rules of card acquiring merchant agreement 11 …...rules of card acquiring merchant agreement...

Rules of Card Acquiring Merchant Agreement 11.2013

1 (30)

These Rules of Card Acquiring Merchant Agreement consist of Part A – General rules Part B – Country-specific rules and rules for domestic card programmes Part C – Sector- and/or -service-specific rules Part A – General rules 1. Application of the rules This extract of rules describes the framework which applies to the agreement entered into between the Merchant and the Bank in respect of acquiring of card transactions. 2. General remarks regarding the acquiring of card transactions and the Merchant Agreement as a whole, contradiction in terms and conditions ‘Acquiring of card transactions’ refers to the services offered for authorising, clearing and settling card transactions carried out at the Merchant. The services provided by the Bank under the Merchant Agreement are mainly directed to entrepreneurs, companies and associations and they are always to be used for industrial and commercial activity only. The content of the service and the parties’ responsibilities and rights are stated in the approved Merchant Agreement application, in the General rules (Part A) and in the Specific rules (cf Parts B and C) and in the Merchant Instructions which altogether at any given time constitute the content of the Merchant Agreement. The Bank is not liable for any damage caused to the Merchant as a result of the Merchant not complying with the terms and conditions of the Merchant Agreement. The Bank’s right and ability to offer card services are affected by Visa’s and MasterCard’s regulations and directives. The contractual relation between the Bank and the Merchant must comply with these regulations. The Merchant instructions as in force at the time of approval of the Merchant Agreement application by the Bank are sent by the Bank to the Merchant or they are set available to the Merchant in the Nordea’s Merchant Portal. Should the approved Merchant Agreement application conflict with the General rules or the Specific rules, the approved Merchant Agreement application prevails.

Should the General rules conflict with the Specific rules, the Specific rules shall prevail. 3. Use of third-party service providers Either party may fulfil its obligations under this Merchant Agreement using a third-party service provider. All third-party service providers have to be PCI-compliant and registered as an approved service provider according to the card scheme instructions. The parties are responsible for the activities of their third-party service providers as for their own. 4. Scope The Merchant may utilise the services provided under the Merchant Agreement by the Bank only to payments made with MasterCards (debit, credit, Maestro) and Visa cards (debit, credit, Visa Electron, V PAY) and other cards stated in the Merchant Agreement. The card issuers may also introduce new card products (embossed or unembossed). In the case some card issuer introduces new card products, the Merchant may start accepting them as means of payment after complying with the procedures instructed by the Bank. The Merchant approves the new terms and conditions (including without limitation new pricing) set by the Bank applicable to acquiring of the new card products as the Merchant accepts a Transaction made by a new card product. During the validity of the Merchant Agreement, the Bank is to be the exclusive acquirer of all Transactions in which the above-mentioned cards are used unless otherwise agreed. 5. Other cards The Merchant may enter into agreements with companies that acquire types of cards other than those described in the Merchant Agreement. The Merchant must notify the Bank of any such agreements before the card company’s cards may be used at the Merchant. Purchases made with such cards are to be credited to the Merchant’s account with the Bank unless otherwise separately agreed on. 6. Types of card payments and other definitions 6.1 Bank: means the acquirer in this Merchant Agreement. 6.2 Standard payment (POS): Payments to manned Merchants by the cardholder using the


2 (30)

card’s chip or magnetic stripe in a payment terminal providing proof of identity by a PIN code, signature or other approved Cardholder Verification Method (CVM) or payments to manned Merchants by the cardholder using the card’s or a mobile’s contactless feature. Special conditions apply to Standard payments (POS). 6.3 Online purchases in eCommerce environment: Payments to virtual Merchants by the cardholder via the Internet or another open network approved by the Bank, approving payments made with the card. Special conditions apply to online purchases. 6.4 Mail and telephone orders (MO/TO): Payments to Merchants that offer goods and services via mail order and telephone order sales. The cardholder writes the number, etc., of the card on the mail order which is signed, or this information is stated on the telephone. Special conditions apply to mail and telephone orders. 6.5 Hotels: A Merchant that offers overnight accommodation, possibly with advance booking. Special conditions apply to hotels. 6.6 Vehicle rental: A Merchant that offers vehicle rental, possibly with advance booking. Special conditions apply to vehicle rentals. 6.7 Unattended payment terminals or Cardholder-Activated Terminals (CAT): Payments are made at unattended terminals by the cardholder using the card in a self-service payment terminal, possibly providing proof of identity with a PIN code if the payment terminal asks for this. Special conditions apply to unattended payment solutions and automatic machines. 6.8 Recurring payments: A Merchant and a cardholder may enter into an agreement to make periodic payments, often without stating a fixed amount and for an unspecified period. Special conditions apply to recurring payments. 6.9 Cash Advance: The service allows cardholders to withdraw cash either through an ATM or over the counter at a bank or other financial agency, up to a certain limit. 6.10 Quasi-Cash: A Transaction representing a Merchant's sale of items that are directly convertible to cash, for example, currency

exchange. Special conditions apply to Quasi-Cash. 6.11 Cash-back: The cardholder may withdraw cash from the Merchant when paying a purchase at the Point-of-Sale – effectively offering two services in one transaction. Cash-back is a domestic service and only cardholders of the participating issuers having access to it. The EMV POS terminal needs to support the service and its requirements. Special Country-specific rules apply to Cash-back. 6.12 Authentication service: A function in which the cardholder is identified by the issuer of the card in connection with an Internet-based online payment by means of a separate set of IDs and/or passwords (for example, 3DSecure like MasterCard SecureCode and Verified by Visa). 6.13 Authorisation: A check carried out by the Merchant in which the card issuer states whether the card’s status or the size of the amount prevents a transaction from being executed. 6.14 Authorisation limit: Limit specified by the Bank in the local currency for a Point-of-Sale or Trading Site within which the Point-of-Sale or Trading Site in question must always authorise transactions. 6.15 Banking Day: Banking Day means a business day on which the Bank is open to the public for carrying on substantially all of its banking functions. 6.16 Card data: Card data means the card number, expiry date, and verification code of the cardholder’s card. 6.17 Card Scheme: means the Visa and MasterCard card organisations and their card schemes as well as other card schemes the parties may agree at any given time. It refers mainly to Visa and MasterCard, as the owners of the payment scheme, into which a Bank or any other eligible financial institution can become a member. By becoming a member of the scheme, the member is thereby authorised to issue or acquire the Transactions performed within the scheme. 6.18 Card Verification Code/Value (CVC/CVV) are security features of the card, such as CVC, CVV, iCVV or PVV. Three- or four-digit number series printed on the card’s signature panel,


3 (30)

such as CVV2, CVC2, are used in mail orders or telephone orders and eCommerce environment. 6.19 Charge back: A procedure in which an issuer charges all or part of the amount of a Transaction back via an Acquirer to the Merchant in accordance with Card Scheme regulations. 6.20 EMV: EMV® is a global standard for credit and debit cards based on chip card technology. 6.21 International Card Organisations/Card Schemes: Visa and MasterCard card organisations and their card schemes, as well as other card schemes the parties may agree on. 6.22 Merchant: The entrepreneur, company or other entity that has concluded a Merchant Agreement with the Bank, including all its Points-of-Sale and/or Trading Sites. 6.23 Merchant Agreement: The application/agreement with the appendices, rules and Merchant Instructions which together in their format at any given time constitute the Merchant Agreement. 6.24 Merchant ID: An identification number given by the Bank to the Merchant which specifies the Point-of-Sale, Trading Site and/or the main Point-of-Sale. 6.25 Merchant Instructions: Instructions issued by the Bank in order to comply with, among others, the rules and instructions of the International Card Originations, including payment card handling, data security, MO/TO, eCommerce and functions of terminals, as well as best practices and other information to Merchants. 6.26 Merchant Portal Merchant Portal: is a web-based service provided by the Bank where the Merchant’s administrator gets access and grants access rights within the Merchant organisation. The portal provides information about settlements, batches, specific Transactions and calculated fees. In addition, Merchants can view information about Acquiring products and services and the latest news. 6.27 Payment Service Provider (PSP/internet Payment Service Provider (iPSP)): A third party used by the Merchant to which the

Merchant sends the Transactions acquired by it (e.g. a third party or other transaction router). The Merchant Processor must be a certified service provider in accordance with the PCI standard.

6.28 PCI: PCI DSS is the international Payment Card Industry Data Security Standard, used by Visa International, MasterCard Worldwide, American Express, JCB and Discover Financial Services. PCI DSS and other payment card industry standards complement each other and define the minimum safety requirements for card transactions. Adhering to this standard is compulsory for all parties receiving, transmitting or storing card transactions.

6.29 Point-of-Sale (POS) terminal: A certified device and/or system used by the Merchant that reads and verifies the card data. 6.30 Secure Payment Application (SPA): Security method designed to authenticate cardholders when they pay online. 6.31 Transaction date (T): A date on which the Bank (or the collection centre with which the Bank has on agreement) has received a Transaction with the correct content and in the agreed format from the Merchant or from the Merchant’s Payment Service Provider. 6.32 Terminal vendor: A company which supplies certified POS terminals to other companies or Merchants. 6.33 Trading Site: A site approved by the Bank with a distinctive Merchant ID issued by the Bank and used by the Merchant for MO/TO or eCommerce. 6.34 Transaction: Information about payment based on an agreement between a company and a cardholder to transfer an amount from the cardholder to the Merchant. 6.35 Universal Cardholder Authentication Field (UCAF): A field to support a universal, multipurpose data transport infrastructure that the Card Scheme uses to communicate authentication information among the cardholder, merchant, issuer and acquirer communities. 7. Rights and obligations of the Bank 7.1 Authorisation routing, Transaction Acquiring and Data Errors The Bank routes the authorisation requests sent by the Merchant and/or the Merchants


4 (30)

