Swedbank E-commerce solutions

3D Secure

3D Secure is a tool developed by MasterCard and Visa to provide e-commerce merchants and cardholders with greater security for their payment card transactions on the Internet. With 3D Secure, the card issuer authenticates the cardholder online and thus protects Internet retailers against fraud-related chargebacks.

One-stage authorization

The usual card payment flow involves two mandatory steps:

• authorisation (holding) of money in the cardholder account; and
• Financial settlement of an authorised transaction.

The one-stage model automatically sends transaction details for financial settlements on the next working day. This process charges or refunds the cardholder without requiring any additional action by the merchant.

Situations in which this could be implemented include ticket, software and goods sales when the final order amount is clearly known during customer checkout.

Two-stage authorization

The two-stage model is more suited to situations where the final order amount is only known after the order is accepted for execution i.e. when clarified by the merchant later.

The two-stage model or card pre-authorisation is much like any other charge to a card, except instead of actually debiting funds from the cardholder you simply put a temporary "hold" on the funds for up to 7 days. It is still possible to charge the card after this period but the funds will not be guaranteed.

Tokenization

This allows you to offer a simplified payment method which is mostly suitable for recurrent shoppers. Once the client card is registered on the merchant's site, all further payments are performed using one simple step to confirm payment. There is no need to re-enter card data at any time during the validity period of the card.

Tokenization provides an enhanced shopping experience to the customer - there is no need to enter card details on each customer visit, thus encouraging repeat purchases. Merchants don't need to store card numbers, thereby saving on the operational costs associated with compliance with payment security requirements.

Cancel

Depending on the needs of the merchant, authorised transactions may be cancelled by presenting a "Cancel" transaction to the bank. The bank initiates cancellation of the money held in the cardholder's account.

Refund

There is an additional optional step for a "Refund" after settlement has been completed. This makes it possible for the merchant to refund money from their account to the cardholder account.

Recurrent payments

Swedbank supports a range of services designed to process customers' subscription and regular instalment payments by bank card for merchants. In some business areas (books, periodicals, newspapers, digital services, IT services, telecommunications services, utilities and insurance), it can be common practice to pay on a recurring basis for services which are rendered according to a payment schedule.

Swedbank's BankLink

Swedbank's BankLink is the most popular payment method for paying online in the local market. It ensures good local reachability of the consumer market and an efficient order execution process. By using Swedbank's BankLink you can easily access a huge customer base - 1 million users of Swedbank Internet bank. Payments are executed as direct payments from the buyer's account to the merchant's account with Swedbank.

Other Latvian and Baltic banks' BankLink

To increase the Latvian customer base and expand in the Baltics, Swedbank offers a technical transaction processing service for the BankLink payments of these banks: Swedbank AB (Lithunia), Swedbank AS (Estonia), AS SEB Banka (Latvia), AS Citadele Banka (Latvia), AB SEB (Lithuania), Nordea Bank AB (Lithuania), Danske Bank A/S (Lithuania) and AB DNB (Lithuania). The merchant's online store sends transactions involving different banks to Swedbank and Swedbank ensures technical connection with other banks and the processing of the transaction on behalf of the merchant.

N.B.! The merchant must have an agreement with the particular bank to ensure settlement and agree on the commercial conditions of direct payment (BankLink) acceptance with the particular bank.

Chargebacks

Cardholders have the right to dispute any card transaction processed on a MasterCard or Visa card. Such disputes are resolved as chargebacks and are governed by a series of rules set forth by the international card organizations. In the chargeback process, the burden of proof lies with the merchant who is given the opportunity to provide supporting documentation to prove the legitimacy of the transaction. If the merchant is successful, the value of the transaction is credited back to their account. If the merchant is unsuccessful or does not respond in a timely fashion, they are held financially responsible for returning funds to the consumer who filed the complaint.

