From merchants

Do I need special contracts to enable my customers to pay with credit and debit cards in my online shop?
Yes. To process e-commerce transactions you need an acceptance contract for SECURE E-COMMERCE with SIX Multipay. It regulates the conditions under which you may accept Visa and MasterCard as a means of payment.

You also need a contract with a so-called Payment Service Provider (PSP). They ensure the integration of the payment solution in your online shop and technically process your online transactions for you.

With SECURE E-COMMERCE COMPLETE We offer you the acceptance contract and the PSP payment solution Saferpay from one source in a single service package.

What conditions must I meet to be able to conclude a SECURE E-COMMERCE contract with SIX Multipay?
To conclude a SECURE E-COMMERCE contract you must meet the following conditions:

• Send us the application form with a description of your business model or the URL (Internet address) of your online shop (or a test URL if your online shop is under construction).
  
• Have your company listed in the commercial register; excepted are public bodies and associations (statutes).
  
• You online shop must be in operation (or at least operable as a test shop) and must meet the guidelines listed in the bulletin “Best practices for e-commerce merchants”
  
• Based on our experience, we assess your business for its potential for improper transactions, possible chargebacks and credits, and discuss recommended measures to reduce risk.
  

Finally, the URL (Internet address) of your online shop will be entered by SIX Multipay worldwide in the Visa and MasterCard organizations’ systems and activated with your Payment Server Providers’ payment software.

SIX Multipay reserves the right to reject a contract application without providing reasons.

Can I use the automatic currency conversion (DCC: Dynamic Currency Conversion) with Secure E-Commerce?
Yes, if you have signed a corresponding contractual agreement with SIX Multipay Ltd. and your Payment Service Provider. In the process, the payment procedure is required to meet specific regulations. See the next question for more information. Check whether your Payment Service Providers has implemented a proper payment procedure.

What is DCC (Dynamic Currency Conversion)?
If the currency of a payment card does not match the currency of the online shop, the currency conversion is normally made by the card organization after completion of the payment. Online shops that have a DCC agreement with SIX Multipay, can offer the cardholder the option of converting the payment amount to his/her card currency during the payment process. This means that the conversion is made by the acquirer. The cardholder must be free to decide whether the payment is to be carried out in the currency of the online shop or the currency of his/her card. In the process, the currency conversion rate and the amounts in both currencies must be shown to him/her. This information must also appear on the payment sales slip. As long as the DCC transaction has been processed correctly, the cardholder's decision is binding. If a chargeback must be subsequently carried out, then it is mandatory that this be done in same currency as the original order.

With DCC you can dispense with foreign currency contracts. Moreover, the costs for card acceptance are generally lower. The cardholder also benefits from currency conversion rates that are generally preferable.

How long does it take until I can accept card payments in my online shop?
The verification and contract processing phase normally requires around two weeks. However, if you do not meet all conditions, and should additional clarifications be necessary, then the process can take longer.

What does it cost to activate SECURE E-COMMERCE?
If you have not yet concluded another distance contract with SIX Multipay, then the activation of the two card systems, Visa and MasterCard, costs CHF 500 each, in a one-time payment.

You do not have to pay the activation fee if you already have a distance contract with SIX Multipay. However, you can request a refund of the activation fee if you generate CHF 20,000 in turnover within the twelve months following contract conclusion.

For companies headquartered abroad, an equal amount in euro will be charged.

Special activation fees apply for our new all-in-one solutions MAIL/PHONE ORDER EASY and SECURE E-COMMERCE COMPLETE.

Why do I need a Payment Service Provider (PSP)?
To integrate a payment solution in your online shop and to operate it securely is costly in terms of time and money. A PSP takes on responsibility for these tasks for you and charges activation and service fees. Your customers subsequently process their card payments on your Payment Service Provider’s server. This leaves you free to fully concentrate on your actual business.

Use exclusively PSP solutions that have been certified by Visa and MasterCard. In this way you meet the security requirements regarding SDP/AIS.

You can find further information about certified online payment solutions on the Internet pages of the corresponding Payment Service Provider

What are SDP/AIS?
The abbreviations SDP/AIS stand for the security programs, Site Data Protection from MasterCard and Account Information Security from Visa. The two matching programs regulate how online shops and Payment Service Providers must handle sensitive card data that are transmitted during Internet payments. They are applicable worldwide and are based on the PCI security standards (Payment Card Industry Data Security Standards) that were standardized between Visa and MasterCard.

You can find further information about SDP/AIS on the page Security rules for the handling of credit and debit card data.

