Visa Europe V PAY Operating Regulations - Scheme 15 April 2017 THIS PAGE INTENTIONALLY LEFT BLANK Summary of Changes

This Summary of Changes shows all additions and revisions to the V PAY Operating Regulations that have been approved by Visa. Unless otherwise specified, these revisions will come into effect on 15 April 2017.

Card Verification Value 2 (CVV2) data requirements for Mail Order Transactions

Background Effective from 22 April 2017, an Acquirer must not request a CVV2 from a Cardholder for a Transaction in a Card-Absent Environment that is a mail order Transaction where the CVV2 data is captured and stored in written form.

Regulation Changes The following has been amended:  Section 2.3.1

Supersedes VBN  AI06095, “Mail Orders Will Be Exempted From CVV2 Requirements”

Dynamic Currency Conversion Transaction Indicator

Background Effective from 22 April 2017, an Acquirer must use the Dynamic Currency Conversion (DCC) Indicator for all DCC Transactions occurring at ATMs.

Regulation Changes The following has been amended:  Section 6.9

Supersedes VBN  AI06261, "Requirement for DCC Indicator at ATMs Will Be Introduced”

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 3 V PAY Operating Regulations Summary of Changes

Mail/Phone Order Transaction Acceptance

Background Effective from 15 October 2016, a Merchant is allowed to accept a V PAY Card for a Mail/Phone Order Transaction (MOTO).

Regulation Changes The following sections have been amended:  Section 1.14.2;  Section 6.1.3, Section 6.4.1, Section 6.6.1.2, Section 6.11.8;  Section 8.3.1.2;  Reason Code 30—Services Not Provided or Merchandise Not Received;  Reason Code 53—Not as Described or Defective Merchandise;  Reason Code 83—Fraud—Card-Absent Environment;  Appendix C, "Maximum Authorised Floor Limits"; and  Appendix D, "Defined Terms".

Transaction Receipt Requirements

Background Effective from 22 April 2017, the rules for Transaction Receipts that are electronically delivered have been amended.

Regulation Changes The following have been amended:  Section 6.6.1.4.2; and  Appendix D, "Defined Terms".

Supersedes VBN  AI06001, “Rules Related to Transaction Receipts Will Be Updated”

4 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations About the V PAY Operating Regulations - Scheme

V PAY is Visa’s pan-European Chip-only, PIN-based debit solution. It is an unembossed, full Authorization that can be used at any EMV-Compliant terminal displaying the V PAY Brand Mark. HIERARCHY OF VISA REGULATORY PUBLICATIONS

The V PAY Operating Regulations - Scheme The V PAY Operating Regulations - Scheme specify the minimum standards with which V PAY Members must comply.

Use and Application of the V PAY Operating Regulations - Scheme The V PAY Operating Regulations - Scheme are only to be used in connection with Visa’s payment services and may not be used, modified, copied, downloaded, transferred or printed in total or in any part for any other purpose without the express written permission of Visa.

The V PAY Operating Regulations - Scheme govern the relationship between Visa and its V PAY Members and their agents. The V PAY Operating Regulations - Scheme do not constitute a third-party beneficiary contract as to any entity or person, nor do they constitute a contract, promise or representation, or confer any rights, privileges, or claims of any kind, as to any third parties. Visa reserves the right to amend, modify, delete or otherwise change the V PAY Operating Regulations - Scheme at any time, and such changes, if made after the publication date noted in the V PAY Operating Regulations - Scheme, will not appear in such V PAY Operating Regulations - Scheme. Such changes will be reflected in the next published version of the V PAY Operating Regulations - Scheme.

Rules set out in the V PAY Operating Regulations - Scheme in the form of tables or diagrams have the same status as the V PAY Operating Regulations - Scheme.

Other Rules National Organisations or Private Agreements:  Govern operation of the V PAY and Programs within the jurisdiction of the National Organisation; and  Govern activity within the scope of any Private Agreement.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 5 V PAY Operating Regulations - Scheme About the V PAY Operating Regulations - Scheme

Extensions to the V PAY Operating Regulations - Scheme

Description The requirements in the publications listed below, when referenced in the V PAY Operating Regulations - Scheme, have the same status as the V PAY Operating Regulations - Scheme. They are binding upon V PAY Members participating in the services or using the systems referenced in such publications. In the event of any inconsistency between a provision set out in one of the publications listed below and a rule set out in the V PAY Operating Regulations - Scheme, the V PAY Operating Regulations - Scheme shall prevail, unless a variance to that rule has been specifically granted by Visa to a V PAY Member, in which case, the V PAY Member is required to comply with the variance to the rule rather than the rule set out in the V PAY Operating Regulations - Scheme.

Publications

The Visa Products and Services manuals include:  3-D Secure Specification: — 3-D Secure Security Requirements Enrolment Servers & Control Servers, August 2015; — 3-D Secure Functional Requirements Access Control Server, September 2009; — 3-D Secure Functional Requirements Merchant Server Plug-In , September 2009; and — 3-D Secure Protocol Specification Core Functions, September 2009.  Dynamic Currency Conversion (DCC) Acquirer and Merchants Standards Manual  EMV Contactless Specification for Payment Systems Book C-3  EMV Integrated Circuit Card Specifications for Payment Systems  EMV Integrated Circuit Card Terminal Specification for Payment Systems  Global Security Validation Requirements for Over-the-Air Secure Element Personalization Vendors  Guidelines for Terminated Merchant Databases  Mobile Application enabled for Visa payWave (MAV) - Requirements and Recommendations  Original Credits Membership Requirements Manual  Payment Card Industry Data Security Standard (PCI DSS)  Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS)  Payment Card Industry (PCI) Card Production – Logical Security Requirements  Payment Card Industry (PCI) Card Production – Physical Security Requirements  Payment Card Industry (PCI): Point-to-Point Encryption Solution Requirements and Testing Procedures  Payment Card Industry (PCI): POS PIN Entry Device Security Requirements  Visa Cloud-Based Payments Platform Security Requirements  Visa Cloud-Based Payments Program Minimum Requirements and Guidelines  Visa Cloud-Based Payments Specifications  Visa Specification Version 2.0.2  Visa Contactless Payment Specification Version 2.1  Visa Contactless Payment Specification Version 2.1.1  Transaction Acceptance Device Requirements  Verified by Visa Issuer Implementation Guide  Verified by Visa Issuer Implementation Guide: Activation During Shopping  Verified by Visa Merchant and Acquirer Implementation Guide  Visa Europe Card Vendor Programme Guide  Visa Europe Contactless Terminal Requirements and Implementation Guide  Visa Europe Fee Guide - Non-EEA  Visa Europe Fee Guide - Non-Regulated Business Unit  Visa Europe Fee Guide - Scheme Business Unit  Visa Europe Global Brand Protection Program Guide  Visa Europe Global Compromised Account Recovery Guide

6 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme About the V PAY Operating Regulations - Scheme

 Visa Europe Prepaid Card Products Member Implementation Guidelines  Visa Europe What To Do If Compromised Guide  Visa Global Physical Security Validation Requirements for Data Preparation Encryption Support and Fulfilment Card Vendors  Visa Global Security Requirements for Secure Element Vendors and OTA Service Providers  Visa Integrated Circuit Card Specifications  Visa Merchant Alert Service User Guide  Effective until 30 June 2016, Visa Merchant Fraud Performance Program Guide  Visa Mobile Contactless Payment Specifications (VMCPS)  Visa Mobile Gateway Logical and Physical Security Requirements  Visa Mobile Gateway Specifications  Visa Payment Technology Standards Manual  Effective until 17 May 2016, Visa Direct Member Implementation Guide for Issuers  Visa Product Brand Standards  Visa SimplyOne Member Implementation Guide for V PAY

The PIN Management Requirements Documents include:  Payment Card Industry (PCI) PIN Security Requirements  Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements

NOTE: All manuals are available on Visa Online https://www.visaonline.com.

Forms

The V PAY forms include:  Acquirer Registration Form  Exception File Update Form  Visa Europe Agent Registration and Designation Form  Visa Europe PIN Security Self Audit Requirements and Forms  Visa Interchange Directory Update Form

The BIN forms include:  Exhibit 4A- BIN Licensing Agreement Form  Exhibit 4B-1- BIN Licensee Transfer Request  Exhibit 4B-2- BIN User Transfer Request Form  Exhibit 4D- Member Portfolio Sale Notification  Exhibit 4E-1- BIN Release Request  Exhibit 4E-2 - Reversal of BIN Release Request  Exhibit 4F- Visa Interchange Directory Update Form

VBNs V PAY VBNs are written by Visa to communicate changes that have been approved by Visa, but are not yet incorporated into the V PAY Operating Regulations - Scheme. They have the full authority of the V PAY Operating Regulations - Scheme.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 7 V PAY Operating Regulations - Scheme About the V PAY Operating Regulations - Scheme

Programs The following programs are referred to in the V PAY Operating Regulations - Scheme:  3-D Secure Vendor Compliance Testing Program  Account Information Security Program  Acquirer Performance Metric Program  Chip Interoperability Compliance Program  Chip and PIN Disputes Compliance Program  Custom Payment Service/ATM Program  Dynamic Currency Conversion  Data Quality Compliance Program  Electronic Commerce Merchant Monitoring Program  Global Brand Protection Program  Global Compromised Account Recovery  Global Fraud Information Service  Effective until 30 June 2016, Global Merchant Monitoring Program  Issuer and Acquirer Monitoring Program  Effective until 30 June 2016, Merchant Fraud Performance Program  Plus Program  Visa Europe Anti-Money Laundering Program  Visa Global ATM Program  Visa Merchant Alert Service APPLICABLE LAWS A V PAY Member must comply with all applicable laws. In the event of any conflict between the V PAY Operating Regulations - Scheme and any applicable law, the requirements of applicable law govern.

An Acquirer must comply with any local legislation resulting from the implementation of the Payment Services Directive that is applicable to the areas in which it operates. CONVENTIONS

Grammar and Usage The following conventions apply to grammar and usage throughout the V PAY Operating Regulations - Scheme:  Effective dates are inclusive. For example, “Effective until 31 December 2016” means effective up to and including 23:59 on 31 December 2016 and “Effective from 1 January 2017” means effective from 00:00 on 1 January 2017;  The singular imports the plural and the plural imports the singular.  For example, “A Merchant must...,”implies that “All Merchants must...”; and  The masculine imports the feminine and the feminine imports the masculine.  For example: “A Cardholder may present his Card...,” implies that any Cardholder, regardless of gender may present a Card.

8 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme About the V PAY Operating Regulations - Scheme

Symbols and Style In the V PAY Operating Regulations - Scheme, special symbols and conventions are used as follows:  References to other documents and sections within the documents are in italics;  'A' and/or 'B' that appear before a heading or paragraph indicate those regulations that make up the collection of Visa's unregulated businesses, where 'A' indicates international business;  Words that appear with initial capitalisation have a special meaning beyond, or in place of, their dictionary meaning. These terms are specified in Appendix D, "Defined Terms"; and  Words that appear with initial capitalisation and are not defined in Appendix D, "Defined Terms" or are not written in italics are programs. Please see above for the list of programs referred to in the V PAY Operating Regulations - Scheme.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 9 V PAY Operating Regulations - Scheme About the V PAY Operating Regulations - Scheme

V PAY Operating Regulations - Scheme Road Map About Describes the V PAY governance, the hierarchy of publications, applicable laws and lists all other relevant publications

Program Specifies all program requirements a V PAY Member must follow in order to implement a Requirements successful V PAY Card Program including: • Membership categories • BIN information • Systems management • Confidentiality • Visa’s rights • Issuer and Acquirer contract requirements

Risk Provides information about managing and reducing your exposure to risk as an Issuer or Management Acquirer

Use of Marks Explains the use of the V PAY Brand Mark and other brand marks for Card and non-Card use, including: • Marks licence • Reproduction of Marks • Co-badging and Co-branding program requirements • Plus Program and Plus Program Marks

Payment Describes the required technologies to implement a V PAY Program, including: Technology • Chip specifications • Magnetic Stripe Specifications • Terminal requirements • Unattended Acceptance Terminals

Card Design Details V PAY Card features, general Card specifications and Card manufacture and delivery requirements

Payment Explains the V PAY acceptance requirements including: Acceptance • Merchant obligations • Cash Disbursements (Manual and ATM) • ATM Acquirer standards • Authorizations • Transaction Receipts • Dynamic Currency Conversion (DCC) • Special payment acceptance services • Electronic Commerce

Payment Describes the V PAY payment processing services and requirements, including: Processing • Authorization requirements • Payment service standards • Clearing and Settlement

Dispute Details all resolution processes including: Resolution • and Representments • Dispute Groups and reason codes • Arbitration and Compliance

Fines and Describes the fines and penalties rules, processes and schedules Penalties

Appendices Gives the Defined Terms, Exhibits, Maximum Authorized Floor Limits and the Visa System software licence agreement

10 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Program Requirements

1.1 V PAY PROGRAM OVERVIEW ...... 15

1.2 MEMBERSHIP CATEGORIES ...... 15 V PAY Member ...... 15 V PAY Sponsored Member ...... 15

1.3 BIN ...... 15

1.4 MEMBERSHIP OBLIGATIONS ...... 15 Initial Service Fees ...... 15 Notification and Provision of Information to Visa ...... 15 Sponsoring Members ...... 16 Sale or Transfer ...... 16 Notification ...... 16 V PAY Member Financial Liability ...... 16 Mergers, Acquisitions or Restructuring ...... 16

1.5 BIN LICENCE AND ADMINISTRATION ...... 17 BIN Licensing ...... 17 BIN Licence Agreement ...... 17 Visa Interchange Directory Update Form (Exhibit 4F) ...... 17 BIN Use ...... 17 V PAY Member Requirements ...... 17 Processor Requirements ...... 18 BIN Fees ...... 18 New BIN Assignments ...... 18 Transfer ...... 18 BIN Licensed to Another V PAY Member ...... 18 Failure to Return BINs ...... 18 BIN Blocking ...... 18 BIN Administration Changes ...... 19 Visa Responsibility ...... 19 V PAY Member Responsibility ...... 19

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 11 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

Visa Reserved BIN Range ...... 20

1.6 TECHNOLOGY (SOFTWARE) LICENSE...... 20 License Grant ...... 20 Delivery of Software ...... 20 Licence, Installation, Training, Maintenance and Support Fees ...... 20 Systems Management ...... 21 Notification of Changes ...... 21

1.7 ACCOUNT NUMBERS ...... 21

1.8 PIN PROGRAM ...... 21 Overview ...... 21 Participation Requirements ...... 21 PIN Verification Procedures ...... 21 Offline PIN Verification Procedures ...... 21 Prepaid Card Issuers ...... 21 Non-Reloadable Card ...... 22 Reloadable Cards ...... 22 Activation and Load Service ...... 22 Visa Prepaid Load Service ...... 22 Point-of-Transaction Balance Return Service ...... 23

1.9 VISA SIMPLYONE CARDS WITH V PAY...... 23 Issuer Requirements ...... 24 Card Design ...... 24

1.10 CONFIDENTIALITY ...... 24

1.11 VISA RIGHTS ...... 25 Right to Monitor, Audit, Inspect and Investigate ...... 25 V PAY Member Obligations ...... 25 Right to Protect ...... 25

1.12 REGULATION ENFORCEMENT ...... 25 Fines and Penalties ...... 25

1.13 CARDHOLDER AGREEMENTS AND COMMUNICATION...... 26 Cardholder Notification ...... 26 Prepaid Cards ...... 26 Zero Liability for Cardholders ...... 26 Cardholder Agreements ...... 26 Cardholder Agreement Prohibition ...... 27

1.14 ACQUIRER MERCHANT CONTRACT REQUIREMENTS ...... 27 Financial Responsibility ...... 27 Merchant Inspection ...... 27

12 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

General Requirements ...... 28 Merchant Agreement ...... 28 Merchant Category Code ...... 29 Merchant Invoices ...... 29 Transparency of Interchange Reimbursement Fee Rates ...... 29 Merchant Card Acceptance ...... 30 Cross-Border Domestic Interchange Program ...... 30 Revocation of Merchant Privileges ...... 31

1.15 LIABILITIES AND INDEMNIFICATION...... 31 General Liabilities and Indemnification Provisions ...... 31 Limitations of Liability ...... 31 Disclaimer of Warranty and Representation ...... 31 Indemnity ...... 32 Arrests ...... 33 Lost or Stolen Card Reports ...... 33 International Airline Merchant Service ...... 33 Visa Merchant Alert Service ...... 33

1.16 COUNTRY OF ACTIVITY ...... 33

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 13 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Chapter 1 - Program Requirements

1.1 V PAY PROGRAM OVERVIEW V PAY is Visa’s pan-European, Chip-only, PIN-based debit solution. It is an unembossed, full Authorization debit Card that can be used at any EMV-Compliant device displaying the V PAY Brand Mark.

V PAY Members are permitted to supply all services available under the V PAY Card Program, including:  Point-of-Transaction services;  ATM services;  Manual Cash Disbursement services; and  Electronic commerce services. 1.2 MEMBERSHIP CATEGORIES

1.2.1 V PAY Member A V PAY Member shall issue cards bearing the V PAY Brand Mark and/or contract with Merchants for the acceptance of such V PAY Cards.

1.2.2 V PAY Sponsored Member A V PAY Sponsored Member shall issue cards bearing the V PAY Brand Mark and/or contract with Merchants for the acceptance of such V PAY Cards under the sponsorship of a V PAY Member. 1.3 BIN A V PAY Card Program must be issued on a unique BIN that is not used for any other Card program.

An Issuer may use a Visa assigned BIN or, with the prior agreement of Visa, a non-Visa assigned BIN assigned by International Organisation for Standardisation (ISO) exclusively for use by the Issuer or its licensed affiliates. 1.4 MEMBERSHIP OBLIGATIONS In addition to the requirements in the Visa Europe Membership Regulations, a V PAY Member must comply with this Section 1.4.

1.4.1 Initial Service Fees Any organisation accepted as a V PAY Member of Visa shall pay to Visa initial service fees, as set out in the Visa Europe Fee Guide. These fees are non-refundable and are payable to Visa immediately upon successful completion of a membership application.

1.4.2 Notification and Provision of Information to Visa Each V PAY Member which has entered into a Visa approved membership and thus has signed the Visa Europe Membership Deed, must notify Visa as soon as reasonably practicable, but no later than within 30 calendar days of each and any of the following occurring:  The V PAY Member ceasing to be controlled by the organisation(s) or person(s) that controlled the V PAY Member as at the effective date of membership;  The V PAY Member being involved in a consolidation or merger or the V PAY Member being involved in changing its legal status;  A change of the V PAY Member's registered address;  A change of the V PAY Member's legal name;  Any breach by the V PAY Member of the provisions of the Visa Europe Membership Deed;  Any change to the notice details of the V PAY Member set out in the Visa Europe  Membership Deed;

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

 The V PAY Member ceasing to be an organisation eligible for membership; or  If the V PAY Member wishes to become sponsored for a particular category of membership or to change sponsor, the V PAY Member intending to seek sponsorship or change sponsor (as applicable).

1.4.3 Sponsoring Members

1.4.3.1 Each V PAY Member which has entered into a Visa approved sponsorship agreement and is the sponsor, must supply Visa with a list of the full legal names, registered offices and full company identification numbers (where applicable) for any V PAY Member they sponsor. This must be submitted by 31 January each year and, in addition, within 30 calendar days of a request in writing from Visa.

1.4.3.2 A sponsoring V PAY Member must ensure that, within the time frame specified in Section 1.4.3.1, all  its sponsored V PAY Members have completed and returned in full to Visa all required documentation.

1.4.3.3 A sponsoring V PAY Member must notify Visa in writing immediately of:  Any changes in the details of the original Visa approved sponsorship agreement; or  Any changes as described in Section 1.4.2 that relate to its sponsored V PAY Members.

1.4.3.4 A sponsoring V PAY Member that wishes to withdraw its sponsorship of its sponsored V PAY Member(s), must notify Visa in writing at least 90 working days prior to the withdrawal of its sponsorship becoming effective. The sponsoring V PAY Member must include at a minimum the following information relating to the sponsored V PAY Member:  Full legal name;  Company identification number (where applicable);  Business ID (BID);  Registered office; and  Date on which the sponsored V PAY Member will cease to be sponsored.

1.4.4 Sale or Transfer

1.4.4.1 Notification When the sale or transfer of any of the following occurs, the relevant V PAY Member must provide Visa with, a completed Member Portfolio Sale Notification (Exhibit 4D) within 10 calendar days of such sale or transfer:  All or part of an Issuer’s portfolio of V PAY Cards;  All or part of an Acquirer’s portfolio of Merchants; and  Controlling interest in a V PAY Member.

1.4.4.2 V PAY Member Financial Liability A V PAY Member will be financially liable to Visa for all activities in relation to any portfolio(s) that it is transferring, including the payment of applicable service fees, until Visa acknowledges receipt of all required documentation in respect of the sale or transfer of the portfolio(s).

1.4.4.3 Mergers, Acquisitions or Restructuring If the sale of a V PAY Member’s portfolio(s) results from a merger, acquisition or V PAY Member restructuring, all Visa membership qualification criteria must be met by the surviving or acquiring entity if the surviving or acquiring entity wishes to remain or become a V PAY Member.

16 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.5 BIN LICENCE AND ADMINISTRATION

1.5.1 BIN Licensing A V PAY Member must have a BIN prior to issuing V PAY Cards.

1.5.1.1 BIN Licence Agreement A V PAY Member must submit a BIN Licensing Agreement Form (Exhibit 4A) to Visa prior to issuing any V PAY Card bearing the requested BIN or acquiring a Merchant using the BIN. By completing the BIN Licensing Agreement Form (Exhibit 4A), the V PAY Member acknowledges that it will use the requested BIN only for the agreed purpose set out in the BIN Licensing Agreement Form (Exhibit 4A). If a V PAY Member wishes to change the purpose for which it uses a BIN, it must submit to Visa for prior approval a revised form to reflect any such change in use prior to the effective date of that change. Visa will notify that V PAY Member in writing whether the change in use has been approved. That V PAY Member must not make use of the BIN for a different purpose to that set out in its BIN Licensing Agreement Form (Exhibit 4A) until it has received approval from Visa in writing of the change in purpose. 

1.5.1.2 Visa Interchange Directory Update Form (Exhibit 4F)

1.5.1.2.1 Each V PAY Member or Processor assigned a BIN to use on V PAY Cards must provide Visa with the information required in the Visa Interchange Directory Update Form (Exhibit 4F) for the Visa Interchange Directory. 

1.5.1.2.2 If any of the V PAY Member or Processor information required by the Visa Interchange Directory Update Form (Exhibit 4F) changes, a V PAY Member or Processor must, within 10 business days of such change, submit to Visa a new Visa Interchange Directory Update Form (Exhibit 4F) with any updates. 

1.5.2 BIN Use

1.5.2.1 V PAY Member Requirements

1.5.2.1.1 V PAY Members and Processors shall be responsible for all activities associated with any BIN licensed to them. 

1.5.2.1.2 A V PAY Member is responsible and liable for all activities associated with the BINs licensed directly to a V PAY Member who they sponsor.

1.5.2.1.3 A V PAY Member must countersign the BIN Licensing Agreement User Instructions (Exhibit 4A) for any BIN license request submitted to Visa by a sponsored V PAY Member before Visa reviews the request.

1.5.2.1.4 Only a V PAY Member licensed by Visa or ISO to use the BIN or the licensee’s designated agent on behalf of that V PAY Member, may use the BIN for the agreed purpose as set out in the BIN Licensing Agreement Form (Exhibit 4A). 

1.5.2.1.5 An Issuer using a BIN licensed to another V PAY Member must be uniquely identified within the first nine digits of the Account Number. 

1.5.2.1.6 Only a V PAY Member to whom the BIN is licensed, or who is identified as the user of that BIN, may have sole use of that BIN.

1.5.2.1.7 An Issuer must ensure that the denominated currency of the BIN, on which the V PAY Card is issued, is the same as the Billing Currency.

1.5.2.1.8 An Issuer of Prepaid Cards must issue its Prepaid Cards on a BIN designated for Prepaid Cards. The Issuer may either:  Choose a BIN from a BIN previously assigned to it by Visa; or  Request a new BIN assignment for the service.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 17 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.5.2.2 Processor Requirements

1.5.2.2.1 A Processor with licensed BINs must use those BINs exclusively for processing activities. It must not use the BINs for issuing or acquiring purposes without the prior written consent of from Visa for issuing and acquiring purposes. 

1.5.2.2.2 A V PAY Member using Visa BINs for non-Visa purposes must obtain prior written approval from Visa. The V PAY Member must submit to Visa a BIN Licensing Agreement Form (Exhibit 4A) identifying those uses.

1.5.2.3 BIN Fees Visa shall set the new BIN fee (for a new BIN or a transferred BIN) and the annual BIN licensing fee, which shall be paid to Visa by V PAY Members and Processors providing payment-related services, in relation to the assignment of BINs to such V PAY Members and Processors. 

1.5.2.4 New BIN Assignments

1.5.2.4.1 V PAY Members and Processors that obtain new BIN assignments must pay a one-off fee per BIN assessed by Visa.

1.5.2.4.2 A V PAY Member with a new BIN assignment for a new V PAY Card Program or V PAY Card Product shall have 18 months in which to activate such new V PAY Card Program or V PAY Card Product, after which that V PAY Member shall be liable for the annual license fee for an inactive BIN. 

1.5.2.4.3 An Issuer must not combine Debit and Prepaid Card Programs in a single BIN. 

1.5.2.5 Transfer Any V PAY Member obtaining a BIN previously licensed to another V PAY Member must pay a fee, as determined by Visa, for each BIN or account range transfer.

1.5.2.6 BIN Licensed to Another V PAY Member A V PAY Member that uses BINs licensed to another V PAY Member is subject to the same fee structure as the V PAY Member that obtained the BIN licence.

1.5.2.7 Failure to Return BINs Visa shall impose a fine on a V PAY Member, as specified in the Visa Europe Fee Guide, on an annual basis for:  BINs that are unused and which have not been returned to Visa; and  BINs that are not returned where they are used, but are not in accordance with rules set by Visa.

1.5.3 BIN Blocking Visa may as it sees fit at any time and without warning, require a Visa Scheme Processor to block the function of all or any part of its system in relation to any BIN assigned to a Member (whether yours or any other person’s, a “blocked BIN”) so that, during the period of the block:  No Authorization may be given using the blocked BIN, and/or  No Clearing Record may be created in respect of the blocked BIN, and/or  No Settlement may be effected of amounts owed to the blocked BIN (any such outcome being a “BIN block”) subject only to such exceptions as Visa may see fit to make from time to time.

Visa will exercise its discretions under this paragraph with a view to (a) ensuring the stability of the Visa Enterprise, and/or (b) protecting Visa and its Members against any loss or liability whatsoever (including, without limitation, in respect of Settlement Loss), and/or (c) avoiding or mitigating any act or omission which Visa considers might be illegal, inconsistent with applicable regulatory standards or materially damaging to the VISA brand (each of (a), (b) and (c) being a “BIN blocking objective”).

18 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

Visa may declare any BIN block to be temporary, indefinite or permanent. If no such declaration is made, a BIN block will be treated as indefinite. Visa will take such steps as it considers appropriate to terminate the membership of any Person whose assigned BIN is subject to a permanent BIN block. A temporary or indefinite BIN block will end: (a) if Visa (i) determines that continuing the BIN block is of no further help to achieving the BIN blocking objectives and (ii) does not intend to terminate the membership of any Person to whom the blocked BIN is assigned, or (b) in the case of a temporary BIN block only, if earlier, at the time and subject to such conditions that Visa may specify.

Visa may as it sees fit at any time and without warning cancel a BIN block and/or change the status and scope of application of any BIN block. Visa may as it sees fit at any time and without warning extend or modify the conditions of any temporary BIN block.

Visa’s right to effect a BIN block is in addition, and without prejudice, to any other rights or remedies of Visa under the Member Agreements, the Membership Regulations, the Operating Regulations, the Member Risk Policy and otherwise.

The exclusions and limitations of Visa’s liability set out in the Visa Core Rules and Visa Product and Service Rules and will apply to any Liability or Claim arising in connection with a BIN block.

1.5.4 BIN Administration Changes

1.5.4.1 Visa Responsibility Visa will make changes to BINs that are licensed to Members where such changes are required to accommodate mergers and acquisitions, portfolio sales and V PAY Card Program or V PAY Card Product transfers only after Visa acknowledges receipt of a BIN Licensee Transfer Request (Exhibit 4B-1)/ BIN User Transfer Request Form (Exhibit 4B-2) and a Member Portfolio Sale Notification (Exhibit 4D) as appropriate. 

1.5.4.2 V PAY Member Responsibility

1.5.4.2.1 When a V PAY Member or Processor no longer wishes to use a BIN assigned to them, or Visa recalls a BIN, that V PAY Member or that Processor shall continue to meet its obligations under its BIN Licensing Agreement Form (Exhibit 4A), including all financial obligations, until the reassignment or recall is recorded in the BIN licensing system of record. 

1.5.4.2.2 If a BIN is recalled, the V PAY Member or Processor will be released from its obligations under its BIN License Agreement, six calendar months after:  The expiry date of the last V PAY Card issued on that BIN;   All processing activity has ceased; and   All acquiring activity has ceased. 

Visa may, at its discretion, consider other evidence to indicate that all V PAY Cards issued on that BIN have been withdrawn from the market.

1.5.4.2.3 A V PAY Member or Processor with a licensed BIN must not sell, rent or exchange in any way any such BIN to another entity. The transfer of BINs is not permitted except as specified in Section 1.5.4.1 and Section 1.5.4.2.4 and with the permission of Visa. 

Visa may, at its sole discretion, accommodate requests for BIN transfers in connection with a portfolio sale.

1.5.4.2.4 If a V PAY Member is involved with a merger, acquisition, portfolio sale or V PAY Card Program or V PAY Card Product transfer it must submit a BIN Licensee Transfer Request (Exhibit 4B-1)/BIN User Transfer Request Form (Exhibit 4B-2) and a Member Portfolio Sale Notification (Exhibit 4D) to Visa.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 19 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.5.4.2.5 A V PAY Member, Processor or Visa Scheme Processor providing payment-related services that no longer uses or wishes to use a BIN must complete, and submit to Visa, a BIN Release Request (Exhibit 4E-1). 

Once the BIN Release Request (Exhibit 4E-1) has been processed, Visa will notify the V PAY Member or Processor of the recall effective date.

That V PAY Member, Processor or Visa Scheme Processor must not use a BIN recalled by Visa after the recall effective date. 

1.5.4.2.6 A V PAY Member must use a Reversal of BIN Release Request (Exhibit 4E-2) to request cancellation of a previously requested BIN release. 

1.5.4.2.7 When Visa downgrades a V PAY Member’s status such that it is no longer entitled to issue V PAY Cards or sign Merchants, the V PAY Member must return its BIN to Visa. A V PAY Member that has had its status downgraded by Visa such that it is no longer entitled to issue V PAY Cards or sign Merchants may make a request to Visa that it be entitled to transfer the BIN to another V PAY Member. Such V PAY Member shall only be entitled to transfer the BIN to another V PAY Member if Visa provides the V PAY Member that has been downgraded with written consent to such transfer. 

1.5.5 Visa Reserved BIN Range

1.5.5.1 An Acquirer must not submit Clearing Records containing an Account Number where the first six digits of that Account Number are the same as the Visa Reserved BIN Range.

1.5.5.2 An Acquirer must ensure that its V PAY Merchants do not submit Authorization Requests or Transactions that contain an Account Number where the first six digits of that Account Number are the same as the Visa Reserved BIN Range.

1.5.5.3 An Acquirer must monitor its usage and its V PAY Merchant’s usage of the Visa Reserved BIN Range and, at the request of Visa, must provide to Visa confirmation that the Visa Reserved BIN Range is being used in accordance with Section 1.5.5.1 and Section 1.5.5.2. 1.6 TECHNOLOGY (SOFTWARE) LICENSE

1.6.1 License Grant A V PAY Member’s right to use any proprietary technology or software owned by Visa is provided for in the Visa Europe Technology Licence, pursuant to which Visa grants to each Member a non-exclusive, non-transferable licence to use any proprietary technology or software owned by Visa and provided to the Member (at the option of Visa) on the terms and conditions set out in the Visa Europe Technology Licence.

Any proprietary technology or software owned by Visa and provided to the V PAY Member (at the option of Visa) must be used solely in the development and operation by the V PAY Member for their V PAY Card Programs or V PAY Card Products to which Visa gives its prior written consent.

1.6.1.1 Delivery of Software Immediately upon delivery of any proprietary technology or software from Visa, and before opening any packaging material, the V PAY Member must inspect the package for external signs of damage and promptly notify Visa and the carrier that delivered the package if there is any external sign of damage.

1.6.1.2 Licence, Installation, Training, Maintenance and Support Fees Visa will determine the fees payable by a V PAY Member to Visa for use, installation, training, maintenance and support of any proprietary technology or software owned by Visa and provided to the V PAY Member (at the option of Visa).

20 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.6.2 Systems Management

1.6.2.1 Notification of Changes Visa will provide:  Six months notice of changes that affect the systems and software of all V PAY Members in the Territory;  Two Edit Package updates each year, to be implemented in April and in October; and  Three weeks’ notice for Visa Extended Access Server changes not affecting the V PAY Member. 1.7 ACCOUNT NUMBERS A V PAY Card Account Number must be 16-19 digits in length, of which the last digit must be a modulus ten check-digit. 1.8 PIN PROGRAM

1.8.1 Overview An Issuer must make a PIN available to each Cardholder for use with a V PAY Card.

1.8.2 Participation Requirements An Issuer:  Must notify each of its Cardholders of the PIN for that Cardholder’s Card;   No later than 1 July 2008, must be capable of receiving, and receive, PINs from Visa using a secure PIN block format that is specified in the Payment Card Industry (PCI ) PIN Security Requirements. 

1.8.3 PIN Verification Procedures An Issuer must use PIN Verification for all ATM Transactions. 

An Issuer must provide PIN Verification for each Transaction either through its own PIN verification service or by using the PIN Verification Service, as specified in Chapter 2, "Risk Management".

If the Issuer uses the PIN Verification Service as specified in Chapter 2, "Risk Management", it must comply with the “Key Management Service” procedures specified in the Visa Payment Technology Standards Manual. 

1.8.3.1 Offline PIN Verification Procedures An Issuer must provide offline PIN verification capability on all V PAY Cards. Offline PIN Verification is a process used to verify the Cardholder’s identity by comparing the PIN entered at the Chip-Reading Device to the PIN value contained in the Chip using enciphered and/or plaintext Offline PIN Verification.

1.8.4 Prepaid Card Issuers An Issuer of Prepaid Cards must:  Prevent unauthorized reselling of its Prepaid Cards or Prepaid Accounts;   Ensure that all Prepaid Cards that it issues bear a V PAY Brand Mark;   Comply with the Visa Product Brand Standards and the Visa Europe Prepaid Card Products Member Implementation Guidelines;   Certify that any non-Members that distribute Prepaid Cards on their behalf comply with the Guidelines for Distribution and Storage of Simple Purchase Card Programs, available from Visa upon request with the Prepaid Implementation Plan; and  For Prepaid Card design requirements, see Chapter 5, "Card Design".

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 21 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.8.4.1 Non-Reloadable Card For Non-Reloadable Cards, an Issuer:  May process a Credit Transaction, Reversal or an Adjustment if it is directly related to a previous Transaction to such Cards;   Must, if the Issuer does not have the Cardholder data on file, comply with the maximum initial funding limits, as specified in the Visa Europe Prepaid Card Products Member Implementation Guidelines, or as provided by local law;   Must have an anti-money laundering and an anti-terrorist financing program to monitor for suspicious activity;   Must not process Recurring Transactions, Instalment Transactions or, effective from 22 April 2017, Unscheduled Credential-on-File Transactions; and   May, upon prior written permission from Visa, elect not to process ATM Transactions. 

1.8.4.2 Reloadable Cards For Reloadable Cards, Issuers must:  Unless local law provides otherwise, not reload the Reloadable Card beyond the initial funding if Cardholder data is not on file. If such Cardholder data is not on file, limit the amount of initial funding, as specified in the Visa Europe Prepaid Card Products Member Implementation Guidelines; and   Personalise the Card with the name of the Cardholder or a generic identifier, as approved by Visa, on the Card. 

1.8.4.3 Activation and Load Service

1.8.4.3.1 An Issuer may permit Cardholders to purchase, activate and add the initial Load Transaction to a Prepaid Card at a Prepaid Partner.

1.8.4.3.2 An Issuer that uses a Prepaid Partner to sell, activate and/or load its Prepaid Cards must have a Prepaid Partner Agreement in place. A Prepaid Partner Agreement must include, at a minimum:  Any service fee charged to a Cardholder by the Prepaid Partner;   The portion of the service fee that will be paid to the Issuer; and   A provision requiring the Prepaid Partner to provide the Cardholder with a Transaction Receipt showing the Load Transaction. 

1.8.4.4 Visa Prepaid Load Service

1.8.4.4.1 An Issuer participating in the Visa Prepaid Load Service must:  Approve Authorization Requests to load funds to Reloadable Cards; and   Post the value of the funds loaded to the Reloadable Card, either upon Authorization, or as soon as the funds are cleared. 

1.8.4.4.2 Issuers participating in the Visa Prepaid Load Service must comply with the requirements, as specified in the Visa Europe Prepaid Card Products Member Implementation Guidelines. 

1.8.4.4.3 An Issuer must use a Fee Collection Transaction to recover outstanding funds relating to a Load Transaction when a Reversal was not received by the Issuer from the Acquirer and either:  A Clearing Record was not received by the Issuer from the Acquirer; or  The Transaction Amount in the Clearing Record is less than the Transaction Amount on the Transaction Receipt.

22 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.8.4.4.4 If a Fee Collection Transaction is submitted to recover outstanding funds relating to a Load Transaction using the Visa Prepaid Load Service, the Issuer must have:  Provided an Authorization for that Load Transaction; and  Transferred the Transaction Amount to the Prepaid account either upon Authorization, or as soon as the funds are cleared, or the Cardholder provides a Transaction Receipt documenting the Transaction Amount of that Load Transaction.

1.8.4.4.5 A Fee Collection Transaction to recover outstanding funds relating to a Load Transaction using the Visa Prepaid Load Service, must be submitted within 180 calendar days from the date of that Load Transaction but no earlier than 10 calendar days from the date that the Issuer provided the Authorization.

1.8.4.5 Point-of-Transaction Balance Return Service Issuers who participate in the Point-of-Transaction Balance Return Service must meet the testing requirements set by Visa.  1.9 VISA SIMPLYONE CARDS WITH V PAY

1.9.1 Subject to agreement with Visa, Issuers in the following countries may issue Visa SimplyOne Cards containing the V PAY Payment Application:  Austria;  Belgium;  Germany;  Luxembourg;  The Netherlands; and  Switzerland.

1.9.2 An Issuer of Visa SimplyOne Cards with V PAY must comply with the Visa SimplyOne Member Implementation Guide for V PAY.

1.9.3 A Visa SimplyOne Card with V PAY can be a Visa Card or a Card.

1.9.4 Visa SimplyOne Cards with V PAY must contain two Account Numbers.

1.9.5 Both Account Numbers contained on a Visa SimplyOne Card with V PAY must be:  Issued by the same Issuer; and  Associated with the Payment Application(s) encoded on that Card.

1.9.6 A Visa SimplyOne Card must contain two Payment Applications. Where V PAY is one of the Payment Applications encoded on a Visa SimplyOne Card, it must be the Visa Lower Priority Payment Application, and the other Visa branded product must be the Visa Higher Priority Payment Application.

1.9.7 Visa SimplyOne Cards with V PAY used for Proximity Payments must have the Proximity Payment associated to the Visa Higher Priority Payment Application.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 23 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.9.8 Issuer Requirements

1.9.8.1 Issuers of Visa SimplyOne Cards with V PAY must:  Comply with the Visa Product Brand Standards and the Visa Europe Membership Regulations;  Comply with debit rules when Visa SimplyOne with V PAY is used as a debit card and credit rules when Visa SimplyOne with V PAY is used as a ; and  Issue the Payment Application on a designated BIN as follows: — The debit application on a BIN designated for V PAY debit; — The credit application on a BIN designated for credit; — The consumer application on a BIN designated for consumer; and — The commercial application on a BIN designated for commercial.

1.9.8.2 Issuers of Visa SimplyOne Cards with V PAY must not issue Non-Reloadable cards when a Visa SimplyOne Card with V PAY is used as a Prepaid Card.

1.9.8.3 An Issuer must stop or close both accounts on a Visa SimplyOne Card with V PAY in order to stop or close an account.

1.9.9 Card Design For Visa SimplyOne with V PAY Card design requirements, see the Visa Product Brand Standards. 1.10 CONFIDENTIALITY A V PAY Member must:  Maintain the confidentiality of Confidential Information, in strict confidence. Confidential Information shall not include any information that: — Is or becomes generally available to the public other than as a result of a disclosure by the V PAY Member;  — Is, at the time of disclosure by Visa to the Member, in possession of the V PAY Member or becomes available to the V PAY Member from a source (other than Visa) that is not prohibited from disclosing such information by contractual, legal, equitable or fiduciary obligation to Visa;  — Is independently developed by a third party who did not have access to the Confidential Information;   Not disclose (save where expressly permitted or directed by Visa), or allow its directors, officers, agents, representatives, employees or Affiliates to disclose, any Confidential Information except as is necessary for the purpose of fulfilling the V PAY Member’s obligations under the V PAY Operating Regulations - Scheme in the conduct of the V PAY Member’s business, in which case the disclosure must be subject to a written agreement preserving the confidentiality of the disclosed Confidential Information in terms no less restrictive than the terms set out in this Section 1.10;   Store and handle Confidential Information in such a way as to prevent unauthorized disclosure;   Take reasonable measures to protect Confidential Information and treat it with at least the degree of care with which a V PAY Member treats its own confidential and proprietary information;   Immediately upon Visa’s written request, return to Visa, or destroy, originals and all copies of any Confidential Information in any medium and, if required by Visa, certify that it has done so;   Notify Visa immediately in the event that the V PAY Member becomes legally compelled to disclose any Confidential Information and, if legally required to disclose any Confidential Information, only disclose that portion that it is advised by legal counsel that it is legally required to disclose; and   Only process and transfer personal data (whether or not it is classified as Confidential Information) in accordance with the V PAY Operating Regulations - Scheme and applicable laws.

24 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.11 VISA RIGHTS

1.11.1 Right to Monitor, Audit, Inspect and Investigate Visa reserves the right to audit the records and procedures of any V PAY Member, see Section 1.14.2.

Visa may:  Inspect the premises of a V PAY Member at any time and that V PAY Member must pay a fee to Visa for this inspection;   Audit the records and procedures of any Issuer, including, the following procedures: — Shipping and storage security procedures; and/or  — Procedures for issuance and distribution;   Monitor an Acquirer to determine disproportionate fraud-to-sales ratios; and   Perform periodic audits, at the V PAY Member's expense, to ensure that the V PAY Member, its agents, its Merchants and its Merchants' agents comply with the PIN Management Requirements Documents.

A V PAY Member shall include provisions in its agreements with its Merchants, Approved Manufacturers, Third Party Personalisers and agents that allow Visa to:  Inspect the premises of such entities at any time;   Monitor such entities to determine disproportionate fraud-to-sales ratios; and   Conduct security inspections at the premises of any such entities that are identified as having excessive fraud levels. 

If Visa inspects the premises of any of a V PAY Member’s Merchants, Approved Manufacturers or Third-Party Personalisers agents that Member must pay a fee to Visa for such inspection. 

A V PAY Member shall include provisions in its agreements with its Merchants with whom it has contracted to sell Prepaid Cards that allow Visa to audit the records and procedures of such Merchants, including auditing the following:  Shipping and storage security procedures; and/or   Procedures for issuance and distribution. 

1.11.2 V PAY Member Obligations A V PAY Member must, and include provisions in its agreements with its Merchants, Approved Manufacturers, Third-Party Personalisers or agents obliging those parties to, co-operate fully with Visa in any investigation or onsite review. This co-operation includes providing access to the premises and to all pertinent records and releasing any information to Visa upon Visa’s request. 

1.11.3 Right to Protect Visa is not obligated to take any actions to protect any V PAY Member, Merchant or Cardholder from financial loss. 

A V PAY Member must provide, in its agreements with Merchants, Approved Manufacturers,  Third-Party Personalisers or agents, a provision that enables the V PAY Member to limit or terminate its agreements with its Merchants, Approved Manufacturers, Third-Party Personalisers or agents upon instruction by Visa. The V PAY Member must terminate or limit those agreements when requested to do so by Visa.  1.12 REGULATION ENFORCEMENT

1.12.1 Fines and Penalties Visa may impose fines and penalties on its V PAY Members for failure to comply with the  V PAY Operating Regulations - Scheme as specified in Section 9.1.2.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 25 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.13 CARDHOLDER AGREEMENTS AND COMMUNICATION

1.13.1 Cardholder Notification An Issuer of V PAY Cards must notify the Cardholder in writing of the following: 1  That the Currency Conversion Rate used to convert the Transaction Currency to the Billing Currency, is a wholesale market rate or government-mandated rate to which the following has been added: — Any fees and charges imposed by the Issuer through the addition of a percentage increase to the Currency Conversion Rate; or — Any other fees for currency conversion;  Specific fees and charges to be charged to the Cardholder, where appropriate, including, but not limited to: — ATM Cash Disbursement fee; — Manual Cash Disbursement fee; — PIN replacement charge; and — Annual/monthly fee; and/or — Fee for additional statement copies;  Date that Transactions will be debited from the Cardholder’s account;  Effective until 28 February 2017, subject to applicable domestic law, Cardholder’s liability both: — Is a maximum of €150 (or local Billing Currency equivalent) if the V PAY Card is lost or stolen; and — Ceases when Cardholder reports the loss or theft of the V PAY Card, unless the Issuer can prove that the Cardholder acted fraudulently or negligently; and  Effective from 1 March 2017, the Cardholder’s liability for unauthorised Transactions, as specified in Section 1.13.2.

1.13.1.1 Prepaid Cards An Issuer must not describe a Prepaid Card in any way that could imply that Visa is liable for outstanding balances.

1.13.2 Zero Liability for Cardholders

1.13.2.1 Effective from 1 March 2017, an Issuer must limit a Cardholder's liability to zero upon notification from that Cardholder of an unauthorised Transaction. This limitation of liability does not apply to Transactions completed with an anonymous Prepaid Card. 

1.13.2.2 Effective from 1 March 2017, the Issuer may increase the amount of the Cardholder's liability for unauthorised Transactions if the Issuer reasonably determines, based on substantial evidence, that:  The Cardholder has acted fraudulently or negligently in the handling of the account or the Card; or   The Cardholder is proven to have participated in the Transaction.  The Issuer must communicate any restrictions to its Cardholders.

1.13.3 Cardholder Agreements Taking into account all the products and services provided by Visa, all information required under applicable data protection legislation must be provided in the Cardholder Agreement including, but not limited, to the following:  The identity of the Issuer;  The purposes of the processing for which any personal data are intended including building a profile of the Cardholder’s interests;

1. For purposes of the Payment Services Directive, the Currency Conversion Rate shall be the “Reference Exchange Rate”.

26 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

 The recipients of the personal data, such as: — V PAY Member’s subsidiaries and/or group of companies, agents and employees; — Visa and their respective third party subcontractors and any of their employees; — Third parties with whom the Cardholder transacts and has agreed to share their personal data; — Third parties in an approved partnership with Visa, only where such data is presented in either an anonymised, pseudonymised or aggregated form and will never be able to be used by those third parties to identify a particular Cardholder; — Such other persons as it may be reasonably necessary to disclose and transfer personal data (for example credit reference agencies, law enforcement agencies, anti-terrorism, anti-organised crime agencies, fraud monitoring agencies, central banks); and — Any other persons as otherwise required or permitted by local law and/or regulations;  That the transfer and disclosure of personal data may take place worldwide;  Any other information necessary to guarantee fair processing of personal data under the applicable law; including without limitation: — That aggregated, anonymised data may be created based on personal data; — That data may be used and/or shared where deemed applicable with third parties for:  Billing purposes;  Product enablement and build;  Testing or product improvement purposes; and  To reply to requests from public authorities. — That Cardholders are not identifiable from this data; — That data may be analysed for offers or promotional activities that Cardholders have entered or agreed to be part of; — The categories of personal data processed, whenever considered necessary or convenient by the Member; and  A contact point for data protection-related enquiries.

1.13.3.1 Cardholder Agreement Prohibition An Issuer must include a provision in its Cardholder Agreement that a V PAY Card must not be used for any purpose which is contrary to applicable law.  1.14 ACQUIRER MERCHANT CONTRACT REQUIREMENTS

1.14.1 Financial Responsibility An Acquirer must determine that each of its prospective Merchants is capable of satisfying the obligations imposed on a Merchant in a Merchant Agreement, that its prospective Merchants are financially responsible and that there is no significant derogatory background information about any of those Merchants’ principals. 

The Acquirer may obtain this information through the following:  Credit reports;   Personal and business financial statements;   Income tax returns; and   Other information lawfully available to the Acquirer. 

1.14.2 Merchant Inspection An Acquirer must conduct a physical inspection of the business premises of a prospective Merchant to ensure that the prospective Merchant conducts the business that it purports to conduct. For prospective Electronic Commerce Merchants and, effective from 15 October 2016, Mail/Phone Order Merchants, the Acquirer must also obtain a detailed business description from the relevant prospective Merchant. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 27 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.14.3 General Requirements

1.14.3.1 Merchant Agreement An Acquirer must:  Enter into a Merchant Agreement with each of its Merchants;   Include in those Merchant Agreements: — A provision stating that Merchant Service Charges must not be blended between V PAY Transactions and the transactions of other payment card systems; — A provision stating that Merchant Service Charges must not be blended between V PAY Transactions and other Transactions; and — For new Merchant Agreements, a provision stating that the Merchant must only use a payment application, as defined in the Payment Application Data Security Standard, that is compliant with the Payment Application Data Security Standard;  Include in those Merchant Agreements an obligation that the Merchant must: — Perform its obligations under the Merchant Agreement in compliance with applicable laws;  — Comply with those rules set out in the V PAY Operating Regulations - Scheme that relate to the use of the V PAY Mark; and   Only accept Transaction Receipts from a Merchant with which it has a Merchant  Agreement;   For all PIN Entry Devices (PEDs), include in its Merchant Agreement that the Merchant must undertake PED asset management on a regular basis, including: — Recording all stock and serial numbers of each of their PEDs; — Recording the locations of each of their PEDs; — Ensuring that they undertake basic electronic and physical identification, and authentication of each of their PEDs; and — Ensuring that they comply with any relevant guidelines and/or requirements as specified by the PCI SSC.

Existing Merchants, in the Territory, meeting the functional criteria in Section 1.14 do not require a specific Merchant Agreement to accept V PAY, unless local contractual arrangements require this.

All information required under applicable data protection legislation must be provided in the Merchant Agreement including, but not limited to, the following:  The identity of the Acquirer;  The purposes of the processing for which any personal data are intended;  The recipients of the personal data, such as: — V PAY Member’s subsidiaries and/or group of companies, agents and employees; — Visa and their employees; — Such other persons deemed reasonably necessary to disclose and transfer personal data (for example credit reference agencies, law enforcement agencies, anti-terrorism agencies, anti-organised crime agencies, fraud monitoring agencies, central banks);  and/or — Any other persons as otherwise required or permitted by local law and/or regulations;  That the transfer and disclosure of personal data may take place worldwide; and  Any other information necessary to guarantee fair processing of personal data under the applicable law including without limitation: — That aggregated, anonymised data may be created based on personal data; — That data may be used and/or shared where deemed applicable with third parties for:  Billing purposes;  Product enablement and build;

28 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

 Testing or product improvement purposes;  To reply to requests from public authorities. — That data subjects are not identifiable from this data; — The categories of personal data processed, whenever considered necessary or convenient by the Member; and  A contact point for data protection enquiries.

1.14.3.1.1 A Merchant Agreement must specify that a Merchant must not knowingly submit, and an Acquirer must not knowingly accept from a Merchant, for submission to a Visa Scheme Processor, any Transaction that is illegal. 

A Merchant Agreement must specify that a Merchant must not knowingly submit, and an Acquirer must not knowingly accept from a Merchant, for submission to a Visa Scheme Processor, any Transaction that the Merchant and/or Acquirer should have known was illegal. 

1.14.3.1.2 An Acquirer may be subject to corrective actions or fines, as specified in Section 9.1, if its Merchant Outlet, agent, or Internet Payment Service Provider (IPSP) processes illegal Transactions.

1.14.3.1.3 An Acquirer must include a term in each of its Merchant Agreements that allows Visa to limit, suspend or terminate the Merchant Agreement. 

1.14.3.2 Merchant Category Code An Acquirer must assign the appropriate Merchant Category Code (MCC) to each Merchant, as specified in the Visa Europe Merchant Data Standards. 

1.14.3.3 Merchant Invoices

1.14.3.3.1 Acquirers must provide invoices to Merchants for Merchant Service Charges relevant to the invoice period that show:  The total number of all Transactions processed by the Merchant relevant to the invoice period;  The total value of all Transactions processed by the Merchant relevant to the invoice  period; and  Merchant Service Charges levied on the Merchant which, unless the Merchant has chosen blended pricing, must be broken down by the following Card types: — Credit Card and Deferred Debit Card; — Direct (Immediate) Debit Card; — Visa Electron Card; — V PAY Card; and — Visa Commercial Card.

1.14.3.3.2 Acquirers must offer each of their Merchants the option of Merchant Service Charge pricing on a MIF Plus Plus basis in relation to Transactions made with V PAY Cards. Acquirers are entitled to charge an administrative fee for this service.

An Acquirer must include in its Merchant Agreement with each of its Merchants a provision stating that Merchant Service Charge pricing on a MIF Plus Plus basis in relation to Transactions made with  V PAY Cards is available at the request of the Merchant.

An Acquirer must also specify in its Merchant Agreement with each of its Merchants whether an administrative fee will be charged to the Merchant for this service and the amount of this fee.

1.14.3.4 Transparency of Interchange Reimbursement Fee Rates Acquirers must inform Merchants of the availability of the following information published by Visa:  Interchange Reimbursement Fee rates set by Visa; and  Interchange Reimbursement Fee rates registered with Visa by Members.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 29 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.14.3.5 Merchant Card Acceptance Subject always to Section 6.1.2, Acquirers must inform Merchants that they are permitted to contract with the Acquirer to accept any one of, or combination of, Visa Cards, Visa Electron Cards, V PAY Cards and competing cards.

1.14.4 Cross-Border Domestic Interchange Program Capitalised terms used in Section 1.14.4 are defined below and apply to Section 1.14.4 only. In the event the same term has been defined in both Section 1.14.4 and in Appendix D, "Defined Terms", the definitions set out below will prevail for the purposes of Section 1.14.4 only.

Capitalised terms which are not defined below will have the meaning assigned to them in Appendix D, "Defined Terms":  - a Card which is not directly linked to an account and which offers a line of credit which is billed separately and which must be paid in full at the end of each billing period.  Credit Card - a consumer Card, Deferred Debit Card or Charge Card. For the avoidance of doubt, Immediate Debit MIFs (and not Credit MIFs) apply to Prepaid Cards.  Cross-Border Acquired Transaction - a Transaction where the Merchant Outlet and the Merchant’s Acquirer are located in two different countries and the Merchant Outlet is located in the EEA. The country in which the Merchant’s Acquirer is located under Visa’s Operating Regulations is the country in which the Merchant’s Acquirer is a Principal Member or an Associate Member of Visa.  Cross-Border Acquirer - an Acquirer involved in Cross-Border Acquiring.  Cross-Border Acquiring - the activity of an Acquirer of acquiring transactions at a Merchant Outlet located in a different EEA country than the country of the Acquirer.  Domestic Immediate Debit MIFs - MIFs that apply by default to POS consumer Immediate Debit Card Transactions where the Issuer of the Card used and the Merchant Outlet where the Card is used are located in the same EEA country.  Immediate Debit Card - a Card that is linked to a current or to which a Transaction is debited immediately (in a maximum of two working days) on receipt of the Transaction by the Issuer and shall include Transactions with Prepaid Cards.  Merchant Service Charge - a charge that is agreed between, and charged by, an Acquirer to a Merchant on a per-transaction basis in respect of payment card transactions.  POS - point of sale.  Revolving Credit Card - a Card that offers the Cardholder a line of credit, specific to that Revolving Credit Card account and the ability to revolve part, or all, of any outstanding balance on the Revolving Credit Card account during each statement cycle.  Single Merchant Identifier - the identifier assigned to Merchants belonging to the same group of companies, or each franchise arrangement, for which there is a single Merchant relationship, by Visa at their request.

Cross-Border Acquirers can offer either the Domestic Immediate Debit MIFs applicable in the location of the Merchant Outlet or an immediate debit MIF of 0.20%, for domestic consumer Cross-Border Acquired Transactions which meet the following conditions:  The Acquirer identifies the Merchant accepting the Card Transaction with its Single Merchant Identifier;  The Transaction is correctly accepted by the Merchant using EMV, Verified by Visa or other equivalent secure Visa technology and correctly entered into the Visa Europe System or reported to Visa by the Acquirer; and  The Merchant Agreement sets the Merchant Service Charge on a MIF Plus Plus basis and does not blend the Merchant Service Charges paid in relation to Card Transactions with the Merchant Service Charges paid in relation to any other payment system transaction. In addition, the Cross-Border Acquirer shall offer Merchants separate MIF Plus Plus pricing for each of Credit Cards and Immediate Debit Cards.

30 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.14.5 Revocation of Merchant Privileges Visa may fine a V PAY Member that enters into a Merchant Agreement with a Merchant that has been, or a Merchant with principals that are known to have been, prohibited from participating in the V PAY Program, as specified in Section 2.5.4.  1.15 LIABILITIES AND INDEMNIFICATION

1.15.1 General Liabilities and Indemnification Provisions

1.15.1.1 Limitations of Liability

1.15.1.1.1 For purposes of this Section 1.15.1.1, “Claim” and “Liability” includes Claims and Liabilities involving any Members, Member agents, Member business partners, Member representatives, third party vendors of Members, Member officers, Member employees, Merchants, Internet Payment Service Providers, Sponsored Merchants, Cardholders and third parties contributing to a Claim or Liability.

1.15.1.1.2 To the fullest extent permitted by applicable law, Visa shall have no liability (whether in contract, tort, including negligence, or otherwise) to a V PAY Member for any Claim or Liability whatsoever arising from or in connection with that V PAY Member’s participation in the Visa Enterprise including:  The direct or indirect use of, offering of, or participation in, any V PAY Card Program, V PAY Card Product or any other product or service provided by Visa to that V PAY Member, or created, supplied, required, licensed or approved by Visa;  The direct or indirect use, or offering, of any specification, standard, software, hardware or firmware created, supplied, required, licensed, or approved by Visa;  The use of the V PAY Brand Mark, including any materials produced by or for a V PAY Member;  The use of the Visa System;  The use of third party Trademarks or technology, including without limitation software or hardware, in connection with any V PAY Card Program, V PAY Card Product, or any other product or service provided by Visa to that V PAY Member, specification, standard, software, hardware or firmware created, supplied, required, licensed or approved by Visa or referenced in the V PAY Operating Regulations - Scheme;  A Member’s use of a licensed BIN; and  Stand-In Processing for transactions using a card issued by a third party issuer that is not a Member if the authorization processing service associated with that card is unavailable.

If, in the event that Visa is determined to be liable to any V PAY Member for any Claim or Liability, Visa’s aggregate liability to such V PAY Member for any individual or related series of Claims or Liabilities shall, in no event, exceed €1 (one) million.

1.15.1.2 Disclaimer of Warranty and Representation To the fullest extent permitted by the applicable law, Visa does not make or give, and hereby expressly disclaims, all warranties, representations, or conditions, both express and implied, arising by statute or otherwise in law, or from a course of dealing or usage of trade, including any implied warranty, representation, or condition of merchantability, merchantable quality or fitness for any purpose (particular, specific, or otherwise), or any warranty of title or non-infringement, for any V PAY Card Program, V PAY Card Product or any other product or service provided by Visa to that Member, specification, standard, software, hardware, or firmware created, supplied, required, licensed or approved by Visa, or referenced in the V PAY Operating Regulations - Scheme.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 31 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.15.1.3 Indemnity A V PAY Member agrees to indemnify and hold Visa harmless against any loss, damage, cost or expense, whether direct or indirect, to Visa arising from, or in connection with, the Member’s participation in the Visa Enterprise (as described in Section 1.15.1.1.1) including from, or in connection with:

1.15.1.3.1 Use of Agents  An agent, whether a V PAY Member or a third party designated by a V PAY Member to perform activities or services in connection with the operation of the V PAY Member’s Visa- related business, whether or not the performance or non-performance was in connection with services provided by the agent to the V PAY Member, or the person responsible was, or is alleged to have been authorized or unauthorized; and  The Liability of V PAY Members pursuant to this Section 1.15.1.3.1 is joint and several.

1.15.1.3.2 Visa System Errors  Mechanical or other breakdown, malfunction or defect of any equipment, facilities or computer programs used by Visa to perform Visa System services;  Delay or failure to provide Visa System services to Visa System Processors;  Loss or destruction of any information furnished by V PAY Members to the Visa System;  Supplying Visa System Processors with any information through the Visa System that is incomplete, incorrect, or otherwise erroneous; and  Liability to indemnify Visa in relation to the Visa System will be allocated by Visa between Issuers and Acquirers, including in the following manner: — Issuers shall indemnify Visa against Claims of Cardholders; — Acquirers shall indemnify Visa against Claims of their Merchants including losses arising from Claims relating to events that occur at the property of its Merchant or that Merchant’s agent; and — Acquirers shall indemnify Visa against Claims from the processing of any transaction through the Visa System that are not made with a V PAY Card.

1.15.1.3.3 Miscellaneous  A V PAY Member’s use of any V PAY Mark on promotional goods, printed material or broadcast material related to sponsorship activity;  An Issuer’s use of any V PAY Mark or third party Trademark in the Member Identification Area on a V PAY Card; and  An Issuer’s use of any V PAY Mark or third party Trademark, licensed to the Issuer by Visa, legend, description or design on a V PAY Card.

1.15.1.3.4 Claims or Liabilities Involving Card Manufacturers or Third Party Personalisers  Acquiring V PAY Cards from an Approved Manufacturer, or personalisation services from a Third Party Personaliser;  An Approved Manufacturer producing V PAY Cards, unless it can be established that such Claims or Liabilities were incurred because Visa failed to exercise reasonable diligence in monitoring security and quality control in accordance with its published procedures; and  An Issuer, its Approved Manufacturer, or other agent using materials or techniques for the production, shipping, storage or delivery of V PAY Cards not required by Visa that result in a Claim of infringement of patent, Trademark, copyright, trade secret or confidential information or design right of any other person.

1.15.1.3.5 PIN Security By submitting a Transaction through Interchange, an Acquirer warrants that required safeguards are protecting PINs as specified in the applicable technical specifications, guides or manuals. The Acquirer agrees to indemnify and hold the Issuer harmless for any Claims and/or Liabilities resulting from the Acquirer’s breach of this warranty.

32 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 1 - Program Requirements

1.15.1.3.6 Failure to Terminate a Merchant An Acquirer’s failure to terminate its Merchant Agreement with a Merchant.

1.15.1.4 Arrests A V PAY Member requesting the arrest of a V PAY Card user or the recovery of a V PAY Card indemnifies and holds the Visa Enterprise harmless from and against all Claims or Liabilities arising from that arrest, ensuing prosecution or V PAY Card recovery. Indemnification applies unless caused by negligence or unauthorized acts of the Visa Enterprise, its officers, employees or agents providing the service.

Any action by the Visa Enterprise that is unlawful or wrongful under applicable law is considered unauthorized. However, an action that is unlawful or wrongful solely because the arrested persons did not unlawfully or fraudulently use the V PAY Card is not deemed an unauthorized act.

1.15.1.5 Lost or Stolen Card Reports An Issuer is responsible for all Claims and/or Liabilities resulting from any error or omission in connection with accepting a Lost or Stolen V PAY Card Report (Exhibit 1A) or blocking the reported lost or stolen Account Number on an Exception File.

1.15.1.6 International Airline Merchant Service By making a Presentment, an Acquirer both:  When participating in the International Airline Program, warrants that the Transaction and the Transaction Receipt, and the export thereof outside the Transaction Country, do not violate, and will not cause an Issuer or Visa to violate applicable local laws or any applicable technical specifications, guides or manuals; and  Agrees to indemnify and hold the Issuer or Visa harmless warranty against all liability, cost, expense, damage and loss (including but not limited to any direct, indirect or consequential loss) resulting from or in a connection with a breach of such warranty.

1.15.1.7 Visa Merchant Alert Service Without limiting the scope or content of Section 9.2, a V PAY Member indemnifies and holds Visa harmless against Claims or Liabilities arising from an Acquirer either:  Listing a terminated Merchant on the Visa Merchant Alert Service; or  Submitting an inquiry regarding a Merchant to the Visa Merchant Alert Service. 1.16 COUNTRY OF ACTIVITY Each V PAY Member or V PAY Group Member must notify Visa in writing, at least 60 calendar days prior to commencement, of each country where the V PAY Member either:  Performs any V PAY or Plus Program services; or  Uses, displays or supplies any materials bearing a Visa Mark.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 33 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Risk Management

2.1 AGENTS ...... 39 Agent Registration and Responsibilities ...... 39 Use of a Processor or Visa Scheme Processor ...... 39 Use of a Non-Member as a Processor, Visa Scheme Processor or other Third Party . .39 Use of a Member as a Visa Scheme Processor or Other Third Party ...... 39 Registration Fees ...... 39 General Responsibilities ...... 40 Fines and Penalties ...... 41 Fees ...... 41 Fines and Penalties ...... 41 Visa Scheme Processors and Airlines ...... 41 Use of an Internet Payment Service Provider ...... 41 Contract Requirements between V PAY Members and Visa Scheme Processors or  Third Parties ...... 42 Independent Sales Organisations ...... 42 Revocation of Contract ...... 42 Acquirer Safe Harbour ...... 43 Registration with Visa ...... 43 Safe Harbour ...... 43 Prohibitions ...... 43 General Requirement ...... 43 Misrepresentation by an Agent ...... 44 Marketing Materials ...... 44 Audit ...... 44

2.2 VISA RIGHTS AND RESPONSIBILITIES ...... 44 Corporate Risk Reduction Procedures ...... 44

2.3 RISK MANAGEMENT SERVICES ...... 45 Card Verification Value 2 for Transactions occurring in a Card-Absent Environment . .45 Fraud Detection Systems ...... 45

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 35 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

Exception File Service ...... 45 Overview ...... 45 Updates ...... 45 PIN Verification Service ...... 46 Fraud Activity Reporting ...... 46 Fraud Advice Reporting ...... 46 Fraud Activity Reporting to Visa ...... 46 Time Limits ...... 46 Non-Compliance ...... 46 Fines ...... 46 Global Fraud Information Service ...... 47 Merchant Fraud Performance Program ...... 47 Criteria ...... 47 Compliance ...... 47 Visa Fraud Monitoring Program ...... 47 Criteria ...... 47 General Requirements ...... 47 Data Quality Compliance Requirements ...... 48 Visa Fraud Monitoring Standard Program ...... 48 Visa Fraud Monitoring High-Risk Program ...... 48 Global Merchant Chargeback Monitoring Program and the Global Brand Protection  Program ...... 48 Criteria ...... 49 Compliance ...... 49 Merchants and Sponsored Merchants Identified as High Brand-Risk ...... 50 Rights of Visa ...... 51 Visa Chargeback Monitoring Program ...... 51 General Requirements ...... 51 Data Quality Compliance Requirements ...... 51 Visa Chargeback Monitoring Standard Program ...... 52 Visa Chargeback Monitoring High-Risk Program ...... 52 Visa Acquirer Monitoring Program ...... 52 Program Criteria ...... 52 Acquirer Non-Compliance ...... 53 Acquirer Performance Metric Program ...... 53 Program Criteria ...... 53 Acquirer Non-Compliance ...... 53

2.4 VISA MERCHANT ALERT SERVICE ...... 54 Overview ...... 54 Merchant Registration on the Visa Merchant Alert Service ...... 54 Acquirer Responsibilities ...... 54 Merchant Agreement Requirements ...... 54 Visa Merchant Alert Service File ...... 54 Notification ...... 54 Visa Responsibility ...... 55 Fees ...... 55 Penalties ...... 55

36 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

Data Protection Compliance ...... 55

2.5 MERCHANT DEPOSIT MONITORING ...... 56 Merchant Activity Monitoring Standards ...... 57 Fines and Penalties ...... 57 Merchant Monitoring Standards ...... 57 Normal Daily Activity Reporting ...... 57 Exception Reports ...... 58 Investigation of Merchant ...... 58 Merchant Records ...... 58 Merchant Compliance ...... 58 Investigation of Merchant ...... 58 Revocation of Privileges ...... 59 Acquirer Responsibilities for Termination ...... 59 Fees and Costs ...... 59

2.6 GENERAL SECURITY REQUIREMENTS ...... 60 Security Staff Responsibilities ...... 60 Investigations ...... 60 V PAY Member Responsibilities ...... 60 Visa Investigation Requirements ...... 60 Investigative Assistance ...... 60 V PAY Member Responsibilities ...... 60 Payment for Investigative Services ...... 60 Performance Standards ...... 61 Response Standards ...... 61 Issuer Information Requirements ...... 61 Acquirer Information Requirements ...... 61 Lost or Stolen Card Reports ...... 61 Member Responsibility ...... 61 Reimbursement ...... 61 Recovered V PAY Cards ...... 62 Handling Recovered V PAY Cards ...... 62 Returning Recovered Cards to the Issuer ...... 62 Inventory Log of Recovered Cards ...... 62 Notification of Recovered Cards ...... 63 Secure Destruction of Recovered Cards ...... 63 Issuer Requirements ...... 63 Rewards Paid by Acquirer ...... 63

2.7 ACCOUNT AND TRANSACTION INFORMATION SECURITY...... 64 Overview ...... 64 Acquirer Contracts with Merchants and/or Third Party Agents ...... 64 Payment Applications ...... 65 Acquirer Requirements ...... 65 Loss or Theft of Account or Transaction Information ...... 66 Investigations ...... 66 Non-Compliance ...... 66

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 37 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

V PAY Member Co-operation ...... 67 PIN Security ...... 68 PIN Security Self-Audit Requirements ...... 68 PIN Security Non-Compliance ...... 68

2.8 VISA ANTI-MONEY LAUNDERING PROGRAM ...... 68 Visa Anti-Money Laundering Program Requirements ...... 68 Visa Anti-Money Laundering Program Compliance ...... 69

2.9 DATA PROTECTION PROVISIONS ...... 69 V PAY Member Responsibility as Sole Data Controller ...... 69 V PAY Member and Visa Responsibilities as Joint Data Controllers ...... 70 Visa Responsibility as Data Processor ...... 70 V PAY Member Obligations for Providing Visa with Data Relating to Cardholders . . . . . 71

38 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.1 AGENTS

2.1.1 Agent Registration and Responsibilities

2.1.1.1 Use of a Processor or Visa Scheme Processor A V PAY Member using a Processor or a Visa Scheme Processor that is not a Member of Visa to provide processing services must:  Register such Processor or Visa Scheme Processor with Visa;   Ensure that the Processor or Visa Scheme Processor completes and returns to Visa a signed letter of agreement;   Notify to Visa any change to the identity of such Processor or Visa Scheme Processor, or any change to the scope of the activities of such Processor or Visa Scheme Processor within five business days of the change; and   Only contract processing services to a Processor or Visa Scheme Processor that is compliant with the Payment Card Industry Data Security Standard.

2.1.1.2 Use of a Non-Member as a Processor, Visa Scheme Processor or other Third Party A V PAY Member using a Processor, Visa Scheme Processor, Distribution Channel Vendor or third party (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) that is not a Member must1:  Annually complete and return to Visa a Visa Europe Agent Registration and Designation Form; and   Notify Visa, by submitting an updated Visa Europe Agent Registration and Designation Form, of any change in a Processor, Visa Scheme Processor, Distribution Channel Vendor or third party (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) within five business days of such change. Changes requiring notification include: — Termination of the agreement between the V PAY Member and the Processor, Visa Scheme Processor, Distribution Channel Vendor or those third parties; — Change of ownership of the Processor or Visa Scheme Processor, Distribution Channel Vendor or those third parties; and — Change of business function of the Processor, Visa Scheme Processor, Distribution Channel Vendor or those third parties. 

2.1.1.3 Use of a Member as a Visa Scheme Processor or Other Third Party A V PAY Member using another Member as a Distribution Channel Vendor must:  Annually complete a Visa Europe Agent Registration and Designation Form and return it to  Visa; and  Notify Visa, by submitting an updated Visa Europe Agent Registration and Designation Form, of any change to such Distribution Channel Vendor within five business days of such change. Changes requiring notification include termination of the agreement between the V PAY Member and the Distribution Channel Vendor, change of ownership of the Distribution Channel Vendor, or change of business function of the Distribution Channel Vendor.

2.1.1.4 Registration Fees Visa reserves the right to charge V PAY Members registration fees for registration of such Processors, Visa Scheme Processors, Distribution Channel Vendors and third parties (excluding co-brand, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers). 

1. An exception applies for a V PAY Member acquiring Transactions from an Airline, if the Airline is using a Visa Scheme Processor that only processes Authorization Requests from Airlines.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 39 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.1.1.5 General Responsibilities

2.1.1.5.1 For all Visa Scheme Processors, Distribution Channel Vendors and third parties (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) that are not Members, a V PAY Member must:  Execute a written contract with any agent that it engages for the purpose of performing that  V PAY Member’s responsibilities in relation to the Visa Enterprise;   Comply with the standards and practices notified by Visa for evaluating and approving the use of such Visa Scheme Processors, Distribution Channel Vendors and such third parties (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers);   Distribute the written policies and procedures established by Visa for Visa Scheme Processors, Distribution Channel Vendors and third parties (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) to such Visa Scheme Processors, Distribution Channel Vendors and third parties;   Ensure that all such Visa Scheme Processors, Distribution Channel Vendors and such third parties comply with the written policies and procedures made available by Visa from time to time, including: — Account or Transaction Information access, as specified in the Payment Card Industry Data Security Standard;  — ATM deployment and operational support compliance, as specified in the V PAY Operating Regulations - Scheme; and  — PIN Entry Device deployment and operational support compliance with the PIN Management Manuals;   Establish a risk management program to control risks related to the use of such Visa Scheme Processors, Distribution Channel Vendors and third parties;   Verify that the principals and senior management of such Visa Scheme Processors, Distribution Channel Vendors and/or third party have the requisite knowledge and experience to successfully perform the contracted services;   Conduct a physical inspection of the business premises of such Visa Scheme Processor, Distribution Channel Vendors and/or such third parties to: — Inspect operational controls; and  — Monitor security standards regarding unauthorised disclosure of, or access to, sensitive data relating to the Visa Enterprise and other payment systems’ Transaction Information;   Subject to applicable law, maintain a file on each such Visa Scheme Processor, Distribution Channel Vendors and/or such third party that includes details of that party, such as a copy of its written contract with the V PAY Member which must be retained for a minimum of two years following termination of that contract; and   For the provision of services relating to V PAY Products and Services, conduct a background investigation into such Visa Scheme Processors and such third parties, and its principals, prior to contracting with such party to verify financial standing and business legitimacy of those third parties for the purpose of assessing whether the third party is capable of satisfying the obligations imposed on the third party in its agreement with the Member. 

2.1.1.5.2 V PAY Members must include in their agreements with their respective agents a term that provides that the relevant V PAY Member is responsible for the acts or omissions of such agents. 

40 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.1.2 Fines and Penalties

2.1.2.1 Fees Visa will charge an annual registration fee of €5,000 for all agent and third party (excluding  co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) registrations.

2.1.2.2 Fines and Penalties

2.1.2.2.1 In addition to liability under Section 2.1.2, a V PAY Member using a Visa Scheme Processor, Distribution Channel Vendors or third party (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) that fails to comply with the V PAY Operating Regulations - Scheme is subject to fines and penalties.

2.1.2.2.2 Visa may impose fines resulting from the activities of a V PAY Member performing services on behalf of another V PAY Member on both the:  Performing V PAY Member; and   The V PAY Member for whom the services are being performed. 

The total fine paid by both V PAY Members must not exceed the fine that would have been paid for the same violation by a single V PAY Member. 

2.1.2.2.3 A Member is subject to the fines and penalties specified in the V PAY Operating Regulations - Scheme, Section 2.1.2.1, if the V PAY Member fails to register any Distribution Channel Vendor or third party (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) using the Visa Europe Agent Registration and Designation Form or notify Visa of:  Any change of business function of those third parties;  Change of ownership of those third parties; or  Termination of an agreement between the Member and those parties.

2.1.2.2.4 Effective until 30 April 2016, a V PAY Member contracting services to a Processor or Visa Scheme Processor that is not compliant with the Payment Card Industry Data Security Standard, may be subject to fines as specified in Section 9.2.3.3.

A V PAY Member contracting services to a Distribution Channel Vendor that is not compliant with the Payment Card Industry Data Security Standard, may be subject to fines as specified in Section 9.2.3.

2.1.2.2.5 Where a V PAY Member acts as an agent for and provides payment-related services on behalf of another V PAY Member, it is considered a single entity with that other V PAY Member in determining repetitive violations of the V PAY Operating Regulations - Scheme. 

2.1.3 Visa Scheme Processors and Airlines Before a Visa Scheme Processor is entitled to provide Authorization services for Airlines, the V PAY Member who has contracted with that Visa Scheme Processor must ensure that the Visa Scheme Processor has either:  Completed and submitted a letter of agreement; or  Signed a separate agreement with Visa.

2.1.4 Use of an Internet Payment Service Provider An Acquirer that has contracted with an Internet Payment Service Provider (IPSP) is liable for all acts and omissions of that IPSP and the Sponsored Merchants of that IPSP.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 41 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.1.5 Contract Requirements between V PAY Members and Visa Scheme Processors or Third Parties A V PAY Member must execute with each of its agents that performs payment-related services, such services including soliciting Cardholders or Merchants deploying ATMs, providing operational support or performing Transaction processing on its behalf, including its Distribution Channel Vendors, a written contract containing terms appropriate to protect and maintain the safety, security and soundness of the Visa Enterprise.

A V PAY Member must execute a written contract with each Visa Scheme Processor, Distribution Channel Vendor and any other third party (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) that perform payment-related services, including but not limited to:  Soliciting Cardholders or Merchants:   Deploying and/or providing operational support for ATMs; and/or   Performing Transaction processing, storing and transmitting activities or services in connection with the operating of V PAY Products and Services, for or on behalf of that V PAY Member.

That contract must contain terms appropriate to protect and maintain the safety, security and soundness of the Visa Enterprise and include a provision providing that the Visa Scheme Processor, Distribution Channel Vendor or the other third party must comply with the rules set out in the Payment Card Industry Data Security Standard, which relate to the activities conducted by such Visa Scheme Processor or other third party by or on behalf of the V PAY Member. 

The V PAY Member must provide such Visa Scheme Processor, Distribution Channel Vendor or other third party with the relevant rules. 

2.1.5.1 Independent Sales Organisations

2.1.5.1.1 A contract with an Independent Sales Organisation is limited to a maximum period of three years.

2.1.5.1.2 The V PAY Member may renew the contract, subject to the requirements of Section 2.1.5.

2.1.5.1.3 An Independent Sales Organisation must not perform any of the following functions:  Clearing and Settlement of Transactions;  Payment to, or crediting of, Merchant accounts;  Merchant and Cardholder account underwriting, activation, or charge-offs;  Risk management, including Transaction monitoring;  Approval and review of Merchants;  Approval of Cardholder applications; and  Establishment of Merchant fees for Transactions.

2.1.5.2 Revocation of Contract Visa may permanently prohibit a Visa Scheme Processor, Distribution Channel Vendor or third party (except co-brand partner, Approved Manufacturer, Fulfilment Vendor and Third Party Personaliser), or one of its principals, from providing services to V PAY Members for good cause as specified in Section 2.1.7.

42 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.1.6 Acquirer Safe Harbour

2.1.6.1 Registration with Visa An Acquirer must ensure that its Merchants only use agents that are registered with Visa and appear on the Visa Europe Merchant Agent weblisting. These agents provide payment related services (including services that operate under contractual obligations to the Merchant to control access to Cardholder data) to Merchants or Sponsored Merchants, excluding payment application software providers.

Information on the agent registration process (including the registration form to be completed) and the validated agent weblisting are available at:  http://www.visaeurope.com/receiving-payments/security/third-party-agents

2.1.6.2 Safe Harbour

2.1.6.2.1 If the conditions in Section 2.1.6.2.2 are met, Acquirers whose Merchant or Sponsored Merchant suffers a data compromise through an agent are:  Not subject to the penalties in Section 9.2.3; and  Not liable for any losses resulting from the Global Compromised Account Recovery (GCAR) Program.

2.1.6.2.2 To qualify for safe harbour, as defined per Section 2.1.6.2.1, the agent must:  Be listed with Visa before the date of notification of the data compromise, as suspected or confirmed; and  Demonstrate that it was: — Successfully assessed by a qualified security assessor as Payment Card Industry Data Security Standard compliant at the time of the data compromise; — Self-assessed against the Payment Card Industry Data Security Standard. The PCI Forensic Investigator report1 must confirm that the agent complied with the security measures as stated in the self-assessment questionnaire completed during the registration process; or — Out of scope for the Payment Card Industry Data Security Standard. The PCI Forensic Investigator report1 must confirm that the agent did not have access to or control over the Cardholder data which was compromised.

2.1.7 Prohibitions

2.1.7.1 General Requirement Visa may, at its discretion, permanently prohibit any V PAY Member and its third parties (excluding co- brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) from providing V PAY Products and Services for good cause such as:  Fraudulent activity;  Activity that causes the V PAY Member to repeatedly violate the V PAY Operating Regulations - Scheme;  Operating in an unsound and unsafe manner; and  Any other activities that may result in undue economic hardship or damage to the goodwill of the Visa Enterprise.

1. This report is available from the PCI Security Standards Council website.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 43 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.1.7.2 Misrepresentation by an Agent

2.1.7.2.1 V PAY Members must include a provision in their contracts with any of the following, stating that such third party, co-brand partner or Merchant must not misrepresent itself as being a V PAY Member:  Third party performing services relating to V PAY Products and Services on behalf of such V PAY Members;   Co-brand partner; or   Merchant. 

A V PAY Member’s agent must not present itself to prospective Cardholders and/or Merchants under any other trade name except the one registered on the Visa Europe Agent Registration and Designation Form. 

2.1.7.2.2 The Visa Scheme Processor, Distribution Channel Vendor, agent or third party (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalisers) must not imply that registration with Visa is an endorsement of its services by Visa.

2.1.8 Marketing Materials A V PAY Member must ensure that its agent or independent contractor:  Only uses marketing materials approved by the V PAY Member;  Ensures that all marketing materials displaying the V PAY Mark also include the name of the V PAY Member, which must be more prominent and in a larger font than that of the agent or the independent contractor;  In respect of Prepaid Card distribution, clearly and conspicuously includes the name of that V PAY Member on any website operated by that agent or that independent contractor that displays the V PAY Mark or offers V PAY Prepaid Cards. The name of that V PAY Member must be located within close proximity to the V PAY Marks as specified in the Visa Europe Prepaid Card Product Member Implementation Guidelines; and  Is prominently identified on the marketing materials as an agent or representative of that V PAY Member.

2.1.9 Audit The V PAY Member or Visa may conduct financial and procedural audits of the agent at any time, subject to applicable local law. Any audit conducted by Visa will be at the V PAY Member’s expense. 2.2 VISA RIGHTS AND RESPONSIBILITIES

2.2.1 Corporate Risk Reduction Procedures Upon receipt of instructions from Visa, a V PAY Member must implement appropriate risk reduction measures that may include, but are not limited to:  Prohibiting or limiting any of the following: — Issuing new V PAY Cards or re-issuing V PAY Cards; — Signing or re-signing Merchants; or — Using any third party for payment-related services relating to V PAY Products and Services;  Blocking the Authorization of Transactions, or prohibiting Acquirers from obtaining Authorization for Transactions on behalf of certain Merchants;  Terminating some or all of its Merchant Agreements with its Merchants;  Pledging collateral to secure a V PAY Member’s obligations and reimbursement to Visa for any expenses incurred by Visa in ensuring compliance with any risk reduction measures;

44 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

 Redirecting of Settlement funds to avoid potential losses, as specified in Section 7.4.4, including, but not limited to: — Rerouting of Settlement funds around the Member’s bank that normally holds the V PAY Member’s funds; — Holding funds to ensure the correct application of Cardholder funds; — Holding funds for the payment of Merchants; — Holding funds for the future payment of Chargebacks; and — Withholding funds for the purpose of obtaining collateral or meeting other V PAY Member obligations;  Prohibiting or limiting a V PAY Member’s right to sponsor a V PAY Member; and  Requiring a V PAY Member to change one or more of its designated agents. 2.3 RISK MANAGEMENT SERVICES

2.3.1 Card Verification Value 2 for Transactions occurring in a Card-Absent Environment V PAY Members will lose Chargeback rights when the Card Verification Value 2 (CVV2) was supplied by the Acquirer as part of the Authorization request.

Issuers and Acquirers must ensure that they are certified by Visa for CVV2 processing.

Issuers who are not certified will be deemed as ‘not participating in the service’ and will therefore lose fraud Chargeback rights under Reason Code 83 — Fraud — Card-Absent Environment.

Effective from 22 April 2017, an Acquirer must not request a CVV2 from a Cardholder for a Transaction in a Card-Absent Environment that is a mail order Transaction where the CVV2 data is captured and stored in written form.

All Authorization Requests containing CVV2 values should be declined when the CVV2 check indicates 'No Match’ (denoted by results code ’N’).

Issuers will be liable for Transactions approved showing a CVV2 results code ‘N’.

2.3.2 Fraud Detection Systems All Issuers must be subscribed to and actively participating in one of the following:  A fraud detection system provided to them by Visa; or  An equivalent authorisation scoring neural network or rules-based system approved by Visa.

Issuers who do not comply are subject to fines, as specified in Section 9.2 and Table 9-1.

2.3.3 Exception File Service

2.3.3.1 Overview A Visa Scheme Processor wishing to start using an Exception File must notify Visa in writing at least 90 calendar days prior to the date on which it wishes to start using an Exception File.

2.3.3.2 Updates

2.3.3.2.1 An Issuer must add an Account Number to the Exception File if:  A V PAY Card was reported as lost, stolen or as being a Counterfeit V PAY Card and the Issuer wishes that V PAY Card or Counterfeit V PAY Card to be recovered;  Authorizations for Transactions using that Account Number must always be declined;  Authorization for Transactions using that Account Number must always be approved;  Authorization limits that have been defined by the Issuer in relation to the Account Number have been met or exceeded; or  The Acquirer is required to contact the Issuer to obtain Authorization for Transactions using the Account Number.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 45 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.3.3.2.2 If an Account Number is required to be added to the Exception File pursuant to Section 2.3.3.2.1 above, an Issuer must update the Exception File with the following information relating to each new addition:  Account Number;  Authorization Response required to be given in response to an Authorization Request relating to that Account Number; and  Date that the record is to be purged from the Exception File.

2.3.4 PIN Verification Service If an Issuer chooses to participate in the PIN Verification Service, it must submit a written request to Visa at least 90 calendar days prior to implementing the PIN Verification Service.

An Issuer may choose to use the service either:  As a full-time service for all Authorization Requests that include a PIN; or  If the Issuer is unavailable or unable to respond within the time required by the Assured Transaction Response parameters.

2.3.5 Fraud Activity Reporting

2.3.5.1 Fraud Advice Reporting An Acquirer must, upon request by one of their Merchants, provide that Merchant with fraud advice reports.

2.3.5.2 Fraud Activity Reporting to Visa When an Issuer identifies fraud activity, it must report that fraud activity to Visa in accordance with this Section 2.3.5.

From the date an Account Number is reported to Visa in accordance with the options set out in the Fraud Reporting System User’s Guide, that Account Number is outside the scope of Payment Card Industry Data Security Standard and Account Information Security Program requirements.

2.3.5.3 Time Limits An Issuer must report any fraud activity upon detection, ensuring that:  80% of fraud related to lost V PAY Cards, stolen V PAY Cards, Counterfeit V PAY Cards and V PAY Card not received is reported within 60 days of the Transaction Date and the remaining 20% within 90 days; and  65% of fraud related to fraudulent use of Account Numbers is reported within 60 days of the Transaction Date and the remaining 35% within 90 days.

Issuers must report all fraudulent Transaction immediately upon confirmation, but no later than 60 days after the Transaction Date.

Failure to comply is subject to fines, as specified in the V PAY Operating Regulations - Scheme, Section 2.3.5.5.

2.3.5.4 Non-Compliance If a V PAY Member does not comply with Section 2.3.5, the V PAY Member may be subject to both:  An onsite audit by Visa at the V PAY Member’s expense; and  Fines, as specified in Table 9-8.

2.3.5.5 Fines If Visa determines that a V PAY Member is not in compliance with Section 2.3.5 for a given quarter, both:  Fines will be assessed, as specified in Table 9-8; and  The V PAY Member will be monitored and evaluated for the following eight quarters.

46 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.3.6 Global Fraud Information Service All V PAY Members must be subscribed to the Global Fraud Information Service (GFIS).

V PAY Members who do not comply are subject to penalties, as specified in Table 9-1.

2.3.7 Merchant Fraud Performance Program

2.3.7.1 Criteria Effective until 30 June 2016, a Merchant Outlet will be identified in the Merchant Fraud Performance Program if it meets or exceeds the monthly fraud levels specified in the Visa Merchant Fraud Performance Program Guide.

2.3.7.2 Compliance Effective until 30 June 2016, an Acquirer must address any fraud exposure attributed to a Merchant Outlet that has been identified in the Merchant Fraud Performance Program within the time period specified in the Visa Merchant Fraud Performance Program Guide, or face possible corrective action.

2.3.8 Visa Fraud Monitoring Program

2.3.8.1 Criteria Effective from 1 July 2016, Visa monitors Merchants that generate an excessive level of fraud through the Visa Fraud Monitoring Program. Merchants are monitored under the Visa Fraud Monitoring Standard Program (Section 2.3.8.4) or the Visa Fraud Monitoring High-Risk Program  (Section 2.3.8.5). 

2.3.8.2 General Requirements

2.3.8.2.1 Effective from 1 July 2016, the Visa Fraud Monitoring Program monitors all Transactions other than Domestic Transactions, with the exception of the following markets where Domestic Transactions are also monitored: Australia, Brazil, Canada, Germany, the United Kingdom and the United States. Visa may, at its discretion, modify this list of markets. 

2.3.8.2.2 Effective from 1 July 2016, a Merchant will remain monitored under the Visa Fraud Monitoring High- Risk Program until the Merchant exits the Visa Fraud Monitoring Program, as specified in Section 2.3.8.2.4, if:  The Merchant is moved from the Visa Fraud Monitoring Standard Program to the Visa Fraud Monitoring High-Risk Program because it exceeded the excessive fraud threshold; and/or   The Merchant’s performance drops below the monthly excessive fraud thresholds for the Visa Fraud Monitoring High-Risk Program. 

2.3.8.2.3 Effective from 1 July 2016, a Merchant identified in the Visa Fraud Monitoring Program that changes Acquirers and/or countries before it exits out of the program will be assigned an equivalent program status with the new Acquirer and/or country. 

2.3.8.2.4 Effective from 1 July 2016, a Merchant will exit the Visa Fraud Monitoring Program if they are below the program thresholds for three consecutive months. 

2.3.8.2.5 Effective from 1 July 2016, Visa may, at its discretion, require the Acquirer to deploy appropriate fraud remediation tools or technologies at its Merchant identified in the Visa Fraud Monitoring Program. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 47 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.3.8.3 Data Quality Compliance Requirements

2.3.8.3.1 Effective from 1 July 2016, if Visa determines that an Acquirer, its third party agent, or its Merchant changed, modified, or altered the Merchant name or Merchant data in any way to circumvent the Visa Fraud Monitoring Program, Visa may, at its discretion:  Impose a non-compliance assessment to the Acquirer; and/or   Permanently disqualify the Merchant and its known principals from participating in the Visa Enterprise. 

2.3.8.3.2 Effective from 1 July 2016, if an Acquirer submits Transactions for a single Merchant under multiple Merchant descriptor names or Merchant accounts, Visa may, at its discretion:  Consolidate the individual Merchant descriptor names or Merchant accounts for monitoring purposes;   Notify the Acquirer of the aggregation and any potential non-compliance assessments;   Apply the program thresholds to the consolidated Merchant performance; or   Track and report the consolidated Merchant activity. 

2.3.8.3.3 Effective from 1 July 2016, Visa may, at its discretion, evaluate Payment Facilitator performance at the Sponsored Merchant level or by aggregating all Transactions relating to sales and fraud activity. 

2.3.8.4 Visa Fraud Monitoring Standard Program

Effective from 1 July 2016, a Merchant is identified under the Visa Fraud Monitoring Standard Program if it meets or exceeds both of the following monthly program thresholds:  USD 75,000, or local currency equivalent, fraud amount; and   1% fraud-dollar-to-sales dollar count ratio. 

2.3.8.5 Visa Fraud Monitoring High-Risk Program

Effective from 1 July 2016, a Merchant identified in the Visa Fraud Monitoring Program is monitored under the Visa Fraud Monitoring High-Risk Program for any of the following reasons:  The Merchant is categorised or should be categorised as a High Brand-Risk Merchant;   For Merchants that are not and should not be categorised as a High Brand-Risk Merchant, the Merchant meets or exceeds the following monthly program thresholds: — USD 250,000, or local currency equivalent, fraud amount; and  — 2% fraud-dollar-to-sales-dollar ratio; or   Visa determined the Merchant caused undue harm to the goodwill of the Visa Enterprise. Monitoring includes all fraud reported by Issuers and all Transactions, as defined in Section 2.3.8.2.1, submitted to Visa submitted by the Acquirer on behalf of a Merchant for the preceding calendar  month. 

2.3.9 Global Merchant Chargeback Monitoring Program and the Global Brand Protection Program Visa monitors International Transactions and Country-to-Country Transactions to identify Merchant Outlets that generate excessive Chargebacks in relation to International Transactions and Country-to- Country Transactions.

48 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.3.9.1 Criteria A Merchant is placed in the Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program, if any of its Merchant Outlets meets or exceeds all of the following monthly performance activity levels for International Transactions or Country-to- Country Transactions:  200 Chargebacks;  200 Transactions; and  2% ratio of Chargebacks to Transactions.

2.3.9.2 Compliance

2.3.9.2.1 If a Merchant has been placed on the Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program, and a Chargeback is received in relation to an International Transaction or Country-to-Country Transaction at any Merchant Outlet of that Merchant, Visa will charge that Merchant’s Acquirer the handling fee specified in  the Visa Core Rules and Visa Product and Service Rules.

2.3.9.2.2 Effective until 30 June 2016, Merchants that have been placed in the Global Merchant Chargeback Monitoring Program will be granted a three-month remediation period to reduce excessive Chargebacks.

Visa may, at its discretion, revoke the remediation period of a Merchant in the Global Merchant Chargeback Monitoring Program if Visa deems that the Merchant's activities may cause undue harm to the goodwill of the Visa Enterprise.

The remediation period is not applicable for High Brand-Risk Merchants or High Brand-Risk Sponsored Merchants.

2.3.9.2.3 If a Merchant has been placed on the Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program, and that Merchant or its Acquirer has not implemented procedures to reduce Chargebacks relating to International Transactions or Country-to-Country Transactions originating at a Merchant Outlet, Visa may charge the Acquirer an increased handling fee as set out in Visa Core Rules and Visa Product and Service Rules for each such Chargeback received for that Merchant.

2.3.9.2.4 Visa will collect a Chargeback handling fee from the Acquirer and disburse €56 to the Issuer that initiated the Chargeback. Visa will retain the balance as an administration fee.

2.3.9.2.5 Visa may, at its discretion, assess Chargeback handling fees to the Acquirer for Chargeback activity that occurs up to four months after the Acquirer has stopped processing sales Transactions for the Merchant, regardless of sales volume.

2.3.9.2.6 For the purposes of administering Merchant compliance under the Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program, if an Acquirer submits Interchange for a single Merchant Outlet under multiple names, Visa may:  Group the Merchant activity; and  Notify the Acquirer of the Interchange grouping.

2.3.9.2.7 Visa may evaluate Internet Payment Service Provider (IPSP) performance either by aggregating all Interchange activity together or at the level of the Sponsored Merchant.

2.3.9.2.8 A Merchant that changes Acquirers while in the Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program, will be assigned the equivalent status in the program with the new Acquirer.

2.3.9.2.9 A Merchant placed in the Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program, must be below the Chargeback thresholds for three consecutive months to be able to exit the program.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 49 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.3.9.2.10 If Visa determines that an Acquirer or its Merchant modified the Merchant name or Merchant data in any way to circumvent the Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program, Visa may:  Assess a fine of €8,000 per Merchant, per month, to the Acquirer; and  Permanently disqualify the Merchant and its principals from participating in the Visa program.

2.3.9.3 Merchants and Sponsored Merchants Identified as High Brand-Risk

2.3.9.3.1 High Brand-Risk Merchants and High Brand-Risk Sponsored Merchants shall include, but shall not be limited to, Merchants and Sponsored Merchants that are required to use one of the following category codes:  5962—Direct Marketing—Travel-Related Arrangement Services;   5966—Direct Marketing—Outbound Telemarketing Merchants;   5967—Direct Marketing—Inbound Telemarketing Merchants;   7995—Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting and Wagers at Race Tracks;   5912—Drug Stores, Pharmacies;  5122—Drugs, Drug Proprietaries, Druggists’ Sundries; and   5993—Cigar Stores and Stands, Merchants selling cigarettes in a Card-Absent  Environment. 

2.3.9.3.2 Effective until 30 June 2016, for Visa Europe Transactions, any Merchant group or Merchant Category Code that accounts for 15% or more of total Chargebacks identified by the Global Merchant Chargeback Monitoring Program (GMCMP) will be defined as “high-risk” and will need to be registered with Visa.