Payment Service Provider (PSP) to the Bank on the terms and conditions set out in the Merchant Agreement. The Bank acquires all Transactions properly presented to it and received by it on the terms and conditions set out in the Merchant Agreement. The Merchant must ensure that the Transactions are sent by the PSP of the Merchant to the Bank and that the transaction data sent by the terminal or other solution is free from errors. The Bank is entitled to refuse to acquire or send to the card issuer Transactions that have been found to be erroneous or are suspected to be erroneous as well as to apply an extended settlement period. Errors in an assembled data set comprising transactions of several companies and sent by the Payment Service Provider might result in an extended settlement period with respect to all transactions within the same assembled data set, even if the error only concerns a part of the assembled data, e.g. another company than the Merchant. If the Bank acquires and settles to the Merchant Transactions that the Merchant has delivered after the due date or that have been erroneous, the Bank is entitled to deduct the Transaction contested by the cardholder or card issuer and any other expenses incurred by the Bank from the subsequent settlements with the Merchant and/or its Points-of-Sale or Trading Sites, or to otherwise debit these to the Merchant. The Bank is also entitled to refuse to acquire Transactions that entail a specific risk of credit loss or misuse or for any other justified cause for refusal, or to apply an extended settlement period with respect to such Transactions. The Bank is not liable for an extended settlement period caused by errors in transaction data or assembled data sets or caused by Transactions delivered after the due date. 7.2 The Bank’s settlement guarantee The Bank undertakes to provide settlement to the Merchant for the Transactions properly presented to the Bank and received by the Bank in accordance with the Merchant Agreement. The settlement takes place at the latest on a day followed by the number of Banking Days after the Transaction Date agreed in the Merchant Agreement. The payment is to be made to the account that is

designated by the Merchant and stated in the Merchant Agreement. The settlement is to take place in the same currency as that in which the transaction took place unless otherwise stated in the Merchant Agreement. The settlement account must be in the same currency as the settlement. The Bank’s obligation to make payment in accordance with this provision is conditional (i) on the Merchant having met its obligations in accordance with the Merchant Agreement and (ii) on the date of settlement being (a) a Banking Day, and (b) where the currency of the payment is other than the domestic currency of the Bank, a day (other than Saturday or Sunday) on which banks are open for general business in the principal financial centre of the country of that currency to enable the Bank to execute the Transactions in such currency. If the Merchant is liable for a loss caused to the Bank or the Merchant has received settlement for transactions to which it is not entitled, the Bank has the right to deduct a corresponding amount from a later settlement with the Merchant. The Bank does not normally check the Transaction before settlement is made to the Merchant. The Bank may use set-off to collect any claim that it has against the Merchant in connection with this Merchant Agreement. The Bank is entitled to hold back the settlement as a risk management measure if it suspects that the Merchant would cause financial or any other kind of risk to the Bank. In addition the Bank may be obliged to hold back the settlement or do the settlement (in whole or partly) to a third party subject to law or other order binding on the Bank. 7.3 Repayment obligation of the Merchant and the Bank’s right to charge back Where a cardholder makes a complaint regarding a Transaction which has been reported by the Merchant and the Bank does not find that the complaint is clearly erroneous, the Bank is to charge back the Transaction from the Merchant. Where a Transaction related to a standard payment is made at an EMV terminal or the parties have specifically agreed upon guaranteed payment for transactions of the relevant type, the Merchant must, within seven (7) days of the earlier of (i) the Bank’s retrieval request or (ii) charge back, demonstrate that in conjunction with the Transaction the Merchant has made the verifications and otherwise has


5 (30)

fulfilled the requirements stated in this Merchant Agreement. Where the complaint is based on such, the Merchant must also demonstrate that there was no defect or deficiency on the article or service to which the Transaction related. In the event that the sales company does not fulfil its obligations in this respect, a repayment obligation arises and the amount is charged back from the Merchant. Where the Transaction relates to any other type of card payment, the Merchant must, in addition to the requirements set out chapter hereinabove within seven (7) days the earlier of (i) the Bank’s retrieval request or (ii) charge back, demonstrate that the Transaction was ordered by the cardholder. Where the Merchant fails to fulfil its obligations in this respect or where the complaint, in accordance with Visa’s or MasterCard’s rules and regulations, is such that the Transaction can be rejected, a repayment obligation arises. Where repayment obligations arise, the Merchant must immediately pay an amount to the Bank corresponding to that which the Bank must pay to the issuer who had issued the card used, plus interest on such amount for the period from the date that the Bank paid the Transaction amount to the Merchant until such time as payment is made by the Merchant at an interest rate corresponding to local law. The Bank is entitled to debit the Merchant’s account in the case a repayment obligation arises and the Merchant is obligated to pay in accordance with this provision. The disputed amount may be debited to the Merchant’s account unless the Bank can immediately reject the cardholder’s complaint as being groundless. From the date when the Bank receives a claim for payment as mentioned above or is made aware that there may be a breach of the Merchant Agreement, the Bank may freeze funds in the Merchant’s accounts in the amount equal to the claim against the Bank brought by a third party. The Bank is entitled to charge a fee for each charge back that occurs during the invoicing period. Should complaints or losses relating to the Merchant during the previous thirty (30) days exceed 0.5% of the card volumes or number of Transactions on a specific Merchant ID, the

Bank may debit the Merchant for processing costs and/or for charges or fees imposed on the Bank by MasterCard or Visa. The Bank is also entitled to charge the Merchant for fees and other claims for compensation that can be brought against the Bank by a third party (such as MasterCard and Visa) on the basis that the Merchant has breached the Merchant Agreement. Handling costs that the Bank incurs in connection with processing the claim may also be debited to the Merchant. The parties are to have a continuous dialogue regarding the volume of complaints and implementation of measures to limit the number of complaints as low as possible. 7.4 Merchant Portal and reporting Merchant Portal is a service provided by the Bank to the Merchant. The Bank defines the content of the Merchant Portal at any given time. The Bank provides the Merchant with administrator codes with which the Merchant’s administrator may create the necessary number of user IDs entitling the access to the Merchant Portal. The Merchant identifies itself to the Merchant Portal by utilising the user ID’s. The Merchant undertakes to keep, and is liable for keeping, the identification data, consisting of a user ID and password, used in the interactive services separate from each other. The Merchant is liable for the proper safekeeping of identification data to prevent all unauthorised third parties from accessing the data. The Merchant acknowledges the fact that a person using the created ID always has access rights to the Merchant Portal and is entitled to represent the Merchant towards the Bank relating to documents set into the Merchant Portal. If the identification data has been lost or the Merchant has reason to suspect that an unauthorised person has gained access to the identification data, it is obligated to prevent unauthorised use and to notify the Bank thereof immediately. The Merchant is liable for informing all its employees and other persons acting on its behalf who use or keep its identification data of the safekeeping obligations. The Merchant acquires the data communications required for the use of the Merchant Portal and is responsible for their functioning, costs and security. The Bank is not responsible for any failures in data


6 (30)

communications or data transfer that do not derive from the Bank. Both parties are responsible for ensuring proper data security for their own data systems and for seeing to it that the systems are protected against unauthorised use in a reliable manner. The Bank sets available to the Merchant in the Merchant Portal (or at option of the Bank or if it has been separately so agreed, sends via e-mail or by mail) a report on the settlements on each Banking Day. In addition, the Bank sets available in the Merchant Portal or sends via e-mail a monthly summary report to the Merchant. The Bank may make changes to the reporting system. If the change adds the Merchant’s obligations or restricts its rights, the change is subject to a prior notification to the Merchant in accordance with clause 16 of Part A Rules. The Bank may give notifications to the Merchant by using the Merchant Portal, as stated in these Rules. 7.5 Use of the service The Bank or the Bank’s service provider does not guarantee uninterrupted use of the service. The Bank or the Bank’s service provider endeavours to rectify faults and errors notified by the Merchant within a reasonable time or, depending on the nature of the fault or error, in connection with further upgrading of the service. The Bank or its service provider is entitled to interrupt the use of the service if this is necessary for the maintenance; repair or upgrading of the service or if there is another justified cause for the interruption. The Bank or its service provider notifies the Merchant of any interruptions in the use of the service in advance, if possible. 7.6 Reserve/security The Bank may demand that the Merchant has to provide security for its obligations to the Bank. This may take the form of a deposit in the Bank, the withholding of settlement or some other form according to the Bank’s demands. The security is to be returned to the Merchant 540 days after the termination of the Merchant Agreement at the latest. 7.7 Inspection of the Merchant’s premises The Bank or a party named by the Bank is entitled, without giving prior notice, to have access to the Merchant’s premises and equipment for handling card transactions in

order to inspect these and ensure that the Merchant’s operations are bona fide and honourable. If the Merchant has a service provider to handle the Transactions, the Merchant must ensure that the Bank is given a corresponding opportunity to inspect this company’s premises and equipment. The inspection pursuant to this provision may take place at least once in a calendar year unless there are unforeseen grounds for carrying out such an inspection more often. Should any error or breach of security regulations be ascertained, the Merchant undertakes to correct these. A site inspection visit report should be generated. The Bank may request the Merchant to replace the equipment. If the Merchant’s equipment or other procedures do not fulfil the requirements set by the Bank, the Merchant shall replace the equipment and/or change the procedures at the Bank’s request in a manner and within the period specified by the Bank. In case of non-compliance with the Bank’s request, the Bank may terminate the Merchant Agreement. 7.8 Miscellaneous The Bank may record the calls to its service numbers. The recorded calls will be processed by the authorised personnel only. Recordings will be used, among others, in the processing of claims and in staff training. The Bank is entitled to give a Payment Service Provider and/or terminal vendor necessary information about the Merchant in order to set up the Merchant POS terminals or other systems for the service correctly. 8. Rights and obligations of the Merchant 8.1 Handing over of Transactions and technical standards The equipment that the Merchant is to use for Transactions and authorisations (such as a terminal), including software, hardware and communications, must be certified and must comply with the prevailing technical standards and guidelines stipulated by the Bank. The Merchant is to send the Transactions, the authorisation requests and authorisation reversals to the Bank (or a collection centre with which the Bank has an agreement) in accordance with the prevailing standard and guidelines stipulated by the Bank. The Merchant is responsible for the functioning, costs and security of its equipment used for


7 (30)

authorisations, gathering and storing information and handing over Transactions. The Merchant may use a Payment Service Provider to process authorisations and transactions, pass them on to the Bank and reverse them. This Payment Service Provider (and any changes of it) must be approved by the Bank before the Merchant starts to use the relevant Payment Service Provider. The Payment Service Provider is to comply with the standards and guidelines which apply to the Merchant. The Merchant is at all times responsible for the Payment Service Provider and liable for its errors, costs, and the like. The Merchant must notify the Bank of its intention to start to use a different Payment Service Provider well in advance in order to receive the approval or denial of the Bank early enough. A special merchant number provided by the Bank must be stated in connection with the sending or reversal of Transactions and authorisations. Where the Merchant Agreement covers several types of card payments the Bank provides a merchant number for each type of card payment under the Merchant Agreement. Transactions are to be deposited with the Bank (or a collection centre with which the Bank has an agreement) within two (2) days after the Transaction date on which the cardholder has authorised the payment at the latest unless otherwise agreed in the Merchant Agreement. The Merchant is always liable to retrieve the feedback on that the Transactions have been sent. If Transactions are received by the Bank (or a collection centre with which the Bank has an agreement) later than by the above-mentioned cut-off time, the Bank may refuse to settle the Transactions or to write back settlements that have been made. It is the Merchant’s responsibility to ensure that the Merchant has received settlement for Transactions which have been sent to the Bank. The Merchant must complain about any lack of settlement within twenty-one (21) calendar days after the Transactions have been handed over to the Bank at the latest. In order to decrease the risk relating to malfunctioning of equipment used to send Transactions to the Bank, the Merchant is advised to send Transactions to the Bank online or at least on a daily basis. The Bank may refuse to settle the Transactions sent to the Bank in an incorrect form.