What risk do I bear as a merchant with SECURE E-COMMERCE contracts?
With SECURE E-COMMERCE transactions, as a merchant you basically bear a higher del credere risk than with presence payments.  That means that the danger that a cardholder successfully disputes payments as fraudulent, which will then be charged back to you. That is because the cardholder cannot unambiguously prove his identity on the Internet by presenting the credit card and his signature. This gives the cardholder greater possibilities to dispute the payment. That is because the cardholder cannot unambiguously prove his/her identity on the Internet by presenting the card and his/her signature. For the same reason, this also makes things easier for those who would commit fraud.

Which types of businesses are particularly risky?
Experience shows that particularly companies that deliver to countries outside the EU are susceptible to a higher level of risk. Particular caution is to be exercised with African countries as well as certain countries in the Far East and America. We recommend that you only to deliver goods to customers in these countries with whom you are acquainted.

Experience also shows that businesses selling immaterial items, such as software, are particularly endangered and tend to lead to more frequent chargebacks. This is why we recommend that online shops also take their own security precautions.

How can I securely handle payments in my online shop?
There is no such thing as absolute protection. However, there are various ways to improve security:

• With a SECURE E-COMMERCE contract you benefit from increased protection from unjustified disputed payments. This protection even applies if the cardholder is not registered for the secure process. Exempt from this are payments with so-called commercial cards from Visa and MasterCard that were not issued in Europe as well as Visa payments made with mobile phones. Because these exemption rules occasionally change, our customer service can provide you with the latest information.
  
• Make sure that your Payment Service Provider specially marks payments in which the liability shift does not apply (see question "What does “liability shift" mean?").
  
• Also activate the option CVC2/CVV2 in your PSP software. You thereby protect yourself from payments with illegally generated card numbers.
  
• Adhere to the SDP/AIS security standards. They protect you from fines and loss recovery claims from the card organizations Visa and MasterCard, should unauthorized parties steal card data from your shop.
  
• When choosing the Payment Service Provider, make sure that its software supports the following security functions:
  
  -> Software for SecureCode and Verified by Visa (mandatory for a SECURE E-COMMERCE contract).
  
  -> Requesting the CVC2/CVV2 code (see above).
  
  -> Obtaining information regarding the country in which the card was issued.
  
  -> Marking of transactions for which the liability shift does not apply.
  
  -> Blocking of individual card numbers or ranges of card numbers.
  
  -> Checking and blocking of the cardholder’s IP address.
  .
  -> Blocking of multiple authorization requests.
  
  -> Access to information about a credit or debit card without saving the correct card number.

If you go beyond this and adhere to the best practice guidelines, you reduce the danger of chargeback if the cardholder claims not to recognize transactions that have been made. Moreover we can also thereby ideally represent your interests in chargeback cases.

For more information please also read our bulletin “Card Misuse in the Distance Business”.

What does “liability shift" mean?
As a merchant in the distance business, you basically bear the risk if a cardholder disputes having made a payment.

Through the use of SECURE E-COMMERCE in an online shop, however, the risk for certain types of disputed transactions shifts from the merchant to the cardholder. This shifting of risk is called liability reversal or liability shift.

For SECURE E-COMMERCE contracts the liability shiftl applies in every case, if both the cardholder and merchant are registered for the secure payment process.

If only the merchant is equipped for this, then the liability shift for payments disputed by the cardholder applies nevertheless, with some exceptions, such as for the so-called commercial cards from Visa and MasterCard, which were not issued in Europe and for Visa payments made with a mobile phone. Because these exemption rules occasionally change, our customer service can provide you with the latest information.

Important for you is that the liability shift only applies if the MasterCard SecureCode and/or Verified by Visa logos are clearly visible on the payment side. Your Payment Service Provider ensures compliance with this rule.

The detailed rules are very complicated. For merchants, it is most important to understand that the liability shift will not be effective for all disputed transactions.

May I also carry out other types of transactions through my SECURE E-COMMERCE contract?
No. Only e-commerce transactions may be processed through the SECURE E-COMMERCE contract. You need corresponding contracts for all other transactions (MAIL/PHONE ORDER or presence business).

May I process payments for multiple online shops through the same contract?
No. For security reasons, you may process payments for only a single shop per SECURE E-COMMERCE contract. You need a separate contract for each other URL (Internet addresses) or shops with other articles.  

Certain cardholders have reported to me that while paying a pop-up window appears in which they are prompted to enter their password. Is this a phishing attack?

After the cardholder has filled in the merchant’s payment page, the merchant’s payment software attempts to contact the issuer for the purpose of authenticating the cardholder electronically. If the cardholder is not yet registered for MasterCard SecureCode/Verified by Visa, then under these circumstances, certain issuers will take this opportunity to open one or two windows to convince the cardholder to register during the payment process.

Click here for a demonstration of the Verified by Visa registration process.