2.3.9.3.3 Effective until 30 June 2016, Acquirers with Internet Payment Service Providers (IPSP), Sponsored Merchants and/or Merchants that have been identified by the Global Merchant Chargeback Monitoring Program must:  Submit registration forms for each existing or newly acquired IPSP, Sponsored Merchant and Merchant that has been identified as “high-risk” to Visa for approval;  Notify Visa of any changes to the initial registration form on a monthly basis; and  Provide monthly reports on sales and Chargeback volumes for each IPSP, Sponsored Merchant and Merchant that has been identified as “high-risk”.

Registrations will be reviewed to ensure compliance with existing V PAY Operating Regulations - Scheme, including, but not limited to, those relating to:  Merchant naming standards and conventions;  Cross-border acquiring regulations; and  MCC definitions.

Failure of an Acquirer to comply with registration requirements may result in a fine of €25,000 per month per IPSP, Sponsored Merchant or Merchant at the discretion of Visa.

2.3.9.3.4 If a High Brand-Risk Merchant or a High Brand-Risk Sponsored Merchant has been placed in Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program, that Merchant’s Acquirer will be charged a penalty for each Chargeback received in relation to International Transactions at any Merchant Outlet of that High Brand-Risk Merchant or High Brand-Risk Sponsored Merchant. Such penalties are specified at Section 9.2.10.

50 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.3.9.4 Rights of Visa Penalties will no longer be imposed in accordance with Section 9.2.10 once the High Brand-Risk Merchant or the High Brand-Risk Sponsored Merchant has met performance levels which are acceptable to Visa. However, penalties may continue to be imposed, or a High Brand-Risk Merchant or a High Brand-Risk Sponsored Merchant may be prohibited from participating in the Visa Enterprise, if Visa determines that a high volume of Transactions originating from that High Brand-Risk Merchant or High Brand-Risk Sponsored Merchant are being disputed.

2.3.10 Visa Chargeback Monitoring Program Effective from 1 July 2016, Visa monitors Merchants that generate an excessive level of Chargebacks using the Visa Chargeback Monitoring Program. Merchants are monitored under either the Visa Chargeback Monitoring Standard Program (Section 2.3.10.3) or the Visa Chargeback Monitoring High- Risk Program (Section 2.3.10.4). 

2.3.10.1 General Requirements

2.3.10.1.1 Effective from 1 July 2016, Chargebacks reported under reason code 93, “Visa Fraud Monitoring Program” will not be included in the Visa Chargeback Monitoring Program. 

2.3.10.1.2 Effective from 1 July 2016, the Visa Chargeback Monitoring Program monitors all Transactions other than Domestic Transactions, with the exception of the following markets where Domestic Transactions are also monitored: Australia, Brazil, Canada, Germany, the United Kingdom and the United States. Visa may, at its discretion, modify this list of markets. 

2.3.10.1.3 Effective from 1 July 2016, a Merchant will remain monitored under the Visa Chargeback Monitoring High-Risk Program until the Merchant exits the Visa Chargeback Monitoring Program, as specified in Section 2.3.10.1.5, if:  The Merchant is moved from the Visa Chargeback Monitoring Standard Program to the Visa Chargeback Monitoring High-Risk Program because it exceeded the excessive Chargeback threshold; and/or   The Merchant’s performance drops below the monthly excessive fraud thresholds for the Visa Chargeback Monitoring High-Risk Program. 

2.3.10.1.4 Effective from 1 July 2016, a Merchant identified in the Visa Chargeback Monitoring Program that changes Acquirers and/or countries before it exits out of the program will be assigned an equivalent program status with the new Acquirer and/or country. 

2.3.10.1.5 Effective from 1 July 2016, a Merchant will exit the Visa Chargeback Monitoring Program if they are below the program thresholds for three consecutive months. 

2.3.10.1.6 Effective from 1 July 2016, Visa may, at its discretion, require the Acquirer to deploy appropriate Chargeback remediation tools or technologies at its Merchant identified in the Visa Chargeback Monitoring Program. 

2.3.10.2 Data Quality Compliance Requirements

2.3.10.2.1 Effective from 1 July 2016, if Visa determines that an Acquirer, its third party agent, or its Merchant changed, modified, or altered the Merchant name or Merchant data in any way to circumvent the Visa Chargeback Monitoring Program, Visa may, at its discretion:  Impose a non-compliance assessment to the Acquirer; and/or   Permanently disqualify the Merchant and its known principals from participating in the Visa Enterprise. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 51 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.3.10.2.2 Effective from 1 July 2016, if an Acquirer submits Transactions for a single Merchant under multiple Merchant descriptor names or Merchant accounts, Visa may, at its discretion:  Consolidate the individual Merchant descriptor names or Merchant accounts for monitoring purposes;   Notify the Acquirer of the aggregation and any potential non-compliance assessments;   Apply the program thresholds to the consolidated Merchant performance; and/or   Track and report the consolidated Merchant activity. 

2.3.10.2.3 Effective from 1 July 2016, Visa may, at its discretion, evaluate Payment Facilitator performance at the Sponsored Merchant level or by aggregating all Transactions relating to sales and Chargebacks. 

2.3.10.3 Visa Chargeback Monitoring Standard Program Effective from 1 July 2016, a Merchant is identified under the Visa Chargeback Monitoring Standard Program if it meets or exceeds both of the following monthly program thresholds:  100 Chargebacks; and   1% Chargebacks-to-sales Transaction ratio. 

2.3.10.4 Visa Chargeback Monitoring High-Risk Program

2.3.10.4.1 Effective from 1 July 2016, a Merchant identified in the Visa Chargeback Monitoring Program is monitored under the Visa Chargeback Monitoring High-Risk Program for any of the following reasons:  The Merchant is categorised or should be categorised as a High Brand-Risk Merchant;   For Merchants that are not and should not be categorised as a High Brand-Risk Merchant, the Merchant meets or exceeds the following monthly program thresholds: — 500 Chargebacks; and  — 2% Chargeback-to-sales ratio; or   Visa determined the Merchant caused undue harm to the goodwill of the Visa Enterprise. 

2.3.10.4.2 Effective from 1 July 2016, an Acquirer is subject to risk reduction measures, as specified in Section 2.2.1, for poor management of their Merchants placed in the Visa Chargeback Monitoring High-Risk Program. 

2.3.11 Visa Acquirer Monitoring Program

2.3.11.1 Program Criteria

2.3.11.1.1 Visa monitors the ratio of Transactions received by an Acquirer that are determined as fraudulent to determine disproportionate fraud-to-sales ratios.

NOTE: Visa may modify program parameters over time to reflect changing fraud trends.

2.3.11.1.2 Effective from 1 July 2016, Visa monitors Acquirers that generate an excessive level of Chargebacks or fraud activity through the Visa Acquirer Monitoring Program. Visa will identify an Acquirer if it meets or exceeds all of the following monthly thresholds for either excessive Chargebacks or fraud activity:  For Chargeback Monitoring: — 750 Chargebacks; and  — 1% Chargebacks-to-sales Transaction ratio; and   For fraud activity monitoring: — USD 500,000, local currency equivalent, fraud dollar amount; and  — 1% fraud-dollar-to-sales-dollar amount ratio. 

2.3.11.1.3 Effective from 1 July 2016, the Visa Acquirer Monitoring Program monitors all Transactions other than Domestic Transactions, with the exception of the following markets where Domestic Transactions are also monitored: Australia, Brazil, Canada, Germany, the United Kingdom, and the United States. Visa may, at its discretion, modify this list of markets. 

52 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.3.11.1.4 Effective from 1 July 2016, program monitoring will include all Chargebacks or fraud activity submitted to Visa by Issuers in the preceding calendar month and all Transactions submitted to Visa by Acquirers in the preceding calendar month. 

2.3.11.1.5 Effective from 1 July 2016, an Acquirer will exit the Visa Acquirer Monitoring Program if they are below the program thresholds for three consecutive months. 

2.3.11.1.6 Effective from 1 July 2016, Visa may require an Acquirer to terminate the Merchant Agreement with any of its Merchants that have caused the Acquirer to meet or exceed the Visa Acquirer Monitoring Program monthly fraud activity or Chargeback activity thresholds and may disqualify that Merchant from entering in to any further agreement with Customer or Member. 

2.3.11.2 Acquirer Non-Compliance An Acquirer exceeding three times the monthly “fraud-to-sales ratio” notified by Visa to Acquirers, will be considered non-compliant with the Acquirer Monitoring Program and may be subject to the following penalties:  Monetary penalties specified by Visa;  Temporary suspension of the right of that Acquirer to contract with new Merchants; and  Termination of that Acquirer’s status as a Member.

2.3.12 Acquirer Performance Metric Program The Acquirer Performance Metric Program monitors the Acquirer’s overall International and Country- to-Country Chargeback performance to identify Acquirers that generate excessive Chargebacks in relation to International Transactions or Country-to-Country Transactions.

2.3.12.1 Program Criteria An Acquirer is placed in the Acquirer Performance Metric Program if that Acquirer meets or exceeds all of the following monthly performance activity levels for International Transactions or Country-to- Country Transactions:  500 Chargebacks;  500 Transactions;  1.5% ratio of Chargebacks to Transactions; and  Effective until 30 June 2016, one or more Merchants appear in the Global Merchant Chargeback Monitoring Program during the reporting month.

2.3.12.2 Acquirer Non-Compliance An Acquirer placed in the Acquirer Performance Metric Program may, at Visa’s discretion, be subject to the penalties set out in Section 9.2.11.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 53 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.4 VISA MERCHANT ALERT SERVICE

2.4.1 Overview All Acquirers must participate in the Visa Merchant Alert Service (VMAS), unless forbidden by current domestic legislation.

V PAY Members must comply with the requirements set out in the Visa Merchant Alert Service User Guide.

2.4.2 Merchant Registration on the Visa Merchant Alert Service Merchants whose contract with their Acquirer has been terminated for cause, as specified in Table 2-1 must be registered on the Visa Merchant Alert Service. For details about each cause, see the Visa Merchant Alert Service User Guide. Table 2-1 Visa Merchant Alert Service Terminated Merchant Listing Reason Codes

Listing Reason Code Description

1 Exceeds objective reporting standard (for example, fraud, counterfeit) 2Laundering 3 Excessive Chargebacks 4 Insolvency 5 Cardholder information mis-use 6Agreement violation 7 violation 8 Questionable Merchant

2.4.3 Acquirer Responsibilities

2.4.3.1 Merchant Agreement Requirements

Prior to signing a Merchant Agreement, an Acquirer must request information about the Merchant through the Visa Merchant Alert Service.

An Acquirer should not refuse to enter into a Merchant Agreement based solely on information held in the Visa Merchant Alert Service.

2.4.3.2 Visa Merchant Alert Service File The Acquirer must:  List complete information for all Merchants terminated for cause on the Visa Merchant Alert Service;  List each Merchant by the end of the business day following the day when the written notification was mailed to the Merchant;  Retain Merchant Agreement termination information as listed on the Visa Merchant Alert Service, in accordance with the Visa Merchant Alert Service User Guide; and  Provide assistance to an enquiring V PAY Member as to the reasons for listing the Merchant.

2.4.3.3 Notification

2.4.3.3.1 The Acquirer must notify the Merchant in writing, at the outset of the relationship, that if the Merchant Agreement is terminated by Visa or the Acquirer for cause, that the Merchant may be listed on the Visa Merchant Alert Service.

54 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.4.3.3.2 The Acquirer must notify the Merchant, in writing, that:  The Merchant’s Agreement with the Acquirer has been terminated; and 1  The Merchant has been included in the Visa Merchant Alert Service file .

2.4.4 Visa Responsibility Visa provides the Visa Merchant Alert Service and shall ensure that it complies with those requirements of the Guidelines for Terminated Merchant Databases (approved by the Article 29 - Data Protection Working Party) that are allocated to the database operator as may be amended from time to time.

2.4.5 Fees An Acquirer participating in the Visa Merchant Alert Service must pay Visa fees as described in the Visa Europe Fee Guide.

A review of fees will take place two years from implementation of the Visa Merchant Alert Service. Visa may review the Visa Merchant Alert Service fee annually after this initial review.

2.4.6 Penalties Visa may impose a penalty, as specified in Section 9.2 and Table 9-10, each time an Acquirer fails to list a Merchant on the Visa Merchant Alert Service file.

2.4.7 Data Protection Compliance Visa and the Acquirer shall each comply with their respective obligations to comply with applicable Data Protection legislation as specified in the Guidelines for Terminated Merchants insofar as these apply to the Visa Merchant Alert Service. It will provide individuals or companies with rights of subject access where this is requested. Where an individual or a company requests information from Visa regarding what information is stored on the Visa Merchant Alert Service database in relation to them, Visa will provide a subject right of access form to be completed. Visa will provide the individual or company concerned with a clear description of the information that is held on the database in relation to that individual or company within three working days of receipt of the completed form.

1. Merchants must be informed of their rights under applicable Data Protection Legislation, including subject right of access.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 55 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.5 MERCHANT DEPOSIT MONITORING Acquirers that have been identified by the Acquirer Monitoring Program must implement daily monitoring and produce exception reports in order to reduce their losses. Failure to implement effective monitoring could result in a non-compliance penalty of €25,000 levied for each month where actions remain outstanding.

Exception reports must be generated covering the parameters listed in Table 2-2, where the respective defined thresholds have been exceeded.

In addition to daily monitoring, an Acquirer must employ adequate risk management resources to control and monitor its Merchants, and undertake specific investigative actions to combat any fraudulent activity.

A Merchant’s normal daily trading and activity pattern must be adjusted on a daily basis using the most recent activity and replacing the oldest data. Merchant trading averages must be calculated using a  90-day rolling average.

While these new standard Merchant monitoring requirements are mandatory only for Acquirers who exceed the levels of fraud specified, all Acquirers are recommended to adopt similar daily Merchant monitoring practices.

Table 2-2 Mandatory Transaction Parameters to be Monitored

Parameter1 Exceeds By2

An individual Transaction value The daily average Transaction % threshold defined by the value for the individual Merchant Acquirer Outlet The total number of Transactions The normal daily average number % threshold defined by the deposited daily of Transactions for the individual Acquirer Merchant Outlet The total value of Transactions The normal daily average value % threshold defined by the deposited daily deposited for the individual Acquirer Merchant Outlet The number and value of A threshold defined by the Transactions processed on the Acquirer same Cardholder account in one or more Merchants The number and value of incoming A pre-determined ratio or Retrieval Requests and threshold defined by the Acquirer Chargebacks processed The total number and value of A threshold defined by the Transactions on the same Issuer Acquirer BIN at the same Merchant Outlet on the same day The value of credits (refunds) The normal daily average value of A threshold defined by the processed credits for the individual Merchant Acquirer Outlet The number of credits (refunds) The normal daily average number A threshold defined by the processed of credits for the individual Acquirer Merchant Outlet

56 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

Table 2-2 Mandatory Transaction Parameters to be Monitored (Continued)

Parameter1 Exceeds By2

A deposit is received from a Within the last three months or by Merchant who has not processed a time period specified by the any Transaction activity in a Acquirer specified period A deposit is processed for a Merchant after the Merchant Agreement was terminated

1. If Visa determines that the parameters defined in this table do not allow sufficient detection of fraud, then Visa may, at its discretion, vary or impose new parameters to identify changing fraud patterns. 2. If Visa determines that the thresholds defined by the Acquirer do not allow sufficient detection of fraud, then Visa may, at its discretion, impose a threshold value on the Acquirer.

2.5.1 Merchant Activity Monitoring Standards An Acquirer must monitor its Merchant’s activity and, at the request of Visa, must provide to Visa for the purpose of demonstrating compliance with the monitoring standards specified in this Section 2.5:  Copies of actual reports or records used to monitor its Merchants’ activities; and   Subject to applicable law, any other data requested by Visa. 

2.5.1.1 Fines and Penalties An Acquirer that fails to comply with the obligations set out in this Section 2.5 is subject to the fines and penalties specified in Section 9.2.

2.5.2 Merchant Monitoring Standards

2.5.2.1 Normal Daily Activity Reporting An Acquirer must:  Retain at least the following daily data in relation to each of its Merchants: — Gross sales volume; — Average Transaction Amount; — Number of Transaction Receipts; — Average elapsed time between the Transaction Date and the Settlement Date (counting each as one day); and — Number of Chargebacks;  Determine the “normal daily activity” over a period of 30 days, beginning after each Merchant’s initial Deposit, by using the categories of data above;  Begin the daily monitoring of the Merchant’s activity processed on the 31st day from the first Deposit against the “normal daily activity” calculated by taking an average of the data collated over the 30 day period;  Compare current related data to the normal daily activity parameters at least daily;  Review the Merchant’s “normal daily activity” at least weekly, using the previous week’s activity; and  Adjust the Merchant’s “normal daily activity” at least monthly, using the previous month’s activity.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 57 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.5.2.2 Exception Reports An Acquirer must generate an exception report on a daily basis and report to Visa within two business days, if either:  Any of the following exceeds 150% of the normal daily activity: — Number of daily Deposits; — Gross amount of daily Deposits; — Average Transaction Amount; — Number of daily Chargebacks; or  Average elapsed time between the Transaction Date and the Processing Date or the Processing Date and the Settlement Date for a Transaction (counting each as one day respectively) exceeds 15 calendar days.

2.5.2.3 Investigation of Merchant When an Acquirer is required to report to Visa in accordance with Section 2.5.2.2 above, the Acquirer must investigate the Transactions originating at any Merchant Outlet appearing on that Acquirer’s exception report within one business day of generating the report. If the investigation reveals that the Merchant associated with that Merchant Outlet was involved in any illegal or fraudulent activity, the Acquirer must:  Co-operate fully with Visa in any investigation that Visa may undertake in relation to that Merchant, and provide Visa with all information relating to that Merchant upon request;  Take appropriate legal action to minimise losses to both the Acquirer and to Visa if Visa’s investigation reveals illegal or fraudulent activity by that Merchant;  Co-operate with Issuers and law enforcement agencies in relation to the investigation of that Merchant;  Hold any funds owed to that Merchant, if possible; and  Initiate criminal and civil proceedings against that Merchant, if applicable.

2.5.3 Merchant Records An Acquirer must keep an up-to-date and complete file containing information relating to their Merchants, including any information connected to an investigation of fraud. Such records should be maintained for a minimum of two years following termination of the relevant Merchant Agreement.

2.5.4 Merchant Compliance

2.5.4.1 Investigation of Merchant

2.5.4.1.1 An Acquirer must ensure that Visa is able to contact all of the Acquirer’s Merchants’ Merchant Outlets directly and conduct an onsite investigation of those Merchant Outlets at any time to investigate such Merchant compliance with the V PAY Operating Regulations - Scheme.

2.5.4.1.2 If the Merchant fails to correct a problem that Visa has identified as a result of its investigation carried out pursuant to Section 2.5.4.1.1, Visa may, for reasons such as those listed in Section 2.5.4.2, either impose conditions upon the Merchant or permanently prohibit the Merchant, or its principals, from participating in the V PAY Card Program.

2.5.4.1.3 If an Acquirer believes that a condition imposed by Visa in accordance with Section 2.5.4.1.2 is unreasonable, it may appeal to Visa. The Acquirer must prove in such an appeal that the prohibition or imposed conditions are impractical or unwarranted.

58 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.5.4.2 Revocation of Privileges

2.5.4.2.1 Visa may permanently prohibit a Merchant, IPSP or any other entity from participating in the V PAY Card Program for any reasons it deems appropriate, including:  Fraudulent activity;   Presenting Transaction Receipts that do not result from an act between the Cardholder and the Merchant;  Activity that causes the Acquirer to repeatedly breach the V PAY Operating Regulations - Scheme;  Activity that has resulted in Visa prohibiting a Merchant from participating in the V PAY Card Program; and   Any other activity that may result in undue economic hardship or damage to the reputation of the Visa Enterprise. 

2.5.4.2.2 Effective until 30 June 2016, Visa may require an Acquirer to terminate the Merchant Agreement with any of its Merchants that have been placed in the Global Merchant Chargeback Monitoring Program, and may disqualify that Merchant from entering into any further agreement with any Acquirer, if Merchant meets or exceeds the specified Chargeback ratio threshold of two per cent without an effective Chargeback reduction plan having been put in place in conjunction with Visa and two of the following levels of Chargeback activity are reached:  Merchant’s Chargeback ratio is two or more times the specified Chargeback threshold of two per cent in a single month;   Merchant is assessed fees for 3,000 or more Chargebacks in a single month; or   Merchant is assessed a total cumulative fee of €800,000 or more in Global Merchant Chargeback Monitoring Program fees. 

Effective from 1 July 2016, Visa may require an Acquirer to terminate the Merchant Agreement with any of its Merchants that have been placed in the Visa Chargeback Monitoring Program, and may disqualify that Merchant from entering in to any further agreement with any Customer of Member, if a Merchant continues to meet or exceed the monthly Chargeback activity thresholds specified in Section 2.3.10 without an effective Chargeback reduction plan having been put in place in conjunction with Visa. 

2.5.4.3 Acquirer Responsibilities for Termination

2.5.4.3.1 If Visa has prohibited a Merchant from participating in the V PAY Card Program, an Acquirer must terminate the Merchant Agreement no later than the date specified by Visa. 

2.5.4.3.2 If the Acquirer has not terminated the Merchant Agreement by the date specified by Visa in accordance with Section 2.5.4.3.1, Visa may fine the Acquirer for an amount to be determined by Visa.

2.5.4.4 Fees and Costs An Acquirer shall be responsible for all costs incurred by Visa due to the Acquirer’s failure to terminate its Merchant Agreement with a Merchant in accordance with Section 2.5.4.3.1. These costs include all legal fees and costs of any legal action undertaken by Visa to protect the goodwill of the Visa Enterprise, or to prevent further harm to V PAY Members and Cardholders.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 59 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.6 GENERAL SECURITY REQUIREMENTS A V PAY Member must comply with the requirements specified in the Visa Europe What To Do If Compromised Guide.

2.6.1 Security Staff Responsibilities An Issuer must have a designated fraud control and Card security officer and staff that are primarily responsible for all areas of security for V PAY Cards.

Such security staff must:  Investigate all fraudulent use of the Issuer’s V PAY Cards;  Plan and supervise the manufacturing, encoding, printing and mailing of the Issuer’s  V PAY Cards;  Plan and supervise the physical protection of the Issuer’s buildings; and  Participate in background investigations of the Issuer’s employees.

2.6.2 Investigations

2.6.2.1 V PAY Member Responsibilities A V PAY Member must investigate any suspected or confirmed fraud or money laundering on a Cardholder account.

2.6.2.2 Visa Investigation Requirements Visa may require a V PAY Member, or require the V PAY Member to assist Visa, to conduct a further investigation into fraud or money laundering, in addition to the investigation described in Section 2.6.2.1.

If Visa decides to conduct its own investigation, at the request of Visa, a V PAY Member must:  Co-operate fully with Visa in respect of such investigation;  Provide Visa access to the premises involved in the investigation; and  Provide access to Visa to all applicable records that the V PAY Member has that might relate to the investigation.

2.6.3 Investigative Assistance

2.6.3.1 V PAY Member Responsibilities On receipt of a request from another V PAY Member, a V PAY Member must assist other V PAY Members with an investigation into fraudulent activity in relation to a V PAY Card, such assistance to include:  Securing interviews with Merchants, Cardholders, suspects, witnesses and law enforcement personnel;  Obtaining handwriting samples, photographs, fingerprints and any other similar physical evidence;  Recovering lost or stolen V PAY Cards or Counterfeit V PAY Cards; and  At the Issuer’s request, providing information to proper authorities for the possible arrest of suspects.

2.6.3.2 Payment for Investigative Services If a V PAY Member requests investigative assistance from another V PAY Member in accordance with Section 2.6.3.1 it must pay a fee in accordance with Table 10-4 to the assisting V PAY Member for its assistance with any investigation, provided that the assisting V PAY Member prepares an itemised statement of the actions taken in providing that assistance.

60 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.6.4 Performance Standards

2.6.4.1 Response Standards A V PAY Member must respond to a request from another V PAY Member, Visa, or a law enforcement agency as follows: Table 2-3 V PAY Member Response Standards: Risk Management Requests

V PAY Member Response Standard

Issuer Three business days Acquirer Five business days

If the request relates to an investigation where a suspect is in custody, the V PAY Member must respond within 12 hours of the request.

2.6.4.2 Issuer Information Requirements An Issuer must supply at least the following minimum information, providing as much detail as possible:  Card status;  Full details of loss or theft of V PAY Card;  Cardholder details;  Expiry date; and  Suspect or disputed fraudulent activity.

2.6.4.3 Acquirer Information Requirements An Acquirer must supply at least the following minimum information, providing as much detail as possible:  Merchant status;  Name and address details;  Principal name;  Suspect fraudulent activity details; and  Other relevant circumstances.

2.6.5 Lost or Stolen Card Reports

2.6.5.1 Member Responsibility A V PAY Member must, on behalf of all other V PAY Members:  Accept a report from any Cardholder in respect of a lost or stolen V PAY Card, using the Lost or Stolen V PAY Card Report (Exhibit 1A); and   Within two hours of receipt of that report from the Cardholder notify the Issuer of the V PAY Card, at that Issuer’s expense, of the activity above. 

2.6.5.2 Reimbursement Effective until 14 October 2016, a V PAY Member that fulfils the requirements set out in Section 2.6.3.1 above, may collect a handling fee from the Issuer of the V PAY Card that is the subject of the Lost or Stolen V PAY Card Report (Exhibit 1A) as specified in the Visa Core Rules and Visa Product and Service Rules.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 61 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.6.6 Recovered V PAY Cards Effective until 14 October 2016, one of the following may recover a V PAY Card and return it to a V PAY Member:  A Merchant;  A local law enforcement agency; or  A V PAY Member’s employee.

2.6.7 Handling Recovered V PAY Cards

2.6.7.1 Upon the recovery of a V PAY Card, the Merchant or Acquirer must:  Log it under dual custody, where applicable; and   Render it unusable, as specified in Section 2.6.7.8. 

2.6.7.2 Effective from 16 April 2016, a Merchant must send a recovered V PAY Card to its Acquirer.

2.6.7.3 Effective from 16 April 2016 until 14 October 2016, an Acquirer must either:  Return the V PAY Card to the Issuer, with the exception of Non-Reloadable Cards that have been recovered without a Pickup Response or a specific request from the Issuer, which must be rendered unusable and securely destroyed as specified in Section 2.6.7.8; or   Retain a recovered V PAY Card and follow the rules specified in Section 2.6.7.6, Section 2.6.7.7 and Section 2.6.7.8. 

2.6.7.4 Effective from 15 October 2016, an Acquirer must retain a recovered V PAY Card and follow the rules specified in Section 2.6.7.6, Section 2.6.7.7 and Section 2.6.7.8. 

2.6.7.5 Returning Recovered Cards to the Issuer Effective until 14 October 2016, if an Acquirer sends the recovered V PAY Card to the Issuer, the Acquirer must:  Render the recovered V PAY Card unusable by either punching a hole through the middle of the Magnetic Stripe to make it unreadable or cut away the corner of the V PAY Card at the opposite end from the Chip; and   Send the recovered V PAY Card and Recovered Card Advice (Exhibit 1C) to the Issuer on the input date of the Fee Collection Transaction but no later than either: — Five business days after the V PAY Card is recovered; or  — For a V PAY Card recovered at an ATM, five business days after the V PAY Card is received at the Acquirer’s card return centre, if applicable. 

2.6.7.6 Inventory Log of Recovered Cards

2.6.7.6.1 Effective from 16 April 2016, an Acquirer must maintain an inventory log of recovered V PAY Cards that includes a record of all of the following:  Date of V PAY Card recovery (DD/MM/YY);   Location of V PAY Card recovery;   First six digits and last four digits of the Account Number;   Cardholder name: Title (if applicable), first initial of first name and first and last initials of last name;   Printed names and signatures of all parties counting, logging or destroying the V PAY Cards;   If the V PAY Card was retained by a law enforcement agency, name of agency and contact information; and   Date of V PAY Card destruction (DD/MM/YY). 

2.6.7.6.2 Effective from 15 October 2016, an Acquirer must retain the details of a recovered V PAY Card, as specified in Section 2.6.7.6.1 in the inventory log for a minimum of three months.

62 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.6.7.7 Notification of Recovered Cards

2.6.7.7.1 Effective from 16 April 2016, upon recovery of a V PAY Card, an Acquirer must send a notification to the Issuer, through Visa Resolve Online, that the V PAY Card was recovered and destroyed. The notification must be sent no later than either:  Five business days after the V PAY Card is recovered; or   For a V PAY Card recovered at an ATM, five business days after the V PAY Card is received at the Acquirer's card return centre, if applicable. 

2.6.7.7.2 Effective from 16 April 2016, the notification must include all of the following information:  Date of V PAY Card recovery (DD/MM/YY);   Location of V PAY Card recovery;   First six digits and last four digits of the Account Number;   Cardholder name: Title (if applicable), first initial of first name and first and last initials of last name;   If the V PAY Card was retained by a law enforcement agency, the name of the agency and contact information;   If the Acquirer paid an appropriate V PAY Card recovery reward to its Merchant, as specified in Section 2.6.7.10, the reward amount to be collected from the Issuer in order to reimburse the Acquirer; and   Date of V PAY Card destruction (DD/MM/YY). 

2.6.7.8 Secure Destruction of Recovered Cards

2.6.7.8.1 Effective from 16 April 2016 until 14 October 2016, an Acquirer must follow the rules specified in either Section 2.6.7.3 above or Section 2.6.7.8.2 below.

2.6.7.8.2 Effective from 16 April 2016, an Acquirer, or any entity acting on their behalf , must comply with all of the following requirements for the secure destruction of recovered V PAY Cards:  Within five business days of V PAY Card recovery, ensure that V PAY Cards are securely destroyed through shredding or incineration;   If a V PAY Card cannot be destroyed immediately upon receipt by the secure destruction location, store the V PAY Card in a secure environment under dual control, where applicable, until the V PAY Card can be properly destroyed;   Before secure destruction, maintain V PAY Cards as specified in the Payment Card Industry Data Security Standard;   Render all images, Account Numbers, and generic identifiers completely unusable or unreadable and dispose of V PAY Cards;   Ensure that all V PAY Cards have been destroyed before leaving the destruction area; and   If a secure destruction entity is contracted to destroy V PAY Cards, ensure that the entity presents a certificate of destruction once the destruction process is completed. 

2.6.7.9 Issuer Requirements An Issuer must:  Reimburse that Acquirer for rewards paid by that Acquirer in accordance with Section 2.6.7.10 following the recovery of a V PAY Card by that Acquirer’s Merchant or teller; and  Effective until 14 October 2016, pay the handling fee specified in Section 10.7.

2.6.7.10 Rewards Paid by Acquirer

2.6.7.10.1 Subject to Section 2.6.7.10.2, if a Merchant returns a recovered V PAY Card to its Acquirer, and that Acquirer returns the Card to the Issuer of the recovered V PAY Card, the Acquirer must ensure that the minimum reward as specified in Table 2-4, is paid to the Merchant that recovered the V PAY Card.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 63 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.6.7.10.2 The Acquirer need not pay a reward to a Merchant that has recovered a V PAY Card if that V PAY Card:  Has expired;  Was recovered at an ATM or Unattended Acceptance Terminal; or  Was inadvertently left at a Merchant Outlet.

2.6.7.10.3 If an Acquirer pays a reward, as specified in Table 2-4, to its tellers for the recovery of V PAY Cards, it may collect the reward amount from the Issuer.

. Table 2-4 Rewards for Recovered Cards

Paid To Amount (€)

Merchant 25 - 150 Teller/Disbursing V PAY Member 0 - 150

2.7 ACCOUNT AND TRANSACTION INFORMATION SECURITY

2.7.1 Overview V PAY Members must:  Maintain all materials or records that contain account information or Transaction Information in a safe and secure manner, as specified in the Payment Card Industry Data Security  Standard;   Ensure that each agreement and contract entered into by the V PAY Member with a third party (including Merchants) contains the obligations to be performed by that third party in accordance with the V PAY Operating Regulations - Scheme;   Ensure that each third party (including Merchants) with whom that V PAY Member has entered into a contract, where that third party has access to account information or Transaction Information, is under an obligation to comply with the Payment Card Industry Data Security Standard; and   Upon request from Visa, a V PAY Member must certify to Visa that its contracts with third parties (including Merchants), where appropriate, comply with the conditions specified in the Payment Card Industry Data Security Standard.

NOTE: V PAY Merchants who only operate in a Face-to-Face Environment, and who only  accept V PAY Cards, are not required to validate their compliance with the Payment Card Industry Data Security Standard and/or the Payment Application Data Security Standard.

2.7.2 Acquirer Contracts with Merchants and/or Third Party Agents

2.7.2.1 Acquirer contracts with Merchants and/or third parties must incorporate specific clauses prohibiting the storage of authentication data (when Authorization is complete), including but not limited to:  Card Verification Value (CVV);  Card Verification Value 2 (CVV2); and  PIN blocks, as defined in the PIN Management Manuals.

2.7.2.2 An Acquirer that does not have 90 percent of their Merchants, across each of the Merchant types defined in Table 9-4, in compliance with the requirements in this Section 2.7 must provide Visa, for each Merchant type that is non-compliant, an explanation and a plan for the next 12 months, indicating how they will ensure the protection of Cardholder data.

64 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.7.2.3 Payment Applications

2.7.2.3.1 Acquirers must:  Ensure that all Merchants using payment applications that either store, or cause to be stored, sensitive authentication data, when Authorization is complete, must migrate to, or upgrade to, payment applications that do not store sensitive authentication data. This must be done within six months of those applications being identified; and  Verify that all Merchants who are new to Card acceptance and who are using a payment application that meets the eligibility criteria as defined by the PCI SSC, only use a payment application that is compliant with the Payment Application Data Security Standard.

2.7.2.3.2 Acquirers must ensure that any Merchant using a payment application, as defined in the Payment Application Data Security Standard, that is listed as vulnerable by Visa, must within six months of the application being identified as vulnerable either:  Upgrade the payment application to remove the identified vulnerability; or  Use a payment application that is compliant with the Payment Application Data Security Standard.

2.7.2.4 Acquirer Requirements

2.7.2.4.1 Acquirers must:  Report to Visa their compliance with the Payment Card Industry Data Security Standard;  Report and verify to Visa, at a minimum every six-months, the compliance status of their Merchants with the Payment Card Industry Data Security Standard;  Ensure their Electronic Commerce Merchants that process less than one million Transactions per annum (Levels 3 and 4, as per Table 9-4): — Exclusively use a service provider that is compliant with the Payment Card Industry Data Security Standard; or — Provide to their Acquirer certification of their own compliance with the Payment Card Industry Data Security Standard; and  Ensure their Merchants meet the compliance thresholds mandated by Visa, which are available from Visa upon request, for the following sectors: — Levels 1 and 2 (as per Table 9-4); and — The aviation and hotel sectors.

2.7.2.4.2 An Acquirer that falls significantly outside of the expected performance, as determined by Visa, may be required, at the discretion of Visa, to undergo a formal Account Information Security Program assessment and reimburse to Visa any expenses incurred by Visa.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 65 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.7.3 Loss or Theft of Account or Transaction Information A V PAY Member must immediately report to Visa the suspected or confirmed loss or theft (including loss or theft by one of its agents or Merchants) of any material or records that contain account information or Transaction Information, as specified in the Visa Europe What To Do If Compromised Guide.

The V PAY Member must ensure that the report described above, contains, to the extent possible, all of the following categories of information relating to the lost or stolen materials or records that contain account information or Transaction Information:  Issuer name;  Format, amount and description of missing account information or Transaction Information;  Any specific Account Numbers missing;  Type of account information that was included in the missing material;  Details of the loss or theft of account information or Transaction Information and the ensuing investigation being conducted by the V PAY Member in accordance with Section 2.7.4;  The contact name and telephone number of the V PAY Member for the provision of additional information; and  The name and telephone number of the person reporting the loss or theft.

2.7.4 Investigations A V PAY Member must conduct an investigation of any suspected or confirmed loss or theft of account information or Transaction Information as specified in the Visa Europe What To Do If Compromised Guide.

2.7.4.1 Effective from 1 May 2016, a Member must ensure that all incidents of non-compliance with Section 2.7 are investigated by a PCI Forensic Investigator and the results reported to Visa, as specified in the Visa Europe What To Do If Compromised Guide.

2.7.4.2 Non-Compliance

2.7.4.2.1 Visa may fine a Member (as specified in Section 9.2.3) or require that Member to take immediate corrective action, if Visa determines, at its sole discretion, that the V PAY Member has been deficient or negligent in:  Securely maintaining account information or any Transaction Information; or   Reporting or investigating the loss or theft of such information. 

2.7.4.2.2 Application of Fines

2.7.4.2.2.1 Effective from 1 May 2016, where an Acquirer incurs a fine, as specified in Section 2.7.4.2.1, that is greater than €100,000, that fine will be limited to five per cent of that Acquirer’s Merchant’s gross sales volume, for the 12 months prior to the initial notification by Visa.

2.7.4.2.2.2 Effective from 1 May 2016, Visa will charge a Member €3,000 for each Account Data Compromise event.

2.7.4.2.3 Reduction of Fines/Penalties

2.7.4.2.3.1 Effective from 1 May 2016, Visa may, at its discretion, reduce the fines specified in Section 9.2.3 based upon:  A review of an Acquirer’s self-certification, provided to Visa; or  A Merchant’s compliance with the Payment Card Industry Data Security Standard.

2.7.4.2.3.2 Effective from 1 May 2016, for an Acquirer that supports Verified by Visa, Visa may, at its discretion, reduce the fines specified in Section 9.2.3 up to a maximum of 50 per cent dependent on the volume of Transactions with ECI value “5” and ECI value “6”, for the 12 months prior to the initial notification by Visa.

66 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.7.4.2.3.3 Effective from 1 May 2016, Visa may, at its discretion, offer an Acquirer penalty reductions as set out in Table 2-5 and Table 2-6, where the reductions vary depending on whether the Merchant is found compliant or non-compliant following a forensic investigation conducted by a PCI Forensic Investigator.

Table 2-5 Reductions where Merchant found compliant in a forensic investigation

Notification at half-yearly Acquirer informed Visa Visa informed Acquirer report

Acquirer reports the Acquirer qualifies for 100% penalty Acquirer qualifies for 100% penalty Merchant as compliant reduction reduction Acquirer reports the Acquirer qualifies for 100% penalty Acquirer qualifies for 100% penalty Merchant as non-compliant reduction reduction Acquirer fails to declare or Acquirer qualifies for 100% penalty Acquirer qualifies for 75% penalty incorrectly reports the reduction reduction Merchant’s compliance

Table 2-6 Reductions where Merchant found non-compliant in a forensic investigation

Notification at half-yearly Acquirer informed Visa Visa informed Acquirer report

Acquirer correctly Acquirer qualifies for 75% penalty Acquirer qualifies for 50% penalty reports the Merchant as reduction reduction compliant Acquirer correctly reports Acquirer qualifies for 50% penalty Acquirer qualifies for 25% penalty the Merchant as non- reduction reduction compliant Acquirer fails to declare or Acquirer qualifies for 25% penalty Acquirer does not qualify for a penalty incorrectly reports the reduction reduction Merchant’s compliance

2.7.4.3 V PAY Member Co-operation Members must co-operate with Visa to protect the payment system and its Members against account and Transaction data compromises. Failure to do so will result in a penalty of €100,000 being levied by Visa.

Lack of V PAY Member co-operation is classified as:  Failure to immediately disclose a suspected compromise to Visa;  Failure to distribute Account Numbers at risk to Visa within seven calendar days of notification of a suspected compromise;  Failure to notify law enforcement that a crime may have been committed;  Failure to appoint an accredited assessor within seven calendar days of a suspected compromise;  Failure to distribute to Visa by a Member all Transaction data processed by such Member, or on their behalf by an entity at risk, during the window of exposure on a Visa BIN, within 15 calendar days of the request by Visa: — Such Transaction data must be distributed to Visa irrespective of which entity processed this data; — The entity at risk and the window of exposure on a Visa BIN are defined by Visa on a case by case basis;  Failure to identify Account Numbers at risk; and  Any other aspect regarding a Member’s management of Account and Transaction data compromises that Visa deems to have an adverse impact on the Visa payment system.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 67 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.7.5 PIN Security

2.7.5.1 PIN Security Self-Audit Requirements An Acquirer and its agents processing PINs for Transactions must comply with the security requirements, as specified in the PIN Management Requirements Documents, and the requirement to perform a self-audit in accordance with the Visa Europe PIN Security Self Audit Requirements and Forms. Failure to comply with the security requirements specified in the PIN Management Requirements Documents may subject the Acquirer to the fines specified in Section 9.2 and Table 9-8.

2.7.5.2 PIN Security Non-Compliance

2.7.5.2.1 Following an on-site inspection by Visa for any violation of a rule contained in the PIN Management Requirements Documents, if an Acquirer is found to be non-compliant with the PIN Management Requirements Documents, Visa may notify the Acquirer of such violation. If that Acquirer that fails to respond to such notification within 30 days of receipt of a notification from Visa, Visa may fine the Acquirer or suspend that Acquirer’s certification relating to PIN implementation procedures until a response from the Acquirer has been received and acknowledged by Visa.

2.7.5.2.2 An Acquirer that provides an action plan in response to the notification from Visa described in Section 2.7.5.2.1, but does not perform its commitments as set out in such action plan, must deposit €75,000 with Visa as a performance bond or place €75,000 in escrow until Visa either:  Confirms that the Acquirer is in compliance with the requirements of the PIN Management Requirements Documents; or  In the case of the escrow arrangements, suspends that Acquirer’s certification.

2.7.5.2.3 If Acquirer certification in relation to PIN implementation procedures is suspended, the Acquirer may forfeit to Visa the performance bond or escrowed amount referred to in Section 2.7.5.2.2. 2.8 VISA ANTI-MONEY LAUNDERING PROGRAM

2.8.1 Visa Anti-Money Laundering Program Requirements A V PAY Member must implement and maintain an anti-money laundering program that Visa considers to be reasonably designed to prevent the use of the Visa Enterprise to facilitate money laundering or the financing of terrorist activities in accordance with the legal and regulatory requirements applicable to that V PAY Member. 

Each V PAY Member must cooperate with Visa in the administration of the relevant anti-money laundering program described in Section 2.8.1, including but not limited to the following:  Assisting Visa in guarding against V PAY Card issuance and Merchant acquiring in circumstances that could facilitate money laundering or the financing of terrorist activities;   Identifying circumstances of heightened risk and instituting policies, procedures, controls or other actions specified by Visa to address the heightened risk;   Providing a copy of the V PAY Member’s anti-money laundering plan to Visa, if requested by Visa; and   Ensuring the adequacy of the applicable controls implemented by designated agents of the V PAY Member. 

68 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.8.2 Visa Anti-Money Laundering Program Compliance If Visa determines that a V PAY Member has failed to comply with any of the requirements specified in Section 2.8.1, then Visa may, consistent with local law, impose conditions on or require additional actions of a V PAY Member to prevent possible money laundering or financing of terrorist activities. 

These actions may include, but are not limited to, the following:  Implementation of additional policies, procedures, or controls on that V PAY Member;   Requiring the Acquirer to terminate a Merchant Agreement or agreement with a  Cardholder;   Requiring the Acquirer to terminate an agreement with a designated agent;   Termination of that V PAY Member’s status as a Member;   Imposing fines or penalties; and   Any other action that Visa in its sole discretion determines to take with respect to the V PAY Member or the V PAY Member’s designated agent.  2.9 DATA PROTECTION PROVISIONS Depending on the service and as specified for such service, a V PAY Member must understand and accept that it is either:  A data controller, as specified by European Data Protection legislation, with regard to all personal data that the V PAY Member and/or Visa collects from Cardholders and Merchants with Visa and its sub-contractors being the data processor; and  Primarily responsible for fulfilling all data protection responsibilities toward Cardholders and Merchants with whom it has a direct relationship, or that the V PAY Member is:  A joint data controller together with Visa, as specified by European Data Protection legislation, with regard to all personal data that the Member and/or Visa collects from Cardholders and Merchants with Visa and its sub-contractors being the joint data controller; and  Jointly responsible with Visa for fulfilling all data protection responsibilities towards Cardholders and Merchants.

2.9.1 V PAY Member Responsibility as Sole Data Controller If a V PAY Member is the sole data controller in respect of a service, then it must:  Ensure that it complies fully with all applicable data protection laws with regard to personal data that it collects, stores, processes and transfers;  Ensure that it has a valid legal basis (such as a standard contractual clause or any mechanism that is deemed adequate) for making any data transfers outside the European Economic Area;  Provide appropriate prior information to the Cardholder or Merchant about the intended processing of their personal data by the Member and Visa;  Provide accurate data regarding their Cardholders to Visa, including informing Visa when Cardholder personal data must be corrected, updated or deleted;  Respond promptly to Cardholders or Merchants who contact the Member seeking to exercise their data protection rights, informing Visa of such response;  Adopt appropriate technical and organisational security measures in respect of the storage and processing of such personal data, as more particularly specified in the relevant service description;  Provide consent for Visa to transfer data outside the EEA and execute any required legal documentation on behalf of the data controller to adduce adequacy for the data  transfer; and  Work with the Cardholder or Merchant to resolve any dispute regarding their personal data, informing Visa of such resolution.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 69 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.9.2 V PAY Member and Visa Responsibilities as Joint Data Controllers If a V PAY Member together with Visa are joint data controllers in respect of a service,  each must:  Ensure that it complies fully with all applicable data protection laws with regard to personal data that it collects, stores, processes and transfers;  Ensure that it has a valid legal basis (such as a standard contractual clause or any mechanism that is deemed adequate) for making any data transfers outside the European Economic  Area; and  Adopt appropriate technical and organisational security measures in respect of the storage and processing of such personal data, as more particularly specified in the relevant service description.

A V PAY Member must:  Provide appropriate prior information to the Cardholder or Merchant about all of the intended processing of their personal data by the Member and Visa;  Provide accurate data regarding the Cardholders to Visa, including promptly informing Visa when Cardholder personal data must be corrected, updated or deleted;  Respond promptly to Cardholders or Merchants who contact the Member or Visa seeking to exercise their data protection rights, informing Visa or the Member (as the case may be) of such response;  Provide consent to transfer data outside the EEA and execute legal documentation on behalf of the data controller to adduce adequacy for the data transfer; and  Work with the Cardholder or Merchant to resolve any dispute regarding their personal data, informing Visa or the Member (as the case may be) of such resolution.

Visa will:  Assist V PAY Members, where appropriate, to respond to a Cardholder or Merchant seeking to exercise their data protection rights;  Respond to a Cardholder or Merchant contacting Visa seeking to exercise their data protection rights; and  Work with V PAY Members, Cardholders or Merchants to resolve any issues raised to Visa regarding the processing of Cardholder personal data.

2.9.3 Visa Responsibility as Data Processor Visa will comply fully with all applicable data protection laws in regards to the personal data it, or its sub-contractors, stores and processes on behalf of its V PAY Members as follows:  Update the personal data of Cardholders or Merchants when notified of such corrections or updates by Members or Cardholders;  Assist Members, where appropriate, to respond to a Cardholder or Merchant seeking to exercise their data protection rights;  Respond to a Cardholder or Merchant contacting Visa seeking to exercise their data protection rights;  Remove personal data about a Merchant from the Visa Merchant Alert Service (VMAS) file: — If the Merchant’s inclusion was not in accordance with VMAS requirements; and — Notify such parties that have accessed the information on that Merchant within the previous 12 month period of the removal;  Delete any personal data at the end of the relevant retention period;  Adopt appropriate technical and organisational security measures for the storage and processing of such personal data as disclosed by Members, as more particularly specified in the relevant service description;  Work with Members, Cardholders or Merchants to resolve disputes raised to Visa regarding the processing of their personal data; and  To the extent that it is Visa’s responsibility to do so, ensure that all transfers of personal data outside the EEA have a valid legal basis.

