e-comm sales process brief milan .doc

Title - Level 2 (Font: Verdana, 10, bold, grey)

E-commerce presales/sales process

Brief best practice guide


1. Introduction

1.1. What are benefits from e-commerce acquiring for the Banks?

Major benefits for the acquiring Banks from adoption of e-commerce are: retaining and increasing customer base

o strengthening relationship with existing Bank clients willing to expand their business to e-commerce card acquiring,

o expansion to new merchant industry segments (e.g. HOREKA and renting agencies),

increased card acquiring merchant acquisitions, margins & total revenues, improved competitive edge,

o extended application of new technologies & improved Bank image as an technological leader,

the ability to use existing Web space for marketing towards key merchants and to attract cardholders.

1.2. What are the general (business & technical) prerequisites on Bank side for e-commerce implementation?

The Bank should ensure following activities are performed before e-commerce service is offered to merchants:

Technical preparation:o Get template language package in English from ISPC and return it with

local language translation of language files and bank's logo for the Merchant Center of Service

o Decide what will be the URL of Service o ISPC and the Bank must define details of specific Service’s usage (e.g. card

brand, type of possible transaction, the model of Merchant integration with Services, the back office reports about transactions made, additional CMS fields for the Merchants…)

o Merchant migration approach TBD by the bank Preparation of documentation for potential Merchants:

o Integration & administration manuals (with ISP Card’s help) o General introduction for potential e-commerce merchantso Merchant´s Request for Card Acceptance o Merchant contract templateo Business policy & general standards that Merchants should follow

Training of:o Bank’s technical stuff which will operate on the Service by ISP Cardo Bank’s fraud prevention team o Bank’s sales stuff

The Bank must perform User Acceptance Test on the Bank pilot Merchant

2. E-commerce presales/sales process


2.1. Initial contact with merchant

As previously mentioned one of prerequisites for conducting e-commerce sales activities towards merchants is training of Bank's authorized sales personnel.

Initial contact with merchant can be initiated by: merchant (by e-mail, by phone or by visit to Bank's premises); Bank's authorized personnel (e.g. E-commerce Sales Manager or Agent).

Banks should provide following information to merchants: Description of Service in few sentences Benefits for Merchants and their clients Service details & security standards Graphical description of Service

The Bank should train its sales stuff about its business policy regarding e-commerce and about preferred sales approach.

Example of general introduction document for introduction of merchant with e-commerce service:

2.2.New E-commerce merchant application

After initial contact Bank's authorized personnel should send to a merchant initial Merchant application form in order to ease collection of merchant applications.

The Bank (responsible unit or employee) should ensure that each new E-commerce merchant fills Merchant application form1 before signing the Merchant agreement2. The Merchant application form should be inserted in the Merchant file, and should be available to all responsible organization units that participate in merchant relationship and monitoring management3.

Example of E-commerce merchant application:

The Merchant application form should4 contain at least the following information:- Merchant name and the web site name that is visible to cardholders (doing-

business-as or trade name available on web site),

1 This activity should be performed even if the merchant, with existing acquiring relationship, wants to expand relationship to E-commerce acquiring.

2 Merchant’s responsible employee can contact Bank’s responsible unit / employee by E-mail request, by visiting Bank’s responsible employee (relationship manager) in branch etc. Also, Bank’s Acquiring sales team employees can contact Merchant for acquisition.

3 For example: organization unit responsible for relationship management, sales management, fraud management, risk management, complaint management.

4 For example, a draft of this form is attached in Appendix A, and the Bank can use it to create own Merchant application form.


- Relevant merchant data: merchant registration name, business address, company registration address, point of sale address, registration numbers, tax numbers, ID numbers,

- Merchant’s principal contact details: name, date of birth, place of birth, address, telephone number(s), e-mail, ID number, copy of ID used for identification5, personal identification number,

- Information about merchant’s authorized person and management board: name, date of birth, place of birth, address, telephone number(s), e-mail, ID number, copy of ID used for identification, personal identification number,

- Detailed description of merchant’s business6

- Type of company / business structure (for example; small business, limited liability company, joint stock company)

- Copy of licenses and/or registrations forms that are obligatory or proposed by local regulation7

- Detailed information about business with prior acquirers - if applicable8. - Information about previous years turnover – if merchant has previously

established relationship in acquiring business- Information about merchant’s expected average turnover in E-commerce

acquiring business (monthly or annual projection)9.

