CARD NOT PRESENT CARD PROCESSING POLICY FOR MERCHANTS
Introduction
This Card Not Present (CNP) Card Processing Policy is provided to our merchants to outline your responsibilities, provide guidelines, and explain the risks associated with Card Not Present transactions. Card Not Present transactions involve accepting credit card payments via mail, telephone, or non-face-to-face methods such as online where a physical card or device is not tapped, swiped or inserted into a payment terminal and/or is manually entered into the payment terminal or on a website (eCommerce). This policy aims to ensure compliance with Payment Card Industry Data Security Standard (PCI DSS) requirements, outline chargeback procedures, and identify ways to minimize fraud due to Card Not Present credit card processing.
Chargeback Liability
General Overview
Chargeback liability refers to the responsibility of the merchant to reimburse the cardholder's issuing bank for disputed or fraudulent transactions. It is essential to minimize chargebacks as they can result in financial losses and damage our reputation. To reduce chargeback liability, we expect our merchants to comply with the following guidelines:
Specific Training
Identification of Tampering or Suspicious Activity
Merchants must provide specific training for employees involved in Card Not Present credit card processing on ways to protect customer and credit card information, prevent credit card fraud and how to identify and report potential tampering or suspicious activity.
Masking of PAN
When card data is entered into a physical or virtual terminal, adhere to PCI DSS Requirement 3.2.1 for masking the 16-digit Primary Account Number (PAN), Expiry Date and CVV/CVC when displayed on computer screens, payment card receipts, faxes, or paper reports.
Confidentiality and Security Awareness
- Implement policies and controls to protect cardholder data against unauthorized online access (including emails) or physical access such as copying and especially on sales counters, desks, removable portable media, or printed documents.
- In a retail setting, consider implementing a ban on the use of pens or writing materials when taking customer card details.
- Merchants must maintain comprehensive records of all Card Not Present transactions, including receipts with customer or proxy signatures, customer billing information, and transaction details.
Screening Personnel
Only employees who have passed the retail staff requirements/certifications set by provincial and federal regulators are permitted perform card not present credit card transactions.
Some useful links (for illustrative purposes and is not a comprehensive list)
Regulatory Compliance for Retail Cannabis Sales
- Merchants must follow provincial and federal legislation, rules and regulations specific to the jurisdiction of their operations when processing Card Not Present sales.
- Merchants must follow provincial and federal legislation, rules and regulations specific to the jurisdiction of their operations when processing Online Sales (Click-and-Collect, Curbside Pick-Up, Delivery)
Some useful links (for illustrative purposes and is not a comprehensive list)
Verification and Authorization
Before processing transactions, merchants should obtain proper authorization for Card Not Present transactions and ensure the accuracy of cardholder information.
Conclusion
This Card Not Present (CNP) Credit Card Processing Policy aims to provide our merchants with a clear framework for securely conducting Card Not Present transactions and complying with industry standards, rules and regulations. Adherence to these guidelines is crucial to mitigate chargeback liability, maintain customer data security, and adapt to evolving regulations.
Failure to comply with this Card Not Present Credit Card Processing Policy may result in the termination of Cova Pay Services and result financial losses, reputational damage, and legal liabilities. We encourage all our merchants to embrace these practices diligently and ensure the ongoing security and integrity of Card Not Present payment card data processing.