70 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 2 - Risk Management

2.9.4 V PAY Member Obligations for Providing Visa with Data Relating to Cardholders A V PAY Member must:  Warrant that, as applicable, the terms and conditions of its Cardholder Agreements do and will continue to permit Visa to conduct propensity modelling and to use such data to build and market products and services to third parties;  Ensure that all fair processing notices have been given to a Cardholder (and/or, as applicable, consents obtained from Cardholders) and such notices are sufficient in scope to enable Visa to process any Cardholder personal data as required and in accordance with applicable laws, including ensuring that such fair processing notices are accordance with Section 1.13.3; and  Indemnify and hold Visa harmless against all liability, cost, expense, damage and loss (including but not limited to any direct, indirect or consequential loss) resulting from or in a connection with a breach of such warranty.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 71 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Use of Marks

3.1 INTRODUCTION ...... 75

3.2 V PAY BRAND MARK ...... 75 V PAY Cards ...... 75 Merchant Acceptance ...... 75 License Grant for V PAY Marks ...... 75 Use of Other Marks on V PAY Cards ...... 76 Use of Marks ...... 76 General ...... 76 Protection of V PAY Brand Mark ...... 76 Use of V PAY Mark for V PAY Card Programs and /or V PAY Card Products ...... 76 Use of V PAY Mark in Corporate Names ...... 76 Use of the V PAY Brand Mark on Cards ...... 77 Use of Visa Marks in Any Media ...... 77 Use of V PAY Mark in Domain Names ...... 77 Ownership and Use of an Internet Domain Name Including the Word “V PAY” ...... 78 Use of the V PAY Mark with V PAY Member Sponsorships ...... 78 Audits of use of V PAY Mark ...... 79

3.3 CO-BADGING PROGRAM REQUIREMENTS...... 79 Co-Badging with Plus ...... 79 Co-Badging with Visa or Visa Electron ...... 79 Co-Badging with other Chip Applications ...... 79

3.4 CO-BRANDING ...... 79 Use of Non-Member Marks ...... 79 Non-Member Co-Branding Requirements ...... 79 Non-Member Trademark ...... 80 Issuer Co-Branding Requirements ...... 80

3.5 GRAPHIC REPRODUCTION OF VISA MARKS ...... 80 Approval ...... 80 Usage Requirements ...... 80

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 73 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

Full-Colour Reproductions ...... 80

3.6 TRADEMARK REQUIREMENTS...... 80 Trademark Denotation Symbols ...... 81 Use of Trademark Symbols Denoting Registered Trademark Status ...... 81 Multiple Member Trademarks ...... 81

3.7 USE OF VISA MARKS...... 81 Use at a Point-of-Transaction ...... 81 Use at Merchant Outlets and V PAY Member Locations ...... 81 Use at Merchant Websites ...... 81 The V PAY Mark at ATMs ...... 82

3.8 V PAY MEMBER USE OF NON-VISA MARKS...... 82 V PAY Member Use of Third Party Marks ...... 82 Multiple Marks ...... 82

3.9 PLUS PROGRAM ...... 82 Plus Program Participation Requirements ...... 82

3.10 VISA GLOBAL ATM PROGRAM REQUIREMENTS FOR PLUS PROGRAM PARTICIPANTS...... 83 Participation Requirements ...... 83 Balance Inquiry Service ...... 83 Decline Fees ...... 83 Cash Disbursement Fees ...... 83 Custom Payment Service for ATM Program ...... 83 Non-Participation ...... 83

3.11 PLUS PROGRAM MARKS ...... 84 Plus Program Marks ...... 84 Colours ...... 84 Plus Logotype ...... 85 Plus Wordmark ...... 85 Plus ATMs ...... 85

74 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.1 INTRODUCTION If a V PAY Member uses the V PAY Brand Mark, it must comply with the Visa Product Brand Standards. In the event of any inconsistency between the V PAY Operating Regulations - Scheme and the Visa Product Brand Standards, the Visa Product Brand Standards shall prevail.  3.2 V PAY BRAND MARK The V PAY Brand Mark is a Visa Mark.

3.2.1 V PAY Cards

3.2.1.1 If a Member places a new order for V PAY Cards from its Approved Manufacturer, these Cards must reproduce the V PAY Brand Mark in one colour only (blue).

3.2.1.2 Effective from 1 June 2019, all V PAY Cards issued by a Member must display the V PAY Brand Mark in one colour only (blue).

3.2.2 Merchant Acceptance

3.2.2.1 New V PAY Merchants must display the V PAY Brand Mark in one colour only (blue or black) at Point- of-Transaction.

3.2.2.2 An Electronic Commerce Merchant that displays a V PAY payment option on its website must reproduce the V PAY Brand Mark in one colour only (blue or black).

3.2.2.3 Where an ATM Acquirer displays acceptance marks on the electronic screen of its ATMs, that ATM Acquirer must:  Display the V PAY Brand Mark; and  Display the V PAY Brand Mark in one colour only (blue or black).

3.2.3 License Grant for V PAY Marks A V PAY Member’s right to use any V PAY Brand Mark is provided for in the Visa Trade Mark Licence, pursuant to which Visa grants to each V PAY Member a non-exclusive, non-transferable, royalty-free licence to use the V PAY Brand Mark on the terms and conditions set out in the Visa Trade Mark Licence.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 75 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.2.4 Use of Other Marks on V PAY Cards With the prior agreement of Visa, Non-Visa Marks may be used in conjunction with the V PAY Brand Mark on the same V PAY Card (refer to Section 3.3 for information on co-badging and Section 3.4 for information on the Co-Branding process for V PAY Members). Marks belonging to competitors of Visa must not appear on V PAY Cards. V PAY Members are responsible for ensuring they have the rights to use non-Visa Marks, including their own trade names and marks.

The proprietary mark of a domestic debit scheme or SEPA Card Framework (SCF) compliant debit scheme may, with the prior agreement of Visa, be placed on a V PAY Card.

The dimensions of any Non-Visa Marks featured on a V PAY Card must not be any larger than the V PAY Brand Mark.

The V PAY Mark must be separated from Non-Visa Marks by a minimum of 3mm.

3.2.5 Use of Marks

3.2.5.1 General

3.2.5.1.1 V PAY Members may not use the V PAY Brand Mark in any manner which may, in the view of Visa, bring the V PAY Mark or Visa Enterprise into disrepute. 

3.2.5.1.2 A V PAY Member must not use the V PAY Brand Mark, in relation to, or for the purchase of, photographs, video imagery, computer-generated images, cartoons, simulation or any other media, of activities that include, but are not limited to:  Imagery of child abuse;  Bestiality;  Rape (or any other non-consensual sexual behaviour); and/or  Non-consensual mutilation of a person or body part.

V PAY Members not complying with Section 3.2.5.1.1 and Section 3.2.5.1.2 will be subject to penalties, as specified in Table 9-18.

3.2.5.1.3 A V PAY Member must not state or imply that it is the exclusive owner or provider of any V PAY Program and/or V PAY Card Product.

3.2.6 Protection of V PAY Brand Mark A V PAY Member must not use, register or attempt to register a Trademark that is identical or confusingly similar to any Visa Mark.

3.2.6.1 Use of V PAY Mark for V PAY Card Programs and /or V PAY Card Products

3.2.6.1.1 A V PAY Member must only use the V PAY Mark:  To denote or promote a V PAY Card Program and/or V PAY Card Product; and/or   In operations in support of its V PAY Products and Services, on the terms and conditions set out in the Visa Trade Mark Licence. 

3.2.6.1.2 A V PAY Member must not use the V PAY Brand Mark to indicate that Visa endorses, is identified with, or sponsors goods or services other than those of Visa, except as permitted in the V PAY Operating Regulations - Scheme or the Visa Product Brand Standards. 

3.2.6.2 Use of V PAY Mark in Corporate Names

3.2.6.2.1 A V PAY Member, or a wholly owned subsidiary of a V PAY Member that exclusively engages in Transaction processing, may only use the V PAY Brand Mark in its corporate name or other business name with the prior written consent from Visa, except as otherwise permitted in the V PAY Operating Regulations - Scheme or the Visa Product Brand Standards. 

76 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.2.6.2.2 A V PAY Member must not use the name of a country in conjunction with any Visa Mark in its corporate name or other business name, without the prior written consent of Visa, unless such consent was granted by Visa International prior to 1 October 2007. 

3.2.6.3 Use of the V PAY Brand Mark on Cards All graphic reproductions of any Visa Mark must comply with this chapter and the Visa Product Brand Standards.

3.2.6.4 Use of Visa Marks in Any Media

3.2.6.4.1 Subject to applicable law, a V PAY Member must identify itself by its business name, but may substitute the local Branch name, if desired, on all supplies, materials (including broadcast) and oral or written solicitations sent to current or prospective Cardholders or Merchants. A V PAY Member must not state or imply in these materials that any other V PAY Member’s V PAY Cards or Merchant materials are being replaced, are invalid or should be destroyed. A V PAY Member must not state or imply that Visa has provided or endorsed these materials unless Visa designed them for V PAY Member use. 

3.2.6.4.2 A V PAY Member must not use the V PAY Brand Mark in such a way that the material bearing the V PAY Brand Mark could be mistaken for an actual V PAY Card and used in a Transaction. 

3.2.6.4.3 A V PAY Member must not use any third party Trademark that is the subject of a sponsorship or licence agreement between Visa and the owner of that third party Trademark without the prior written consent of Visa. Where a V PAY Member has received prior written consent from Visa, that V PAY Member’s use of any third party Trademarks in any media pursuant to a sponsorship or license agreement between Visa and the owner of the third party Trademark or Trademarks must comply with the terms and conditions set out in such sponsorship or licensing agreement, as well as the processes and standards established by Visa, depending on which party has entered into the sponsorship or licensing agreement with the owner of the Trademark or Trademarks (“Sponsorship Rules”). Subject to applicable law, such “Sponsorship Rules” shall govern in the case of any ambiguity, conflict or inconsistency between the “Sponsorship Rules” and any rule in the V PAY Operating Regulations - Scheme, contract, sublicense, agreement or arrangement between Visa and V PAY Members, Merchants or Affiliates. 

3.2.6.5 Use of V PAY Mark in Domain Names

3.2.6.5.1 Except as provided in this Section 3.2.6.5, a V PAY Member may not adopt, use, register or attempt to register any domain name containing a V PAY Brand Mark without prior written consent from Visa. Except where a domain name has been registered in compliance with this Section 3.2.6.5, in the event that a V PAY Member registers a domain name in breach of this rule, that V PAY Member must immediately cause the transfer of such domain name registration to Visa. 

3.2.6.5.2 A V PAY Member or its co-branding or affinity partner that currently owns an internet domain name or internet domain name beginning with the word “V PAY”, “VPAY”, “V_PAY”, “V.PAY” and so on, must transfer ownership to Visa, except when Visa grants a variance to ownership and use of an internet domain name for a specific internet domain name.

3.2.6.5.3 If a domain name registrar will not permit transfer of ownership of the domain name, the V PAY Member or its co-branding or affinity partner must retain ownership of the domain name and create an automatic connection to the Visa website. The domain name owner must not use the domain name to identify its website.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 77 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.2.6.5.4 A V PAY Member or a National Organisation that owns or uses an internet domain name or internet domain name beginning with the word “V PAY”, “VPAY”, “V_PAY”, “V.PAY” and so on, must not:  Combine the V PAY name in a domain name with the name of any Visa Competitor;  Display a Visa Europe Competitor’s mark on a website with a V PAY internet domain name; or  Engage in commercial activities not related to issuing or accepting V PAY products on a website with a V PAY internet domain name.

3.2.6.5.5 During the transfer of ownership process, Visa will:  Manage the necessary paperwork;  Provide a redirect to another web page for up to six months;  Pay fees to a domain name registrar; and  Provide other reasonable assistance.

3.2.6.6 Ownership and Use of an Internet Domain Name Including the Word “V PAY”

3.2.6.6.1 A V PAY Member or its co-branding or affinity partner or a National Organisation may own or use an internet domain name including the word “V PAY”, “VPAY”, “V_PAY”, “V.PAY” and so on, on a website, provided the associated website home page displays a graphic provided by Visa that offers a link to one of the following:  V PAY website; or  Visa website.

3.2.6.6.2 A website of a V PAY Member or a National Organisation must comply with this Chapter 3, that governs the use of the V PAY Brand Mark.

3.2.6.6.3 A V PAY Member or National Organisation that owns or uses an internet domain name Including the Word “V PAY”, “VPAY”, “V_PAY”, “V.PAY” and so on, must not:  Combine the V PAY name in a domain name with the name of any Visa Europe Competitor; or  Display a Visa Europe Competitor’s mark on a website with a V PAY internet domain name.

3.2.6.6.4 A V PAY Member must not use an internet domain name including the word “V PAY”, “VPAY”, “V_PAY”, “V.PAY” and so on, containing a country name or geographical designation, unless the country name or geographical designation exactly matches its actual company name.

3.2.6.7 Use of the V PAY Mark with V PAY Member Sponsorships

3.2.6.7.1 A V PAY Member may not use the V PAY Brand Mark to sponsor a specific sporting, musical, artistic or other event without prior written consent from Visa.

3.2.6.7.2 Where a V PAY Member would like to use the V PAY Brand Mark to sponsor, it must submit an approval request to Visa at least two months prior to the anticipated release date of any materials associated with the sponsorship activities or the start date of the proposed sponsored event, whichever is the earlier.

3.2.6.7.3 A V PAY Member participating in any sponsorship activity must clearly convey in all of its communications, displays and materials that only the V PAY Member, not Visa, is the sponsor. The V PAY Member must not state or imply that it owns the V PAY Brand Mark.

3.2.6.7.4 A V PAY Member must ensure that it only uses the V PAY Brand Mark for sponsorship activities within the scope of any written approval that Visa may provide in response to the approval request submitted by the V PAY Member in accordance with Section 3.2.6.7.1. Where Visa provides notification to a V PAY Member that the V PAY Member is not using the V PAY Brand Mark within the scope of such written approval, a V PAY Member must correct any improper use of any of the Visa Marks.

78 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.2.6.8 Audits of use of V PAY Mark Visa may conduct any audits that it deems appropriate to ensure that all entities authorised to use the V PAY Brand Mark are doing so in a manner consistent with the approval granted by Visa. Members must fully co-operate with Visa to enable Visa to carry out such audits. 3.3 CO-BADGING PROGRAM REQUIREMENTS A V PAY Program can be issued in conjunction with an existing non-competing domestic debit program or a non-competing SEPA Cards Framework (SCF) compliant debit program, subject to the approval of Visa. Co-badging can only take place with a SCF compliant debit program; please refer to the EPC SEPA Cards Framework (Version 2.0).

An Issuer may place the mark and functionality of a non-competing proprietary or domestic payment scheme, on a V PAY Card.

3.3.1 Co-Badging with Plus Co-badging a V PAY Card with Plus will give the Cardholder global ATM access. When a V PAY Card is co-badged with Plus, the V PAY application will be used for cash withdrawals at EMV-Compliant ATMs and the Plus application used for non-EMV compliant ATMs, including those outside the Territory. See Section 3.9 for more information.

3.3.2 Co-Badging with Visa or Visa Electron Co-badging a V PAY Card with the Visa Brand Mark or the Visa Brand Mark with Electron Identifier will allow worldwide acceptance at Point-of-Transaction and ATM terminals accepting these products, including non-EMV compliant devices.

3.3.3 Co-Badging with other Chip Applications V PAY can co-exist on the Chip with other non-competing applications (for example, store loyalty programs). 3.4 CO-BRANDING

3.4.1 Use of Non-Member Marks A V PAY co-brand is a joint venture between an Issuer and a co-brand partner. The co-branding partner must not be eligible for membership of Visa.

The use of Trademarks belonging to co-branding partners on V PAY Cards is subject to prior approval of Visa, and may be subject to additional restrictions.

3.4.1.1 Non-Member Co-Branding Requirements In order to issue V PAY Cards with the Trademark of non-Members, all of the following provisions must apply:  Non-Member has a good reputation, is financially sound and is widely known in the proposed country of issuance—the Issuer must provide supporting documentation prior to program approval by Visa;  Proposed V PAY Card Program is consistent with the policies and guidelines established by Visa;  Non-Member does not: — Maintain a contractual relationship with the Cardholder for purposes of accessing, through the use of that V PAY Card, an account that the non-Member either establishes, maintains, manages or underwrites; or — Directly or indirectly control or exercise a controlling influence over the management or policies of the Issuer;

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 79 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

 Non-Member submits written agreement to the Issuer acknowledging the rights of Visa to the V PAY Brand Mark;  Non-Member is not an organisation deemed to be a Visa Europe Competitor; and  Where the co-brand partner is a retailer, its Merchant Outlets must accept V PAY Cards.

3.4.1.2 Non-Member Trademark For all such V PAY Cards:  The Trademark of the non-Member must be a registered Trademark;  The following images are permitted on co-branded V PAY Cards, provided that the Issuer obtains prior written approval from Visa or any other sponsoring party. Such uses will be permitted in limited circumstances and are subject to approval of the those sponsoring entities: — Logos; — Designations; and — Authenticating statements;  The trade name of the non-Member may appear in any colours except those prohibited in the Visa Product Brand Standards; and  The following images are not permitted on a co-branded V PAY Card: — Political or religious imagery which is offensive to cultural values; — Illegal groups; — Socially unacceptable groups; — Provocative or sexual material; and/or — Material which may result in non-acceptance or other problems at Point-of-Transaction.

3.4.1.3 Issuer Co-Branding Requirements An Issuer must identify each co-brand program. This identification can be:  Through a dedicated BIN, with each account range for each program identified; or  Within an existing BIN, where the account ranges are identified for each co-brand program.

The Issuer must notify Visa of these account ranges by submission of a BIN Licensing Agreement Form (Exhibit 4A) as part of the co-brand program application process. 3.5 GRAPHIC REPRODUCTION OF VISA MARKS

3.5.1 Approval A V PAY Member must submit its proposed designs for all Cards and Point-of-Transaction displays to Visa for written approval prior to production and each time the design is changed.

3.5.2 Usage Requirements A V PAY Member using the V PAY Brand Mark must ensure that the V PAY Brand Mark or any portion thereof is not obscured, distorted or defaced.

3.5.3 Full-Colour Reproductions Full-colour reproduction of the Visa Marks must conform to the specifications supplied by Visa. 3.6 TRADEMARK REQUIREMENTS Unless an Issuer has the prior written consent of Visa, it must not use any Trademarks on a V PAY Card other than the Licensed Marks, Trademarks owned by the Issuer and/or Trademarks owned by Visa. 

Subject to applicable law, an Issuer shall not apply to any V PAY Card any Trademarks that are owned by Visa Inc. Competitors or Visa Europe Competitors. 

An Issuer shall not apply to any V PAY Card any third party Trademark that is confusingly similar to any Licensed Mark. 

80 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.6.1 Trademark Denotation Symbols

3.6.1.1 Use of Trademark Symbols Denoting Registered Trademark Status A V PAY Member’s use of the V PAY Brand Mark on V PAY Cards, websites or printed marketing materials may require the use of a registration symbol (for example, ®) to denote registered Trademark status. Each country has its own laws for whether the use of Trademark denotation symbols is required or optional. These requirements may change from time to time.

3.6.2 Multiple Member Trademarks

3.6.2.1 A V PAY Card may display one or more Trademarks in addition to the V PAY Licensed Mark.

3.6.2.2 The primary Trademark on a V PAY Card must always be the Trademark of the Issuer of that V PAY Card.

3.6.2.3 An Issuer of a V PAY Card that wishes to display multiple Trademarks on that V PAY Card:  Must have a proven relationship with the owners of those Trademarks;  Must have permission from the owners of the Trademarks to display those Trademarks;  May display the Trademarks on either the front or reverse of the V PAY Card; and  Must not display those Trademarks solely for marketing or advertising purposes.

3.6.2.4 If the non-primary Trademarks on a V PAY Card are not owned by either a Member or a V PAY Member, then the Co-Branding rules specified in Section 3.4 apply. 3.7 USE OF VISA MARKS

3.7.1 Use at a Point-of-Transaction

3.7.1.1 A V PAY Member must, and must ensure that its Merchants, display the appropriate V PAY Brand Mark or Visa Marks to indicate which Cards it accepts for payment, as specified in the Visa Product Brand Standards. 

3.7.1.2 Effective from 22 April 2017, a Merchant must display the V PAY POS graphic prominently as follows:  At the Merchant entrance or storefront; and  On the payment acceptance device, as specified in the Visa Product Brand Standards.

3.7.2 Use at Merchant Outlets and V PAY Member Locations A V PAY Member or Merchant must display the V PAY Symbol, either alone or combined with other acceptance marks.

3.7.3 Use at Merchant Websites An Acquirer must ensure that each of its Merchants that accept payments through their websites must display the V PAY Brand Mark or POS graphic as specified in the Visa Product Brand Standards. 

All Visa Marks appearing at a Merchant Outlet or V PAY Member location must be:  Clearly visible and displayed in full colour; and  At least 54mm high by 86mm wide.

The size of a Visa Mark on signage may be adjusted to fit the space restrictions of each location, but must not be smaller than any other acceptance mark displayed.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 81 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.7.4 The V PAY Mark at ATMs An ATM operated by a V PAY Member may display the V PAY Symbol if it is EMV-Compliant and accepts V PAY Cards.

If Non-Visa Marks are displayed in a single colour at an ATM, Visa Marks may be displayed in that single colour.

If an ATM is located inside a Branch or other facility, the appropriate Visa Marks must be displayed at or near the main entrance and at the ATM.

All newly-installed ATMs must display the V PAY Brand Mark.

All ATMs that are EMV-Compliant and display the Visa Brand Mark must also display the V PAY Brand Mark. 3.8 V PAY MEMBER USE OF NON-VISA MARKS

3.8.1 V PAY Member Use of Third Party Marks

3.8.1.1 Multiple Marks

3.8.1.1.1 A V PAY Member must not use any Trademark other than the V PAY Brand Mark on V PAY Cards to indicate V PAY Card acceptance at a Merchant Outlet outside the country of V PAY Card issuance.

3.8.1.1.2 A V PAY Member may only use a Trademark other than a V PAY Brand Mark to indicate V PAY Card acceptance at a Merchant Outlet if such Trademark is clearly less prominent than the V PAY Brand Mark.

3.8.1.1.3 When a V PAY Member uses the V PAY Brand Mark in proximity to a Trademark of a Visa Europe Competitor (as may be permitted by the V PAY Operating Regulations - Scheme), such use must unmistakably convey the idea that the V PAY Brand Mark identified a V PAY Product or Service that is separate and distinct from any product or service of the Visa Europe Competitor. 3.9 PLUS PROGRAM Upon request, Visa will grant to a V PAY Member not otherwise licensed a non-exclusive, non- transferable license to use each of the Plus Program Marks with the Plus Program.

3.9.1 Plus Program Participation Requirements To become an Issuer of V PAY Cards bearing the Plus Symbol, an Issuer must do all of the following:  Comply with all of the following: — Visa Product Brand Standards; and — The Magnetic Stripe encoding specifications in the Payment Technology Standards Manual and the Chip encoding specifications in the EMV Integrated Circuit Card Specifications for Payment Systems, as appropriate; and  Provide a service for obtaining Authorization service 24 hours a day, seven days a week.

82 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.10 VISA GLOBAL ATM PROGRAM REQUIREMENTS FOR PLUS PROGRAM PARTICIPANTS

3.10.1 Participation Requirements Where an Issuer wishes to offer its Cardholders world-wide access to ATMs bearing any Visa Marks, it must submit to Visa, prior to offering that ATM access, an application of written certification from Visa certifying that it meets the requirements set out in the V PAY Operating Regulations - Scheme. 

3.10.1.1 Balance Inquiry Service

3.10.1.1.1 An Issuer providing a Balance Inquiry Service must:  Obtain certification from Visa prior to providing a Balance Inquiry Service;   Provide a Balance Inquiry Service as separate, non-financial Transaction; and   Provide the balance in the Billing Currency. 

3.10.1.1.2 An Issuer may additionally provide balance information as part of an ATM Cash Disbursement.

3.10.1.1.3 An Issuer must pay the ATM Acquirer a €0.20 fee for each Balance Inquiry. If the Issuer does not participate in a Balance Inquiry Service, the inquiry will be declined and a decline fee will be assessed to the Issuer.

3.10.1.2 Decline Fees An Issuer must pay an ATM Acquirer a decline fee of €0.20 for each Authorization Request or Balance Inquiry at an ATM that results in a Decline Response other than the following response codes:  “Authorization declined, pick up card”;  “Cryptographic or formatting error”;  “System malfunction”;  “No such Issuer”;  “Re-enter Transaction”;  “Security violation”; and  “Destination cannot be found for routing”.

3.10.1.3 Cash Disbursement Fees An Issuer must pay a Cash Disbursement Fee to the Acquirer performing a Cash Disbursement.

Effective from 1 July 2016, an exception applies where an ATM Acquirer adds an Access Fee to the Transaction Amount of an ATM Cash Disbursement as specified in Section 10.3.1.

3.10.1.4 Custom Payment Service for ATM Program If an Issuer provides Custom Payment Service for ATMs that Issuer must:  Be certified by Visa;   Receive and return the Transaction Identifier in the Authorization Response for each ATM Transaction;   Have the capability to receive the code that identifies the ATM being used in a Transaction, the details of the owner and the ATM’s location in each Transaction Record; and   Include the Transaction Identifier for the ATM Transaction in all Chargebacks. 

3.10.2 Non-Participation If an Issuer chooses not to participate in the Visa Global ATM Program, it must either:  Encode the Service Code field on the Magnetic Stripe to specify that a V PAY Card is invalid for use in an ATM Cash Disbursement; or  Decline all Authorization Requests for ATM Cash Disbursements and instruct its Processor, Visa Scheme Processor and Stand-In Processing, as applicable, to do the same.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 83 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.11 PLUS PROGRAM MARKS

3.11.1 Plus Program Marks The Plus Program marks are all of the following:  Plus Symbol;  Plus logotype;  Plus wordmark;  Plus design; and  Any other mark that Visa adopts for use with the Plus Program.

Upon request, Visa will grant to a V PAY Member not otherwise licensed a non-exclusive, non- transferable license to use each of the Plus Program marks with the Plus Program.

A V PAY Member must use the Plus Symbol only as a mark indicating acceptance for ATM services.

The Plus Symbol may be used:  On V PAY Cards;  At the Point-of-Transaction; and  On print manuals.

The Plus Symbol-contained must appear exactly as shown in Figure 3-1. The Plus Symbol-contained design elements must not be used separately.

The Plus Symbol-contained must be used in a rectangle form without rounded corners.

Figure 3-1 Specifications for the Plus Symbol-Contained

The Plus Symbol-uncontained must appear exactly as shown in Figure 3-2. The Plus Symbol- uncontained design elements must not be used separately.

Figure 3-2 Specifications for the Plus Symbol-Uncontained

3.11.2 Colours Where a Non-Visa Mark at the Point-of-Transaction is displayed in multiple colours the Plus Symbol must be displayed in full colour. The Plus Symbol must be displayed using the same material as the Non-Visa Mark.

Where a Non-Visa Mark at the Point-of-Transaction is displayed in a single colour the Plus Symbol may be displayed in full colour or in black-white-and-grey.

84 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 3 - Use of Marks

3.11.2.1 Plus Logotype When used as part of the Plus Symbol, the Plus logotype:  Must always appear as specified in Figure 3-1 and Figure 3-2;  May be enlarged or reduced for specific applications, but the specified relationships between the length and height or width of letters must not be altered; and  Must not appear in a style other than that specified, except in typed or printed text, unless approved in writing by Visa.

3.11.2.2 Plus Wordmark Use of the Plus wordmark in typed or printed text must:  Appear with the initial letter of each word capitalised; and  Be treated in a way that is consistent with the body of the type in which it is placed.

3.11.2.3 Plus ATMs The Plus Symbol displayed on participating ATMs must be either:  White on a blue background; or  Blue on a white background.

The blue must match the Visa blue colour.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 85 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Payment Technology

4.1 GENERAL PROGRAM REQUIREMENTS ...... 89 Chip Card Technology ...... 89 Chip Specifications ...... 89 Placement ...... 89 Encoding and Personalisation Requirements ...... 89 Chip Card Technology Requirements ...... 89 Cardholder Verification Method ...... 90 Card Authentication Method ...... 90 Visa Smart Debit/Credit Personalisation Assistant ...... 91 Issuers of Proximity Payment Devices ...... 91 General Requirements ...... 91 Compliance with the Visa Contactless Payment Specifications ...... 91 Issuers of Proximity Payment Devices that are not standard plastic payment  Cards ...... 92 Issuers of Portable Payment Devices ...... 92 Issuers of V PAY Micro Tags ...... 93 Personalisation ...... 93 Personalisation of Data Fields ...... 93 Cardholder Verification Method ...... 94 Authorization Responses ...... 94 Magnetic Stripe Specifications ...... 94

4.2 TERMINAL REQUIREMENTS ...... 95 Point-of-Transaction Terminals ...... 95 PIN Entry Devices ...... 95 Mobile Acceptance Terminals ...... 96 General Requirements ...... 96 Testing Requirements ...... 96 Identification of Transactions ...... 97 General Requirements ...... 97 Terminal Logic ...... 97 PIN Pad Requirements ...... 98 Acquirer Responsibilities ...... 98 Acquirer Liability ...... 98

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 87 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

Terminals for Proximity Payment Devices ...... 98 General Requirements ...... 98 ATMs that accept Proximity Payment Devices ...... 99 Compliance with the Visa Contactless Payment Specifications ...... 99 Configuration of Settings ...... 100 Cardholder Verification ...... 100 Authorization Responses ...... 100 Truncating Account Numbers ...... 100 Unattended Acceptance Terminals ...... 101 General Requirements ...... 101 Transaction Receipt Requirements ...... 101 Gambling Transaction Requirements ...... 101 Automated Fuel Dispensers ...... 101 Interoperability and Compliance ...... 102 Chip Interoperability Compliance ...... 102

88 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.1 GENERAL PROGRAM REQUIREMENTS

4.1.1 Chip Card Technology

4.1.1.1 Chip Specifications A V PAY Card must always carry a Chip that:  Is EMV-Compliant;  Is VIS-Compliant;  Contains both the V PAY and Visa Electron application identifier (AID); and  Complies with the V PAY Operating Regulations - Scheme.

4.1.1.2 Placement The Chip must:  Be on the front of the V PAY Card; and  Comply with the International Organisation for Standardisation Standard 7816–2, Reference Number ISO/IEC 7816–2:1988 (E)–“Identification on Cards–Integrated Circuit(s) Cards with Contacts–Part 2: Dimensions and Locations of the Contacts”.

4.1.1.2.1 The application label of both the V PAY Payment Application and Visa Electron Payment Application must be "V PAY" coded as "56 20 50 41 59".

4.1.1.2.2 The application preferred name for both the V PAY Payment Application and Visa Electron Payment Application must contain at least “V PAY”.

4.1.1.3 Encoding and Personalisation Requirements

4.1.1.3.1 An Issuer must use a Service Code beginning with “2” or “6” on all V PAY Cards that are EMV- Compliant that bear the V PAY Brand Mark or the V PAY Brand Mark with the Electron Identifier.

If the Cardholder name is encoded on the Chip and on the Magnetic Stripe on a Card, the names encoded must be the same as the name displayed on that Card, as far as is allowed by the character sets supported by the Chip and the Magnetic Stripe. 

4.1.1.3.2 If the effective date of the V PAY Payment Application is encoded in a Chip, the month of that effective date must be the same as the month of the “VALID FROM” date displayed on the V PAY Card, if that V PAY Card bears a “VALID FROM” date. 

4.1.1.3.3 The expiry date contained in a Chip on a V PAY Card must be the same as the expiry date displayed on that V PAY Card. 

4.1.1.3.4 The expiry date of the payment application for services on a V PAY Card must not exceed the expiry date of the V PAY Payment Application on that V PAY Card. 

4.1.1.3.5 For V PAY products approved by Visa on or after 1 January 2016, an Issuer must ensure that the expiration date contained in the Chip, encoded on the Magnetic Stripe and, if applicable, printed on the V PAY Card does not extend beyond the date the product is scheduled to be removed from the list of Visa-approved Chip products. 

4.1.1.3.6 The expiry date displayed on a V PAY Card must not be later than the expiry date of the Public Key of the Issuer, or any other security feature containing an expiry date in the Chip. 

4.1.1.4 Chip Card Technology Requirements

4.1.1.4.1 An Issuer must ensure that the Visa EMV Public Keys are used solely for the V PAY Payment Application.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 89 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.1.1.4.2 Post-Issuance Updates relating to a specific Chip Card containing a V PAY Payment Application must be controlled by the Issuer of that Chip Card.

4.1.1.4.3 The maximum validity period of a V PAY Card is at the discretion of the V PAY Issuer, subject to the expiry date contained in the Chip being the same as the expiry date on the V PAY Card (if applicable) and that held at the Issuer host.

4.1.1.4.4 The expiry date must not be later than the expiry date of the Public Key of the Issuer.

4.1.1.5 Cardholder Verification Method

This section specifies the Cardholder Verification Method requirements for Chip-initiated Transactions, excluding Proximity Payments. Issuers of Proximity Payment Devices must comply with the Cardholder Verification Method requirements as specified in Section 4.1.2.8.

4.1.1.5.1 An Issuer of V PAY Cards must ensure that the Cardholder Verification Method preferences are communicated to the Chip-Reading Device at the Point-of-Transaction.

4.1.1.5.2 The Issuer of a V PAY Card must define a Cardholder Verification Method that includes the following:  Enciphered and/or plaintext PIN verified offline; and  Enciphered PIN verified Online.

4.1.1.5.3 An Issuer may define ”No CVM (Cardholder Verification Method) required” as the last option within the Cardholder Verification Method.

NOTE: Visa recommends that Issuers include “No CVM Required” in order to allow acceptance in low value payment scenarios which, in the future, may not support PIN. For example, parking and toll booths.

4.1.1.5.4 An Issuer must not include ”signature” in the Cardholder Verification Method.

4.1.1.5.5 An Issuer is permitted to personalise individual V PAY Cards with alternative Cardholder Verification Method profiles to accommodate specific user needs.

4.1.1.6 Card Authentication Method

4.1.1.6.1 All existing V PAY Cards upon renewal must support Dynamic Data Authentication (DDA). Combined DDA/Application Cryptogram Generation (CDA) may also be supported at the Issuer’s option.

4.1.1.6.2 All newly issued V PAY Cards and existing V PAY Cards, upon renewal, must not support Static Data Authentication.

4.1.1.6.3 All issued V PAY Cards must not support Static Data Authentication.

4.1.1.6.4 In the event of Offline data authentication failure, the Payment Application must instruct the Point-of- Transaction Terminal to go Online. If the Point-of-Transaction Terminal cannot go Online, the Transaction must be declined.

4.1.1.6.5 An Issuer that issues a V PAY Card that is Online-Only, may choose not to support an Offline Data Authentication method.

4.1.1.6.6 An Issuer of a V PAY Card that does not support an Offline Data Authentication method must ensure that such V PAY Card, as specified in Section 4.1.1.6.5, complies with all of the following:  Is unembossed;  The velocity checking parameters are set to zero; and  Is personalised, as specified in the Visa Smart Debit/Credit Personalisation Assistant Tool, or using another Visa-approved process.

90 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.1.1.6.7 An Issuer of a V PAY Card that is Online Only and that does not support an Offline Data Authentication method must:  Support an authentication method that is Online, as specified in the Visa Integrated Circuit Card Specifications; and  Not, once issued and for the lifetime of that V PAY Card, change the established personalisation parameters for such V PAY Cards.

4.1.1.7 Visa Smart Debit/Credit Personalisation Assistant For all new and/or modified V PAY Card Programs, Issuers must submit to Visa:  A Card profile for validation using the Visa Smart Debit/Credit Personalisation Assistant or Visa approved process; and  A personalised V PAY Card for validation showing that the production V PAY Card matches the Visa Smart Debit/Credit Personalisation Assistant Profile or equivalent profile process submitted to, and approved by, Visa. The personalised V PAY Card may contain either test keys or production keys and may be used for Issuer host certification.

4.1.2 Issuers of Proximity Payment Devices

4.1.2.1 General Requirements

4.1.2.1.1 All Proximity Payment Devices and all personalisation profiles for Proximity Payment Devices must be approved by Visa.

4.1.2.1.2 All Proximity Payment Devices excluding Portable Payment Devices that comply with, at a minimum, the Visa Contactless Payment Specification Version 2.1 must support fast Dynamic Data Authentication (fDDA)1 for Proximity Payments.

4.1.2.1.3 All Portable Payment Devices must support fast Dynamic Data Authentication (fDDA)1 for Proximity Payments.

This does not apply to a Transaction made using a Cloud-Based Payments Mobile Application.

4.1.2.1.4 For Transactions that are not Domestic Transactions, if a Proximity Payment Device is configured to support Chip-initiated Transactions that are not Proximity Payments, then that Proximity Payment Device must also be configured to allow Proximity Payments.

4.1.2.1.5 Issuers must be certified by Visa for the Authorization, Clearing and Settlement of Proximity Payments.

4.1.2.1.6 All newly issued or replacement Proximity Payment Devices: 1  Must support the “qVSDC path” ; and  1  Must not support the “MSD path” . 

4.1.2.2 Compliance with the Visa Contactless Payment Specifications

4.1.2.2.1 All Proximity Payment Devices excluding Portable Payment Devices must comply with, at a minimum, the Visa Contactless Payment Specification Version 2.0.2. 

4.1.2.2.2 All newly issued Proximity Payment Devices excluding Portable Payment Devices that are Prepaid Cards must comply with, at a minimum, the Visa Contactless Payment Specification Version 2.1.1.

4.1.2.2.3 All newly issued or replacement Proximity Payment Devices excluding Portable Payment Devices that are issued within the Territory must comply with, at a minimum, the Visa Contactless Payment Specification Version 2.1.

1. Where the term is set out in the Visa Contactless Payment Specification Version 2.0.2, Version 2.1 and Version 2.1.1.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 91 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.1.2.2.4 All newly issued or replacement Proximity Payment Devices must be personalized with the Form Factor Indicator as set out in the Visa Contactless Payment Specification Version 2.1.

4.1.2.3 Issuers of Proximity Payment Devices that are not standard plastic payment Cards Issuers of Proximity Payment Devices that are not standard plastic payment Cards must ensure that such Proximity Payment Devices:  Comply with the Visa Product Brand Standards; and   Except in the case of Prepaid Cards, be issued against an account that also has a standard plastic payment Card issued. 

4.1.2.4 Issuers of Portable Payment Devices

4.1.2.4.1 Issuers must ensure that the Portable Payment Device complies with the:  Visa Mobile Contactless Payment Specifications (VMCPS); and   Mobile Application enabled for Visa payWave (MAV) - Requirements and Recommendations.

4.1.2.4.2 An Issuer of a Portable Payment Device that offers a Cloud-Based Payments Mobile Application must:  Ensure that the Cloud-Based Payments Mobile Application uses a different Account Number to the Account Number associated with that Portable Payment Device and its corresponding standard plastic payment Card;  Ensure that the Cloud-Based Payments Mobile Application complies with the Visa Cloud-Based Payments Specifications;  Comply with the Visa Cloud-Based Payments Program Minimum Requirements and  Guidelines; and  Ensure that the Portable Payment Device complies with the Visa Cloud-Based Payments Specifications.

4.1.2.4.3 Issuers that use a mobile gateway must ensure that their mobile gateway:  Is provided or approved by Visa;   Complies with the Visa Mobile Gateway Specifications; and   Complies with the Visa Mobile Gateway Logical and Physical Security Requirements. 

4.1.2.4.4 Issuers of Portable Payment Devices that use services of vendors approved by Visa to personalise standard plastic payment Cards must, depending on the services they use, comply with the:  Payment Card Industry (PCI ) Card Production - Physical Security Requirements;   Payment Card Industry (PCI) Card Production - Logical Security Requirements;   Visa Europe Card Vendor Programme Guide;   Global Security Validation Requirements for Over-the-Air Secure Element Personalization  Vendors;   Visa Global Security Requirements for Secure Element Vendors and OTA Service Providers; or   Visa Cloud-Based Payment Platform Security Requirements. 

Issuers of Portable Payment Devices that use services of vendors not approved by Visa to personalise standard plastic payment Cards must comply with the Visa Global Security Requirements for Secure Element Vendors and OTA Service Providers. 

92 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.1.2.4.5 Issuers of Portable Payment Devices must be able to support the following processing services to Cardholders:  Block and unblock Portable Payment Devices, including the Cloud-Based Payments Mobile Application;  Permanently disable Portable Payment Devices, including the Cloud-Based Payments Mobile Application; and  Change or reset the CDCVM.

4.1.2.5 Issuers of V PAY Micro Tags

4.1.2.5.1 Issuers of V PAY Micro Tags must comply with the Visa Micro Tag Member Implementation Guide.

4.1.2.5.2 Issuers of adhesive V PAY Micro Tags must comply with the Visa payWave Adhesive Micro Tag Requirements. 

4.1.2.5.3 Issuers of adhesive V PAY Micro Tags must provide written notification that informs the Cardholder that there is the risk of:  Impairing the functionality of a mobile phone or other device to which an adhesive V PAY Micro Tag is attached; and  Invalidating the manufacturer’s warranty, if applicable, for a mobile phone or other device to which an adhesive V PAY Micro Tag is attached.

4.1.2.6 Personalisation

4.1.2.6.1 All Proximity Payment Devices must be personalised to support, at a minimum, Online Authorization for all Transactions.

4.1.2.6.2 All V PAY Micro Tags must be personalised to support Online Authorization only.

4.1.2.6.3 All Proximity Payment Devices that are Prepaid Cards must be personalised to support Online Authorization only.

This Section 4.1.2.6.3 is optional for Portable Payment Devices that are Prepaid Cards.

4.1.2.6.4 V PAY Micro Tags must not be personalised to be able to perform Manual Cash Disbursements or Quasi-Cash Transactions. 

4.1.2.6.5 All new and replacement Proximity Payment Devices must be personalized such that the Cardholder name is not accessible via the contactless interface of the Chip. 

4.1.2.7 Personalisation of Data Fields Details of data fields are defined in the Visa Contactless Payment Specification and Exhibit 8A.

4.1.2.7.1 If an Issuer personalises the value of the “Card CVM Limit” data field on a Proximity Payment Device, then this data field must be:  Set to be greater than the country-specific Cardholder Verification Limit for the country into which that Proximity Payment Device is issued; and  Capable of being updated by the Issuer.

4.1.2.7.2 If an Issuer personalises the value of the “VLP Single Transaction Limit” data field on a Proximity Payment Device, then this data field must be:  Set to be greater than the country-specific Cardholder Verification Limit for the country into which that Proximity Payment Device is issued; and  Capable of being updated by the Issuer.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 93 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.1.2.7.3 For all new and replacement Proximity Payment Devices, Issuers must personalise the value of the “Application Program Identifier” data field on those devices by defining, at a minimum, the:  “Application Currency Code”; and  “Issuer Country Code”.

4.1.2.7.4 Issuers that personalise the value of the “Application Program Identifier” data field on a Proximity Payment Device with more than the minimum data specified in Section 4.1.2.7.3, must request values to be allocated by Visa, as set out in the Visa Europe Contactless Terminal Requirements and Implementation Guide.

4.1.2.7.5 When both CDCVM and PIN are personalised on a Proximity Payment Device, Issuers must ensure that:  The PIN of the standard plastic payment Card that is linked to the same account of the Portable Payment Device is not synchronised with the PIN and CDCVM of the Portable Payment Device, if the Issuer chooses to synchronise the PIN and CDCVM of the Portable Payment Device; and  The CDCVM of the Portable Payment Device is not synchronised with the PIN of the Portable Payment Device and the PIN of the standard plastic payment Card that is linked to the same account of the Portable Payment Device, if the Issuer chooses to synchronise the PIN of the Portable Payment Device and the PIN of the standard plastic payment Card.

4.1.2.7.6 Portable Payment Devices and Visa Micro Tags must not be personalised to be able to perform Manual Cash Disbursements or Quasi-Cash Transactions. 

4.1.2.8 Cardholder Verification Method

4.1.2.8.1 Issuers of Proximity Payment Devices must ensure that if a Proximity Payment Device is able to be used for Proximity Payments where the Transaction Amount is above the Cardholder Verification Limit, that Proximity Payment Device is configured for Online PIN Verification.

This Section 4.1.2.8.1 is optional for Portable Payment Devices.

4.1.2.8.2 Issuers of Portable Payment Devices must ensure that if a Portable Payment Device is able to be used for a Proximity Payment where the Transaction Amount is above the Cardholder Verification Limit, that Portable Payment Device is configured for CDVCM. 

4.1.2.9 Authorization Responses For Authorization Requests for Proximity Payments, an Issuer must only send an Approval Response or a Decline Response.

4.1.3 Magnetic Stripe Specifications The Magnetic Stripe of a V PAY Card must contain a valid expiry date and a Service Code beginning with “2” or “6” as specified in both:  EMV Integrated Circuit Card Specifications for Payment Systems; and  Visa Integrated Circuit Card Specifications.

Account data should only be encoded on the Magnetic Stripe if any of the following apply:  The Issuer is participating in the Plus Program and the V PAY Card is co-badged with Plus;  The Issuer is permitted by Visa to enable domestic acceptance of V PAY via Magnetic Stripe technology;  The Issuer is permitted by Visa to co-badge V PAY with a domestic debit mark that is not a Visa competitor;  The Issuer is participating in the Visa or Visa Electron Card programs and the V PAY Card is co-badged with the Visa Brand Mark or the Visa Brand Mark with Electron Identifier; or  The Issuer supports another application on the Magnetic Stripe.

94 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.2 TERMINAL REQUIREMENTS

4.2.1 Point-of-Transaction Terminals

4.2.1.1 All Point-of-Transaction Terminals that accept V PAY Cards must meet Visa’s specifications for international interoperability and functionality.

4.2.1.2 All V PAY acceptance devices must:  Comply with the Visa PIN requirements as specified in Section 4.2.2.5.3 and Section 4.2.2.5.4;  Have passed PIN Entry Device (PED) Certification with a Payment Card Industry (PCI) approved laboratory;  Be fully EMV-Compliant; and  Comply with the Transaction Acceptance Device Requirements.

4.2.1.3 All devices that use Chip technology must support Static and Dynamic Data Authentication (DDA) and optionally Combined DDA/AC Generation (CDA). Devices that are Online-Only are optionally exempt from this requirement.

4.2.1.4 All Point-of-Transaction Terminals must accept Proximity Payments and comply with, at a minimum, the Visa Contactless Payment Specification Version 2.1.1 where those terminals are:  Deployed at a new Merchant; or  Deployed as part of a hardware or software upgrade to the payments infrastructure of an existing Merchant.

The requirements in this Section 4.2.1.4 do not apply to the following:  Mobile Acceptance Terminals used by a Merchant that does not trade in a fixed location;  Point-of-Transaction Terminals installed at a Branch;  Automated Fuel Dispensers; and  ATMs.

4.2.1.5 Effective from 31 December 2019, all Point-of-Transaction Terminals must accept Proximity Payments and comply with, at a minimum, the Visa Contactless Payment Specification Version 2.1.1. The requirements in this Section 4.2.1.5 do not apply to the following:  Mobile Acceptance Terminals used by a Merchant that does not trade in a fixed location;  Point-of-Transaction Terminals installed at a Branch;  Automated Fuel Dispensers; and  ATMs.

4.2.1.6 PIN Entry Devices

4.2.1.6.1 For Transactions taking place in either a Face-to-Face Environment or a Semi-Attended Environment, Acquirers must not deploy any new or replacement PIN Entry Devices that do not comply with the requirements set out in the Payment Card Industry (PCI): POS PIN Entry Device Security Requirements version 2.0 or later.

4.2.1.6.2 Effective until 31 December 2017, for Transactions taking place in either a Face-to-Face Environment or a Semi-Attended Environment, an Acquirer may, for maintenance purposes only, replace an existing PIN Entry Device that complies with the requirements set out in the Payment Card Industry (PCI): POS PIN Entry Device Security Requirements version 1.0 or later with an identical PIN Entry Device. This excludes the replacement of all or the majority of such PIN Entry Devices, that do not comply with the Payment Card Industry (PCI): POS PIN Entry Device Security Requirements version 1.0 or later, in a particular Merchant Outlet. Such a replacement is considered to be a new deployment and must comply with Section 4.2.1.6.1.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 95 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.2.1.6.3 Effective from 1 January 2021, all existing PIN Entry Devices that do not comply with the requirements set out in the Payment Card Industry (PCI): POS PIN Entry Device Security Requirements version 2.0 or later must be replaced by PIN Entry Devices that comply with the requirements set out in the Payment Card Industry (PCI): POS PIN Entry Device Security Requirements version 2.0 or later, and are approved for deployment by Visa, if these existing PIN Entry Devices are either:  Deployed in an Unattended Environment; or  Are not covered by Section 4.2.1.6.1 or Section 4.2.1.6.2.

4.2.2 Mobile Acceptance Terminals

4.2.2.1 General Requirements

4.2.2.1.1 Acquirers must ensure that Merchants that deploy Mobile Acceptance Terminals meet the following requirements:  The mobile or portable devices must be used in conjunction with a hardware accessory;  The hardware accessory must: — Be able to capture Cardholder and Card data; — Have an integrated Chip reader that is EMV-compliant; — Support secure PIN entry; and — Comply with the Payment Card Industry (PCI): POS PIN Entry Device Security Requirements Version 2.0 or later, including compliance with the additional Secure Read and Exchange of Data (SRED) module requirements. The SRED module must be enabled for encrypting Cardholder data in point-to-point encryption;  The hardware accessory can optionally support acceptance of Proximity Payments. Support of Proximity Payments acceptance is not permitted on the portable device owned or operated by the Merchant; and  Key entry or electronic capture, by reading the data on a Chip, of account data on the portable device owned or operated by the Merchant is not permitted.

4.2.2.1.2 Acquirers that deploy Mobile Acceptance Terminals must ensure that they or their third party agents comply with the Payment Card Industry Data Security Standard and support point-to-point encryption that complies with the Payment Card Industry (PCI): Point-to-Point Encryption Solution Requirements and Testing Procedures Version 1.1 or later.

4.2.2.2 Testing Requirements

4.2.2.2.1 Prior to an Acquirer deploying a new Mobile Acceptance Terminal, that Acquirer must:  Submit the Acquirer Device Validation Toolkit (ADVT) testing results to Visa including the word 'Mobile' in the test result description, together with the PCI Secure Read and Exchange of Data (SRED) certification details;  For Mobile Acceptance Terminals that support Proximity Payments, submit the Visa payWave Test Tool (VpTT) results to Visa; and  Provide Visa with a terminal that allows Visa to complete testing in a live production environment.