If a Merchant is bank’s new client without any previous relationship, Bank’s responsible unit or employee must fill or attach a copy of Know Your Customer Questionnaire (KYC) in Merchant file.

The Bank should ensure that the bank’s financial institution name, contact address, and contact phone numbers are prominently displayed on the merchant application form in a font size that makes this information conspicuous to the reader10.

During this initial stage the Bank should also share with merchant document describing its business policy regarding e-commerce (e.g. standards expected from e-commerce sales outlet etc.):

- Needs translation

2.3.Merchant premises inspection

5 For identification purposes, the responsible employee always should use valid ID document with picture. 6 For example, if the Merchant is newly acquired entity without previously relationship with Bank, the Bank

(responsible unit or employee) can obtain a business plan, description of merchandise, and copies of all relevant marketing materials, including catalogs, brochures, telemarketing scripts, and print and broadcast advertisements.

7 Bank (responsible unit or employee) should ask merchant to attach copy of permit or approval if they are proposed by local law for specific type of business. These documents should be also inserted in Merchant file.

8 For example, the Bank (responsible unit or employee) should ask the merchant for reason for termination with

prior acquirers. If exists, the Bank should include this information in Merchant application form, and this information should be important part of risk analysis in later Merchant approval process.

9 If the merchant has previously relationship in acquiring business, the Bank should also analyse actualized turnover (total sales amount), fraud and chargeback amounts for each existing acquiring channel (EFT POS, MO/TO). This information is important part of merchant approval for E-commerce service.

10 Beside Bank’s general contact information, responsible relationship manager's or sales agent’s name and contact information also can be included.


After receiving Merchant application form by appropriate communication channel11, and before signing a Merchant agreement, the Bank (responsible unit or employee) should at least12:

Confirm description of merchant’s business and other information given in Merchant application form. This should be performed by:

inspection of all premises and records13, inspection at least one outlet (point of sale) from which it will

acquire transactions – if exists14 15,

Collect and verify, at least:

- uniform Resource Locator (URL - also known as the website address) and Internet Protocol (IP) server address for the merchant website(s),

- contact details for the merchant’s website hosting service (telephone numbers, e-mail addresses, name of responsible personnel),

- e-mail addresses and phone numbers for merchant customer service16,

- description of any links on the merchant’s website to other sites to which they may or may not be affiliated.

Collect following information to gain knowledge of the merchant’s expected business revenue:

- projected total sales volume per year

- projected credit and debit volume per year

- actual chargeback volume (only if Merchant has previously established acquiring relationship with Bank)

- period between the purchase and actual delivery of goods

2.4. Merchant approval

11 For example; E-mail.12 For example, Checklist form or Merchant premises inspection document can be used to collect this type of

information. Note that any type of used document should be inserted in Merchant file and must be a part of risk analysis in Merchant approval process.

13 Note that card schemes rules require that Bank must verify that merchant has the proper facilities, equipment, inventory, agreements, and personnel required and if necessary, license or permit and other proposed capabilities to conduct the business.

14 In this activity, the Bank (responsible unit or employee) at least should collect and verify:

- Information about point of sale address, - Information about type of location (for example: storefront, indoor shopping mall, or office)- Information about position of merchant’s point-of-sale (for example: in apartment, house,

warehouse, shopping mall)- Information about point of sale property (for example: merchant owns or leases the Point of

sale location)- Information about duration of merchant’s business at inspected location- Information about inventory (is it appropriate for stated business)- Information about merchant’s warehouse details- Point of sale contact information (name, telephone, e-mail, working hours)- Point of sale photos

15 If the merchant has no point of sale location (store), the responsible Bank’s employee should visit merchant’s headquarters at registration address or other appropriate location – if applicable. The Bank’s responsible employee also should visit warehouse if it exist and if it is possible.