In the case of any necessary replacement or modification of equipment and system changes, including the introduction of chip cards, the Merchant and Bank are each to pay their own costs. The Merchant is financially responsible for Transactions in which a chip card has been used at a terminal or other solution that is not approved in accordance with the EMV specifications. 8.2 Authorisations and blocking controls The Merchant shall authorise each Transaction unless otherwise stated in the Merchant Agreement, in the specific terms and conditions or in the Merchant Instructions. An authorisation is a confirmation from the card issuer that the payment may be carried out. The authorisation may also provide other information but it does not confirm the correct identity of the cardholder. An approved authorisation alone does not provide the Merchant with a guarantee that the card payment will be settled, see clause 7. The floor limit of authorisations must not be disclosed to any unauthorised third parties (including the cardholder). The entire purchase price (the total amount) must be authorised or verified as one amount. The Merchant cannot evade the floor limit dividing the amount or split sales. If the floor limit is exceeded without authorisation having been obtained, the Bank may reject or reverse the Transaction. Transactions involving Electron or Maestro cards must at all times be authorised online before they are executed. The same applies to cash-back cash withdrawal transactions. If the Merchant receives a blocking notice from the Bank and attempts are made to use a card stated on the notice, the card is to be rejected. An obtained authorisation must be reversed as soon as possible (and however not later than within 24 hours) after a Transaction cancellation or a finalisation of a Transaction for an amount lower than the authorised amount. The Merchant shall ensure (with its PSP) that the reversal has been made. Any authorised amount not reversed must correspond to the Transaction amount. The rules and instructions regarding the manner in which authorisation takes place may


8 (30)

be specified in the specific terms and conditions and in the Merchant Instructions. 8.2.1 Further terms and conditions applicable to the authorisations of MasterCard Transactions In addition to the terms set out in clause 8.2, the terms set out in this clause 8.2.1 are applicable to the authorisations relating to Transactions made using a MasterCard payment card unless otherwise stated in the specific terms and conditions or in the Merchant Instructions. The Merchant must code the authorisation request as either pre-authorisation or final authorisation. Pre-authorisations of Maestro Transactions are allowed only in online shopping in eCommerce environment and at unattended, automated fuel dispensers as set out in the specific terms and conditions or in the Merchant Instructions. Unless otherwise stated in the specific terms and conditions or in the Merchant Instructions, the Merchant shall use the final authorisation in which the authorisation is requested for the final Transaction amount and the Transaction may no longer be cancelled after the authorisation request is approved in full. Each approved final authorisation has a payment guarantee period of seven (7) calendar days from the authorisation approval date unless otherwise stated in the specific terms and conditions or in the Merchant Instructions. A pre-authorisation is an authorisation in which the authorisation is requested for an estimated amount and/or the Transaction may not be completed for reasons other than a technical failure or lack of full issuer approval. Pre-authorisations may only be used in accordance with the specific terms and conditions and/or the Merchant Instructions. Each approved pre-authorisation has a payment guarantee period of thirty (30) calendar days from the authorisation approval date unless otherwise stated in the specific terms and conditions or in the Merchant Instructions. To extend the duration of the payment guarantee period, the Merchant may submit additional authorisation requests for the same Transaction on later dates. A unique identifier from the original approved authorisation of a Transaction must appear in each additional authorisation request. The approved amount of any authorisation with an expired guarantee is deemed to be zero.

8.3 Commissions and other fees The Merchant shall pay to the Bank the fees stated in the tariff of the Bank for the services stated in the Merchant Agreement and other charges, commissions, fees and costs in accordance with the Merchant Agreement. Unless otherwise agreed, the amounts are to be debited in the same currency as the one in which the relevant Transaction is executed and are to be documented by a bank statement or separate statements. All other fees are to be debited in the domestic currency of the Bank, unless otherwise agreed in the Merchant Agreement. The account to which the fee will be debited should be in the same currency as the fee. The Merchant is to ensure that there are always sufficient funds to cover the amount debited. The Bank is allowed to debit the commissions and fees monthly to the Merchant’s account if nothing else is specified in the Merchant Agreement. A tariff and Merchant commissions are part of the Merchant Agreement. The service fees and commissions are debited to the Merchant’s account monthly in Gross settlement option and deducted from the settlement amount in Net settlement option. Should the Merchant Agreement be terminated by one of the parties during a period for which the Merchant has paid a fee, any of the fees may not be refunded to the Merchant. 8.4 Permitted transactions The Merchant is to accept transactions with all types of cards that are within the scope of the Merchant Agreement. Additional rules for the handling of cards and card transactions may be stated in the specific terms and conditions or in the Merchant Instructions. Transactions may only be executed in the domestic currency of the Bank unless otherwise stated in the Merchant Agreement. The Merchant may not hand over Transactions that contravene local or international laws or rules or in which a card has been used to pay for bets in games or similar circumstances or where the cardholder’s payment and/or obligation can be regarded as being invalid by virtue of local law. The Bank may at any time demand that the Merchant must document that Transactions


9 (30)

have been executed in accordance with this Merchant Agreement or the Merchant Instructions. If there is any doubt that this has not taken place, the Bank is entitled, while waiting for documentation, to withhold settlement until the situation has been settled. Should the Merchant have deliberately forced the use of a back-up solution, settlement may be withheld if a dispute regarding the Transaction arises. The cardholder is only to be credited in connection with previously approved Transactions. The credit transaction is to be executed using the same card and card number as the originally approved debit transaction. The Merchant is not allowed to pay cash in connection with any return of goods or other repayments to the cardholder. Unless otherwise specified in the specific terms and conditions, a Merchant may only report Transactions under this Merchant Agreement relating to the purchase of goods and services from the Merchant and subsequent reversals relating to previous Transactions. Therefore a Merchant may not report card transactions relating to the receiving of payment for goods and services provided by other companies, as may occur with a distributor’s handling. Nor may the Merchant report card transactions which concern payment of existing debt or previously rejected checks. After the Bank's special review and prior consent, the Merchant may report Transactions in which the Merchant acts as an agent or intermediary and thereby sells or conveys another party's goods or services or sells or conveys goods or services on another party’s behalf, for example, trips or tickets to events. In the cases where another party may perform the service that the card transactions concern, the Merchant is responsible for the service as if it had been performed by the Merchant itself in accordance with the Merchant Agreement, for example, as regards clause 7.3 Repayment obligation. 8.4.1 Unjustified card usage If the Merchant knew or should have known that the cardholder was not entitled to use the card, the card transaction must not be executed.

In cases of doubt, the Merchant is to conduct more detailed investigations, such as checks of identity of the cardholder, or contacting the Bank before the Transaction is carried out. This applies both in the case of ordinary electronic usage and when using a backup solution. 8.5 Cross-border Acquiring Unless otherwise agreed in the Merchant Agreement, the Merchant may only hand over Transactions relating to the purchase of goods or services from the Merchant in the Bank’s country of domicile. If the Merchant operates in multiple countries and the Merchant and the Bank have so agreed, the Merchant may hand over Transactions also from the other countries specified in the Merchant Agreement at any given time.

For the sake of clarity it is stated that the Merchants operating in cross-border sales must comply with all local laws, regulations and rules in the markets they operate or enter. Furthermore, the Merchant must comply with any regional rules registered with the Card Schemes and informed by the Bank or its service providers to the Merchant.

8.6 Requirements for the Merchant’s services The Merchant must accept all valid cards falling within the scope of this Merchant Agreement as full settlement for the sale of goods and services. The Merchant must accept cards for registration as electronic transactions (terminal) unless otherwise stated. The Merchant undertakes to handle card transactions in a professional manner, to ensure that the personnel who handle card transactions possess the necessary competence and comply with the terms and conditions of the Merchant Agreement, including without limitation Merchant Instructions, and with generally accepted practices in the industry. The Merchant must show that it accepts cards by using stickers in entrance areas and beside payment points and must state in its advertising material the cards that can be used for payment. The Merchant is entitled to use the Bank’s business name and trademark, MasterCard’s and Visa’s trademarks and the trademarks of other cards covered by this Merchant Agreement. This is to be done in the way that the Bank instructs. The Merchant is to remove all trademarks and other symbols and


10 (30)

identifiers of the International Card Organisations from all of its material and its main Point-of-Sale and all Points-of-Sale and Trading Sites immediately after the termination of the Merchant Agreement. The Bank is to a reasonable extent provide the Merchant with advertising and information material relating to card payments. The Merchant must comply with all laws to which it may be subject where a failure to do so is reasonably likely to have a material adverse effect on (i) the business, assets, financial condition or the prospects of the Merchant and/or its group taken as a whole, (ii) the ability of the Merchant to perform its obligations under the Merchant Agreement or (iii) the validity or enforceability of the Merchant Agreement or a part of it. The Merchant has obtained, and must comply with, any material official approval, authorisation, consent, licence or the like required or appropriate for (i) the carrying on by it of its business and (ii) the execution and performance of the Merchant Agreement and any related document and the use of the service under the Merchant Agreement. The Merchant is to promptly inform the Bank of:

• any changes to ownership factors, the board of directors, general manager or contact information required for its operations under the Merchant Agreement,

• any material changes in its business, and

• any circumstances referred to in clause 14 which could entitle the Bank to terminate the Merchant Agreement with immediate effect.

Should the Merchant believe that the Bank has incorrect information about the Merchant, the Merchant must immediately contact the Bank to rectify the matter. 8.7 Filing The terminal records, signed receipts and merchant bookings must be stored in accordance with the prevailing accounting regulations, and according to PCI (see clause 10.1), and for a minimum period of 18 months. If requested by the Bank, purchase receipts, logs, vouchers and suchlike, or if necessary copies of these, must be handed over to the Bank within five (5) days of a request received. If the Merchant uses a service provider to store

documentation, the service provider must hand over the documentation on behalf of the Merchant. This obligation also applies after the Merchant Agreement has expired. Upon request by the Bank, all information that has been compiled during the last eighteen (18) months before the Merchant Agreement has expired must be delivered to the Bank. 8.8 Register of Point-of-Sale terminals The Merchant is liable to have an up-to-date register of all its Point-of-Sale terminals, and also the Point-of-Sale terminals which have been taken out of use. The Bank may at any time ask for such a register and it should at any time be up-to-date. 8.9 Currency indemnity and waiver The Merchant is obliged at the Bank’s request to indemnify the Bank against any cost or loss arisen out of the conversion of a currency in the case of any sum due from the Merchant has to be converted from the currency in which it is payable into another currency for the purpose of filing a claim against the Merchant or obtaining or enforcing an order, judgement or kind and there has been discrepancy between the rate of exchange applied to the conversion and the rate of exchange available to the Bank at the time the Bank receives the sum. The Merchant waives any right it may have in any jurisdiction to pay any amount under the Merchant Agreement in a currency other than that in which it is expressed to be payable in the Merchant Agreement. 9. Duty of confidentiality The parties must not disclose any information regarding the content of the Merchant Agreement or any information that the parties gather in accordance with the rules and instructions of the Merchant Agreement and which relates to the parties or the cardholder. The information may only be disclosed to the Bank, to a service provider engaged by the Bank, to a company or other corporation based in Finland or abroad which belongs to the same domestic or foreign group or economic interest consortium as the bank at any given time or to a company or to some other company that is legally in such a position that information can be disclosed to it and to service providers engaged by the Merchant for handling card transactions. When information is disclosed to the latter type of company, the


