
E-commerce presales/sales process
Brief best practice guide


1. Introduction

1.1. What are the benefits of e-commerce acquiring for the Banks?

The major benefits for acquiring Banks from the adoption of e-commerce are:
- retaining and increasing the customer base
  o strengthening relationships with existing Bank clients willing to expand their
    business to e-commerce card acquiring,
  o expansion to new merchant industry segments (e.g. HOREKA and renting
    agencies),
- increased card acquiring merchant acquisitions, margins & total revenues,
- improved competitive edge,
  o extended application of new technologies & improved Bank image as a
    technological leader,
- the ability to use existing Web space for marketing towards key merchants and to
  attract cardholders.

1.2. What are the general (business & technical) prerequisites on the Bank side for
e-commerce implementation?
The Bank should ensure the following activities are performed before the e-commerce service is
offered to merchants:
- Technical preparation:
  o Get the template language package in English from ISPC and return it with the
    local language translation of the language files and the bank's logo for the
    Merchant Center of Service
  o Decide what the URL of the Service will be
  o ISPC and the Bank must define the details of specific Services usage (e.g. card
    brand, type of possible transaction, the model of Merchant integration with
    Services, the back office reports about transactions made, additional CMS
    fields for the Merchants)
  o Merchant migration approach TBD by the bank
- Preparation of documentation for potential Merchants:
  o Integration & administration manuals (with ISP Cards help)
  o General introduction for potential e-commerce merchants
  o Merchant's Request for Card Acceptance
  o Merchant contract template
  o Business policy & general standards that Merchants should follow
- Training of:
  o Bank's technical staff who will operate on the Service by ISP Card
  o Bank's fraud prevention team
  o Bank's sales staff
- The Bank must perform a User Acceptance Test on the Bank pilot Merchant


2. E-commerce presales/sales process


2.1. Initial contact with merchant
As previously mentioned, one of the prerequisites for conducting e-commerce sales activities
towards merchants is training of the Bank's authorized sales personnel.
Initial contact with a merchant can be initiated by:
- the merchant (by e-mail, by phone or by visit to the Bank's premises);
- the Bank's authorized personnel (e.g. E-commerce Sales Manager or Agent).
Banks should provide the following information to merchants:
- Description of the Service in a few sentences
- Benefits for Merchants and their clients
- Service details & security standards
- Graphical description of the Service

The Bank should train its sales staff on its business policy regarding e-commerce and
on the preferred sales approach.
Example of a general introduction document for introducing a merchant to the e-commerce
service:

General introduction document.docx

2.2. New E-commerce merchant application

After initial contact, the Bank's authorized personnel should send the merchant an initial
Merchant application form in order to ease collection of merchant applications.
The Bank (responsible unit or employee) should ensure that each new E-commerce
merchant fills in the Merchant application form [1] before signing the Merchant agreement [2]. The
Merchant application form should be inserted in the Merchant file, and should be available
to all responsible organization units that participate in merchant relationship and
monitoring management [3].
Example of E-commerce merchant application:

Merchant application form.doc

[1] This activity should be performed even if a merchant with an existing acquiring relationship wants to expand
the relationship to E-commerce acquiring.
[2] The Merchant's responsible employee can contact the Bank's responsible unit / employee by e-mail request, by visiting
the Bank's responsible employee (relationship manager) in a branch etc. Also, the Bank's Acquiring sales team
employees can contact the Merchant for acquisition.
[3] For example: organization unit responsible for relationship management, sales management, fraud
management, risk management, complaint management.


The Merchant application form should [4] contain at least the following information:
- Merchant name and the web site name that is visible to cardholders (doing-business-as or
  trade name available on the web site),
- Relevant merchant data: merchant registration name, business address, company
  registration address, point of sale address, registration numbers, tax numbers, ID
  numbers,
- Merchant's principal contact details: name, date of birth, place of birth, address,
  telephone number(s), e-mail, ID number, copy of ID used for identification [5],
  personal identification number,
- Information about the merchant's authorized person and management board: name,
  date of birth, place of birth, address, telephone number(s), e-mail, ID number,
  copy of ID used for identification, personal identification number,
- Detailed description of the merchant's business [6],
- Type of company / business structure (for example: small business, limited
  liability company, joint stock company),
- Copy of licenses and/or registration forms that are obligatory or proposed by
  local regulation [7],
- Detailed information about business with prior acquirers, if applicable [8],
- Information about previous years' turnover if the merchant has a previously
  established relationship in acquiring business,
- Information about the merchant's expected average turnover in E-commerce
  acquiring business (monthly or annual projection) [9].
If a Merchant is a new client of the bank without any previous relationship, the Bank's responsible
unit or employee must fill in or attach a copy of the Know Your Customer Questionnaire (KYC)
in the Merchant file.
The Bank should ensure that the bank's financial institution name, contact address, and
contact phone numbers are prominently displayed on the merchant application form in a
font size that makes this information conspicuous to the reader [10].
During this initial stage the Bank should also share with the merchant a document describing
its business policy regarding e-commerce (e.g. standards expected from an e-commerce
sales outlet etc.):