Common reasons for chargebacks include:

• the cardholder did not perform the transaction (frequently an indication of fraud);
• cancelled recurring transaction;
• goods not as described;
• goods faulty or defective;
• failure to respond to voucher requests.

Chargebacks may also be made for other reasons, including goods or services not having been received.

Tips on dealing with chargebacks:

• In order to prevent undelivered product claims it is highly recommended to use a delivery service that offers delivery confirmation.
• In order to prevent broken merchandise claims during shipping, always purchase shipping insurance if your items are fragile. Make sure you clearly document the timeframe in which such claims will be processed.
• There are two ways of handling claims concerning merchandise breakage not caused by shipping: have the customer contact the manufacturer directly if the item is under warranty or ask the customer to ship the item back to you. Make sure your returns policy is very clear about the timeframe and the returned merchandise authorisation process.
• If the customer claims they never ordered the product, make sure you have clear documentation of their order.
• Whenever possible handle communication via e-mail as that way you will have a precise record of all conversations.
• The requirement is to have terms and conditions clearly presented on the website where the online services are provided. The Consumer Protection Regulations set out the information that must be provided to customers prior to entering into an agreement. The regulations apply to anyone who supplies goods or services under a distance contract; you cannot opt out of them.
• The information must be provided in a clear and comprehensible manner appropriate to the means of distance communication used. The information you need to provide includes specific details of the goods or services in question, their price (including VAT and other taxes) and delivery charges, as well as the details of customers' cancellation rights. You also need to include the full contact details of your business.
• If the goods or services ordered by the customer are likely to be unavailable, you must inform them if you wish to provide substitute goods or services of equivalent quality and price.

Payment security

Each time a customer pays you, they entrust you with their personal and financial information. At the same time, you count on them to be who they say they are and that they are the genuine cardholder. The Payment Card Industry Data Security Standard (PCI DSS) is designed to help protect you both.

Swedbank offers fully PCI DSS-compliant solutions to merchants. While a merchant may be able to reduce the scope of or avoid its environment being subject to the PCI DSS requirements by using the bank's hosted payment pages, it does not eliminate the merchant's risk of becoming involved in, or even being the source of, an account data compromise event. Merchants are still obliged to employ security controls in their web-based environment based on best practice in the industry so as to protect payment card data.

The standard is set by MasterCard and Visa and helps ensure that you process and store customer card data as securely as possible. Being compliant will not deter fraudsters from targeting your business but it will make sure that you are in the best position to deal with attacks, helping you avoid potential financial losses and damage to reputation.

PCI DSS requirements differ depending on the merchant's transaction count. Exact compliance needs can be verified with Swedbank. Each merchant, as a minimum, is recommended to complete the Self-Assessment Questionnaires for e-commerce (SAQ-A).

The PCI Security Standards Council provides advice on completing the SAQ (see: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php).

For PCI Security Standards Council website, visit www.pcisecuritystandards.org

Fraud management

Merchants face various risks when accepting card transactions. This information has been put together to help you understand the types of risk you face and the steps to take in order to reduce the risk of loss. One of the greatest risks to merchants is that of fraudulent transactions. If you are not careful, fraud could cost your business dearly. Some types of merchants - depending on the type of goods sold - are more vulnerable to fraudulent transactions than others. Merchants should be aware that they may be targeted.
It is essential to understand the term "authorisation" - what it does and does not mean.

What authorisation does mean:

• The account number is valid
• The card has not been reported as lost or stolen (although it may still be lost, stolen or compromised, i.e. the card details may have been unduly obtained or copied) and the card owner may be unaware of this)
• There are sufficient funds available to cover the transaction

What authorisation does not mean:

• Authorisation does not confirm that the person providing the card number is the legitimate cardholder - the risk remains that the person providing the number has either stolen or unduly obtained the card
• There is also a risk of the purchaser having unduly obtained the card number without being in possession of the card

Although it is important to obtain authorisation for each transaction, this alone does not protect you against the risk of fraud or chargeback. These risks remain even if authorisation has been obtained.

