As a partner platform to WePay, you must ensure compliance with card network rules using this guide.
Ensure that all methods of payment are supported according to payment provider rules.
|American Express||✓ *||✓||Not Supported|
|Discover (includes JCB and Diners Club)||✓||Not Supported||Not Supported|
|Bank Account/eCheckout (ACH)||✓||Not Supported||Not Supported|
|ApplePay||✓ **||Not Supported||Not Supported|
Tokenization must be enabled before payments from any MoP can be processed.
* In compliance with American Express rules, WePay does not allow certain travel and telecom merchants to accept Amex cards. In those specific cases, platforms may be required to disable Amex acceptance for that merchant.
* * Check with your Account Manager or with API Support (firstname.lastname@example.org) before starting development work for ApplePay.
- Payment marks for all supported card brands (Visa, MasterCard, American Express, Discover) must be displayed at the point where a consumer/payer is asked to select a method of payment during checkout.
- Displaying the card acceptance marks on the merchant’s home page is recommended.
- All marks must be displayed at parity; all card network marks must be displayed with equal prominence, frequency, size and color treatment.
- Refer to the official brand guidelines for each card network for any further requirements:
Below are examples of display marks:
Follow the ApplePay guidelines for ApplePay buttons and marks.
Merchants/platforms must provide transaction receipts in either electronic or paper format at the time of transaction. By default, WePay delivers electronic receipts and the platform/merchant must:
- Inform the payer of transaction receipt delivery method (i.e. email, text message, etc) and when it will be sent. WePay transaction receipts will be sent immediately via email.
- Provide the receipt in a static format that cannot easily be manipulated after it has been created.
- If a link to the receipt is provided, outline clear instructions for accessing the receipt, as appropriate.
- Make the receipt available to the cardholder for at least 24 hours after the transaction.
- Not store or use personal information provided by the cardholder to receive a receipt (such as email address or phone number) without the express consent of the cardholder.
- Include the following in the title of the email or first line of the text message:
- the merchant name
- language indicating that the email or text message contains the transaction receipt or a link to the transaction receipt.
A merchant/platform must retain a transaction receipt for 13 months.
- Merchant name or DBA (or merchant website)
- Merchant location: address, city, country, phone number
- Transaction type (retail sale, cash disbursement, refund)
- Descriptions (and price) of goods and services
- Total amount
- Transaction date (and time if possible)
- For recurring transactions: the words “Recurring Transactions”, frequency of recurring transactions, duration of recurring transaction period
- Card network name
- PAN (in truncated form)
- Transaction authorization approval code returned by issuer
- Refund and return policies
- Customer service contact information such as email address or phone number
Reference: Visa Core Rules and Visa Product and Service Rules, April-2016
A merchant is responsible for establishing their merchandise return and refund or cancellation policies. Clear disclosure of these policies help in reducing cardholder disputes and chargebacks. Card networks require clear disclosure of these policies for them to be considered in cases of chargeback.
Examples of clear disclosure statements are:
- No refunds or returns or exchanges
- Exchange only
- In-store credit only
Special terms must be spelled out.
For internet or app purchases, merchant must communicate their refund and return policies on the transaction receipt. Additionally, the merchant website must communicate the refund policy to the cardholder either in the checkout flow with a “click to accept” or other acknowledgement, or on the checkout screen near the “submit” button.
For phone order, the merchant may send the disclosure by mail, email or text message after the transaction.
For face-to-face transactions, the cardholder must receive the disclosure at the time of purchase. For card-present transactions, disclosure statements should be legibly printed on the transaction receipt near the cardholder signature area or in an area easily seen by the cardholder.
Reference: Card Acceptance Guidelines for Visa Merchants, Visa, 2015
A recurring transaction can be set up for automatic periodic payments for subscriptions, memberships, bill payment, etc. Because recurring transactions are processed automatically and without direct participation of the cardholder, they are particularly liable to potential disputes by cardholders.