A Mobile Acceptance Terminal implementation is not considered new if a Mobile Acceptance Terminal has been connected to the Visa System by that provider and by that Acquirer.

96 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.2.2.2.2 The requirement in Section 4.2.2.2.1 to test a Mobile Acceptance Terminal in a live production environment does not apply where:  The new Mobile Acceptance Terminal is limited to a Merchant’s own in-store acceptance system; or  An Acquirer adds a hardware device to its existing Mobile Acceptance Terminal implementation which has been already validated by Visa, and the hardware device has been previously tested and validated for the same implementation with a different Acquirer.

4.2.2.3 Identification of Transactions Acquirers must identify Transactions initiated at Mobile Acceptance Devices in both in the Authorization Request and the Clearing Record, except where those terminals are connected to a Merchant’s own in-store acceptance system.

4.2.2.4 General Requirements

4.2.2.4.1 When installing and operating a Chip-Reading Device, which is EMV-Compliant, to accept a Payment Application, the Acquirer must ensure that the Point-of-Transaction Terminal:  Has been approved by EMVCo as being EMV-Compliant;   Has been approved by Visa, or an entity authorised by Visa; and  Has the capability to have its Visa EMV Public Keys replaced in an acceptable method by any date specified by Visa. 

4.2.2.4.2 The V PAY Member or V PAY Member’s agent is subject to the Chip Interoperability Program as specified in Section 9.2.15, where Visa determines, at its discretion that:  The V PAY Member or its agent has a Chip interoperability problem; and   Any plan to address such problem previously agreed between the V PAY Member and Visa is no longer acceptable. 

4.2.2.4.3 Prior to deploying or upgrading a Chip-Reading Device, an Acquirer must test the Chip-Reading Device against the Acquirer Device Validation Toolkit (ADVT). If the Acquirer either fails to undertake such testing, or fails to pass the testing requirements of the ADVT, it may be subject to the Chip Interoperability Compliance Program, as specified in Section 9.2.12.

NOTE: Exceptions are permitted by Visa when compliance is inherently impractical, for example, road tolls, transit applications, situations where a Cardholder would not expect interaction with a device or to enter a PIN.

4.2.2.5 Terminal Logic

4.2.2.5.1 An Acquirer must ensure that all Devices that accept V PAY Cards support variable length Account Numbers up to, and including, 19 digits. 

4.2.2.5.2 An Acquirer must ensure that each Device that is EMV-Compliant:  Does not allow Chip Authorization controls to be by-passed by manual prompts to use Magnetic Stripe data only;  Supports Post-Issuance Application Change commands;  Transmits all Chip data elements that create the EMV-Online Card Authentication Cryptogram;  If capable of performing Transactions Online, performs Terminal Risk Management; 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 97 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

 Supports the terminal action codes and facilitates access to multiple accounts on a Chip  Card; and   Presents options for mutually-supported Payment Applications contained in the Chip either: — To the Chip, in which case the Chip-Reading Device must not discriminate between Payment Applications, except as stipulated by the Chip parameters; or  — Where the Cardholder has the ability to select the Payment Application, to the Cardholder. 

4.2.2.5.3 All Devices that are Online-Capable must support both “Plaintext PIN verified offline” and “Enciphered PIN verified offline”, with the optional exception of Devices that are Online-Only.

4.2.2.5.4 If a Device that is Online-Only and does not support both “Plaintext PIN verified offline” and “Enciphered PIN verified offline”, it must support “Enciphered PIN verified Online”.

4.2.2.6 PIN Pad Requirements A Chip-Reading Device at an Unattended Acceptance Terminal does not have to be capable of accepting PINs if that Chip-Reading Device performs only Transactions classified with MCC 4784 - Toll and Bridge Fees.

4.2.2.7 Acquirer Responsibilities

4.2.2.7.1 All Acquirers must:  Identify Chip-initiated Transactions in the Clearing Record;  Provide the Authorization Response code in the Clearing Records for Chip-initiated Transactions that are offline approved;  Ensure that all Online Chip-Initiated Transaction Authorization Requests include Full-Chip Data; and  Be capable of accepting and processing both VIS and Common Core Definitions-Compliant Chip Cards, as specified in EMV Integrated Circuit Card Specifications for Payment Systems and the Transaction Acceptance Device Requirements.

4.2.2.7.2 An Acquirer must ensure that the Visa EMV Public Keys are replaced by any date specified by  Visa. 

4.2.2.8 Acquirer Liability

4.2.2.8.1 An Acquirer is responsible for the actions of a Chip-Reading Device that provides any information and processing decisions to the Chip that are not in accordance with EMV Integrated Circuit Card Specifications, the V PAY Operating Regulations - Scheme and the Transaction Acceptance Device Requirements.

4.2.2.8.2 An Acquirer is liable for any loss resulting from any of its Merchants' Chip-Reading Devices where any such Chip-Reading Device provides improper processing decisions. 

4.2.2.8.3 The Acquirer is protected from applicable Chargebacks if it submits a valid Cryptogram, even if an Issuer does not process the Full-Chip Data.

4.2.3 Terminals for Proximity Payment Devices

4.2.3.1 General Requirements An Acquirer must ensure that a terminal that accepts Proximity Payments uses the correct POS Entry Mode code, as this code is required to identify that the Transaction is processed as either a:  Chip Transaction; or  Proximity Payment.

98 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.2.3.1.1 Terminals for the acceptance of Proximity Payments must:  Comply with the requirements as specified in Section 4.2.1.4 and Section 4.2.1.5;  Support Online Authorization, with the exception of terminals that accept Proximity Payment Devices only as specified in Section 4.2.3.3;  Be approved by Visa to process Proximity Payments;  Comply with the Visa Europe Contactless Terminal Requirements and Implementation Guide; 1  Not process a Transaction using the “MSD path” ; and  Display the Contactless Symbol, as specified in Visa Product Brand Standards.

4.2.3.1.2 All terminals that accept Proximity Payment Devices must comply with the Visa Europe Contactless Terminal Requirements and Implementation Guide Version 1.3.

4.2.3.1.3 Acquirers that accept Proximity Payments must be capable of processing those Proximity Payments where the Transaction Amount is above the Cardholder Verification Limit.

4.2.3.1.4 Acquirers must be certified by Visa for the Authorization, Clearing and Settlement of Proximity Payments.

4.2.3.2 ATMs that accept Proximity Payment Devices ATMs that accept Proximity Payment Devices must:  Support only Online Authorization; and  Comply with the Visa Contactless Payment Specification Version 2.1.1 or later. 

4.2.3.3 Compliance with the Visa Contactless Payment Specifications

4.2.3.3.1 Any Acquirer that operates in a country where:  No Issuers have issued Proximity Payment Devices and/or no Acquirers have deployed terminals for Proximity Payments; and   It has not itself deployed terminals for Proximity Payment prior to 1 April 2008, must ensure that any terminals for Proximity Payments that it subsequently deploys after 1 April 2008 in that country comply with, at a minimum, the Visa Contactless Payment Specification Version 2.0.2. 

4.2.3.3.2 Any Acquirer that either operates in a country where Issuers have issued Proximity Payment Devices, and/or Acquirers have deployed terminals for Proximity Payments, prior to 1 April 2008, must ensure that all new or replacement terminals for Proximity Payments that it deploys after 1 January 2012 comply with, at a minimum, the Visa Contactless Payment Specification Version 2.0.2. 

4.2.3.3.3 All terminals that accept Proximity Payments must be capable of processing a Transaction using the “qVSDC path”1. 

4.2.3.3.4 Merchants who commence the acceptance of Proximity Payments must deploy terminals for Proximity Payments that comply with either:  At a minimum, the Visa Contactless Payment Specification Version 2.1.1; or   The EMV Contactless Specification for Payment Systems Book C-3.

4.2.3.3.5 All terminals accepting Proximity Payments must comply with either:  At a minimum, the Visa Contactless Payment Specification Version 2.1.1; or   The EMV Contactless Specification for Payment Systems Book C-3.

1. Where the term is set out in the Visa Contactless Payment Specification Version 2.0.2, Version 2.1 and Version 2.1.1.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 99 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.2.3.3.6 Acquirers must identify the form factor in both the Authorization Request and the Clearing Record where the Proximity Payment Device provides a form factor indicator.

4.2.3.4 Configuration of Settings Details of data fields are defined in the Visa Contactless Payment Specification and Exhibit 8A.

4.2.3.4.1 An Acquirer that deploys a terminal that accepts Proximity Payments must be able to update on such a terminal the values of the following data fields:  “Reader Contactless Floor Limit”;  “Reader Contactless Transaction Limit”; and  “Reader CVM Required Limit”.

4.2.3.4.2 All terminals accepting Proximity Payments and that comply with the Visa Contactless Payment Specification Version 2.0.2, must be configured such that the value of the “Reader Contactless Transaction Limit” data field is set to the applicable Cardholder Verification Limit, as set out in Table 6-4.

4.2.3.4.3 All terminals accepting Proximity Payments and that comply with the Visa Contactless Payment Specification Version 2.0.2, must not have the values of the following data fields configured:  “Reader Contactless Floor Limit”; and  “Reader CVM Required Limit”.

4.2.3.4.4 All terminals that accept Proximity Payments and that comply with, at a minimum, the Visa Contactless Payment Specification Version 2.1 or the EMV Contactless Specification for Payment Systems Book C-3 must:  Be configured such that the values of both the “Reader CVM Required Limit” and the “Reader Contactless Floor Limit” data fields are equal, and set to the applicable Cardholder Verification Limit, as set out in Table 6-4; and  Not have the value of the “Reader Contactless Transaction Limit” data field configured.

4.2.3.5 Cardholder Verification Terminals that are capable of processing Proximity Payments where the Transaction Amount is above the Cardholder Verification Limit must only process these payments following successful Cardholder Verification with a valid Cardholder Verification Method as specified in Section 6.13.3.2.2.

4.2.3.6 Authorization Responses For Authorization Requests for Proximity Payments, an Acquirer must process a Pickup Response as a Decline Response.

4.2.4 Truncating Account Numbers All Point-of-Transaction Terminals must truncate the Account Number on the Transaction Receipt as specified in Section 6.5.2.

100 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.2.5 Unattended Acceptance Terminals

4.2.5.1 General Requirements

4.2.5.1.1 The Authorization Response relating to a Transaction conducted at an Unattended Acceptance Terminal is not valid if the Authorization amount is less than the Transaction Amount.

4.2.5.1.2 An Acquirer that installs Unattended Acceptance Terminals must:  Identify each Transaction initiated at an Unattended Acceptance Terminal; and  Ensure that the Unattended Acceptance Terminal: — Does not dispense cash (except when operating as an ATM under ATM rules); and — Displays the Merchant name and customer service telephone number.

4.2.5.1.3 Transactions at an Unattended Acceptance Terminal do not require Cardholder Verification if all of the following are true:  The Unattended Acceptance Terminal performs only Transactions for MCC 4784 (Toll and Bridge Fees);  The Transaction receives Online Authorization; and  The Transaction Amount is €40 or less, or local currency equivalent.

4.2.5.2 Transaction Receipt Requirements

4.2.5.2.1 An Unattended Acceptance Terminal must be capable of providing a Transaction Receipt.

This Section 4.2.5.2.1 does not apply to Unattended Acceptance Terminals performing only Transactions with a Transaction Amount of €20 (or local currency equivalent) or less.

4.2.5.2.2 An Unattended Acceptance Terminal must inform the Cardholder that a Transaction Receipt is available upon request if a receipt is required to be provided but is not provided automatically.

4.2.5.3 Gambling Transaction Requirements

4.2.5.3.1 An Unattended Acceptance Terminal used for Gambling Transactions must display the following information on the introductory screen:  The name of the Merchant;   The Merchant Outlet;   The rules of play;   The pay-out policies; and   The following terms and conditions of the Merchant:  — The refund policy;  — The return policy; and  — The cancellation policy, as appropriate. 

4.2.5.3.2 Prior to initiating a Gambling Transaction, an Unattended Acceptance Terminal must allow the Cardholder to either:  Agree to the terms and conditions appearing on the introductory screen; or   Cancel the Transaction. 

4.2.5.4 Automated Fuel Dispensers

4.2.5.4.1 Effective from 1 May 2017, an Issuer must be certified by Visa to:  Support Partial Authorization at an Automated Fuel Dispenser; and  Receive an Acquirer Confirmation Advice.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 101 V PAY Operating Regulations - Scheme Chapter 4 - Payment Technology

4.2.5.4.2 Effective from 1 May 2017, an Acquirer must ensure that a Merchant that deploys an Automated Fuel Dispenser supports Partial Authorization.

4.2.5.4.3 A Merchant deploying an Automated Fuel Dispenser must estimate the Transaction Amount for Authorization based on:  The Cardholder's pre-selected fuel amount at the Automated Fuel Dispenser; or   The Merchant's maximum dispensable fuel amount at the Automated Fuel Dispenser up to a maximum amount of €150 or local currency equivalent. 

4.2.5.4.4 When the final Transaction Amount for an estimated Transaction at an Automated Fuel Dispenser is known, the Acquirer must:  Send an Acquirer Confirmation Advice; and   Ensure the amount transmitted in the Clearing Record equals the amount transmitted in the Acquirer Confirmation Advice. 

4.2.5.4.5 On receipt of an Acquirer Confirmation Advice, an Issuer must release any associated hold on available funds in its Cardholder's account where the amount held is in excess of the final Transaction Amount specified in that Acquirer Confirmation Advice, as specified in Section 6.8. 

4.2.6 Interoperability and Compliance

4.2.6.1 Chip Interoperability Compliance An Issuer, Acquirer or Acquirer’s agent is subject to the Chip Interoperability Compliance Program as specified in Section 9.2.12 where Visa determines at its discretion that:  The Issuer, Acquirer or its agent has a Chip interoperability problem; and  Any plan to address such problem previously agreed between that Issuer or Acquirer and Visa is no longer acceptable.

102 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Card Design

5.1 INTRODUCTION ...... 105

5.2 GENERAL REQUIREMENTS...... 105 V PAY Brand Mark ...... 105 Card Dimensions ...... 105 V PAY Card Mandatory Features ...... 105 V PAY Card Optional Features ...... 106 Front or Back Features ...... 106 Front Only Features ...... 106 Back Only Features ...... 106

5.3 V PAY MICRO TAG REQUIREMENTS ...... 108

5.4 GENERAL CARD SPECIFICATIONS...... 108 Approval of First Production-Run Sample ...... 108 Colour Images on V PAY Cards ...... 108 Use of Colour Images on V PAY Cards ...... 108 Issuer Responsibilities for V PAY Cards with Colour Images ...... 109 Visa Responsibilities for V PAY Cards with Colour Images ...... 109 Use of Images of Celebrities on V PAY Cards ...... 109

5.5 CARD MANUFACTURE AND DELIVERY...... 109 Card Manufacturer and Third Party Personaliser Certification ...... 109 Issuer Standards ...... 109 Issuer Contract with a Card Manufacturer ...... 109 Issuer Contact with a Fulfilment Vendor ...... 109 Issuer Contract with a Distribution Channel Vendor ...... 110 Shipping Security Requirements ...... 110 Issuer Responsibility ...... 110 Shipping Methods ...... 110 Preparation for Shipment ...... 110 Shipping Procedures ...... 111 Missing or Damaged Shipment ...... 111

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 103 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

Loss or Theft of Cards without Personalisation or Visible Account Numbers ...... 111 Printing and Encoding ...... 112 Receipt and Storage ...... 112 Receipt of V PAY Cards ...... 112 Preparation for Mailing ...... 112 Delivery of V PAY Cards to V PAY Cardholders ...... 113 Issuer Responsibilities ...... 113 Prevention of Theft ...... 113 Security Requirements at Card Distribution Points ...... 113 Card Destruction Security Requirements ...... 113 Returned Cards ...... 113

104 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

5.1 INTRODUCTION If a V PAY Member uses a Licensed Mark, it must comply with the Visa Product Brand Standards. In the event of any inconsistency between the V PAY Operating Regulations - Scheme and the Visa Product Brand Standards, the Visa Product Brand Standards shall prevail.  5.2 GENERAL REQUIREMENTS When issuing a V PAY Card the following requirements must be met:  The V PAY Brand Mark must always appear on the front of a V PAY Card as specified in the Visa Product Brand Standards;  V PAY Cards can be any colour, including gold; and  An Issuer of V PAY Cards must not emboss the full or partial Card Account Number.

5.2.1 V PAY Brand Mark

5.2.1.1 A Member must comply with the Visa Product Brand Standards for the use and application of the V PAY Brand Mark.

5.2.1.2 All V PAY Cards must bear the V PAY Brand Mark.

5.2.2 Card Dimensions The V PAY Card must comply with the following ISO standard Card dimensions:  Width: — Vertical Cards 53.98mm; and — Horizontal Cards 85.60mm.  Height: — Vertical Cards 85.60mm; and — Horizontal Cards 53.98mm.  Thickness: 0.76mm +/- 0.076mm; and  Radius of all corners: 3.175mm +/- 0.125mm.

5.2.3 V PAY Card Mandatory Features The following features are mandatory on a V PAY Card:  V PAY Brand Mark;  EMV-Compliant Chip;  UV Element; and  Magnetic Stripe.

The Issuer responsible for Prepaid Account balances must be identified either on the front or back of the Prepaid Card. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 105 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

All V PAY Card mandatory features must comply with the requirements in Table 5-1. Table 5-1 V PAY Card Mandatory Feature Requirements

Mandatory Feature Requirement

V PAY Brand Mark The V PAY Brand Mark must comply with the following dimensions: • Width: 12mm; • Height: 13mm; and • Maintain 2mm of clear space area on the exposed sides of the Mark. For information on placement of the V PAY Brand Mark, please refer to the Visa Product Brand Standards EMV-Compliant Chip The Chip must be on the front of the V PAY Card. Chip placement (in accordance with ISO standards): • Distance from left edge of V PAY Card to left edge of Chip: 10.25mm; • Distance from top edge of V PAY Card to top edge of Chip: 19.23mm; and • Maximum distance from top edge of V PAY Card to bottom edge of Chip: 28.55mm UV Element The UV Element security feature must be positioned centrally on the V PAY Brand Mark in UV ink visible only under UV light Magnetic Stripe V PAY Cards must always have a Magnetic Stripe

5.2.4 V PAY Card Optional Features The following features may be placed on a V PAY Card at the option of the Issuer. Depending on the feature they may be placed on either the front or back or either side of the V PAY Card.

5.2.4.1 Front or Back Features The following features may appear on either the front of back of a V PAY Card:  Bank registered trade name and/or mark;  Cardholder name;  Cardholder photograph;  Contactless Indicator;  Domestic Debit or SCF Compliant Scheme mark;  Expiry date;  Full or partial Account Number; and  Valid dates and legends.

5.2.4.2 Front Only Features The following features may only appear on the front of a V PAY Card:  The printed BIN may only appear on the front of a V PAY Card; and  Issuers may place a Tactile Brand Mark on a V PAY Card manufactured by an approved vendor, that has been certified by Visa for these purposes, as set out in the Visa Product Brand Standards.

5.2.4.3 Back Only Features The following features may only appear on the back of a V PAY Card:  Customised or Visa standard signature panel;  Plus Symbol; and  Card Verification Value 2 (CVV2).

106 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

If any of these optional features are placed on a V PAY Card they must comply with the following requirements: Table 5-2 V PAY Card Optional Feature Requirements

Optional Feature Requirement (if used)

Printed BIN The first four digits of the BIN must be either pre-printed or applied during the personalisation stage, on the line below the Account Number, using a Visa approved method. Contactless Indicator The Contactless Indicator is a Visa Mark used to denote contactless payment capabilities. The V PAY Card must include Visa approved contactless technology if it features the Contactless Indicator. The Contactless Indicator must be placed on the front or back of the V PAY Card using a minimum height of seven millimetres with a surrounding clear space of two millimetres on all sides for the first two years of implementation. The Contactless Indicator can be displayed in Visa Blue, black or white. Cardholder name Print the Cardholder name (use 9-12pt sans serif style) on the front or back of the V PAY Card in a contrasting colour to the background design. Do not print into the V PAY Brand Mark or its clear space area. Cardholder photograph The Cardholder photograph must be placed on the front or the back of the  V PAY Card. The Cardholder photograph must not be placed over the V PAY Brand Mark or its clear space and must not interfere with the V PAY Card’s functional or security features. Full or partial Account Place the Account Number on the front or back of a V PAY Card. An Issuer must Number print the full or partial Account Number in a contrasting colour to the background design. The full or partial Account Number must not be printed into the V PAY Brand Mark or its clear space area. Valid dates and legends When used, print the legend above, below or beside the expiry date or, to the left of the date and below the Account Number Expiry date Print, in an ISO compliant font, the expiry date on the front or back of the V PAY Card. This date must match the information encoded on the Chip. Bank registered trade name The trade name or mark of the Issuer can appear on the front or the back of the and/or mark V PAY Card. A Sponsored Member Mark if present, may only appear on the front of the V PAY Card. Domestic Debit Scheme The Trade name or mark of the Domestic Debit Scheme may appear on the mark front or back of the V PAY Card. The dimensions of the mark must not be larger than the V PAY Brand Mark, subject to the approval of Visa. Signature panel An Issuer may use a customised or Visa standard signature panel on the back of a V PAY Card. Plus Symbol The Plus Symbol represents a program that allows participants to provide ATM Services. A V PAY Member participating in the Plus Program may use either the Plus Symbol-Contained or the Plus Symbol-Uncontained, as shown in Figure 3-1 and Figure 3-2, on the back of their V PAY Cards. Card Verification Value 2 The Card Verification Value 2 (CVV2) is a three-digit number printed on a  (CVV2) V PAY Card for security purposes. For information on placement of the CVV2, refer to the Visa Product Brand Standards.

NOTE: Refer to the Visa Product Brand Standards for more information regarding V PAY Card requirements.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 107 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

5.3 V PAY MICRO TAG REQUIREMENTS V PAY Micro Tags:  Must comply with the Visa Product Brand Standards; and  Must not bear a Card Verification Value 2 (CVV2). 5.4 GENERAL CARD SPECIFICATIONS

5.4.1 Approval of First Production-Run Sample An Issuer must provide Visa with one sample V PAY Card and obtain approval for each unique V PAY Card design in one of the following ways:  Provide Visa with one first production-run sample V PAY Card prior to issuance; or  Submit a completed Card Design Member Self-Certification Form for the V PAY product.

A V PAY Member that issues V PAY Cards without obtaining approval as specified in this section is subject to the fines and penalties specified in Chapter 9, "Fines and Penalties".

5.4.2 Colour Images on V PAY Cards With the prior approval of Visa, a colour image supplied by the Cardholder (including, but not limited to, a photograph of the Cardholder) may appear on the front of the V PAY Card as part of the base V PAY Card design. All V PAY Cards that bear a colour image supplied by the Cardholder must comply with Section 5.4.2.1 and Section 5.4.2.3.

5.4.2.1 Use of Colour Images on V PAY Cards

5.4.2.1.1 Colour Image Restrictions on V PAY Cards The colour image must not:  Compromise any of the required V PAY Card features, as specified in this chapter and the Visa Product Brand Standards; and  Result in non-acceptance or other problems at the Point-of-Transaction.

5.4.2.1.2 Colour Image Content Restrictions on V PAY Cards The appearance of any of the following on apparel, banners, signs, and so on, in the foreground or background of colour images is prohibited, including but not limited to:  Competitive marks as specified in the V PAY Operating Regulations - Scheme;  Political statements, symbols, organisations or parties;  Religious statements, symbols, organisations or parties;  Materials or political imagery which are offensive to cultural or religious values;  Advertising or promotional material;  Branded products;  Copyright material;  Socially unacceptable groups;  Illegal groups;  Provocative or sexual materials;  Any photograph that may result in non-acceptance or other problems at the  Point-of-Transaction;  Any subject or process that interferes with any required security feature of the  V PAY Card; and  Any olympic marks, logos, designation, or authentication statements.

108 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

5.4.2.2 Issuer Responsibilities for V PAY Cards with Colour Images Issuers are responsible for administering the V PAY Program. The Issuer is liable for any public complaint as a result of a photo/picture appearing on a V PAY Card. If complaints are raised against an Issuer, or a V PAY Card is contested, the Issuer may lose the right to issue V PAY Cards using colour images.

5.4.2.3 Visa Responsibilities for V PAY Cards with Colour Images Visa may require a V PAY Member to replace a V PAY Card containing a colour image that does not comply with the V PAY Operating Regulations - Scheme.

5.4.3 Use of Images of Celebrities on V PAY Cards The use of images of celebrities, famous people, musicians, public figures and athletes are permitted on V PAY Cards with the following conditions:  V PAY Members must provide Visa with evidence of who the celebrity is and that they have the right to use the image on a V PAY Card design;  V PAY Members must indemnify Visa from any loss or damage arising from the use of imagery of celebrities on V PAY Cards;  Imagery of religious or political figures are not permitted on V PAY Cards;  Visa reserves the right to refuse a V PAY Card design if Visa management considers that the imagery of celebrities has a negative impact to the Visa brand; and  Visa reserves the right to request that a V PAY Card design using imagery of celebrities is immediately withdrawn as a result of a public complaint or if Visa considers there to be a negative impact on the V PAY brand. 5.5 CARD MANUFACTURE AND DELIVERY

5.5.1 Card Manufacturer and Third Party Personaliser Certification

5.5.1.1 Issuer Standards

5.5.1.1.1 An Issuer must use an Approved Manufacturer to manufacture or print V PAY Cards. 

5.5.1.1.2 An Issuer that uses a third party to:  Personalise V PAY Cards, must ensure that the third party is a Third Party Personaliser; and   Distribute and/or provide fulfilment services in relation to Cards must ensure that the third party is either a Fulfilment Vendor or a Distribution Channel Vendor. 

NOTE: Visa will, upon Issuer request, supply a list of Approved Manufacturers and Third Party Personalisers.

5.5.1.2 Issuer Contract with a Card Manufacturer An Issuer may contract with an Approved Manufacturer either through another V PAY Member, through a third party or directly with that Approved Manufacturer for the production of V PAY Cards.

5.5.1.3 Issuer Contact with a Fulfilment Vendor An Issuer that contracts with a Fulfilment Vendor must ensure that the Fulfilment Vendor is approved by Visa and complies with both the:  Global Physical Security Validation Requirements for Data Preparation, Encryption Support and Fulfilment Card Vendors; and   Visa Product Brand Standards. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 109 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

5.5.1.4 Issuer Contract with a Distribution Channel Vendor An Issuer that contracts with a Distribution Channel Vendor must:  Ensure that the Distribution Channel Vendor complies with the Global Physical Security Validation Requirements for Data Preparation, Encryption Support and Fulfilment Card  Vendors; and   Register that Distribution Channel Vendor with Visa, as specified in Section 2.1.1.2. 

5.5.2 Shipping Security Requirements

5.5.2.1 Issuer Responsibility An Issuer must ensure adequate security throughout the delivery of V PAY Cards from an Approved Manufacturer or Third Party Personaliser to the Issuer, or from the manufacturer to a Third Party Personaliser. 

5.5.2.2 Shipping Methods An Issuer must transport completed V PAY Cards using any of the following:  Transport vehicle, as described in Section 5.5.2.2.1;  Air freight as described in Section 5.5.2.2.3;  Express courier as described in Section 5.5.2.2.4; or  Any other method with equivalent security and the prior written approval of Visa, as specified in Section 5.5.2.

5.5.2.2.1 A transport vehicle must be supplied and operated by the Issuer and be either:  A vehicle exclusively chartered by the Issuer for the specific shipment, accompanied by appropriate security; or  An armoured car service.

5.5.2.2.2 The transport vehicle chosen by the Issuer pursuant to Section 5.5.2.2.2, must be:  Secure, enclosed, suitable for transporting high-value cargo and equipped with operable  two-way radio or telephone communications;  Under dual control; and  Accompanied by a responsible representative of the manufacturer or the Issuer.

5.5.2.2.3 An air freight shipment of V PAY Cards must be sealed in secure and tamper-evident containers, and wherever possible transported on a non-stop flight between the Approved Manufacturer location and the Issuer location.

5.5.2.2.4 The Issuer may use an overnight or two day express service or courier service to transport V PAY Cards. Shipments of V PAY Cards using a mail service of a courier are limited, per Issuer to:  One shipment per week;  No more than four shipments per month; and  No more than 500 V PAY Cards per shipment.

NOTE: Visa recommends that Issuers avoid shipment on weekends and holidays when excessive storage may be necessary.

5.5.2.3 Preparation for Shipment At least 24 hours before shipment of V PAY Cards from an Approved Manufacturer to an Issuer, the Issuer and the Approved Manufacturer must arrange a method to verify the carrier’s authority to receive the Approved Manufacturer’s shipment. The Issuer must both:  Approve all transportation schedules; and  Ensure that its staff or representative meet the shipment of V PAY Cards at its destination.

110 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

5.5.2.4 Shipping Procedures

5.5.2.4.1 For each shipment of V PAY Cards that an Issuer receives from an Approved Manufacturer, the  Issuer must:  Inspect each unopened container in which the V PAY Cards were transported for damage and to confirm that the containers are still locked and/or sealed;  Provide to the carrier of the V PAY Cards a written receipt reflecting this inspection and keep a copy for the Issuer’s own records; and  For express courier shipments, date and sign the receipt upon receiving the shipment of V PAY Cards.

5.5.2.4.2 When the shipment of V PAY Cards from an Approved Manufacturer to an Issuer is not accompanied by an authorised representative of the Issuer, the:  Approved Manufacturer must advise the Issuer of the time that the shipment will arrive at the Issuer’s location and the method of shipment; and  Issuer’s staff must meet the shipment at its destination.

5.5.2.4.3 If intermediate stops are made on air freight shipments, the Issuer or its designated security representative must:  Ensure that any ground storage is secure and accessible only to personnel that have been authorised by the Issuer to have such access;  Ensure that the V PAY Cards are not unloaded from their sealed containers;  Accompany the V PAY Cards, or ensure that its representative meets the shipment at each intermediate stop; and  Prior to releasing the V PAY Cards to the next carrier for shipment to their final destination, provide a written receipt confirming that the V PAY Cards are not damaged and have remained locked and/or sealed.

5.5.2.5 Missing or Damaged Shipment

5.5.2.5.1 After having received a shipment of V PAY Cards from an Approved Manufacturer, the Issuer must:  Thoroughly check the entire shipment of V PAY Cards to determine if any V PAY Cards are missing; and  If the Issuer suspects that any V PAY Cards are missing, provide additional instructions to the carrier before authorising further movement of the shipment.

5.5.2.5.2 The Issuer must immediately notify the Approved Manufacturer, the carrier, Visa, the appropriate law enforcement agency and its own security personnel if a shipment of V PAY Cards is either:  Not received as scheduled;   Damaged or opened; or   There is evidence that the contents of a sleeve, box or container are missing. 

5.5.3 Loss or Theft of Cards without Personalisation or Visible Account Numbers V PAY Members must notify Visa of the suspected or confirmed loss or theft of any V PAY Card that does not bear encoded data or a visible Account Number. 

Such notification must include the following information, if available:  Issuer name;   Manufacturer name and address (if applicable);   Number of missing V PAY Cards;   Batch number;   Pertinent details regarding loss and ensuing investigation by that Member;   Contact name and telephone number; and   Name and telephone number of the person reporting the loss or theft. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 111 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

5.5.4 Printing and Encoding If an Issuer prints and encodes V PAY Cards itself it must:  Review for accuracy the printing and encoding of all V PAY Cards;   Ensure that the personalisation or printing and encoding of all V PAY Cards: — Comply with the Visa Product Brand Standards; and  — Are completed in an area restricted to people responsible for, or engaged in such printing and encoding operations; and   Create and maintain a secure environment for such printing and encoding operations. 

If an Issuer engages a third party to print and encode V PAY Cards, the Issuer must ensure that the third party both:  Complies with the: — Obligation of the Issuer set out in Section 5.5.4;  — Payment Card Industry (PCI) Card Production – Physical Security Requirements;  — Payment Card Industry (PCI) Card Production – Logical Security Requirements;  — Visa Europe Card Vendor Programme Guide; or  — Global Physical Security Validation Requirements for Data Preparation, Encryption Support and Fulfilment Card Vendors; and   Delivers the complete unembossed or printed, and encoded V PAY Cards in accordance with the Issuer’s instructions. 

An Issuer must immediately notify Visa if its Third Party Personaliser cannot or does not complete its responsibilities for such Issuer.

5.5.5 Receipt and Storage

5.5.5.1 Receipt of V PAY Cards Upon receipt of V PAY Cards from its Third-Party Personaliser or Approved Manufacturer, an  Issuer must:  Authorise at least two employees to take the shipment of the V PAY Cards to a high-security storage area;   Compare the number of V PAY Cards received from the Third-Party Personaliser or Approved Manufacturer with the V PAY Card count on the shipment invoice;   Attempt to resolve any discrepancies. If a discrepancy cannot be resolved, the Issuer must notify Visa of such discrepancy;   Report all lost, stolen, or missing V PAY Cards from the shipment to Visa; and   Store the V PAY Cards in a high-security area or vault with all of the following characteristics: — Secure construction;  — An intrusion alarm system; and  — Dual access limited to individuals meeting comprehensive background investigation. 

5.5.5.2 Preparation for Mailing The Issuer must:  Proof and prepare the V PAY Cards for mailing to Cardholders under dual control in a high security area that is separate from the Issuer’s other operations; and  Prevent unauthorised entry into the area where such proofing and preparation of V PAY Cards takes place.

112 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 5 - Card Design

5.5.6 Delivery of V PAY Cards to V PAY Cardholders

5.5.6.1 Issuer Responsibilities An Issuer must:  Ensure that the Cardholder addresses, including postal codes, are complete and correct;  Maintain the sealed and stamped envelopes that contain the V PAY Cards to be mailed to Cardholders in a vault under dual control until the envelopes are mailed;  Record the exact date, time and place that each V PAY Card is mailed to a Cardholder; and  Report any V PAY Card lost in the mail to Visa, the postal authorities and the appropriate carrier.

5.5.6.2 Prevention of Theft

5.5.6.2.1 The Issuer should ensure that the return address on the envelope containing a V PAY Card that is being mailed to a Cardholder:  Does not identify the Issuer; and  Includes a special post office box number that is changed periodically and serviced only by the Issuer’s authorised staff.

5.5.6.2.2 The Issuer must take every precaution to prevent theft of an envelope containing a V PAY Card being mailed to a Cardholder by using special delivery procedures such as:  Registered mail;  Certified mail;  Cardholder pick-up; and/or  Personal delivery.

5.5.7 Security Requirements at Card Distribution Points All Issuers must meet the security requirements set by Visa specific to the V PAY Card Product for printing, encoding, storing, shipping, distributing and destroying V PAY Cards at Card Distribution Points. 

5.5.8 Card Destruction Security Requirements Issuers must meet the security requirements for the destruction of V PAY Cards as specified in:  Visa Global Physical Security Validation Requirements for Data Preparation, Encryption Support and Fulfillment Card Vendors. 

Issuers must ensure that the security requirements for the destruction of Cards are met by:  Fulfillment Vendors, Distribution Channel Vendors, Card Distribution Points and third party agents that sell Prepaid Cards as specified in the Visa Global Physical Security Validation Requirements for Data Preparation, Encryption Support and Fulfillment Card Vendors; and   Third Party Instant Card Personalizers as specified in the Visa Global Instant Card Personalization Issuance Security Standards. 

5.5.9 Returned Cards If a Card is returned to the Issuer after it has been sent out by that Issuer to a Cardholder, the  Issuer must:  Put such V PAY Cards under dual control; and  Establish controls to ensure their proper destruction.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 113 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Payment Acceptance

6.1 V PAY ACCEPTANCE REQUIREMENTS ...... 120 Display of Marks ...... 120 Promotional Material ...... 120 Honouring Cards ...... 120 Uniform Services ...... 120 Prohibitions ...... 120 Cardholder and Card Verification ...... 120 Identification Verification ...... 120

6.2 MANUAL CASH DISBURSEMENTS ...... 121 Transaction Processing Requirements ...... 121 Uniform Services ...... 121 Floor Limit ...... 121 Transaction Currency ...... 121 Fee Disclosure ...... 121 Prohibition ...... 121 Terminal Capability ...... 121 Uncertain Cardholder Identification ...... 122 Display of Marks ...... 122 Cash Disbursement Fees ...... 122 Proximity Payments ...... 122

6.3 ATM ACQUIRER REQUIREMENTS ...... 122 Certification Requirements ...... 122 Card Acceptance Requirements ...... 122 Non Chip-initiated ATM Authorization Requirements ...... 122 Proximity Payments ...... 122 Transaction Processing Requirements ...... 123 V PAY Brand Mark at ATMs ...... 123 Technology Requirements ...... 123 ATM Authorizations ...... 123 Deferred Clearing Processing ...... 123 ATM Expiry Date Editing ...... 123

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 115 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

Unrecognised Service Code ...... 123 Authorization Routing ...... 123 ATM Transaction Receipt Requirements ...... 124 Minimum Cash Disbursement ...... 124 Currency or Cheque Disbursement ...... 124 Transaction Currency ...... 124 Transaction Surcharge ...... 124 Account Selection ...... 125 Balance Inquiry Service ...... 126 Fraud Management and Reporting ...... 126 ATM Transaction Exceptions ...... 126 Multiple ATM Transactions ...... 126 ATM Card Retention ...... 126

6.4 AUTHORIZATIONS ...... 127 General Requirements ...... 127 Floor Limits ...... 127 Data Quality Requirements ...... 127 Hours of Authorization ...... 127 Authorization Routing ...... 127 Authorization Rejection ...... 128 Authorization Reversals ...... 128 Partial Authorization ...... 128

6.5 TRANSACTION RECEIPT REQUIREMENTS ...... 128 Electronic Commerce Transaction Receipts ...... 128 Truncating Account Numbers ...... 128 Legend Wording ...... 129 Prepaid Transactions ...... 129 Merchant Requirements ...... 129

6.6 TRANSACTION RECEIPT COMPLETION ...... 129 General Transaction Receipt Information Requirements ...... 129 General Requirements ...... 129 Returned Merchandise and Adjustments ...... 129 Proximity Payments ...... 130 Electronically Delivered Transaction Receipts ...... 131

6.7 TRANSACTION RECEIPT PROCESSING ...... 132 Multiple Transaction Receipts and Partial Payments ...... 132 Credit Refunds ...... 132 Restrictions ...... 132 Credit Transaction Receipt ...... 132 Transaction Receipt Reversal or Adjustment ...... 132 Special Credit Refund Requirements for Timeshare Merchants ...... 133 Returned Merchandise and Adjustments ...... 133 Transaction Receipt Delivery to Cardholder ...... 133

116 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

Transaction Receipt Deposit ...... 133 Deposit Restrictions ...... 133 Deposit Location ...... 134 Deposit Time Limits ...... 134 Payments to Merchants ...... 134

6.8 RELEASING HOLD ON FUNDS ...... 134

6.9 DYNAMIC CURRENCY CONVERSION...... 134 Acquirer Compliance ...... 135 Merchant Requirements ...... 136 Transaction Receipts Requirements for Dynamic Currency Conversion ...... 136

6.10 ORIGINAL CREDIT TRANSACTIONS ...... 137 General Requirements ...... 137 Originating Member Requirements ...... 137 Original Credit Transaction Clearing ...... 137 Original Credit Transaction Reversal ...... 138 Recipient Member Requirements ...... 138 Posting Requirements ...... 138 Cardholder Statements ...... 138 Deposit-Only Account Number ...... 139 Original Credit Transaction Dispute Resolution ...... 139 Original Credit Transaction Pre-Settlement Requirements ...... 139 Immediate Payments ...... 139

6.11 ELECTRONIC COMMERCE ...... 139 General Participation Requirements ...... 139 Electronic Commerce Merchant Requirements ...... 140 Electronic Commerce Merchants that Process Electronic Commerce Transactions .140 Merchant Website ...... 140 Acquirer Requirements ...... 141 Websites ...... 141 Authorizations ...... 141 Electronic Commerce Transactions ...... 141 Data Protection Method Requirements ...... 142 Merchant Domicile Requirements ...... 142 Online Gambling Transactions ...... 142 Special Requirements ...... 142 Special Website Requirements ...... 142 Visa Secure Electronic Commerce ...... 143 General Participation Requirements ...... 143 Digital Certificates ...... 143 Chip Card Requirements ...... 143 3-D Secure Issuer Participation Requirements ...... 143 Disclosure of Merchant Outlet Country ...... 145 Electronic Commerce Acquiring Program ...... 145 Obligation to Merchants ...... 145

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 117 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.12 PREPAYMENTS ...... 145 General Requirements ...... 145 Cardholder Consent ...... 146 Cancelling a Prepayment ...... 146 Non-Provision of Goods or Services ...... 146

6.13 SPECIAL MERCHANT PAYMENT ACCEPTANCE SERVICES ...... 146 In-Transit Transaction Requirements ...... 146 Merchant Description ...... 146 Authorization Requests ...... 146 Gambling Transactions ...... 147 Disbursement of Winnings ...... 147 Gambling while In Transit ...... 147 Proximity Payments ...... 147 Cardholder Verification Limits ...... 147 Cardholder Verification ...... 147 Merchant Outlets ...... 147 Account Funding Transactions ...... 148 Quasi-Cash Transactions ...... 148 General ...... 148 Wire Transfer Merchants ...... 148 Proximity Payments ...... 148 Cash-Back Services ...... 148 Split Shipment Transactions ...... 149

6.14 TRANSACTION LIABILITY ...... 149 Liability for Fallback Transactions ...... 149 Card-Present Counterfeit V PAY Card Transactions ...... 149 Card-Present Non-Counterfeit Fraudulent Transactions ...... 150 Chargebacks ...... 150

6.15 VISA ALERTS ...... 150 Participation Requirements ...... 150 Issuer Requirements ...... 150 Alert Requirements ...... 151 Dispute Resolution ...... 151

6.16 VISA DIRECT SERVICE ...... 151

6.17 VISA PREPAID LOAD SERVICE ...... 151

6.18 POINT-OF-TRANSACTION BALANCE RETURN SERVICE ...... 151

6.19 MERCHANT USE OF ACCOUNT INFORMATION...... 152 Merchant Requirements ...... 152 Reusable Redemption Credentials ...... 152

118 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Chapter 6 - Payment Acceptance

6.1 V PAY ACCEPTANCE REQUIREMENTS

6.1.1 Display of Marks A V PAY Member must, and must also ensure that its Merchants must, display the appropriate Visa Mark or Visa Marks to indicate the Cards that it accepts for payment.

6.1.1.1 Promotional Material

6.1.1.1.1 A Merchant must not use promotional materials and/or advertisements that apply the V PAY Mark without the prior written approval of its Acquirer. 

6.1.1.1.2 A Merchant must not:  Indicate or imply that Visa endorses any goods or services offered by that Merchant;   Where it is not a Member, indicate or imply that it is a Member and therefore eligible to provide V PAY Products and Services; or   Use the V PAY Marks for any purpose other than those permitted by Visa. 

6.1.2 Honouring Cards Merchants accepting V PAY must accept all V PAY Cards properly presented for payment. 

Merchants accepting only V PAY Cards are not required to accept other Visa products.

6.1.2.1 Uniform Services

6.1.2.1.1 A Merchant must process Transactions of Cardholders whose V PAY Cards are issued by the V PAY Member that is also the Acquirer of that Merchant in exactly the same manner as it processes Transactions with other Cardholders of V PAY Members. 

6.1.2.1.2 An Acquirer may permit a Merchant to provide Cardholders with a discount, promotional offer, or  in-kind incentive, in relation to a Transaction, that may not be available for other V PAY Cards. 

6.1.3 Prohibitions

A Merchant must not:  Add any surcharges to Transactions, unless local law expressly requires that a Merchant be permitted to impose a surcharge. Any surcharge amount, if allowed, must: — Be included in the Transaction Amount and not collected separately; and  — For Visa Europe Transactions, be clearly communicated to the Cardholder and agreed by that Cardholder, before the Transaction is initiated. For ATM Cash Disbursements see Section 6.3.5.12.  Request or use an Account Number for any purpose other than as payment for goods and services. An exception to this requirement applies:  — For Visa Inc., for participants in the Visa Access Token Program, and  — For Visa, for Merchants who use V PAY account information to grant Cardholders access to goods and/or services purchased in advance, as set out in Section 6.19;   Effective until 14 October 2016, accept a V PAY Card for Mail/Phone Order Transactions.

6.1.4 Cardholder and Card Verification

6.1.4.1 Identification Verification

6.1.4.1.1 A Merchant must validate the Cardholder’s identity and verify the V PAY Card in a Face-to-Face Environment or Semi-Attended Environment.

120 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.1.4.1.2 A Merchant is permitted to accept alternative Cardholder Verification Methods to accommodate special needs, as specified in Section 4.1.1.5.

6.1.4.1.3 The PIN must be processed as specified in the:  PIN Management Requirements Documents;  EMV Integrated Circuit Card Specifications for Payment Systems; and  Visa Integrated Circuit Card Specifications.

6.1.4.1.4 A Merchant must not ask the Cardholder to reveal that Cardholder’s PIN to the Merchant.  6.2 MANUAL CASH DISBURSEMENTS A V PAY Member may make Manual Cash Disbursements to other Issuers’ V PAY Cardholders from all of its Branches in accordance with that Issuer’s cash disbursement policy. 

6.2.1 Transaction Processing Requirements

6.2.1.1 Uniform Services

6.2.1.1.1 An Acquirer must both:  Accept all V PAY Cards properly presented for payment; and  Offer and render services uniformly to all V PAY Cardholders.

6.2.1.1.2 An Acquirer may permit a Merchant to provide Cardholders with a discount, promotional offer, or in- kind incentive, in relation to a Transaction, that may not be available for other V PAY Cards. 

6.2.1.2 Floor Limit Manual Cash Disbursements have a Zero Floor Limit. 

6.2.1.3 Transaction Currency Except in the case of Merchant sales of Foreign Currency, including Travellers Cheques, the Transaction Currency for a Manual Cash Disbursement or ATM Cash Disbursement must be the:  Currency dispensed as a result of that Transaction;   Currency in the Authorization Request; and   Currency presented into Interchange. 

6.2.1.4 Fee Disclosure A Transaction Receipt for a Manual Cash Disbursement must inform the Cardholder that the Issuer may assess a Cash Disbursement fee or set-up charge for the Manual Cash Disbursement. 

6.2.1.5 Prohibition An Acquirer must not add any surcharge to a Manual Cash Disbursement, unless local law expressly requires that a V PAY Member be permitted to impose a surcharge. Any surcharge amount, if allowed, must be included in the Transaction Amount and not collected separately. 

6.2.2 Terminal Capability All devices offering Manual Cash Disbursement to V PAY Cardholders must support “enciphered PIN verified Online”.

All devices offering Manual Cash Disbursement to V PAY Cardholders must not support any of the following Cardholder verification methods:  “No CVM required”;  “Plaintext PIN verified offline”; or  “Enciphered PIN verified offline”.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 121 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.2.3 Uncertain Cardholder Identification If Cardholder identification or the V PAY Card’s validity is uncertain, the manual cash Acquirer must contact the Issuer of the V PAY Card for instructions. If the Issuer instructs the manual cash Acquirer to recover the V PAY Card, the manual cash Acquirer must comply with Section 2.6.

6.2.4 Display of Marks An Acquirer must display the V PAY Mark to indicate that V PAY Cards are accepted for Manual Cash Disbursements. 

6.2.5 Cash Disbursement Fees An Issuer will pay a Cash Disbursement Fee to an Acquirer performing a Cash Disbursement, as specified in Section 10.3.1.4.

6.2.6 Proximity Payments

6.2.6.1 Manual Cash Disbursements using a Proximity Payment Device must:  Be authorized Online; and  Have Cardholder Verification performed successfully using a valid Cardholder Verification Method, as set out in Section 6.13.3.2.2.

6.2.6.2 Manual Cash Disbursements are not permitted on V PAY Micro Tags and Portable Payment Devices. 6.3 ATM ACQUIRER REQUIREMENTS

6.3.1 Certification Requirements Before acting as an ATM Acquirer, an Acquirer must be certified by Visa. 

All Acquirers must be certified by Visa to demonstrate their support of Full Chip Data as specified in the EMV Integrated Circuit Card Terminal Specification for Payment Systems and the V PAY Operating Regulations - Scheme.

An ATM Acquirer accepting Proximity Payment Devices at its ATMs must be certified to process Full- Chip Data. 

6.3.2 Card Acceptance Requirements An ATM displaying the V PAY Brand Mark must accept all valid V PAY Cards.

6.3.3 Non Chip-initiated ATM Authorization Requirements If a Chip Card cannot be read, the ATM may complete the Transaction as a Plus Transaction if Plus data is present on the Magnetic Stripe. If the Magnetic Stripe cannot be read, the Transaction must not be processed.

6.3.4 Proximity Payments

6.3.4.1 An ATM Acquirer must process an ATM Cash Disbursement made using a Proximity Payment Device as an ATM Transaction with the POS Entry Mode code value of "07". 

