E-commerce presales/sales process
Brief best practice guide
1. Introduction
1.2. What are the general (business & technical) prerequisites on Bank side for
e-commerce implementation?
The Bank should ensure that the following activities are performed before the e-commerce service is
offered to merchants:
Technical preparation:
o Get template language package in English from ISPC and return it with
local language translation of language files and bank's logo for the
Merchant Center of Service
o Decide what will be the URL of Service
o ISPC and the Bank must define details of specific Services usage (e.g. card
brand, type of possible transaction, the model of Merchant integration with
Services, the back office reports about transactions made, additional CMS
fields for the Merchants)
o Merchant migration approach TBD by the bank
Preparation of documentation for potential Merchants:
o Integration & administration manuals (with ISP Card's help)
o General introduction for potential e-commerce merchants
o Merchants Request for Card Acceptance
o Merchant contract template
o Business policy & general standards that Merchants should follow
Training of:
o Bank's technical staff who will operate on the Service by ISP Card
o Bank's fraud prevention team
o Bank's sales staff
The Bank must perform a User Acceptance Test on the Bank's pilot Merchant.
The Bank should train its sales staff on its business policy regarding e-commerce and
on the preferred sales approach.
Example of a general introduction document for introducing a merchant to the e-commerce
service:
General introduction document.docx
Merchant application form.doc
1
This activity should be performed even if a merchant with an existing acquiring relationship wants to expand
the relationship to E-commerce acquiring.
The Merchant's responsible employee can contact the Bank's responsible unit / employee by e-mail request, by visiting
the Bank's responsible employee (relationship manager) in a branch etc. Also, the Bank's Acquiring sales team
employees can contact the Merchant for acquisition.
For example: organizational unit responsible for relationship management, sales management, fraud
management, risk management, complaint management.
The Merchant application form should4 contain at least the following information:
- Merchant name and the web site name that is visible to cardholders (doing-business-as or trade name available on web site),
- Relevant merchant data: merchant registration name, business address, company
registration address, point of sale address, registration numbers, tax numbers, ID
numbers,
- Merchant's principal contact details: name, date of birth, place of birth, address,
telephone number(s), e-mail, ID number, copy of ID used for identification5,
personal identification number,
- Information about the merchant's authorized person and management board: name,
date of birth, place of birth, address, telephone number(s), e-mail, ID number,
copy of ID used for identification, personal identification number,
- Detailed description of the merchant's business6
- Type of company / business structure (for example: small business, limited
liability company, joint stock company)
- Copy of licenses and/or registration forms that are obligatory or proposed by
local regulation7
- Detailed information about business with prior acquirers - if applicable8.
- Information about previous years' turnover if the merchant has a previously
established relationship in acquiring business
- Information about the merchant's expected average turnover in E-commerce
acquiring business (monthly or annual projection)9.
If a Merchant is the Bank's new client without any previous relationship, the Bank's responsible
unit or employee must fill in or attach a copy of the Know Your Customer Questionnaire (KYC)
in the Merchant file.
The Bank should ensure that the Bank's financial institution name, contact address, and
contact phone numbers are prominently displayed on the merchant application form in a
font size that makes this information conspicuous to the reader10.
During this initial stage the Bank should also share with the merchant a document describing
its business policy regarding e-commerce (e.g. standards expected from an e-commerce
sales outlet etc.):
Business policy.doc
- Needs translation
4
For example, a draft of this form is attached in Appendix A, and the Bank can use it to create its own Merchant
application form.
5
For identification purposes, the responsible employee should always use a valid ID document with a picture.
6
For example, if the Merchant is a newly acquired entity without a previous relationship with the Bank, the Bank
(responsible unit or employee) can obtain a business plan, description of merchandise, and copies of all
relevant marketing materials, including catalogs, brochures, telemarketing scripts, and print and broadcast
advertisements.
The Bank (responsible unit or employee) should ask the merchant to attach a copy of a permit or approval if they are
proposed by local law for the specific type of business. These documents should also be inserted in the Merchant file.
For example, the Bank (responsible unit or employee) should ask the merchant for the reason for termination with
prior acquirers. If it exists, the Bank should include this information in the Merchant application form, and this
information should be an important part of risk analysis in the later Merchant approval process.
If the merchant has a previous relationship in acquiring business, the Bank should also analyse actualized
turnover (total sales amount), fraud and chargeback amounts for each existing acquiring channel (EFT POS,
MO/TO). This information is an important part of merchant approval for E-commerce service.
10
Besides the Bank's general contact information, the responsible relationship manager's or sales agent's name and
contact information can also be included.
11
15
If the merchant has no point of sale location (store), the Bank's responsible employee should visit the merchant's
headquarters at the registration address or other appropriate location if applicable. The Bank's responsible
employee should also visit the warehouse if it exists and if it is possible.
16
For example, the Bank (responsible unit or employee) can verify that a merchant's e-mail address is valid by
sending a message to that address. An alert should be triggered if the message is returned as undeliverable or
bounced. In addition, the Bank should also check the merchant's customer service for its quality of response and
timeliness by sending mail to a known e-mail address.
After the merchant inspection, the Bank (responsible unit or employee) should conduct
risk analysis based on information collected in Merchant application form and Merchant
premises inspection document17.
The risk analysis should at least include:
-
previously established relationship with other local bank24, the Bank can
create a specific approval process that will make the complete
acquisition and approval process easier25.
The Bank (responsible unit or employee) should not accept a merchant's request for E-commerce service which does not contain all of the above-mentioned documents or if the risk
analysis results are not acceptable for the Bank, Group or card schemes business policy.26 27
17
To help in the estimation of risk that should be conducted by the responsible unit or employee, the Bank can create
an approval decision matrix or approval checklist document.
18
The illegal sale of prescription drugs (illicit pharmaceutical sales), illegal sale of tobacco products,
images of non-consensual sexual behaviour, child pornography, Internet gambling in jurisdictions
where it is illegal, the sale of counterfeit merchandise, the sale or violation of intellectual property
rights, sales of modification chips used to modify or disable built-in restrictions and limitations on
computers, specifically video game consoles, HD DVD and Blu-ray Disc Decryption Devices, are
strongly prohibited in card acquiring business activities. As a best practice, the Bank should create its own
list of prohibited activities and unacceptable business for acquiring service.
19
No Customer is exempt from participation in the MATCH system check.
20
Where it is available.
21
For example, the Bank can create an Application approval form or Merchant approval form or document.
22
Each approval decision should be authorized at least by the responsible employee and his supervisor.
23
This especially includes all merchants that have a good reputation on local markets and for which it is clear that they do not
have or will not have any risk potential, for example leading domestic retailers, fuel companies etc.
24
For example, a relationship with a leading local bank lasting at least two years.
25
Note that risk analysis should nevertheless be conducted, and must consist of: MATCH / VMTS inquiry and
confirmation that the merchant's business is fully compliant with local regulatory and card schemes rules.
26
For example, if there is potential operational or reputational risk, or the merchant is doing unacceptable business,
or the Merchant is registered in the MATCH / VMTS application.
27
The Bank should establish a List of prohibited industries and countries. The list should firstly contain
industries whose acceptance is not in compliance with local regulatory and card schemes regulations, then
group rules and/or the Bank's acquiring business strategy. List of strongly prohibited business activities proposed by
The Bank should include all of the above-mentioned documents and information in the Merchant
file.
- Have a clause that web merchants must prominently display the name of
the merchant and unequivocally inform the cardholder of the identity of the
merchant at all points of interaction,
- Have a clause that the Merchant must prominently show the name of the
Merchant on the web as the name that will appear on the cardholder statement,
- Have a clause that the Merchant must show any other information 28 other than
images of the products or services being offered for sale,
- Have a clause that the Merchant must display the card schemes
acceptance mark at the point of interaction to indicate that the merchant
accepts cards,
- Have a clause that the merchant must honor all valid cards without
discrimination when properly presented for payment,
- Have a clause that the Merchant must not directly or indirectly require any
Cardholder to pay a surcharge or any part of any Merchant discount or any
contemporaneous finance charge in connection with a transaction31,
1. use of card schemes brand mark must be only in accordance with a merchant
agreement
2. any use of a mark by a merchant in acceptance advertising, acceptance decals, or signs,
must be in accordance with the card schemes standards, including the card schemes
reproduction, usage, and artwork standards, as may be in effect from time to time;
3. merchant must terminate use or display of any mark effective immediately with the
termination of the merchant agreement or upon notification by the card schemes to
discontinue such use or display.
30
For example, in case of gambling transactions, additional identification of cardholder is mandatory. Also, the
Merchant can ask cardholder for additional identification information for shipping purposes.
31
Note that the Merchant may provide a discount to its customers for cash payments.
- Have a clause that the merchant must not submit to the Bank a transaction that
the merchant knows or should have known to be fraudulent or not
authorized by the cardholder32,
- Have a clause that the merchant must not submit for payment into
interchange, and the Bank must not accept from a merchant for submission
into interchange, any transaction that is illegal, or in the sole discretion of
the card schemes regulation33, may damage the goodwill or reflect
negatively on the brand,
- Have a clause that the merchant must not submit for payment into
interchange, and the Bank must not accept from a merchant for submission
into interchange, any transaction that:
  - represents the refinancing or transfer of an existing
  cardholder obligation that is deemed to be uncollectible, or
  - arises from the dishonour of a cardholder's personal check,
  or
  - arises from the acceptance of a card at a terminal that
  dispenses scrip,
- Have a clause that the merchant must not sell, purchase, provide, exchange or
in any manner disclose card account number, transaction, or personal
information of or about a cardholder to anyone other than its Bank, to the
corporation, or in response to a valid government demand34,
- Have a clause that merchants and Third Party Agents acknowledge and
understand the importance of compliance with security requirements, such
as those relating to transaction information, storage, and disclosure.
Merchant agreements must specify that all merchants and Third Party
Agents that have access to cardholder data maintain and demonstrate
compliance with the PCI DSS requirements and all subsequent requirement
updates,
- Have a clause that requires the merchant to notify the Bank of its use of any
agent that will have access to cardholder data,
- Have a clause that will ensure merchants and Third Party Agents are aware
of the Bank's policies and guidelines to remain in compliance,
- Have visible and clearly stated MCC / SIC code identification35,
32
For example, the Merchant's employees should check the last four digits on the transaction receipt and the swiped card. These
numbers must be the same. If they are not the same, it is a counterfeit card, and the merchant can be responsible for
chargeback amounts.
33
Card schemes can at their sole discretion add prohibited business activities that negatively affect the card scheme
brand, so this clause should be of a general character.
34
For example, this prohibition applies to card imprints, TIDs, carbon copies, mailing lists, tapes, database files,
and all other media created or obtained as a result of a transaction.
35
If the Merchant has two or more business category codes, the Bank should clearly state the MCC / SIC code that
has or will have the highest sales volume ratio.
Contract example.doc
B)
C)
D)
E)
F)
G)
H)
I)
J)
36
This clause enables immediate termination of a Merchant agreement for any activity that is not acceptable for
the Bank's acquiring business based on risk / fraud / web site monitoring results.
37
Of course, agreement must have a clause that the Bank is responsible for providing settlement funds directly to
the merchant.
38
Where it is available.
39
The bank should not enter into any agreement before MATCH / VMTS check.
40
For details, please see paragraph 3.6. of this procedure.
41
For example, the Bank can conduct a periodic detailed security check of several randomly chosen merchants
from its portfolio. In this check, all available information from the previously established Merchant file should be
verified and confirmed. The Bank should record all changes that were not contained in the Merchant file. According
to the results, the Bank can make various decisions, but they must be in accordance with applicable Bank rules,
Group rules and card schemes rules. As a best practice solution, the Bank can also create a decision matrix to
enable an efficient decision process. The Bank can also create a separate document or form for this purpose or can
use the previously mentioned Checklist form or Merchant premises inspection document.
43
For example, the responsible relationship manager or other responsible Bank employee should visit the
merchant and review all previously collected information from the Merchant file document. This periodic visit activity
should be conducted at least once per year for each merchant separately if it is possible. The Bank can also
create a separate document or form for this purpose or can use the previously mentioned Checklist form or
Merchant premises inspection document.
44
This material can include:
- information about the Bank's best practices in resolving business, sales or fraud issues,
- information about activity flowcharts in customer complaint or other Bank processes
related to merchant activity,
- user manual or other instructions that will help the merchant in doing business
45
The Bank can organize this type of education separately or as a part of local organizations (for example, local
Bank association or card association).
46
This means that fraud monitoring activity must be conducted on a daily basis.
47
Nevertheless, the most efficient way to prevent operational risk events, such as fraud/chargeback
losses or card schemes penalties connected with non-compliance status detected by card schemes systems, is
weekly monitoring and inspection of each merchant's web site.
48
Intesa Sanpaolo Card will propose an automated solution for such monitoring.
49
Note that this report should be inserted in Merchant file or other document related to merchant relationship.
- confirmation that the inspected web site has visible and detailed
information about security and transaction data protection during
transaction,
- confirmation that merchant assigns unique ordering number,
- confirmation that the inspected web site has visible and detailed
ordering confirmation,
- confirmation that the inspected web site has order agreement (known
as: check box),
- confirmation that merchant sends e-mail notification to cardholder after
the order is successfully finished,
- other comments based on web site inspection activity 50.
If the Bank detects a merchant's web site non-compliance, an inspection of the merchant
location and all web links on the merchant's site should be conducted immediately. The
inspection should be conducted by responsible employees (for example relationship
managers and risk/fraud manager).
The Bank must immediately terminate the relationship with a merchant when:
-
enter each terminated merchant in the card schemes systems such as:
MATCH or VMTS - unless prohibited by local law,
50
For example, the Bank can establish sales volume and/or fraud volume information as a part of risk monitoring
activity.
51
In cases when card schemes require feedback from the Bank upon merchants' violation of rules. This feedback,
and even specific actions and deadlines, are required after card schemes detect violations of rules related to fraud-to-sales ratio, chargeback-to-transaction ratio, brand damaging transactions etc. These programs are also
known as: MasterCard Business Risk Assessment and Mitigation (BRAM), VISA Global Brand Protection
Program (GBPP), Global Merchant Audit Program: Tier3 (GMAP), CTR, etc.
52
For example, the Bank should at least retain the following records:
- signed merchant agreement
- corporate or personal banking statements
- credit reports
- site inspection report with photographs, premises, inventory verification, and the name and
signature of the responsible employee who conducted such inspection
- merchant certificate of incorporation, licenses, or permits
- verification of references, including personal, business, or financial
- verification of the authenticity of the supplier relationship for the goods or services (invoice
records) that the Merchant is offering the Cardholder for sale
- date-stamped MATCH / VMTS inquiry records
- date-stamped MATCH / VMTS addition record
- all Bank correspondence with the merchant
- all correspondence relating to law enforcement
- signed Service Provider contract, including the name of agents involved in the due
diligence process.