your guide to safer, smarter credit card payments … · 2003-11-10 · services from. 2. there is...

YOUR GUIDE TO SAFER, SMARTER CREDIT CARD PAYMENTS What you need to know about chargebacks and fraud on mail, telephone, IVR and Internet orders


Post on 06-Jun-2020



Contents

1 HELPING YOU PROTECT YOUR BUSINESS AND YOUR PROFITS

2 THE FACTS ON CHARGEBACKS AND AUTHORISATIONS
What is a chargeback?
Are you liable for chargebacks?
What you can do
What is an authorisation?
What an authorisation approval means
It’s not a guarantee
What else should you do?
The chargeback process
What to do if you’re notified of a chargeback

3 TIPS TO HELP YOU REDUCE CHARGEBACKS
Reducing chargebacks from customer disputes
Be smart, not sorry, follow these simple guidelines
Special requirements – mail order, Internet and paper merchants
Three common reasons for customer disputes and how to avoid them
Industry best practice – carry out customer checks before delivery

4 SUSPICIOUS ORDERS – WHAT TO LOOK FOR
Telephone orders
IVR orders
Internet orders

5 INTERNET ORDERS – ADDITIONAL INFORMATION
Further tips on how to minimise risk
What to do if your web site is being targeted for fraud
How to ensure cardholder data security on your Internet site

6 WHAT TO DO IF YOU SUSPECT A FRAUDULENT ORDER

7 WHERE TO GET ADDITIONAL HELP

Helping you protect your business and your profits

Mail, telephone, IVR and Internet facilities have many benefits. They provide an invaluable service to your customers by making shopping and paying easier.

There are many opportunities to grow your business using these channels. However, there are some risks you need to be aware of. There is a disproportionate amount of fraudulent activity and customer disputes through mail, telephone, IVR and Internet facilities. As the merchant, you are liable for this risk. Therefore, it is important that you understand the extent of these risks and ways you can minimise them.

This guide is designed to help you do just that: protect your business and profits by giving you the facts on fraud, customer disputes and chargebacks. You’ll also find useful information to help you identify high risk orders, advice on what to watch out for and what to do if you suspect a problem.

So please take a few minutes to read this guide and use it to train your staff. Knowledge and awareness lead to smarter, safer business practices. It all starts with understanding the risks and learning how to avoid them.

The facts on chargebacks and authorisations

The more you know, the more you’ll be able to protect your business against chargebacks and fraud, so read on and put your new-found knowledge to work in your business.

What is a chargeback?

A chargeback is a debit entry to your bank account processed by the Bank.

Put simply, it is a reversal or “charge back” of a credit card transaction previously credited to your account. Chargebacks occur for two main reasons:

1. Fraudulent use of the card.

2. Customer disputes.

The most common examples of fraudulent use of a credit card are:

1. Your customer uses a stolen card or account number to fraudulently purchase goods or services.

2. A person known by the cardholder uses a credit card to order goods or services but has not been authorised to do so by the cardholder.

3. Customer falsely claims that he or she did not receive the goods or services.

4. Fraudsters run consecutive numbers on an Internet site or IVR in an attempt to find a valid card number that they will then use to fraudulently purchase goods or services.

The most common examples of customer disputes are:

1. Customer complains that goods or services are not as described on a web site or in a mail order catalogue.

2. Customer is billed twice for same order and/or billed for an incorrect amount.

3. Customer does not recognise the transaction on their statement because the business name on the statement is different to the business name used on the web site or mail/telephone order marketing materials.

4. Customer is billed before goods or services are shipped or delivered.

5. Confusion and disagreement occurs between the customer and merchant over a return or refund amount.

Are you liable for chargebacks?

According to the terms and conditions of your merchant agreement, if a cardholder disputes a transaction and you do not have sufficient evidence to show that the cardholder authorised the transaction, the liability for the chargeback rests with you.

In most instances, this means that the original transaction will be reversed and you will not receive payment for goods or services you may have already delivered. Additionally, you may also be required to pay fees for investigating and processing the chargeback.

For this reason it is essential for you as a merchant to understand how to set up business procedures and use appropriate product features to minimise chargebacks and fraud.

What you can do

There are lots of things you can do to protect against chargebacks, but first you need to understand the importance of authorisations.

What is an authorisation?

Every time you process a transaction via one of our electronic commerce products you will receive an authorisation for the transaction. Paper voucher merchants can get an authorisation by calling 13 26 36.

The authorisation is a request to the Card Issuer to validate that:

1. the card number presented exists, and

2. there are sufficient funds available in the account for the transaction.

The authorisation will be either:

1. Approved.

2. Declined.

What an authorisation approval means

If the authorisation is approved, it verifies that:

1. the card number and expiry date are valid; and

2. there are sufficient funds available for the sale.

It’s not a guarantee

In mail order, telephone order, Internet and IVR transactions where:

1. there is no imprint of the card and signature to prove the cardholder conducted the transaction; or

2. no PIN or password has been provided by the cardholder,

the Bank has no means to provide you with irrefutable proof of identification.

For this reason, the authorisation does not (and cannot) guarantee that:

1. The person using the card is the true owner of the account.

2. The person using the card is authorised to do so (i.e. that the card is not stolen or being used fraudulently).

While authorisation is important, it DOES NOT guarantee you will receive payment.

Despite the fact that you have received an authorisation, it is still possible that you may subsequently receive a chargeback notification. In this instance, unless you can prove the validity of the transaction with:

1. a signed imprint of the card;

2. a confirmation of a correct Verified by Visa or MasterCard SecureCode Internet PIN; or

3. in the instance of a dispute, can address the dispute to the customer’s satisfaction,

the transaction will be credited back to the cardholder and your account debited for the amount originally charged.

What else should you do?

Authorisations should be combined with a variety of business processes and other checks to minimise chargeback exposure.

This is particularly important for mail order, telephone order, IVR and Internet orders where:

1. The card and cardholder are not present at the time of the transaction thus leaving you unable to get an imprint of the card and a signature from the cardholder to confirm that they authorised the transaction.

2. Additionally, you have not seen the person, and therefore will not be able to identify who actually conducted the transaction.

So remember, it’s your responsibility to verify to your own satisfaction the identity of a customer prior to the supply of goods or services.

Industry best practices to assist you to do this are discussed in detail later in this brochure.

The chargeback process

When a cardholder disputes a sale transaction there is a four-step procedure that follows:

1. The cardholder disputes a transaction by advising their card issuer.

A transaction can be disputed up to 6 months from the date of the transaction or goods/service delivery date, whichever is the later. For this reason you should keep records of transactions accessible for at least 6 months after the date of delivery of the goods or services.

2. The card issuer seeks documentation/supporting evidence from the merchant’s bank to determine validity of the chargeback.

3. The Commonwealth Bank contacts you to ask for documentation or information to support or reject the chargeback.

You will have 14 calendar days to respond to the Bank’s request. Action required by you will be advised in the request.

4. The information is evaluated by both banks and a decision is made under rules set out by the card schemes as to the validity of the chargeback.

If the cardholder dispute is not satisfactorily resolved or is ignored, the disputed amount will be “charged back” (debited) to your bank account.

If the merchant provides proof of cardholder authorisation and the receipt of goods or services, the chargeback is sent back to the original bank and the cardholder must pay their credit card bill as they normally do.

What to do if you’re notified of a chargeback

Once a transaction is disputed it’s your responsibility to prove that a valid transaction occurred. That means you, as the merchant, must provide supporting documentation or other relevant information to respond to the query.

Responsibility rests with you, the merchant, to provide satisfactory evidence regarding the transaction.

It is critical that you respond immediately to information/voucher requests from the Bank, as the Bank must receive all relevant documentation within 14 calendar days.

Merchants who receive a chargeback notification and require clarification or assistance should call the number listed in the request letter.

Tips to help you reduce chargebacks

Understanding what causes chargebacks can help you reduce risk and minimise losses. As stated previously, chargebacks occur for two main reasons:

1. Customer disputes.

2. Fraudulent use of the card.

There are business processes you can implement to help your business reduce the likelihood of receiving a chargeback for each of these instances.

Reducing chargebacks from customer disputes

Many customer disputes occur as a result of confusion or miscommunication such as:

1. The cardholder cannot identify the name and details they see on their statement with the outlet they purchased goods or services from.

2. There is a dispute over refunds/returns.

3. Goods or services are not as described.

4. The price charged is different to the price quoted.

Be smart, not sorry, follow these simple guidelines

To help you manage disputes you should always make a record of the following details for all mail, telephone, IVR and Internet order sales:

1. Full name of cardholder as it appears on the customer’s card.

2. The card type (e.g. Bankcard, MasterCard, Visa) and card number.

3. The card expiry date.

4. Date of the transaction.

5. The authorisation number (especially for paper merchants).

6. The customer’s address.

7. The delivery address.

8. A daytime phone number (not a mobile telephone number).

9. A second contact number.

Keep good records so that you can find specific transactions quickly and easily.

Additionally, you can reduce disputes by always including the following in your brochures, membership forms, web sites and other promotional material:

1. The merchant name as it will appear on the statement.

Ensure your business name is the same as the trading name to avoid confusion. Where this is not possible, clearly indicate to the customer the business name that will appear on their credit card statement.

2. The business address.

3. Customer service contact numbers (telephone, email and mail).

Many disputes can be resolved by your customer service staff and consequently never become a chargeback. Prevention is better than cure.

4. A complete description of goods or services.

Use photos where possible. This will help avoid disputes.

5. The total cost in Australian dollars.

Clearly outline any additional cost including packaging and freight costs (if applicable).

6. Clear delivery times.

Always let the customer know how long delivery will take. If you provide express freight as an option clearly outline any additional cost the customer will incur by using this option.

7. Clear return and cancellation policy.

Inform the cardholders of what to do if they need to return goods. If you have a limited or a no refund/no cancellation policy this must be clearly communicated to cardholders before the purchase decision is made.

8. Privacy Statement/Policies.

Inform the customer of the policies regarding the privacy of their information and any privacy procedures you have in place.

9. Provide clear instructions for recurring transactions.

Where the transaction will be recurring on a monthly basis (e.g. subscription services) clearly state that the card will be debited monthly until the cardholder informs you in writing to stop the subscription. Inform the customer how to contact you to cancel a monthly subscription.

Special requirements – mail order, Internet and paper merchants

Additionally, mail order, Internet and paper merchants have special requirements. These merchants should provide the following:

For mail order:

1. An authority to debit credit cards.

Provide the customer with a form that states “Please debit my Bankcard, MasterCard, or Visa” and allows the customer to enter the card details, including name on the card and expiry date.

If the sale is for monthly subscription services, clearly outline that the card will be debited monthly until the customer cancels the service in writing.

2. The cardholder’s signature on the authority to debit the credit card.

Ensure the authority has a space for a signature and date.

3. Provide a sealable envelope for return of the authority.

Ensure that the cardholder’s order form is returned to you in a sealed envelope. Where possible, provide a sealable return address envelope or give the cardholder appropriate mailing instructions.

For Internet-based processing:

1. Clearly identify the transaction currency.

As your customer base can be worldwide, it is important that the cardholder is aware of the currency the transaction is in before the cardholder proceeds to purchase.

2. Provide a reference number and receipt/confirmation number for the customer to be able to make enquiries about the order.

Provide a receipt/confirmation via mail and/or email with all the details of the transaction. Ensure that the customer service contact details are in this receipt/confirmation so that the customer can make contact with you if they have any issues with the order. Keep a copy for your records.

For paper-based processing:

Although most mail, telephone, IVR and Internet orders are processed electronically, in some instances paper transactions may be appropriate. For paper transactions, a standard sales voucher must be completed. Fill in the voucher with all the card details and product description. In the space provided for the signature write “mail order/telephone order” (see illustration below). Obtain an authorisation and enter the authorisation number on the voucher.

Authorisations are a must

For all paper transactions call 13 26 36.

Sample of correctly completed sales voucher.

Three common reasons for customer disputes and how to avoid them

1. Customer is billed twice for the same order and/or is billed an incorrect amount.

Action: Always double check every transaction to ensure the correct amount has been charged. Do random checks of orders periodically as a quality control check.

2. Customer does not receive the goods or services.

Action: Always use a reputable courier to deliver goods and obtain the name and signature of the person accepting delivery. Attempt to deliver the goods to the cardholder where possible. Request the cardholder to show their credit card upon delivery and check signature with signature on the back of the card.

3. A merchant alters the amount without the cardholder’s authority.

Action: Always contact a customer if you need to change the amount from what was originally agreed. Do not change amounts on completed transactions without the customer’s approval.

Industry best practice – carry out customer checks before delivery

For all mail, telephone and Internet transactions, experience has shown that carrying out the following checks can significantly reduce the likelihood of fraudulent activity and chargebacks:

1. Ask for comprehensive customer details and do validity checks.

Always obtain the customer’s full name, address and home phone number (not a mobile). Check these details against the latest White Pages before delivering the goods. If you cannot verify that the details are authentic, issue a refund on the card and do not deliver the goods.

2. Do an order confirmation.

Telephone the customer some time later to confirm order details before delivering. Where the customer is not aware of the order, or cannot confirm the details, issue a refund on the card and do not deliver the goods.

Most customers will allow you to conduct verification checks with minimal objection. If a customer objects or asks why the information is needed, simply say that you are trying to protect them from someone using their details fraudulently.

3. Always use your own courier and not one engaged by the customer.

Do not deliver the goods if the customer insists on their own courier. Issue a refund on the card and do not proceed with the order.

4. Ask customer to show their credit card and driver’s licence (where possible) as identification on delivery.

Attempt to arrange the delivery at a time when the cardholder will be available.

Instruct the courier to confirm the credit card details are correct and take down details of the driver’s licence (if the person has one). Do not leave goods if the person cannot show the appropriate card or if the signatures do not match. Issue a refund and keep the goods.

If the person who has ordered the goods notifies you that they will pick up the goods, advise them that they will be required to present their card and driver’s licence (if the person has one) as identification.

5. Never deliver goods to post office boxes.

Always deliver to a physical address. If a customer refuses to provide a physical address it is best not to proceed with the order.

6. Never leave goods at unattended premises.

Under no circumstances should goods be left at premises that are unattended. Attempt to redeliver the goods at another time. If you cannot deliver the goods to a person, issue a refund on the card and keep the goods.

7. Always ask for the card expiry date.

Always ask customers for the card expiry date. An order containing an invalid or missing expiry date can be an indicator that the person on the other end does not have the actual card in hand and is using it fraudulently.

Be aware that verifying the expiry date on its own does NOT guarantee that the card is not stolen or being used by someone who is not authorised to use the card. It only verifies that the person making the transaction has the card in their possession.

For recurring orders (e.g. monthly subscriptions), it is your responsibility to maintain up-to-date card details. You will need to maintain a regular customer contact program to verify that the card details and expiry dates are current. This will reduce declined transactions due to lapsed expiry dates and changed card numbers.

8. Ask for the CVV2/CVC2 code.

The CVV2/CVC2 is an important security feature located on the back of Visa and MasterCard cards. It is the last three digits printed on the signature panel.

In the mail, telephone, IVR and Internet sales environment, this is a valuable tool for verifying that the customer actually has a legitimate card in their hand at the time of the order. An order containing an invalid or missing CVV2/CVC2 code can be an indicator that the person on the other end does not have the actual card in hand and may be using the card details fraudulently.

Verifying the CVV2/CVC2 on its own is NOT a guarantee that the card is not stolen or being used by someone who is not authorised to use the card. It can only verify that the person making the transaction has the card in their possession.

To prevent the CVV2/CVC2 from being compromised, NEVER keep or store a card’s CVV2/CVC2 code once a transaction has been completed. Such action is prohibited and could result in fines.

9. Be particularly careful with overseas orders.

Overseas orders can be a problem, particularly in regions like South East Asia where there is a high incidence of fraud. Adding to the problem is the cost and difficulty of pursuing legal recovery in overseas jurisdictions. Furthermore, in most instances it is impossible to recover losses.

Too many businesses have suffered loss from a sales order that was out of the ordinary even for a local buyer, and should have been considered “too good to be true”. If you cannot verify information provided by your overseas customer it is safer to not proceed with delivery.

Suspicious orders – what to look for

Experience suggests that there are certain characteristics that can be tip-offs to possible fraud. One of these characteristics alone is seldom cause for alarm, but when two or more appear in a single purchase it may indicate a fraud scheme.

You should put into place in-house policies and procedures for handling irregular or suspicious transactions (e.g. unusually large orders). Sales staff should be trained to recognise suspicious orders and given clear instructions on the steps to take to verify these transactions.

Telephone orders

Be on the lookout for any of the following signs of suspicious customer behaviour:

1. Hesitation.

Beware of customers who hesitate or seem uncertain when giving you personal information, such as a postcode, the spelling of a street, or family name. This is often a sign that the person is using a false identity.

2. Rush orders.

Urgent requests for quick or overnight delivery should be another red flag for possible fraud. While often perfectly valid, rush orders are one of the common characteristics of “hit and run” fraud schemes aimed at obtaining merchandise for quick resale.

3. Random orders.

Watch out for customers who don’t seem to care if a particular item is out of stock or who order haphazardly, e.g. “You don’t have it in red? Any colour will do”. Orders of this kind may be intended for resale rather than personal use.

4. Suspicious shipping address.

Requests to ship merchandise to post office boxes or an office address are often associated with fraud. Keep lists of postcodes where fraud rates are high and verify any order that has a ship-to address in these areas. If your business does not typically service foreign customers, use caution when shipping to international addresses, particularly if you are dealing with a new customer or a very large order.

5. Multiple cards.

Pay attention to order situations in which the customer wants to pay with multiple cards. More than one or two cards could indicate a fraud scheme.

6. Multiple purchases on one card in a short period of time.

Be particularly cautious with multiple transactions charged to one card over a very short period. Usually purchases continue until a declined status is reached. This suggests that it is a stolen card being used to maximise usage prior to the account being closed.

Keep in mind that none of these alone means you’re being targeted for fraud, but several of them together might. So be alert and check everything.

IVR orders

IVR merchants can sometimes be victims of attacks by fraudsters. The IVR is usually used to check stolen card numbers to use fraudulently. This is done by conducting many transactions for small amounts ($1 or $2) on multiple cards.

To avoid this type of activity, you should:

1. Monitor transactions.

Look for suspicious activity. Where an account has more than five transactions on different cards in the $1–$2 range, particularly if they have all been declined, you should close the account. It could be being used to test stolen or fraudulent credit card details.

2. Provide minimum payment limit controls.

Set up a menu structure so that the IVR will not accept payments under set minimum amounts. The size of this amount will vary depending on the type of business you are conducting.

3. Use call centre staff to verify suspicious activity.

Where a person has made three attempts on an IVR and all attempts have been declined, forward the call to an operator. Instruct the operator to conduct a customer check. This often stops the fraudulent activity. If the account continues to have unusual behaviour, close the account. It could be being used to test stolen or fraudulent credit card details.

4. Inform authorities of activity.

Whenever you find this type of activity, inform your local police and ask them to investigate.
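The IVR controls above written as a per-attempt gate, as an added example that is not part of the original guide. The thresholds (more than five different cards in the $1–$2 range, three declined attempts before an operator) are the guide's; the record fields, action names, the reset of the decline count on an approval, and the sample attempts are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Thresholds come from the guide; field and action names are assumptions.
SMALL_RANGE = (Decimal("1.00"), Decimal("2.00"))  # the "$1-$2 range"
MAX_SMALL_CARDS = 5        # flag at more than five different cards
DECLINES_TO_OPERATOR = 3   # three declined attempts on one call


@dataclass(frozen=True)
class IvrAttempt:
    account: str     # merchant-side account the caller is paying against
    call_id: str
    card_ref: str    # token for the card; never log the number or CVV2/CVC2
    amount: Decimal
    approved: bool   # authorisation result from the card issuer


class IvrGate:
    """Decides what the IVR should do with each payment attempt."""

    def __init__(self, minimum_payment):
        self.minimum = minimum_payment
        self.declines = defaultdict(int)     # call_id -> declines, no approval yet
        self.small_cards = defaultdict(set)  # account -> cards tried at $1-$2
        self.flagged = set()                 # accounts to review and close

    def before_authorisation(self, account, call_id, amount):
        if account in self.flagged:
            return "REFUSE_ACCOUNT_FLAGGED"
        if amount < self.minimum:            # minimum payment limit control
            return "REFUSE_BELOW_MINIMUM"
        if self.declines[call_id] >= DECLINES_TO_OPERATOR:
            return "FORWARD_TO_OPERATOR"     # operator does the customer check
        return "AUTHORISE"

    def after_authorisation(self, attempt):
        if attempt.approved:
            self.declines[attempt.call_id] = 0   # assumption: approval resets
        else:
            self.declines[attempt.call_id] += 1
        low, high = SMALL_RANGE
        if low <= attempt.amount <= high:
            cards = self.small_cards[attempt.account]
            cards.add(attempt.card_ref)
            if len(cards) > MAX_SMALL_CARDS:
                self.flagged.add(attempt.account)


def replay(gate, attempts):
    """Run recorded attempts through the gate; return the action for each."""
    actions = []
    for attempt in attempts:
        action = gate.before_authorisation(
            attempt.account, attempt.call_id, attempt.amount)
        actions.append(action)
        if action == "AUTHORISE":
            gate.after_authorisation(attempt)
    return actions


def _a(account, call_id, card_ref, amount, approved=False):
    return IvrAttempt(account, call_id, card_ref, Decimal(amount), approved)


# Constructed sample: one account probed with small payments on many cards,
# followed by an ordinary caller.
SAMPLE_MINIMUM = Decimal("1.00")
SAMPLE_ATTEMPTS = [
    _a("ACC-7", "call-1", "tok-01", "1.00"),
    _a("ACC-7", "call-1", "tok-02", "1.00"),
    _a("ACC-7", "call-1", "tok-03", "1.50"),
    _a("ACC-7", "call-1", "tok-04", "1.00"),   # fourth try on the same call
    _a("ACC-7", "call-2", "tok-05", "2.00"),
    _a("ACC-7", "call-2", "tok-06", "2.00"),
    _a("ACC-7", "call-2", "tok-07", "1.00"),   # sixth distinct card at $1-$2
    _a("ACC-7", "call-3", "tok-08", "1.00"),
    _a("ACC-9", "call-9", "tok-09", "0.50"),
    _a("ACC-9", "call-9", "tok-09", "45.00", approved=True),
]

if __name__ == "__main__":
    gate = IvrGate(SAMPLE_MINIMUM)
    for attempt, action in zip(SAMPLE_ATTEMPTS, replay(gate, SAMPLE_ATTEMPTS)):
        print(attempt.account, attempt.call_id, attempt.amount, action)
    print("accounts to review and close:", sorted(gate.flagged))
```

Raising the minimum payment above $2 makes the gate refuse the small test payments before they reach authorisation, which is the effect the minimum payment limit control is meant to have.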

Internet orders

The Internet offers unique challenges. The anonymity of the channel makes it particularly susceptible to fraudulent activity. For this reason, Internet merchants need to be especially vigilant with orders.

Be alert for transactions with several of these characteristics:

1. First-time shopper.

Criminals usually hit a merchant once, and don’t go back a second or third time.

2. Larger than normal orders.

Because they may be using stolen cards or bogus account numbers that have a limited life span, criminals need to maximise the size of their purchase.

Be very cautious with large orders, particularly if they are from overseas. Be thorough with your verification checks.

3. Orders consisting of several of the same item.

If these items are intended for resale, having more of them increases the criminal’s profits.

4. Orders made up of “big-ticket” items.

These items have maximum resale value and, therefore, maximum profit potential. Be particularly cautious with orders made up of multiple big-ticket items.

5. Orders shipped “rush” or “overnight”.

Perpetrators want fraudulently obtained items in their hands as soon as possible for the quickest possible resale, and aren’t concerned about extra delivery charges.

6. Orders from Internet addresses making use of free email services.

For these services, there’s no billing relationship and often no audit trail or verification that a legitimate cardholder has opened the account.

7. Orders shipped to an international address.

Be particularly careful with orders from South East Asia. A considerable amount of fraud is conducted from this area. Be especially careful if the order is large and bought on numerous cards.

8. Multiple cards.

Pay attention to order situations where the customer attempts to pay with multiple cards. More than one or two cards could well indicate a fraud scheme.

9. Multiple purchases on one card in a short period of time.

Be particularly cautious with multiple transactions charged to one card over a very short period. Usually purchases continue until a declined status is reached. This suggests that it is a stolen card being used to maximise usage prior to the account being closed.

10. Suspicious IP addresses.

Monitor activity from IP addresses that have had a history of chargeback activity on your web site. Be very suspicious if one IP address is attempting to use multiple cards over many transactions, especially if three or more are declined. If possible, attempt to block the IP address from your site.

11. Suspicious delivery addresses.

Monitor delivery addresses. Be particularly cautious with orders shipped to a single address charged to multiple cards over a relatively short period of time. Monitor declined transactions to see if one delivery address is being used consistently. Be cautious of such a delivery address.

None of these alone means you’re being targeted for fraud, but several of them together might. So be vigilant and always conduct thorough checks.
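One way to turn the Internet order checklist into a screening step, as an added example that is not part of the original guide. It reports which warning signs apply to an order given recent payment history and holds the order for manual checks when two or more appear; the 24-hour window, the size and quantity thresholds, the placeholder free email domain and all sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Assumed tuning values; the guide gives the indicators, not these numbers.
WINDOW = timedelta(hours=24)        # "short period of time"
LARGE_FACTOR = 3                    # "larger than normal": 3x the median sale
SAME_ITEM_QTY = 3                   # "several of the same item"
FREE_MAIL = {"freemail.example"}    # placeholder free email domain
HOME_COUNTRY = "AU"


@dataclass(frozen=True)
class Attempt:
    when: datetime
    customer: str
    email: str
    ip: str
    card_ref: str     # token for the card, never the card number
    amount: float
    ship_to: str
    country: str
    rush: bool
    max_qty: int      # largest quantity of any single item in the order
    approved: bool = True


def indicators(order, history):
    """Return the guide's warning signs that apply to this order."""
    recent = [h for h in history
              if timedelta(0) <= order.when - h.when <= WINDOW]
    sales = [h.amount for h in history if h.approved]
    found = []
    if not any(h.customer == order.customer and h.approved for h in history):
        found.append("first-time shopper")
    if sales and order.amount > LARGE_FACTOR * median(sales):
        found.append("larger than normal order")
    if order.max_qty >= SAME_ITEM_QTY:
        found.append("several of the same item")
    if order.rush:
        found.append("rush or overnight shipping")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL:
        found.append("free email service")
    if order.country != HOME_COUNTRY:
        found.append("international address")
    # Assumption: two earlier charges on this card inside the window.
    if sum(h.card_ref == order.card_ref for h in recent) >= 2:
        found.append("multiple purchases on one card")
    same_ip = [h for h in recent if h.ip == order.ip]
    ip_cards = {h.card_ref for h in same_ip} | {order.card_ref}
    if len(ip_cards) > 1 and sum(not h.approved for h in same_ip) >= 3:
        found.append("suspicious IP address")
    addr_cards = {h.card_ref for h in recent if h.ship_to == order.ship_to}
    if len(addr_cards | {order.card_ref}) > 2:   # more than one or two cards
        found.append("suspicious delivery address")
    return found


def needs_manual_check(order, history):
    """One sign alone is seldom cause for alarm; two or more trigger checks."""
    return len(indicators(order, history)) >= 2


# Constructed sample data (documentation IP ranges, placeholder country "ZZ").
NOW = datetime(2003, 11, 10, 9, 0)
_ALICE = ("alice", "alice@isp.example", "198.51.100.7", "tok-A")
_BOB = ("bob", "bob@isp.example", "198.51.100.9", "tok-B")
_NEW = ("newbie", "n@freemail.example", "203.0.113.50")
_DOCK = (900.0, "Unit 4, 9 Dock Rd", "ZZ", True, 4)
HISTORY = [
    Attempt(NOW - timedelta(days=30), *_ALICE, 80.0, "12 High St", "AU", False, 1),
    Attempt(NOW - timedelta(days=10), *_ALICE, 95.0, "12 High St", "AU", False, 1),
    Attempt(NOW - timedelta(days=5), *_BOB, 60.0, "3 Low Rd", "AU", False, 1),
    Attempt(NOW - timedelta(minutes=30), *_NEW, "tok-X1", *_DOCK, approved=False),
    Attempt(NOW - timedelta(minutes=20), *_NEW, "tok-X2", *_DOCK, approved=False),
    Attempt(NOW - timedelta(minutes=10), *_NEW, "tok-X3", *_DOCK, approved=False),
]
SUSPECT = Attempt(NOW, *_NEW, "tok-X4", *_DOCK)
REGULAR = Attempt(NOW, *_ALICE, 85.0, "12 High St", "AU", False, 1)
SINGLE_SIGN = Attempt(NOW, *_BOB, 60.0, "3 Low Rd", "AU", True, 1)

if __name__ == "__main__":
    for name, order in [("suspect", SUSPECT), ("regular", REGULAR),
                        ("single sign", SINGLE_SIGN)]:
        print(name, needs_manual_check(order, HISTORY), indicators(order, HISTORY))
```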


Internet orders – additional information

Further tips on how to minimise risk

In addition to applying your knowledge of suspicious Internet orders, you can use the following tips to help you minimise the risk of a chargeback:

1. Use a security program such as Verified by Visa or MasterCard SecureCode.

These programs require cardholders to enter a password to verify they are authorised to use the card (similar to a PIN on EFTPOS). If the password is incorrectly entered, the transaction is declined. This feature is currently available only on CommWeb.

2. Never process transactions for another business entity.

This is a very high risk activity in relation to fraud and chargeback. Additionally, both Visa and MasterCard strictly prohibit third party processing. Breaching this regulation will result in termination of your facility.

3. Use a pre-authorisation to conduct customer checks before delivery.

A pre-authorisation verifies the card number and expiry date are valid and that there are sufficient funds available for the sale. It then holds these funds for approximately 5 working days depending on the cardholder’s bank.

During this 5 day period the pre-authorisation allows you to undertake checks of the cardholder’s identity and address (for more information see the section on Industry best practice – carry out customer checks before delivery).

Once you are satisfied with the results of the customer checks, a financial capture transaction can be employed to match the sale to the original authorisation and ensure you receive settlement for the transaction.

If you suspect fraudulent activity you can let the pre-authorisation lapse and you do not need to conduct a refund.

This feature is currently available only on CommWeb.

4. Maintain a good customer database.

A customer database is a very useful tool. Maintain and update it regularly. Use it to identify good customers as well as help you steer clear of fraudulent customers and high-risk orders. Divide your database into:

– Low Risk – long standing customers who have made previous transactions with no chargebacks.

– High Risk – customers who previously caused a chargeback.

Use it to identify suspicious delivery and IP addresses.


What to do if your web site is being targeted for fraud

Sometimes web sites are attacked by fraudsters running a range of consecutive card numbers, from an automatic number generator, in an attempt to find valid card numbers to use fraudulently. Usually these are for small amounts.

Unfortunately, if you are a victim of this type of fraudulent activity, the only action available to you if it is detected in time, is to shut down your web site and investigate the nature of the attack.

Your investigation should look at the source of the attack and whether you are able to block the IP address of the attacker. Seek advice from a reputable IT expert to help you redesign your web site to reduce the possibility of future attacks.

How to ensure cardholder data security on your Internet site

Apart from providing adequate business practices, Internet providers must also protect their web sites from outside attacks that can compromise credit card details in any way.

One way to address this is to use the Bank’s e-commerce payment gateway, CommWeb. It contains a security feature, which means you do not need to store or even see credit card details on your web site. By never having this data on your web site, hackers cannot invade your web site and compromise the data.

Should you choose not to implement this security feature of CommWeb, you will be required to maintain a minimum standard of security.

What to do if you suspect a fraudulent order

Now that you know what to look out for, you are better prepared to identify suspicious orders. If you suspect a fraudulent order you should:

1. Under no circumstance deliver the goods or services.

2. Contact the customer and conduct additional customer checks (see section on Industry best practice – carry out customer checks before delivery).

3. If you are still suspicious contact Merchant Enquiries on 1800 230 177 (Monday to Friday 9am to 5pm – local time) with details of transactions such as time, date and amount of suspicious transaction and request that the transactions be investigated.

4. If you cannot confirm that the order is legitimate decline the order. Issue a refund if necessary. It is safer to refuse the order than it is to expose your business to the chargeback risk.

5. Report the card as suspect for fraud activity by calling the number below. A specialist telephone consultant will assist you. This will also help ensure other merchants are not defrauded. If all merchants report suspect fraudulent activity the number of attacks can be reduced.

Card: MasterCard, Visa, Bankcard
Number to call: 13 2636
What to ask for: Press 1 or ask for Ext. 500

6. Contact your local police squad with the details of the activity and ask them to investigate.

Where to get additional help

Merchant enquiries helpdesk

At the Commonwealth Bank we take pride in being a high quality service provider. Part of that is making sure you know where to go for help when you need it.

For more information, contact Merchant Enquiries on 1800 230 177 (Monday to Friday 9am to 5pm – local time).

Bank relationship managers

Further information on the security features of the merchant channel you are currently using can be obtained by contacting your Account Manager or Electronic Product Consultant.

Our staff have access to the latest card scheme procedures and industry trends and they can help you to minimise the risks to your business. Remember, we’re at your service with the products and procedures to make a difference.


ADB4530903

Commonwealth Bank of Australia ABN 48 123 123 124