11 (30)

duty of confidentiality applies to such company as well. The obligation to maintain confidentiality in accordance with this provision also applies after the Merchant Agreement has terminated. The parties and their service providers must not process personal data obtained from the Transaction apart from that which is necessary for executing the Transaction. The information must not be used in selective marketing measures or other contexts which contravene local rules and regulations. 10. Security requirements The Bank may lay down requirements for the equipment that the Merchant must have for authorisations, gathering and storing information and handing over Transactions. In order to prevent information which is confidential according to the clause regarding the duty of confidentiality becoming known to unauthorised third parties, the Merchant must implement the necessary security measures. The Merchant must implement the security measures that the Bank considers necessary. 10.1 Storage and securing of cardholder data and PCI regulation The Merchant must at all times comply with the common standard PCI (Payment Card Industry Data security standard) and the regulations of Visa, MasterCard and/or the Bank for secure trade and perform the required security checks. These are required where Visa AIS is concerned (Account Information Security) and are available at www.visa.com and where MasterCard is concerned SDP (Site Data Protection) and are available at www.mastercardeurope.com. More information about PCI can be found at https://www.pcisecuritystandards.org/ More detailed rules and instructions regarding what the Merchant must apply may be stated in the specific terms and conditions. The Bank is also entitled to issue security rules and instructions in another manner. The rules and instructions issued by the Bank separately or in the specific terms and conditions can specify, for example, what kind of a technical solution the Merchant needs to have for making authorisation, collecting information, reporting or other measures of handling the transaction data. All the physical and/or electronic storage of cardholder data must take place in such a way and in such a form that the data are

inaccessible to unauthorised third parties. All the access rights must be logged and all users must be assigned a separate user identity. All stored card numbers must be encrypted and CVV2/CVC2 or other sensitive authorisation data must under no circumstances be stored after an authorisation has been made. The Merchant may not save the card verification value in the chip application (iCVV/chip CVC) or the PIN verification value in the magnetic stripe (PVV). Should a Payment Service Provider (PSP) store, process and transfer cardholder data on behalf of the Merchant, the Merchant undertakes to inform the Bank of this. The Merchant’s service provider will in such cases be subject to the regulations mentioned above. The Merchant undertakes to immediately contact the Bank if it suspects fraud, infringement into a system or another incident that can constitute a security risk. Furthermore, the Bank is entitled to delay the settlement of suspicious card transactions until the incident has been investigated. In connection with serious suspicions the Bank is entitled to temporarily stop all card transactions. Should there be reasonable grounds to suspect a breach of security or that cardholder data has gone astray or the PCI rules define that the Merchant has to go through the security scanning, the Merchant must by order of the Bank examine the Merchant’s systems thoroughly, (“vulnerability scanning”). Such an examination must be performed by a PCI-certified data security company. The Merchant must bear all the costs incurred in connection with this. Should the Merchant fail to comply with the PCI DSS requirements and the cardholder data goes astray, the Merchant will be financially liable for the investigations, forensic costs and any losses that arise as a result of misused cards. In addition, the Bank may charge the Merchant for the fines that the card companies impose on the Bank as a result of the Merchant’s incompliance with the PCI DSS requirements. 11. Liabilities 11.1 Liability for Damage Each party is liable for damage caused to the other party by a breach of the Merchant Agreement subject to the limitations set out


12 (30)

below in clause 11.2 and/or in the Merchant Agreement. 11.2 Limitation of liability The parties are not liable for the other party’s losses which arise from a force majeure, amendments to law, measures implemented by the authorities, acts of war, disruption of postal, telephone or data traffic or any other electronic communication networks, data transfer, automatic data processing, interruptions of general transactions, strikes, boycotts, lockouts, blockades or other similar circumstances. The reservation regarding strikes, lockouts and blockades also applies if the parties themselves are the objective of, or themselves initiate, such measures. The parties are not liable for any indirect damage including, without limitation, loss of profits or revenue, loss of savings or business or loss of goodwill. Limitations of liability do not apply to intentional acts or gross negligence or breach of confidentiality obligations. 12. The validity, service utilisation and termination of the Merchant Agreement The Merchant Agreement enters into force and the Merchant may start to utilise the services provided under the Merchant Agreement when the Merchant has signed the Merchant’s application for Card Acquiring Merchant Agreement, the Bank has approved the Merchant’s application for Card Acquiring Merchant Agreement and the Merchant has fulfilled all the conditions precedents set out by the Bank for the utilisation of the service. The Merchant Agreement continues to be in force until further notice. The Merchant Agreement may be terminated by either party by giving a written notice at least three (3) months prior to the termination. The Bank may terminate the Merchant Agreement and block the settlement account with immediate effect if one or more of the following circumstances occur or the Bank suspects might occur:

• One or more items in the Merchant Agreement are breached

• The Merchant has given incorrect or incomplete information regarding its business.

• The Merchant provides services or sells products on the market in a way that in

the opinion of the Bank is contrary to responsible business practice.

• The Merchant’s area of operations has changed since the Merchant Agreement was entered into and the Merchant has not given notice of this or the Merchant has terminated its business or changed its business materially in a way which in the opinion of the Bank is inappropriate for acquiring Transactions

• The Merchant sells or brokers goods or services, or performs other operations which contravene MasterCard’s, Visa’s or another business partner’s regulations.

• There is a reason to suspect that the Acquiring service is being used or will be used for criminal activity or activities.

• The Merchant acts or plans to act in a way that would damage the reputation of the Bank or a third party.

• The number or type of complaints deviates from that which the Bank regards as normal or exceeds by 0.5% the number of Transactions per Merchant ID in a month.

• The Merchant has not fulfilled any or all of its payment obligations towards the Bank when due, or the Bank has right to cancel its commitment towards the Merchant, under an agreement or another undertaking binding between the Bank and the Merchant or the Bank considers that the Merchant’s liquidity is otherwise insufficient.

• The Merchant offers goods or services that, in the Bank’s view, are of such a nature that they contravene the Bank’s policy.

• The Merchant has been engaged in unlawful or criminal acts.

• The Merchant has defaulted on a payment or committed some other fundamental breach of the Merchant Agreement.

• The Merchant’s settlement account is terminated.

• The Merchant starts debt settlement proceedings, goes into liquidation, petitions to be wound up or is forced into bankruptcy.

Such termination must be given in writing. The parties have the right to terminate the acquiring of a certain type of card payments from the scope of the Merchant Agreement. Following the termination of the Merchant Agreement, wholly or partially, the Merchant’s


13 (30)

sales paid for through cards whose acquiring has been terminated immediately cease. When the Bank is entitled to terminate the Merchant Agreement with immediate effect or has reason to suspect that such right to terminate exists, the Bank may refuse to acquire reported Transactions. If the Merchant Agreement is terminated, the Merchant must hand back all the material and equipment it has received from the Bank and immediately stop all sales using the cards covered by this Merchant Agreement. After the termination, the parties are still responsible for Transactions handled during the validity of the Merchant Agreement. For example, the Bank has the right to debit chargebacks and fees to the Merchant’s account. If the Merchant Agreement is terminated due to misuse as defined by the International Card Organisations (e.g. misuse of card data or suspected money laundering) or any other breach of the Merchant Agreement by the Merchant or by any of the Merchant’s service providers, the Bank is entitled to register the reason for terminating the Merchant Agreement in the data systems maintained by the International Card Organisations, where data will be stored for five (5) years from the registration. 13. Intellectual Property Rights All intellectual property rights to the Merchant services and the service descriptions are the property of the Bank. All trademark rights and all other intellectual property rights to Visa and MasterCard trademarks and to other trademarks of the International Card Organisations belong to the appropriate International Card Organisation. The Merchant is not granted any other rights to them, except for those expressly set out in these rules. 14. Amendments to the terms and conditions in the Merchant Agreement and other changes The Bank is entitled to amend the Merchant Agreement and its terms and conditions, such as these rules and charges, commissions and fees. If an amendment to the Merchant Agreement or its terms and conditions does not add the Merchant’s obligations or restrict its rights, or is caused by an amendment to legislation or

Card Scheme rules or a decision of the authorities or is made for critical security reasons, The Bank is entitled to announce the amendment by publishing it on the Bank’s website, at the Merchant Portal, in Netbank or in another electronic channel provided or accepted by the Bank, by sending the amendment to the Merchant via e-mail or by post or they may be otherwise delivered to the Merchant. The amendment comes into effect at the time announced by the Bank. If an amendment to the Merchant Agreement or its terms and conditions add the Merchant’s obligations or restricts its rights, and is not caused by an amendment to legislation or Card Scheme rules or a decision of the authorities or is not made for critical security reasons, Nordea will inform the Merchant of the amendment via Merchant Portal, Netbank or another electronic channel provided or accepted by the Bank, via e-mail, by post or in some other manner agreed separately either electronically or on paper. The amendment enters into force at the time stated by the Bank; however, no earlier than one (1) month from the sending of the notification. If the Merchant does not wish to accept such an amendment, the Merchant may, by giving at least fourteen (14) days prior to the amendment a written notice to the Bank to terminate the Merchant Agreement with effect from the date when the amendment enters into force. Changes of charges, commissions and fees included in the tariff of the Bank are published in the revised tariff. Such changes take effect as of the date indicated by the Bank. In addition, the Bank has the right to issue new or amend the Merchant Instructions with effect from the time announced by the Bank by publishing the Merchant Instructions via the Merchant Portal or by sending them via e-mail or by post or by informing the Merchant of setting them available to the Merchant at the branches of the Bank or by delivering them in some other manner either electronically or on paper. A change of the settlement account must be documented in writing to the Bank 15. Transfer The Merchant may not transfer its rights or obligations pursuant to the Merchant Agreement to a third party without the Bank’s prior written approval.


14 (30)

The Bank is entitled to transfer its rights and obligations pursuant to the Merchant Agreement to another company in the Nordea Group. 16. Notices A written notification sent by post from the Bank is considered to have been delivered to the Merchant on the seventh (7th) day after the notification was sent at the latest, provided the letter is sent to the address which is stated in the Merchant Agreement or which is otherwise known to the Bank. An electronic notification by the Bank to the Merchant is considered to have been delivered to the Merchant no later than on the next day after the Bank has published the notification or has delivered the notification to the Merchant by using at least one of the agreed electronic means. 17. Dispute resolution The parties must attempt to reach an amicable resolution of any dispute relating to the Merchant Agreement. If the parties fail to agree the disputes arising from the Merchant Agreement, they are processed in the District Court of the capital of the country where the Bank has its domicile unless otherwise agreed. The Merchant Agreement is governed by the law of the country where the Bank has its domicile.


