Merchant Acquiring Guidelines
- SCOPE OF THE GUIDELINES
This document covers payments made using the Payment Card and establishes operational guidelines that apply to Card Payments in the Merchant’s payment solutions. If a word or phrase is not defined in these Guidelines, it will have the meaning given to it in the Rapyd Merchant Agreement (“Terms”).The Merchant will at all times comply with the provisions of these Guidelines and the Terms.
The Merchant is responsible for ensuring that the Merchant’s sales and all transactions are completed in accordance with relevant domestic and international laws and regulations, including by ensuring that the products/services sold are allowed under applicable legislation. The Merchant may only accept payments for activities, products or services that have been registered with and approved by Rapyd.
The Merchant must have the right of use in respect of the Merchant Outlet from which the products/ services are sold, irrespective of whether it is a physical store or website. The Merchant Outlet must be registered in the Merchant’s name as it appears at signup with Rapyd.
The Merchant must not accept Card Payments for any of the following:
a) To complete payments for products/services that are not approved by Rapyd, as set out in Rapyd‘s restricted or prohibited list.
b) To complete payments originating from sales or activities offered by other parties
c) To complete payments that are subsequently forwarded to other parties, e.g. by assigning its receivables from Rapyd to other parties
d) Activities that may harm Rapyd’ and/or the Card Associations’ brand and image
e) Morally or ethically dubious purposes, or purposes which in any way violate applicable laws and regulations
- MERCHANT OBLIGATIONS
2.1 Compliance with security requirements
Payment Terminals and Payment Solutions
All payment terminals and payment solutions used by the Merchant must comply Rapyd‘s standards and with the applicable standards established by the Card Associations and by national legislation at any given time, and must be approved by Rapyd, including technical and security requirements.
The Merchant is required to comply with the verification procedures and security requirements or with such rules as Rapyd may otherwise have informed the Merchant of at any given time, including 3-D Secure and other measures to avoid fraudulent transactions.
The Merchant must ensure that no unauthorised person(s) have access to payment terminals or payment solutions.
The Merchant is responsible for ensuring that the payment terminals are protected against unauthorised use, including the installation of skimming equipment.
Merchants that use Cardholder-Activated Terminals must inspect them at least once a day in order to ensure that the payment terminals have not been tampered with. Rapyd may require that the Merchant install anti-skimming equipment and/or camera surveillance in cases where Rapyd deems that there is a risk of skimming and/or “money traps”. If the Merchant’s payment terminals are skimmed, Rapyd may request the Merchant to inspect the payment terminals more often.
The compromising of systems
The Merchant must inform Rapyd immediately of any unauthorised access or suspicion of unauthorised access to the Merchant’s systems containing Card Data in case of skimming, attempted skimming, compromising or suspected compromising of Card Data.
In the event that systems containing Card Data handled by the Merchant or by the Merchant’s external suppliers are compromised, or reasonably suspected to be compromised, Rapyd reserves the right to impose charges on the Merchant to the same extent as those imposed on Rapyd by the Card Associations.
The Merchant is liable for any loss or damage incurred as a result of Payment Card fraud and costs associated with the investigation required into the security breach or a suspected breach. Such investigations must only be performed by a certified data security firm approved by the Card Associations. The Merchant is obliged to cooperate with and assist Rapyd, the chosen data security firm and any relevant public authorities in the event of a compromise or a suspected compromise.
While the investigation is ongoing, Rapyd is entitled to suspend any payment services until such time as the investigation is complete and it can be confirmed that the Merchant complies with the security requirements laid down in PCI DSS.
2.2. Processing of Payment Card and Transaction Data and other documentation
Card Data must only be used to complete transactions and must not be used for the purpose of identifying the Cardholder on access control, etc.
The Merchant must store all documentation in a proper manner, to protect it from unauthorised access. The Merchant must store the transaction documentation, including Receipts bearing the Cardholder’s signature, for a minimum of 540 days to allow, among other things, for disputes by the Cardholder. Once the retention period has expired, the transaction documentation/settlement documents must be destroyed in a suitable manner, to ensure unauthorised persons are unable to gain access to documentation containing data.
Compliance with PCI DSS requirements
Merchant must comply with requirements laid down in PCI DSS and all bear associated costs to comply with the requirements. Upon request, Merchant must present PCI DSS validation, for instance an attestation of compliance (AOC) or a report of compliance (ROC) completed by a certified data security firm (Qualified Security Assessor) and a pass result for a vulnerability scan performed by a certified data security firm (Approved Scanning Vendor) in line with Rapyd’ and the Card Associations’ validation requirements. Merchant that do not handle/store Card Data may still be obliged to present PCI DSS certification if required to do so pursuant to Rapyd or the Card Associations
Merchant shall refrain to store Card Data and must inform Rapyd of any handling or storing of Card Data by it or any third-party connected to the Merchant. The Payment Card’s Security Code and other sensitive Card Data must not be stored under any circumstances after an Authorisation is complete.
2.3. Use of and rights to trademarks
For general rules on the use and rights to trademark, please refer to our Terms.
