guidelines for merchants accepting card payments

GUIDELINESFOR MERCHANTS ACCEPTING CARD PAYMENTS

UniCredit Bank Czech Republic and Slovakia, a.s.

YOUR MERCHANT ID

HELPDESK TELEPHONE NO.

221 210 014

2

These guidelines contain the respective rules worked out by card associations, thus representing business terms and conditions worked out by professional organisations in accordance with Article 1751 (3) of Act No. 89/2012 Coll., Civil Code. These guidelines, (hereinafter the “Guidelines”) shall come into force on 23 September 2019 and they apply to entrepreneurs, with whom UniCredit Bank Czech Republic and Slovakia, a.s. (hereinafter “UniCredit Bank”) has entered into a Payment Card Acceptance Contract (hereinafter the “Merchandiser”).

TABLE OF CONTENTS

1. Description and Types1.1 Terms used1.2 How to accept payment cards1.3 How to prevent card fraud attempts1.4 Mastercard card description1.5 Maestro card description1.6 Visa card description1.7 Visa Electron card description1.8 Diners Club International card description

2. Imprinter2.1 Card payment using an imprinter2.2 Procedure for the use of imprinter2.3 Authorisation2.4 Delivery of transaction receipts to the bank

3. Electronic Payment Terminal3.1 Card payment using an electronic terminal3.2 Procedure for the use of electronic terminal3.3 EMV – chip card acceptance3.4 Contactless card acceptance3.5 Card payment using mPOS

4. Other4.1 Cash Advance – cash advance at bank branches, exchange office, casino4.2 Pre-authorisation4.3 MO/TO (Mail Order / Telephone Order)4.4 Special transaction cases4.5 Card pick-up4.6 Claims

5. Transaction Clearing5.1 Clearing of payment transactions by the bank

6. PCI DSS

7. Telephone numbers and addresses:

8. Consumables

9. Annexes

3

1. DESCRIPTION AND TYPES 1.1 TERMS USED

AuthorisationA process during which payment card validity and payment coverage by the card is verified.

Authorisation CentreA place, where payment authorisation takes place, i.e. payment card validity verification and verification of payment coverage by the payment card.

Authorisation CodeA two- to six-digit sequence of digits or digits and letters confirming the consent to transaction execution.

Authorisation LimitThe highest amount or sum of amounts, which the merchant is authorised to accept from one payment card at one merchant’s point of sale during one calendar day without previous authorisation.

BankIt processes merchant’s transactions carried out by Mastercard, Maestro, Visa, Visa Electron and Diners Club payment cards.

Banking DayBanking day means a day when banks in the Czech Republic are open for the public.

CardA plastic card with dimensions of about 85 mm x 54 mm, whose appearance, data layout and security features on both front and back side correspond to the specification of the respective card association. The card allows its holder to make cashless payments for goods and services and cash withdrawals. Cards remain the ownership of their issuer and are issued to cardholders to be used. Cards are non-transferable.

Card AssociationsThe companies Visa International, Mastercard Worldwide, Diners Club International.

Card IssuerA bank or other financial institution authorised to issue Visa, Visa Electron, Mastercard, Maestro and Diners Club Cards. The issuer is also authorised to block cards.

Card OwnerThe bank that issued the card to the cardholder for use (issuer).

Card ValidityA period throughout which the cardholder is entitled to use the payment card to pay for goods and services or to withdraw cash. The period of validity is marked in the lower half of the card front. It is specified as a period of card validity or date of expiry. The card is valid until the last day of the month and year marked on the card. Cards must not be accepted out of the period of validity.

CardholderA natural person meeting the conditions for payment card issuance and use, whose name and surname can be printed on the payment card in the lower part of the card front.

Cash AdvanceCash advance after payment card submission.

CVC2 (CVV2)A verification code, i.e. the last three digits printed in the signature panel on the card back. (Card Verification Code / Value).

EFT/POS TerminalA device for electronic transaction processing. This device will verify the payment card and issue a sales slip.

Exchange OfficeA place providing cash after the submission of a Mastercard, Visa or Diners Club card.

ImprinterA mechanical device making an imprint of the card identification data and identification label of the merchant’s point of sale when transaction is executed.

Mail Order / Telephone Order (MO/TO)Card payments, where identification data are notified by the cardholder in writing or by phone with the following written confirmation and the merchant does not have any possibility to see the payment card or make its imprint.

Merchant / Contracting PartnerA legal entity or natural person – entrepreneur that has entered into a Payment Card Acceptance Contract with UniCredit Bank.

4

mPOSIt is a mobile electronic device allowing accepting payments cards and connected to the authorisation centre via a smartphone or tablet.

PCI DSS(Payment Card Industry Data Security Standard) – International rules defining the conditions of treating the cardholders’ data contained in payment cards.

Point of SaleA place, at which the merchant accepts cashless payments for goods and services.

Prohibited CardIt is a card, for which during payment authorisation the terminal display shows the text: “PICK UP THE CARD“.Prohibited card also means the payment card, whose security features do not correspond to the requirements of associations (see the card pictures). The prohibited card cannot be used for payment of goods, services or cash advance. It must be picked up, deteriorated and handed over to the bank.

Proof of IdentityIdentity card, passport or ID card for European Union countries.

Sales SlipA document on card payment using an EFT/POS terminal signed by the cardholder or PIN verified and confirming goods take-over or utilisation of services.

Summary Accounting DocumentA summary accounting document on the executed transactions at the merchandiser’s point of sale for an accounting period.

TransactionPayment for goods and services using a Card.

Transaction ReceiptA confirmation of transaction on a mechanical sensor (imprinter), with the data on the payment card, cardholder, point of sale and price of goods or services.

Visual InspectionChecking the card for the presence and correctness of all security features, see 1.2–1.8. Their purpose is to prevent the use of a fake card.

5

1.2 HOW TO ACCEPT PAYMENT CARDS

1. Hold the card in your hand through the entire transaction (this does not apply to contactless transactions)

2. Check the security features of the card

THE PAYMENT CARD IS INVALID FOR THE TRANSACTION AND THE MERCHANDISER MUST NOT ACCEPT IT FOR PAYMENT IF:• the signature is not identical with the signature

in the sales slip. (After the correct entry of PIN, the cardholder’s signature need not be requested. Card acceptance through the EMV chip is described in Chapter 3.3)

• the period of validity specified on the card has expired

• the card is provably submitted by a person different from the one stated on it and signed on the back side

• the signature panel is damaged (erasing, overwriting etc.)

• the card is mechanically damaged or deteriorated• CVV2, CVC2 – the three-digit number in the

signature panel to the right of the last four-digit number of the card is missing

• the BIN on the card is not identical with the first four digits of the card number

• the number on the display of the EFT/POS electronic terminal or printed in the sales slip is not identical with the number on the card front – pick up the card!!!

The payment card must not bear the inscriptions “SPECIMEN“, “VOID“, “VZOR“ or be slit in any way or otherwise deteriorated.

If any of the above description items, data or characteristics is missing or if you have any doubts regarding the card validity, make a “Code 10” call to the authorisation centre immediately.

OTHER SECURITY FEATURES ACCORDING TO SPECIFICATIONS OF INDIVIDUAL CARD TYPES

3. Watch the customer,whether he/she does not show marks of suspi-cious behaviour (see “How to prevent card fraud attempts…“).

4. Authorisea) If you are equipped with an EFT/POS terminal,

insert or swipe the card (using the chip or

magnetic stripe), check the card number on the terminal display and wait until the sales slip is printed with the authorisation code.

b) If you are equipped with a mechanical imprinter, authorise by phone.

c) Contactless transactions are authorised by putting the card or mobile phone on the contactless reader of the payment terminal.

5. Compare the signaturesof the customer, whether they are identical in the transaction receipt and on the card, if the signature is requested.

FOLLOW THE ABOVE INSTRUCTIONS TO AVOID FRAUDS AND PREVENT LOSSES IN YOUR ESTABLISHMENT.

6

1.3 HOW TO PREVENT FRAUD ATTEMPTS IN CARD PAYMENTS USING AN ELECTRONIC TERMINAL

The behaviour of some customers may suggest that they are trying to commit fraud when paying by card. However, bear in mind that suspicious behaviour need not necessarily mean an unlawful activity – you know your customers, thus follow your instincts.