16 For example, Bank (responsible unit or employee) can verify that a merchant’s e-mail address is valid by sending a message to that address. An alert should be triggered if the message is returned as “undeliverable” or “bounced.” In addition Bank also should check the merchant’s customer service for its quality response and timeliness – by sending mail to known e-mail address.


After the merchant inspection, the Bank (responsible unit or employee) should conduct risk analysis based on information collected in Merchant application form and Merchant premises inspection document17.

The risk analysis at least should include:

- confirmation that merchant’s business is fully compliant with local regulatory and card schemes rules18

- MATCH19 inquiry and/or VMTS20 inquiry activities. Inquiry request (printed version) should be part Merchant file.

Bank's authorized personnel should also evaluate e-commerce business potential of concerned merchant on similar/same way as for EFT-POS acquiring merchants.

If all requirements are met, the Bank (responsible unit or employee) can approve merchant’s request for E-commerce service21. The approval should include Four eyes approval principle22.For Merchants23 that have:

- previously established relationship with Bank and/or

- previously established relationship with other local bank24, the Bank can create specific approval process that will make easier complete acquisition and approval process25.

The Bank (responsible unit or employee) should not accept merchant’s request for E-commerce service which does not consist all of above mentioned documents or if the risk analysis results are not acceptable for Bank, Group or card schemes business policy.26 27

The Bank should include all above mentioned documents and information in Merchant file.

2.5. Merchant agreement

17 To help in estimation of risk that should be conducted by responsible unit or employee, Bank can create approval decision matrix or approval checklist document.

18 The illegal sale of prescription drugs (illicit pharmaceutical sales), illegal sale of tobacco products, images of non-consensual sexual behaviour, child pornography, Internet gambling in jurisdictions where it is illegal, the sale of counterfeit merchandise, the sale or violation of intellectual property rights, sales of modification chip used to modify or disable built-in restrictions and limitations on computers, specifically video game consoles, HD DVD and Blu-ray Disc Decryption Devices, are strongly prohibited in card acquiring business activities. As a best practice, the Bank should create own list of prohibited activities and unacceptable business for acquiring service.

19 No Customer is exempt from participation in the MATCH system check.20 Were it is available.21 For example, Bank can create Application approval form or Merchant approval form or document.22 Each approval decision should be authorized at least by responsible employee and his supervisor.23 Especially includes all merchants that have good reputation on local markets and for which is clearly that do not

have or will not have any risk potential – for example leading domestic retailers, fuel companies etc. 24 For example,relationship with leading local bank in duration at least of two years.25 Note that Risk analysis although should be conducted, and must consist of : MATCH / VMTS inquiry and

confirmation that merchant’s business is fully compliant with local regulatory and card schemes rules. 26 For example, if there is potential operational or reputational risk, or merchant is doing unacceptable business,

or Merchant is registered in MATCH / VMTS application.27 The bank should establish List of prohibited industries and countries. The list at firstly should contain

industries whose acceptance is not in compliance with local regulatory and card schemes regulations, then group rules and/or bank’s acquiring business strategy. List of strongly prohibited business activities proposed by card schemes is given in Footnote No.19.


After Merchant approval decision, responsible employee can sign Merchant agreement with merchant that meets all criteria.

The bank should ensure that each Merchant agreement, beside local regulatory requirements, includes all mandatory elements proposed by card schemes regulation.

The Bank must create Merchant agreement in written, and such agreement at least must:

- Have a clause that web merchants must prominently display the name of the merchant and unequivocally inform the cardholder of the identity of the merchant at all point of interaction,

- Have a clause that Merchant must prominently show the name of the Merchant on web as name that will appear on the cardholder statement,

- Have a clause that Merchant must show any other information28 other than images of the products or services being offered for sale,

- Have a clause about use of card schemes’ brand mark29,

- Have a clause that the Merchant must display the card schemes’ acceptance mark at the point of interaction to indicate that the merchant accepts cards,

- Have a clause that merchant must honor all valid cards without discrimination when properly presented for payment,