All rights to the trademarks of Payment Cards that the Merchant accepts as means of payment belong to the respective Card Associations and/or to Rapyd. All rights to the trademarks of Rapyd products belong to Rapyd. The Merchant is entitled to use the Payment Cards’ trademarks in connection with its marketing of products and services that can be paid for using the Payment Cards. Similarly, the Merchant is entitled to use 3-D Secure trademarks. The Merchant must clearly post the trademarks (logos) of the Payment Cards that it accepts as means of payment. If the Merchant uses 3-D Secure, the relevant 3-D Secure trademarks must be displayed together with the Payment Card logos. The trademarks must not be used for any other purpose.
The Merchant may obtain and order the trademarks and stickers for use at the Merchant Outlet and in its marketing materials from Rapyd. The trademarks must always be displayed in their original, correct layout.
Images of Payment Cards used in marketing materials must not contain a valid card number or Cardholder name.
The use of the trademarks must not violate the owners’ rights to the trademarks and must not create the impression that the products and services are sponsored, produced, offered, sold or otherwise supported by the Card Association.
On expiry of the Agreement, the Merchant must cease its use of the trademarks, including in signage, marketing on the Internet or via other media, or any other form of marketing.
2.4. Requirements regarding the Merchant’s website for E-commerce Transactions
The Merchant’s website must contain at least the following information:
a) The Merchant’s name, company registration number and address (including country)
b) E-mail address and telephone number for customer service or similar department
c) Description of the products/services that the Merchant sells (including prices, taxes and fees)
d) General terms and conditions (including the rules related to Cardholder’s right of cancellation, delivery and payment) as well as shipping costs
e) A “click to accept” button or another type of confirmation function on the website whereby the Cardholder is required to accept the conditions governing return policy of the products
f) It must be evident that customers are able to pay using Payment Cards
g) The trademarks of the Payment Cards that the Merchant accepts as means of payment must be apparent. The trademarks must also be displayed in the place where the Cardholder chooses the payment method
h) Transaction currency
i) Any export restrictions
In addition, the Merchant’s payment solution must contain a function for the Cardholders to enter their Security Code.
2.5. External suppliers
The Merchant must inform Rapyd of its use of any external supplier, e.g. web hosting service, payment solution provider, Digital Wallet, etc., that handles Card Data or which for other reasons has access to Card Data through the Merchant. The Merchant must also inform Rapyd of any change in its use of external suppliers.
The Merchant is responsible for acts and omissions of its external suppliers and for ensuring that all external suppliers that process Card Data on behalf of the Merchant meet the relevant security and data privacy requirements of Rapyd, the Card Associations, including those laid down in PCI DSS.
2.7. Risk assessment
Rapyd reserves the right to perform a risk assessment of the Merchant at any time, including by requesting and obtaining information and data relating to the Merchant related parties, and by requesting the disclosure of financial statements and other information required in order to perform an assessment of the Merchant’s creditworthiness and risk profile. This information may include documentation of necessary licenses as well as information about revenue related to prepayments. Rapyd may also assess the Merchant‘s sales, refund, chargeback, or fraud performance as part of the risk assessment.
If, on the basis of the risk assessment, Rapyd deems it necessary, Rapyd may, with immediate effect:
a) demand a guarantee, collateral or other type of security
b) withhold the Merchant’s settlement in whole or in part
c) extend the settlement period for all or part of the Merchant’s revenue
d) establish a risk and/or chargeback fee that the Merchant will be required to pay
e) amend or terminate the Agreement
As part of ongoing risk assessment, Rapyd or the Card Associations may conduct an unannounced physical inspection, Merchant bearing all reasonable costs, of the Merchant’s premises to the extent they are relevant to this Agreement, which may include a security assessment and/or a general assessment covering the following areas:
a) The Merchant Outlet
b) Access to the Merchant’s servers and stored data
c) Stock, if any
d) Internal processes
e) Compliance with all security requirements imposed pursuant to this Agreement
2.8. Changes in the Merchant’s circumstances
The Merchant must inform Rapyd in writing of any change in the circumstances reported to Rapyd, including those events listed in the Terms.
The Merchant must inform Rapyd if the Merchant makes significant changes to its product range or its payment and delivery conditions in connection with Card Not Present- Transactions, e.g. prepayment, or if it anticipates significantly increased sales.
Changes in accordance with this section may result in a new risk assessment (cf. section 2.7 (Risk Assessment)) and/or a requirement that a new Agreement must be entered into with Rapyd. Any change to the settlement account must be documented in writing in the form of a confirmation from the bank/submission of account statements, and must be signed by an authorised signatory or person holding a power of attorney in accordance with the rules governing powers to bind the Merchant.
- ACCEPTANCE OF PAYMENT CARDS
The Merchant undertakes to ensure that all personnel who handle Card Payments on behalf of the Merchant understand the requirements set out by the Card Associations and Rapyd, and that they have received the training required in order to satisfy any such requirements.
The Merchant must accept payment made with all valid Payment Cards of the card types that the Merchant has chosen to accept as payment for products and services at the relevant Merchant Outlet, regardless of the amount.