Pay attention to the customers that:− purchase a lot of goods regardless of size, style,

colour or price− purchase for extraordinarily high amounts− do not ask any questions during notable

purchases− try to distract you during sale or are in a great

hurry− return to the shop after a successful purchase to

buy again (and more)− purchase immediately after shop opening or in

the last minute before closing− make a larger number of consecutive contactless

transactions up to CZK 500 – contactless chips usually require no PIN or signature to confirm the transaction; it could be a stolen card

If you encounter a behaviour which raises your suspicion:− request a proof of identity (see the definition

of terms) and verify, whether the data in it correspond to the data on the payment card, write the number of the proof of identity (see the definition of terms) in the sales slip or transaction receipt

− follow the procedures of your company and inform your superior

− call the authorisation service and report the password “authorising with Code 10” to the operator, then follow the operator’s instructions

NEVER RISK YOUR OWN SECURITY.

VALIDTHRU

5779

DEBIT

01/20JAN NOVÁK

5779 0000 0000 0000

4

8 1

3 5 7 6

2

VLASTNORUČNÍ PODPIS / AUTHORISED SIGNATURE – NOT VALID UNLESS SIGNED

Tato karta může být použita jen oprávněným držitelem. Zneužití je trestné. Při nálezu prosím vraťte na adresu banky.

This card can be used only by the authorised cardholder. Misuse is a criminal offence. If found, please return to the bank.

www.unicreditbank.cz

INFOLINKA: 800 14 00 14 EMERGENCY LINE: +420 221 210 012

10

10 11

13 129

7

1.4 MASTERCARD CARD DESCRIPTION

The front of the Mastercard payment card contains:

1 Issuer’s name and logoIn the upper part, the name of the company issuing the card.

2 Local validity of the cardIt bears the English inscription “Valid only in…“ and possible an inscription in the official language in the country of the issuer that has issued the card. The card is valid only in the country which bears this inscription.

CARD WITHOUT INFORMATION ABOUT LOCAL VALIDITY CAN BE USED IN ALL COUNTRIES OF THE WORLD.

3 BINThe first four digits of BIN can be printed above or below the card number. If printed on the card, it must be identical with the first four figures of the card number itself.

4 Cardholder’s nameCardholder’s name and surname, which can be printed in the lower part of the card. It also can contain the title (Mr., Mrs., Dr. etc.).

5 Card validityIt is specified either as a period of card validity or date of expiry. The card is valid until the last day of the month and year marked on the card. Expired cards must not be accepted!

6 Mastercard logoIt consists of two interlocking circles, red and yel-low, with the inscription Mastercard below.

7 Card numberA 16-digit number. It begins with digit 5 and is always divided into 4 groups of 4 digits.

Protective UV symbolM and C upper-case letters visible under an UV light. It is an optional element.

8 Chip or contactless chipThe front side can also contain other data, such as company name, cardholder’s photo, special signs, chip or contactless chip.

The back of the Mastercard payment card contains:

9 HologramInterlocking circles with the inscription Mastercard on the edge of the right circle. It can also be on the front of the card..

10 General instructions and card issuer’s address

The text is in English or in the language of the issuer’s country.

11 Magnetic stripeIt must in no case be disturbed or damaged.

12 Three-digit verification code (CVC2)It is shifted out of the signature panel.

13 Signature panelIt does not have to be mandatorily included in the card. A grey stripe with light-grey horizontal lines of dots. The signature panel is not a mandatory component. If present in the card, the cardholder’s signature serves as a specimen signature. The signature panel must be undisturbed and must not contain “VOID” inscription.

The back of the card can also contain other data, such as company logos.

debit

PODPIS DRŽITEĽA KARTY / AUTHORISED SIGNATURE – NOT VALID UNLESS SIGNED

Túto kartu môže použiť iba oprávnený držiteľ. V prípade nálezu kartu vráťte, prosím, na adresu banky alebo ju odovzdajte v ktorejkoľvek banke. Zneužitie karty je trestné!

This card can be used only by the authorised cardholder. If found, please return to the bank, or give it back to any bank. Misuse of card is a criminal offence!

www.unicreditbank.sk

UniTel: 0800 14 00 14, +421/44/5476870

9

9 8

10

VALIDTHRU

6 7 6 4 0 0 0 0 0 0 0 0 0 0 0 0

0 1 / 2 1JAN NOVÁK

2

51 4 67

3

8

1.5 MAESTRO CARD DESCRIPTION

The front of the Maestro payment card contains:

1 Chip or contactless chip


3 Local validity of the cardIt bears the English inscription “Valid only in…” and possible an inscription in the official language in the country of the issuer that has issued the card. The card is only valid in the country which bears this inscription.


4 Cardholder’s nameCardholder’s name and surname – if stated on the card then it is situated in the lower part of the card.

5 Maestro logoIt consists of two interlocking circles, blue and red, with the inscription Maestro below. The logo of two interlocking circles may also be on the back of the card in grey colours.

6 Card numberA printed, exceptionally embossed number (up to 19 digits) on the front of the card. The marked number may be only a part of the real card number or it need not be shown at all.Note: The first four BIN digits can be printed above or below the card number. If the BIN is shown on the card, it must be identical with the first four digits of the card number itself.

7 Card validityIf shown on the card, it is specified either as a peri-od of card validity or date of expiry. The card is valid until the last day of the month and year marked on the card. Expired cards must not be accepted! The card can also contain other data, such as company name, cardholder’s photo, or special signs.

WHEN MAKING MAESTRO CARD TRANSACTIONS, THE TERMINAL ALWAYS REQUESTS PIN ENTRY BY THE CARDHOLDER.

The back of the Maestro payment card contains:




10 Signature panelA grey stripe with light-grey horizontal lines of dots. The signature panel is not a mandatory component. If present in the card, the cardholder’s signature serves as a specimen signature.


4570 0000 0000 0000

JAN NOVÁK

01/18

121311

3

7 2

84 5 6

9 11

1

10

9

1.6 VISA CARD DESCRIPTION

The front of the Visa payment card contains:



3 BINThe first four BIN digits can be printed above or below the card number. If printed on the card, it must be identical with the first four digits of the card number itself.

4 Cardholder’s nameCardholder’s name and surname, which can be printed in the lower part of the card. It also can contain the title (Mr., Mrs., Dr. etc.).

5 Card validityIt is specified as a period of card validity or date of expiry. The card is valid until the last day of the month and year marked on the card. Expired cards must not be accepted!

6 Card numberA 16- or 13-digit embossed card number. The card number always begins with “4” and is divided:• the 16-digit number to four 4-digit groups• the 13-digit number to groups 4 – 3 – 3 – 3

7 Local validity of the cardIt bears the English inscription “Valid only in…” and possible an inscription in the official language in the country of the issuer that has issued the card. The card is only valid in the country which bears this inscription. The front side can also contain other data, such as company name, cardholder’s photo, or special signs.


8 Visa logo The logo is created by a blue Visa inscription in a white field.

Protective UV symbolA “V” upper-case letter in the place of company’s logo, visible only under an UV lamp.

The back of the VISA payment card contains:

9 HologramDove in flight. Under a certain angle, a coloured three-dimensional picture of a dove beating its wings can be clearly seen, the mark can also be on the front of the card.




12 Three-digit verification code (CVV2)It is shifted out of the signature panel.

13 Signature panelA stripe with light-orange lines.The signature panel must contain the cardholder’s signature serving as a specimen signature. A card without a signature is invalid! The signature panel must be undisturbed and must not contain “VOID” inscription.


0 1 / 1 8

4 5 9 0 0 0 0 0 0 0 0 0 0 0 0 0

JAN NOVÁK

3

21

64 5 7

8

DEBIT

1311 12109 11

10

1.7 VISA ELECTRON CARD DESCRIPTION

The front of the Visa Electron payment card contains:



3 BINThe first four BIN digits can be printed above or below the card number. If printed on the card, it must be identical with the first four digits of the card number itself. 4 Cardholder’s nameCardholder’s name and surname can be printed in the lower part of the card.

5 Card validityIt is specified as a period of card validity or date of expiry. The card is valid until the last day of the month and year marked on the card. Expired cards must not be accepted!

