Electronic Exchange Systems

Do's and Don'ts

Do:

  • Use a terminal or third party terminal provider service that truncates the card expiration date and all but the last 4 digits of the card number on the cardholder copy of the receipt.
    Note: The merchant copy of the receipt bearing the signature may display the full account number and expiration date.
  • Store all materials containing cardholder account information in a restricted/secure area
  • Limit access to sales drafts, reports, or other sources of cardholder data to your employees on a “need to know” basis
  • Render materials containing cardholder account information unreadable prior to discarding
  • Retain legal control over cardholder transaction data and personal cardholder information if you use a third-party
  • Limit access to EXS systems requiring unique operator log-in and notify EXS immediately of staff terminations or changes
  • Immediately notify EXS Risk Management of any suspected or confirmed loss or theft of materials or records that contain account information retained by merchant or its third party
  • Immediately notify EXS of the use of an agent or third party provider not identified on the Merchant Application
  • Communicate these requirements to your third party provider and/or third party terminal provider, and direct them to card association information, publications, and/or Web sites regarding safeguarding cardholder transaction data
  • Require your third party provider to adhere to all CISP, AIS, and MasterCard data security requirements
  • Retain sales drafts for 18 months
  • Display proper signage.

Don't:

  • Process cash advance transactions unless you are a financial institution approved to do so through your merchant account
  • Assign a minimum or maximum purchase amount
  • Add a surcharge or fee
  • Restrict bankcard use (for a sale or discounted item)
  • Use a bankcard to guarantee a check
  • List a cardholder’s personal information on a bankcard sales slip (unless the authorization operator requests it)
  • Record CVV2/CVC2/CID on the sales draft (only the one-digit result code can be recorded or retained)
  • Retain sensitive cardholder data if expressly prohibited, including complete contents of a card’s magnetic stripe (subsequent to the authorization)
  • Sell, transfer, or otherwise disclose cardholder account information or personal information. (This information should be released only to EXS or Member, or as specifically required by law. If you want to participate in a loyalty program, the loyalty vendor must be CISP certified by Visa and implemented in accordance with processes and procedures.)
  • Deny a transaction because the cardholder refuses to provide you additional identification such as telephone number, address, social security number, or driver’s license
  • Use any telephone number other than the official number provided for authorization of a transaction.

Electronic Exchange Systems (EXS) is a registered ISO/MSP for HSBC Bank USA, National Association, Buffalo, NY