The Merchant is not obliged to accept payments with all card types (credit, debit, prepaid or commercial) within each Card Association (Visa, Mastercard, etc.) included in this Agreement, provided the denial is not based on the identity of the issuer or of the Cardholder. Merchant may refuse payment from a Cardholder using a card type the Merchant does not want to accept. If the Merchant accepts payment with a card type the Merchant wishes not to accept within one of the Card Associations included in this Agreement, the transaction will be processed in accordance with the Agreement and price list. Further, if the Merchant chooses not to accept payments with certain card types within a scheme the Merchant must inform the Cardholders of this in a clear and unequivocal manner at the same time as the Cardholders are informed of which card types the Merchant accepts. Such information shall be displayed prominently at the entrance of the Merchants premises and near the point of sale terminal. In the case of card not present transaction, this information shall be displayed on the Merchants website or other applicable electronic or mobile medium. The information shall be provided to the Cardholder in good time before the Cardholder enters into a purchase agreement with the Merchant.
The Merchant must always follow the instructions displayed on the payment terminal.
If the Payment Card has a chip, the Merchant’s payment terminal must always read the Payment Card’s chip, except for Contactless payments. If the chip cannot be read, the Merchant may complete the transaction using the magnetic stripe, for Payment Cards accepting such methods.
The Cardholder is entitled to a copy of the Receipt for each Card Payment. Once the Card Payment has been completed, the Merchant must ensure that the Cardholder receives a Receipt, either in paper form or as an Electronic Receipt, if the Cardholder has consented to receive an Electronic Receipt. Regardless of the type of Receipt, the Receipt must contain at least the following information:
a) The Merchant Outlet’s name and address,
c) Transaction Date,
d) the last four digits of the card number,
e) the Authorisation Code,
f) signature (where appropriate), and
g) delivery address (for Card Not Present-Transactions).
In special circumstances, e.g. in connection with low value-transactions using Cardholder-Activated Terminals, Rapyd may approve terminals not printing a receipt (e.g. in the case of soft drink vending machines).
The Receipt may only show the last four digits of the card number.
3.2. Manual Entry of data
The Merchant must not manually enter a card number or other information into the payment terminal except as part of a procedure to comply with these terms and conditions imposed on hotels in connection with no-show transactions and Delayed Charges, as well as Delayed Charges or modified transactions for car rental firms.
If the payment terminal is in offline mode and has offline transaction functionality, the Card’s chip or magnetic stripe must be read in the payment terminal. The Merchant must, before completing an offline transaction, verify that the Card is valid,to make sure that the Card is not blocked. The Merchant will receive an Authorisation Code if the Authorisation is approved, and will receive a rejection notice if the Card is blocked, if there are insufficient funds, etc. The Merchant must enter the Authorisation Code into the payment terminal. Under no circumstances should the Merchant give the Cardholder or a third-party permission to enter a card number or Authorisation Code into the payment terminal.
The Merchant must Authorise all transactions. A Security Code must always be used for E-commerce Transactions and MOTO Transactions.
If the Merchant makes use of Pre-Authorisation functionality, the Merchant is obliged to inform the Cardholder of the amount Authorised.
For Card Not Present-Transactions, an Authorisation is valid for up to seven calendar days.
The Authorisation Code must be included in the Transaction Data sent to Rapyd.
If the Merchant’s Authorisation request is rejected, the Merchant must not complete the Card Payment, irrespective of the amount.
If the payment terminal displays a code indicating that the Payment Card should be confiscated, the Merchant must refuse to accept the Payment Card as a means of payment and must confiscate the Payment Card if possible. Confiscated Payment Cards must always be sent to Rapyd.
The Merchant must not accept Authorisation Codes from Cardholders or third parties, but only from Rapyd or systems approved by Rapyd. The Merchant must not request or obtain Authorisation at the request of a third party.
An Authorisation Code is no guarantee that Rapyd will accept the Card Payment, nor is it a confirmation of the Cardholder’s identity; it merely confirms that the Payment Card is not blocked and that there are sufficient funds in the account to cover the amount at the time of Authorisation.
If the Card Payment is not carried out, Authorised amounts must be reversed within 24 hours of cancellation of the purchase. If the final transaction amount is less than the amount that was originally Authorised, the excess Authorised amount must be reversed immediately. Authorised amounts that are not reversed must correspond to the final transaction amount.
The Merchant must not perform Authorisations in order to validate the Card’s status, but only to complete Card Payments for transactions. If the Merchant obtains Card Data in order to perform MITs, an Account Verification must be performed and SCA must be applied.
Pre-Authorisations for Mastercard and Maestro: If a Merchant is not sure whether it will be able to complete the transaction within seven calendar days of performing Authorisation, or if the amount is not known, the Merchant must perform a Pre- Authorisation. A Pre-Authorisation is valid for 30 days for Mastercard and 7 days for Maestro.
The Merchant must not perform Pre-Authorisations for Maestro cards for Card Present-Transactions, except in the case of sale of fuel in Cardholder-Activated Terminals.
3.4. Approved currencies
Transactions can only be transmitted and settled in Approved currencies.