Card networks have specific requirements and recommendations to minimize disputes and to contest chargebacks in case of disputes:
- The merchant/platform must obtain consent of the cardholder of the following
- Transaction amount (does not apply where transactions will be of varying amounts)
- Duration of billing arrangement
- Acknowledgement of merchant’s cancellation and refund policies
- The merchant/platform must retain the cardholder’s consent in either written or electronic format in case of potential disputes of subsequent charges
- The merchant/platform must provide an online cancellation procedure for the cardholder
- The merchant/platform must not charge a recurring transaction beyond the duration expressly authorized by the cardholder
- Cancellation requests should be processed promptly (recommended at least on a daily basis) and the cardholder should be notified that the recurring transaction has been cancelled, along with a confirmation number for the cancellation
- If a cancellation request is received too late to prevent the most recent recurring charge from being posted to the cardholder’s account, submit a credit and notify the cardholder
- Transaction receipts should include the following information:
- The phrase “recurring transaction”
- The frequency of the charges
- The period of time the cardholder has agreed to for the charges
- Notify the customer at least ten days in advance before each recurring payment. The advance notification should include the amount. If the amount exceeds a pre-authorized range, expressly include this information, as well.
- It is recommended that the card is enrolled in Account Updater to reduce declines due to updates to card numbers and card expiration date. Contact your Relationship Executive or API Support (email@example.com) for further information.
- For declined transactions, merchants should contact the cardholder for updated card information.
Reference: Card Acceptance Guidelines for Visa Merchants, Visa, 2015
It is recommended that following is included on merchant website (or platform website, if appropriate) to reduce cardholder disputes and potential chargebacks:
- Complete description of goods and services.
- Customer service contact information including email address or phone number
- Return, refund, and cancellation policy
- Delivery policies for goods or services, if applicable, including order fulfillment information such as time frames for order processing so that customers do not dispute a transaction on grounds of not receiving goods or services.
- If applicable, information on when credit cards are charged. For example, if cards are charged at a later date after merchandise is shipped.
- Merchant location, as well as country and export restrictions (if known or applicable)
- How the charge will appear on their card statement such as wpy*MerchantName. (Merchants should use a merchant name on their platform/WePay account that their customers will recognize.)
- A statement encouraging cardholders to retain a copy of the transaction receipt
AVS (address verification service) is a service offered by card networks to verify card holder address. Along with other cardholder information, this is used to authorize a transaction. In AVS, when cardholder address is included in the authorization request message, the issuer provides a ‘match’ or ‘no match’ response in the authorization response using the cardholder address in their records.
WePay requires AVS because there are a number of uses for it:
- AVS is a useful fraud protection tool in case of lost or stolen cards.
- AVS-match gives issuer greater confidence and authorization declines are reduced.
- AVS helps merchants to win chargebacks. For card-not-present/ecommerce transactions, when goods are delivered to the same address for which an AVS match was received, it is considered a compelling evidence to reverse a chargeback.
- Certain transactions without AVS are downgraded by card networks, which increases the processing cost on those transactions.
WePay automatically handles AVS checks on your behalf, which is part of why we require address information for payers.
CVV (card verification value) is the three-digit security code on the card. CVV is used during authorization in ecommerce transactions to verify that the payer is in possession of the card. CVV is a catch-all term for CVV2 (Visa and Mastercard) and CID (Amex and Discover). When CVV is included in the authorization request message, the issuer provides a ‘match’ or ‘no match’ response in the authorization response.
Unlike AVS, CVV cannot be stored by the merchant or any payment processor, per card network rules.
In Canada, CVV is mandatory for ecommerce transactions, except for transactions using stored credentials.
WePay requires CVV when a card is used for the first time because:
- CVV is a useful fraud protection tool in case of lost or stolen cards.
- CVV-match gives issuer greater confidence and authorization declines are reduced.
In server-to-server integrations, your platform will not use the WePay tokenization library with custom checkout, so you’ll need to ensure that the
cvv parameter from /credit_card/create calls does not get stored in your servers.
The Canadian regulator FCAC requires card networks to ensure that acquirers (such as Chase) and their agents (such as WePay and our platform partners) who provide payment services to merchants, comply with the Code of Conduct.
Please find specifics on compliance in our Platform Legal Obligations article.
Last Updated: July 8, 2019