Due to their high value and suitability for resale, the following types of goods are frequently targeted by fraudsters:

• Electronics
• Household appliances
• Jewellery
• Computers
• Furniture
• Goods easily sold for cash

If you trade in any of these goods, be extremely careful before handing over/shipping items. Make sure you take all possible steps to confirm that the purchaser is the actual cardholder.

The following are indications of potentially suspicious transactions. Often it is the existence of more than one indication that suggests a potentially fraudulent activity.

1. First-time shopper - Criminals are always looking for new merchants to steal from
2. Larger-than-normal orders - Because stolen cards and account numbers have use only for a limited time period, criminals need to maximise their purchases
3. Orders that include several varieties of the same item - Having more than one of the same item increases the criminal's profits
4. "Urgent" or "overnight" shipping - Criminals want their fraudulently obtained items as soon as possible for quick resale and are not concerned about extra delivery charges
5. Shipping outside of the merchant's country - There are times when items purchased in fraudulent transactions are shipped to criminals outside of the home country
6. Inconsistencies - Information in order details such as a mismatch in the billing and shipping addresses, telephone area codes with corresponding near post office codes, e-mail addresses that do not look legitimate and irregular times of day when orders are placed.
7. Multiple transactions on one card during a short period of time - This could be an attempt to 'run a card' until the account is closed
8. Shipping to a single address via transactions on multiple cards - This could involve an account number generated using special software or even a batch of stolen cards
9. Multiple transactions on one card or a similar card with a single billing address, but multiple shipping addresses - This could represent an organised activity, rather than one individual at work
10. For online transactions, multiple cards used from a single IP (Internet Protocol) address - More than one or two cards could indicate a fraudulent scheme
11. Orders from Internet addresses that make use of free e-mail services - These e-mail services involve no billing relationships and often neither an audit trail nor verification that a legitimate cardholder has opened the account

Merchants can minimise the possibility of fraudulent purchases and chargebacks from online transactions by taking certain precautions:

• request the name of the cardholder's bank - fraudsters who have unduly obtained account details will not have this information. If the purchaser hesitates in giving the name of their bank, caution should be exercised;
• request the purchaser to provide a faxed copy of their driver's licence;
• the risk of goods not being received should be evaluated if goods are forwarded to a post office box;
• obtain a signed receipt from the cardholder when the goods are delivered;
• in the case of orders for a large number of different goods, telephone the cardholder after the order is placed to confirm the order. Also, have the purchaser read back all details of the order. Frequently, where an order is fraudulent, the purchaser is unable to confirm these details, as they were ordering at random, with no record of what they ordered;
• be suspicious in cases where multiple cards are used for a single purchase;
• do not continue to attempt authorisation after receiving a decline;
• exercise extra caution in relation to overseas orders - large orders should in all cases be held back for shipping until the enquiries above are made into the legitimacy of the purchaser. Merchants should not ship goods until satisfied that the purchase is legitimate.

By using the 3-D Secure authentication services, the merchant obtains chargeback protection (i.e. fraud liability shift) on a transaction in most events where a chargeback would normally be received on the basis of a claim that the customer did not actually participate in the transaction. These services provide customers, retailers and banks with greater security in online card payments.

The IT resources necessary for implementing the Swedbank Payment Portal can be outsourced. Below you will find information about IT companies offering such a service.

These companies, which are not affiliated with Swedbank, are listed only as examples of such service providers. This list of IT companies is not exhaustive and you are free to engage other IT companies offering the services necessary.

We offer a solution to facilitate and shorten the time to implement the Swedbank Payment Portal in your online store or portal.

The tool is API (Application Programming Interface) library in PHP programming, available from this site: https://github.com/Swedbank-SPP/swedbank-payment-portal

It features support for the most popular payment methods:

• Cards integration type HPS
• Cards integration type HCC (with 3D-secure)
• Cards integration type HCC (without 3D-secure)
• Banklinks
• PayPal Express Checkout