3.5. Dynamic Currency Conversion (DCC)
If approved by Rapyd, Merchant may offer Dynamic Currency Conversion (DCC). If the Merchant offers DCC to Cardholders, the Cardholder must be informed of the current exchange rate and any fees, and must agree to pay in their own currency before the Merchant completes the transaction as a DCC transaction. If the Cardholder does not agree to pay in their own currency, the Merchant must complete the transaction in its own local currency.
Current exchange rates are fixed daily on banking days by the DCC provider. The currency tables in the payment terminals are updated automatically.
Settlement of DCC transactions will be based on the original transaction amount in the local currency, i.e. the amount prior to DCC conversion.
DCC is not permitted for domestic Card Payments, i.e. where the Payment Card and the Merchant have the same local currency. DCC is only permitted for payments with foreign Mastercard and Visa.
Authorisation requests must be sent to Rapyd in the Transaction Currency and stating the final transaction amount, i.e. the amount after DCC.
3.6. Submission of transactions to Rapyd for settlement
The Merchant must send transactions to Rapyd without undue delay and no later than three days after the Transaction Date. The Merchant may be charged a fee for transactions received by Rapyd more than three calendar days after the Transaction Date. Additionally, Rapyd may reject transactions received more than 3 calendar days after the Transaction Date.
The Merchant must not send transactions to Rapyd for settlement before the products/services have been sent or delivered to the agreed recipient, unless Rapyd has given the Merchant its written approval to accept prepayments.
All transactions are sent to Rapyd for settlement via the payment terminal or the payment solution. The Merchant undertakes to reconcile the payment terminal or payment solution on a daily basis if transactions have been performed.
The Merchant is responsible for the Transaction Data, that is sent via payment terminal or payment solution, being error-free. Rapyd may refuse to receive or process transactions with Transaction Data errors. Rapyd reserves the right to correct Transaction Data with errors.
3.7. Strong Customer Authentication (SCA)
The Merchant shall, except where explicitly exempted, apply SCA in all cases where the Cardholder:
a) initiates a Card Payment.
b) provide the Merchant with Card Data which will be used at a later stage, e.g., MITs.
c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
In addition, the Merchant shall apply SCA when it for a specific Card Payment is required by the issuer of the Payment Card used to complete the Card Payment.
SCA cannot be used for MOTO Card Payments.
The Merchant’s payment solution must have implemented and shall support SCA. The foregoing applies even if the Merchant intends to only complete SCA exempted Card Payments.
The Merchant shall only use a type of SCA that is approved by Rapyd. Rapyd has approved the following types:
- For Card Not Present-transactions: 3-D Secure.
- For Card Present-Transactions: Cardholder’s PIN
The Merchant shall always use a version of 3-D Secure which is compliant with the rules of the relevant Card Association(s).
The Merchant is responsible for ensuring that all transactions are marked correctly, including with respect to submitting the transaction indicator.
If the Merchant is using third parties to carry out Card Payments or otherwise handle Card Data, the Merchant is responsible for ensuring that such third parties apply SCA in accordance with the Terms. For example, if the Merchant is using third parties for bookings, e.g., lodging merchants, vehicle rental merchants, travel agencies and airlines, the Merchant is responsible for ensuring that SCA is applied by the third parties.
The Merchant is not obliged to apply SCA where the Cardholder initiates a Card Present-Transaction and the transaction is:
a) a Contactless Payments where the individual amount does not exceed EUR 50
b) a Card Payment where Cardholder-Activated Terminals are used for the purpose of paying a transport fare or a parking fee.
The Merchant is not obliged to apply SCA where the Cardholder initiates a Card Not Present-Trans- actions provided and the amount of the Card Not Present-transaction does not exceed EUR 30.
Merchants that in Rapyd’ opinion accept payments for activities, products or services considered to be low risk, may utilize transaction risk analysis or delegated authentication and be exempted from using SCA, upon Rapyd written approval. Irrespective of Rapyd written approval, Card Issuers may still require SCA on these transactions.
Even if the Merchant is not obliged to apply SCA, the Issuer of the Payment Card used to complete a Card Payment may require it.
Merchant Initiated Transactions (MIT)
For MIT full Authentication with SCA shall be used for the first Card Payment. SCA shall not be used for subsequent MIT.
Requirement for SCA on all Card Payments
Notwithstanding the Terms, Rapyd is entitled, with immediate effect, to require that SCA is used for all or specific Card Payments if:
a) The number of disputes in which the Merchant is involved is disproportionately large compared to the number or volume of Card Payments.
b) The risk assessment of the Merchant is not satisfactory to Rapyd.
c) The activities, products or services offered by the Merchant in Rapyd’ opinion is not considered to be low risk.
d) The Card Associations require it.
e) It is in Rapyd’ reasonable opinion required by applicable law.
Suspensions and reject Card Payments
If the Merchant does not comply with the requirements for applying SCA, Rapyd may with immediate effect and without notice suspend the provision of acquiring services pursuant to the Agreement and/or reject non-compliant Card Payments, until the Merchant is compliant with the requirements.
126.96.36.199. The Merchant is fully liable for all disputed Card Payments where SCA has not been applied and will be charged the full transaction amount and possible associated fees for such disputed Card Payments.