6 Visa Electron logoIt consists of Visa Electron or Electron writing.

7 Card numberA number printed on the front of the card. On the card, there need not be printed a whole number, only a part of it – i.e. the first and the last four-digit number.

8 Local validity of the cardIt bears the English inscription “Valid only in…” and possible an inscription in the official language in the country of the issuer that has issued the card. The card is only valid in the country which bears this inscription. The card can also contain other data, such as company name, cardholder’s photo, or special signs.


The back of the VISA Electron payment card contains:

9 HologramDove in flight. Under a certain angle, a coloured three-dimensional picture of a dove beating its wings can be clearly seen, the mark can also be on the front of the card. It is an optional element on the VISA Electron card.




12 Three-digit verification code (CVV2)It is shifted out of the signature panel.

13 Signature panelA stripe with light-orange lines.The signature panel must contain the cardholder’s signature serving as a specimen signature. The signature panel must be undisturbed and must not contain “VOID” inscription.

Protective UV symbolA “V” upper-case letter in the place of the company’s logo. It is visible only under an UV light.


2

1 4

3 5 6

10 12

137

8 1415

11

9

3612 345678 0009 123

11

1.8 DINERS CLUB INTERNATIONAL CARD DESCRIPTION

There are many various types of Diners Club (DC) cards. All of them bear the same elements and security features. The cards are always embossed.

The front of the Diners Club International payment card contains:

1 Diners Club International Brand MarkThe Diners Club International Brand Mark is situated in the upper left corner and printed in blue colour. The words “Diners Club International“ are printed in black. The brand mark can be displayed in the form of both new and old DCI logo.

2 “MEMBER SINCE“, “VALID“ AND “THRU“Member since, Valid (validity from) and Thru (validity to). The cards submitted before the first day of the month shown as “Valid” and after the last day of the month shown as “Thru” cannot be accepted.

3 Card backgroundThe background of the card is silver or in greyscale.

4 Meridian lines and mapThe meridian lines are printed in greyscale on the silver or grey background. Based on the card type, the card may include meridian linesseparately or in combination with the map or another element (e.g. a waving line, golf ball...).

5 Embossed card numberThe card number contains 14 characters and begins with “30“, “36“, “38“.

6 An impress sensitive to UV lightThe front of all cards must contain a security UV feature. This invisible mark is a magnified Diners Club International Brand Mark printed for security reasons in the middle of the card.

The back of the Diners Club International contains:

7 Holographic magnetic stripeDiners Club International cards use a holographic magnetic stripe bearing the brand mark and name of Diners Club International.

8 Signature panelThe location of the signature panel depends on the width of the magnetic stripe used.

9 Discover network acceptance markThe use of a Discover network acceptance mark is obligatory for the internationally valid cards.

10 Pulse markThe Pulse mark must be situated to the right of the Discover network acceptance mark. This mark is printed in black or white depending on the background colour of the back.

11 Text “Valid Worldwide”The text “Valid Worldwide“ is situated in the right upper corner. It must be in English and can be supplemented with a text in the local language.

12 Printed last 4 digits of the account numberThe printed last 4 digits of the account must be identical with the embossed number on the front of the Diners Club card.

13 CVV2 printed with engravingThe data are printed in the right lower corner of the signature panel. One of the following possibilities can be selected:a) printing of the whole account number followed

by the CVV2 codeb) printing of the last four digits of the account

number followed by the CVV2 codec) printing of the CVV2 code only

14 Text „AUTHORIZED SIGNATURE – NOT TRANSFERABLE“

The text “Authorized signature – not transferable“ is situated below the signature panel.

15 Optional text

12

The merchant is obliged to sell goods or provide services to the holder of a valid card for the same prices and under the same conditions as to a customer paying in cash. In its establishment, the merchant must not set any price limit, from which they will accept Mastercard, Visa and Diners Club cards for payment.

Before making a payment, the employee shall take over the card and verify:• whether it is a Mastercard, Visa or Diners Club card – he/she shall refuse other card type• the presence of security feature of the card – he/she shall make a visual inspection• the card validity – he/she shall refuse an expired card and return to the customer• the local validity of the card. Cards without specification of local validity or with the validity for the Czech

Republic – “Valid only in the Czech Republic“ can only be accepted.• whether the card is not damaged, deteriorated or slit – if yes, he/she shall refuse the card and return to the

customer• the specimen signature of the cardholder on the back of the card (Mastercard and Maestro no longer need to

include a signature panel)

If the signature is missing on the card:• the merchant shall refuse to accept the card for payment• if the employee has any doubts regarding the signature, he/she shall request the proof of identity from the

cardholder (see the definition of terms) or contact the authorisation centre and report “Code 10“• he/she can check the proof of identity (see the definition of terms), have the card signed by the client and make

the transaction.

CAUTION, EMBOSSED MAESTRO PAYMENT CARDS ARE FOR ELECTRONIC USE ONLY.

2. IMPRINTER 2.1 CARD PAYMENT USING AN IMPRINTER

Only Mastercard, Visa, Diners Club payment cards, i.e. embossed cards can be accepted on the imprinter. Pay attention to embossed Maestro cards that are for electronic use only.

13

2.2 PROCEDURE FOR THE USE OF IMPRINTER

The employee shall insert the card face up into the imprinter, lay the transaction receipt consisting of three sheets over the credit card. By sliding the imprinter handle from the left to the right and back, he/she shall create an imprint of the card and identification label. The imprint with the signature of the cardholder is a document of submitting the card by the cardholder. The employee shall check whether the data imprinted in the transaction receipt are legible and complete.

If the imprint is unclear or incomplete, the employee shall destroy the document and produce a new one.

The transaction receipt consists of three sheets.Sheet 1 – a merchant’s copySheet 2 – a bank’s copySheet 3 – a cardholder’s copy

FILLING IN THE TRANSACTION RECEIPT:

the employee shall legibly fill in the following fields:• transaction date• authorisation code (see Chap. 2.3 Authorisation)• description of goods• amount• tips• total amount• employee’s signature

The employee shall submit the completed transaction receipt to the cardholder for signing and make sure that the signature in the transaction receipt and the signature on the card match. If both signatures match, the employee shall hand over the payment card along with the third sheet of the transaction receipt, the cardholder’s copy, to the cardholder, possibly with the proof of identity (see the definition of terms).

If the signature in the transaction receipt and the signature on the card do not match, the transaction cannot be executed. Nothing may be overwritten or corrected in the transaction receipt. If yes, the employee shall destroy the transaction receipt before the customer and issue a new one. In case of doubts or suspicion, the employee shall always contact the authorisation centre and notify that the transaction is suspicious, “Code 10“. He/she shall follow the instructions from the authorisation centre.

14

2.3 AUTHORISATION

When to ask for authorisation1. The merchant shall ask the authorisation centre for payment authorisation by phone for all types of

transactions made using the imprinter..2. In case of doubts, when the merchant has a suspicion that it is a fraud (the card seems to be fake, stolen,

the customer’s behaviour is suspicious), he/she shall inform the operators that he/she asks for “Code 10” authorisation.

The authorisation code must be written in the transaction receiptThe granting of authorisation shall not relieve the employee from the duty to check:• the genuineness of the card,• the match between the customer’s signature and the specimen signature on the card (if there is a signature

panel on the card), or to verify the customer’s identity.

Authorisation procedureTelephone number of the authorisation centre – see IMPORTANT INFORMATION AND TELEPHONE CONTACTS.Authorisation in a way other than through the authorisation centre specified by the bank is not permitted. When asking for authorisation, the employee shall report the necessary data in the following order:• the number of the point of sale assigned by UniCredit Bank• card number• card validity• total amount in CZK (the sum of individual amounts)The operator may also ask for the notification of the three-digit verification number (CVC2, CVV2) or of some data from the cardholder or for the possibility to speak to the cardholder (this does not apply to pre-authorisation and pre-authorisation completion for hotels).The operator shall notify the result of authorisation as follows:• PERMITTED AND THE AUTHORISATION CODE• REFUSED (AND RETURN THE CARD)• REFUSED, PICK UP THE CARD

(The card issuer shall make the decision on permitting the authorisation, refusing or on the order to pick up the card.) If the employee receives the consent to execute the transaction, he/she shall write the authorisation code to the field “Authorisation Code“ in the transaction receipt.