- Have a clause that merchant must not refuse to complete a transaction solely because a cardholder who has complied with the conditions for presentment of a card at the point of interaction refuses to provide additional identification information, except as specifically permitted or required by the card schemes standards30,

- Have a clause that the Merchant must not directly or indirectly require any Cardholder to pay a surcharge or any part of any Merchant discount or any contemporaneous finance charge in connection with a transaction 31,

- Have a clause that the Merchant must not determine minimum or maximum transaction amount,

- Have a clause that merchant must not submit to Bank a transaction that the merchant knows or should have known to be fraudulent or not authorized by the cardholder32,

- Have a clause that merchant must not submit for payment into interchange, and the Bank must not accept from a merchant for submission

28 For example technical description, detailed product information.29 For example, the Merchant agreement should have clause to instruct the Merchant that:

1. use of card schemes brand mark must be only in accordance with a merchant agreement

2. any use of a mark by a merchant in acceptance advertising, acceptance decals, or signs, must be in accordance with the card schemes standards, including the card schemes’ reproduction, usage, and artwork standards, as may be in effect from time to time;

3. merchant must terminate use or display of any mark effective immediately with the termination of the merchant agreement or upon notification by the card schemes to discontinue such use or display.

30 For example, in case of gambling transactions, additional identification of cardholder is mandatory. Also, the Merchant can ask cardholder for additional identification information for shipping purposes.

31 Note that the Merchant may provide a discount to its customers for cash payments.32 For example, Merchants employees should check last four digit on transaction receipt and swiped card. These

numbers must be the same. If they are not same, it is counterfeit card, and merchant can be responsible for chargeback amounts.


into interchange, any transaction that is illegal, or in the sole discretion of the card schemes regulation33, may damage the goodwill or reflect negatively on the brand,

- Have a clause that the merchant must not submit for payment into interchange, and a Bank must not accept from a merchant for submission into interchange, any transaction that:

- represents the refinancing or transfer of an existing cardholder obligation that is deemed to be uncollectible, or

- arises from the dishonour of a cardholder’s personal check, or

- arises from the acceptance of a card at a terminal that dispenses scrip,

- Have a clause that merchant must not sell, purchase, provide, exchange or in any manner disclose card account number, transaction, or personal information of or about a cardholder to anyone other than its Bank, to the corporation, or in response to a valid government demand34,

- Have a clause that merchants and Third Party Agents acknowledge and understand the importance of compliance with security requirements, such as those relating to transaction information, storage, and disclosure. Merchant agreements must specify that all merchants and Third Party Agents that have access to cardholder data maintain and demonstrate compliance with the PCI DSS requirements and all subsequent requirement updates,

- Have a clause that requires merchant to notify the Bank of its use of any agent that will have access to cardholder data,

- Have a clause that will ensure merchants and Third Party Agents are aware of the Bank’s policies and guidelines to remain in compliance,

- Have visible and clearly stated MCC / SIC code identification35,

- Have a clause that informs merchant that he is responsible for its employees’ actions while in its employ,

- Have a clause that enables / allows immediate termination of a Merchant agreement for any activity that may create harm or loss to the goodwill of the payment system or brand3637.

Example of Merchant agreement: - to be replaced with standardised contract approach?

2.6. Merchant file

The Bank should create a Merchant file which, at least, should include duly fulfilled:

A) Merchant application form

33 Card schemes can in sole discretion add prohibited business activities that negatively affect to card scheme brand, so this clause should be in general character form.

34 For example, this prohibition applies to card imprints, TIDs, carbon copies, mailing lists, tapes, database files, and all other media created or obtained as a result of a transaction.

35 If the Merchant has two or more business category codes, the bank should clearly state MCC / SIC code that has or will have highest sales volume ratio.

36 This clause enables immediate termination of a Merchant agreement for any activity that is not acceptable for Bank’s acquiring business – based on risk / fraud / web site monitoring results.

37 Of course, agreement must have a clause that the Bank is responsible for providing settlement funds directly to the merchant.