15 (30)

Part B Country-specific rules and rules for domestic card programmes

1. in Denmark 2. in Finland 3. in Norway 4. in Sweden 5. in Estonia 6. in Latvia 7. in Lithuania 8. in Poland

Part B – 2. Specific rules for payments in Finland and rules for domestic card programmes The Bank referred to in the Part A, B and C of these Rules of Card Acquiring Merchant Agreement is Nordea Bank Finland Plc. Nordea Bank Finland Plc Domicile Helsinki Business Identity Code 16802358 Aleksanterinkatu 36, Helsinki FI-00020 NORDEA tel +358 9 1651 www.nordea.fi Nordea Bank Finland Plc has been registered in the Trade Register maintained by the National Board of Patents and Registration. The business operations of Nordea Bank Finland Plc are supervised by the Finnish Financial Supervisory Authority, Snellmaninkatu 6, PO Box 103, FI-00101 HELSINKI, tel +358 10 831 51, www.finanssivalvonta.fi. Separate agreements are needed for routing of other card scheme transactions like American Express (AmEx), Diners and PLCs (private label cards). In addition to these terms and conditions, also Nordea Bank Finland Plc’s General Terms Governing Electronic Services for Companies, including the General Terms and Conditions of Payment Terminal Service and the appendix “Instructions on the use of PATU (Bank security) security systems” apply to the routing services and constitute a part of the separate agreement relating to the routing of transactions made by using a payment card of card schemes other than MasterCard or Visa . Authorisations In Finland the Card schemes set country-specific floor limits for authorisations are

followed. The value of the floor limit is the maximum amount the Merchant can complete a Transaction without online authorisation. A party that puts to use higher floor limits than are set or refuses to authorise Transactions that must be authorised has financial liability for possible disputable Transactions. The published floor limits set up to the POS terminal • Apply to EMV chip transactions to determine which Transactions may be authorised offline, • Apply to all Transactions completed at a Merchant that does not have an online-capable Point-of-Sale (POS) terminal, • Do not apply to any magnetic stripe-read face-to-face transaction completed at an online-capable terminal (floor limit is zero), and • Do not apply to any non–face-to-face transactions e.g. unattended terminals or eCommerce (floor limit is zero). Floor limit values are assigned according to the business code of the Merchant (MCC), the transaction category code (TCC), and the geographical location. The Bank informs the Merchant of the floor limits in force at any given time by publishing the floor limits in the Merchant Instructions or by informing the payment service provider of the floor limits required for the POS terminal. Cash withdrawals in connection with payments made with cards The Merchant may offer Cash-back to the cardholder in accordance with the Merchant Instructions. Cash withdrawals in connection with Cash-back may only take place in conjunction with face-to-face purchases and may not exceed the maximum amount set out in the Merchant Instructions. The issuer may decide to have lower Cash-back limits and also if Cash-back is allowed for the card type. A Cash-back transaction is only made in connection with a purchase and it has to be always online authorised. The cardholder receipt must show the purchase amount and Cash-back amount separately. Surcharging The Merchant is entitled to impose an additional charge on the cardholder in connection with purchases made with a Visa or MasterCard only to the extent that it is allowed according to the Finnish law. The Merchant must, in connection with the provision of a service or an item which is paid by card, offer its customer reasonable terms and conditions and ensure that the customer is


16 (30)

clearly informed regarding the terms and conditions for its provision. The charge must be separately shown on the receipt. Restricted loop cards Issuers of cards may issue, in accordance with the Card Scheme rules, cards that only Merchants belonging to a certain business code of the merchants (MCC) may accept for payment. These cards may be destined to be used only for payment of a certain goods and/or with a value of certain minimum/maximum amount e.g. relating to fringe benefits in accordance with the tax regulation. The Merchant accepting restricted loop cards for payment of certain fringe benefits must comply with the laws and regulations as well as with the decisions and instructions of the Finnish Tax Administration regarding fringe benefits in force at any given time.


17 (30)

Part C – Sector- and/or service-specific rules This part contains a specific extract of the terms and conditions applicable to

1. standard payments (POS) 2. mail orders and telephone orders

(MO/TO) 3. online shopping, eCommerce 4. recurring transactions 5. Quasi Cash 6. unattended payment terminals or

cardholder-activated terminals (CAT) 7. hotels 8. car rentals 9. contactless payments

The specific rules apply in addition to the general rules. In the case of any conflict between the specific rules and the general rules, the specific rules prevail. 1 Specific terms and conditions applicable to standard payments (POS) 1.1 Verification If the chip on the card is read without any participation of the Merchant and the cardholder authorises the transaction with PIN, or if the chip is read, at the option of the cardholder, using the contactless interface of the terminal for a transaction under the CVM-required limit, the Merchant does not need to perform the card verification listed below. This is also applicable if the information on the card is read without any participation of the Merchant and the card does not demand any further measures than that the information is read. In connection with purchases, the Merchant must perform the following verifications: 1.1.1 Card verification The Merchant must through ocular inspection of the card ensure that: • the card number, name of the cardholder,

and term of validity are stated on the card • the card does not show any signs of

alteration • the card bears the cardholder’s signature • the term of validity on the card has not

expired • the first four digits of the card number are

identical to the four digits printed on the card directly under or above the card number. In the case the digits are not identical; the Merchant must retain the card and contact the Bank for further instructions.

• the card number on the sales slip is identical to the card number on the card, and

• the term of validity on the sales slip is identical to the term of validity stated on the card.

1.1.2 Customer identification The cardholder must approve that the agreed amount will be debited to the card either through PIN or signature. The Merchant ensures that it is actually the cardholder who approves that the amount will be debited to the card by: (A) Verification with PIN In order for PIN codes to be accepted in connection with customer identification, the card number must be read mechanically. PIN codes are entered using a PIN keypad approved by the Bank. The PIN keypad may only be used at the Merchant where the original installation took place. The cardholder may at no time be requested to enter his or her PIN code where PIN usage is not permitted for the card in question. In connection with return transactions, PIN numbers must not be used. (B) Verification with signature The customer’s signature on the invoice or sales slip must be compared with the signature on the card and with the signature on the valid, official identity verification document issued by the authorities. In addition, the Merchant must verify that the photo on the ID matches the customer. Where the signatures or the photo do not match, the card must not be accepted for payment. 1.2 Collection of information The following information must be collected by the card being read electronically in a terminal or other solution approved by the Bank and distributed to the Bank: • Merchant’s name • address with country code • transaction type (purchase or returned

purchase) • trademark (Visa, MasterCard, Maestro) • acquirer (Nordea) • card number • card expiry (Valid through) • transaction date and time for authorisation • transaction amount • transaction currency


18 (30)

• authorisation code • Terminal Verification Result (TVR),

Application Identifier (AID) and Transaction Status Information (TSI)

• reference number Otherwise the collected transactions follow the specification provided by the Bank or the Bank’s service provider. Manually registered Transactions are not permitted unless approved technical equipment allows this and the Bank and the Merchant have made a special agreement. 1.3 Authorisation All card transactions must be authorised through a terminal or other approved solution. The floor limit is zero (0) if nothing else is laid down in the Merchant Agreement or stated in the Country-specific rules and rules for domestic card programmes as informed in the Merchant Instructions. 2 Specific terms and conditions applicable to mail order and telephone order (MO/TO) 2.1 Permitted transactions These special conditions apply to MasterCard and Visa cards. Transactions using Maestro, Electron and V PAY cards are not permitted. 2.2 Information to be obtained The Merchant must obtain the following information in connection with a Transaction (this should be stated in the customer’s mail order/telephone order):

� cardholder’s name � cardholder’s address (delivery name and

address) � name of the person making the order � card number � card type � card’s expiry date � card’s control digits (CVC2/CVV2), i.e.

the last three digits on the signature panel on the back of the card

� cardholder’s signature (in the case of mail orders)

� transaction currency � transaction date � authorisation code � order date � shipping date � shipping address � description of the merchandise and

services � total amount of the order � order confirmation number

� information on whether the cardholder wishes the Value Added Tax (VAT) amount to be specified

� Merchant name � Merchant location � online address, if any � itemised charges if any

2.3 Authorisation The Merchant must obtain authorisation for the order’s total amount and check the card’s control digits (CVV2/CVC2). This is done by stating the control digits in the authorisation request. The authorisation is carried out by the Merchant’s approved electronic system contacting the Bank or the Bank’s service provider. If the authorisation and/or control digits are not approved by the authorisation request, the Transaction must not be carried out. This section is applicable to Visa Transactions: If more than seven (7) days elapse between the date when the authorisation is made and the date when the goods are sent and the amount is debited, the Merchant must obtain a renewed authorisation for the total amount. If this renewed authorisation is not agreed on, the cardholder must not be debited and the goods must not be delivered. This section is applicable to MasterCard Transactions: If the transaction might not be completed for a reason such as the goods ordered being later found out to be out of stock, the Merchant must obtain a pre-authorisation for the agreed amount and later obtain an additional authorisation to get the duration of the payment guarantee period of seven (7) days extended, if necessary. If the cardholder is debited after the payment guarantee period has expired the transaction may be charged back also on the basis that the card account is permanently closed. 2.4 Requirements for the Merchant’s services The Merchant is to comply with the legislation in force governing sales and marketing via distance selling. Immediately following the order, the Merchant must send the cardholder a written confirmation of the order and inform the cardholder of any cancellation conditions. The ordered goods may not be sent before an authorisation in accordance with clause 3 has


19 (30)

been made. Once the Transaction has been authorised, the goods are to be sent within seven (7) days unless any other agreement regarding delivery has been entered into in writing with the cardholder. 2.5 Delivery of Transactions Transactions may not be handed over until the goods have been sent off to the cardholder. When the goods are sent, the Transaction is to be handed over by the deadlines stated in the general terms and conditions. With mail order, telephone order (MOTO) hosted with an internet Payment Service Provider (iPSP), connected to fraud monitoring, the Merchant is always responsible for fraud and risk if not 3D Secure. 3. Specific terms and conditions applicable to online shopping in eCommerce environment 3.1 A general description of online payments using MasterCard SecureCode/Verified by Visa. With MasterCard SecureCode/Verified by Visa, the Merchant may accept card payments via the Internet and verify a transaction with it (verification service). The Merchant must have installed a payment solution that contains MasterCard SecureCode/Verified by Visa in order to be able to execute Transactions. The MasterCard SecureCode/Verified by Visa functionality applies to cards issued within the MasterCard and Visa EU regions; acceptance of cards issued outside these regions is not covered by a corresponding security level and complaint rules. The Merchant must use software for an online shopping -payment solution in accordance with an agreement with the Bank. This software is not covered by this Merchant Agreement. 3.2 Guaranteed payment Transactions effected using Visa cards and MasterCards over the Internet are in most cases subject to guaranteed payment (see clause 7.3 Repayment obligation of the General rules relating to Merchant Agreement). However, Transactions made using Visa Commercial Cards and MasterCard Commercial Cards issued outside Europe are not subject to guaranteed payment.

3.3. ID check via an issuing bank Once a card number has been registered by the Merchant or its Payment Service Provider, an enquiry will immediately be sent to Visa’s or MasterCard’s register of card issuers and card number series which are included in 3D Secure. The enquiry must be sent in the form and manner defined by the Bank or a service company engaged by the Bank. Where the cardholder’s card is included in 3D Secure, he or she is linked to the card issuing bank’s website. The Merchant assists in such linking service in the manner defined by the Bank or a service company engaged by the Bank. Once the customer has successfully passed the ID check by the issuing bank, he or she is then linked back to the Merchant's website. The Merchant collects CAVV/AAV from Cardholder Web interface and this value must be included in the Transaction according to the 3D Secure specification. In order to ensure that the verification against Visa’s and MasterCard’s register and the following linking, etc., takes place correctly, the Merchant uses software stipulated by the Bank or a service company engaged by the Bank. Such software is not covered by this agreement. 3.4 Permitted Transactions A Transaction pursuant to this Merchant Agreement may only be executed if: o the card in question is covered by

MasterCard SecureCode/Verified by Visa and the cardholder has been successfully identified by the card issuer or

o the card in question is not covered by MasterCard SecureCode/Verified by Visa.

