MERCHANTS Payments Acceptance Guide

With Wellet you turn your smartphone into a POS

Version control

Introduction

Purpose

Congratulations! Accepting contactless payments as a valid form of payment offers a valued service to a merchant's customers.
We live in a rapidly evolving digital world, a world in which consumers are always connected. Increased connectivity is changing consumer expectations. They want a faster, more secure and seamless payment experience. You can meet these changing expectations by accepting contactless payments directly with your Android smartphone.
Paynetics' Card Acceptance Guide is a comprehensive manual for all businesses that would like to accept contactless payments.

The purpose of this guide is to:
  • Provide merchants and their staff the latest information on processing all types of transactions.
  • Define requirements and best practices for doing business.
  • Provide detailed information on the types of fraud and guidelines to follow to remedy or prevent them.
This Guide is part of the Paynetics Merchant Agreement. Merchants must follow the procedures in this Guide to comply with their Merchant Agreement.

Paynetics wants all of its merchants to be comfortable with the card acceptance program, take advantage of all its features and ensure merchants have the information, card payment options and flexibility needed to grow their businesses. The information in this Guide has been provided to supplement the Merchant Agreement and will assist in the operation of the card acceptance program.
Paynetics' Role

Paynetics' most important role is serving as its merchants' advocate. Paynetics is committed to providing service, value and a comprehensive selection of payment solutions, for fast and reliable processing and settlement.

Paynetics is a full-service Mastercard and VISA provider of merchant processing services for:
  • Credit cards
  • Debit cards
  • Prepaid cards
  • Commercial cards
  • Gift cards
  • Purchasing cards
Your Role

As a Paynetics merchant, it is important to:
  • Read, understand and abide by the General Terms and conditions and this Payments Acceptance Guide.
  • Take all necessary steps to prevent fraud.
  • Follow best practices in accepting contactless payment methods.
  • Advise Paynetics of any changes related to your business, such as changes in status, changes in business structure, address or contact information, or cancellations.
  • Keep up to date on all industry news and policy changes.
It is your responsibility to comply with all applicable laws and association rules and regulations. Please note that, while several guidelines in this Payment Acceptance Guide reference or suggest obtaining certain information from a cardholder in the transaction process, merchants should consider and are responsible for compliance with any applicable country laws regarding obtaining personal information from a cardholder in connection with a card transaction.
What is a Contactless Payment?

In this complex and rapidly changing digital commerce environment, it is important we all have a common understanding of the role contactless payments play in the digital landscape.

Merchants can benefit from the growth of digital commerce by preparing to accept digital payments at the point-of-sale with contactless payment.
Contactless payment acceptance is proven to bring many benefits for merchants, including faster checkout, increased transaction volumes, higher spend, and reduced cash handling costs. It also enables a new generation of mobile payments. Contactless acceptance is particularly applicable to high-throughput, low-value retail environments where cash is currently the predominant payment method. For such merchants, adding contactless capability through terminal upgrades or through simple plug-in devices will make sense at any stage of your POS lifecycle.

Contactless is a payment method that gives your customers the convenience of making payments without swiping or dipping a payment card.

Instead, the customer simply taps their contactless-enabled payment device onto your smartphone and the chip and antenna in the payment device securely transmit payment details wirelessly to a contactless reader.

For lower value payments, the customer will normally receive payment confirmation immediately and can be on their way. The transaction details are subsequently cleared automatically, and you don't have to do anything additionally. A contactless payment is very similar to a contact chip payment in terms of its functionality and security. Both types of payment are generated by M/Chip and protected by EMV security.

Contactless cards are standard payment cards. But embedded inside them is a computer chip that stores and processes the payment account data and a connected antenna that typically runs around the perimeter of the card. Similar chip and Near Field Communication (NFC) technology powers contactless payments made by mobile phones and other form factors.

Contactless capability is denoted by the universal Contactless Indicator which is present on all contactless cards and form factors or should be displayed on the screen of contactless mobile devices.
How safe are these transactions?