- THE RELATIONSHIP BETWEEN THE MERCHANT AND THE CARDHOLDER
The Merchant undertakes to receive and process any claims from Cardholders relating to the product/service. Such claims are to be settled directly between the Merchant and the Cardholder and should not involve Rapyd. The Merchant must not include a clause in its terms and conditions that prevent or limit the Cardholder from raising claims against the Merchant, or that refer the Cardholder to a third party for claim handling.
4.2. Credit a transaction
The Merchant must only credit the Cardholder for a transaction for the purpose of voiding a previous Card Payment in whole or in part, e.g. if the customer returns a purchased product. The credit transaction must be identifiable to the original transaction.
Credits of purchases made using Payment Cards (previously accepted Card Payment) must always be credited to the Payment Card used for the purchase. The amount credited to the Cardholder must not exceed the total amount of the transaction. Credit transactions must be submitted electronically. The Merchant must provide a Receipt for the credit transaction to the Cardholder.
Rapyd will offset the total amount of the credit and any other costs against future settlements to the Merchant, or will prepare an invoice for the Merchant pertaining to the credit. Previously calculated transaction fees will not be refunded in connection with such credits.
4.3. Cancellation of a Card Payment
If a Card Payment is made in error, the Merchant must cancel the transaction if possible. If it is not possible to cancel the transaction, the Merchant must complete a credit transaction. If this is not possible, the Merchant must contact Rapyd.
4.4. Fees for use of Payment Cards
If the Merchant, acting in accordance with applicable legislation, charges a fee for Card Payments (surcharge), the Merchant must inform the Cardholder accordingly before the transaction is completed.
- DISPUTED CARD PAYMENTS
The Merchant must respond to all Cardholder disputes. If a Merchant fails to provide documentation or information within the applicable time limits, the dispute will not be contested and Rapyd may uphold the Chargeback and offset or deduct the disputed amount from the Merchant’s account. Rapyd is not required to provide the Merchant with documentation regarding the Cardholder’s dispute.
If Rapyd receives a dispute of a Card Payment and Rapyd is unable to reject the dispute as unfounded, Rapyd will withdraw the full amount plus any fees from the Merchant’s account, or offset it against the Merchant’s settlement from Rapyd. If there are insufficient funds in the Merchant’s account or insufficient revenue, Rapyd may invoice the Merchant.
Rapyd reserves the right to withdraw money from the Merchant or to offset any dispute concerning:
a) Card Payments made using payment terminals that do not read chips if (i) the Payment Card used was forged or counterfeit and/or (ii) the Cardholder claims that the Cardholder did not complete the Card Payment.
b) Card Not Present-Transactions carried out in the absence of Authentication using the latest version of 3-D Secure.
c) Transactions on Cardholder-Activated Terminals completed without the use of a PIN.
If the Card Payment (i) was completed using the Payment Card’s chip and PIN or (ii) was Authenticated by the Cardholder using 3-D Secure in the event of Card Not Present-Transactions, Rapyd will approve the Card Payment unless the Merchant knew or should have known that the customer was not entitled to use the Payment Card, or if the Merchant neglected to provide the necessary documentation for the transaction at Rapyd’ request.
- MONITORING, FRAUD, ETC.
Rapyd monitors Authorisations and transactions received from the Merchant. Rapyd likewise monitors any transaction reported as being a dispute, Chargeback, or case of fraud.
The Merchant will be contacted, and the matter will be investigated if such monitoring reveals significant deviations from normal activity at the Merchant or within the Merchant’s industry, or if Rapyd, for any other reason whatsoever, suspects that card fraud has occurred at the Merchant, or if the reported level of fraud is higher than what Rapyd considers to be normal. In such cases, Rapyd is entitled, with immediate effect, to modify the settlement conditions, to withhold settlement, and/or to suspend or terminate the Terms.
Rapyd also reserves the right to reverse transactions that the card issuer has confirmed as being instances of fraud, provided that the Merchant has not delivered the products or services.
Rapyd may require the Merchant to implement such measures as may be needed to reduce the number of fraudulent transactions, disputes, Chargebacks or credit transactions, etc., for instance by upgrading or replacing payment terminals, implementing a fraud monitoring system approved by Rapyd, or by implementing manual monitoring of transactions. The Merchant must act in accordance with Rapyd’ instructions to limit fraud within the time limit specified.
If the number of disputes, Chargebacks, fraudulent transactions or credit transactions leads to additional costs for Rapyd, e.g. in the form of charges payable to one or more Card Associations, Rapyd reserves the right to pass such costs on to the Merchant.
The Merchant’s right to settlement of Card Payments where the Merchant has used 3-D Secure may lapse if the Cardholder denies having participated in the Card Payment and the fraud reported to Visa and/or Mastercard exceeds 0.5% of the Merchant’s revenue from Visa and Mastercard respectively. Fraud, Chargebacks and disputes may be calculated on the basis of domestic, European or international card use and/or number of transactions. Rapyd will advise the Merchant if its right to transaction settlement has lapsed.
