Security
The Merchant Solutions gives our merchants peace of mind when it comes to security. We continuously monitor merchant accounts for potential risk situations.

Rules for Visa Merchants – Card Acceptance and Chargeback Management Guidelines (PDF, 2415k)

Industry Letter to Merchants – Securing cardholder information (PDF, 133k)

 

 

Chargeback Dispute Resolution provided by Visa

Preventing Chargeback
Most chargeback situations arise at the point of transaction—at the time the transaction is completed—and most can be prevented with a little training.

Consider these 15 tips to avoid potential chargebacks
Do not complete a transaction if the authorization request was declined. Do not repeat the authorization request after receiving a decline.
If you receive a “Call” message in response to an authorization request, call your authorization center. Be prepared to answer questions. The operator may ask to speak with the cardholder. If approved, write the authorization code on the sales receipt. If declined, ask the cardholder for another Visa card.
Make an imprint for all card-present transactions. If you have a point-of-sale terminal with a magnetic-stripe reader, swipe the card through the reader for every face-to-face transaction. If the terminal isn’t working or a card’s magnetic stripe cannot be read, key-enter the account information and make an imprint of the embossed information onto the sales receipt using a manual imprinter. Even if the transaction is authorized and the cardholder signs the receipt, if the receipt does not have an imprint of the embossed account number and expiration date, the transaction may be charged back to you for “no imprint” if the cardholder later denies participating in the transaction.
Obtain cardholder signature. The cardholder’s signature on card-present transactions is required. Failure to obtain the cardholder’s signature could result in a chargeback for “no signature” if the cardholder denies authorizing or participating in the transaction.
Make only one imprint of the card for each transaction. Making more than one imprint can lead to duplicate deposits and increase the chance of a chargeback. If you need to redo a sales receipt because of an error, write “VOID” across the incorrect sales receipt, inform the cardholder, and tear up the incorrect sales receipt in view of the customer.
Ensure that transactions are entered into point-of-sale terminals only once—and deposited only once. Entering the same transaction into a terminal more than once, or depositing both the merchant copy and the bank copy of the sales receipt with your acquirer, or depositing the same transaction with more than one merchant bank can all result in “duplicate transaction” chargebacks.
Ensure that incorrect sales receipts are voided and that transactions are processed only once.
If your establishment has policies regarding merchandise returns, refunds, or service cancellation, disclose these policies to the cardholder at the time of the transaction. Your policy should be pre-printed on your sales receipts; if not, write or stamp your refund/return policy information on the sales receipt near the customer signature line before the customer signs (be sure the policy shows clearly on all copies of the sales receipt). Failure to disclose such policies at the time of the transaction will be to your disadvantage should the customer return the merchandise.
Deposit sales receipts with your merchant bank as quickly as possible, preferably within one to five days of the transaction date—do not hold on to them. Failure to deposit in a timely manner can result in chargebacks for “late presentment.”
Deposit credit receipts with your acquirer as quickly as possible, preferably the same day as the credit transaction is generated. Failure to process credits in a timely manner can result in chargebacks for "credit not issued."
If a customer requests cancellation of a recurring transaction which is billed periodically (monthly, quarterly, annually), always respond to the request and cancel the transaction immediately or as specified by the customer. As a customer service, advise the customer in writing that the service, subscription, or membership has been cancelled and state the effective date of the cancellation. Failure to respond to customer cancellation requests almost always leads to chargebacks.
Keep customers informed on the status of their transactions.
If the merchandise or service to be provided to the cardholder will be delayed, advise the cardholder in writing of the delay and the new expected delivery or service date.
If the merchandise ordered by the cardholder is out of stock and delivery will be delayed or this item is no longer available, advise the cardholder in writing and offer the cardholder the option of purchasing a similar item or canceling the transaction. Do not substitute another item unless the customer agrees to accept it. By giving the customer notice and the option to cancel, you may help avoid a customer dispute regarding the merchandise and a possible chargeback.
Ship merchandise before depositing transaction. Don’t deposit transactions with your merchant bank until you have shipped the related merchandise. If customers see a transaction on their monthly Visa statement before they receive the merchandise, it could lead to a preventable chargeback.
Chargeback Cycle
Most chargebacks begin when a cardholder reports a problem to the card issuer. Here is a quick snapshot of the streamlined Chargeback Life Cycle in a customer-initiated dispute situation.