The card schemes Mastercard and Visa have put in place a number of measures which mean that contactless payments are highly secure:
  • Every contactless transaction is protected by a unique code which proves that the payment device is genuine and means the transaction cannot be fraudulently replayed.
  • Below the CVM Limit all transactions are authorized online.
  • Above the CVM Limit the customer will be prompted to use PIN or CDCVM.
  • The POS Entry Mode field in all contactless transactions is set as "contactless" to verify that transactions properly originate at a contactless terminal.
  • With mobile devices, a variety of additional security measures are possible, and issuers may also choose to use "tokens" instead of "real" card account numbers (PANs) in a process called "tokenization."
  • The customer keeps possession of the payment device throughout a contactless payment transaction.
  • Transactions are conducted only if the merchant has initiated the transaction and usually when the device is about 2 cm from the reader.

Processing Transactions

General Operating Guidelines

When processing Transactions, it is important to keep the following general guidelines in mind:
  • Do Not Set Restrictions on Card Transactions: Visa and Mastercard prohibit setting a maximum purchase amount.
  • Do Not Discriminate: Unless Laws expressly require otherwise, you must honor all valid Cards/payment devices within your acceptance categories when properly presented for payment, without discrimination, and maintain a policy that does not discriminate among Cardholders seeking to make purchases with a particular brand of Card.
  • Do Not sell, transfer or disclose cardholder account information or personal information.
  • Do Not Restrict acceptance of contactless payments (for a sale or discounted item).
  • Keep Passwords Secure: Keep all passwords that allow you to access Paynetics's platform or services secure. Remember, you are responsible for the actions of anyone who uses your password. If you believe your password has been compromised or shared with an unauthorized user, please contact Paynetics immediately.
  • Protect Cardholder Privacy: You may only require a Cardholder's personal information if it is necessary to complete a Transaction (such as a delivery address or telephone number). You may not refuse to complete an otherwise valid Card Transaction just because a Cardholder refuses to provide additional identification or information.
  • You must not use any Paynetics systems, including custom fields or any other unprotected fields within Paynetics's systems, to collect, transmit, or store any sensitive or confidential data (such as, Primary Account Numbers (PAN), Card expiration dates, track data, Card Identification Numbers, Card Validation Codes, Social Security numbers, Personal Identification Numbers, individually identifiable health information, or other private data) of customers or cardholders.
  • Security Program Compliance: You, and any third-party vendors that you use, must comply with all applicable requirements of the Payment Card Industry (PCI) Data Security Standard.
  • Data Compromise: Notify Paynetics immediately (within twenty-four (24) hours), if you know or suspect that Cardholder information has been accessed or used without authorization, even if this compromise involves a third-party vendor. You must take immediate steps to preserve all business records, logs and electronic evidence and contact local law enforcement authorities. You must work with us to rectify any issues that result, including providing Paynetics (and obtaining any waivers necessary to provide Paynetics with) all relevant information to verify your ability to prevent future data incidents in a manner consistent with the Agreement.
  • Display of Card Marks. Unless otherwise informed by Paynetics, you must prominently display the most current versions of the Payment Network's and EFT Network's names, symbols, or service marks, as appropriate, at or near the Point-of-sale area.
  • Prohibited Transactions. You must not:
    - submit any Transaction that
      ▪ arises from the dishonor of a Cardholder's personal check,
      ▪ arises from the acceptance of a Card at an Android smartphone that is compromised,
      ▪ is illegal, or
      ▪ is otherwise prohibited in the Operating Guide or in the Payment Network Regulations;
    - accept Cards at Android smartphones that are compromised;
    - process cash disbursement transactions.
Prohibited Transactions

You must be aware of prohibited transactions and the penalties that can be imposed if you complete them. A prohibited transaction is one that does not comply with the operating regulations of the Visa and MasterCard associations and/or policies and procedures as defined in the Terms and Conditions. If deposited, contactless payments involving prohibited transactions will be subject to chargeback and may lead to termination of your agreement with us, perhaps immediately!
Parties Involved
Customer/Cardholder (your client)

A customer applies to an institution that issues Visa® or Mastercard® payment cards to become a cardholder. The customer may be an individual or a business. The cardholder becomes an authorized user when the institution approves and issues a card.
Issuers

The companies that issue Visa and Mastercard cards are called issuers. Issuers can be banks, financial institutions, credit institutions, etc.

The card may be:
  • a credit card, which means the issuer has authorized a line of credit from which the customer may draw;
  • a debit/prepaid card, which is tied to the amount of money actually on deposit for the customer; or
  • a commercial card, which is used for business charges.
In most cases, the processing of these types of cards is similar.
Merchants (you)

You open a merchant account with us and once the account is established and you have been approved for a merchant account, you will be an authorized acceptor of contactless payments for the payment of goods and/or services.
Acquirer (we)

As your acquirer, we are the financial institution that processes credit or debit card payments on your behalf. The acquirer allows merchants to accept credit card payments within an association (VISA and Mastercard). We enter into a contract with you and provide you with a merchant account. Under the agreement, we exchange funds with the issuer on your behalf and pay out to you the net balance of the daily payment-card activity, that is, gross sales minus reversals, refunds, merchant fees, chargebacks and other fees.
How the Transaction Process Works

Any contactless payment transaction ultimately begins and ends with the cardholder. The illustration below shows the steps involved in an electronic payment transaction and how the various organizations interact to create a smoothly executed process.

The cardholder presents the card/payment device as payment for goods or services at Wellet.
Please note that all payments are processed online, and the Android device that runs the Wellet mobile apps should be connected to the internet every time a payment is processed.

Wellet DOES NOT process payments offline.
Payment Below CVM limit

Once Wellet captures the data from the card, it passes an electronic imprint of the card number, expiration date and counterfeit detection value online to Paynetics for authorization.

Paynetics then electronically routes the electronic data from the card to the card issuer and encrypts sensitive data in flight. The card issuer checks the cardholder account status and compares the requested authorization amount to the cardholder's available spending limit, reviews the transaction with fraud protection tools or memo posts and sends it back to Paynetics.

At this point, Paynetics routes the card issuer's authorization response to you. You will have different options to present the transaction receipt to the cardholder – via email, SMS, QR code or print it if you have connected Wellet to a Bluetooth printer.
Payment Above CVM limit Or Payment Which Requires Cardholder Verification

If you have installed the Wellet PIN mobile app, you can also accept contactless payments which require PIN entry. Once Wellet and the PIN mobile app capture the data from the card, they pass an online electronic imprint of the card number, expiration date, counterfeit detection value and, separately, a PIN block to Paynetics for authorization. PIN transactions are processed using a security-compliant PIN mobile app that uses the latest encryption standards and are always processed online. Paynetics then routes the data from the card and the PIN data to the card issuer with all sensitive data encrypted "in flight."
Cardholder Verification

Traditional payments normally require some Cardholder Verification Method (CVM) such as PIN or signature. For low-value contactless payments below the "Contactless CVM Limit," no CVM is required: the customer can simply tap & go. Note that the Contactless CVM limit varies from country to country. Cardholder verification is required for contactless card transactions above the CVM limit (e.g., by online PIN using the merchant PIN pad or signature). You are only liable for contactless transactions above the CVM limit that have no cardholder verification.
A new form of CVM called Consumer Device Cardholder Verification (CDCVM) is available with mobile contactless devices. In this case, the customer enters a PIN (or biometric) on the mobile device.

Two versions are supported:
• Early CDCVM. The customer provides the cardholder verification before the tap (typically while waiting in the line or queue).
• Two-Tap. The customer taps their device onto the reader to start the transaction, moves their phone away for CDCVM when prompted, and taps again to complete the transaction.

CDCVM can also be supported through biometric technology, if the mobile device is fitted with a fingerprint reader for example. Other verification methods may be supported in the future like pattern and vein recognition. For contactless transactions below the CVM Limit, a receipt is not required unless the customer requests it. For transactions above the limit, a receipt must always be provided.
CVM Limits Values Per Country
Settlement

The process of moving the final transaction information from your business to the cardholder's financial institution is called settlement. Once the transaction information is submitted, you have the right to receive the net amount for the processed payments.

To help you avoid service disruptions, chargeback losses and additional fees, and to help you maintain your cash flow, Paynetics automatically sends all your approved authorizations for settlement.

Thus, you don't have to worry about expired transaction authorizations, which put your funds at risk and subject you to non-compliance fines.
Chargebacks

Chargebacks are previous transactions that are disputed by the cardholder or the cardholder's issuing institution. A chargeback occurs when a cardholder disputes a charge or when proper card acceptance and authorization procedures were not followed. If you receive a chargeback, your merchant account is debited for the indicated amount. In addition to the chargeback, you may incur a fee if you failed to follow card acceptance and authorization procedures. Reasons for chargebacks include a cardholder dispute or an error in handling on the part of a merchant's staff. Chargebacks can be minimized by obtaining proper authorization and adhering to correct processing procedures.
Your Right to Request A Re-Presentment

If you have received notification of a chargeback, you have the right to request a re-presentment of the payment. A re-presentment is your written reply to a chargeback that provides documentation proving that the sale was valid and that proper merchant procedures were followed. Re-presentment must be completed within the number of days indicated on the chargeback notification.

Merchants' Best Practices

Train Staff

Extensive staff training is vital to the success of a contactless payment implementation. Training is one of the most critical aspects of contactless implementation. It is extremely important for your cashiers and other staff to understand the differences between contactless and traditional payment methods, and the way contactless payments are processed.

Employee training that instills confidence in the technology and encourages use by customers is critical to a successful deployment. Training must be consistent and ongoing so employees know how to use it and can explain it to customers. Employees should learn to prompt customers to use their contactless-enabled payment device to encourage activation and usage.

Be sure to cover these key points in your training:
  • Variety of Forms - Contactless payments are available to consumers in a variety of forms and factors, including cards, key fobs, mobile stickers, and mobile phones.
  • Identification - There will be contactless identification in the form of the Contactless Indicator on a contactless card or form factor, and there should be a Contactless Indicator on the screen of a mobile device, as well as a Contactless Symbol on the reader.
  • Card Verification - Contactless is ideal for low-value payments, but high-value payments are also possible in most countries. For purchases above your region's CVM limit, PIN or Consumer Device Cardholder Verification (CDCVM) is required, and a receipt must be sent.
  • Security - Some customers will be nervous about the security of contactless payments. Explain to staff why contactless is actually highly secure so that they can reassure customers.
  • Signage - The most effective merchants display POS collateral that lets customers know contactless payments are accepted. Consider also including information about contactless acceptance in your marketing and advertising materials. This will help to build awareness of contactless payments, encourage use, and strengthen customer satisfaction.
Sample Employee Training Curriculum

1. Describe contactless payments—what they are, how they work, form factors
  • Contactless devices can be anything that can hold a chip and antenna: credit card, key fob, wristband, mobile phone.
  • Works the same way as a regular payment card. The only differences are that the customer retains the card or device during payment of the transaction and taps the card or device onto the reader.
  • Can be used in stores around the world at any merchant category.
2. How to recognize a contactless card or other contactless device
  • If the customer's card or form factor is enabled with contactless there will be the Contactless Indicator shown here.
  • In the case of a mobile phone the Contactless Indicator should appear.
  • If the customer's mobile phone is enabled with contactless there should be a Contactless Indicator on the screen.
  • Since the contactless reader is placed on the back of your smartphone, you should tap with the back of your smartphone on the customer's contactless device.
3. How transactions work - walk through an end-to-end transaction:
  • Enter the transaction amount.
  • Confirm the payment.
  • Your phone will show the ready-to-read screen and beep as the card is read.
  • The display will say that the transaction is being processed.
  • The next screen will show the authorization result: approved or declined.

Good to know!

- There is no PIN required for transactions below the CVM limit.
- If contactless transactions above the CVM limit are allowed, the customer will be prompted to enter a PIN on your smartphone or use CDCVM (PIN or biometric such as fingerprint entered on the mobile phone) if using a mobile phone.
- Customers paying with a mobile phone may use "Early CDCVM" or "Two Tap" sequences and may be required to activate their device or confirm the transaction.
- Occasionally, customers may be forced to carry out a contact transaction, or if using a mobile device, may be forced to use online PIN as an additional CVM. This is for their security.
- Below the CVM limit, no receipt is required unless the customer requests it.
- Above the limit, a receipt is required.