3.5 Information to be obtained The following information is to be obtained by the Merchant with a system approved by the Bank: From the cardholder via the Internet o card number o card’s validity period o trademark with which the card is

associated o cardholder’s name and address o Address Verification Value (AVV) or

Cardholder Authentication Verification Value (CAVV) that the cardholder is given after the attempt of identification with the card issuer.

o shipping address o total transaction amount


20 (30)

o currency in which the purchase has been made

o transaction date o transaction’s reference number o buyer’s name o message confirming the Transaction as a

card transaction o goods or services covered by the

purchase o price for each article or service o VAT share of the total amount and the

basis for the VAT o itemised charges

From the Merchant’s technical system: o the cardholder’s IP address o Merchant’s name o Merchant’s location

From the institution that authorises the payment: o authorisation date o authorisation code o ECI value

The transaction amount and a copy of the cardholder’s receipt(s) are to be obtained from the Merchant’s own system. The information obtained is to be shown in a data medium or printout from such a medium. The Bank must upon request have access to the MPI-log (3D Secure log). 3.6 Authorisation All card transactions must be authorised. The authorisation must take place electronically online in connection with the cardholder entering his or her card number on the Merchant’s website in the form stipulated by the Bank. The relevant Electronic Commerce Indicator (ECI) value must be shown in a request for authorisation. The AVV/CAVV value must also be registered together with the request for authorisation. The Merchant must check the card’s control digits (CVV2/CVC2). This is done by the control digits being stated when the cardholder orders goods or services. This check must produce an approved result. This section is applicable to Visa Transactions: If more than seven (7) days elapse between the date when the authorisation has been made and the date when the goods are sent and the amount is debited, the Merchant must

obtain a renewed authorisation for the total amount. If this renewed authorisation is not agreed on, the cardholder must not be debited and the goods must not be delivered. This section is applicable to MasterCard Transactions: If the transaction might not be completed for a reason such as the goods ordered being later found out to be out of stock, the Merchant must obtain a pre-authorisation for the agreed amount and later obtain an additional authorisation to get the duration of the payment guarantee period extended, if necessary. As a rule, the payment guarantee period of pre-authorisations of MasterCards is thirty (30) days, save for pre-authorisations of Maestro Transactions. The payment guarantee period of both pre- and final authorisations of Maestro Transactions is seven (7) days. If the cardholder is debited after the payment guarantee period has expired the transaction may be charged back also on the basis that the card account is permanently closed. 3.7 Requirements for the Merchant’s services The Merchant is to comply with the legislation in force governing sales and marketing via distance selling. The Merchant is to design its online shop in such a way that complaints are avoided. The online shop must contain information on how to contact the Merchant for complaints or for other reasons. The online shop must be approved by the Bank before it is opened. Similarly, all changes must be approved by the Bank before the online shop can be reopened. The Merchant’s website must state that the Merchant is linked to the MasterCard SecureCode and Verified by Visa services. In addition, the Merchant must meet the MasterCard SPA/UCAF requirements. The Merchant must therefore create UCAF Hidden Fields. These fields must be located and designed as the Bank or the Bank’s service provider states. The cardholder must confirm having read the terms and conditions when making the order. The Merchant must comply with MasterCard’s and Visa’s rules in force for safe e-commerce, including, but not limited to, PCI DSS. When a card transaction is carried out online, the cardholder is to be given an electronic


21 (30)

receipt for the Transaction. The following information must be stated on the receipt: o Merchant’s Internet address, URL o Merchant’s name o Merchant’s organisation number o Merchant’s address o Merchant’s telephone number o card’s validity period o cardholder’s name o total transaction amount o currency in which the purchase has been

made o transaction date o transaction’s reference number o buyer’s name o authorisation code o message confirming the transaction as a

card transaction o goods or services covered by the

purchase o price for each article or service o itemised charges, if any o VAT share of the total amount and the

basis for the VAT. 3.8 Delivery of Transactions Transactions may not be handed over until the goods have been sent off to the cardholder. When the goods are sent, the Transaction is to be handed over by the deadlines stated in the general terms and conditions. When handing over a Transaction, the AAV/CAVV and ECI values are to be sent along with the notification. 3.9 Security requirements The Merchant’s system must at least be able to handle transaction encryption with 128 bits SSL or similar protection factor. Customer-related information in the systems must be protected against access and changes by unauthorised third parties, both employees of the Merchant and others. The updating of a system functionality using open networks must be authenticated in the system using digital signatures or suchlike. Refer also to clause 10 of the general terms and conditions. 4. Specific terms and conditions applicable to recurring transactions If the first payment is an online payment, special conditions applicable to online shopping also apply. If the first payment is a mail order payment, special conditions applicable to mail orders also apply.

The Merchant must clearly state on its website and in its mail-order information that the cardholder is entering into an agreement regarding recurring payments and that this is not just a one-time purchase. If the cardholder withdraws from this agreement, the Merchant’s right to debit the cardholder’s card number ends. The Merchant must have its website and the terms and conditions governing recurring payments that the cardholder agrees on with the Merchant approved by the Bank. The Merchant must also have its recurring payment solution approved by the Bank before being used. The Merchant is not entitled to have guaranteed payments for recurring payments. 4.1 Requirements for the cardholder’s order In addition to information regarding online shopping orders and mail orders, the order must also contain information stating:

• the order is an order involving recurring payments

• the payment period and frequency of the payments (the frequency between the transactions cannot be more than twelve (12) months).

• the duration of the order • the payment criteria • how the order is to be renewed and

cancelled. The Recurring Services Merchant must retain the cardholder’s permission in a format, such as an e-mail, other electronic record or paper, for the duration of the recurring transactions, and provide it upon the issuer’s request.

4.2 Authorisation and permitted Transactions All Transactions must be authorised online. Transactions with Electron, Maestro and VPay are not permitted. The first payment must include a check of the MasterCard SecureCode/Verified by Visa (for online payments) or CVC2/CVV2 (for mail order payments). If the check is not successful, the Transactions may not be carried out. When a card has expired and the cardholder provides information on his or her renewed card, a new first Transaction using this new card must be authorised, including a check of the MasterCard SecureCode/Verified by Visa


22 (30)

(for online payments) or CVC2/CVV2 (for mail order payments). The subsequent Transactions may be executed without these verifications. All authorisation requests must contain the relevant indicator for recurring Transactions. 4.3 Complaints Complaints about the first Transaction (in the case of online payments) are to be dealt with in the same way as for online shopping and complaints about the first Transaction (in the case of mail orders) and all subsequent Transactions are to be dealt with as for mail orders. 4.4 Handing over of transactions All Transactions must contain the relevant indicator for recurring payments. The Transactions must also contain contact information on the Merchant in the field of the Merchant’s name or city address to make it easy for the cardholder to contact the Merchant, if necessary. 5. Specific terms and conditions applicable to Quasi-Cash 5.1 Permitted Transactions Cash-back is not permitted in connection with a Quasi-Cash transaction. Reversals are not permitted. Transactions with Maestro are only permitted if the cardholder is verified by using PIN. 5.2 Verification In connection with purchases, the Merchant must perform the following verifications: 5.2.1 Card verification The Merchant must through ocular inspection of the card ensure that: • the card number, name of the cardholder,

and term of validity are stated on the card • the card does not show any signs of

alteration • the card bears the cardholder’s signature • the term of validity on the card has not

expired • the first four digits of the card number are

identical to the four digits are printed on the card directly under or above the card number.

• the first four digits are also stated on the sales slip.

• In the case the digits are not identical; the Merchant should retain the card and contact the Bank for further instructions.

• the card number on the sales slip is identical to the card number on the card, and

• the term of validity on the sales slip is identical to the term of validity stated on the card.

5.2.2 Customer identification The cardholder must always approve that the agreed amount will be charged to the card by authorising the Transaction by PIN or by signing the invoice/sales slip. The merchant must ensure that it is actually the cardholder who approves that the amount will be charged to the card by verifying the cardholder’s signature according to this routine: (A) Verification with PIN When a PIN code is entered in connection with customer identification, the card number must be read electronically. PIN codes are entered using a PIN keypad approved by the Bank. The PIN keypad may only be used at the Merchant where the original installation took place. (B) Verification with signature The customer’s signature on the invoice/sales slip must be compared with the signature on the card and with the signature on the ID and they must be similar. The Merchant must request the personal identification of the cardholder in the form of a valid, official identity verification document issued by the authorities (for example, a passport, an identification document, or a driving licence) according to law in force. In addition, the Merchant must verify that the photo on the ID matches the customer. Where the ID does not match the customer, the card must not be accepted for payment. The Merchant must verify that the ID does not show signs of alteration. Information regarding the type and number of ID must be stated on the sales slip. These controls must always be performed, even if the cardholder verifies the purchase by PIN or if the card is issued outside the country where the Transactions take place. The Merchant must otherwise at all times comply with the rules and instructions regarding identification issued by governmental authorities, or set out in the agreements


23 (30)

entered into between the Bank and the Merchant. 5.3 Collection of information The following information must be collected by the card being read electronically in a terminal or other solution approved by the Bank and distributed to the Bank: • Merchant’s name • address with country code • transaction type (purchase or returned

purchase) • trademark (Visa, MasterCard, Maestro) • acquirer (Nordea) • card number • card expiry (Valid through) • transaction date and time for authorisation • transaction amount • transaction currency • authorisation code • TVR, AID and TSI • reference number Otherwise the collected transactions follow the specification provided by the Bank or the Bank’s service provider. 5.4 Authorisation All card transactions must be authorised through technical equipment. The floor limit is zero (0). The authorisation must contain information regarding the card number, card expiry, amount and the specific MCC code given by the Bank. The authorisation for a specific purchase is approved when the Merchant receives the control number of the authorisation. Manually registered Transactions are not permitted. If there is something wrong with the card or the terminal solution or other solution used and the card cannot be read electronically, the Transaction must not be performed. 5.5 Handing over the Transactions The Merchant must use the MCC code given by the Bank when reporting the Transactions. 6. Specific terms and conditions applicable to unattended payment terminals and cardholder-activated terminals (CAT) An unattended payment terminal or a cardholder-activated terminal (CAT) Transaction occurs at an unattended electronic POS terminal or by means of a cardholder-controlled electronic device. Since no

Merchant representative is present at the time of the Transaction, it is a non-face-to-face Transaction. 6.1 Types of automatic machines Acceptance in accordance with this Merchant Agreement includes the different types of automatic machines, e.g. ticket dispensing machines, vending machines, automated fuel dispensers, toll booths and parking meters. A self-service terminal with online authorisation capability is an unattended terminal where the Transactions are authorised. A self-service terminal with offline authorisation capability is an unattended terminal where the Transactions remaining below the floor limit may be authorised offline through the EMV chip with or without CVM. The automatic machines or terminals must be approved by the Bank or by a company that the Bank has approved before they can be used. 6.2 Permitted Transactions A card transaction that is carried out using an automatic machine must not exceed the limits set out for certain terminals and advised in the Merchant Instructions. Card transactions which exceed this amount may be rejected by the card issuer if there are valid reasons for doing so. At certain cardholder-activated terminals (CATs), if both the card and the CAT support chip technology, the Transaction may only be completed using the chip. A technical fallback is not permitted at such terminals. 6.3 Authorisation All card transactions must be authorised through technical equipment. The floor limit is zero (0) if nothing else is laid down in the Merchant Agreement or stated in the country-specific rules or in the Merchant Instructions. All intended Transactions at unattended fuel dispensers must be pre-authorised for the maximum amount determined by the cardholder prior to the refill unless otherwise stated in the Merchant Instructions. The pre-authorisation response may be for the full maximum amount requested as a pre-authorisation or for a lesser amount. The final Transaction is guaranteed only up to the pre-authorised amount for a guarantee period of


24 (30)

seven (7) days. If the final amount of the Transaction after the refill is less than the pre-authorised amount, the excess amount of the pre-authorisation must be reversed immediately. Further terms and conditions applicable to authorisations and authorisation reversals at unattended fuel dispensers may be set out in the Merchant Instructions. However all Electron and Maestro Transactions at unattended fuel dispensers must always be pre-authorised and the final Transaction amount may not exceed the level of the obtained authorisation. Chip-initiated transactions may be approved offline, provided that the transaction amount does not exceed the floor limit and the issuer has personalised the card to allow this. A floor limit set out in the Merchant Instructions, or its equivalent in local currency, will apply to chip-initiated transactions at an unattended terminal (UAT) within Visa Europe unless the market has a different floor limit. 6.4 Requirements for the Merchant In order to limit the risk of misuse, the Merchant must secure the automatic machine and its environment in the best way possible. The cardholder must be able to choose to receive a receipt for the Transaction. The receipt must state the following information:

• Merchant’s name • Merchant’s organisation number • location of the automatic machine • time and date of the transaction • masked card number • currency in which total amount of the

transaction has been carried out • transaction’s reference number • authorisation reference • VAT percentage of the total amount.