Business policy.doc - Needs translation

[4] For example, a draft of this form is attached in Appendix A, and the Bank can use it to create its own Merchant
application form.
[5] For identification purposes, the responsible employee should always use a valid ID document with a picture.
[6] For example, if the Merchant is a newly acquired entity without a previous relationship with the Bank, the Bank
(responsible unit or employee) can obtain a business plan, description of merchandise, and copies of all
relevant marketing materials, including catalogs, brochures, telemarketing scripts, and print and broadcast
advertisements.
[7] The Bank (responsible unit or employee) should ask the merchant to attach a copy of a permit or approval if they are
proposed by local law for the specific type of business. These documents should also be inserted in the Merchant file.
[8] For example, the Bank (responsible unit or employee) should ask the merchant for the reason for termination with
prior acquirers. If it exists, the Bank should include this information in the Merchant application form, and this
information should be an important part of the risk analysis in the later Merchant approval process.
[9] If the merchant has a previous relationship in acquiring business, the Bank should also analyse actualized
turnover (total sales amount), fraud and chargeback amounts for each existing acquiring channel (EFT POS,
MO/TO). This information is an important part of merchant approval for E-commerce service.
[10] Besides the Bank's general contact information, the responsible relationship manager's or sales agent's name and
contact information can also be included.


2.3. Merchant premises inspection

After receiving the Merchant application form by an appropriate communication channel [11], and
before signing a Merchant agreement, the Bank (responsible unit or employee) should at
least [12]:
- Confirm the description of the merchant's business and other information given in the
  Merchant application form. This should be performed by:
  o inspection of all premises and records [13],
  o inspection of at least one outlet (point of sale) from which it will
    acquire transactions, if one exists [14] [15],
- Collect and verify, at least:
  o Uniform Resource Locator (URL, also known as the website address)
    and Internet Protocol (IP) server address for the merchant website(s),
  o contact details for the merchant's website hosting service (telephone
    numbers, e-mail addresses, name of responsible personnel),
  o e-mail addresses and phone numbers for merchant customer service [16],
  o description of any links on the merchant's website to other sites to
    which they may or may not be affiliated.
- Collect the following information to gain knowledge of the merchant's expected
  business revenue:
  o projected total sales volume per year
  o projected credit and debit volume per year
  o actual chargeback volume (only if the Merchant has a previously established
    acquiring relationship with the Bank)
  o period between the purchase and actual delivery of goods

[11] For example: e-mail.
[12] For example, a Checklist form or Merchant premises inspection document can be used to collect this type of
information. Note that any type of document used should be inserted in the Merchant file and must be a part of the risk
analysis in the Merchant approval process.
[13] Note that card schemes rules require that the Bank must verify that the merchant has the proper facilities, equipment,
inventory, agreements, and personnel required and, if necessary, license or permit and other proposed
capabilities to conduct the business.
[14] In this activity, the Bank (responsible unit or employee) should at least collect and verify:
- Information about point of sale address,
- Information about type of location (for example: storefront, indoor shopping mall, or office)
- Information about position of the merchant's point of sale (for example: in apartment, house,
  warehouse, shopping mall)
- Information about point of sale property (for example: merchant owns or leases the point of
  sale location)
- Information about duration of the merchant's business at the inspected location
- Information about inventory (is it appropriate for the stated business)
- Information about the merchant's warehouse details
- Point of sale contact information (name, telephone, e-mail, working hours)
- Point of sale photos
[15] If the merchant has no point of sale location (store), the responsible Bank's employee should visit the merchant's
headquarters at the registration address or other appropriate location if applicable. The Bank's responsible
employee should also visit the warehouse if it exists and if it is possible.
[16] For example, the Bank (responsible unit or employee) can verify that a merchant's e-mail address is valid by
sending a message to that address. An alert should be triggered if the message is returned as undeliverable or
bounced. In addition, the Bank should also check the merchant's customer service for the quality and
timeliness of its response by sending mail to a known e-mail address.