B) Inspection of premises document, signed by responsible Bank’s employee

C) Copy of KYC Questionnaire (if applicable)

D) Copy of MATCH / VMTS38 inquiry requests39 (if applicable)

E) Merchant agreement and all amendments to the contract,

F) Copy of the merchant registration documentation (commercial register, trade register or other country requirements)

G) Application approval form / Merchant approval form or document

H) Web site inspection document40

I) All other records and information concerning the regular monitoring of merchant

J) All records related to merchant relationship termination41.

2.7. E-commerce web site monitoring and inspection

Once a merchant agreement is signed, the Bank must establish an ongoing relationship of risk prevention42, including an education process consisting of periodic visits to

38 Were it is available.39 The bank should not enter into any agreement before MATCH / VMTS check.40 For details, please see paragraph 3.6. of this procedure.41 For example, this records can include:

- site inspection report with photographs of premises and inventory verification. Report should be signed by responsible employee who conducted such inspection

- merchant certificate of incorporation, licenses, or permits- verification of references, including personal, business, or financial references- verification of the authenticity of the supplier relationship for the goods or services (invoice

records) that the Merchant is offering the cardholder for sale- date-stamped MATCH / VMTS addition record- all Bank’s correspondence with the merchant- all correspondence relating to law enforcement >>- signed Service Provider contract, including the name of agents involved in the due

diligence process42 For example, the Bank can conduct periodic detailed security check of several randomly chosen merchants

from their portfolio. In this check, all available information from previously established Merchant file should be verified and confirmed. The Bank should record all changes that were not contained in Merchant file. According to results, the Bank can make various decisions, but they must be in accordance with applicable Bank’s rules,


merchants43, distribution of related educational literature44, and participation in seminars organized by responsible Bank's unit or other local organization45.Ongoing merchant monitoring activity must be conducted by responsible unit for each merchant46.

The Bank regularly, as reasonably appropriate in light of all circumstances, must review and monitor the merchant’s web site(s) and other business activities to confirm and to reconfirm regularly that any merchant activity related to or using a card schemes’ brand mark is conducted in a legal and ethical manner and in full compliance with the merchant agreement.

The Bank must check every Web page on every Web site as appropriate and according to local country or region characteristics47.

The Bank can use a Web site monitoring solution or other appropriate process solution48 to review merchants’ activity to avoid processing illegal or brand-damaging transactions that are not in accordance with merchant agreement.

The Bank must, at least, monitor, verify and confirm:

- website content and merchant information standards,- name displayed on website matches merchant description,- merchant location,- privacy policy,- products offered for sale,- links to other sites,- minimum website requirements for payment purposes,- security method for payments and disclosure including verification of

compliant payment application,- website data security and encryption practices,- back order, return, and refund policies,- terms and Conditions.

After web site monitoring activity, the Bank should create Web site inspection document in case if this process is not automated. This report can be ether in electronic or in paper form49.Web site inspection document at least must consist of:

- date of inspection,- name of responsible employee who performed web-site check,- merchant status (for example active/inactive),- confirmation that the detailed merchant data are visible to cardholder,

Group rules and card schemes’ rules. As a best practice solution, the Bank can also create decision matrix to enable efficient decision process. The Bank can also create separate document or form for this purposes or can use previously mentioned Checklist form or Merchant premises inspection document.

43 For example, the responsible relationship manager or other responsible Bank’s employee should visit the merchant and review all previously collected information from Merchant file document. This periodic visit activity should be conducted at least once per year for each merchant separately – if it is possible. The Bank can also create separate document or form for this purposes or can use previously mentioned Checklist form or Merchant premises inspection document.

44 This material can include: - information about Bank's best practices in resolving business, sales or fraud issues,- information about activity flowcharts in customer complaint or other Bank’s processes

related to merchant activity,- user manual or other instructions that will help merchant doing business

45 The Bank can organize this type of education separately or as a apart of local organizations (for example, local Bank association or card association).

46 This mean that fraud monitoring activity must be conducted on a daily basis.47 Nevertheless, the most efficiency way for prevention of operational risk events, such as fraud/chargeback

losses or card schemes’ penalties connected with non-compliance status detected by card schemes’ systems is a weekly monitoring and inspection of each merchants’ web site.