If the result of the authorisation is “REFUSED”, the employee shall not make the transaction and he/she shall inform the cardholder that the transaction cannot be carried out at the moment. He/she shall destroy the transaction receipt in front of the holder and return the card to him/her.

If the operator issues the order REFUSED, PICK UP THE CARD, the employee shall not execute the transaction. He/she shall not return the card to the holder. If the cardholder asks for it, the employee shall issue a “HOT CARD RECEIPT CONFIRMATION“ (see Annex No. 1) and return the proof of identity (see the definition of terms). He/she shall destroy (slit) the card in front of the holder and destroy the transaction receipt. He/she shall fill in the form “HOT CARD RECEIPT CONFIRMATION“ and deliver it along with the card, which has been picked up, to UniCredit Bank as soon as possible. Further instructions for picking up cards, see Chapter 4.6.

15

2.4 DELIVERY OF TRANSACTION DOCUMENTS TO THE BANK

Transaction documents must be delivered to the bank no later than within 5 days from the date of issue (including the day of execution and the day of delivery). The employee shall issue a summary document on the imprinter. He/she shall attach copies of transaction receipts for the bank to the original summary document. For credit documents, he/she shall issue an individual summary document (visibly marked as “CREDIT“). Credit can only be sent to the card number, from which the original transaction was charged. He/she shall send the summaries with transaction receipts as a registered mail or deliver them in person to the bank’s registry.

Summary documentIt is used as a summary document of transactions executed by one point of sale for an accounting period. The summary document is issued as an accompanying document for accounting the transaction receipts for the bank. The number of individual transaction receipts to one summary document must not exceed 99 pieces.

The summary document consists of three sheets:Sheet 1 and 2 for the point of sale (merchant copy)Sheet 3 for the bank (bank copy)

It must contain:• data on the point of sale (an imprint of the identification label)• date of issue of the document• total number of the attached transaction receipts, however, maximum 99 pieces• total amount (the sum for all transaction receipts)• the signature of the worker that has issued the summary document

THE SUMMARY DOCUMENTS SHALL BE SENT TO THE FOLLOWING ADDRESS:UniCredit Bank – Cards Operations CZ Processing & Authorizations – 3rd floor BB Centrum – Filadelfie building, Želetavská 1525/1 140 92 Prague 4 – Michle

16

3. 3. ELECTRONIC PAYMENT TERMINAL 3.1 CARD PAYMENT USING AN ELECTRONIC TERMINAL

Shops can accept Mastercard, Maestro, Visa, Visa Electron, Diners Club payment cards.

The merchant is obliged to sell goods or provide services to the holder of a valid card for the same prices and under the same conditions as to a customer paying in cash. In its establishment, the merchant must not set any price limit, from which they will accept Mastercard, Maestro, Visa, Visa Electron, Diners Club cards for payment.

Before making a card payment by the customer, the employee shall take over the card (not applicable to contactless transactions) and verify:

• whether it is a Mastercard, Maestro, Visa, Visa Electron, Diners Club card• whether the security features are visually all right• the card validity – he/she shall refuse an expired card and return to the customer• the local validity of the card – cards without specification of local validity or with the validity for the Czech

Republic – “Valid only in the Czech Republic“ can only be accepted.• whether the card is not damaged, deteriorated or slit – if yes, he/she shall refuse the card and return to the

customer• the specimen signature of the cardholder on the back of the card (Mastercard and Maestro no longer need to

include a signature panel)

If the terminal employee has any doubts regarding the submitting person, he/she shall request the proof of identity (see the definition of terms) or contact the authorisation centre and report “Code 10“.

17

3.2 PROCEDURE FOR THE USE OF ELECTRONIC TERMINAL

The merchant shall follow the manual provided by the company that has installed the terminal. A properly signed or by PIN confirmed transaction receipt issued by inserting the payment card into the terminal represents a document of execution of the respective transaction and of the acknowledgement of the cardholder’s debts resulting from this transaction towards the merchant (acceptance of contactless cards – see Chap. 3.4.). If the terminal is not in operation and the merchant is equipped with an imprinter, the merchant shall use an imprinter for transactions – see Chap. 2.

If the instruction “Call the authorisation centre” is displayed on the terminal, the merchant shall carry out authorisation by phone and use an imprinter for transaction execution – see Chap. 2. The imprinter cannot be used for Maestro and Visa Electron cards. If the merchant is not equipped with an imprinter, they shall proceed as if the transaction has been refused.

GENERAL INFORMATION:• The merchant shall be obliged to finish their activity by daily close of the terminal.• The merchant shall follow the manual provided by the service company that has installed the payment

terminal.

Transaction permission by the terminal shall not relieve the employee from the duty to check:• the genuineness of the card – visual inspection• the match between the customer’s signature and the specimen signature on the card, or to verify the

customer’s identity (not applicable to cards without a signature panel); Verification of identity shall mean the check and entry of the below data into the transaction receipt or sales slip:

• document type• document number• document issuer• name and surname of the submitting person corresponding to the data on the payment card in case that the

name is shown on the card.

Only the ID card or passport or an identification document valid in the respective EU State can be used to verify identity.

payment card chip reader

18

3.3 EMV – CHIP CARD ACCEPTANCE

• Chip card transactions (EMV standard) must be executed only through the terminal chip reader.

• After selecting the transaction type and entering the amount, on call of the terminal (or cash-desk system) insert the chip card with the chip up to the reader in the payment terminal (see the picture below).

• If the transaction is executed through the chip, in most cases, the cardholder is called upon to enter the PIN.

• If the transaction is executed through the chip, the signing of the sales slip is usually unnecessary (no line for the cardholder’s signature is printed in the sales slip). In some cases, the signature line can be printed in the sales slip, in such case the cardholder’s signature is also necessary.

19

3.4 CONTACTLESS CARD ACCEPTANCE

Contactless transactions are certified by the Visa and Mastercard card associations and they enable transactions both through a contactless payment card and a mobile phone with the NFC technology supporting the PayPass and PayWave standards. These transactions can also be processed by holding other contactless device against the reader (such as sticker or contactless watch). A uniform designation by the following symbol is used for the PayPass and PayWave technologies:

Simplicity:• Contactless payments take place simply by holding the contactless card or mobile phone against the

contactless reader of the payment terminal.• For payments up to CZK 500, contactless transactions need not be (except for exceptions) authorised by

entering the PIN or by signing the transaction receipt.

Security:• An accidental payment is excluded. Contactless payments are made by holding the card against the payment

terminal at a minimum distance.• An individual setting by the card issuer can cause that the PIN/signature will also be requested for the

transactions below CZK 500 in order to ensure payment security.• Contactless payments exceeding CZK 500 will be confirmed by entering the PIN or by signing according to the

instruction from the terminal.

20

3.5 CARD PAYMENT USING mPOS

mPOS is an electronic device providing payment card acceptance through smartphones or tablets.

GENERAL INFORMATION:• The merchant shall be obliged to finish their activity by daily close of mPOS.• In executing transactions, the merchant shall follow the manual provided by the service company that has

provided mPOS.• mPOS does not print a sales slip for the cardholder – the merchant is obliged to offer the possibility of sending

the sales slip through SMS or by e-mail to the cardholder.• The sales slips for the merchant are saved only in electronic form and the access to the sales slips is described

in the manual of the service company that has delivered mPOS.