2.4. Merchant approval

After the merchant inspection, the Bank (responsible unit or employee) should conduct a
risk analysis based on the information collected in the Merchant application form and Merchant
premises inspection document [17].
The risk analysis should at least include:
- confirmation that the merchant's business is fully compliant with local
  regulatory and card schemes rules [18],
- MATCH [19] inquiry and/or VMTS [20] inquiry activities. The inquiry request
  (printed version) should be part of the Merchant file.
- The Bank's authorized personnel should also evaluate the e-commerce business potential of the
  concerned merchant in a similar/same way as for EFT-POS acquiring merchants.
If all requirements are met, the Bank (responsible unit or employee) can approve the
merchant's request for E-commerce service [21]. The approval should include the four-eyes
approval principle [22].
For Merchants [23] that have:
- a previously established relationship with the Bank and/or
- a previously established relationship with another local bank [24],
the Bank can create a specific approval process that will make the complete
acquisition and approval process easier [25].

The Bank (responsible unit or employee) should not accept a merchant's request for E-commerce
service which does not contain all of the above mentioned documents, or if the risk
analysis results are not acceptable for Bank, Group or card schemes business policy. [26] [27]
The Bank should include all above mentioned documents and information in the Merchant
file.

[17] To help in the estimation of risk that should be conducted by the responsible unit or employee, the Bank can create an
approval decision matrix or approval checklist document.
[18] The illegal sale of prescription drugs (illicit pharmaceutical sales), illegal sale of tobacco products,
images of non-consensual sexual behaviour, child pornography, Internet gambling in jurisdictions
where it is illegal, the sale of counterfeit merchandise, the sale or violation of intellectual property
rights, sales of modification chips used to modify or disable built-in restrictions and limitations on
computers, specifically video game consoles, HD DVD and Blu-ray Disc Decryption Devices, are
strongly prohibited in card acquiring business activities. As a best practice, the Bank should create its own
list of prohibited activities and unacceptable business for acquiring service.
[19] No Customer is exempt from participation in the MATCH system check.
[20] Where it is available.
[21] For example, the Bank can create an Application approval form or Merchant approval form or document.
[22] Each approval decision should be authorized at least by the responsible employee and his supervisor.
[23] This especially includes all merchants that have a good reputation on local markets and which clearly do not
have or will not have any risk potential, for example leading domestic retailers, fuel companies etc.
[24] For example, a relationship with a leading local bank lasting at least two years.
[25] Note that the risk analysis should still be conducted, and must consist of: MATCH / VMTS inquiry and
confirmation that the merchant's business is fully compliant with local regulatory and card schemes rules.
[26] For example, if there is potential operational or reputational risk, or the merchant is doing unacceptable business,
or the Merchant is registered in the MATCH / VMTS application.
[27] The bank should establish a List of prohibited industries and countries. The list should first contain
industries whose acceptance is not in compliance with local regulatory and card schemes regulations, then
group rules and/or the bank's acquiring business strategy. The list of strongly prohibited business activities proposed by
card schemes is given in Footnote No.19.