48 Intesa Sanpaolo Card will propose an automated solution for such monitoring. 49 Note that this report should be inserted in Merchant file or other document related to merchant relationship.


- confirmation that the card scheme brand(s) are present, and they are properly displayed to cardholders,

- confirmation that the products offered for sale corresponds to merchant business,

- information about the merchant’s IP address validity (valid/invalid),- confirmation about validity of the customer support e-mail address (for

example: valid/invalid),- confirmation that all links from web site are in compliance with

merchant’s business as specified in merchant agreement,- confirmation that the inspected web site has full description of products

and services,- confirmation that the merchant offers only allowed products and

services (products and services are in full compliance with local laws, group rules and card schemes’ rules),

- confirmation that the amounts on inspected web site are expressed in local currency, or if they are not expressed in local currency – currency conversion information is clearly visible to cardholders,

- confirmation that the inspected web site has visible and detailed merchant business policy,

- confirmation that the inspected web site has visible and detailed order cancelation policy,

- confirmation that the inspected web site has visible and detailed delivery policy, with restrictions that could affect delivery service (also, export restrictions - if known),

- confirmation that the inspected web site has visible the duration of the trial period, if offered, including clear disclosure that the cardholder will be charged unless the cardholder takes steps to cancel the subsequent transaction,

- confirmation that the inspected web site has visible and detailed complaint policy (with refund policy),

- confirmation that the inspected web site has visible and detailed consumer data protection policy (or other requirements proposed by local law),

- confirmation that the inspected web site has visible and detailed information about security and transaction data protection during transaction,

- confirmation that merchant assigns unique ordering number,- confirmation that the inspected web site has visible and detailed

ordering confirmation, - confirmation that the inspected web site has order agreement (known

as: check box), - confirmation that merchant sends e-mail notification to cardholder after

the order is successfully finished,- other comments based on web site inspection activity50.

If the Bank detects merchant’s web-site non-compliance, an inspection of merchant location, and all web links on merchant’s site should be conducted immediately. The inspection should be conducted by responsible employees (for example relationship managers and risk/fraud manager). The Bank must immediately terminate relationship with merchant when:

- determines performing of any deceptive marketing, scam or illegal transaction or business,

- determines that merchant’s business is not acceptable for Bank or Group strategy,

- determines that merchant’s business is not in accordance with merchant agreement or local law.

50 For example, the Bank can establish sales volume and/or fraud volume information as a part of risk monitoring activity.


After such termination, the Bank must:

- inform card schemes without exception or delay51, when required

- enter each terminated merchant in the card schemes’ systems such as: MATCH or VMTS - unless prohibited by local law,

- retain all records concerning the investigation of any terminated merchant. The Bank must retain these records for a minimum period of two years after the termination date52. These records must be inserted in Merchant file document (for details, refer to paragraph 3.5.).

51 In cases when card schemes require feedback from Bank upon merchants' violation of rules. This feedback, even specific actions and deadlines are required after card schemes detect violations of rules related to fraud-to-sales ratio, chargeback-to-transaction ratio, brand damaging transactions etc. These programs are also known as: MasterCard Business Risk Assessment and Mitigation (BRAM), VISA Global Brand Protection Program (GBPP), Global Merchant Audit Program: Tier3 (GMAP), CTR, etc.

52 For example, the Bank at least should retain the following records:- signed merchant agreement- corporate or personal banking statements- credit reports - site inspection report with photographs, premises, inventory verification, and the name and

signature of the responsible employee who conducted such inspection- merchant certificate of incorporation, licenses, or permits- verification of references, including personal, business, or financial- verification of the authenticity of the supplier relationship for the goods or services (invoice

records) that the Merchant is offering the Cardholder for sale- date-stamped MATCH / VMTS inquiry records- date-stamped MATCH / VMTS addition record- all Bank’s correspondence with the merchant- all correspondence relating to law enforcement >>- signed Service Provider contract, including the name of agents involved in the due

diligence process.

e-comm sales process brief milan .doc

Documents