6.3.4.2 An ATM Acquirer must not allow a PIN change to be initiated by a Proximity Payment Device.

An ATM Acquirer may charge an Issuer a decline fee, as specified in Section 3.10.1.2, where an ATM Cash Disbursement made using a Proximity Payment Device, as specified in Section 6.3.4.1 has been declined because the Issuer has not enabled that Proximity Payment Device for use at ATMs.

122 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.3.5 Transaction Processing Requirements

6.3.5.1 V PAY Brand Mark at ATMs

6.3.5.1.1 All newly-installed ATMs must display the V PAY Brand Mark.

6.3.5.1.2 All ATMs that are EMV-Compliant and display the Visa Brand Mark must also display the V PAY Brand Mark.

6.3.5.2 Technology Requirements

6.3.5.2.1 An ATM Acquirer must ensure that the entire unaltered contents of the Magnetic Stripe Image from the Chip on the V PAY Card is read and transmitted. 

6.3.5.2.2 An ATM Acquirer must ensure that all ATMs displaying the V PAY Brand Mark:  Are EMV-Compliant;  Support “enciphered PIN verified Online”; and  Do not support “signature”, “offline PIN”, or “No CVM (Cardholder Verification Method) required”. 

6.3.5.3 ATM Authorizations An ATM Acquirer must submit Authorization Requests in the Transaction Currency.

6.3.5.4 Deferred Clearing Processing

6.3.5.4.1 An ATM Acquirer must ensure that the information in the Authorization and Clearing messages matches the:  Account Number;   Authorization Code;   Acquirer BIN;   Transaction Amount;   Account selection processing code; and   Merchant Category Code. 

6.3.5.5 ATM Expiry Date Editing

6.3.5.5.1 An ATM Acquirer must not return or decline an ATM Transaction based on the expiry date of the Payment Application. 

6.3.5.5.2 All Authorization Requests originating from a Transaction using an Expired Card must be sent Online to the Issuer.

6.3.5.6 Unrecognised Service Code

6.3.5.6.1 An ATM Acquirer must not decline a V PAY Card encoded with an Unrecognised Service Code.

6.3.5.6.2 An ATM Acquirer must send the Transaction to the Issuer for Online Authorization. 

6.3.5.7 Authorization Routing An ATM Acquirer must:  Use the account range table sent to it by Visa to determine the routing of an Authorization Request;   Install and use the account range table within six business days of its receipt from Visa;  Install and use the Plus account range table within three business days of receipt from  Visa; and   Not distribute the account range table without the prior written consent of Visa.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 123 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.3.5.8 ATM Transaction Receipt Requirements An ATM Acquirer must ensure that its ATMs offer a Transaction Receipt for each ATM Cash Disbursement1. This Transaction Receipt must include all the required information, as specified in Transaction Receipts (Exhibit 7I). 

6.3.5.9 Minimum Cash Disbursement An ATM Acquirer must ensure that its ATMs are able to make Cash Disbursements of at least €150, or local currency equivalent, per day, per Account Number. An ATM Acquirer must allow Cardholders the option to obtain €150, or local currency equivalent, in a single Transaction. 

6.3.5.10 Currency or Cheque Disbursement An ATM Acquirer must ensure that its ATMS dispense the local currency of the country in which the ATM is located or display the currency dispensed, including cheques. 

If an ATM dispenses cheques and charges a fee, the V PAY Member must disclose the fee to the Cardholder.

6.3.5.11 Transaction Currency

6.3.5.11.1 The Transaction Currency for an ATM Cash Disbursement must be the:2  Currency dispensed to the Cardholder;  Currency contained within the Authorization Request; and  Currency presented into Interchange.

6.3.5.11.2 For an ATM Cash Disbursement at an Acquirer’s ATM, if the Dynamic Currency Conversion requirements set out in the V PAY Operating Regulations - Scheme have been met then Dynamic Currency Conversion is permitted so that the currency dispensed to the Cardholder may be different to the currency contained in the Authorization Request and the currency presented into Interchange.

6.3.5.12 Transaction Surcharge

6.3.5.12.1 Effective until 14 April 2016, for ATM Transactions initiated outside the Territory and, effective until 30 June 2016, for ATM Transactions initiated inside the Territory, an ATM Acquirer must submit an ATM Transaction for Clearing for the same value as the cash dispensed to the Cardholder, unless local law expressly requires that an ATM Acquirer be permitted to impose a surcharge. 

Effective from 15 April 2016, for ATM Transactions initiated outside the Territory and, effective from 1 July 2016, for ATM Transactions initiated inside the Territory, an ATM Acquirer must submit an ATM Cash Disbursement for Clearing for the same value as the cash dispensed to the Cardholder, plus any Access Fee added to the Transaction Amount. 

6.3.5.12.2 Effective until 14 April 2016, for ATM Transactions initiated outside the Territory and, effective until 30 June 2016, for ATM Transactions initiated inside the Territory, the ATM Acquirer must not add a surcharge or fee to the Transaction Amount for an ATM Transaction, unless local law expressly requires that an ATM Acquirer be permitted to impose a surcharge. 

Effective from 15 April 2016, for ATM Transactions initiated outside the Territory and, effective from 1 July 2016, for ATM Transactions initiated inside the Territory, an ATM Acquirer may add an Access Fee to the Transaction Amount for an ATM Cash Disbursement, unless local law expressly prohibits an ATM Acquirer from adding a surcharge or fee. 

1. A variance to this requirement applies in Germany. 2. This requirement does not apply to Merchant sales of Foreign Currency, including cheques.

124 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.3.5.12.3 Effective until 30 June 2016, an ATM Acquirer that intends to add an Access Fee to the Transaction Amount for an ATM Cash Disbursement must:  Register with Visa; and  Pay the associated fees to Visa as set out in the Visa Europe Fee Guide.

6.3.5.12.4 Effective from 1 July 2016, Visa reserves the right to require that an ATM Acquirer within the Territory, that adds or intends to add an Access Fee, provides Visa with information, including but not limited to. the following:  Notice of intent to impose an Access Fee;  Details of its ATM estate;  Message display and language disclosure related to Access Fees; and  Any other information required to satisfy regulatory requirements.

6.3.5.12.5 Effective from 15 April 2016, for ATM Transactions initiated outside the Territory and, effective from 1 July 2016, for ATM Transactions initiated inside the Territory, an ATM Acquirer that adds an Access Fee to an ATM Cash Disbursement must:  Inform the Cardholder that an Access Fee will be applied in addition to any charges applied by the Issuer. This disclosure must be in English and the local language equivalent;   Disclose the amount of the Access Fee;   Not misrepresent, either explicitly or implicitly, that the Access Fee is applied by Visa;   Ensure the Access Fee is not greater than the Access Fee applied to other transactions processed through any other network at the same ATM;   Ensure the Access Fee is a fixed and flat amount, that does not vary based on the Transaction Amount;   Obtain Cardholder approval of the Access Fee prior to requesting Authorization; and   Provide the ability for the Cardholder to cancel the ATM Cash Disbursement. 

Effective from 15 April 2016, for ATM Transactions initiated outside the Territory and, effective from 1 July 2016, for ATM Transactions initiated inside the Territory, an ATM Acquirer that adds an Access Fee for an ATM Cash Disbursement must separately identify the amount of the Access Fee in both the Authorization Request and the Clearing Record. 

6.3.5.13 Account Selection

6.3.5.13.1 An ATM Acquirer that provides account selection must transmit the Cardholder "from account" selection, unaltered, in the Authorization Request. An Acquirer must also transmit the same information in the Clearing Record for a Deferred Clearing Transaction. 

6.3.5.13.2 If the ATM does not offer account selection, the ATM Acquirer must transmit the "No account specified" code. 

6.3.5.13.3 To meet the requirements for tier II Interchange, an ATM Acquirer must provide Cardholders with one of two options, as shown in Table 6-1:  Table 6-1 Account Selection Options for Tier II Interchange 

Option Required Account Selection Acquirer Must Send:

"From Account" Selection Offered • Checking account Appropriate "From Account” code • • Credit card account "From Account" Selection Not Offered None "No Account Specified" code.

6.3.5.13.4 An Issuer must not alter the Cardholder account selection when responding to an Authorization Request for an ATM Transaction. The “From Account” code in the Authorization Response must match the code in the Authorization Request unless the code is 00 (No Account Specified). 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 125 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.3.5.13.5 All Issuers must be capable of processing ATM Transactions with the “No account specified” code. 

6.3.6 Balance Inquiry Service For an ATM Acquirer to participate in a Balance Inquiry Service, it must:  Obtain certification from Visa;   Display the balance in the currency of the country in which ATM is located, either on the screen or on a receipt; and   Provide a Balance Inquiry Service as a separate, non-financial transaction. 

If an ATM Acquirer supports balance inquiries for any network other than its proprietary network, it must support a Balance Inquiry Service. A participating ATM Acquirer shall receive a fee for each Balance Inquiry, as specified in Section 10.4. 

6.3.7 Fraud Management and Reporting

6.3.7.1 ATM Transaction Exceptions

6.3.7.1.1 If an ATM has the ability to decline a Cardholder’s request for a Cash Disbursement, the ATM Acquirer may only use this function without an Issuer’s permission under the following circumstances:  After four consecutive invalid PIN entries by the Cardholder;   After four consecutive invalid Transaction attempts by the Cardholder; or   After four consecutive Decline Responses. 

6.3.7.1.2 For a cancelled ATM Transaction, the Acquirer must process a Reversal. The amount of the Reversal must be the same as the original Transaction Amount. 

6.3.7.1.3 An Acquirer must ensure that neither its ATM nor its host systems timeout an ATM Transaction in less than 45 seconds. 

6.3.7.1.4 For a misdispense (that is, where the amount of cash dispensed as a result of an ATM Transaction is different from the amount that the Cardholder has requested), an ATM Acquirer must process an ATM confirmation message for the actual amount dispensed. 

6.3.7.2 Multiple ATM Transactions If an ATM allows Cardholders to perform multiple Transactions in a single session, that ATM must:  If that ATM does not retain the Card, request PIN Verification for each Transaction; and   For Chip-initiated Transactions, excluding Proximity Payments, re-read the Card for each Transaction. 

6.3.7.3 ATM Card Retention

6.3.7.3.1 An ATM Acquirer is not required to ensure that its ATMs have the ability to retain Cards. If it does have this ability, it shall only retain a V PAY Card upon the specific request of the Issuer. If a V PAY Card is retained, the ATM Acquirer must:  Log it under dual custody immediately after removal from the ATM; and   Render it unusable and return it to the Issuer. The Chip must not be damaged.

6.3.7.3.2 An ATM Acquirer that retains a V PAY Card in accordance with this Section 6.3.7.3 may collect a handling fee from the Issuer of that V PAY Card as specified in Section 10.7 and the Visa Europe Fee Guide.

6.3.7.3.3 If a hardware or software failure causes mistaken or accidental V PAY Card retention, the ATM Acquirer must return the V PAY Card to the Cardholder using the following procedures:  The Acquirer reviews positive Cardholder identification; or  If the Cardholder does not request return of the V PAY Card within seven business days, the ATM Acquirer must follow the Card retention rules specified in Section 6.3.7.3.1.

126 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.4 AUTHORIZATIONS

6.4.1 General Requirements An Acquirer must provide Authorization Request and Authorization Response services to its own Merchants, including Authorization for Manual Cash Disbursements at any of that Acquirer’s  Branches.

All V PAY Transactions must be Authorized. Offline Authorization parameters are set at Issuer option.

A Merchant must obtain Authorization for a V PAY Transaction on the Transaction Date except for the following types of Transactions where the Transaction Date and the date of Authorization may differ:  Electronic Commerce Transactions  Effective from 15 October 2016, Mail/Phone Order Transactions; and   In-Transit Transactions. 

6.4.1.1 Floor Limits

6.4.1.1.1 An Acquirer must ensure that its Merchants obtain Online Authorization for Transaction Amounts above the relevant Floor Limit for the Transaction. 

6.4.1.1.2 Offline Authorization is allowed provided that the Transaction Amount does not exceed the Floor Limit.

6.4.1.1.3 Visa shall determine and set maximum Floor Limits for Merchant Outlets. 

6.4.1.1.4 An Acquirer may set floor limits that are higher than the Floor Limits specified by Visa, but does so at its own risk. 

6.4.1.1.5 For countries where the Floor Limit is shown in a currency other than the country’s currency a Transaction is considered to have exceeded the Floor Limit if the local currency equivalent value of the Transaction is greater than the value of the Floor Limit shown. 

6.4.1.1.6 Transactions initiated using a Cloud-Based Payments Mobile Application must be sent for Online Authorization.

6.4.1.2 Data Quality Requirements An Acquirer must ensure that all Authorization Requests contain complete and valid data. 

6.4.1.3 Hours of Authorization An Acquirer must provide Authorization services 24 hours a day, seven days a week using one of the following:  The Acquirer directly;   A Visa Scheme Processor; or   Other means approved by Visa. 

6.4.1.4 Authorization Routing

6.4.1.4.1 If an Acquirer chooses to use the account range table provided by Visa to determine the routing of an Authorization Request, it must use the account range table to validate V PAY Cards and must install and use the table within six business days of its receipt from Visa. 

6.4.1.4.2 An Acquirer must not distribute the account range tables used for Authorization routing without the prior written consent of Visa. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 127 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.4.1.5 Authorization Rejection

6.4.1.5.1 An Acquirer must not selectively reject or decline Authorization Requests based on an internally developed table of BINs or Account Numbers. 

6.4.1.5.2 An Acquirer must not develop tables of BINs or Account Numbers using the Visa Interchange Directory. 

6.4.1.6 Authorization Reversals

6.4.1.6.1 An Acquirer that receives an Authorization Reversal from one of its Merchants must accept that Authorization Reversal and forward it to Visa. 

6.4.1.6.2 An Issuer that receives an Authorization Reversal from an Acquirer must release any applicable hold on funds within one business day from the date that the Reversal is received when such Reversal can be matched to a previous Authorization Request. 

6.4.1.6.3 The Acquirer must process an Authorization Reversal for an Online Financial Transaction if either:  The Acquirer, Merchant or terminal did not receive an Authorization Response; or   The Transaction is subsequently voided or cancelled. 

6.4.1.7 Partial Authorization

6.4.1.7.1 All Issuers and their Processors that participate in Partial Authorization must support both:  Transactions for Partial Authorization; and   Authorization Reversals. 

6.4.1.7.2 A Merchant that is capable of receiving Partial Authorizations must, upon receipt of that Partial Authorization:  Immediately submit an Authorization Reversal if the Cardholder elects not to complete the Transaction; and   Ensure that the Transaction Amount submitted in the Clearing Record is no more than the amount approved in the Partial Authorization. 

6.4.1.7.3 For Visa Transactions, the Merchant must submit a Clearing Transaction up to the amount approved in the Partial Authorization or for an amount of one unit of currency up to a maximum of €55 (or local currency equivalent), whichever is lower.

6.4.1.7.4 If a Merchant has received a Partial Authorization and the Cardholder elects not to complete the Transaction, that Merchant must submit an Authorization Reversal for the full amount of the Partial Authorization.  6.5 TRANSACTION RECEIPT REQUIREMENTS V PAY Members must meet the requirements for each type of Transaction Receipt, including the printing and data requirements, as specified in Transaction Receipts (Exhibit 7I). 

6.5.1 Electronic Commerce Transaction Receipts All the data elements specified in Transaction Receipts (Exhibit 7I) must be included on the Transaction Receipt for an Electronic Commerce Transaction. 

An Electronic Commerce Merchant must not return the full Account Number to the Cardholder either in any online communication or on the Transaction Receipt. 

6.5.2 Truncating Account Numbers All Point-of-Transaction Terminals must truncate all but the last four digits of the Account Number on the Cardholder copy of the Transaction Receipt.

128 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.5.3 Legend Wording The Cardholder copy of a Transaction Receipt must bear the legend “Retain this copy for statement verification” or similar wording. At a minimum, this legend must appear in the language of the Transaction Country. 

6.5.4 Prepaid Transactions

6.5.4.1 Merchant Requirements

6.5.4.1.1 A Merchant, that participates in the Point-of-Transaction Balance Return Service, will only receive the available balance for a Prepaid Card, from the Issuer, in conjunction with a Purchase Transaction.

6.5.4.1.2 A Merchant, that participates in the Point-of-Transaction Balance Return Service, must provide the Cardholder of a Prepaid Card, with their available balance on the Transaction Receipt.

6.5.4.1.3 A Merchant must provide the Cardholder of a Prepaid Card with a Transaction Receipt upon completion of the Load Transaction, confirming the amount that has been added to the Prepaid Card. 6.6 TRANSACTION RECEIPT COMPLETION

6.6.1 General Transaction Receipt Information Requirements

6.6.1.1 General Requirements

6.6.1.1.1 A Merchant must:  Generate a Transaction Receipt electronically;  Include a currency symbol (such as €) or words denoting the Transaction Currency as part of the Transaction Amount; and   Provide the Cardholder with a copy.

6.6.1.1.2 If a Transaction Receipt does not contain a currency symbol or words denoting the Transaction Currency, the local currency of the Transaction Country will be deemed to be the Transaction Currency. 

6.6.1.1.3 A Transaction Receipt must not be generated until the Transaction is complete.

6.6.1.2 Returned Merchandise and Adjustments

6.6.1.2.1 Proper disclosure, as specified in Table 6-2, must be made on all copies of the Transaction Receipt near the space for the Cardholder signature or in an area easily seen by the Cardholder. 

If the disclosure is on the back of the Transaction Receipt or in a separate contract, it must be accompanied by a space for the Cardholder's signature or initials. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 129 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

Table 6-2 Proper Disclosure on Transaction Receipt 

Transaction Receipt Wording Use the Following on Return Policies

“No Refund”, “No Exchanges”, or “All Sales Final” Merchant does not: • Accept merchandise in return or exchange; or • Issue a refund to a Cardholder. “Exchange Only” Merchant only accepts merchandise in exchange for merchandise of equal value to the original Transaction Amount. “In-Store Credit Only” Merchant only accepts merchandise for return and delivers an in-store credit document that both: • Equals the value of the returned merchandise; and • Must be used at the Merchant Outlet.

Subject to applicable law, the Merchant must not include on the Transaction Receipt a statement that waives the Cardholder’s right to dispute the Transaction with the Issuer. 

6.6.1.2.2 Effective from 15 October 2016, a Mail/Phone Order Merchant must provide to the Cardholder written notice of the purchase terms and conditions and cancellation policy by mail, email or text message.

6.6.1.3 Proximity Payments

6.6.1.3.1 A Transaction Receipt for a Proximity Payment must contain the minimum data elements set out in Transaction Receipts (Exhibit 7I).

6.6.1.3.2 A Transaction Receipt for a Proximity Payment must indicate that the Transaction was a Proximity Payment, as specified in the Visa Europe Contactless Terminal Requirements and Implementation Guide.

130 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.6.1.4 Electronically Delivered Transaction Receipts

6.6.1.4.1 General Requirements

6.6.1.4.1.1 As specified in Section 6.7.3.1, the Cardholder’s copy of a Transaction Receipt may be delivered to a Cardholder using electronic means, including but not limited to an e-mail or a Short Message Service (SMS) text message. 

Personal data provided by the Cardholder to enable the V PAY Merchant to deliver a copy of a Transaction Receipt to that Cardholder by electronic means:  Must not be stored or used by the V PAY Merchant for any other purpose without the explicit consent of the Cardholder; and   Must be stored in an environment that is compliant with the Payment Card Industry Data Security Standard.

6.6.1.4.2 Delivery Requirements A V PAY Merchant may provide a Cardholder with a copy of a Transaction Receipt using electronic means, as specified in Section 6.6.1.4.1.1, if all of the following conditions apply:  Local law does not require a copy of the Transaction Receipt to be printed immediately at the Point-of-Transaction;   At the time of purchase, the V PAY Merchant informs the Cardholder: — That the copy of the Transaction Receipt will be delivered using electronic means;  — How to obtain (providing clear instructions) the Transaction Receipt in the event the Cardholder does not receive the Cardholder's copy of the Transaction Receipt;   The Cardholder consents to receive a copy of the Transaction Receipt using electronic means, using the delivery method agreed with the V PAY Merchant;   The copy of or a link to the Transaction Receipt is sent to the Cardholder immediately upon completion of the Transaction. If a link to a website is provided, the V PAY Merchant must: — Provide clear instructions to the Cardholder for accessing the Cardholder's copy of the Transaction Receipt on such a website; and  — Effective from 22 April 2017, ensure the link on the website to access the Transaction Receipt is a direct one.  A V PAY Merchant must make the copy of the Transaction Receipt available to the Cardholder, and have the ability to resend it to the Cardholder, effective from 22 April 2017, for at least 120 calendar days after the date of the Transaction. If a link to a website is provided, the V PAY Merchant must make the Cardholder's copy of the Transaction Receipt available to the Cardholder; and   The Cardholder's copy of the Transaction Receipt must contain the data requirements as specified in Transaction Receipts (Exhibit 7I). 

If the Cardholder does not consent to receive the Cardholder's copy of the Transaction Receipt using electronic means, the V PAY Merchant must be able to provide the Cardholder with a printed copy of the record of the Transaction as follows:   If a Transaction takes place at a Merchant Outlet where there is a fixed Point-of-Transaction Terminal on the premises, the record of the Transaction must be printed, as specified in the data requirements in Exhibit 7I; or  If a Transaction takes place at a Merchant Outlet where there is not a fixed Point-of- Transaction Terminal on the premises, the record of the Transaction may be handwritten or printed, as specified in the data requirements in Transaction Receipts (Exhibit 7I).

6.6.1.4.3 Receipt Requirements

6.6.1.4.3.1 The title of the electronically delivered message, as defined in Section 6.6.1.4.1.1, that is used to send a copy of or a link to the Cardholder's copy of the Transaction Receipt must clearly identify:  The V PAY Merchant name and, if applicable, the name of the agent as it will appear in the Clearing Record and Cardholder billing statements; and 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 131 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

 That the electronically delivered message contains the Cardholder copy of the Transaction Receipt or a link to the Cardholder copy of the Transaction Receipt. 

6.6.1.4.3.2 The Cardholder's copy of the Transaction Receipt that is made available to a Cardholder using electronic means must:  Have the Account Number truncated to only show the last four digits of the  Account Number; and   Contain the data requirements as specified in Transaction Receipts (Exhibit 7I).  6.7 TRANSACTION RECEIPT PROCESSING

6.7.1 Multiple Transaction Receipts and Partial Payments A Merchant must include the total cost of goods and services purchased at the same time on a single Transaction Receipt. A Transaction must not be divided across two or more Transaction Receipts. The only exceptions to this requirement are:  Purchases in separate departments of a multiple-department store;   Individual Airline tickets issued to each passenger if required by airline policy;   Individual Cruise Line tickets issued to each passenger if required by Cruise Line policy; and   A Transaction in which part of the cost is paid with a V PAY Card and the other part is paid with a different V PAY Card or other form or payment. 

6.7.2 Credit Refunds

6.7.2.1 Restrictions A Merchant must provide a credit refund in connection with a Transaction by a Credit Transaction Receipt, not by cash or cheque. The only exceptions are for airlines, if required by law or applicable tariff. 

6.7.2.2 Credit Transaction Receipt

6.7.2.2.1 A Merchant may, at its discretion, prepare a Credit Transaction Receipt when a valid Transaction Receipt was previously processed and the Cardholder either cancelled the Transaction later or returned the goods. 

6.7.2.2.2 If a Merchant prepares a Credit Transaction Receipt, the Merchant must then:  Effective from 14 April 2018, submit an Authorization Request to notify an Issuer that a Credit Transaction is being processed;   Prepare a credit that includes the Credit Transaction Receipt date and identifies the original Transaction;   Deliver a completed Credit Transaction Receipt to the Cardholder; and   Deposit the Credit Transaction Receipt within five calendar days of the date that the Credit Transaction Receipt is issued. 

6.7.2.2.3 Effective from 14 October 2017, an Issuer must be able to receive and respond to an Authorization Request for a Credit Transaction. 

6.7.2.2.4 Effective from 14 October 2017, where an Issuer displays pending Transaction information to its Cardholders, that Issuer must display information for a Credit Transaction in the same manner as a purchase Transaction. 

6.7.2.3 Transaction Receipt Reversal or Adjustment

6.7.2.3.1 If a Merchant processes a Transaction Receipt in error, it must process a Reversal or an Adjustment within 30 calendar days of the Transaction Date. 

132 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.7.2.3.2 A Transaction must be reversed using a Reversal or an Adjustment. 

6.7.2.4 Special Credit Refund Requirements for Timeshare Merchants A Timeshare Merchant must provide a full credit refund to the Cardholder when both the Transaction Receipt was processed and the Cardholder cancelled the Transaction within 14 calendar days of the Transaction Date. 

6.7.2.5 Returned Merchandise and Adjustments For Transactions in a Card-Present Environment, a Merchant may limit its acceptance of returned merchandise or establish a policy to make price adjustments provided that the Merchant makes proper disclosure of its returns policy in accordance with Table 6-2. 

6.7.3 Transaction Receipt Delivery to Cardholder A Merchant must provide a completed copy of the Transaction Receipt to the Cardholder at the time that the purchased goods are delivered or services are performed. 

A Transaction Receipt is not required for the following:  Proximity Payments where the Transaction Amount is below the Cardholder Verification Limit, unless requested by the Cardholder;  Transactions at an Unattended Acceptance Terminal that performs only Telephone Service Transactions; and  Transactions at an Unattended Acceptance Terminal that performs only Transactions with a Transaction Amount of €20 (or local currency equivalent) or less.

6.7.3.1 For a Transaction in the Card-Present Environment, a V PAY Merchant must be able to provide a Cardholder with one of the following:  A paper receipt, produced electronically, manually or handwritten as set out in Transaction Receipts (Exhibit 7I); or   Subject to the conditions in Section 6.6.1.4.2, a Transaction Receipt delivered using electronic means, including but not limited to an e-mail or a Short Message Service (SMS) text message, which may contain either the full required receipt data as set out in Transaction Receipts  (Exhibit 7I) or a URL to a website which contains the full required receipt data. 

6.7.4 Transaction Receipt Deposit

6.7.4.1 Deposit Restrictions

6.7.4.1.1 A Merchant must not deposit Transaction Receipts resulting from any Transaction between a Cardholder and another entity. A Merchant must deposit only Transaction Receipts that directly result from Transactions made by a Cardholder with that Merchant. 

6.7.4.1.2 A Merchant or IPSP must not deposit a Transaction Receipt until the Transaction is completed. A Transaction is deemed completed when any one of the following has occurred:  The goods or services are shipped or provided; or  The purchased service is performed.

6.7.4.1.3 A Merchant may not deposit a Transaction Receipt before shipping or providing the goods or services to the Cardholder. 

6.7.4.1.4 A Merchant with multiple Merchant Outlets must identify the location of the relevant Merchant Outlet on each Transaction Receipt. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 133 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.7.4.2 Deposit Location

6.7.4.2.1 A Merchant, except a military base or an International Airline (or an on-board service provider contracted by that Airline), must deposit all Transaction Receipts in the Transaction Country. 

If an Airline ticket is sold by a travel agency, the Transaction Country is the country in which the travel agency is located. 

6.7.4.2.2 Effective until 21 April 2017, a Cruise Line may make a Deposit, relating to a Transaction carried out on-board, at a port-of-call or at the final destination of the Cruise Line. 

Effective until 21 April 2017, where a Deposit is made at a port-of-call, the Transaction Date is the date of the Deposit. If the Deposit is made at the final destination, the Transaction Date is the date of disembarkation of passengers at the final destination. 

6.7.4.3 Deposit Time Limits A Merchant must deposit all V PAY Transaction Receipts within two business days of the Transaction Date. 

6.7.4.4 Payments to Merchants Each Acquirer must pay or credit its Merchant’s or IPSP’s account promptly after the Deposit. These payments must be the same as the Transaction totals, less any applicable discounts or Credit Transaction Receipt totals.  6.8 RELEASING HOLD ON FUNDS

6.8.1 Effective from 1 May 2017, an Issuer must immediately release any hold on the available funds in its Cardholder’s account as soon as it receives the Acquirer Confirmation Advice.

6.8.2 Effective from 22 April 2017, an Issuer must release any hold on the available funds in its Cardholder's account as follows, whichever is earliest:  Immediately upon receipt of a Clearing Record that matches a previous Authorization Request or Authorization Requests; or   Immediately upon receipt of an Authorization Reversal that contains at least the data elements required to match the Authorization Reversal to a previous Authorization Request or Authorization Requests.  6.9 DYNAMIC CURRENCY CONVERSION Dynamic Currency Conversion (DCC) at ATMs is permitted on V PAY Cards.

Acquirers must be registered and certified by Visa before offering Dynamic Currency Conversion at either the Point-of-Transaction or at ATMs.

Acquirers and their Merchants offering Dynamic Currency Conversion must comply with all the requirements set out in the DCC Acquirer and Merchant Standards Manual, to ensure that Cardholders are given all the relevant information to allow them to make a clear and transparent decision as to whether to accept Dynamic Currency Conversion.

Any Acquirer, who is not already a registered DCC Visa Acquirer, and who offers, or intends to offer, Dynamic Currency Conversion at either Point-of-Transaction or at ATMs to V PAY Cardholders must:  Submit an Acquirer Registration Form and DCC Merchant Registration Form(s) to Visa;  Register any third party named in the Acquirer Registration Form by sending in a Visa Europe Agent Registration and Designation Form available on Visa Online;  Provide details of their ATM estate to Visa;  Pay an annual fee to Visa of: — €46,200 for Dynamic Currency Conversion at Point-of-Transaction; and/or — €46,200 for Dynamic Currency Conversion at ATMs;

134 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

 Effective until 21 April 2017, populate the Dynamic Currency Conversion Indicator for Point- of-Transactions, with the exception of ATM Transactions; and  Effective from 22 April 2017, populate the Dynamic Currency Conversion Indicator for Point- of-Transactions.

Each Dynamic Currency Conversion platform and subsequent additional Dynamic Currency Conversion platforms must be separately registered and certified.

If the Cardholder was not properly offered Dynamic Currency Conversion, or was refused the of paying in the Merchant’s local currency, the Issuer has a chargeback right. The Acquirer can then either represent the chargeback or re-process the Transaction in the Merchant’s local currency.

6.9.1 Acquirer Compliance Failure of an Acquirer to comply with the requirements set out in Section 6.9 may result in a penalty of €28,875 per month per Merchant, following a written warning from Visa.

Failure of an Acquirer to comply with the Dynamic Currency Conversion standards set out in the Section 6.9, where a Merchant is found to be providing Dynamic Currency Conversion incorrectly on Visa Transactions at either the Point-of-Transaction Terminals or ATMs may result in the penalty schedule set out in Table 6-3: Table 6-3 Penalty Schedule for Non-Compliance with Dynamic Currency Conversion Program Requirements for V PAY Transactions

Event Visa Action or Fine

Non-compliance with Dynamic Currency Conversion Letter sent to Acquirer Centre Manager scheme rules identified and communicated to Acquirer. Non-receipt of Acquirer plan for corrective action €11,550 per non-compliant Dynamic Currency within one month of original notification letter. Conversion Merchant per calendar month. Failure to implement corrective action within a €23,100 per non-compliant Dynamic Currency reasonable time frame (agreed between Visa and the Conversion Merchant per month. Acquirer). Continued failure to agree and/or implement Visa may both: corrective actions with a reasonable time frame. • Require the Acquirer to terminate the non- compliant Dynamic Currency Conversion Merchant; and • Prohibit the Acquirer from contracting with any new Dynamic Currency Conversion Merchants.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 135 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.9.2 Merchant Requirements

6.9.2.1 A V PAY Merchant offering Dynamic Currency Conversion (DCC) must:  Not impose Dynamic Currency Conversion as the default option;   Prior to initiating Dynamic Currency Conversion, inform the Cardholder that Dynamic Currency Conversion is optional;   Ensure that the Cardholder consents to Dynamic Currency Conversion for each  Transaction;   Not impose any additional requirements on the Cardholder to have the Transaction processed in the local currency;   Not use any language or procedures that may cause the Cardholder to choose Dynamic Currency Conversion by default;   Not misrepresent, either explicitly or implicitly, that its Dynamic Currency Conversion service is a Visa service; and   Inform the Cardholder prior to obtaining Authorization for the Transaction that Dynamic Currency Conversion is a service provided by either the Merchant or Acquirer.

6.9.2.2 A V PAY Merchant may offer Dynamic Currency Conversion on Proximity Payments where the Transaction Amount is above the Cardholder Verification Limit.

6.9.3 Transaction Receipts Requirements for Dynamic Currency Conversion In both a Card-Present Environment and a Card-Absent Environment, a Transaction Receipt representing Dynamic Currency Conversion must show all of the following separately:  Currency symbol of the local currency of the Merchant Outlet;   Transaction amount of the goods or services purchased in the local currency of the Merchant Outlet;   Exchange rate used to determine the Transaction Amount;   Commission or any fees for currency conversion, if applied separately to the exchange rate;   Total Transaction Amount charged by the Merchant in the Transaction Currency, followed by the words “Transaction Currency”; and   A statement, easily visible to the Cardholder, that specifies the following: — Cardholder has been offered a choice of currencies for payment, including the local currency of the Merchant Outlet; and  — That the currency selected by the Cardholder is the Transaction Currency. 

In addition, the Transaction Receipt must indicate that the Dynamic Currency Conversion is conducted by the Merchant, an Acquirer or third party on behalf of that Merchant or Acquirer, or that the Dynamic Currency Conversion is not associated with or endorsed by Visa. 

Acquirers and Merchants who offer Dynamic Currency Conversion at ATMs or the Point-of- Transaction must provide a clear indication on the Transaction Receipt, separately from all other requirements, that either the Merchant or the Acquirer is providing the Dynamic Currency Conversion service.

Prior to initiating Dynamic Currency Conversion, the Merchant must disclose to the Cardholder all of the Transaction Receipt requirements specified in Section 6.9.3. 

136 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.10 ORIGINAL CREDIT TRANSACTIONS

6.10.1 General Requirements

6.10.1.1 An Original Credit Transaction must involve only a single sender and a single recipient. 

6.10.1.2 An Issuer in a country participating in Original Credit Transaction processing, must accept an Original Credit Transaction unless prohibited by local law. If prohibited by local law, the Issuer must submit a written request to Visa to block incoming Original Credit Transactions. 

6.10.1.3 The requirement in Section 6.10.1.2 does not apply where:  The complete Account Number is not displayed on the Card receiving the Original Credit Transaction; and  The Original Credit Transaction is a transfer between individual Cardholders, and classified with one of the following Merchant Category Codes (MCCs): — 6012 - Financial Institutions - Merchandise and Services; or — 4829 - Wire Transfer - Money Orders.

6.10.1.4 Where an Original Credit Transaction is a transfer between individual Cardholders:  That Transaction must be classified with one of the following Merchant Category Codes (MCCs): — 6012 - Financial Institutions - Merchandise and Services; or — 4829 - Wire Transfer - Money Orders; and  Members must not use Stand-In Processing to process Authorization Requests for that Transaction.

6.10.1.5 An Issuer may:  Initiate an Original Credit Transaction as an Originating Member; and  Receive an Original Credit Transaction as a Recipient Member.

6.10.2 Originating Member Requirements

6.10.2.1 An Originating Member must:  Notify Visa prior to starting to process Original Credit Transactions;  Comply with all requirements notified by Visa and the requirements set out in: — The Payment Card Industry Data Security Standard and applicable laws;  — The Original Credits Member Requirements Manual; and  — The Visa Europe Money Transfer OCT Requirements & Guidelines; and   When sending and managing sender data for an Original Credit Transaction: — Ensure that sender data complies with applicable anti-money laundering regulations and anti-terrorist financing standards; and  — Ensure that proper disclosure complies with local law and is given to the sender regarding the collection of sender data. 

6.10.2.2 Original Credit Transaction Clearing

6.10.2.2.1 Effective until 30 June 2016, an Originating Member must submit the Original Credit Transaction for Clearing within one business day of receiving the Approval Response to the Original Credit Transaction pre-Settlement message, unless a Reversal is sent. 

6.10.2.2.2 Effective from 1 July 2016, an Originating Member must submit the Original Credit Transaction for Clearing within one business day of receiving the Approval Response to the Authorization Request for that Original Credit Transaction, unless a Reversal is sent. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 137 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.10.2.3 Original Credit Transaction Reversal

6.10.2.3.1 A Reversal of an Original Credit Transaction may not be processed if that Transaction is an Online Financial Transaction.

6.10.2.3.2 A Reversal of an Original Credit Transaction is only valid if:  The Cardholder did not complete the Transaction; or   It is due to one of the following processing errors: — Incorrect Account Number;  — Incorrect Transaction Amount;  — Duplicate processing of a Transaction; or  — Incorrect Transaction code for the Clearing Record. 

6.10.2.3.3 An Originating Member must process a Reversal of an Original Credit Transaction within one business day of the Processing Date of that Original Credit Transaction. 

6.10.3 Recipient Member Requirements

6.10.3.1 A Recipient Member must comply with any requirements for the acceptance and processing of Original Credit Transactions that are notified to it by Visa, and the requirements set out in:  The Original Credits Member Requirements Manual; and   The Visa Europe Money Transfer OCT Requirements & Guidelines. 

6.10.3.2 Posting Requirements

6.10.3.2.1 An Issuer that receives an Original Credit Transaction must either:  Post the Original Credit Transaction to the correct Account Number and make the funds available to the Cardholder on the same business day as receiving the Clearing Record relating to that Original Credit Transaction; or  Charge back the Original Credit Transaction to the Originating Member.

A Customer that receives an Original Credit Transaction, which is an International Transaction, must either:  Post that Original Credit Transaction to the Account Number within two business days of receiving the Clearing Record for that Original Credit Transaction; or   Charge back the Original Credit Transaction to the Originating Member. 

6.10.3.2.2 Effective until 17 May 2016, unless prohibited by local law, an Issuer that receives an Authorization Request for an Original Credit Transaction that is identified as relating to an Immediate Payment must post funds equal to the value of that Authorization Request to the Account Number of the receiving Cardholder within 30 minutes of sending an Approval Response.

Effective from 18 May 2016, Issuers will no longer receive Authorization Requests for Original Credit Transactions that relates to Immediate Payments due to the retirement of the Visa Direct Service in Visa.

6.10.3.3 Cardholder Statements An Issuer that receives an Original Credit Transaction:  Must use a clear narrative on Cardholder statements to show the receipt of that payment; and  Must not label that payment as a “refund” on Cardholder statements.

138 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.10.3.4 Deposit-Only Account Number A Recipient Member must:  Notify Visa that a BIN or account range is designated for Deposit-Only Account Numbers;   Ensure that a Deposit-Only Account Number is not used for any purpose other than processing Original Credit Transactions; and   List a compromised Deposit-Only Account Number on an Exception File. 

6.10.3.5 Original Credit Transaction Dispute Resolution All Chargeback reason codes are valid for an Original Credit Transaction if applicable Chargeback conditions are met.

6.10.3.6 Original Credit Transaction Pre-Settlement Requirements

6.10.3.6.1 Effective until 30 June 2016, an Originating Member may choose to send a pre-Settlement message to a Recipient Member stating that an Original Credit will be sent.

6.10.3.6.2 Effective until 30 June 2016, the Originating Member must ensure that the sender data in both the pre-Settlement and Clearing messages is identical. 

6.10.3.6.3 Effective from 1 July 2016, an Originating Member will no longer be able to send a pre-Settlement message to a Recipient Member.

6.10.3.7 Immediate Payments Effective from 18 May 2016, Recipient Members will no longer be able to register with Visa to receive Authorization Requests for Immediate Payments due to the retirement of the Visa Direct Service in Visa. 6.11 ELECTRONIC COMMERCE V PAY Cards may be used for Electronic Commerce Transactions.

6.11.1 General Participation Requirements

6.11.1.1 An Issuer that supports the use of V PAY Cards for Electronic Commerce Transactions must ensure their V PAY Cardholders are provided with all the following information:  Complete personal Account Number (PAN);  Card expiry date; and  Card Verification Value 2 (CVV2).

6.11.1.2 An Issuer must inform its Cardholders in writing about the electronic commerce capability of their V PAY Cards.

NOTE: Visa strongly recommends that an Issuer who supports the use of V PAY Cards for Electronic Commerce Transactions also supports an Authentication Method based on  3–D Secure.

6.11.1.3 An Issuer may limit electronic commerce transactions to those authenticated by an Authentication Method based on 3-D Secure.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 139 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.11.2 Electronic Commerce Merchant Requirements Any Electronic Commerce Merchant who is able to accept and process Transactions on a V PAY Card may display the V PAY Brand Mark as an Acceptance Mark on their website. Such Merchants must accept all valid V PAY Cards.

6.11.2.1 Electronic Commerce Merchants that Process Electronic Commerce Transactions An Acquirer must ensure that its Electronic Commerce Merchants, that perform fewer than one million Electronic Commerce Transactions per year must either:  Use an IPSP that is Payment Card Industry Data Security Standard certified for processing, transmitting and storing account information or Transaction Information; or  Demonstrate that they are Payment Card Industry Data Security Standard compliant and provide evidence of their Payment Card Industry Data Security Standard compliance.

6.11.2.2 Merchant Website

6.11.2.2.1 A Merchant’s website must contain all of the following information:  V PAY Mark in full colour to indicate V PAY Card acceptance;   Complete description of the goods or services offered for sale by that Merchant on  its website;   Return/refund policy (see also Section 6.11.2.2.2);   Customer service contact, including electronic mail address or telephone number;   Address of the Merchant’s Permanent Establishment and, disclosure of the Merchant Outlet country either: — On the same screen view as the payment page used to present the final Transaction Amount; or  — Within the sequence of web pages the Cardholder accesses during the payment  process;   A travel agency acting on behalf of another Merchant must display the location of the travel agency. If an Airline ticket is sold by a travel agency, the Transaction Country is the country in which the travel agency is located.   Transaction Currency;   Export restrictions (if known);   Delivery policy;   The V PAY Merchant's policy on split shipment of goods, as specified in Section 6.13.7;   Consumer data privacy policy; and   Security capabilities and policy for transmission of payment card details. 

6.11.2.2.2 An Electronic Commerce Merchant must:  Include its return/refund policy and other purchase terms and conditions and any applicable cancellation policy on its website;   Have a “click to accept” button, other acknowledgement or checkbox or location for an electronic signature on its website evidencing that the Cardholder has accepted the return/ refund policy; and   Display its purchase terms and conditions and return/refund or cancellation policies to the Cardholder during the order process either: — On the same screen used as the checkout screen indicating the total Transaction  Amount; or  — Within the sequence of web pages accessed by the Cardholder prior to the final  checkout. 

140 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.11.2.2.3 If a Cardholder accesses the website of a High Brand-Risk Merchant or a High Brand-Risk Sponsored Merchant and is then forwarded to the website of the High Brand-Risk Internet Payment Service Provider for payment, the name of the High Brand-Risk Internet Payment Service Provider must appear in the Authorization Request and Clearing Record in conjunction with the name of the High Brand-Risk Merchant or the High Brand-Risk Sponsored Merchant. 

6.11.3 Acquirer Requirements

6.11.3.1 Websites

6.11.3.1.1 An Acquirer must include a term in each of its Merchant Agreements with each of its Electronic Commerce Merchants that provides that the Electronic Commerce Merchant must display the following on its website:  A consumer data privacy policy;   The relevant Merchant’s security capabilities and policy for transmission of payment card details; and  The relevant Merchant’s address of its Permanent Establishment. 

6.11.3.1.2 A Merchant, an Internet Payment Service Provider (IPSP), or a Sponsored Merchant that displays the V PAY Brand Mark on its website must not accept V PAY Cards for the purchase or trade of child abuse imagery or similar goods or services determined by Visa from time to time. Within three calendar days of receipt of notification from Visa, an Acquirer must terminate its agreement with any Merchant, or IPSP, or require an IPSP to terminate its agreement with a Sponsored Merchant, that is in violation of this rule. 

Failure to comply with these obligations may result in fines, as specified in Table 9-18.

6.11.3.1.3 An Acquirer must ensure that its Merchants and Sponsored Merchants have clearly disclosed, during the order process and including on the payment page as set out in Section 6.11.2.2, all of the following to the Cardholder, the: 1  Customer services contact (including telephone number) ;   Terms of conditions of the sale;   Length of the trial period;   Date on which any charges will commence; and   Cancellation policy. 

6.11.4 Authorizations

6.11.4.1 Electronic Commerce Transactions

6.11.4.1.1 An Electronic Commerce Merchant must attempt to obtain the V PAY Card expiry date and forward it as part of the Authorization Request for any Electronic Commerce Transaction. 

An Electronic Commerce Merchant may obtain Authorization for any merchandise to be shipped on any day up to seven calendar days prior to the Transaction Date. For an Electronic Commerce Transaction, the Transaction Date is the date on which the merchandise is shipped. This Authorization is valid for the Transaction Amount if the Transaction Amount is less than 15% higher than the amount for which Authorization was obtained, provided that the additional amount only represents shipping costs and/or applicable taxes. 

6.11.4.1.2 An Electronic Commerce Transaction must be sent Online for Authorization.

6.11.4.1.3 An Electronic Commerce Transaction must be identified in both the Authorization Request and Clearing Record. 

1. If Merchant delivers goods or services internationally, both a local and an internationally accessible telephone number must be included.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 141 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.11.4.2 Data Protection Method Requirements An Acquirer must require its Electronic Commerce Merchants to offer Cardholders a Visa-approved method for protecting personal Cardholder data. 

6.11.5 Merchant Domicile Requirements An Acquirer must only contract with a Merchant Outlet within its Country of Domicile. The country of the Sponsored Merchant, not the country of the IPSP, determines the Acquirer’s jurisdiction.

An Acquirer soliciting Merchant applications through its website must make it clear that the Acquirer can only solicit Merchants domiciled inside the Territory.

6.11.6 Online Gambling Transactions

6.11.6.1 Special Requirements

6.11.6.1.1 An Acquirer must comply with the risk policy for Online Gambling Merchants established by Visa.

6.11.6.1.2 In addition to the requirements specified in Section 6.11.6.1.4, a Transaction completed by a V PAY Member, Merchant, Online Gambling Merchant, IPSP or Sponsored Merchant that processes Online Gambling Transactions, must be identified:  With Merchant Category Code 7995 even when gambling services are not the Merchant's primary business; and   As an Online Gambling Transaction in the Authorization Request and Clearing Record. 

6.11.6.1.3 If a V PAY Member, Merchant, IPSP or Sponsored Merchant is unable to distinguish an Online Gambling Transaction from other Transactions, it must:  Identify all Transactions that it processes as Online Gambling Transactions; and   Inform the Cardholder that its Transactions may be identified on the billing statement as Gambling Transactions. 

6.11.6.1.4 In the case of a Gambling Funds Transfer Transaction, an Acquirer must:  Identify the Transaction as an Online Gambling Transaction; and   Ensure that adequate processes are in place to seek to identify and eliminate attempts by the Gambling Funds Transfer Merchant or the Online Gambling Merchant to circumvent proper identification of the Gambling Funds Transfer Transaction as an Online Gambling  Transaction. 

If Visa determines that an Online Gambling Merchant is facilitating Online Gambling Transactions through Gambling Funds Transfer Transactions, Visa may require the Acquirer of that Online Gambling Merchant to take steps to ensure that the Online Gambling Transaction is identified as an Online Gambling Transaction. 

6.11.6.1.5 An Online Gambling Merchant who carries out Online Gambling Transactions must not deposit a Credit Transaction to disburse winnings to Cardholders, except for an Original Credit Transaction. 

6.11.6.2 Special Website Requirements In addition to the website requirements specified in Section 6.11.2.2, an Acquirer must require an Online Gambling Merchant to provide the following information on its website:  The statement "Internet Gambling may be illegal in the jurisdiction in which you are located; if so, you are not authorised to use your payment card to complete this transaction";   A statement of the Cardholder's responsibility to know the laws concerning online gambling in his or her country of domicile;   A statement prohibiting the participation of minors;   A complete description of all of the following: — Rules of play;  — Cancellation policies; and 

142 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

— Pay-out policies;   A statement recommending that the Cardholder retains a copy of Transaction Records and Merchant policies and rules; and   An Acquirer numeric identifier. 

6.11.7 Visa Secure Electronic Commerce

6.11.7.1 General Participation Requirements

6.11.7.1.1 A V PAY Member that participates in Secure Electronic Commerce Transactions must use  3-D Secure. 

6.11.7.1.2 Unless prior approval has been obtained from Visa, a V PAY Member must not use a Digital Certificate issued in connection with the Visa Enterprise as an Authentication Mechanism for  non-V PAY Products and Services. 

6.11.7.2 Digital Certificates

6.11.7.2.1 A V PAY Member must not use a Digital Certificate issued by Visa as an Authentication Mechanism for a non-Visa Products and Services without the prior approval of Visa. 

6.11.7.2.2 An Acquirer that issues Digital Certificates to its Merchants or Internet Payment Service Providers to enable them to access components of the Visa Enterprise must only use Digital Certificates issued by a Certification Authority. 

6.11.7.3 Chip Card Requirements Chip Cards using Private Keys that are stored on internet-connected servers must meet the risk management and security standards specified in both the:  EMV Integrated Circuit Card Specifications for Payment Systems; and  Visa Integrated Circuit Card Specifications.