2.5. Merchant agreement

After the Merchant approval decision, the responsible employee can sign a Merchant agreement
with a merchant that meets all criteria.
The bank should ensure that each Merchant agreement, besides local regulatory
requirements, includes all mandatory elements proposed by card schemes regulation.
The Bank must create the Merchant agreement in writing, and such agreement must at
least:
- Have a clause that web merchants must prominently display the name of
  the merchant and unequivocally inform the cardholder of the identity of the
  merchant at all points of interaction,
- Have a clause that the Merchant must prominently show the name of the
  Merchant on the web as the name that will appear on the cardholder statement,
- Have a clause that the Merchant must show any other information [28] other than
  images of the products or services being offered for sale,
- Have a clause about use of the card schemes brand mark [29],
- Have a clause that the Merchant must display the card schemes
  acceptance mark at the point of interaction to indicate that the merchant
  accepts cards,
- Have a clause that the merchant must honor all valid cards without
  discrimination when properly presented for payment,
- Have a clause that the merchant must not refuse to complete a transaction
  solely because a cardholder who has complied with the conditions for
  presentment of a card at the point of interaction refuses to provide
  additional identification information, except as specifically permitted or
  required by the card schemes standards [30],
- Have a clause that the Merchant must not directly or indirectly require any
  Cardholder to pay a surcharge or any part of any Merchant discount or any
  contemporaneous finance charge in connection with a transaction [31],
- Have a clause that the Merchant must not determine a minimum or
  maximum transaction amount,
- Have a clause that the merchant must not submit to the Bank a transaction that
  the merchant knows or should have known to be fraudulent or not
  authorized by the cardholder [32],
- Have a clause that the merchant must not submit for payment into
  interchange, and the Bank must not accept from a merchant for submission
  into interchange, any transaction that is illegal, or in the sole discretion of
  the card schemes regulation [33], may damage the goodwill or reflect
  negatively on the brand,
- Have a clause that the merchant must not submit for payment into
  interchange, and a Bank must not accept from a merchant for submission
  into interchange, any transaction that:
  o represents the refinancing or transfer of an existing
    cardholder obligation that is deemed to be uncollectible, or
  o arises from the dishonour of a cardholder's personal check, or
  o arises from the acceptance of a card at a terminal that
    dispenses scrip,
- Have a clause that the merchant must not sell, purchase, provide, exchange or
  in any manner disclose card account number, transaction, or personal
  information of or about a cardholder to anyone other than its Bank, to the
  corporation, or in response to a valid government demand [34],
- Have a clause that merchants and Third Party Agents acknowledge and
  understand the importance of compliance with security requirements, such
  as those relating to transaction information, storage, and disclosure.
  Merchant agreements must specify that all merchants and Third Party
  Agents that have access to cardholder data maintain and demonstrate
  compliance with the PCI DSS requirements and all subsequent requirement
  updates,
- Have a clause that requires the merchant to notify the Bank of its use of any
  agent that will have access to cardholder data,
- Have a clause that will ensure merchants and Third Party Agents are aware
  of the Bank's policies and guidelines to remain in compliance,
- Have visible and clearly stated MCC / SIC code identification [35],
- Have a clause that informs the merchant that it is responsible for its
  employees' actions while in its employ,
- Have a clause that enables / allows immediate termination of a Merchant
  agreement for any activity that may create harm or loss to the goodwill of
  the payment system or brand [36] [37].
Example of Merchant agreement: - to be replaced with standardised contract approach?

Contract example.doc

[28] For example technical description, detailed product information.
[29] For example, the Merchant agreement should have a clause to instruct the Merchant that:
1. use of the card schemes brand mark must be only in accordance with a merchant
   agreement
2. any use of a mark by a merchant in acceptance advertising, acceptance decals, or signs,
   must be in accordance with the card schemes standards, including the card schemes
   reproduction, usage, and artwork standards, as may be in effect from time to time;
3. the merchant must terminate use or display of any mark effective immediately with the
   termination of the merchant agreement or upon notification by the card schemes to
   discontinue such use or display.
[30] For example, in the case of gambling transactions, additional identification of the cardholder is mandatory. Also, the
Merchant can ask the cardholder for additional identification information for shipping purposes.
[31] Note that the Merchant may provide a discount to its customers for cash payments.
[32] For example, the Merchant's employees should check the last four digits on the transaction receipt and the swiped card. These
numbers must be the same. If they are not the same, it is a counterfeit card, and the merchant can be responsible for
chargeback amounts.
[33] Card schemes can, in their sole discretion, add prohibited business activities that negatively affect the card scheme
brand, so this clause should be general in character.
[34] For example, this prohibition applies to card imprints, TIDs, carbon copies, mailing lists, tapes, database files,
and all other media created or obtained as a result of a transaction.
[35] If the Merchant has two or more business category codes, the bank should clearly state the MCC / SIC code that
has or will have the highest sales volume ratio.

2.6. Merchant file


The Bank should create a Merchant file which should, at least, include the duly completed:
A) Merchant application form
B) Inspection of premises document, signed by the responsible Bank's employee
C) Copy of KYC Questionnaire (if applicable)
D) Copy of MATCH / VMTS [38] inquiry requests [39] (if applicable)
E) Merchant agreement and all amendments to the contract,
F) Copy of the merchant registration documentation (commercial register,
   trade register or other country requirements)
G) Application approval form / Merchant approval form or document
H) Web site inspection document [40]
I) All other records and information concerning the regular monitoring of the
   merchant
J) All records related to merchant relationship termination [41].