21

4. OTHER 4.1 CASH ADVANCE – CASH PAYMENT AT BANK BRANCHES,

EXCHANGE OFFICE, CASINO

BASIC STEPS AND PROCEDURE TO BE OBSERVED AT CARD ACCEPTANCE:

• transactions can only be carried out after the submission of the proof of identity (see the definition of terms)

BEFORE EXECUTING A TRANSACTION, ATTENTION HAS TO BE PAID TO THE FOLLOWING STEPS:

Card front• check of the existence of the printed card issuer’s name (bank name)• check of the Brand Mark of the Mastercard, Visa, Diners Club companies or associations• check of the three-dimensional Mastercard hologram (hemispheres with continents), Visa (dove in flight), it can

also be situated on the back of the card• check of the card validity (card validity month and year)• check of the printed verification four-digit number (BIN), which must be identical with the first four digits of the

card number, if stated on the card• check of the security features – for the cards of the company Diners Club “DC“• check under an UV light:

− for Visa cards, the “V” upper-case letter at the company’s logo – for Mastercard cards, “M” and “C” upper case letters in the lower part of the card – for DC – a large “cross-hatched logo“ of the company DC

Card back• check of the undamaged signature panel, check of the raster (text, colour, composition)• check of the cardholder’s signature in the signature panel (the check of the signature is addressed to the

following two sections for sales slips on an imprinter and POS• for DC – check of the holographic magnetic stripe

The following is printed in the sales slip:• date of document issuance• transaction amount and currency• card number and merchant’s identification• authorisation code• The following has to be written in the sales slip:• number and type of identity proof (see the definition of terms)• country (abbreviation) of issue of the identity proof• validity of the identity proof• payment card holder’s name (if not provided on the card, the submitting person’s name shall be written)• card holder’s signature, which has to correspond with the card signature on the signature strip on the back of

the card, if the signature panel is included in the card (not applied to chip cards, cards where the bank card issuer does not require the signature and PIN code confirmed transactions)

22

4.2 PRE-AUTHORISATION

PRE-AUTHORISATION can be used when the transaction amount is not known in advance.

Pre-authorisation can be carried out through payment terminals (EFT/POS) in hotels, car rentals and rentals of any kind. The employee shall estimate the amount to be paid by the client for the service (e.g. according to the duration of the stay, period of rent of a car or goods, etc.) and execute the pre-authorisation.

RECOMMENDATION: At the time of arrival or pick-up of a car or goods by the client, request the payment card for which the pre-authorisation has been executed, and have the sales slip with the authorisation code and amount signed by the cardholder.

When the transaction is finished (check-out of the hotel, returning the car or goods), the merchant shall execute PRE-AUTHORISATION COMPLETION.

• Pre-authorisation completion cannot be carried out without a previous pre-authorisation.• In the end, pre-authorisation must always be completed or cancelled within 30 days.• Pre-authorisation and its completion can be carried out without the presence of the payment card for embossed

payment cards. The Bank recommends the pre-authorisation completion always to be carried out in the presence of the payment card, due to eventual complaint about the transaction by the cardholder.

• Pre-authorisation may not be requested as a guarantee against damage to goods.• If at the completion of pre-authorisation the real amount is lower than the estimated amount, for which the

pre-authorisation has been executed, the merchant shall complete the pre-authorisation in a common way in the amount really spent.

• Pre-authorisation shall be valid only for 30 days after the execution of pre-authorisation (in case that the client wants to make a reservation for a longer time, carry out the pre-authorisation of the transaction 30–25 days before the cardholder’s arrival).

• Before executing the pre-authorisation you are obliged to inform the cardholder about the fact that you will make pre-authorisation and about the value of the pre-authorised amount.

The following exceptions apply to the cards issued by the company Mastercard Inc.:Execution of pre-authorisation is prohibited for Maestro cards• The amount of pre-authorisation completion (final authorisation) must be equal to or lower than the

pre-authorised amount. If the real amount exceeds the pre-authorised amount, the merchant shall complete the pre-authorisation for the pre-authorised amount and subsequently it must additionally authorise the difference between the pre-authorised amount and the real amount.

As regards cards issued by VISA Int., the following exceptions shall apply:• Pre-authorisation is only valid for 30 days from the date of the execution thereof (applicable to accommodation

facilities and car rentals). As for other rentals, pre-authorisation is only valid for 7 days.• If the real amount exceeds the pre-authorised amount by less than 15 %, the merchant can complete the

pre-authorisation in a common way. If the real amount exceeds the pre-authorised amount by more than 15%, the merchant shall complete the pre-authorisation for the pre-authorised amount and subsequently it must additionally authorise the difference between the pre-authorised amount and the real amount.

The successful pre-authorisation completion cannot be cancelled by the RETURN function because such transaction can cause an exchange-rate difference and a damage can incur to the cardholder.The successful pre-authorisation completion cannot be cancelled by the CANCEL function. In case of money-back due to an incorrect transaction, the bank must be asked in writing for the cancellation of the transaction at:e-mail: [email protected] fax: 220 514 207

23

4.3 MO/TO (MAIL ORDER / TELEPHONE ORDER)

MO/TOMO/TO is a transaction executed on the basis of a written or telephone order of goods or services, when the future payment will be made without submitting the card physically by its holder to the provider of the goods or services.

MO/TO type transactions can be executed only on the basis of a special contract with the bank!

• The merchant shall ensure the completion of the form “Consent to charging the account“ (see Annex 2; hereinafter the “Form”).

• The cardholder shall confirm in writing his/her consent to transaction execution by his/her signature.• The merchant must not accept the cardholder’s consent to transaction execution via internet or e-mail.• On the day of order receipt, the merchant shall execute voice authorisation in the authorisation centre or enter

the transaction in an electronic terminal.• After the authorisation, the merchant shall make the CVV2/CVC2 code in the form illegible by colouring or

removing it by cutting it off from the edge of the form. The part of the form cut off shall be destroyed by crushing, milling or burning.

Voice authorisation:• The merchant shall be obliged to inform the authorisation centre operator about the fact that it is a MO/TO

transaction and they shall report:− merchant’s number− payment card number− card validity− CVC2, CVV2 code – the three-digit number printed to the right of the card number in the signature panel− amount

• The operator shall notify the authorisation result:PERMITTED and he/she shall also notify the authorisation number− the merchant shall issue a transaction receipt and in the field “Cardholder’s signature”, he/she shall write MO

or TO (written order or telephone order)− the merchant shall attach the cardholder’s part of the transaction receipt to the goods and send them to the

cardholder. The merchant shall save another part of the transaction receipt along with the original copy of the form “Consent to charging the account“ (see Annex No.2) and they shall send the last part to the bank.

REFUSED:− if the merchant receives the result of the authorisation “refused“, they shall not execute the transaction and

immediately they shall inform the cardholder that the transaction cannot be executed

FORM – Consent to charging the accountBy issuing this form, the cardholder admits by his/her own signature the duty to pay for the ordered service or goods, and confirms the correctness and truthfulness of the data included in the form.All types of documents must be filled in legibly and must not contain corrections or crossing out. The form must not be saved with information about the CVV2/CVC2 code, not even for a refused transaction.

Goods sending:The merchant sending the goods to the cardholder shall be obliged to send the goods in the way ensuring the return of an advice of delivery unambiguously proving that the goods were taken over by the addressee.

24

4.4 SPECIAL TRANSACTION CASES

NO SHOWPayment for a non-cancelled and unused reservation – for example, the customer orders a service (hotel room booking) and fails to cancel it or to cancel it in time. In such case, according to the rules of associations, the merchant shall be entitled to charge only one night/one-day car rental as a compensation!Conditions:• The merchant must inform the client about the charging by fax or e-mail.• The merchant must have information about the card (card number, card validity). Never request CVV2/CVC2 for

this type of transactions.• The merchant must have a written order of goods or services.• The merchant must have the right to additional charging in their conditions for the provision of services. The

merchant shall fill in the transaction receipt with all details and in the place intended for signature they shall write No Show.

DELAYED OR AMENDED CHARGES ADDITIONAL CHARGING OF FEES FOR SERVICES

If after the transaction execution and cardholder’s departure it is found out that payment was not paid in full amount (e.g. additionally found unpaid phone calls or hotel mini-bar consumption), the merchant may claim the settlement of the unpaid amount. The merchant shall fill in an additional transaction receipt with all details and in the place intended for signature, they shall write legibly in block letters “Signature on File“ (S.O.F.). The merchant shall be obliged to inform the cardholder about the reason of additional charging by fax or e-mail. It shall also send a copy of the transaction receipt to the cardholder’s address.

However, all these ways of cardholder charging (MO/TO, No Show, S.O.F.) are accounted to the merchant with the reservation of cancellation. Thus, the transaction shall be valid only provided that the cardholder does not make a complaint. It means that the customer would deny the receipt of services or goods from the merchant.

TIPS FROM THE CUSTOMERTips are mentioned separately in the transaction receipt in the respective column with the title “Extra Tips“.

COMBINED PAYMENTSThe merchant must not issue several transaction receipts for one transaction (payment). Issuing two documents for one transaction is only possible for combined payments, when a part is paid by card and the other part is paid in another way, e.g. in cash, by cheque etc. In such case, a separate transaction receipt shall be issued for the amount paid by card anda separate one for the other amount (sales slip etc.). For the amount paid by card, authorisation shall be requested. A combination of payment by two different cards, e.g. Mastercard and Visa, is also possible.

25

WARNING FOR THE MERCHANTS PROVIDING ACCOMMODATION SERVICES:

Within the framework of the Contract for Payment Cards Acceptance for Accommodation Services, the merchant has the possibility to charge payments for its services without the physical presence of payment card using the following types of transactions: Pre-authorisation, No-Show, S.O.F., Advance Deposit (guaranteed reservation), Priority/Express Check-Out Service. In particular as regards Advance Deposit transactions, where the merchant charge an amount from the payment card for a planned accommodation in advance, it must be pointed out that these transactions are always charged with the reservation of cancellation. Where the cardholder complains about such transaction, the bank is entitled to charge the amount thus paid from the following payments to the debit of the contracting partner without its prior consent.

Suspicious behaviour of clients which may lead to fraud:

• In case of reservations for an unusually long period and/or for a larger number of people, usually sent by e-mail directly to the hotel.

• If during authorisation, the payment card is refused and the customer immediately sends another card and another card numbers or asks for splitting the total transaction’s amount among several card numbers offered.

• If an unknown foreign travel agency contacts you, guaranteeing the accommodation of its clients by a payment card and at the same time, asking you for sending a commission for the services to its bank account.

How to proceed in such cases:

• If you charged the amount for reservation using Advance Deposit (guaranteed reservation) and then the cardholder cancels it, never return the amount in a way other than to the original card number (e.g. to a bank account, in cash or by sending goods).

• Never accept orders of other services or goods, which are not directly related to accommodation services (e.g. purchase and sending of electronic equipment).

• If the guest is present, always request physical submission of the card and execute the transaction with the presence of the card (magnetic stripe, chip, c-less). Never accept payment card data dictating by the submitting person (e.g. from a mobile phone, PC).

To mitigate the risk of complaints arising from potential fraudulent transactions, the correct and appropriate procedure for guaranteed reservations is the execution of pre-authorisation in a POS terminal and subsequently, after the guest’s arrival, completion of the transaction with the presence of the payment card. Thereby, the card is verified by the POS terminal. If the guest is present, alwaysrequest physical submission of the card and execute the transaction with the presence of the card (magnetic stripe, chip, C-less).Other possibilities of preventing fraudulent reservations include card acceptance via the e-commerce pay gate (push pay payments) with a so-called 3D security.If you have any questions, contact the department of payment cards security or the authorisation service.

26

4.5 PAYMENT CARD PICK-UP

The merchant shall be obliged to pick up a payment card in the following cases:• The merchant has received the instruction “PICK UP THE CARD” from the authorisation centre.• BIN is not identical with the first four digits of the Mastercard or Visa card number, if it is stated on the card.• The security features of the card do not meet the requirements of the associations (see items 1.2–1.8). Contact

the authorisation centre with Code 10, where the operator will verify the genuineness of the payments card with you or issues the instruction to pick up the card.

The payment card is in the ownership of the company that has issued it, i.e. the card issuer. The customer is only a holder. The request for authorisation is submitted to the card issuer through the computer network and the issuer makes the decision on the answer to the request. Therefore, the employee shall be obliged to satisfy the request of the customer’s payment card issuer to pick it up. If the cardholder wants to know the reason for card pick-up, it must afterwards turn to the issuer of the payment card.

When picking up the card, the merchant shall use all adequate and non-violent means to hold the card. The merchant shall deteriorate the hot card in front of the holder and on demand, he/she shall issue the “HOT CARD RECEIPT CONFIRMATION“ to the customer (see Annex No.1).

The merchant shall fill in the “HOT CARD RECEIPT CONFIRMATION“ – the name, address and number of the merchant, the name and address of the employee, employee’s account No., date of pick-up and date of sending the card, the reason for pick-up, payment card number and along with the card, it shall deliver it in person to any UniCredit Bank branch or send in a registered mail within one week to the payment cards department of UniCredit Bank (see IMPORTANT INFORMATION AND TELEPHONE CONTACTS).

The merchant shall never notify the authorisation centre contact to the cardholder.The bank shall decide on paying a reward for payment card pick-up in the above cases. The finder shall not be entitled for a reward for finding a payment card.If a payment card is found at the point of sale, the merchant shall fill in the “FOUND CARD RECEIPT CONFIRMATION“ (see Annex No.3).

How to deteriorate a Visa, Visa Electron, Mastercard, Maestro and Diners Club payment card

The card can be deteriorated by slitting it longitudinally across the card number.

Send the hot cards to the below address:

UniCredit Bank – Cards Operations CZProcessing & Authorizations – 3rd floorBB Centrum – Filadelfie building, Želetavská 1525/1140 92 Praha 4 – Michle

27

4.6 CLAIMS

CLAIM – GOODS REPLACEMENT OR REFUNDIn case of a claim of goods or provided services, the merchant shall not return cash to the cardholder, for the cancellation or modification of the payment made by card, they shall issue a credit voucher.

The credit voucher consists of three sheets.Sheet 1 – merchant’s copySheet 2 – bank’s copySheet 3 – cardholder’s copy

• Goods refund A credit voucher for the total amount shall be issued. Credit transactions are not authorised.

• Goods replacement in the same amount In this case, no substitute transaction receipt is issued.

• Replacement for goods of a lower value A credit voucher for the difference between the amounts shall be issued.

• Replacement for goods of a higher value A transaction receipt for the difference between the amounts shall be issued and authorisation must be requested for this amount (see Item 2.3).

If the cardholder is not present at the replacement or refund of goods (e.g. a refund on the basis of a written claim), the merchant shall fill in the card data in the credit voucher manually, make an imprint of the identification label and sign in the place intended for the cardholder. The merchant shall send one of the parts of the transaction receipt (the cardholder’s copy) to the cardholder.

Address for sending the credit vouchers:UniCredit Bank – Cards Operations CZProcessing & Authorizations – 3rd floorBB Centrum – Filadelfie building, Želetavská 1525/1140 92 Praha 4 – Michle

CLAIMS MADE ON THE PAYMENT TERMINAL

The cardholder complains about the quality of goods or service providedIf the cardholder claims goods or services, the merchant shall refund the claimed amount using the CHARGEBACK function via the payment terminal.Note: The CHARGEBACK function in the terminal is protected with a password set by the supplier. After the terminal is installes, we recommend changing the password to your own value via out helpline.

REQUEST FOR CLAIM OF A POINT OF SALE

• In case of an incorrect transaction accounting (the cardholder is not present anymore), the merchant can ask the bank in writing (by e-mail or fax, see the contacts below) for a claim by sending the form “CLAIM REQUEST“ (see Annex No. 4). Cancellations and partial cancellations of transactions up to the amount of CZK 1 cannot be executed for technical reasons.

Delayed or amended charges• The merchant is not automatically entitled to additional charges.• The bank must ask the issuer bank for a consent to additionally charging the client’s account.• Additional charging is always executed WITH THE RESERVATION OF CANCELLATION.• THE BANK DOES NOT additionally charge the amounts up to CZK 100.

28

5. TRANSACTION CLEARING 5.1 CLEARING OF PAYMENT TRANSACTIONS BY THE BANK

If the merchant violates the conditions, under which the contract has been signed with them, for example, they submit incorrectly completed or incomplete documents or execute an unauthorised transaction, the transaction will not be paid to it.In certain cases, the transaction can be paid to the merchant. However, if the card issuer fails to reimburse such payment or clears the already made payment, the bank shall be entitled to set off this payment as its claim from the merchant against any merchant’s claim from the bank. If the merchant has no claims from the bank, it shall be called upon to remit the amount in dispute back to the account of UniCredit Bank.

THIS CASE CAN OCCUR, FOR EXAMPLE, IF:• authorisation has not been carried out for the amounts exceeding the authorisation limit• the customer’s signature is missing in the transaction receipt (in case that it is a transaction receipt from an

imprinter or the signature was requested during the POS terminal transaction)• the date of transaction is missing in the document• the data on the point of sale are missing in the document• the data in the document are altered (crossing out, overwriting etc.)• the imprint of the payment card is incomplete, unclear• the documents were handed over to UniCredit Bank later than 5 days after the date of transaction• the transaction has been carried out with a fake card or the card number has been abused, etc.

STATEMENT OF CARD TRANSACTIONSAs standard, UniCredit Bank credits the amounts from card transactions according to the summary amounts for a day (business date), i.e. for all card associations together. The transactions are always credited separately for individual establishments. The merchant’s account is credited with a net amount, i.e. the amount without commission, unless the merchant and the bank have agreed on another commission charging method.

IDENTIFICATION OF PAYMENTS IN THE STATEMENT OF PAYMENT CARD TRANSACTIONSSample statements of transactions can be found at:http://www.unicreditbank.cz/web/firmy/produkty-a-sluzby/platebni-karty-a-terminaly/struktura-aformat-elektronickych-vypisu

IDENTIFICATION OF PAYMENTS IN THE ACCOUNT STATEMENTSender:UCB Merchants, Account No. 9342510001/2700 for CZK, Account No. 9342510087/2700 for EUR, Account No. 9342510044/2700 for USD.

Variable symbol:The whole contract number including the point of sale, e.g. 12001501.

Specific symbol:Transaction clearing date.

CAV2/CID/CVC2/CVV2(Discover, JCB, Mastercard, Visa)

Magnetic stripe (data from Tracks 1 and 2)Chip CID (American Express)

Card expiry PAN

29

6. PCI DSS

The PCI DSS (Payment Card Industry Data Security Standard) represents international rules defining the conditions of treatment of the cardholders’ data contained in payment cards. These international rules, whose fulfilment is requested by card associations and companies, are determined for the organisations processing, transmitting or saving cardholders’ data (from payment cards and on card transactions).

The objective of PCI DSS is to limit the risks of the above data leakage and possible abuse. PCI DSS as a model framework for security assurance contains the most suitable procedures for minimising the risks of data theft.

This standard is obligatory for all points of sale accepting payment cards and its basic requirements are included in the Product Business Terms and Conditions of the Payment Card Acceptance Contract.

Through correct protection of cardholders’ data you protect your customers as well as your business.

The cardholders’ data that must be protected according to PCI DSS requirement No. 3.4:• card number• cardholder’s name• card expiry date

Sensitive verification data, which must not be saved in any way after the authorisation, not even in coded forms:• complete data of the magnetic stripe or card chip• CVV2/CVC2• PIN / PIN Blok

Everything marked with the red line means sensitive data of cardholders. The data from the back of the payment card and from the chip must not be saved in any way. The other marked data can be saved if there are business or procedural reasons for that but the data must be protected according to PCI DSS standards.

How to save the data of cardholders1) To install and maintain the configuration of firewalls for cardholders’ data protection.2) To not use the initial setting from the supplier for system passwords and other security parameters.3) To protect the stored cardholders’ data.4) To encipher cardholders’ data transmission via open public networks.5) To use and update the antivirus software or programmes.6) To develop and maintain secure systems and applications.7) To restrict access to cardholders’ data only as necessary.8) To assign a unique ID to each person with an access to a computer.9) To restrict the physical access to cardholders’ data.10) To monitor all accesses to network sources and cardholders’ data.11) To test the security systems and processes on a regular basis.12) To maintain rules focused on information security for employees and suppliers.

If data leakage or cardholders’ data abuse is detected at the merchant or its agent, the merchant shall be obliged to report the fact immediately to the bank by e-mail: [email protected]

30

The rules of card companies define the levels, to which merchants are assigned according to the type and number of transactions executed per year. The level, to which the merchant belongs, shall be specified by the bank.

Requirements for validation of merchant’s PCI DSS conformity (according to the level)

Abbreviations:QSA (Qualified Security Assessor) – an external certified auditor, who will carry out the PCI DSS audit on site. The list of auditors is available at official sites of PCI standards.ASV (Approved Scanning Vendor) – approved supplier of monitoring. A company approved by PCI SSC to provide services of monitoring the external vulnerability.ISA (Internal Security Auditor) – a merchant’s own employee, who has passed the certification programme of PCI DSS.SAQ (Self-Assessment Questionnaire). A tool used by the entity to verify their own conformity with PCI DSS standards.

You can find any PCI DSS details at www.pcistandard.cz, the original wording in English at www.pcisecuritystandard.org.

Address any questions regarding PCI to: [email protected].

Service providers (agents)Within the activity, it is possible that the merchant uses the services of some service provider and shares cardholders’ data with them. Service providers include, for example: a mediator of air, accommodation etc. reservations, booking system operators, payment gate providers, webhosting companies, loyalty programme mediators, call centres etc.

In such case, the duty to protect cardholders’ data according to the PCI DSS rules shall also apply to such companies and the bank must be informed about such cooperation.

These providers must also comply with PCI DSS and they must be registered at the websites of individual associations.

Merchants can use only such service providers who are fully compliant with PCI DSS and merchants are fully responsible for them, also in the event of data leakage on the part of the service provider.

If the bank finds out that the merchant uses a service provider non-compliant with PCI DSS, it is entitled to stop processing the merchant’s transactions.

You can find out whether your agent is registered at the websites of individual companies, see below:Visa: hereMastercard: here

Merchant’s level Validation requirements requested by the bank

1. Merchants with a turnover over 6 million transactions per year

Audit execution by an external auditor (QSA) or a certified internal auditor (ISA) with the output Conformity Report (ROC)+ Quarterly scan from ASV (if applicable)

2. Merchants with a turnover of 1 to 6 million transactions per year

Audit execution by an external auditor (QSA) with the Conformity Report (ROC) or completion of the SAQ questionnaire including the Certificate of Conformity (AOC) through an internal certified auditor (ISA)+ Quarterly scan from ASV (if applicable)

3. Online merchants with a turnover of 20 thousand to 1 million e-commerce transactions per year

Completion of a Self-Assessment Questionnaire (SAQ) or proof of using a certified (in terms of PCI DSS) service provider or a solution when the merchant does not come into contact with the payment card number+ Quarterly scan from ASV

4. Other Other merchants:Completion of the SAQ questionnaire including the Certificate of Conformity (AOC) + Quarterly scan from ASV (if applicable)

https://www.visa.com/splisting/searchGrsp.do

https://www.mastercard.us/content/dam/mccom/global/documents/Sitedataprotection/site-data-protection-pci-list.pdf

31

7. TELEPHONE NUMBERS AND ADDRESSES:

HELP-LINE: 221 210 014(non-stop authorisation centre – payment authorisation)

TECHNICAL SUPPORT TO MERCHANTS: 221 210 014, 013 955 962 628, 629, 630, 626

PAYMENT CLAIMS: 955 962 876 (fax 220 514 207) [email protected]

ADDRESS FOR SENDING THE TRANSACTION RECEIPTS FOR PROCESSING: UniCredit Bank – Card CentreADDRESS FOR SENDING HOT CARDS: Processing & Authorizations – 3rd floor BB Centrum – Filadelfie building Želetavská 1525/1 140 92 Praha 4 – Michle

ORDERS OF TRANSACTION RECEIPTS AND SUMMARY DOCUMENTS: 955 962 627

CONSUMABLES

SONET, společnost s.r.o.: 543 423 540, [email protected](terminal rolls) The manuals for the POS terminals operation are available at www.sonet.cz/ke-stazeni/

Aevi CZ s.r.o.: 221 210 014, [email protected](terminal rolls)

SECTION OF CARD SECURITY – REPORTING THE THREATENED DATAOF CARDHOLDERS: [email protected](e.g. loss/theft of sales slips, electronic data, PC, network attack etc.)

RESPONSE TO REQUEST FOR DOCUMENTATION SENDING: [email protected]

32

8. CONSUMABLES PAYMENT TERMINAL ROLLS

PAYMENT TERMINAL ROLLS OR CLEANING KITS CAN BE ORDERED DEPENDING ON THE TERMINAL SUPPLIER:

SONET s.r.o.1. By e-mail to the address [email protected], specifying the name of your company, the requested number of

pieces, delivery address and your contact, where we can contact you, if necessary.2. By phone, tel. No. 543 423 543.3. Or through your payment terminal as follows:

a) in the initial screen of the POS terminal – MAIN MENU, then b) select the hPOS function, confirm, ORDER, confirm c) and in the next screen, select the product ROLLS, just write the requested number of pieces and send

In case of problems, you will be contacted automatically.