- OPERATING INSTRUCTIONS FOR CONTACTLESS PAYMENTS
7.1.1 These guidelines apply to Contactless Payments.
7.2. Payment terminal requirements
7.2.1. Contactless Payments are offered as an additional feature for Merchants that have payment terminals with approved Contactless Payment functionality.
7.2.2. The Merchant is responsible for ensuring that the technical configuration of the payment terminals/ contactless card readers used for Contactless Payments at all times comply with the Terms and possess technical characteristics that comply with EMV Contactless Specifications, which are available at www.emvco.com. The Merchant is liable for any losses that may arise as a result of improper technical configuration, cf. section 9 (Liability etc.).
7.3.1. The payment terminal must be able to print Receipts for Contactless Payments. A Receipt must be printed at the Cardholder’s request.
7.4. Transaction limit
7.4.1. The transaction limits for use of Contactless Payments are established by the Card Association and are subject to change without notice at any time. Currently prevailing transaction limits can be found in the Merchant Instructions at Rapyd.eu/payments.
7.4.2. Cardholder Authentications are not required on completion of Contactless Payments, unless the transaction amount exceeds the applicable transaction limit, or if the payment terminal prompts Cardholder Authentication.
7.4.3. Card Payments that exceed the prevailing transaction limits must be completed by performing Cardholder Authentication by means of PIN entry.
7.4.4. Transactions completed with another approved payment device, e.g. a smartphone, and which exceed the prevailing transaction limits, must be completed by Authenticating the Cardholder using the security precautions associated with the given payment device. When a smartphone is used as a payment device, the Cardholder is verified through the entry of a password on their smartphone. The instructions appearing on the payment terminal must be followed at all times.
7.5.1. Rapyd undertakes to settle all Contactless Payments provided that the provisions of the Terms are complied with and that the maximum transaction limits for Contactless Payments prevailing at any given time are not exceeded.
- OPERATING INSTRUCTIONS FOR STORED CARDS AND APP PAYMENTS
8.1.1 These guidelines apply to Merchants that offer a Stored Card function on their website or App Payments.
8.1.2. In order to offer a Stored Card or App Payment function, the Merchant must have entered into an agreement with Rapyd on E-commerce Transaction. An option must be provided for non-registered customers to pay using Payment Cards.
8.1.3. Stored Card or App Payments may be offered as an alternative payment method for Cardholders who have created a customer profile, provided that this payment method is available through the Merchant’s payment solution.
189.2.1. The Cardholder must create a username and password on the Merchant’s website or in the user interface.
8.2.2. The Cardholder must give their consent to Card Data being retained by the Merchant’s supplier of payment solutions.
8.2.3. The Merchant’s supplier of payment solutions must be PCI DSS-certified, and Card Data must be processed, stored and transmitted in accordance with PCI DSS. The Merchant must ensure that the supplier of payment solutions deletes the stored Card Data at the Cardholder’s request.
8.2.4. The website or user interface where the Cardholder enters their username and password must use approved encrypted data storage and an encrypted connection, in order to prevent unauthorised parties from gaining access to this information.
8.2.5. Rapyd may impose requirements regarding the Merchant’s validation of the Cardholder’s information at the time of registration.
8.3. Password requirements
8.3.1. The password must consist of a combination of uppercase and lowercase letters and numbers/symbols, and must comprise at least seven characters for Stored Cards, and at least four characters for the App function, unless otherwise agreed in writing with Rapyd. After six failed attempts, access must be blocked.
8.3.2. The password and username must not be identical. The password must not be the same as any of the four most recent passwords used by the Cardholder.
8.4. Security requirements
8.4.1. Once the Cardholder has entered their password, the Cardholder must only remain logged in for as long as the browser window remains open. If the browser window is closed, the Cardholder must log in again. A time limit must be configured to limit how long the browser window can remain open without any activity (timeout). This time limit must not exceed 15 minutes. If the time limit is exceeded, the Cardholder must be logged out automatically.
8.4.2. For App Payments, the Cardholder must be logged out automatically when the Cardholder closes the application. The Cardholder must then log in again. A time limit must be configured to limit how long the Cardholder can be logged in without any activity (timeout). This time limit must not exceed 15 minutes. If the time limit is exceeded, the Cardholder must be logged out automatically.
8.4.3. Using applications to store passwords is not allowed.
8.5.1. At the time of the first transaction, full Authentication using 3-D Secure is required, unless otherwise agreed in writing with Rapyd.
8.6. Information on the payment screen
8.6.1. The Merchant must display on the payment screen both the: last four digits of the account number or token, and the card scheme brand
8.7.1. An Electronic Receipt must be sent to the Cardholder by e-mail once the purchase has been completed.
8.8.1. If the Cardholder wishes to change information related to their account or Payment Card, the Cardholder must be Authenticated again using 3-D Secure, unless otherwise agreed in writing with Rapyd.
8.9. Storage of customer data
8.9.1. The Merchant must store all customer data, such as usernames and passwords, in a proper manner that prevents Cardholder accounts or information from being compromised.
8.9.2. The password must be hashed or encrypted.
8.10.1. Rapyd may require that a daily limit be imposed on each Payment Card. The Merchant must ensure that its payment solution provider is able to handle such limits, including implementation of the same.