[36] This clause enables immediate termination of a Merchant agreement for any activity that is not acceptable for the
Bank's acquiring business based on risk / fraud / web site monitoring results.
[37] Of course, the agreement must have a clause that the Bank is responsible for providing settlement funds directly to
the merchant.
[38] Where it is available.
[39] The bank should not enter into any agreement before the MATCH / VMTS check.
[40] For details, please see paragraph 3.6. of this procedure.
[41] For example, these records can include:
- site inspection report with photographs of premises and inventory verification. The report
  should be signed by the responsible employee who conducted such inspection
- merchant certificate of incorporation, licenses, or permits
- verification of references, including personal, business, or financial references
- verification of the authenticity of the supplier relationship for the goods or services (invoice
  records) that the Merchant is offering the cardholder for sale
- date-stamped MATCH / VMTS addition record
- all Bank's correspondence with the merchant
- all correspondence relating to law enforcement >>
- signed Service Provider contract, including the name of agents involved in the due
  diligence process


2.7. E-commerce web site monitoring and inspection


Once a merchant agreement is signed, the Bank must establish an ongoing relationship
of risk prevention [42], including an education process consisting of periodic visits to
merchants [43], distribution of related educational literature [44], and participation in seminars
organized by the responsible Bank's unit or other local organization [45].
Ongoing merchant monitoring activity must be conducted by the responsible unit for each
merchant [46].
The Bank must regularly, as reasonably appropriate in light of all circumstances, review
and monitor the merchant's web site(s) and other business activities to confirm and
regularly reconfirm that any merchant activity related to or using a card schemes brand
mark is conducted in a legal and ethical manner and in full compliance with the merchant
agreement.
The Bank must check every Web page on every Web site as appropriate and according to
local country or region characteristics [47].
The Bank can use a Web site monitoring solution or other appropriate process solution [48]
to review the merchant's activity to avoid processing illegal or brand-damaging transactions
that are not in accordance with the merchant agreement.

[42] For example, the Bank can conduct a periodic detailed security check of several randomly chosen merchants
from its portfolio. In this check, all available information from the previously established Merchant file should be
verified and confirmed. The Bank should record all changes that were not contained in the Merchant file. According
to the results, the Bank can make various decisions, but they must be in accordance with applicable Bank's rules,
Group rules and card schemes rules. As a best practice solution, the Bank can also create a decision matrix to
enable an efficient decision process. The Bank can also create a separate document or form for this purpose or can
use the previously mentioned Checklist form or Merchant premises inspection document.
[43] For example, the responsible relationship manager or other responsible Bank's employee should visit the
merchant and review all previously collected information from the Merchant file document. This periodic visit activity
should be conducted at least once per year for each merchant separately if it is possible. The Bank can also
create a separate document or form for this purpose or can use the previously mentioned Checklist form or
Merchant premises inspection document.
[44] This material can include:
- information about the Bank's best practices in resolving business, sales or fraud issues,
- information about activity flowcharts in customer complaint or other Bank's processes
  related to merchant activity,
- user manual or other instructions that will help the merchant in doing business
[45] The Bank can organize this type of education separately or as a part of local organizations (for example, a local
Bank association or card association).
[46] This means that fraud monitoring activity must be conducted on a daily basis.
[47] Nevertheless, the most efficient way to prevent operational risk events, such as fraud/chargeback
losses or card schemes penalties connected with non-compliance status detected by card schemes systems, is
weekly monitoring and inspection of each merchant's web site.
[48] Intesa Sanpaolo Card will propose an automated solution for such monitoring.