7. Specific terms and conditions applicable to hotels and other lodging services In this clause 7, a reference to a hotel shall be read and construed as a reference also to other lodging services. 7.1 Guaranteed reservation When the cardholder contacts a hotel to make a booking, the hotel must

1. obtain information on the card number, the card’s expiry date, the cardholder’s name as stated on the card and the cardholder’s address

2. inform the cardholder about: the price of the room (including taxes and charges), the hotel’s address and the booking

number for the booking, and advise the cardholder to retain this number

3. inform the cardholder about: the hotel’s cancellation rules, including that the room is booked until the check-out time on the day after arrival, that cancellation must take place by 6pm (in the hotel’s time zone) on the expected arrival date and that, if the room is not used or cancelled, the cardholder will be debited for one night’s stay (“no show”). This is not applicable if the cardholder made the hotel reservation within 72 hours before the supposed arrival.

If the cardholder wishes to receive a written confirmation of the order, the hotel must include in it all the information stated in sections 1-3 above (only the last four digits of the card number are to be shown).

7.2 Cancellation If the cardholder cancels the booking, the hotel must

• give the cardholder a cancellation number

• advise the cardholder to retain the cancellation number

• enter the cancellation in the hotel’s booking system

• send the cardholder a written confirmation of the cancellation that contains the card number (only the last four digits), the expiry date, the cardholder’s name taken from the card and the cancellation number.

The hotel or its third-party booking agent must not require a cancellation notification more than 72 hours before the scheduled arrival time and date agreed at the time of the booking. If the cardholder makes the reservation within 72 hours of the scheduled date, the cancellation deadline must be no earlier than 6pm (local time) on the arrival date. 7.3 “No show” If the cardholder does not arrive at the hotel and has not cancelled the booking, the hotel may debit the cardholder for one night’s stay and write “no show/guaranteed reservation” in the signature area on the copy of the receipt. The authorisation and handing over of “no show” Transactions and the storage of receipts must take place in accordance with the general terms and conditions applicable to this agreement. If a card transaction that has been debited for a “no show” transaction is unknown to the issuer and the issuer charges back the


25 (30)

transaction, the hotel will be debited with the amount of the Transaction. The hotel must store the original booking information and room number for 18 months after the date when the Transaction is handed over; see clause 11 of the general terms and conditions. When a cardholder uses the Hotel Reservation Service, and does not claim or cancel the accommodation, the hotel or its third-party booking agent must complete a transaction receipt that must contain the following:

• amount of one night's lodging plus applicable tax

• cardholder’s name • account number • card expiry date and • the words “No-Show” on the signature

line of the Transaction receipt. 7.4 Overbooking If the hotel does not have a room available for the cardholder when the cardholder arrives, the hotel must at no extra cost to the cardholder

• assign the cardholder a comparable room at another hotel

• arrange transport to this hotel • allow a long distance phone call in

accordance with the cardholder’s wishes • pass on all messages and phone calls to

the cardholder to this hotel. 7.5 Booking via an agent The hotel is responsible for bookings that take place via agencies/agents. It is the agent’s responsibility to ensure that cancellations which have been reported to agents are passed on to the hotel. 7.6 Authorisation When the cardholder arrives at the hotel, the hotel and the cardholder are to fill in and sign a registration form. In addition to other information, the form must state the subsequent amounts that the hotel may debit after the cardholder has left, and the cardholder’s agreement to be willing to accept these. 7.6.1 Further terms and conditions applicable to the authorisations of Visa Transactions When authorising a Transaction to be made using a Visa payment card, the hotel is to calculate the estimated cost of the cardholder’s stay based on the duration of the stay and the

room price and obtain authorisation for this amount on the terminal. The hotel must inform the cardholder of the size of the authorised amount. The terminal receipt is to be stored together with the registration form during the cardholder’s stay. If the amount debited to the cardholder during the stay exceeds the authorised amount by more than 15%, the hotel is to obtain authorisation for the estimated additional amount. This may take place several times during the stay. The terminal receipt for the additional authorisation is to be kept together with the registration form. When the cardholder is leaving the hotel, the cardholder’s bill is to be made ready and a Transaction involving the total amount is to be carried out using the terminal. The cardholder is to key in his or her PIN code or sign the terminal receipt or use other approved cardholder verification method (CVM). If the total amount exceeds the already authorised amount(s) by less than 15%, the hotel does not have to obtain any further authorisation (save for payments with Electron). If the total amount exceeds the already authorised amount(s) by more than 15%, the excess amount must be authorised. Electron Transactions must always be authorised for the final amount. The Transaction is to be handed over to the Bank in accordance with the general terms and conditions. If the authorised amounts are larger than the bill’s total amount, the hotel must reverse the the excess amount. 7.6.2 Further terms and conditions applicable to the authorisations of MasterCard Transactions When authorising a Transaction to be made using a MasterCard payment card, the hotel is to calculate the estimated cost of the cardholder’s stay based on the duration of the stay and the room price and obtain a pre-authorisation for this amount on the terminal. The hotel must inform the cardholder of the size of the pre-authorised amount. The terminal receipt is to be stored together with the registration form during the cardholder’s stay. Maestro payment cards may not be used to pre-authorise a hotel stay. Authorisations of Maestro Transactions must be made as final authorisations by using either pre-payment of hotel stay or final payment once the amount is known.


26 (30)

If the amount debited to the cardholder during the stay exceeds the pre-authorised amount, the hotel is to obtain an additional pre-authorisation for the estimated additional amount. This may take place several times during the stay. The terminal receipt for the additional authorisation is to be kept together with the registration form. When the cardholder is leaving the hotel, the cardholder’s bill is to be made ready and a Transaction involving the total amount is to be carried out using the terminal. The cardholder is to key in his or her PIN code or sign the terminal receipt or use other approved cardholder verification method (CVM). If the total amount exceeds the already pre-authorised amount(s), the excess amount must be authorised with a final authorisation. The Transaction is to be handed over to the Bank in accordance with the general terms and conditions. If the authorised amounts are larger than the bill’s total amount, the hotel must reverse the excess amount. 7.6.3 Interim billing For stays lasting more than fourteen (14) days, the hotel is advised to prepare the cardholder’s bill after fourteen (14) days, carry out a Transaction for this amount and send the Transaction to the Bank. Thereafter, a new 14-day bill period is to be started as stated above. 7.7 Express checkout Upon arrival at the hotel If the hotel allows an express checkout, the cardholder must fill in and sign an express checkout form, which can be part of the hotel’s registration form, for example. This form must as a minimum state the hotel’s name, address and telephone number, the cardholder’s name and address, room number and signature, and card number. The form must clearly state that the cardholder is asking the hotel to debit the cardholder’s card number for the final hotel bill without the cardholder having to sign for this. The hotel must read the chip in a terminal and carry out the normal authorisation procedure. Upon departure from the hotel The hotel is to prepare the cardholder’s bill for the stay and carry out a terminal transaction for the total amount.

This section is applicable to Visa Transactions: If the total amount is less than 15% more than the already authorised amount(s), the hotel does not have to obtain any further authorisation. If the total amount exceeds the already authorised amount(s) by more than 15%, authorisation must be obtained for the excess amount. This section is applicable to MasterCard Transactions: If the total amount exceeds the pre-authorised amount(s), a final authorisation must be obtained for the excess amount. The words “signature on file – express checkout” if it is a MasterCard trademark and Priority Check Out if it is a Visa trademark must be noted in the terminal receipt’s signature area. The Transaction is to be handed over to the Bank in accordance with the general terms and conditions. The hotel must send a copy of the hotel bill, terminal receipt and express checkout form to the cardholder within three days of the cardholder checking out of the hotel. The hotel must store all documentation for eighteen (18) months and send a copy to the Bank, if requested. 7.8 Subsequent debiting of the cardholder If stated on the registration form, the hotel may subsequently debit the cardholder for his or her use of room service, the telephone, minibar and restaurant. The hotel cannot subsequently debit the cardholder for defects in, damage to or thefts from the room. The subsequent debiting is to be carried out as a terminal transaction and the words “signature on file” are to be noted in the receipt’s signature area. The Transaction must be authorised. A copy of the terminal receipt and a bill specifying the items subsequently debited are to be sent to the cardholder. 8. Specific terms and conditions applicable to car rental 8.1 Requirements stipulated for the Merchant The Merchant needs to send a written booking confirmation to the cardholder via e-mail or by letter. When the cardholder collects the car/vehicle, the Merchant and the cardholder must fill in and sign a rental contract. In addition to other information, the rental contract must state the amounts that the Merchant may debit after the


27 (30)

cardholder has returned the car and the cardholder’s acceptance of the fact that amounts may be subsequently debited. Subsequent debits may cover fuel, traffic fines, tolls and damage to the car. If the Merchant allows an express return, the cardholder is to fill in and sign an express return form, which can be part of the rental contract, for example. The Merchant should ensure that all the terms and conditions relating to subsequent debits and express returns are clearly stated to the cardholder and shown on the same side of the form as the cardholder’s signature. 8.1.1 Further terms and conditions applicable to the authorisations of Visa Transactions The Merchant is to calculate the estimated amount for the cardholder’s rental period based on the length of the period, the rental price and possibly kilometre price and obtain authorisation for this amount via the terminal. No amount for possible damage to the car or for a collision/loss damage waiver is to be included in the authorised total amount. The Merchant must inform the cardholder of the size of the authorised amount. The terminal receipt is to be stored together with the rental contract during the rental period. If the amount charged to the cardholder during the rental period exceeds the authorised amount by more than 15%, the Merchant is to obtain authorisation for the estimated additional amount. This may take place several times during the rental period. The terminal receipt for an additional authorisation is to be stored together with the rental contract. 8.1.2 Further terms and conditions applicable to the authorisations of MasterCard Transactions The Merchant is to calculate the estimated amount for the cardholder’s rental period based on the length of the period, the rental price and possibly kilometre price and obtain a pre-authorisation for this amount via the terminal. No amount for possible damage to the car or for a collision/loss damage waiver is to be included in the authorised total amount. The Merchant must inform the cardholder of the size of the pre-authorised amount. The terminal receipt is to be stored together with the rental contract during the rental period. Maestro payment cards may not be used to pre-authorise a car rental. Authorisations of