Note: "Acquirer" refers to the "merchant bank" or merchant's financial institution.
Responding to chargebacks
Some chargebacks can be resolved easily without the merchant having to lose the sale. This can be done by simply providing additional information about the transaction or about specific actions taken regarding the transaction. The key here is to always supply as much information as possible to your acquirer to help them remedy the chargeback. Consider these guidelines to ensure you have a system in place.

Know your representment rights to avoid unnecessary losses for your business.
Act promptly when customers with valid disputes deserve credits.
When cardholders contact you directly to resolve a dispute, issue the credit on a timely basis to avoid unnecessary disputes and their associated chargeback processing costs.
Let cardholders know immediately of the impending credit.
Respond to a chargeback as quickly as possible.
Address all of the cardholder’s pertinent claims.
Be sure to supply “compelling” information to prove the true cardholder participated in the transaction, received the goods or services, and benefited from the transaction.
Examples of compelling information
Correspondence between the cardholder and merchant that proves the merchant spoke to the cardholder or received a letter stating that they acknowledge the validity of the transaction.
Evidence that the merchant swiped or imprinted the card, received an authorization approval, and the cardholder’s signature.

Cardholder information security program provided by Visa

Securing Visa cardholder data
When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard.

In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard resulting from a collaboration between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance endorsing the PCI Data Security Standard.

If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).

The new PCI Data Security Standard v1.1 has been released and is now available! Effective September 7, 2006, the PCI Security Standards Council ("PCI SSC") owns, develops, maintains and distributes the PCI Data Security Standard (DSS) and all its supporting documents. Visa USA will, however, continue to manage all CISP compliance enforcement and validation initiatives.

The QDSC Program has also transitioned to the PCI SSC. Please refer to the Assessors page for more information.


How CISP compliance works
CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation. The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.

Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI Data Security Standard consists of twelve basic requirements and corresponding sub-requirements categorized as follows:

PCI Data Security Standard
Build and Maintain a Secure Network: Install and maintain a firewall configuration to protect data; Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data: Protect stored data; Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program: Use and regularly update anti-virus software; Develop and maintain secure systems and applications
Implement Strong Access Control Measures: Restrict access to data by business need-to-know; Assign a unique ID to each person with computer access; Restrict physical access to cardholder data
Regularly Monitor and Test Networks: Track and monitor all access to network resources and cardholder data; Regularly test security systems and processes
Maintain an Information Security Policy: Maintain a policy that addresses information security

Compliance validation
Separate and distinct from the mandate to comply with the PCI Data Security Standard is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.

For a detailed description of Visa merchant levels of compliance criteria and validation actions, go to: Merchants

For a detailed description of service provider compliance criteria and validation actions, go to: Service Providers


Why comply?
By complying with the PCI Data Security Standard, Visa members, merchants, and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits everyone.

Benefits of compliance
Everyone: Limited risk; More confidence in the payment industry
Member: Protected reputation
Merchant and Service Provider: Competitive edge gained; Increased revenue and improved bottom line; Positive image maintained; Customers are protected
Industry: "Good security neighbors" encouraged
Consumer: Information is safeguarded; Identity theft prevention

Visa regulations

The Visa USA, Interlink, Inc., and Plus Systems, Inc. Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.


Member responsibilities
Members must comply with CISP and are responsible for ensuring the compliance of their merchants, service providers, and their merchants' service providers. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents.

Specific compliance requirements and validation criteria are provided at this website.



CISP compliance penalties
If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:

Fine the responsible member
Impose restrictions on the merchant or its agent


Loss or theft of account information
A member or the member's service provider, or a merchant or the merchant's service provider must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.

If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.

If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.


Safe Harbor
Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.


 
 
 

   
  © Copyright 2008. themerchantsolutions.com. All rights reserved. The Merchant Solutions (TMS) is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA