bank then deposits the total transaction amount, minus interchange fees and processing costs, into the merchant's bank account.
• The entire process takes approximately 2-3 business days.

Card payment processors typically provide eCommerce gateways as part of the merchant account. They charge a monthly fee for the service ($10 - $25) and may charge a fee for the set up as well. Every major online payment gateway supports the latest fraud prevention solutions, including the Address Verification (AVS) and Card Verification (CVC2, CVV2, CID) services.

Merchant Account Providers

Merchant account providers enable businesses to accept credit and debit cards for payment. Whether an organization accepts cards in a card-present or in a card-not-present environment, they need a merchant account to do that. In order for a company to become a provider of merchant account services, it first has to be authorized by the Credit Card Associations of Visa and MasterCard. The process involves a check of the credit worthiness of both the business and its principals, a review of the applicant's business and marketing plans and the payment of the registration fees which are $5,000 for each Association. Although banks, that are members of Visa and MasterCard, can and do provide merchant processing services, more typically they outsource this responsibility to third parties. By doing so, they become sponsors of these third parties in their applications with Visa and MasterCard. Merchant account processors are known as Independent Sales Organizations ISO) when they are registered with Visa and as Member Service Providers (MSP) when they are registered with MasterCard. Businesses apply for both registrations at the same time, through their sponsor bank. Upon approval of the application, the sponsor bank becomes an acquiring bank for the ISO/MSP. This means that it acquires the sales receipts that the merchants, using its payment processing services, generate and it is then responsible for paying the merchant the transaction amounts, minus its processing costs and the interchange fees. In the mean time the merchant processing bank submits a payment request, through Visa or MasterCard, to the bank that issued the card used in the particular transaction. ISOs and MSPs are obligated to display the name(s) of their acquiring bank(s) on every page of their website and other promotional materials. Usually this sign is placed in the footer of the website. Once registered, ISOs and MSPs can sign up sales agents to source merchants for them. The sales agents, however, cannot advertise themselves as providers of merchant account processing services. They are only authorized to represent the ISO/MSP and must identify themselves as agents to these companies.

Merchant Account Qualifications

There are certain requirements that applicants for US-based merchant accounts have to comply with. It is the responsibility of merchant account providers to ensure that all applicants:

• Are legally registered within the US. Applicants for merchant services have to be either incorporated as businesses within the state that they reside in or they have to be registered with the local municipality and obtain a "Doing Business As" (DBA) name. Individuals are not allowed to establish merchant account processing services. Foreign establishments are also excluded from obtaining US-based payment processing accounts.
• Have a physical address and a registered agent within the USA. Applicants for US merchant services need to provide available a contact person within the US and a physical office for the merchant processing bank to inspect.
• Have a bank account with a US bank. The bank account into which the merchant will have his or her funds deposited must be opened with a US bank.

Only if the applicant complies with the above requirements, the merchant account processor will proceed with the application.

Merchant Account Application Requirements

Provided your organization is qualified to apply for a US-based merchant processing account and has received an acceptable payment processing proposal, you can commence the application process. There are a number of requirements that need to be met and, to understand why the process is so stringent, you need to understand exactly what is it that you are applying for. A merchant account is a form of line of credit that a merchant processing bank is extending to the applicant. When you accept a transaction, your merchant account bank will "acquire" it, usually at the end of the day, and will automatically deposit the payment amount, after subtracting the interchange fee and its own processing cost, into your checking account. At the same time it will submit a request for payment to your customer's card issuing bank. Your merchant bank will pay you before it gets paid. That is the reason why they have set in place an application process, designed to establish the credit worthiness of both the applicant organization and its principals. Following is a list of requirements that you will have to meet:

• Merchant Account Application. You will provide in this form details about both your business and yourself, including address (business and personal), social security number, tax ID (if applicable), phone numbers, email address, web address, bank account info, etc.
• Personal Guarantee (for-profit businesses only). All new businesses and a great many established ones are required to provide a personal guarantee before establishing payment processing services.
• Articles of Incorporation. Unless your establishment is a sole proprietorship, you will have to provide a proof that it has been legally incorporated.
• Business License. If your business activity is regulated and requires a license, either a federal or a state one, you will need to provide it.
• Business Financial Statements. Unless your organization has been formed recently, you will have to provide its financial statements (typically it is required that you produce financial statements for the two years preceding the application date).
• Personal Financial Statements. Typically requested in place of business financial statements, personal financials might be requested in addition to them. Personal tax returns for the latest two years are typically sufficient.
• Processing Statements. If you are currently processing credit cards and are looking for a new service, you will be asked to produce your three latest processing statements.
• Voided Check. You will need to provide a voided copy of a check for the bank account that you want your money to be deposited into. The check has to have your "Doing Business As" (DBA) name printed on it. If you have not yet received your checks, you will need to provide a signed bank letter stating your account details.

As you see, there are quite a few requirements for applicants to accept credit and debit cards and it is by no means certain that you will be approved. Still, if you provide the needed paperwork and have a decent credit history, chances are that you will get your merchant account service.

Wireless Merchant Account

What they are. Wireless merchant accounts enable merchants to accept credit and debit card payments on portable terminals whenever their customers happen to be. Depending on the type of wireless credit card processing solution, the terminals may be using short- or long-range networks to transmit the payment processing information.

Types of Wireless Payment Processing Services. There are two groups of wireless solutions:

• Long-Range Wireless Service. Long-range wireless solutions use cell phone-type of network connectivity for transmitting payment information. It works everywhere network service is available. It is perfect for businesses that regularly accept payments at their customers' locations.
• Short-Range Wireless Service. Short-range merchant processing solutions use the same connectivity services that cordless phones use. The credit card processing device can be operational within several hundred feet of the location of its base unit which is connected to a phone line. The short-range wireless card processing solution is perfect for merchants with limited portability requirements, e.g. merchants who need payment processing services at different locations on their premises.

Advantages of Wireless Processing. There are several main advantages to using portable credit card processing solutions.

• Additional Processing Options. A mobile credit card processing service allows you to immediately accept payments at trade shows, conventions, or at your customers' premises.
• Increased Security. With a wireless terminal the customer remains in possession of the card at all times.
• Reduced Processing Costs. Because wireless transactions are processed in a card-present environment, they generally receive the best possible rates.

Disadvantages of Wireless Processing. There are a couple of disadvantages of using portable processing solutions that you need to be aware of.

• Equipment Cost. The price of wireless terminals is significantly higher than that of regular point-of-sale terminals and can be the deciding factor in your decision, especially if your processing volumes are low.
• Network Coverage. Generally described as the biggest draw-back, network connectivity is constantly being improved. You will need to check its reliability in the area you will be operating in with your prospective merchant services provider before setting up a wireless merchant account.

Processing Cards in a Face-To-Face Environment

Credit card processing in a face-to-face setting provides merchants with a certain amount of leverage over weeding out fraudulent transactions before it is too late. Having a visual contact with your customer and the ability to physically examine the payment card, as the transaction is being processed, gives you a powerful tool to evaluate the genuineness of both the card and the cardholder. In order to exploit your advantage to the highest degree, you will need to follow a set of payment processing procedures at the checkout. Your point-of-sale personnel must be fully trained to execute your card processing strategy. The process of accepting payment cards includes:

• Swiping the Card. This procedure is straightforward enough and it does not require much explanation. Make sure you place the card correctly so that the magnetic stripe is in the right position to be read by your terminal.
• Checking the Card's Security Features. This is probably the most important stage in the process. Make sure the card has not been altered in any way, pay close attention to the account number and the Card Verification Code, as well as the hologram. If any one of these features looks altered, this, in itself, might be a sufficient reason to make a "Code 10" call (see below).
• Authorizing the Transaction. Make sure your authorization request is approved and have your customer sign the sales receipt.
• Comparing Sales Receipt to Payment Card. Make sure the account information, printed on the sales receipt, matches the card's details. Compare your customer's signature, provided on the receipt, to the one on the back of the card. If everything looks legitimate, return the card to its cardholder and provide him or her with a copy of the sales receipt.
• Making a "Code 10" Call. If you have gathered enough information to lead you to suspect a fraudulent activity, call your merchant services provider's authorization center and state that you are making a "Code 10" call. This is the code word for reporting a possible fraud. You will be routed to the card issuer's call center, where you will be asked to answer, with a "yes" or "no", a series of questions to determine the legitimacy of the transaction. Upon reaching a conclusion, you will be given instructions on how to proceed. If asked to recover the card, you should only do so if it is safe. If not, complete the transaction and alert your management after your customer leaves the store.