Maestro Transactions must be made as final authorisations by using either pre-payment of car rental or final payment once the amount is known. If the amount charged to the cardholder during the rental period exceeds the pre-authorised amount, the Merchant is to obtain an additional pre-authorisation for the estimated additional amount. This may take place several times during the rental period. The terminal receipt for an additional pre-authorisation is to be stored together with the rental contract. 8.1.3 Damages When the car is returned, the cardholder’s bill is to be prepared and a Transaction for the total amount is to be carried out in the terminal. If the cardholder has agreed to a collision/loss damage waiver (CDW/LDW) in the rental contract and damage has been incurred, the Merchant may include the collision/loss damage waiver amount in the total amount for the rental period. If the cardholder has not agreed to a collision/loss damage waiver, the amount relating to the damage must only be debited to the cardholder’s bill if the cardholder has accepted this in the rental contract and the cardholder has agreed to the damage amount. This section is applicable to Visa Transactions: Debits relating to damage must be authorised and carried out as a separate terminal transaction using the cardholder’s PIN code or signature or other approved cardholder verification method (CVM). The Merchant must give the cardholder a credible estimate on the cost of the repair work and tell him/her that the amount may be altered in connection with the repair work. The final cost of the repair must not exceed this estimate by more than 15%. If the final amount is less than the estimated amount, the Merchant must reverse the excess authorisation amount. This Transaction must be handed over to the Bank within thirty (30) days of the previous Transaction to which it is related. The cardholder keys in his or her PIN code or signs the terminal receipt or uses some other approved cardholder verification method (CVM). If the total amount exceeds the already authorised amount(s) by less than 15%, the Merchant does not have to obtain any further authorisation. If the total amount exceeds the already authorised amount(s) by more than 15%, authorisation must be obtained for the excess amount. The Transaction must be


28 (30)

handed over to the Bank in accordance with the general terms and conditions. This section is applicable to MasterCard Transactions: Debits relating to damage must be pre-authorised and carried out as separate terminal transactions using the cardholder’s PIN code or signature or other approved cardholder verification method (CVM). The Merchant must give the cardholder a credible estimate on the cost of the repair work and tell him or her that the amount may be altered in connection with the repair work. The final cost of the repair may not exceed this estimate. If the final amount is less than the estimated amount, the Merchant must reverse the excess authorisation amount. The cardholder keys in his or her PIN code or signs the terminal receipt or uses some other approved cardholder verification method (CVM). If the total amount exceeds the pre-authorised amount(s), a final authorisation must be obtained for the excess amount. The Transaction must be handed over to the Bank in accordance with the general terms and conditions. 8.1.4 Interim billing For rental periods of more than fourteen (14) days, the Merchant is advised to prepare the cardholder’s bill after fourteen (14) days, carry out a Transaction for this amount and send the Transaction to the Bank. Thereafter, a new 14-day bill period is to be started as described above. 8.2 Express return When the car is returned Once the cardholder has returned the car, the Merchant is to prepare the cardholder’s bill for the rental period and carry out a terminal transaction for the total amount. This section is applicable to Visa Transactions: If the total amount exceeds the already authorised amount(s) by less than 15%, the Merchant does not have to obtain any further authorisation. If the total amount exceeds the already authorised amounts by more than 15%, an authorisation must be obtained for the excess amount. This section is applicable to MasterCard Transactions: If the total amount exceeds the pre-authorised amount(s), a new final authorisation must be obtained for the excess amount.

The words “signature on file – express return” must be noted in the terminal receipt’s signature area. The Transaction is to be handed over to the Bank in accordance with the general terms and conditions. The Merchant is to send a copy of the itemised bill, terminal receipt, rental contract and express return form to the cardholder within three (3) days of the cardholder returning the car. The Merchant is to store all the documentation for eighteen (18) months and send a copy to the Bank upon request. 8.3 Subsequent debiting of the cardholder If stated in the rental contract, the Merchant may subsequently debit the cardholder for fuel consumption, any extended rental period, traffic fines, parking fines and tolls. The subsequent debiting is to be carried out as a terminal transaction and the words “signature on file” are to be noted in the receipt’s signature area. The Transaction must be authorised. Subsequent payments are to be carried out within ninety (90) days of the cardholder having returned the car. A copy of the terminal receipt and an itemised bill for the subsequent debiting must be sent to the cardholder. In addition to the above special terms and conditions for car rental, the following Operating Principles set out in clauses 8.4–8.10 apply to cardholders with Visa cards issued within the Visa Europe region. In the case of any conflict between these Operating Principles and the other specific terms and conditions applicable to car rental, the Operating Principles prevail. 8.4 Car Rental Reservation Service A car rental company or its third-party booking agent that accepts Visa cards must follow the requirements of the Car Rental Reservation Service if it accepts Visa cards to guarantee car rental reservations. Written confirmation to the cardholder must be sent either by mail, fax or via e-mail. 8.5 Car rental information The car rental company must communicate the cancellation policy and procedures to the cardholder during the reservation process. At the time of reservation, the car rental company or its third-party booking agent must inform the cardholder of the reserved car rental


29 (30)

rate, currency and the exact name and physical address of the location the car is to be collected from. If the car rental company wishes to charge a no-show fee, the car rental company or its third-party booking agent must inform the cardholder that a no-show transaction up to the value of one (1) day’s rental at the reserved car rental rate will be debited to the cardholder if the cardholder has not either: • collected the vehicle within 24 hours of the collection time, or • properly cancelled the reservation in accordance with the communicated car rental company’s cancellation policy If the car rental company wishes to charge a no-show transaction, the car rental company or its third-party booking agent must confirm in writing as part of the reservation confirmation the value and the currency of the fee that will be debited to the cardholder. 8.6 Reservation confirmation The car rental company or its third-party booking agent must provide a confirmation code and advise the cardholder to retain it for future reference. The car rental company or its third-party booking agent must provide the cardholder with this information as a written confirmation with the following information relating to that booking: • cardholder’s name, account number and card expiration date • confirmation code • exact physical address the car is to be collected from • hours of operation of the collection and the return outlets • cancellation policy and procedures 8.7 Cancellation period The car rental company or its third-party booking agent must not require a cancellation notification more than 72 hours before the scheduled collection time and date agreed at the time of the booking. If the cardholder makes the reservation within 72 hours of the scheduled pickup date, the cancellation deadline must be no earlier than 6pm (local time of the Merchant outlet on the pick-up date).

8.8 Cancellation confirmation The car rental company or its third-party booking agent must provide a cancellation code for cancellations made in accordance with the communicated cancellation policy and advise the cardholder to retain it. The car rental company or its third-party booking agent must send a written confirmation of the cancellation code to the cardholder within five (5) business days of the cancellation date. 8.9 Unclaimed rentals If the cardholder has not claimed or cancelled the car rental by the specified time, the car rental company or its third-party booking agent must hold the car available according to the reservation for 24 hours from the collection time. If the car rental remains unclaimed by the cardholder, the car rental company may process a no-show transaction. 8.10 Unavailable rentals If rentals guaranteed by the Car Rental Reservation Service are unavailable, the car rental company must provide the cardholder with a car in an equivalent group or higher at no extra charge. 8.11 Damage, fuel and extra charges confirmation The cost to repair the damage to the car needs to be charged as a separate Transaction. If the costs are paid with a MasterCard trademark, the Merchant needs to send an estimated cost approval which the cardholder needs to sign or the Merchant has no right to make the charge. If the car is paid with a Visa trademark, the Merchant has to send an estimated cost approval to the customer and the customer can contact the Merchant to propose another garage. After that the Merchant should wait for twenty (20) days before debiting the card. Every page of the car rental contract should be signed by the cardholder. The car rental company must ensure that the cardholder is advised at the time of making a reservation that a confirmation receipt is available during the hours of operation of the outlet to which the rental car is returned. The confirmation receipt confirms the mutually agreed condition of the car upon return. The car rental company must provide written confirmation of the cardholder’s decision to request or not to request a confirmation receipt as part of the reservation confirmation.


30 (30)

The car rental company must provide the cardholder with a written confirmation of the following: • The visible damage status of the car upon return. If there is no visible damage, this must be clearly stated on the written confirmation and the car rental company must not process a delayed or amended Transaction for visible damage to the car • The fuel status of the car upon return. If there are no extra fuel charges, this must be clearly stated on the written confirmation and the car rental company must not process a delayed or amended Transaction for extra fuel. • The date and time of the return. If there are no extra rental charges as a result of extended timeframes, this must be clearly stated on the written confirmation and the car rental company must not process a delayed or amended Transaction for one (1) extra day’s rental or more. If the cardholder returns the car using an express drop-off facility, the written confirmation receipt must be sent to the cardholder within five (5) business days of the car return date. This confirmation receipt should be retained by the cardholder if required for future reference. A car rental company may only process a delayed or amended Transaction if the cardholder has given his or her prior written consent to incur such delayed or revised charges. For delayed or revised charges relating to damage, the car rental company must provide the cardholder with a written confirmation of the details of the damage, the currency of the damage amount and the value of the damage amount within ten (10) business days of the car return date. For delayed or revised charges relating to damage where the car rental company has written to the cardholder, the cardholder may provide a written confirmation of an alternative estimate for the damage amount at no cost to the cardholder. The cardholder must provide the car rental company with the written confirmation of an alternative estimate within ten (10) business days of receiving the written confirmation of the original details of the damage from the car rental company. For delayed or revised charges relating to damages, the car rental company must wait twenty (20) business days from the date of the

confirmation receipt was delivered to the cardholder before processing the Transaction. Other delayed or revised charges may still apply. 9. Contactless payments A Cardholder (or a holder of a mobile payment application) may make at its option a low-value Transaction in the amount up to the CVM-required limit set out in the Merchant Instructions without authorising the Transaction with PIN (unless the cardholder’s authorisation by PIN is required by the terminal due to the contactless feature of a card) by using a card (or a mobile payment application) personalised by the issuer to be able to perform contactless payment Transactions. In contactless payment Transactions the chip is read using the contactless interface in a terminal. Transactions exceeding the CVM-required limit or Transactions where the cardholder’s authorisation by PIN is required for security reasons may only be accepted by the Merchant if the verification procedures are performed in accordance with clause 1.1 of the Part C Rules. If the cardholder selects to use contactless payment for a payment of less than the CVM-required limit, the Merchant must always provide the cardholder with receipt at the cardholder’s request. In order to receive contactless payments the Merchant must have a terminal displaying the contactless symbol, supporting offline and online transactions and contact, contactless and magnetic stripe payments, supporting signature as a CVM and otherwise fulfilling the requirements set out in the Merchant Instructions and other requirements for POS terminals. If a purchase transaction is made using the contactless card or device, the return transaction must also use the contactless device. The return process will need to account for contactless mapped transactions. In addition clause 1 in the Part C Rules is applicable to contactless payments.

rules of card acquiring merchant agreement 11 …...rules of card acquiring merchant agreement...

Documents