- OPERATING INSTRUCTIONS FOR RECURRING PAYMENTS, INSTALLMENT PAYMENTS AND UNSCHEDULED CREDENTIAL ON FILE
9.1.1 These guidelines apply to Merchants that offer Recurring Payments, Installment Payments or Unscheduled Credential on file in connection with E-commerce.
9.1.2. In order to offer Recurring Payments, Installment Payments or Unscheduled Credential on file, the Merchant must have entered into an agreement with Rapyd on E-commerce Transactions.
9.1.3. It is the Merchant’s responsibility to ensure that their payment solution provider marks the transactions correctly, including submitting the transaction indicator for recurring payments, Installment Payments and Unscheduled Credential on file.
9.2. The Merchant’s terms of Recurring Payments, Installment Payments and Unscheduled Credential on file
9.2.1. An agreement must be entered into between the Merchant and the Cardholder giving the Merchant permission to complete transactions with the Cardholder’s Card Data. The agreement must at least include:
a) Description of the products/services
b) Total amount and Transaction Currency
c) Cancellation and refund policies, including the date any cancellation privileges expire without advance payment forfeiture
d) Merchant name and location
e) Merchant address, e-mail and phone number
f) The last four digits of the card number
g) Information about how the Cardholder will be notified of any changes to the agreement
h) Transaction amount or a description of how the transaction amount will be determined, if applicable
i) Information about how the stored credential will be used
j) Information about the time and frequency of Card Payments
k) If a stored credential will be used for Unscheduled Credential on-File Transactions, information about the event that will prompt the Transaction e.g. if the Cardholder’s balance falls below a certain amount.
l) The expiration date of the agreement, if applicable
m) The fixed dates or intervals on which the Transactions will be processed, if applicable.
All requirements related to these specific transaction types must be clearly displayed at the time that the Cardholder gives their consent and must be displayed separately from the Merchant´s general terms and conditions.
9.2.2 Merchants offering Unscheduled Credential-on-File Transactions must notify the Cardholder of any change in the Transaction amount or any other terms of the agreement at least 2 working days before the change. The Merchant must retain this information for the duration of the agreement and provide it to the Cardholder or Rapyd upon written request.
9.2.3. Merchants offering Recurring Payments must do the following:
a) Provide a confirmation of the establishment of the Recurring Transaction agreement within 2 business days
b) Provide a simple cancellation procedure, and, if the Cardholder’s order was initially accepted online, at least an online cancellation procedure.
c) At least 7 days before a Recurring Transaction, notify the Cardholder via email or other agreed method of communication if any of the following occur:
- More than 6 months have elapsed since the previous Recurring Transaction.
- The Recurring Transaction agreement has been changed, including the amount of the Recurring Transaction, the date of the Recurring Transaction, or any other terms of the agreement.
9.2.4. For the first transaction, full Authentication using 3-D Secure or PIN is required, unless otherwise agreed in writing with Rapyd.
9.2.5. The Payment Card’s Security Code must under no circumstances be recorded or stored after Authorisation of the initial Card Payment.
9.2.6. The agreement on Recurring Payments, Installment Payments or Unscheduled Transaction on file must either be signed by the Cardholder or accepted directly on the Merchant’s website with subsequent written confirmation provided to the Cardholder. The terms and conditions and prices must be accessible to the Cardholder on sign-up.
9.3. Procedure for renewal and deletion of Card Data
9.3.1. The Merchant must employ a secure procedure for registering, renewing, and deleting Card Data, and for handling expired Payment Cards.
9.3.2. The Merchant’s procedure for deleting Card Data must provide for the deletion of the information from the customer register immediately after the Cardholder makes a request to this effect.
9.3.3. The Merchant must inform Rapyd if the Merchant stops offering Recurring Payments, Installment Payments or Unscheduled Transaction on file.
- OPERATING INSTRUCTIONS FOR LINK PAYMENT
10.1.1 These guidelines apply to Merchants that offer payments with Link Payment.
10.2.1. In order to offer Link Payment, the Merchant must have entered into an agreement with Rapyd on E-Commerce Transactions.
10.3. Information to the Cardholder
10.3.1. The Merchant shall as a minimum provide the Cardholder with the following content in the payment window:
a) A description of the product or service to be delivered by the Merchant
b) The Merchant’s name, company registration number and address (including country)
c) E-mail address and telephone number for customer service or similar department
d) The amount to be paid by the Cardholder, specified on prices, taxes, shipping costs and fees
e) The Merchant’s General terms and conditions, including the rules related to Cardholder’s right of cancellation, delivery and payment
f) A “click to accept” button or another type of confirmation function on the website whereby the Cardholder is required to accept the conditions governing return policy of the products.
g) It shall be evident on that the Cardholder is able to pay using Payment Cards
h) The trademarks of the Payment Cards that the Merchant accepts as means of payment must be apparent. The trademarks must also be displayed in the place where the Cardholder chooses the payment method.
i) Transaction Currency
j) Export restrictions (if any)
10.4.1. An Electronic Receipt must be sent to the Cardholder by e-mail once the purchase has been completed.
A method for verifying that the Cardholder is the person making the online Card Payment in question.