6.11.7.4 3-D Secure Issuer Participation Requirements

6.11.7.4.1 Issuer Requirements

6.11.7.4.1.1 An Issuer that participates in Visa Secure Electronic Commerce and supports an Authentication Method for Electronic Commerce Transactions must:  Use an Authentication Mechanism; and  Comply with Visa-established policies, procedures, operating guidelines, and standards specified in the Verified by Visa Issuer Implementation Guide.

6.11.7.4.1.2 During Cardholder enrolment, an Issuer that participates in 3-D Secure must, at a minimum, use a combination of on-Card data and off-Card data for verification and must comply with the Verified by Visa Issuer Implementation Guide and Verified by Visa Issuer Implementation Guide: Activation During Shopping.

6.11.7.4.1.3 An Issuer must comply with the Issuer Authentication standards for Issuers, as specified in the Verified by Visa Issuer Implementation Guide and Verified by Visa Issuer Implementation Guide: Activation During Shopping.

6.11.7.4.1.4 An Issuer that uses 3-D Secure must:  Ensure that its 3-D Secure components have successfully met the requirements of the Visa 3-D Secure Vendor Compliance Testing Program; and   Comply with the Verified by Visa Issuer Implementation Guide. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 143 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.11.7.4.2 3-D Secure Issuer Processing Requirements

6.11.7.4.2.1 An Issuer must include a Cardholder Authentication Verification Value in the following responses to an Authentication Request:  Authentication Confirmation; and   Attempt Response. 

6.11.7.4.2.2 The Cardholder Authentication Verification Value must be validated by the Issuer during Authorization. In the event that the Issuer does not validate the Cardholder Authentication verification Value, the Merchant shall be entitled to treat it as a valid Cardholder Authentication Verification Value. 

6.11.7.4.2.3 An Issuer may only respond to an Authentication Request with an Unable-to-Authenticate  Response if:  Authentication data received from the Merchant does not comply with the 3-D Secure Specification;   The Transaction is attempted with a V PAY Card where the Cardholder is anonymous, such as a prepaid gift card; and   The Transaction is attempted with a Non-Reloadable Card. 

6.11.7.4.2.4 An Issuer must:  Retain a log of all Authentication Requests and Authentication Records;   Provide the log to Visa when required to do so by the Dispute Resolution Rules; and  Submit a copy of all Authentication Records to Visa.

6.11.7.4.3 3-D Secure Acquirer Participation Requirements

6.11.7.4.3.1 An Acquirer must support 3-D Secure for its Electronic Commerce Merchants. 

6.11.7.4.3.2 An Acquirer must inform their Electronic Commerce Merchants of Visa Secure Electronic Commerce.

6.11.7.4.3.3 An Acquirer that participates in 3-D Secure must comply with the Verified by Visa Merchant and Acquirer Implementation Guide.

6.11.7.4.3.4 An Acquirer must comply with the risk management and security standards relating to Chip Cards communicated to the Acquirer by Visa. 

6.11.7.4.3.5 An Acquirer and its Merchant that participate in 3-D Secure must maintain or implement fraud and risk practices in addition to 3-D Secure such as, but not limited to:  Address verification services;  Card Verification Value 2; and  Velocity checks.

6.11.7.4.3.6 An Acquirer that uses a Licensed Mark in its 3-D Secure program must:  Comply with the Visa Product Brand Standards relating to the Licensed Mark;   Ensure that its 3-D Secure components have been acquired from a vendor certified by  Visa; and   Ensure that its Merchant Agreements provides that if the Merchant is using the V PAY Mark then it must: — Use certified and operational 3-D Secure software on their websites; — Comply with the Visa Product Brand Standards relating to the V PAY Mark;  — Not use the V PAY Mark in a way that implies endorsement of any other product or service or third party standards for authentication; and — Not use the V PAY Mark to indicate payment acceptance. 

144 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.11.7.4.3.7 An Acquirer must include provision in its Merchant Agreement with its Electronic Commerce Merchants that require those Electronic Commerce Merchants and their Processors that process Transactions using 3-D Secure to:  Comply with the requirements specified in the Payment Card Industry Data Security Standard, Verified by Visa Issuer Implementation Guide: Activation during Shopping and Merchant Implementation Guide; and   Include the following in an Authorization Request: — For ECI value “5,” the Cardholder Authentication Verification Value; and  — For ECI value “6,” the Cardholder Authentication Verification Value, if the Cardholder Authentication Verification Value was provided by the Issuer. Acquirers must ensure that their Electronic Commerce Merchants comply with the requirements above. 

6.11.8 Disclosure of Merchant Outlet Country An Electronic Commerce Merchant and, effective from 15 October 2016, a Mail/Phone Order Merchant, must disclose the Merchant Outlet country of the Merchant Outlet at the time of presenting payment options to the Cardholder. 

6.11.9 Electronic Commerce Acquiring Program All Acquirers that process Electronic Commerce Transactions must comply with the requirements of a Visa Electronic Commerce Acquiring Program as set out in Section 6.11.9.1.

Failure to comply will incur financial penalties as set out in Section 9.2.16.

6.11.9.1 Obligation to Merchants An Acquirer of Electronic Commerce Merchants must:  Directly notify its Merchants that Visa Secure Electronic Commerce methods are available;  Provide to Merchants, on request, the capability to accept a Visa-Recognised Payment Authentication Method; and  Ensure that all High Brand-Risk Merchants and High Brand-Risk Sponsored Merchants process Electronic Commerce Transactions using a Visa-Recognised Payment Authentication Method. 6.12 PREPAYMENTS

6.12.1 General Requirements

6.12.1.1 A Prepayment must:  Be equal to the total cost of the goods or services if that Prepayment is for the full payment of those goods or services; or   Be less than the cost of the goods or services if that Prepayment is for the partial payment of those goods and services. 

6.12.1.2 The amount of a Prepayment must be off-set against the total cost of the goods or services to be paid by the Cardholder. 

6.12.1.3 A Merchant can accept a single Prepayment that is for the full cost of the goods or services if:  The Transaction is for the purchase of custom-made goods or services; or   In a Face-to-Face Environment, not all of the items purchased in the Transaction are immediately available but will be shipped or provided at a later date. 

6.12.1.4 Any Merchants can accept a Prepayment that is for the partial cost of the goods or services. 

6.12.1.5 Partial and full Prepayments must have a Zero Floor Limit. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 145 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.12.2 Cardholder Consent

When initiating a first or only Prepayment, the Cardholder must consent to, and the Merchant must provide, all of the following in writing to the Cardholder:  Description of the goods or services to be provided;   Terms of the service to be provided;   The date and time the goods or services will be provided to the Cardholder;   Transaction Amount of that Prepayment;   Where the Prepayment is for the partial payment of goods or services, the total purchase price of those goods or services;   Terms of final payment, including the amount and currency;   Cancellation and refund policies, including, but not limited to, the date and time by which the Cardholder can cancel the purchase of the goods or services without forfeiting any payment that has been made; and   Any associated charges. 

6.12.3 Cancelling a Prepayment

6.12.3.1 If a Cardholder cancels the purchase of goods and services that have been subject to a Prepayment and the cancellation is made within the terms of the cancellation policy, the Merchant must provide to the Cardholder both of the following within three business days:  Cancellation or refund confirmation in writing; and   Credit Transaction Receipt for the amount paid by the Cardholder and that was agreed as refundable in the cancellation policy. 

6.12.3.2 If the Cardholder does not pay the balance for or does not cancel the purchase of goods and services that have been subject to a Prepayment within the terms of the cancellation policy, the Merchant may retain the Prepayment(s) only if the Merchant has disclosed in the cancellation policy that the Prepayment is non-refundable. 

6.12.4 Non-Provision of Goods or Services If the Merchant fails to adhere to the terms of the sale or service, the Merchant must refund the sum of any Prepayment(s) paid.  6.13 SPECIAL MERCHANT PAYMENT ACCEPTANCE SERVICES

6.13.1 In-Transit Transaction Requirements

6.13.1.1 Merchant Description The Acquirer must include in the Clearing Record for an In-Transit Transaction a description containing, at a minimum, the following information:  The Merchant's primary place of business or country of incorporation in the Merchant country field;   The Merchant's customer service telephone number and the country in which that Merchant is located in Merchant city field; and   The word “In-Transit” following the Merchant name in the Merchant name field. 

6.13.1.2 Authorization Requests For In-Transit Transactions, a Merchant may submit an Authorization Request either while in transit or at the final destination, provided that the Authorization Request is submitted within 24 hours of the passenger transport vehicle reaching its final destination. If the data required for obtaining Authorization is stored for processing until arrival at the final destination, the Merchant must ensure that such data must be encrypted and kept in a secure location to which access is limited to authorized personnel only. 

146 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.13.2 Gambling Transactions

6.13.2.1 Disbursement of Winnings A Gambling Merchant may only disburse winnings as an Original Credit Transaction and not in the form of cash, cheque or any other payment method. Where an Original Credit Transaction is used to disburse winnings, that Gambling merchant must ensure that:  The Original Credit Transaction is processed to the same Account Number that was used in the Gambling Transaction which placed the winning wager; and   The Gambling Transaction representing the winning wager was lawfully made and properly identified. 

6.13.2.2 Gambling while In Transit A Gambling Merchant must ensure that an In-Transit Transaction that is a Gambling Transaction is processed as a Quasi-Cash Transaction as set out in Section 6.13.5. 

6.13.3 Proximity Payments

6.13.3.1 Cardholder Verification Limits

6.13.3.1.1 The default Cardholder Verification Limit for V PAY Transactions within the Territory is 20 euros. For Proximity Payments that are Country-to-Country Transactions (excluding International Transactions), this limit of 20 euros must be used as a basis to calculate any liability for the Transaction.

6.13.3.1.2 Country-specific Cardholder Verification Limits for V PAY Transactions are set out in Table 6-4: Table 6-4 Country-specific Cardholder Verification Limits for V PAY Transactions

Applicable Limit

Visa 20 EUR Austria 25 EUR Bulgaria 25 BGN Germany 25 EUR Italy 25 EUR Netherlands 25 EUR

6.13.3.1.3 At the discretion of Visa, countries within the Territory may set a country-specific Cardholder Verification Limit for V PAY Transactions that differs from the default Cardholder Verification Limit.

6.13.3.2 Cardholder Verification

6.13.3.2.1 Cardholder Verification is not required for Proximity Payments where the Transaction Amount is equal to or below the Cardholder Verification Limit.

6.13.3.2.2 For Proximity Payments where the Transaction Amount is above the Cardholder Verification Limit, Cardholder Verification must be performed by Online PIN Verification.

6.13.3.2.3 The Cardholder Verification at ATMs enabled for Proximity Payment Devices must be Online PIN Verification.

6.13.3.3 Merchant Outlets All Merchant Outlets that accept Proximity Payments must also accept all other Chip-initiated Transactions.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 147 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.13.4 Account Funding Transactions An Account Funding Transaction must:  Be processed as a purchase Transaction;   Effective from 15 May 2016, not represent a payment to a Merchant or to any entity that, in the opinion of Visa, is operating as a Merchant;  If authorized, identify the Account Funding Transaction in the Authorization and Clearing Record; and  Be cleared for the same Transaction Amount approved in the Authorization. 

6.13.5 Quasi-Cash Transactions

6.13.5.1 General

6.13.5.1.1 All Quasi-Cash Transactions must be:  Processed as a purchase; and   Not processed as a Cash Disbursement. 

These conditions do not apply to the sale of Foreign Currency and Travellers Cheques, which may be processed as Manual Cash Disbursements by Members and by non-Member financial institutions that have the authority to make Manual Cash Disbursements.

6.13.5.1.2 Where a Quasi-Cash Transaction occurs, it must be identified as a Quasi-Cash Transaction in both the Authorization Request and the Clearing Record. 

6.13.5.2 Wire Transfer Merchants If a Wire Transfer Merchant disburses cheques or money orders it must:  Advise the Cardholder that it is the Merchant for the Transaction only and it is not the recipient of the funds represented by the cheque or money order;  Ensure that the cheque or money order is only encashed by the party to whom that cheque or money order has been made payable; and  Disclose any fee to the Cardholder and include it on the Transaction Receipt.

6.13.5.3 Proximity Payments

6.13.5.3.1 Quasi-Cash Transactions using a Proximity Payment Device must:  Be authorized Online; and  Have Cardholder Verification performed successfully using a valid Cardholder Verification Method, as specified in Section 6.13.3.2.2.

6.13.5.3.2 Quasi-Cash Transactions are not permitted on Portable Payment Devices and V PAY Micro Tags.

6.13.6 Cash-Back Services In domestic markets where a Cash-Back service exists, a V PAY Merchant may provide Cash-Back to eligible V PAY Cardholders, the Merchant must:  Provide Cash-Back only in conjunction with a purchase;   Authorize and complete this Transaction as a purchase and uniquely identify the Cash-Back portion of the Transaction Amount; and   Ensure Proximity Payments: — Are authorized Online; and — Have Cardholder Verification performed successfully using a valid Cardholder Verification Method, as specified in Section 6.13.3.2.2.

148 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.13.7 Split Shipment Transactions

6.13.7.1 V PAY Merchant accepting V PAY Cards in a Card-Absent Environment may carry out a Split Shipment Transaction if all of the following apply:  The portion of the Transaction Amount, which relates to merchandise, in an individual Transaction Receipt matches the value of the merchandise that is sent with the associated shipment;   The aggregate of all the Transaction Receipts must not exceed the total Transaction Amount of the Authorization by more than 15 percent;   The following information is the same for the Authorization and each Transaction Receipt: — Account Number;  — Expiration date of the V PAY Card; and  — Merchant Outlet;   The V PAY Merchant has provided proper disclosure, at a minimum on its website's payment page, to inform the Cardholder of its split shipment policy; and   With each shipment of the merchandise to the Cardholder, the V PAY Merchant must communicate to the Cardholder the portion of the overall Transaction Amount that is associated with that individual shipment, and the portion of the overall Transaction Amount and merchandise still to be shipped to the Cardholder. 

6.13.7.2 For a Split Shipment Transaction, an Acquirer must include in each Clearing Record a Multiple Clearing Sequence Number to sequentially identify and link all the Clearing Records associated with the single Authorization. 

6.13.7.3 The following information must be the same in each Clearing Record that is associated with a Split Shipment Transaction:  Account Number;   Expiration date for the Card; and   Merchant Outlet.  6.14 TRANSACTION LIABILITY

6.14.1 Liability for Fallback Transactions Transactions accepted as Fallback Transactions are the liability of the Issuer if the Transaction is Authorized by the Issuer, the appropriate values identifying the Transaction as a Fallback Transaction are included within the related Authorization Request or Authorization Response, and the correct acceptance procedures are followed.

6.14.2 Card-Present Counterfeit V PAY Card Transactions Counterfeit V PAY Card Transactions completed in a Card-Present Environment are the liability of the Acquirer if the Transaction does not take place at an EMV-Compliant device.

Counterfeit V PAY Card Transactions completed in a Card-Present Environment are the liability of the Issuer if both of the following conditions apply:  The Transaction takes place at an EMV-Compliant or EMV PIN-Compliant Device; and  The Transaction is Chip-initiated and is correctly processed to completion in accordance with EMV Integrated Circuit Card Specifications for Payment Systems and the Transaction Acceptance Device Requirements.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 149 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.14.3 Card-Present Non-Counterfeit Fraudulent Transactions Non-Counterfeit fraudulent Transactions completed in a Card-Present Environment are the liability of the Acquirer if all of the following conditions apply:  Transaction takes place at a Point-of-Transaction Terminal that is not EMV PIN-Compliant or EMV-Compliant; and  PIN Verification was not performed.

Non-Counterfeit fraudulent Transactions completed in a Card-Present Environment are the liability of the Issuer if all of the following conditions apply:  The Transaction takes place at an EMV-Compliant or EMV PIN-Compliant Device;  Correct acceptance procedures have been followed including compliance with  Appendix C, "Maximum Authorised Floor Limits"; and  If the Transaction is Chip-initiated and the Transaction is correctly processed to completion in accordance with EMV Integrated Circuit Card Specifications for Payment Systems and the Transaction Acceptance Device Requirements.

6.14.4 Chargebacks An Issuer may charge Transactions back to an Acquirer under certain conditions. Table 8-2 specifies the reasons and time limits for Chargebacks.

Before exercising a Chargeback, the Issuer must attempt to settle the Transaction as specified in Section 8.2.4.1. 6.15 VISA ALERTS

6.15.1 Participation Requirements

6.15.1.1 Issuers wishing to participate in either the Visa Alerts Full Service or the Visa Alerts Data Feed Service must register with Visa.

6.15.2 Issuer Requirements

6.15.2.1 Issuers participating in a Visa Alerts Service must provide Cardholders enrolled in Visa Alerts with a set of terms and conditions including all of the following:  Terms regarding the use of personal data, in compliance with applicable local law, including explicit consents as required;  The cancellation policy for Visa Alerts;  The applicable fees for using Visa Alerts; and  Details of how to unsubscribe from Visa Alerts.

6.15.2.2 Issuers are responsible for setting the Cardholder fees for Visa Alerts.

6.15.2.3 Issuers participating in a Visa Alerts Service must ensure that the Cardholder details communicated to Visa are correct and kept up-to-date. Such information must be communicated through the Cardholder enrolment and update interface of the Visa Alerts Service.

6.15.2.4 Issuers participating in a Visa Alerts Service may only use the Cardholder data collected through the use of that service for purposes other than sending Alerts if explicit consent has been granted by the Cardholder.

150 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.15.3 Alert Requirements

6.15.3.1 Alerts must adhere to the Visa Product Brand Standards.

6.15.3.2 Alerts must not contain either the V PAY Brand Mark or the Visa Brand Mark.

6.15.3.3 Alerts must include all of the following in the body of the Alert:  As required by local law, details of how the Cardholder can unsubscribe from Visa Alerts;  At least one reference to “Visa”; and  At least one of the following data fields: — The last four digits of the Account Number; — Merchant name; — Transaction Amount; — Transaction Currency; — Transaction Date; — Transaction time; or — Balance of the Card account (if provided by the Issuer).

6.15.4 Dispute Resolution Alerts will not be considered as evidence for dispute resolution. 6.16 VISA DIRECT SERVICE Effective from 18 May 2016, the Visa Direct Service is no longer available in Visa. Members should refer to Section 6.10 for all requirements for Original Credit Transactions. 6.17 VISA PREPAID LOAD SERVICE Members that participate in the Visa Prepaid Load Service must comply with the requirements specified in the Visa Europe Prepaid Card Products Member Implementation Guidelines. 

A participating Acquirer must:  Update its Merchant Agreement to include the Visa Prepaid Load Service;   Ensure participating Merchants comply with the requirements specified in the Visa Europe Prepaid Card Products Member Implementation Guidelines;   Ensure the Processing Date is within two calendar days of the Transaction Date of the Transaction processed using the Visa Prepaid Load Service;   Only process Reversals to correct errors at the Point-of-Transaction; and   Not adjust a Transaction processed using the Visa Prepaid Load Service, except for Reversals to correct errors at the Point-of-Transaction.  6.18 POINT-OF-TRANSACTION BALANCE RETURN SERVICE An Acquirer whose Merchant participates in the Point-of-Transaction Balance Return Service must ensure that the Merchant includes the available balance for the Prepaid Card on the Cardholder copy of the Transaction Receipt.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 151 V PAY Operating Regulations - Scheme Chapter 6 - Payment Acceptance

6.19 MERCHANT USE OF ACCOUNT INFORMATION

6.19.1 Merchant Requirements Where a Cardholder is using their Account Number to access previously purchased goods and services, the Merchant must:  Not perform Cardholder Verification at the point of interaction;   Limit its use of Cardholder account information to the generation of secure, irreversible and unique redemption credentials both: — At the time the service is purchased; and  — At the point of access to verify the redemption credentials;   Generate redemption credentials using only: — The Account Number; or  — The Account Number and the Card expiry date;   Not display V PAY branding at the point of interaction unless that point of interaction is also a Point-of-Transaction; and   Ensure the Card used for redemption is linked to the same Account Number used for the Transaction to purchase the goods and/or services. 

6.19.2 Reusable Redemption Credentials Where a Cardholder is using their Account Number to access previously purchased goods and/or services more than once, using the same redemption credentials each time, the Merchant must:  Permit the transfer of a Card’s purchase record to another Card for a legitimate reason, for example being lost or stolen; and  Submit an Account Verification of the Card the purchase record is being transferred to, whenever a Card’s purchase record is transferred to another Card.

152 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Payment Processing

7.1 BIN PROCESSING ...... 155

7.2 AUTHORIZATION, CLEARING AND SETTLEMENT ...... 155 Use of Transaction Identifier ...... 155 Authorizations ...... 155 Reporting Requirements ...... 155 Partial Authorization ...... 155 Responsibility for Losses ...... 155 Currency Conversion ...... 156 Online Financial Transactions ...... 156

7.3 PAYMENT SERVICE STANDARDS ...... 156 Authorization Requirements ...... 156 Hours of Authorization ...... 156 V PAY Member Performance Standards ...... 156 Chip Card Authorization Requirements ...... 156 Assured Transaction Response Standards ...... 156 Credit Transaction Posting Time Frame ...... 156 Issuer Liability for V PAY Transactions ...... 157 Clearing and Settlement Requirements ...... 157 Reimbursement for Interchange Transactions ...... 157 Billing Currency ...... 157 Transaction Processing Requirements ...... 157 Data Quality Requirements ...... 157 Transaction Currency ...... 157 Prepaid Card Transaction Requirements ...... 157 Clearing Requirements ...... 157 Original Transaction Receipts with Invalid Account Numbers ...... 157 Transaction Receipt Processing Time Limits for V PAY Transactions ...... 158 Processing Time Limits for Proximity Payments ...... 158 Airline Transaction Record Requirements ...... 158

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 153 V PAY Operating Regulations - Scheme Chapter 7 - Payment Processing

7.4 SATISFYING PAYMENT OBLIGATIONS FOR SETTLEMENT SERVICES ...... 158 V PAY Member Settlement Bank ...... 158 Visa Settlement Bank ...... 158 Financial and Collateral Obligations ...... 158 Offset of Settlement and other Obligations ...... 158 General Clearing Requirements ...... 158 Notification and Correction of Duplicate Data and Erroneous Data ...... 159 V PAY Member Reversal of Duplicate Data ...... 159 V PAY Member Reversal or Adjustment of Credit Transactions ...... 159 Settlement ...... 159 Settlement Currency Requirements ...... 159 Settlement Bank Requirements ...... 159 Funds Transfer Requirements ...... 160 Funds Transfer Procedures ...... 161 Reporting ...... 161 Late Settlement Fees ...... 161

154 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 7 - Payment Processing

7.1 BIN PROCESSING Each V PAY Member must be, and must ensure that its Visa Scheme Processors are capable of accepting any V PAY BIN and performing the associated processing for that BIN for any purpose set out in the Member’s or the Visa Scheme Processor’s BIN Licensing Agreement Form (Exhibit 4A).  7.2 AUTHORIZATION, CLEARING AND SETTLEMENT

7.2.1 Use of Transaction Identifier

7.2.1.1 V PAY Members and Processors must receive the Transaction Identifier in the Authorization Request or Authorization Response message.

7.2.1.2 V PAY Members and Processors must, if a Transaction Identifier is present in the Authorization Request, include that Transaction Identifier in any related Transaction.

7.2.1.3 If a Transaction is completed Offline, a Transaction Identifier must be assigned during Clearing, and  V PAY Members and Processors must use that Transaction Identifier in any related Transaction.

7.2.2 Authorizations

7.2.2.1 Reporting Requirements

7.2.2.1.1 Members who process Transactions must submit to Visa a daily transmission file detailing those Transactions, including Authorization Responses that are Approval Responses or Decline Responses.

7.2.2.1.2 Members must not report transactions where a Cardholder has chosen to use a payment brand or application that is not part of the Visa scheme and is therefore not subject to the requirements of the  V PAY Operating Regulations - Scheme.

7.2.2.1.3 Issuers must report a Chargeback within 15 calendar days of that Chargeback being raised.

7.2.2.1.4 Acquirers must report a Representment within 15 calendar days of that Representment being raised.

7.2.2.2 Partial Authorization

7.2.2.2.1 An Acquirer that offers the receipt Partial Authorization to its Merchants must:  Identify the Partial Authorization in the Authorization Request for all Transactions;   Upon receipt of a Partial Authorization, immediately submit an Authorization Reversal if the Cardholder elects not to complete the Transaction; and   After receiving a Partial Authorization, ensure that the Transaction Amount submitted in the Clearing Record is for no more than the amount approved in the Partial Authorization. 

7.2.2.2.2 An Acquirer must ensure that their Merchants that deploy Automated Fuel Dispensers are capable of receiving Partial Authorization for Transactions conducted at those Automated Fuel Dispensers.

7.2.2.3 Responsibility for Losses An Acquirer is liable for losses suffered by an Issuer on a Transaction if the Acquirer or its Merchant does any of the following:  Ignores a Decline Response and grants an Authorization; or  Fails to obtain Authorization for Transactions above the Floor Limit.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 155 V PAY Operating Regulations - Scheme Chapter 7 - Payment Processing

7.2.2.4 Currency Conversion

7.2.2.4.1 Visa applies the Currency Conversion Rate to Transaction Receipts, Credit Transaction Receipts, Cash Disbursements and Reversals. The Currency Conversion Rate for Transactions shall be either the:  Wholesale market rate; or  Government-mandated rate, in effect one day prior to the Processing Date, plus or minus a percentage determined by, and passed on to, the Issuer.

7.2.2.4.2 The Currency Conversion Rate of zero per cent applies to Visa Europe Transactions.

7.2.2.5 Online Financial Transactions When an Authorization Request for an Online Financial Transaction using a V PAY Card originates at an ATM or a Point-of-Transaction Terminal, the Acquirer must ensure that the Authorization Request includes both the:  Entire unaltered contents of the Magnetic Stripe Image in the Full-Chip; and   Final Transaction Amount.  7.3 PAYMENT SERVICE STANDARDS

7.3.1 Authorization Requirements

7.3.1.1 Hours of Authorization A V PAY Member must provide Authorization services 24 hours a day, seven days a week, using one of the following:  The Acquirer directly;   Another Visa Scheme Processor; or   Other means approved by Visa. 

7.3.2 V PAY Member Performance Standards

7.3.2.1 Chip Card Authorization Requirements

7.3.2.1.1 For an Authorization of a Transaction processed below the Floor Limit, an Issuer must ensure that the controls contained in each Chip are capable of:  Instructing the terminal to go Online; or   Approving the Transaction Offline. 

7.3.2.1.2 When Offline Authorization controls are defined in the Chip and upper limits for consecutive offline Transactions is specified, Transactions must go Online if the applicable upper limit is exceeded. If the terminal is unable to go Online, the Transaction must be declined. 

7.3.2.1.3 The Issuer must:  Meet the assured Transaction response standards; and  Participate in a Card Verification Service. 

7.3.2.1.4 An Issuer must not send a Referral Response to any V PAY Transaction Authorization Request.

7.3.2.2 Assured Transaction Response Standards The maximum time limit an Issuer must respond to an Authorization Request within is five seconds.

7.3.2.3 Credit Transaction Posting Time Frame An Issuer must post a Credit Transaction to a Cardholder’s account within five calendar days from the Settlement Date.

156 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 7 - Payment Processing

7.3.3 Issuer Liability for V PAY Transactions An Issuer is responsible and liable for the parameter values and processing options contained in the Chip.

An Issuer is liable for all Transactions completed outside the Territory, with a Card that bears the V PAY Brand Mark and is processed in accordance with the V PAY Operating Regulations - Scheme.

7.3.4 Clearing and Settlement Requirements

7.3.4.1 Reimbursement for Interchange Transactions Each Issuer must pay the Acquirer the amount due for Transactions occurring with the use of a valid V PAY Card. 

7.3.4.2 Billing Currency

7.3.4.2.1 An Issuer shall receive Interchange in its Billing Currency. If the Issuer uses more than one Billing Currency, it must have a separate BIN for each. 

7.3.4.2.2 An Issuer must ensure that the denominated currency of the BIN, on which the Card is issued, is the same as the Billing Currency as specified in Section 1.5.2.1.7.

7.3.5 Transaction Processing Requirements

7.3.5.1 Data Quality Requirements An Acquirer must ensure that all Authorization Requests contain complete and valid data. 

7.3.5.2 Transaction Currency An Acquirer must enter all original Presentments into Interchange in the exact amount of Transaction Currency authorised by the Cardholder. 

7.3.5.3 Prepaid Card Transaction Requirements A Transaction for the purchase of a Prepaid Card at an Unattended Acceptance Terminal must:  Have a Zero Floor Limit;   Be processed as a retail purchase; and   Include the Prepaid Card indicator that is present in the Authorization Request in the Clearing Record. 

7.3.6 Clearing Requirements

7.3.6.1 Original Transaction Receipts with Invalid Account Numbers

7.3.6.1.1 If it appears that the Transaction Receipt resulted from the use of a Counterfeit V PAY Card, the Acquirer must comply with Section 2.3.

7.3.6.1.2 If the Acquirer can identify the Issuer, the Issuer is liable.

7.3.6.1.3 If a Cardholder does not recognise a Transaction, the Acquirer should provide the Issuer with additional information beyond the data required in the Clearing Record to determine Transaction validity.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 157 V PAY Operating Regulations - Scheme Chapter 7 - Payment Processing

7.3.6.2 Transaction Receipt Processing Time Limits for V PAY Transactions The Processing Date and Transaction Date are each counted as one day. 

An Acquirer must ensure that the Processing Date in the Clearing Record for Transactions that are entered into Interchange is as follows:  For Transactions processed using the Visa Prepaid Load Service, no later than two calendar days from the Transaction Date;   For ATM Transactions using a V PAY Card, no later than five calendar days from the Transaction Date; and   For all other Transactions using a V PAY Card, no later than three calendar days from the Transaction Date, excluding Local Non-Processing Days, and the same date on which the Acquirer transmits its outgoing Interchange.

7.3.6.3 Processing Time Limits for Proximity Payments The Processing Date for Proximity Payments must not be more than two calendar days from the Transaction Date.

7.3.6.4 Airline Transaction Record Requirements All Transactions originating at an Airline must include the Airline Ticket Identifier in the Clearing Record. 7.4 SATISFYING PAYMENT OBLIGATIONS FOR SETTLEMENT SERVICES

7.4.1 V PAY Member Settlement Bank Irrevocable payment by Visa, in immediately available funds, of an amount due in respect of a Settlement Obligation owed to a V PAY Member, to the Settlement Bank account designated by that V PAY Member shall discharge Visa’s Settlement Obligation to the extent of the irrevocable payment made. 

7.4.2 Visa Settlement Bank Irrevocable payment by the V PAY Member, in immediately available funds, of an amount due in respect of a Settlement Obligation owed to the Visa, to the Settlement Bank account designated by Visa, shall discharge that V PAY Member’s Settlement Obligation to the extent of the irrevocable payment made. 

7.4.3 Financial and Collateral Obligations

7.4.3.1 Visa may impose financial or other obligations on a V PAY Member, including financial collateral obligations to cover the V PAY Member’s Settlement Obligations in connection with Settlement systems (International Settlement, National Net Settlement or Area Net Settlement) operated by Visa. If a V PAY Member fails to satisfy financial obligations, Visa may collect such financial obligations using a Fee Collection Transaction.

7.4.3.2 Visa may, at its discretion, require a V PAY Member to fund, in advance, that V PAY Member’s expected Settlement Obligations, if positions forecasted by Visa exceed Visa’s available liquidity.

7.4.4 Offset of Settlement and other Obligations Subject to applicable law, Visa may offset certain Settlement Obligations and other obligations in calculating Settlement Amounts owed to a V PAY Member. This right may be implemented by a Fee Collection Transaction. 

7.4.5 General Clearing Requirements For Domestic Transactions, the following rules that govern the Clearing of all Transactions may be superseded by Private Agreements.

158 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 7 - Payment Processing

7.4.6 Notification and Correction of Duplicate Data and Erroneous Data If a Sending V PAY Member detects duplicate data, or erroneous data prior to sending that data in an Interchange File, that Sending Member must correct the duplicate data or erroneous data before submitting that data in an Interchange File. 

7.4.7 V PAY Member Reversal of Duplicate Data

7.4.7.1 Where a reversal is initiated by a Sending V PAY Member to correct duplicate data or erroneous data and such Reversal has resulted in any foreign exchange loss to Visa or the Receiving V PAY Member due to currency fluctuation between the Processing Date of the Transaction relating to the duplicate data or erroneous data and the Processing Date of the Reversal of that Transaction, the Sending V PAY Member shall pay Visa or the Receiving V PAY Member (as applicable) a fee as specified in the Visa Europe Fee Guide. 

7.4.7.2 An Issuer must reverse the Transaction relating to the duplicate data or erroneous data from its Cardholder records upon receipt of the Reversal information.

7.4.8 V PAY Member Reversal or Adjustment of Credit Transactions To correct processing errors in a Credit Transaction, an Acquirer must use only either:  A Reversal; or   An Adjustment, and it must do so within 30 calendar days of the Processing Date of that Credit Transaction. 

7.4.9 Settlement

7.4.9.1 Settlement Currency Requirements

7.4.9.1.1 A V PAY Member must designate one or more Settlement Currencies for use in the International Settlement Service. 

7.4.9.1.2 A V PAY Member must maintain a Settlement account with a Settlement Bank for each designated Settlement Currency. Visa will settle Interchange in the currency that is designated for the relevant Settlement account. 

7.4.9.1.3 If a V PAY Member wishes to change any of its designated Settlement Currencies, it must complete the relevant Funds Transfer Instruction Form and submit the form to Visa. 

7.4.9.2 Settlement Bank Requirements

7.4.9.2.1 Visa must approve the Settlement Bank for V PAY Members settling through the Visa Enterprise. Each V PAY Member settling through the Visa Enterprise must submit its proposed Settlement Bank to Visa in order to obtain such approval.

7.4.9.2.2 Visa must approve the Settlement Bank for Members settling through the Visa Enterprise. Each Member settling through the Visa Enterprise must submit its proposed Settlement Bank to Visa in order to obtain such approval.

7.4.9.2.3 [A] Visa may require a V PAY Member that settles through VisaNet to change Settlement Bank arrangements if Visa determines that either the:  Settlement Bank is not operated in a safe and sound manner; or   Use of the Settlement Bank exposes Visa or its V PAY Members to risk of financial  loss. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 159 V PAY Operating Regulations - Scheme Chapter 7 - Payment Processing

7.4.9.2.4 Visa requires a Member to ensure that:  Settlement bank is operated in a safe and sound manner; or  The use of the Settlement Bank does not expose Visa Customers or Members to risk of financial loss.

7.4.9.3 Funds Transfer Requirements

7.4.9.3.1 A V PAY Member must maintain sufficient funds in each Settlement account at its designated Settlement Bank to complete Settlement at the required time. 

7.4.9.3.2 A V PAY Member must maintain sufficient funds in each account used for Settlement Service and/or any other Settlement Service at the Correspondent Bank or Intermediary Bank, if the Settlement Bank uses a Correspondent Bank or Intermediary Bank. 

7.4.9.3.3 [A] For the purpose of the International Settlement Service using the Visa System, a Settlement Bank shall transfer funds covering the Settlement Amount every business day. 

7.4.9.3.4 For the purpose of the National Net Settlement Service, Area Net Settlement Service and the Product Net Settlement Service using the Visa System, a Settlement Bank shall transfer funds covering the Settlement Amount every business day.

7.4.9.3.5 [A] For the purpose of the International Settlement Service using BASE II:  Settlement Amounts with Processing Dates of Saturday, Sunday and Monday will all be combined into one settlement fund transfer on that Monday; and  For Settlement in US dollars only, Settlement Amounts with Processing Dates of United States holidays observed by Federal Reserve Banks of the United States will all be combined into one settlement fund transfer on the next business day following that holiday.

7.4.9.3.6 [A] For the purpose of the International Settlement Service using the Visa Europe Clearing and Settlement Service:  Settlement Amounts with Processing Dates of Saturday, Sunday and Monday will all be combined into one settlement fund transfer on that Monday; and  For all Settlement Currencies, if a holiday as specified in Section 7.4.9.3.7 occurs between the Processing Date and the Value Date, all Settlement Amounts of the same Value Date will be combined into one Settlement Amount and transferred on the Value Date which has taken the holiday into account.

7.4.9.3.7 The Central Bank associated with a Settlement Currency determines the holidays and business days for each Settlement Currency. 

7.4.9.3.8 [A] If Visa Inc. cannot complete the Settlement Service processing cycle in sufficient time to effect funds transfers, it will:  Postpone Settlement;  Notify Customers and Visa of the situation; and  Make Settlement on the next day that the Visa Inc.’s Settlement Bank is open.

7.4.9.3.9 If Visa cannot complete the processing cycle for the Visa Enterprise in sufficient time to effect funds transfers, it will:  Postpone Settlement;  Notify Members of the situation; and  Make Settlement on the next day that the Visa’s Settlement Bank is open.

7.4.9.3.10 A V PAY Member is responsible for any funds transfer charges charged by its Settlement Bank. 

160 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 7 - Payment Processing

7.4.9.4 Funds Transfer Procedures

7.4.9.4.1 [A] For Members processing Transactions through the International Settlement Service using the Visa Europe Clearing and Settlement Service, the National Net Settlement or the Area Net Settlement, Visa transfers funds for Settlement from its Settlement account to the Settlement account of the Customer or Member, and Customers and Members shall transfer funds for Settlement from their Settlement accounts to Visa’s Settlement account. 

7.4.9.4.2 [A] For Members processing Transactions through the International Settlement Service using BASE II, Visa transfers funds for Settlement from its Settlement account to the Settlement account of the V PAY Member, and V PAY Members shall transfer funds for Settlement from their Settlement accounts to Visa’s Settlement account. 

7.4.9.4.3 Members and their agents processing Transactions through the International Settlement Service, the National Net Settlement or the Area Net Settlement, will only be permitted one funds transfer settlement reporting entity (FTSRE), per Settlement Currency, per Settlement Service.

7.4.9.4.4 Principal Members who process Settlement on behalf of other Principal Members must use a separate FTSRE for each Principal Member for whom Settlement is processed.

7.4.9.4.5 Visa may require Members and their agents to pre-fund their Settlement Amount.

7.4.9.5 Reporting

7.4.9.5.1 Members and their agents must report their daily Settlement Amount to Visa each day.

7.4.9.5.2 All Members and their agents must report any failure by a Member to transfer the Settlement Amount, including the reason for such failure, to Visa.

7.4.9.6 Late Settlement Fees If a V PAY Member fails to transfer the Settlement Account, the V PAY Member must pay a Late Settlement Fee. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 161 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Dispute Resolution

8.1 MUTUAL ASSISTANCE ...... 166

8.2 CHARGEBACK AND REPRESENTMENT PROCESS ...... 166 Chargeback and Representment Process ...... 166 Chargeback and Representment Transmission ...... 166 Clearing and Settlement ...... 166 Documentation ...... 166 Chargeback Reduction Service ...... 167 Overview ...... 167 Return of Chargebacks ...... 167 Chargeback ...... 167 Attempt to Settle ...... 167 Reasons and Time Limits for Specific Transaction Types ...... 168 Chargebacks in Numerical Order ...... 168 Chargeback Time Limits ...... 168 Reversal of Chargebacks ...... 168 Transaction Chargeback Method ...... 168 Chargeback Bundling ...... 169 Processing Requirements ...... 169 General requirements ...... 169 Online banking requirements ...... 169 Telephone banking requirements ...... 169 Cardholder letters ...... 170 Chargeback Amount ...... 170

8.3 REPRESENTMENT...... 170 Representment Reasons, Conditions and Time Limits ...... 170 Representment Documentation Requirements ...... 171 Compelling Evidence ...... 171 Representment Amount ...... 172 Currency Conversion Difference ...... 172

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 163 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.4 DISPUTE GROUP 2 — FRAUD ...... 173

8.5 DISPUTE GROUP 3 — AUTHORIZATION ...... 190

8.6 DISPUTE GROUP 4 — PROCESSING ERROR ...... 195

8.7 DISPUTE GROUP 5 — CANCELLED/RETURNED ...... 203

8.8 DISPUTE GROUP 6 — NON-RECEIPT GOODS/SERVICES ...... 221

8.9 ARBITRATION ...... 228 Reason ...... 228 Pre-Arbitration Conditions ...... 228 Pre-Arbitration Attempt ...... 228 Pre-Arbitration Response ...... 228 Pre-Arbitration Acceptance or Rebuttal ...... 229 Arbitration Process ...... 229 Filing Reasons ...... 229 Filing Procedures ...... 229 Invalid Request ...... 230 Valid Request ...... 230 Financial Liability ...... 231 Review Fee ...... 231 Filing Fee ...... 231 Exceptions to the Arbitration Process ...... 231

8.10 COMPLIANCE ...... 231

8.11 FILING CONDITIONS ...... 231

8.12 PRE-COMPLIANCE CONDITIONS ...... 231 Pre-Compliance Attempt ...... 231 Pre-Compliance Acceptance or Rebuttal ...... 232 Pre-Compliance Acceptance ...... 232 Pre-Compliance Rebuttal ...... 232 Pre-Compliance Response ...... 232

8.13 COMPLIANCE PROCESS ...... 232 Filing Reasons ...... 232 Chargeback Reduction Service Return ...... 232 Split Transaction ...... 233 Account Generated Counterfeit Fraud ...... 233 Transaction Not Recognised ...... 233 Declined Authorization ...... 233 Non-matching Account Number ...... 233 Paid By Other Means ...... 233 Electronic Commerce Transaction (Attempts Authentication) ...... 234 Cardholder Letter ...... 234

164 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

Compliance Process For 3–D Secure Transactions ...... 235 Filing Procedures ...... 237 Filing Authority ...... 237 Time Limits ...... 237 Required Documentation ...... 237 Filing Fee ...... 237 Invalid Request ...... 238 Visa ...... 238 Valid Request ...... 238 Visa Notification ...... 238 Opposing V PAY Member’s Response ...... 238 Requesting V PAY Member’s Withdrawal ...... 238 Compliance Decision ...... 238 Financial Liability ...... 238 Review Fee ...... 239 Filing Fee ...... 239 Exceptions to the Compliance Process ...... 239

8.14 APPEAL RIGHTS ...... 239 Appeal Amount ...... 239

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 165 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.1 MUTUAL ASSISTANCE A V PAY Member must attempt to offer mutual assistance to other V PAY Members to resolve disputes between:  Its Cardholder and another V PAY Member’s Merchant; and   Its Merchant and another V PAY Member’s Cardholder. 

If a Cardholder or Merchant accepts financial liability for a Transaction, its V PAY Member must reimburse the V PAY Member that is the other party to that Transaction directly.  8.2 CHARGEBACK AND REPRESENTMENT PROCESS The V PAY reason codes are based on the Visa dispute resolution reason codes. This is to ensure ease of Issuer and Acquirer processing and provide consistency between Visa products.

8.2.1 Chargeback and Representment Process After receiving a Presentment, an Issuer may charge back a Transaction to the Acquirer under the conditions specified in Section 8.2.4.1. 

The Acquirer may then represent the Chargeback to the Issuer in accordance with the Dispute Resolution Rules. If the Acquirer represents the Chargeback to the Issuer, the Issuer must not charge back the Transaction a second time and the Acquirer must not represent the Transaction a second time. Figure 8-1 illustrates this process. 

ACQUIRER ISSUER Presentment Chargeback

Pre-Arbitration Representment (if required)

Arbitration

Figure 8-1 Chargeback and Representment Process

A V PAY Member may have the right to file for Arbitration after completing this Chargeback and Representment cycle, or in some instances Compliance may be available. 

8.2.2 Chargeback and Representment Transmission

8.2.2.1 Clearing and Settlement A V PAY Member may transmit a Chargeback or Representment through the Visa Enterprise, Interchange tapes or by other means under a Private Agreement. 

8.2.2.2 Documentation

8.2.2.2.1 A V PAY Member sending Chargeback or Representment documentation (as required by the Dispute Resolution Rules), must do so within five calendar days of the Processing Date of the Chargeback or Representment, using an Electronic Documentation Transfer Method. 

8.2.2.2.2 The V PAY Member must not send Chargeback or Representment documentation by mail, fax or any other non-automated method.

166 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.2.3 Chargeback Reduction Service

8.2.3.1 Overview If a Chargeback Reduction Service rejects a Chargeback on the basis that it is invalid or incomplete, the Issuer may either:  Correct the rejected record and resubmit it as a Chargeback within the applicable Chargeback Period (as set out in the Dispute Resolution Rules); or   Accept financial liability for the Transaction. 

Rejected Chargebacks are not considered completed Chargebacks. 

8.2.3.2 Return of Chargebacks A Chargeback Reduction Service may return an invalid Chargeback to the Issuer if all Chargeback requirements (as set out in the Dispute Resolution Rules) are not met. 

8.2.4 Chargeback An Issuer may charge back a Transaction to an Acquirer under certain conditions.

8.2.4.1 Attempt to Settle

8.2.4.1.1 Before exercising a Chargeback, the Issuer must attempt to honour the Transaction. 

8.2.4.1.2 If the Issuer has attempted, but failed, to honour a Transaction and the Issuer has already billed the Transaction to the Cardholder, the Issuer must credit the Cardholder for the Chargeback amount. 

8.2.4.1.3 An Issuer must credit its Cardholder's account for the amount in dispute, whether or not a Chargeback was initiated, if the dispute involves an Electronic Commerce Transaction and the requirements as specified in the Dispute Resolution Rules for a Chargeback are met for any of the following Chargebacks:  Reason Code 30, “Services Not Provided or Merchandise Not Received”;   Reason Code 53, “Not as Described or Defective Merchandise”;   Reason Code 83, “Fraud—Card-Absent Environment”; and   Reason Code 85, “Credit Not Processed”. 

8.2.4.1.4 The Issuer must not be reimbursed twice for the same Transaction. 

8.2.4.1.5 A Cardholder must not be credited twice as a result of both a:  Chargeback; and   Credit processed by a Merchant. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 167 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.2.4.2 Reasons and Time Limits for Specific Transaction Types

8.2.4.2.1 Original Credit Transaction Chargeback Reasons Table 8-1 lists the only Chargebacks that apply to an Original Credit Transaction. These Chargeback reason codes may also apply to other types of Transactions. 

Table 8-1 Original Credit Transaction Chargeback Reasons

Chargeback Reasons Reason Code Time Limit (Calendar Days) from the Processing Date of the Transaction1

Non-Matching Account Number 77 75 Duplicate Processing 82 120 Credit Not Processed 85 120

1. Unless otherwise specified in the V PAY Operating Regulations - Scheme.

8.2.4.3 Chargebacks in Numerical Order Table 8-2 Chargebacks at a Glance: Listed in Numerical Order

Reason Code Reason Code Title Dispute Group

30 Services Not Provided or Merchandise Not Received 6 53 Not as Described or Defective Merchandise 5 62 Counterfeit Transaction 2 72 No Authorization 3 76 Incorrect Currency 4 77 Non-Matching Account Number 4 78 Service Code Violation 3 81 Fraud—Card Present Environment 2 82 Duplicate Processing 4 83 Fraud—Card Absent Environment 2 85 Credit Not Processed 5 86 Reason Code 86 — Paid by Other Means 4 90 Non-Receipt of Cash or Load Transaction Value at ATM or 6 Load Device 93 Effective until 30 June 2016, Merchant Fraud Performance 2 Program Effective from 1 July 2016, Visa Fraud Monitoring Program

8.2.4.4 Chargeback Time Limits

8.2.4.4.1 The Chargeback time limit is calculated from the Processing Date of the disputed Transaction. 

8.2.4.4.2 Such Chargeback time limit begins on the calendar day following this date. 

8.2.4.5 Reversal of Chargebacks The reversal of a Chargeback relating to an Original Credit Transaction must be processed within one calendar day of the Processing Date of that Chargeback. 

8.2.4.6 Transaction Chargeback Method When an Issuer charges back Transactions, it must charge back each Transaction separately except where Chargeback bundling is allowed as specified in Section 8.2.4.7.

168 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.2.4.7 Chargeback Bundling One Chargeback under Reason Code 83 — Fraud — Card-Absent Environment may contain up to 25  low-value fraudulent Transactions if all of the following apply:  Chargeback uses the Acquirer Reference Number/Tracing Data, as set out in the Dispute Resolution Form questionnaire (Exhibit 2E), of the earliest Transaction;  Each Transaction relates to the same Account Number, Acquirer and Merchant Outlet;  Fraud activity is reported through the Visa Scheme Processor using an applicable fraud type code for each Transaction;  Each Transaction Amount is equal to or less than €25 or local currency equivalent;  The total cumulative value of Transactions is less than or equal to €250 or local currency equivalent so that the value of the Chargeback does not exceed €250; and  All of the Transactions appear on a summary of low-value Transactions, as set out in the Dispute Resolution Form questionnaire (Exhibit 2E).

8.2.5 Processing Requirements

8.2.5.1 General requirements If an Issuer is required to provide an Acquirer with a signed Cardholder certification as documental evidence denying participating in or authorising the Transaction for asserted fraudulent use of a V PAY Card or Account Number, the signed Cardholder certification must include at least the following:  Cardholder’s Account Number (complete or partial Account Number is acceptable);  Merchant name(s); and  Transaction Amount(s).

Each separate communication from a Cardholder reporting the fraudulent use of a Card or Account Number requires a separate certification.