The Bank must, at least, monitor, verify and confirm:
- website content and merchant information standards,
- name displayed on website matches merchant description,
- merchant location,
- privacy policy,
- products offered for sale,
- links to other sites,
- minimum website requirements for payment purposes,
- security method for payments and disclosure including verification of
  compliant payment application,
- website data security and encryption practices,
- back order, return, and refund policies,
- terms and conditions.
After the web site monitoring activity, the Bank should create a Web site inspection document
if this process is not automated. This report can be either in electronic or in paper
form [49].
The Web site inspection document must at least consist of:
- date of inspection,
- name of the responsible employee who performed the web site check,
- merchant status (for example active/inactive),
- confirmation that the detailed merchant data are visible to the cardholder,
- confirmation that the card scheme brand(s) are present, and that they are
  properly displayed to cardholders,
- confirmation that the products offered for sale correspond to the merchant's
  business,
- information about the merchant's IP address validity (valid/invalid),
- confirmation of the validity of the customer support e-mail address (for
  example: valid/invalid),
- confirmation that all links from the web site are in compliance with the
  merchant's business as specified in the merchant agreement,
- confirmation that the inspected web site has a full description of products
  and services,
- confirmation that the merchant offers only allowed products and
  services (products and services are in full compliance with local laws,
  group rules and card schemes rules),
- confirmation that the amounts on the inspected web site are expressed in
  local currency, or, if they are not expressed in local currency, that currency
  conversion information is clearly visible to cardholders,
- confirmation that the inspected web site has a visible and detailed
  merchant business policy,
- confirmation that the inspected web site has a visible and detailed order
  cancellation policy,
- confirmation that the inspected web site has a visible and detailed
  delivery policy, with restrictions that could affect the delivery service (also,
  export restrictions, if known),
- confirmation that the inspected web site visibly shows the duration of the
  trial period, if offered, including clear disclosure that the cardholder will
  be charged unless the cardholder takes steps to cancel the subsequent
  transaction,
- confirmation that the inspected web site has a visible and detailed
  complaint policy (with refund policy),
- confirmation that the inspected web site has a visible and detailed
  consumer data protection policy (or other requirements proposed by
  local law),
- confirmation that the inspected web site has visible and detailed
  information about security and transaction data protection during the
  transaction,
- confirmation that the merchant assigns a unique ordering number,
- confirmation that the inspected web site has a visible and detailed
  ordering confirmation,
- confirmation that the inspected web site has an order agreement (known
  as: check box),
- confirmation that the merchant sends an e-mail notification to the cardholder after
  the order is successfully finished,
- other comments based on the web site inspection activity [50].

[49] Note that this report should be inserted in the Merchant file or other document related to the merchant relationship.
If the Bank detects a merchant's web site non-compliance, an inspection of the merchant
location and all web links on the merchant's site should be conducted immediately. The
inspection should be conducted by responsible employees (for example relationship
managers and risk/fraud manager).
The Bank must immediately terminate the relationship with a merchant when it:
- determines that any deceptive marketing, scam or illegal
  transaction or business is being performed,
- determines that the merchant's business is not acceptable for Bank or
  Group strategy,
- determines that the merchant's business is not in accordance with the
  merchant agreement or local law.

After such termination, the Bank must:
- inform card schemes without exception or delay [51], when required,
- enter each terminated merchant in the card schemes systems such as
  MATCH or VMTS, unless prohibited by local law,
- retain all records concerning the investigation of any terminated
  merchant. The Bank must retain these records for a minimum period of
  two years after the termination date [52]. These records must be inserted
  in the Merchant file document (for details, refer to paragraph 3.5.).

[50] For example, the Bank can establish sales volume and/or fraud volume information as a part of risk monitoring
activity.
[51] In cases when card schemes require feedback from the Bank upon merchants' violation of rules. This feedback,
and even specific actions and deadlines, are required after card schemes detect violations of rules related to
fraud-to-sales ratio, chargeback-to-transaction ratio, brand damaging transactions etc. These programs are also
known as: MasterCard Business Risk Assessment and Mitigation (BRAM), VISA Global Brand Protection
Program (GBPP), Global Merchant Audit Program: Tier3 (GMAP), CTR, etc.
[52] For example, the Bank should at least retain the following records:
- signed merchant agreement
- corporate or personal banking statements
- credit reports
- site inspection report with photographs, premises, inventory verification, and the name and
  signature of the responsible employee who conducted such inspection
- merchant certificate of incorporation, licenses, or permits
- verification of references, including personal, business, or financial
- verification of the authenticity of the supplier relationship for the goods or services (invoice
  records) that the Merchant is offering the Cardholder for sale
- date-stamped MATCH / VMTS inquiry records
- date-stamped MATCH / VMTS addition record
- all Bank's correspondence with the merchant
- all correspondence relating to law enforcement >>
- signed Service Provider contract, including the name of agents involved in the due
  diligence process.