4. Set up a mock workstation
  • Having an actual workstation at the training session is extremely helpful in demonstrating how transactions work with contactless.
  • Demonstrate how accepting contactless is similar to accepting any other card, with the key differences being:
- Not taking the card from the customer. The employee should tap the smartphone against the payment device.
- No PIN or CDCVM required for transactions at or below the CVM limit.
- All contactless payment devices (Visa or Mastercard) will work on the reader device.

5. Role-playing
With the mock smartphone set up, allow employees to enter transactions to see how the contactless transaction works using small values for the transactions.
Payment security

To help keep your customers' data as safe and secure as possible, it's important that you keep to the Payment Card Industry Data Security Standard (PCI DSS). It's a set of guidelines to make sure payment information is stored securely by your company and anyone else who stores, transmits or processes the cardholder's payment information on your behalf. Remember that cardholder data should not be stored unless absolutely necessary to meet the needs of your business.
Sticking to this standard also forms part of your agreement with us. If you don't, you can be charged non-compliance fees, penalties and charges from card schemes, not to mention the impact it will have on your customers and your business's reputation.

There are 12 requirements within the PCI DSS which you must meet if you are to become compliant. These are best summarized by the six key goals of the Standard below:
  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy
Take a look at the full details of the requirements and what they mean on the Payment Card Industry Security Standards Council (PCI SSC) page at: www.pcisecuritystandards.org
Meeting these requirements will mean you're compliant with the PCI DSS and are running a more secure business for the peace of mind of you and your customers.
Requirements for processing of contactless payments

  • You are responsible for maintaining the security of your Android devices which operate with card data and with Wellet, and for instituting appropriate controls to prevent employees or others from collecting card data.
  • Install and maintain a secure firewall configuration to protect data.
  • Protect personal data and encrypt transmission of data sent across open/public networks, using methods indicated in the Payment Card Industry Data Security Standard (PCI DSS) which is available at: www.pcisecuritystandards.org
  • You will take all reasonable steps to ensure that all Android devices which use Wellet and are used in your business locations run only licensed versions of the Android operating system, have not been rooted and have no malicious software installed.
  • You will use only mobile applications licensed by Paynetics to initiate every contactless payment.
  • You will ensure that each Cardholder enters his or her PIN using the PIN mobile application licensed by Paynetics. You may not require a Cardholder to sign a Transaction Receipt or other receipt or require any other means of identification when initiating a PIN-authorized Card Transaction.
  • Use and regularly update anti-virus software and keep security patches up-to-date.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security for employees and contractors.
  • Use only those services and devices that have been certified as PCI-DSS compliant by the payment organizations.
  • Call us if your device is lost or stolen.
  • Don't use vendor-supplied defaults for system passwords and other security parameters.
  • A Cardholder's Card information and PIN are confidential. You may not request or require a Cardholder to disclose his or her PIN at any point during a Transaction.
  • During the Transaction process, you must provide a reasonably secure area for Cardholders to enter their PIN. You are responsible for positioning the Android device in such a way that Cardholders may enter their PIN in a confidential manner.
  • No Minimum or Maximum. You will not establish minimum or maximum contactless payment amounts.
  • Transaction Receipt Requirements. At the time of any contactless payment, you will inform each Cardholder that he or she might receive a Transaction Receipt.
  • Technical Problems. You will ask a Cardholder to use a different method of payment if the Paynetics System or the Android Device is inoperative or has connection problems.
Preventing Card Fraud

It is important to take steps to educate staff to reduce your risk of accepting a counterfeit or fraudulent Card Transaction. Remember that you are responsible for all Chargebacks, including those for fraudulent Transactions. Fraudulent Card sales involve an invalid Card account number or, more commonly, a valid Card number presented by an unauthorized user. Fraud normally occurs within hours of the loss, theft, or compromise of a Card number or Card, and before most victims report the Card missing or discover the compromise.