Following the above procedures will ensure lower levels of fraud and less chargebacks which, in turn, will improve your bottom line.

Processing Cards in a Face-To-Face Environment

Processing Cards in a Face-To-Face Environment

Credit card processing in a face-to-face setting provides merchants with a certain amount of leverage over weeding out fraudulent transactions before it is too late. Having a visual contact with your customer and the ability to physically examine the payment card, as the transaction is being processed, gives you a powerful tool to evaluate the genuineness of both the card and the cardholder. In order to exploit your advantage to the highest degree, you will need to follow a set of payment processing procedures at the checkout. Your point-of-sale personnel must be fully trained to execute your card processing strategy. The process of accepting payment cards includes:

• Swiping the Card. This procedure is straightforward enough and it does not require much explanation. Make sure you place the card correctly so that the magnetic stripe is in the right position to be read by your terminal.
• Checking the Card's Security Features. This is probably the most important stage in the process. Make sure the card has not been altered in any way, pay close attention to the account number and the Card Verification Code, as well as the hologram. If any one of these features looks altered, this, in itself, might be a sufficient reason to make a "Code 10" call (see below).
• Authorizing the Transaction. Make sure your authorization request is approved and have your customer sign the sales receipt.
• Comparing Sales Receipt to Payment Card. Make sure the account information, printed on the sales receipt, matches the card's details. Compare your customer's signature, provided on the receipt, to the one on the back of the card. If everything looks legitimate, return the card to its cardholder and provide him or her with a copy of the sales receipt.
• Making a "Code 10" Call. If you have gathered enough information to lead you to suspect a fraudulent activity, call your merchant services provider's authorization center and state that you are making a "Code 10" call. This is the code word for reporting a possible fraud. You will be routed to the card issuer's call center, where you will be asked to answer, with a "yes" or "no", a series of questions to determine the legitimacy of the transaction. Upon reaching a conclusion, you will be given instructions on how to proceed. If asked to recover the card, you should only do so if it is safe. If not, complete the transaction and alert your management after your customer leaves the store.

Following the above procedures will ensure lower levels of fraud and less chargebacks which, in turn, will improve your bottom line.

Processing Cards in a Card-Not-Present Environment

Overview. Credit card processing for eCommerce and direct marketing merchants is conducted in a very different manner, compared to card processing in a face-to-face environment. For obvious reasons, in a card-not-present setting, the card's magnetic stripe cannot be read and the account information has to be collected using other means. MOTO merchant account solutions provide direct marketers with a virtual terminal which allows them to log into their merchant processing bank's system and enter payment information, as they have received it from their customers. ECommerce merchant account solutions, on the other hand, provide customers with the option to enter their payment details on the merchant's website. The payment processing information is then transmitted, through a payment gateway, to the merchant account processor. In both cases the information is provided to the merchants by their customers and, unlike in a card-present environment, they lack the capability to physically examine the card to verify its authenticity. There are, however, several fraud prevention tools that, if implemented diligently, will significantly reduce the possibility of fraud. Transaction Authorization. Transactions, conducted in a card-not-present setting, have a zero floor limit. What this means is that they all require authorization. Always obtain authorization before providing the service or shipping the product. Expiration Date. Always ask for the "Good Through" date of the payment card that your customer is using. ECommerce processing merchants should set up their websites' payment forms to have a mandatory field for the card's expiration date. Direct marketers should have the same field available in their printed payment forms and should insist that customers provide it. Card Verification Codes. Card verification codes are the three-digit numbers that are found in the signature panels on the back of Visa, MasterCard and Discover cards and the four-digit numbers that are found slightly above and to the right of the account numbers of American Express cards. You should always ask the customer to provide this code as an additional way to prove that he or she is in a physical possession of the card. Address Service Verification. Address Service Verification (AVS) is an automated service that allows merchants to verify the cardholder's billing address. A part of the authorization process, the AVS provides merchants with another indicator on whether or not a transaction is genuine. The way it works is by sending the address information, collected by the merchant, to the card issuer. The card issuer then compares the submitted data to the one they have on file for their cardholder and respond accordingly.