A method, using a currency unit of zero, to confirm that a Card Payment can be completed at a later stage e.g. in connection with MITs.
Card Payments that are performed over the Internet using Card Data registered in the Merchant’s mobile application on smartphones, tablets, etc.
A method of verification using a password, a personal secret code, etc.
A process verifying that the Card is valid, that there are sufficient funds to make the Card Payment, that the Card is not blocked, and that the amount for the Card Payment will be reserved.
The number generated when performing an Authorisation.
The data used to identify a Payment Card, e.g., the card number, expiry date and the Payment Card’s Security Code.
Card Not Present-Transactions
Card Payments that are performed through a payment solution in which the Payment Card’s magnetic stripe, chip or Contactless Payment technology is not read, e.g., E-commerce, Digital Wallet payments, App Payments, Link Payment and MOTO.
The Associations that establish the international rules for payment systems and which have issued Rapyd’ licenses for acquiring payments made using Payment Cards, e.g. Mastercard and Visa.
The transaction between the Cardholder and the Merchant resulting in the transfer of the agreed amount to the Merchant by using a Payment Card.
Card Payments that are made via a payment terminal in which the Payment Card’s chip, magnetic stripe, or contactless payment technology is read.
The person to whom the Payment Card is issued.
Cardholder-Activated Terminal, e.g., for payment of bridge tolls, tickets and parking, i.e. where the payment terminal is exclusively operated by the Cardholder, regardless of whether or not a PIN is used.
Reversal of an amount which the Cardholder or Card Issuer disputes.
Payments where the radio transmitter inside the chip in the Payment Card or in a smartphone communicates with the contactless Payment Card reader in the payment terminal. A contactless payment can be made using a Payment Card, a smartphone or a micro ID chip installed in a watch, bracelet, etc.
Charging of the Cardholder for amounts not known at the time of the Card Payment’s completion, such as parking fines.
Dynamic Currency Conversion (DCC)
Conversion of the amount that the Cardholder is to pay from the Merchant’s local currency into the Payment Card’s local currency.
Card Payments performed using a payment solution in which the Cardholder orders and pays for the purchase in a webshop.
A receipt sent to the Cardholder via e-mail or SMS.
A global standard for payments using credit cards and debit cards based on chip card technology. For more information, please see www.emvco.com.
The process of reserving an additional amount, e.g. during a hotel stay or car rental, where the Cardholder has agreed to pay for any services incurred during the stay or rental period.
A E-commerce Transaction completed via a process where the Merchant has sent an URL (by e-mail, SMS or otherwise) to the Cardholder which directs the Cardholder to a payment window (page) where the Cardholder can enter Card Data and complete the Card Payment.
Mail and Telephone Order (MOTO)
A Card Payment where the Cardholder provides their Card Data to the Merchant over the phone or on a mail order form. The Merchant then enters the Card Data into a virtual payment solution.
The natural or legal person who has entered into an agreement with Rapyd for the purpose of completing Card Payments.
Merchant Initiated Transactions (MIT)
Card Payments that are initiated by the Merchant, pursuant to an agreement between that the Merchant and the Cardholder, allowing the Merchant to initiate Card Payments on the Cardholder´s behalf.
Any and all instructions for acquiring Payment Cards, including information on security and the requirements imposed by the Card Associations or Rapyd.
The Merchant’s store, physical address, URL or application from which the products/services are sold, as stated in the Agreement Form or clearly submitted by the Merchant to Rapyd in writing.
The entity with which the Merchant has entered into the Agreement.
The international Payment Cards regarding which the Merchant has entered into an agreement with Rapyd
The Card Associations’ security standard, known as the Payment Card Industry Data Security Standard, available at https://www.pcisecuritystandards.org.
The personal code linked to the Payment Card.
The process of checking the Payment Card’s status and reserving an estimated amount, e.g. on hotel check-in or when purchasing petrol in a Cardholder-Activated Terminal.
Documentation that the transaction was performed.
Recurring Payments allow the Merchant to complete Card Payments automatically with stored Card Data at regular intervals.
The Payment Card security code (e.g. CVV2, CVC2, CID, PVV, appears inside or near the signature strip. The security code is made up of digits that appear after the card number or of parts of the card number, e.g. in a separate field, and typically consists of three digits.
A solution where the Cardholder has registered with the Merchant with a username and password and in which Card Data is stored by the Merchant’s payment solution provider at the time of the first transaction. The Cardholder may subsequently complete Card Payments to the Merchant without entering Payment Card information, simply by entering the username, password and the Security Code.
Strong Customer Authentication (SCA)
An authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data and which fulfill the requirements set out in the EU Commission’s delegated regulation 2018/389.
The currency in which the Cardholder pays and which is stated on the Receipt.
The data used to complete a Card Payment. These include Card Data and other information received in connection with the Card Payment, e.g. the transaction amount and Transaction Date.
The date on which the transaction takes place. For Card Not Present-Transactions, the Transaction Date is the date on which the goods are dispatched, or the service is delivered.
Unscheduled Credential on File (UCOF)
UCOF allows the Merchant to complete Card Payments automatically with stored Card Data at irregular intervals.