If you receive an Authorization Approval Code but suspect a Card has been altered or is counterfeit, contact Paynetics as soon as possible.
Identifying Suspicious Customer Actions

Be aware of customers who:
  • Make indiscriminate high value purchases without regard to size, color, style, or price.
  • Question the sales employee about credit limits or the Authorization process.
  • Attempt to distract the sales employee (e.g., continually delay selections, talk continuously).
  • Purchase a high-ticket item, such as a wide-screen HDTV monitor or other large item, and insist on taking it immediately, rather than having it delivered—even when delivery is included in the price.
  • Buy a high-ticket item and request that it be sent next day air or request for someone else to pick up the purchase at a later time.
  • Pull a Card from a pocket rather than a wallet.
  • Appear too young to make purchases with a Card.
  • Buy clothing without trying it on for size or decline alterations that are included in the price.
  • Charge expensive items on a newly valid Card.
  • Do not ask questions on major purchases.
  • Make purchases, leave the store, and return to make more purchases.
  • Make purchases just after the store opens or just before it closes.
  • Use a Card belonging to a friend or relative.
Borrowed Cards

Beware of people using letters of authorization for use of a payment card. Under no circumstances are these letters an acceptable form of verification or authorization. Friends, co-workers and spouses are not permitted to borrow each other's cards. Children cannot borrow their parents' cards. The only person who should present a card is the person whose name is on the front of the card. Most often, the rightful owner gets the statement and a chargeback inevitably occurs.
Identifying Suspicious Employee Actions

Be aware – not all Card fraud is committed by Customers. Sometimes employees engage in fraud using the following activities:
  • Recording Card Numbers: Employees may write Card numbers on another piece of paper.
  • Processing contactless payments with their own Wellet merchant accounts.
To help prevent employee-related fraud, do the following:
  • Reconcile work daily rather than monthly.
  • Monitor closely for any suspicious employee activity.
Factoring

Factoring (also known as laundering) occurs when you process another person's transactions through a Company account. Processing transactions which belong to another person or business is in violation of the Agreement. Factoring may result in the termination of your contactless payments acceptance contract.

Be wary of the "fellow businessperson" who offers to pay you to process card transactions in return for a fee. These transactions are often questionable or fraudulent. These schemes typically result in a flood of Chargebacks. By the time you realize this has occurred, the other business will most likely have relocated under a different name.

To protect you from these schemes and the devastating losses that ensue, educate yourself and your staff about this serious problem and immediately report factoring propositions to us or to the local authorities. Remember, you are responsible for all transactions processed using your MID, so make sure that all transactions processed through that account represent transactions between you and the Cardholder.

You will not present for processing or credit, directly or indirectly, any Transaction not originated as a result of a transaction directly between you and a Cardholder or any Transaction you know or should know to be fraudulent or not authorized by the Cardholder. Perpetrators of fraudulent Transactions will be referred to law enforcement officials.
What to Do with An Unauthorized Card

If you are informed that a Card has been reported lost or stolen, or is otherwise invalid, do not complete the Transaction.

If you are instructed to retain the Card, follow these procedures:
  • If payment is done via physical card, cut the Card through the account number lengthwise without damaging the Magnetic Stripe and contact Paynetics for further instructions.
  • If payment is done via any other payment means (phone, key holder, etc.), contact Paynetics.
NOTE: Do not challenge the Cardholder. Avoid any physical confrontation with anyone who may be using a lost, stolen, or otherwise invalid Card. Do not jeopardize your safety or that of your employees or Customers.

Once the person leaves your location, note in writing his or her physical characteristics and any other relevant identification information.
Changes in the Payments Acceptance Guide

Paynetics reserves the right to make changes to the Payment Acceptance Guide in scheduled changes and at any time in unscheduled changes. You agree to accept all changes (and further to abide by the changed provisions of the Payment Acceptance Guide) as a condition of your agreement to accept contactless payments.

The Payment Acceptance Guide is published in electronic format on a scheduled basis, once each year, in October. You may find the latest version of the Payment Acceptance Guide by visiting this page.

Provisions changed in unscheduled releases generally take effect ten (10) days after notice to Merchants (unless another effective date is specified in the notice).

Upon notification of an unscheduled change, you shall be responsible for obtaining and referring to the then-current version of the Payment Acceptance Guide.