TRANSPORT AND PAYMENT TERMS:1. take-over in person at the registered office of the company SONET, Lužická 9, Brno, payment in cash2. carrier service (provided by SONET), payment to the carrier upon delivery

Aevi CZ s.r.o.By e-mail to the address [email protected], specifying the name of your company, the requested number of pieces, delivery address and your contact. Together with your invoice, the consumables will be sent to you by the PPL carrier.

Číslo karty (Card number)

Platnost karty (Card expiry)

Datum zadržení karty (Date of pick-up)

Jméno obchodníka (Merchant name)

Číslo smlouvy o přijímání PK (Merchant number)

Jméno zadržitele (Retainer’s name)

Telefon (Phone number)

Datum převzetí (Date of receipt)

................................................................. ................................................................. Jméno a podpis pracovníka Jméno a podpis zadržitele karty (Name and signature of employee) (Name and signature of retainer)

Odměna se vyplácí pouze v případě zadržení karty na pokyn autorizačního centra UniCredit Bank Czech Republic and Slovakia, a.s. The reward is paid only if the card is retained on request of UniCredit Bank Czech Republic and Slovakia, a.s. authorisation centre.

Číslo účtu zadržitele Měna (Retainer’s account number) (Currency)

Specifický symbol Kód banky (Specific symbol) (Bank code)

Souhlasím s vyplacením odměny ve prospěch výše uvedeného účtu. I agree with paying of the reward to the above-mentioned account number.

................................................................. Jméno a podpis zadržitele karty (Name and signature of retainer)

Tuto část vyplňuje pracovník oddělení vypořádání kartových obchodů UniCredit Bank Czech Republic and Slovakia, a.s.

Datum odeslání na účet

................................................................. Jméno pracovníka, podpis

UniCredit Bank Czech Republic and Slovakia, a.s. | Sídlo / Registered Office: Želetavská 1525/1, 140 92 Praha 4 – Michle, www.unicreditbank.cz IČO / Identification Number: 64948242 | Obchodní rejstřík / Commercial Register: Městský soud v Praze, oddíl B, vložka 3608 / Municipal Court in Prague, Section B, file 3608 | Směrový kód banky / Bank Code: 2700 | Swift Code: BACXCZPP

POTVRZENĺ O PŘEVZETÍ ZADRŽENÉ PLATEBNĺ KARTY VISA / MC / DINERS CLUBHOT CARD RECEIPT CONFIRMATION

Odesláním formuláře beru na vědomí, že Banka bude zpracovávat osobní údaje v něm vyplněné z titulu nezbytnosti pro plnění smlouvy mezi Bankou a Smluvním partnerem za účelem naplnění práv a povinností touto smlouvou dohodnutých. By submitting the form, I acknowledge and am aware that Bank’s processing of my personal data entered in the form is necessary for the performance of the contract by and between the Bank and the Contracting partner for the purposes of the rights and obligations agreed under this contract.

33

9. ANNEXES

ANNEX NO. 1

Vyplní obchodník (Merchant will fill the following information):

Číslo objednávky (Order number)

Datum (Date)

Adresa obchodníka (Merchant address)

Jméno odpovědného zástupce (Name of author. person of merchant)

Popis zboží/služeb (Description of goods/services)

Cena zboží/služeb (Price of goods/services)

Dopravné (Transportation costs)

CELKOVÁ ČÁSTKA A MĚNA (vždy v CZK) (TOTAL PRICE)

Vyplní držitel karty (Cardholder will fill the following information):

Jméno a příjmení držitele karty (Name and surname of the cardholder)

Adresa (Address)

Telefon, fax (Phone No., Fax No.)



Popis objednávaného zboží/služeb (včetně množství a ceny/měny) Description of goods/services ordered (incl. number of pieces and price/currency)

Držitel svým podpisem stvrzuje správnost a pravdivost uvedených údajů. UniCredit Bank Czech Republic and Slovakia, a.s., za žádných okolností nezasáhne nebo neponese odpovědnost za jakékoliv spory, které event. vyvstanou mezi obchodníkem a držitelem karty v důsledku platby prostřednictvím výše uvedené platební karty nebo karet za zboží či služby.(According to my request I wish to pay the ordered goods/services by my credit card. All stated information above is correct and true.)

................................................................. Datum objednávky Vlastnoruční podpis držitele karty (Order date) (Signature of authorised cardholder)

Kontrolní kód z platební karty (Last three digits printed on the signature panel of a card):

MASTERCARD/CVC2 – Card Validation Code 2 VISA/CVV2 – Card Verification Value 2

Po provedení autorizace a před archivací objednávky odstřihněte kontrolní kód (Please, cut off the control code after the authorisation before archiving of document)


SOUHLAS SE ZATÍŽENÍM ÚČTU

Odesláním formuláře beru na vědomí, že Banka bude zpracovávat osobní údaje v něm vyplněné z titulu nezbytnosti pro plnění smlouvy mezi bankou a smluvním partnerem za účelem naplnění práv a povinností touto smlouvou dohodnutých. By submitting the form, I acknowledge and am aware that Bank’s processing of my personal data entered in the form is necessary for the performance of the contract by and between the Bank and the Contracting partner for the purposes of the rights and obligations agreed under this contract.

34

ANNEX NO. 2



Datum nalezení karty (Date of finding)

Jméno obchodníka (Merchant name)


Jméno nálezce (Finder’s name)

Telefon (Phone number)

Datum převzetí (Date of receipt)

................................................................. ................................................................. Jméno a podpis pracovníka Jméno a podpis nálezce karty (Name and signature of employee) (Name and signature of finder)

Tuto část vyplňuje pracovník Oddělení vypořádání kartových obchodů UniCredit Bank Czech Republic and Slovakia, a.s.

Manipulační poplatek USD Natypován dne:

................................................................. Jméno pracovníka, podpis


POTVRZENĺ O PŘEVZETÍ NALEZENÉ PLATEBNĺ KARTY VISA / MC / DINERS CLUBFOUND CARD RECEIPT CONFIRMATION

Odesláním formuláře beru na vědomí, že Banka bude zpracovávat osobní údaje v něm vyplněné z titulu nezbytnosti pro plnění smlouvy mezi Bankou a Smluvním partnerem za účelem naplnění práv a povinností touto smlouvou dohodnutých. By submitting the form, I acknowledge and am aware that Bank’s processing of my personal data entered in the form is necessary for the performance of the contract by and between the Bank and the Contracting partner for the purposes of the rights and obligations agreed under this contract.

35

ANNEX NO. 3


Telefon (Phone No.)

E-mail (E-mail address)

Fax (Fax No.)

Jméno a podpis žadatele (Aplicant’s name and signature)

Číslo terminálu (Terminal No.)

Datum transakce (Transaction date)

Částka transakce / měna (Trx. Amount)

Číslo karty (Card No.)

Platnost (Card expiry)

Doúčtování rozdílu transakce SPRÁVNÁ ČÁSTKA (Increase transaction amount) (Correct amount)

ČÁSTKA ROZDÍLU (Difference)

Odúčtování rozdílu transakce SPRÁVNÁ ČÁSTKA (Decrease transaction amount) (Correct amount)

ČÁSTKA ROZDÍLU (Difference)

Storno transakce (Cancellation of transaction)

Doúčtování transakce (Manual input transaction)

Jiná žádost (Other request)

Popis (Description):

Spolu se Žádostí o reklamaci je nutné zaslat (Please enclose below mentioned documents):• kopie účtenky z platebního terminálu (POS sales slip copy)• kopie pokladní účtenky (ECR sales slip copy)


Odesláním formuláře beru na vědomí, že Banka bude zpracovávat osobní údaje v něm vyplněné z titulu nezbytnosti pro plnění smlouvy mezi Bankou a Smluvním partnerem za účelem naplnění práv a povinností touto smlouvou dohodnutých. By submitting the form, I acknowledge and am aware that Bank s processing of my personal data entered in the form is necessary for the performance of the contract by and between the Bank and the Contracting partner for the purposes of the rights and obligations agreed under this contract.

ŽÁDOST O REKLAMACICLAIM REQUEST

Fax: 220 514 207 E-mail: [email protected]

36

ANNEX NO. 4

guidelines for merchants accepting card payments

Documents