Card Security Codes

Card security codes were implemented and are used by all Credit Card Companies and Associations as an additional anti-fraud tool. Card security codes are the three-digit numbers found in the signature panels on the back of Visa, MasterCard and Discover cards and the four-digit numbers found slightly above and to the right of the account numbers of American Express cards. You should implement their use in your daily card payment processing procedures and should always ask your customer to provide this code as an additional way to prove that he or she is in a physical possession of the card. The following procedures should be followed in all card-not-present transactions:

• Ask your customer for the last three digits on the back of a Visa, MasterCard or a Discover card or for the four-digit number above the account number on the front of an American Express card.
• Submit the information obtained from your customer, along with other data, with your authorization request. Use one of the codes in the table below.

Indication	Meaning
0	Card Security Code is not Included in the authorization request
1	Card Security Code is Included in the authorization request
2	Cardholder has Stated that the Card Security Code is Illegible
9	Cardholder has Stated that the Card Security Code is not on the Card

• Evaluate the result code for your Card Security Code verification request and use it in determining your action. The table below lists the possible result codes.

Result Code	Recommended Action
M - Match	Go ahead and complete the transaction, unless other fraud indicators are raising a red flag.
N - No Match	A strong signal for fraud, this result code should be taken into consideration along with data from your other fraud-prevention services.
P - Request not Processed	Resubmit your request.
S - Cardholder States Security Code is Not on Card	Make sure the cardholder is looking at the right location, often customers just don't know what is it they are looking for.
U - Issuer does not Support Security Code	In such cases you should rely on your other fraud prevention mechanisms.

The Credit Card Companies and Associations strictly prohibit the storage of Card Security Codes and may impose substantial fines on offenders. You are allowed to store card account name and number, as well as cards' expiration dates. Contact your merchant services provider for additional information on Card Security Codes and how to implement their use in your daily card processing procedures. They will help you weed out fraudulent transactions, reduce chargeback levels and improve your bottom line.

Merchant Account

Definition. A merchant account is a payment card processing service that a merchant bank provides to a merchant. It represents a form of line of credit that the merchant bank extends to the merchant and it allows the merchant to accept the card brands, specified in the processing agreement. How it Works. When a merchant accepts a cardholder's payment information, it is transmitted to the merchant bank. The merchant bank then pays the merchant the transaction amount, minus the interchange fees and the processing costs, and submits a payment request to the bank that issued the card used to make the purchase. The issuing bank then pays the merchant bank the transaction amount, minus the interchange fees, and posts the transaction on the cardholder's monthly statement. The cardholder then pays the issuing bank to close the cycle. Types of Merchant Accounts. There are a number of different merchant account types but the most widely used are:

• Card-Present Merchant Accounts. This type of merchant account services includes all payment proccesing solutions that use payment terminals to read the account information from the magnetic stripe of a card that is swiped through. Because the merchant is in actual possession of the card (hence, card-present) as the payment is being made, these merchant accounts are considered less likely to generate fraudulent transactions and enjoy lower processing rates.
• Card-not-Present Merchant Accounts. Included in this group are all card payment processing services where the card account information is manually entered into the merchant bank's system, using a web browser or a telephone keypad. The card itself is absent (hence, card-not-present). Because the merchant is never in possession of the card and the information is given to him or her, card-not-present transactions are considered more likely to generate fraudulent activity or processing errors and are processed at higher rates. There are two distinct sub-groups here:
  • ECommerce Merchant Accounts. These merchant accounts are used by web-based merchants and enable consumers to enter their payment card information into a payment form on the merchant's website. Once submitted, the payment details are automatically transmitted, via a payment gateway, to the merchant bank.
  • Mail Order and Telephone Order Merchant Accounts. Also known as MO/TO merchant account, these payment acceptance solutions enable merchants to enter the payment information, provided to them by their customers into a form on the merchant bank's payment system's website or, using a telephone keypad, to call it into the merchant bank's system.