8.2.5.2 Online banking requirements When a signed Cardholder certification is received in a secure online banking environment, the Issuer must provide, in addition to the Chargeback Dispute Resolution Form, a document containing:  The requirements set out in Section 8.2.5.1;  The unique identity; and  Confirmation from the Issuer that the unique identity represents the Cardholder’s signature.

In this environment, any method used by the Cardholder that establishes a unique identity through use of a password or other log-on identification method is considered a valid Cardholder signature.

8.2.5.3 Telephone banking requirements Cardholder certification of fraud may be obtained by an Issuer in a secure telephone banking environment for certifications in which the Transaction Amount of each Transaction does not exceed:  $1,000 or local currency equivalent for International Transactions; or  €1,000 or local currency equivalent for Visa Europe Transactions.

When Cardholder certification of fraud is received by telephone, the Issuer must identify the Cardholder using the same level of security they would require to complete the transfer of funds to another financial institution.

In addition to the requirements set out in Section 8.2.5.1, the Issuer must provide the following details on the Chargeback Dispute Resolution Form:  Time and date of the call; and  For Visa Europe Transactions only, the name of the Issuer’s representative who responded to the call (if available).

The facility to obtain Cardholder certification of fraud in a secure telephone banking environment may be withdrawn from an Issuer that fails to comply with the requirements set out in this Section 8.2.5.3 or in any other applicable rules.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 169 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.2.5.4 Cardholder letters If an Acquirer provides sufficient evidence that a Cardholder letter is required for legal proceedings, for a law enforcement investigation, or if required by applicable laws or regulations, the Issuer must supply a Cardholder letter to the Acquirer. The required documentation is either:  Evidence that the signed Cardholder letter is required for legal proceedings (e.g., court order or subpoena); or   Acquirer certification that the signed Cardholder letter is required by applicable laws or regulations or for a law enforcement investigation. 

All documentation that must be provided by an Issuer as required for each Chargeback reason in the Dispute Resolution Rules must be provided in English. 

8.2.5.5 Chargeback Amount The Issuer must charge back in the Billing Currency for either:  Actual amount billed to the Cardholder; or   Partial Transaction Amount equal to the disputed amount.  8.3 REPRESENTMENT

8.3.1 Representment Reasons, Conditions and Time Limits An Acquirer may represent a Transaction to the Issuer for one of the reasons listed in Table 8-3 within 45 calendar days from the Processing Date of that Chargeback (unless otherwise specified below).  Table 8-3 Representment Reasons, Conditions and Time Limits 

Representment Reason Conditions Time Limit for Representment (calendar days)

Mis-sorted Chargeback None 45 1 Missing or incomplete documentation An Acquirer must allow five calendar days 45 2 to support Chargeback from the Processing Date of the Chargeback to receive the documents from the Issuer. On receipt of the documentation or after five calendar days, the Acquirer must process a Representment within 45 days from the Processing Date of that Chargeback. Invalid Acquirer Reference Number/ None 452 Tracing Data or Account Number Improper Chargeback See each Chargeback listed in reason codes 452 Additional information available to See each Chargeback listed in reason codes 452 remedy the Chargeback Improper ATM Cash Disbursement Acquirer submits the required document to 452 Chargeback remedy Chargeback. See the ATM Cash Disbursement reason codes in Table 8-2.

1. Time limit for Representment is calculated from the receipt date of the Chargeback documentation. 2. Time limits are calculated from the Processing Date of the Chargeback. The Processing Date of the Chargeback is not counted as one day. The Processing Date of the Representment is counted as one day.

170 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.3.1.1 Representment Documentation Requirements

8.3.1.1.1 An Acquirer must provide the Issuer with the Representment documentation required translated into English for any non-English documentation. 

8.3.1.1.2 The V PAY Member must not send Representment documentation by mail, fax or any other non- automated method.

8.3.1.2 Compelling Evidence

An Acquirer may submit any type of compelling evidence at the time of Representment provided the Chargeback reason code is 30, 53 or 83. Table 8-4 lists examples that an Acquirer may provide, but they are not restricted to just these types of compelling evidence.

Table 8-4 Use of Compelling Evidence 

Types of Compelling Evidence Applicable Chargeback Reason Code

Documentation to prove: 30, 53, 83 • A link between the person receiving the merchandise/service and the Cardholder; or • That the Cardholder disputing the Transaction is in possession of and/or using the merchandise/service. For a Transaction in a Card-Absent Environment in which the merchandise is 30, 83 collected from the Merchant’s location, any of the following: • Cardholder signature on the pick-up form; • Copy of identification presented by the Cardholder; or • Details of identification presented by the Cardholder. For a Transaction in a Card-Absent Environment in which the merchandise is 30, 83 delivered, documentation (evidence of delivery and time delivered) that the item was delivered to the same physical address for which the Merchant received an Address Verification Service match of “Y” or “M” (if applicable). A signature is not required as evidence of delivery. For an Electronic Commerce Transaction representing the sale of digital goods 30, 83 downloaded from a Merchant’s website/application, description of the goods or services downloaded with the date and time such goods or services were downloaded, and two or more of the following: - Purchaser's IP address and the device's geographical location at the date and time of the Transaction; - Device ID number and name of device, if available; - Purchaser's name and e-mail address linked to the customer profile held by the Merchant; - Evidence that the profile set up by the purchaser on the Merchant’s website or application was accessed by the purchaser, and has been successfully verified by the Merchant before the Transaction Date; - Proof that the Merchant’s website/application was accessed by the Cardholder for the goods or services on or after the Transaction Date; and/or - Evidence that the same device and Card used in the disputed Transaction was used in any previous Transaction that was not disputed. For a Transaction in which merchandise was delivered to a business address, 30, 83 documentation to show that the merchandise was delivered and that, at the time of delivery, the Cardholder was working for the company at that business address. A signature is not required as evidence of delivery. Effective from 15 October 2016, for a Mail/Phone Order Transaction, a signed 83 order form.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 171 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

Table 8-4 Use of Compelling Evidence (Continued) 

Types of Compelling Evidence Applicable Chargeback Reason Code

For a Transaction at a passenger transport Merchant, evidence that the services 30, 83 were provided, and any of the following: • Proof that the ticket was received at the Cardholder’s billing address; • Documentation to show that the ticket or boarding pass was scanned at the gate; • Details of frequent flyer miles relating to the disputed Transaction that were earned or redeemed, including address and telephone number, that establish a link to the Cardholder; or • Documentation of the following additional Transactions related to the original Transaction: purchase of seat upgrades; payment for extra baggage; or purchases made on board the passenger transport. For a Transaction in a Card-Absent Environment, documentation to show that the 83 Transaction uses an IP address, e-mail address, or address and telephone number that had been used in a previous, undisputed Transaction. Evidence that the Transaction was completed by a member of the 83 Cardholder’s household or family. Evidence that the person who signed for the merchandise was authorized to sign 30 for the Cardholder or is known by the Cardholder. Evidence of other non-disputed payments for the same merchandise or service. 83

For Visa Europe Transactions, evidence that the Cardholder has been compensated 30, 53 for the value of the merchandise/service through another method.

8.3.1.3 Representment Amount The Representment amount must include one of the following:  Same amount in the same Transaction Currency as in the original Presentment;   Partial Transaction Amount to remedy the Chargeback; or   Same or corrected amount in the Settlement Currency as received by the Acquirer for the Chargeback. 

8.3.2 Currency Conversion Difference

8.3.2.1 The Acquirer is liable for any difference between the amount of the Chargeback and the Representment amount. 

8.3.2.2 The Issuer is liable for any difference between the amount originally presented and the Representment amount. 

172 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

8.4 DISPUTE GROUP 2 — FRAUD Effective until 30 June 2016, a fraudulent Transaction was processed, or the Account Number used to process the Transaction was fictitious or no longer valid, or a Merchant was identified by the Merchant Fraud Performance Program.

Effective from 1 July 2016, a fraudulent Transaction was processed, or the Account Number used to process the Transaction was fictitious or no longer valid, or a Merchant was identified by the Visa Fraud Monitoring Program.

The following reason codes are applicable:  62—Counterfeit Transaction;  81—Fraud—Card-Present Environment;  83—Fraud—Card-Absent Environment;  Effective until 30 June 2016, 93—Merchant Fraud Performance Program; and  Effective from 1 July 2016, 93—Visa Fraud Monitoring Program. Table 8-5 General Requirements for Dispute Group 2 - Fraud

Chargeback Representment

Time Limit Effective until 30 June 2016: 45 calendar days from the Chargeback 1. 120 calendar days from the Processing Date. Processing Date. 2. For Chargeback reason code 93, the Chargeback time limit is 120 calendar days from the date of the identification by the Merchant Fraud Performance Program. Effective from 1 July 2016: 1. 120 calendar days from the Processing Date. 2. For Chargeback reason code 93, the Chargeback time limit is 120 calendar days from the date of the identification by the Visa Fraud Monitoring Program.

General Rights and None Refer to individual reason codes Limitations

Additional Information 1. An Issuer must report fraud activity through the Visa Enterprise as specified in Section 2.3.5. 2. For reason code 83, an Acquirer may represent with compelling evidence of Cardholder participation.

Reason Code 62—Counterfeit Transaction A Counterfeit V PAY Card was used for a Transaction that received Authorization but the Authorization Request did not include the required data or contained altered data.

Reason Code 81—Fraud—Card-Present Environment A Merchant did not obtain a PIN in a Card-Present Environment, and the Merchant completed the Transaction without the Cardholder’s permission, or a Transaction was processed with a Fictitious Account Number, or no valid V PAY Card was outstanding bearing the Account Number on the Transaction Receipt.

Reason Code 83—Fraud—Card-Absent Environment An Electronic Commerce Transaction or, effective from 15 October 2016, a Mail/Phone Order Transaction, was processed without the Cardholder’s permission, or a Fictitious Account Number was used, or no valid V PAY Card was outstanding bearing the Account Number on the Transaction Receipt.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 173 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

Reason Code 93—Merchant Fraud Performance Program Effective until 30 June 2016, Visa notified the Issuer that the Transaction is identified by the Merchant Fraud Performance Program.

Reason Code 93—Visa Fraud Monitoring Program Effective from 1 July 2016, Visa notified the Issuer that the Transaction is identified by the Visa Fraud Monitoring Program.

174 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

62 Reason Code 62 — Counterfeit Transaction A Counterfeit Card was used for a Transaction that received Authorization but the Authorization Request did not include the required data, or contained altered data.

Dispute Group 2 Reason Code 62 Condition 2 Cardholder denies authorising or participating in the disputed Transaction and both of the following (for qualifying Transactions and effective dates, refer to Additional Information):  Card is a V PAY Card; and  Card-Present Transaction did not take place at a Chip-Reading Device.

Additional Information

1. Prior to initiating a Chargeback, the Issuer should research relevant data in the Authorization message. 2. For a dispute involving an ATM Transaction, the Issuer must make a pre-Arbitration attempt prior to filing for Arbitration if the ATM Transaction Record is required. 3. The Issuer must certify in the pre-Arbitration attempt that the ATM Transaction Record is required by the Cardholder or for legal or insurance purposes.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 175 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

62 Reason Code 62 — Counterfeit Transaction — Condition 2 Cardholder denies authorising or participating in the disputed Transaction and both of the following (for qualifying Transactions and effective dates, refer to Additional Information):  Card is a V PAY Card; and  Card-Present Transaction did not take place at a Chip-Reading Device.

Chargeback Rights and Limitations

1. The Issuer must on or before the Chargeback Processing Date, report the fraud activity as counterfeit fraud. 2. Chargeback is invalid for all Transactions authorised by the Issuer, except for Magnetic Stripe read ATM Transactions involving V PAY Cards carrying Plus functionality.

Chargeback Member Message Text

V PAY EMV CARD, NON EMV DEVICE

Chargeback Documentation

All of the following: 1. The Dispute Resolution Form questionnaire (Exhibit 2E). For Transactions with a Transaction Amount less than or equal to €25.00 or local currency equivalent, the Dispute Resolution Form questionnaire must certify that all of the following were completed on or before the Processing Date of the Chargeback: a) Cardholder denies authorization of or participation in the Transaction; b) For Chargebacks with a Processing Date up to and including 14 October 2016, status of the Card at the time of the Transaction (e.g. lost, stolen, counterfeit); and c) Date that the fraud activity was reported as counterfeit fraud; and 2. For Transactions with a Transaction Amount equal to or greater than €25.01 or local currency equivalent, a Cardholder letter denying authorization of or participation in the Transaction as specified in Section 8.2.5.5.

176 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

Reason Code 62 — Counterfeit Transaction — Condition 2 (Continued)

Representment Rights and Limitations

For a Representment due to an Issuer failing to meet the requirements specified in Chargeback Rights and Limitations 1, the Acquirer must provide information/documentation to support this claim.

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits) 2. V PAY REVERSAL MMDDYY 2. Issuer did not meet the V PAY X...X (Specify the reasons) As applicable Chargeback conditions 3. Acquirer can remedy the Any that apply: 1. Documents to prove correct Chargeback 1. V PAY CHIP READ Authorization Request TRANSACTION contained the correct data. 2. V PAY X...X (Specify the 2. The Dispute Resolution Form reasons) questionnaire (Exhibit 2E). 3. V PAY AUTH DATE MMDDYY CODE X...X 4. V PAY POS XX (Specify POS Entry Mode code value) 5. V PAY AUTHENTICATION CRYPT IN AUTH

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 177 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

81 Reason Code 81 — Fraud — Card-Present Environment A Merchant did not obtain a PIN in a Card-Present Environment, and the Merchant completed the Transaction without the Cardholder’s permission, or a Transaction was processed with a Fictitious Account Number, or no valid Card was outstanding bearing the Account Number on the Transaction Receipt.

Condition Description Page

1 Cardholder did not authorise or participate in a Card-Present Environment 179 Transaction.

2 Fraudulent Transaction was completed in a Card-Present Environment using a 181 Fictitious Account Number or no valid Card was issued or outstanding that bears the Account Number and no Authorization was obtained.

178 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

81 Reason Code 81 — Fraud — Card-Present Environment — Condition 1 Cardholder did not authorise or participate in a Card-Present Environment Transaction.

Chargeback Rights and Limitations

1. The Issuer must on or before the Chargeback Processing Date report the fraud activity in the fraud advice reports. 2. Chargeback is invalid for ATM Transactions. 3. Chargeback is invalid for Proximity Payments.

Chargeback Member Message Text

V PAY NO PIN

Chargeback Documentation

All of the following: 1. The Dispute Resolution Form questionnaire (Exhibit 2E). For Transactions with a Transaction Amount less than or equal to €25.00 or local currency equivalent, the Dispute Resolution Form questionnaire must certify that all of the following were completed on or before the Processing Date of the Chargeback: a) Cardholder denies authorization of or participation in the Transaction; b) For Chargebacks with a Processing Date up to and including 14 October 2016, status of the Card at the time of the Transaction (e.g. lost, stolen, counterfeit); and c) Date that the fraud activity was reported in the fraud advice reports; and 2. For Transactions with a Transaction Amount equal to or greater than €25.01 or local currency equivalent, a Cardholder letter denying authorization of or participation in the Transaction as specified in Section 8.2.5.5.

Representment Rights and Limitations

None

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 179 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

Reason Code 81 — Fraud — Card-Present Environment — Condition 1 (Continued)

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed. 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the reason) As applicable applicable Chargeback conditions. 3. Acquirer can remedy the None required 1. Both: Chargeback. a) The Dispute Resolution Form questionnaire (Exhibit 2E); and b) Documents to prove Cardholder participated in the Transaction; or 2. Effective for Transactions with a Processing Date on or after 22 April 2017, for a Transaction in a Card-Absent Environment that is subsequent to an initial Transaction in a Card-Present Environment, evidence that all Transactions occurred during the same rental period, stay or trip and the initial Transaction was made with a valid PIN or CDCVM.

180 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

81 Reason Code 81 — Fraud — Card-Present Environment — Condition 2 Fraudulent Transaction was completed in a Card-Present Environment using a Fictitious Account Number or no valid Card was issued or outstanding that bears the Account Number and no Authorization was obtained.

Chargeback Rights and Limitations

1. The Issuer must on or before the Chargeback Processing Date report the fraud activity in the fraud advice reports. 2. Chargeback is invalid if the Transaction received an Authorization. 3. Chargeback is invalid for Proximity Payments.

Chargeback Member Message Text

Any that apply: 1. V PAY NO SUCH CARD; 2. V PAY FICTITIOUS ACCOUNT NUMBER; or 3. V PAY RR DATE MMDDYY, if requested Transaction Receipt not fulfilled.

Chargeback Documentation

None required

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed. 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the reason) As applicable applicable Chargeback conditions. 3. Acquirer can remedy the V PAY AUTH DATE MMDDYY Both: Chargeback. CODE X...X (if applicable) a) The Dispute Resolution Form questionnaire (Exhibit 2E); and b) Evidence of a PIN.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 181 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

83 Reason Code 83 — Fraud — Card-Absent Environment An Electronic Commerce Transaction or, effective from 15 October 2016, a Mail/Phone Order Transaction, was processed without the Cardholder’s permission, or a Fictitious Account Number was used, or no valid Card was outstanding bearing the Account Number on the Transaction Receipt.

Condition Description Page

1 Cardholder did not authorize or participate in a Card-Absent Environment 183 Transaction.

2 No valid V PAY Card was issued or outstanding that bears the Account Number, or 186 a fraudulent Transaction was completed in a Card-Absent Environment using a Fictitious Account Number and no Authorization was obtained.

Additional Information

1. Effective until 30 June 2016, an Electronic Commerce Merchant identified by the Global Merchant Chargeback Monitoring Program must include ECI value “7” and is subject to this Chargeback for the period of time it remains in the Global Merchant Chargeback Program, plus three additional months. 2. Effective from 1 July 2016, an Electronic Commerce Merchant identified by the Visa Chargeback Monitoring Program must include ECI value “7” and is subject to this Chargeback for the period of time it remains in the Visa Chargeback Monitoring Program, plus three additional months. 3. An Issuer must report all fraud activity as specified in the Section 2.3.5. 4. For Representment Rights and Limitations 1, an Acquirer must provide information/documentation such as evidence indicating Transactions were not reported as fraud. 5. For Chargeback Rights and Limitations 1, use the Electronic Commerce Indicator or the Merchant Category Code to determine the type of Transaction.

182 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

83 Reason Code 83 — Fraud — Card-Absent Environment — Condition 1 Cardholder did not authorize or participate in a Card-Absent Environment Transaction.

Chargeback Rights and Limitations

1. On or before the Chargeback Processing Date, the Issuer must report the fraud activity in the fraud advice reports. 2. Chargeback is valid for an Electronic Commerce Transaction where the Issuer responded to an Authentication Request (PAReq) with either: a) An Unable-to-Authenticate Response (PARes value “U”) or Authentication Denial (PARes value “N”); or b) A Cardholder Authentication Verification Value and Authentication Identifier, but either the: i. Acquirer did not provide a Cardholder Authentication Verification Value in the Authorization Request; or ii. Cardholder Authentication Verification Value results code is “0”. 3. Chargeback does not apply to a Secure Electronic Commerce Transaction processed with Electronic Commerce Indicator value “5” in the Authorization Request, if both: a) Issuer responded to an Authentication Request with an Authentication Confirmation (PARes value “Y”) using 3-D Secure; and b) The Cardholder Authentication Verification Value was included in the Authorization Request. 4. Chargeback does not apply to a Non-Authenticated Security Transaction coded with ECI value “6” if either: a) Issuer or Visa on behalf of the Issuer responded to an Authentication Request with a Non-Participation Message (VERes value “N”); or b) Both: i. Issuer, or Visa on behalf of the Issuer, responded to an Authentication Request with an Attempt Response (PARes value “A”) using 3-D Secure; and ii. A Cardholder Authentication Verification Value was included in the Authorization. 5. Chargeback is invalid for Transactions where both: a) The Card Verification Value 2 results code in the Authorization message is “U – Issuer not participating in CVV2 program”; and b) The Card Verification Value 2 presence indicator in the Authorization Request is one of the following: i. “1 – CVV2 value is present”; ii. “2 - CVV 2 value is on the V PAY Card but is illegible”; or iii. “9 - Cardholder states CVV2 is not present on the V PAY Card”. 6. Chargeback is invalid for Transaction where all of the following apply: a) The Card Verification Value 2 presence indicator in the Authorization Request is “1 - CVV2 value is present”; b) The Card Verification Value 2 results code in the Authorization message is “N - No match”; and c) The Authorization request was approved. 7. One Chargeback may contain up to 25 Transactions if all of the following apply: a) Chargeback uses the Acquirer Reference Number/Tracing Data, as set out in Exhibit 2E, of the earliest Transaction; b) Each Transaction relates to the same Account Number, Acquirer and Merchant Outlet; c) Fraud activity is reported in the fraud advice reports using an applicable fraud type code for each Transaction; d) Each Transaction Amount is equal to or less than €25 or local currency equivalent; e) The total cumulative value of Transactions is less than or equal to €250 or local currency equivalent so that the value of the Chargeback does not exceed €250; and f) All of the Transactions appear on a summary of low-value Transactions, as set out in Exhibit 2E.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 183 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

Reason Code 83 — Fraud — Card-Absent Environment — Condition 1 (Continued)

Chargeback Member Message Text

One of the following, as applicable: 1. V PAY UNABLE TO AUTHENTICATE RESPONSE 2. V PAY AUTHENTICATION DENIAL 3. V PAY CAVV AND AUTHENTICATION IDENTIFIER MISSING IN AUTH 4. V PAY SEE 3-D SECURE RESPONSE SENT MMDDYY

Chargeback Documentation

All of the following: 1. The Dispute Resolution Form questionnaire (Exhibit 2E). For Transactions with a Transaction Amount less than or equal to €25.00 or local currency equivalent (including bundled low-value fraudulent Transactions as specified in Section 8.2.4.7), the Dispute Resolution Form questionnaire must certify that all of the following were completed on or before the Processing Date of the Chargeback: a) Cardholder denies authorization of or participation in the Transaction; b) For Chargebacks with a Processing Date up to and including 14 October 2016, status of the Card at the time of the Transaction (e.g. lost, stolen, counterfeit); and c) Date that the fraud activity was reported through the fraud advice reports; 2. For bundled low-value fraudulent Transactions as specified in Section 8.2.4.7, the information required on a summary of low-value Transactions, as set out in Exhibit 2E; and 3. For Transactions with a Transaction Amount equal to or greater than €25.01 or local currency equivalent, a Cardholder letter denying authorization of or participation in the Transaction as specified in Section 8.2.5.5.

184 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

Reason Code 83 — Fraud — Card-Absent Environment — Condition 1 (Continued)

Representment Rights and Limitations

1. For a Representment due to an Issuer failing to meet the requirements as specified in Chargeback Rights and Limitations 2, the Acquirer must provide information/documentation to support this claim. 2. Transaction Record contains evidence that both: - PIN was obtained; and - Electronic Imprint (use of POS Entry Mode code 02, 90, or 05). 3. Merchant attempted to authenticate the Cardholder using 3-D Secure, but the Cardholder was not participating.

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None Required processed. 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY 2. Issuer did not meet the V PAY X...X (Specify the As applicable applicable Chargeback reason) conditions. 3. Acquirer can remedy the None Required 1. The Dispute Resolution Form Chargeback. questionnaire (Exhibit 2E). 2. Evidence of PIN. 3. If a “Non-Authenticated Security Transaction” was processed with an Electronic Commerce Indicator value “6” in the Authorization Request, proof that the Issuer responded to the Authentication Request with a Cardholder Authentication Verification Value (if applicable). 4. Compelling evidence that the Cardholder participated in the Transaction. 5. Effective for Transactions with a Processing Date on or after  22 April 2017, for a Transaction in a Card-Absent Environment that is subsequent to an initial Transaction in a Card-Present Environment, evidence that all Transactions occurred during the same rental period, stay or trip and the initial Transaction was made with a valid PIN or CDCVM.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 185 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

83 Reason Code 83 — Fraud — Card-Absent Environment — Condition 2 No valid V PAY Card was issued or outstanding that bears the Account Number, or a fraudulent Transaction was completed in a Card-Absent Environment using a Fictitious Account Number and no Authorization was obtained.

Chargeback Rights and Limitations

1. Chargeback is invalid if Authorization was obtained. 2. Chargeback does not apply to a Secure Electronic Commerce Transaction processed with Electronic Commerce Indicator value “5” in the Authorization Request if both: a) Issuer responded to an Authentication Request with an Authentication Confirmation (PARes value “Y”) using 3-D Secure; and b) The Cardholder Authentication Verification Value was included in the Authorization Request. 3. Chargeback does not apply to a Non-Authenticated Security Transaction coded with ECI value “6” if either: a) Issuer, or Visa on behalf of the Issuer, responded to an Authentication Request with a Non-Participation Message (VERes value “N”); or b) Both: i. Issuer, or Visa on behalf of the Issuer, responded to an Authentication Request with an Attempt Response (PARes value “A”) using 3-D Secure; and ii. A Cardholder Authentication Value was included in the Authorization Request. 4. Chargeback is invalid for Transactions where all of the following apply: a) The Card Verification Value 2 results code in the Authorization message is “U – Issuer not participating in CVV2 program”; b) The Card Verification Value 2 presence indicator in the Authorization Request is “1 – CVV2 value is present”; c) The Card Verification Value 2 results code in the Authorization message is “N - No match”; and d) The Authorization request was approved. 5. One Chargeback may contain up to 25 Transactions if all of the following apply: a) Chargeback uses the Acquirer Reference Number/Tracing Data, as set out in Exhibit 2E, of the earliest Transaction; b) Each Transaction relates to the same Account Number, Acquirer and Merchant Outlet; c) Fraud activity is reported in the fraud advice reports using an applicable fraud type code for each Transaction; d) Each Transaction Amount is equal to or less than €25 or local currency equivalent; e) The total cumulative value of Transactions is less than or equal to €250 or local currency equivalent so that the value of the Chargeback does not exceed €250; and f) All of the Transactions appear on a summary of low-value Transactions, as set out in Exhibit 2E.

Chargeback Member Message Text

Any that apply: 1. V PAY NO SUCH CARD; 2. V PAY FICTITIOUS ACCOUNT NUMBER; or 3. V PAY RR DATE MMDDYY, if requested Transaction Receipt not fulfilled.

186 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

Reason Code 83 — Fraud — Card-Absent Environment — Condition 2 (Continued)

Chargeback Documentation

For bundled low-value fraudulent Transactions as specified in Section 8.2.4.7, the Dispute Resolution Form questionnaire (Exhibit 2E) and the information required on a summary of low-value Transactions, as set out in Exhibit 2E.

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed. 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the As applicable applicable Chargeback reason) conditions. 3. Acquirer can remedy the V PAY AUTH MMDDYY 1. The Dispute Resolution Form Chargeback. CODE X...X (If applicable) questionnaire (Exhibit 2E). 2. Evidence of PIN. 3. If a “Non-Authenticated Security Transaction” was processed with an Electronic Commerce Indicator value “6” in the Authorization Request, proof that the Issuer responded to the Authentication Request with a Cardholder Authentication Verification Value (if applicable). 4. Effective for Transactions with a Processing Date on or after 22 April 2017, for a Transaction in a Card- Absent Environment that is subsequent to an initial Transaction in a Card- Present Environment, evidence that all Transactions occurred during the same rental period, stay or trip and the initial Transaction was made with a valid PIN or CDCVM.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 187 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

93 Reason Code 93 — Effective until 30 June 2016, Merchant Fraud Performance Program Effective until 30 June 2016, Visa notified the Issuer that the Transaction is identified by the Merchant Fraud Performance Program.

Dispute Group 2 Reason Code 93 Condition 1 Both: 1. Visa notified the Issuer that the Transaction is identified by the Merchant Fraud Performance Program; and 2. Issuer had not successfully charged back the Transaction for another reason.

Additional Information

If an Issuer has charged back the Transaction using another reason code and the Acquirer successfully represented, the Issuer may charge back the Transaction as a second first Chargeback only when notification is received that the Merchant is identified by the Merchant Fraud Performance Program. The time limit for the second Chargeback begins with the date the notification is received.

Chargeback Rights and Limitations

The Chargeback is invalid for Emergency Cash Disbursements

Chargeback Member Message Text

V PAY MFP RPT DT MMDDYY

Chargeback Documentation

None required

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the V PAY PREV CB MMDDYY RC XX None required Chargeback

188 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

93 Reason Code 93 — Effective from 1 July 2016, Visa Fraud Monitoring Program Effective from 1 July 2016, Visa notified the Issuer that the Transaction is identified by the Visa Fraud Monitoring Program.

Dispute Group 2 Reason Code 93 Condition 1 Both: 1. Visa notified the Issuer that the Transaction is identified by the Visa Fraud Monitoring Program; and 2. Issuer had not successfully charged back the Transaction for another reason.

Additional Information

If an Issuer has charged back the Transaction using another reason code and the Acquirer successfully represented, the Issuer may charge back the Transaction as a second first Chargeback only when notification is received that the Merchant is identified by the Visa Fraud Monitoring Program. The time limit for the second Chargeback begins with the date the notification is received.

Chargeback Rights and Limitations

The Chargeback is invalid for Emergency Cash Disbursements

Chargeback Member Message Text

V PAY VFMP RPT DT MMDDYY

Chargeback Documentation

None required

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the V PAY PREV CB MMDDYY RC XX None required Chargeback

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 189 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 2 — Fraud

8.5 DISPUTE GROUP 3 — AUTHORIZATION

A Merchant or V PAY Member failed to follow the proper Authorization procedures.

The following reason codes are applicable:  72—No Authorization; and  78—Service Code or Application Usage Controls (AUC) Violation. Table 8-6 General Requirements for Dispute Group 3—Authorization

Chargeback Representment

Time Limit 75 calendar days from the Transaction 45 calendar days from the Chargeback Processing Date. Processing Date.

General Rights and None Refer to individual reason codes. Limitations

Additional Information 1. If the V PAY Members’ Authorization records conflict, the V.I.P. System or Visa Europe Authorisation Service record will prevail at Arbitration. 2. At its option, a V PAY Member may provide any additional documentation or information to support the Chargeback or Representment.

Reason Code 72—No Authorization Authorization was required for a Transaction, but the Merchant did not obtain Authorization.

Reason Code 78—Service Code or Application Usage Controls (AUC) Violation The Service Code or the Application Usage Controls on the Chip indicated that the V PAY Card was invalid for the Transaction and the Merchant did not obtain Authorization.

190 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 3 — Authorization

72 Reason Code 72 — No Authorization Authorization was required for a Transaction but the Merchant did not obtain Authorization.

Dispute Group 3 Reason Code 72 Condition 1 Transaction exceeded the Floor Limit and Authorization was not obtained on the Transaction Date.

Additional Information

1. If a V PAY Member’s Authorization records conflict, the Authorization record within the Visa Scheme Processor will prevail for Arbitration.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 191 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 3 — Authorization

72 Reason Code 72 — No Authorization — Condition 1 Transaction exceeded the Floor Limit and Authorization was not obtained on the Transaction Date.

Chargeback Rights and Limitations

1. Chargeback is invalid if any of the following apply: a) Transaction was authorised by Stand-In Processing; or b) Authorized amount is greater than the Transaction amount. 2. If Authorization was obtained for an amount less than the Transaction Amount, Chargeback is limited only to the amount that was not Authorized. 3. Authorization is invalid if Merchant used invalid or incorrect Transaction data, for example: a) Incorrect Transaction Date; b) Incorrect Merchant Category Code; c) Incorrect indicator for the Merchant or Transaction type; and d) Incorrect country code/state or special condition indicator. 4. For an Automated Fuel Dispenser, Chargeback is valid only for the amount exceeding the Transaction Amount represented by the Status Check Authorization. 5. Chargeback is invalid if the Cardholder Authentication Verification Value was not validated during Authorization of an Electronic Commerce Transaction. 6. Chargeback is valid if the Transaction was for an offline-Authorized V PAY Transaction for an amount exceeding the Merchant’s Floor Limit. 7. Chargeback is limited only to the amount that was not authorized if a Partial Authorization was obtained for an amount less than the Transaction Amount and the Clearing Record includes the Authorization Code.

Chargeback Member Message Text

As applicable: 1. V PAY NO AUTHORIZATION; 2. V PAY TRAN EXCEEDS AUTH AMOUNT; or 3. V PAY EMV CARD, NO AUTH, EXCD CHIP FLOOR LIMIT.

Chargeback Documentation

None required

Representment Rights and Limitations

None

192 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 3 — Authorization

Reason Code 72 — No Authorization — Condition 1 (Continued)

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the reason) As applicable applicable Chargeback conditions 3. Acquirer can remedy the Either that applies: 1. Documents to prove Chargeback 1. V PAY AUTH DATE MMDDYY Authorization was obtained. CODE X...X AMT €XXX 2. The Dispute Resolution Form 2. V PAY TRAN DATE IS questionnaire (Exhibit 2E). MMDDYY NOT MMDDYY

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 193 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 3 — Authorization

78 Reason Code 78 — Service Code or Application Usage Controls (AUC) Violation The Application Usage Controls on the Chip indicated that the V PAY Card was invalid for the Transaction and the Merchant did not obtain Authorization, or the Service Code indicated that Online Authorization was required for the Transaction type and the Merchant did not obtain Authorization.

Dispute Group 3 Reason Code 78 Condition 1 Both: 1. A Merchant completed a Chip Transaction when the Service Code or AUC indicated that the V PAY Card was invalid for the Transaction type; and 2. Merchant did not obtain Authorization.

Chargeback Rights and Limitations

Chargeback is valid for a below-Floor Limit Transaction where the Service Code on the V PAY Card indicated “Positive Authorization mandatory” (Online Authorization required).

Chargeback Member Message Text

V PAY TRANSACTION

Chargeback Documentation

None required

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the V PAY AUTH DATE MMDDYY The Dispute Resolution Form Chargeback questionnaire (Exhibit 2E) and documentation to prove Authorization was obtained.

194 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 4 — Processing Error

8.6 DISPUTE GROUP 4 — PROCESSING ERROR A Merchant, an Originating Member, or an Acquirer processed a Transaction incorrectly.

The following reason codes are applicable:  76—Incorrect Currency;  77—Non-Matching Account Number;  82—Duplicate Processing; and  86—Paid by Other Means. Table 8-7 General Requirements for Dispute Group 4—Processing Error

Chargeback Representment

Time Limit 1. 120 calendar days from the 45 calendar days from the Chargeback Transaction Processing Date. Processing Date 2. For an Original Credit Transaction, the Chargeback time limit is 120 calendar days from the Processing Date of the Original Credit Transaction.

General Rights and None Refer to the individual reason codes Limitations

Additional Information At its option, a V PAY Member may provide any additional documentation or information to support the Chargeback or Representment.

Reason Code 76—Incorrect Currency The Cardholder was not advised that Dynamic Currency Conversion would occur or was refused the choice of paying in the Merchant’s local currency.

Reason Code 77—Non-Matching Account Number An Original Credit Transaction was processed using an Account Number that does not match any on the Issuer’s master file.

Reason Code 82—Duplicate Processing A single Transaction with the same Account Number was processed more than once.

Reason Code 86—Paid by Other Means Merchandise or service was received but paid for by other means.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 195 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 4 — Processing Error

76 Reason Code 76 — Incorrect Currency The Cardholder was not advised that Dynamic Currency Conversion would occur or was refused the choice of paying in the Merchant’s local currency.

Additional Information

1. The Transaction Currency appearing on the Transaction Receipt must be the currency approved by the Cardholder. 2. If Dynamic Currency Conversion is not approved at the Point-of-Transaction, the Transaction Currency must be in the Merchant’s local currency.

196 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 4 — Processing Error

76 Reason Code 76 — Incorrect Currency — Condition 1 The Cardholder was not advised that Dynamic Currency Conversion would occur or was refused the choice of paying in the Merchant’s local currency.

Chargeback Rights and Limitations

1. Dynamic Currency Conversion occurred and the Cardholder was either: a) Not advised that Dynamic Currency Conversion would take place; or b) Refused the choice of paying in the Merchant’s local currency. 2. Chargeback is valid for the entire Transaction Amount.

Chargeback Member Message Text

Either that applies: 1. V PAY DCC— CARDHOLDER NOT ADVISED; or 2. V PAY DCC— CARDHOLDER REFUSED OPTION OF LOCAL CURRENCY.

Chargeback Documentation

1. The Dispute Resolution Form questionnaire (Exhibit 2E). 2. A Cardholder letter stating the Cardholder was not advised that Dynamic Currency Conversion would occur or was not offered a choice to pay in the Merchant’s local currency. 3. Copy of the Cardholder’s Transaction Receipt (if available).

Representment Rights and Limitations

If the Chargeback is valid, the Acquirer may only represent the Transaction in the Merchant’s local currency for the Transaction Amount prior to Dynamic Currency Conversion. The Representment must: 1. Exclude fees or commission charges directly related to Dynamic Currency Conversion that were applied to the Transaction; and 2. Include a copy of the Dynamic Currency Conversion Transaction Receipt.

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the None required Both: Chargeback 1. The Dispute Resolution Form questionnaire (Exhibit 2E); and 2. Acquirer certification that the Merchant is registered to offer Dynamic Currency Conversion.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 197 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 4 — Processing Error

77 Reason Code 77 — Non-Matching Account Number An Originating Member processed an Original Credit Transaction for an Account Number not matching any on the Issuer’s master file.

Dispute Group 4 Reason Code 77 Condition 2

Additional Information

An incorrectly entered Account Number must be processed as an original Presentment. Acquirer may be responsible for any late Presentment.

Chargeback Rights and Limitations

Chargeback minimum for a T&E Transaction is US $25 or equivalent.

Chargeback Member Message Text

ACCOUNT CLOSED ACCOUNT NOT ON FILE

Chargeback Documentation

None required

Representment Rights and Limitations

None

Representment Conditions Member Message Text Documentation

1. Reversal was processed. REVERSAL MMDDYY None required 2. Issuer did not meet the X...X (Specify the reason) None required applicable Chargeback conditions. 3. Originating Member can X...X (Specify the reason) None required remedy the Chargeback.

198 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 4 — Processing Error

82 Reason Code 82 — Duplicate Processing A single Transaction with the same Account Number was processed more than once.

Dispute Group 4 Reason Code 82 Condition 1 One Acquirer or Originating V PAY Member processed the Transaction more than once.

Chargeback Rights and Limitations

None

Chargeback Member Message Text

V PAY TRAN DATE MMDDYY, REF X...X (23- or 24-digit Acquirer Reference Number or applicable Tracing Data, for the valid Transaction)

Chargeback Documentation

None required

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the For an ATM Transaction processed For an ATM Transaction, none Chargeback more than once, either that required. applies: For all other Transactions, both: 1. V PAY CASH DISPNS SEQ 1. The Dispute Resolution Form #XXXXX AND  questionnaire (Exhibit 2E); and #SEQ XXXXX; or 2. Submit two separate 2. V PAY ACQR CERTS ATM IN Transaction Receipts or other BALANCE ON MMDDYY. record to prove separate Transactions were processed.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 199 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 4 — Processing Error

86 Reason Code 86 — Paid by Other Means Merchandise or service was received but paid by other means.

Condition Description Page

1 Cardholder paid for the same merchandise or service by other means. 201

200 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 4 — Processing Error

86 Reason Code 86 — Paid by Other Means — Condition 1 Cardholder paid for the same merchandise or service by other means.

Chargeback Rights and Limitations

1. For services paid by other means, Cardholder must attempt to resolve with Merchant. 2. Prior to exercising the Chargeback right, Cardholder must attempt to resolve with Merchant, unless prohibited by local law. 3. Chargeback invalid for the partial Prepayment if the balance payment is not authorized and the balance was not paid by alternate means. 4. Chargeback invalid if payment for services made to two different Merchants, such as payment to travel agent and T&E Merchant, unless there is evidence that the payment was passed from one Merchant to the other. 5. Chargeback is valid when the contract reflects that the Merchant accepted a voucher issued by a third party as payment for goods or services rendered, and subsequently bills the Cardholder because the Merchant is unable to collect payment from the third party.

Chargeback Member Message Text

None required

Chargeback Documentation

All of the following: 1. The Dispute Resolution Form questionnaire (Exhibit 2E); 2. Evidence that Merchant received payment by other means except for Chargeback Rights and Limitations 5; 3. For Chargeback Rights and Limitations 5, proof that Merchant accepted the voucher for payment toward merchandise or service (for example, rental contract showing that voucher was accepted by  Merchant); and 4. Issuer certification that Cardholder attempted to resolve with Merchant, unless prohibited by local law.

Representment Rights and Limitations

None

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 201 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 4 — Processing Error

Reason Code 86 — Paid by Other Means — Condition 1 — (Continued)

Representment Conditions Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed. 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the None required applicable Chargeback reason) conditions. 3. Acquirer can remedy the None required Both: Chargeback. 1. The Dispute Resolution Form questionnaire (Exhibit 2E); and 2. Documents (other than Transaction Receipt) to prove that Merchant did not receive payment by other means for the same merchandise or service.

202 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

8.7 DISPUTE GROUP 5 — CANCELLED/RETURNED A Cardholder returned merchandise and the Merchant did not process a Credit Transaction Receipt.

The following reason codes are applicable:  53—Not as Described or Defective Merchandise  85—Credit Not Processed Table 8-8 General Requirements for Dispute Group 5 - Cancelled/Returned

Chargeback Representment

Time Limit 1. 120 calendar days from the 45 calendar days from the Chargeback Transaction Processing Date or the Processing Date. applicable dates specified in each Chargeback reason code. 2. For an Original Credit Transaction, the Chargeback time limit is 120 calendar days from the Processing Date of an Original Credit Transaction.

General Rights and Refer to reason code Refer to reason code. Limitations

Additional Information At its option, a V PAY Member may provide any additional documentation or information to support the Chargeback or Representment.

Reason Code 53—Not as Described or Defective Merchandise The Cardholder received damaged or defective merchandise, or the merchandise or service did not match what was described on the Transaction Receipt or other documentation presented at the time of purchase.

Reason Code 85—Credit Not Processed A Merchant did not process a Credit Transaction Receipt as required.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 203 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

53 Reason Code 53 — Not as Described or Defective Merchandise The Cardholder received damaged, defective or counterfeit merchandise, or the merchandise or service did not match what was described on the Transaction Receipt or other documentation presented at the time of purchase.

Condition Description Page

1 Cardholder returned merchandise or cancelled services that did not match what was 205 described on the Transaction Receipt or other documentation presented at the time of purchase. This condition is only applicable for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions. 2 Merchandise received by Cardholder was damaged or defective and Cardholder 205 returned the merchandise to the Merchant. This condition is only applicable for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions. 3 Merchandise purchased by the Cardholder was identified as counterfeit by: 207 • The owner of the intellectual property or its authorised representative; • A customs agency, law enforcement agency or other government agency; or • A neutral bona fide expert. This condition is applicable for all Transaction types. 4 Cardholder disputes the quality of merchandise or services received. This condition is 208 only applicable for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions. 5 Cardholder claims that the terms of sale were misrepresented by the Merchant. This 209 condition is only applicable for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions.

Additional Information

1. For condition 1 only, Visa recommends that the Issuer provide a copy of the Transaction Receipt or other documentation containing a written description of the merchandise or services purchased. 2. Proof of shipping does not constitute proof of receipt. 3. The return of merchandise condition is met if the Merchant refuses to provide a return merchandise authorization or return address and the Issuer can provide evidence of this refusal. 4. The Issuer may be required to provide proof of shipping or returned merchandise. 5. For conditions 1 and 2 only, a neutral third party opinion is not mandatory, but the Member may obtain one to support its claim. 6. For condition 3 only, the Issuer may be required to provide a copy of the notification obtained by the Cardholder identifying the merchandise as counterfeit. 7. For condition 3 only, unless the Acquirer’s Representment successfully remedies the Chargeback, Visa recommends that the Issuer report to Visa the Cardholder’s claim of counterfeit merchandise. 8. For condition 5 only, Chargeback Rights and Limitation 5 is based on the type of merchandise or services sold and not solely on the Merchant Category Code. 9. The Issuer may provide a copy of the Transaction Receipt or other documentation containing a written description of the merchandise or services purchased, if available.

204 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

53 Reason Code 53 — Not as Described or Defective Merchandise — Condition 1 Cardholder returned merchandise, attempted to return merchandise, or cancelled services that did not match what was described on the Transaction Receipt or other documentation presented at the time of purchase.

Chargeback Rights and Limitations

1. Chargeback valid for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions only. 2. Chargeback amount is limited to the unused portion of the service or returned merchandise. 3. Before the Issuer may initiate a Chargeback, the Cardholder must return the merchandise or cancel the services. If the Cardholder is unable to return merchandise which was delivered or installed by the Merchant, the Cardholder may instead attempt to return the merchandise. 4. Prior to exercising the Chargeback1 the Issuer must wait 15 calendar days from: a) The date the merchandise was returned; b) The date the service was cancelled; or c) The date the Cardholder attempted to return the merchandise. 5. For merchandise or services provided after the Transaction Processing Date, Chargeback time frame is calculated from the date the Cardholder received the merchandise or services. 6. Chargeback amount must not exceed original Transaction Amount. 7. The Issuer must determine that the Cardholder attempted to resolve the dispute with the Merchant unless local law prohibits or amends this requirement. 8. An Issuer must not initiate a Chargeback for disputes regarding Value-Added Tax (VAT). 9. Chargeback minimum for a T&E Transaction is US $25 or equivalent. 10.Chargeback is invalid if returned merchandise is being held by any customs agency except the Merchant’s country’s customs agency. 11. Chargeback is valid: a) If returned merchandise is refused by the Merchant and Issuer can provide evidence of refusal; or b) For returned goods held within the Merchant’s country’s customs agency. 12. For a Prepayment, the Chargeback time frame is 120 calendar days from the Processing Date of the final Prepayment.

1. Does not apply if waiting period causes Chargeback to exceed Chargeback time frame or if the Chargeback was already processed prior to the goods being received.

Chargeback Member Message Text

NOT AS DESCRIBED

Chargeback Documentation

1. The Dispute Resolution Form questionnaire (Exhibit 2E), stating all of the following, as applicable: a) Date merchandise was returned or service was cancelled; b) Name of shipping company; c) Invoice/tracking number (if available); d) Date Merchant received the merchandise; e) If applicable, a detailed explanation on how and when the Cardholder attempted to return the merchandise; f) If applicable the location of the merchandise; g) Cardholder attempted to resolve the dispute with the Merchant; h) Explanation of what was not as described; and i) Date Cardholder received merchandise or services, if Chargeback time frame is calculated from date  of receipt. 2. Proof that Merchant refused return of merchandise, refused to provide a return merchandise authorization, or informed the Cardholder not to return the merchandise, if applicable.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 205 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

Reason Code 53 — Not as Described or Defective Merchandise — Condition 1 (Continued)

. Representment Rights and Limitations

None

Representment Member Message Text Documentation Conditions

1. Credit or Reversal Either that applies: None required was processed. 1. CRED MMDDYY ARN X...X (23 or 24 digits); or 2. REVERSAL MMDDYY. 2. Issuer did not meet X...X (Specify the reason) None required the applicable Chargeback conditions. 3. Acquirer can RETURNED MDSE NOT All: remedy the RECEIVED (if applicable) 1. The Dispute Resolution Form questionnaire Chargeback. (Exhibit 2E); 2. Documents to prove that the service or merchandise was correctly described; and 3. If applicable documentation to prove that the Cardholder did not attempt to return the merchandise. 4. Acquirer can None required Both: provide compelling 1. The Dispute Resolution Form questionnaire evidence. (Exhibit 2E); and 2. Compelling evidence.

206 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

53 Reason Code 53 — Not as Described or Defective Merchandise — Condition 2 Merchandise received by Cardholder was damaged or defective and Cardholder returned or attempted to return the merchandise to the Merchant.

Chargeback Rights and Limitations

1. Chargeback valid for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions only. 2. Chargeback amount is limited to the value of the returned merchandise. 3. Before the Issuer may initiate a Chargeback, the Cardholder must return the merchandise or cancel the services. If the Cardholder is unable to return merchandise which was delivered or installed by the Merchant, the Cardholder may instead attempt to return the merchandise. 4. Prior to exercising the Chargeback1, the Issuer must wait 15 calendar days from: a) The date the merchandise was returned; b) The date the Cardholder attempted to return the merchandise; or c) The date the service was cancelled. 5. For merchandise provided after the Transaction Processing Date, Chargeback time frame is calculated from the date the Cardholder received the merchandise. 6. Chargeback amount must not exceed original Transaction Amount. 7. The Issuer must determine that the Cardholder attempted to resolve the dispute with the Merchant unless local law prohibits or amends this requirement. 8. An Issuer must not initiate a Chargeback for disputes regarding Value-Added Tax (VAT). 9. Chargeback minimum for a T&E Transaction is US $25 or equivalent. 10.For a Prepayment, the Chargeback time frame is 120 calendar days from the Processing Date of the final Prepayment. 11. Chargeback is invalid if returned merchandise is being held by any customs agency except the Merchant’s country’s customs agency. 12. Chargeback is valid: a) If returned merchandise is refused by the Merchant and Issuer can provide evidence of refusal; or b) For returned goods held within the Merchant’s country’s customs agency.

1. Does not apply if waiting period causes Chargeback to exceed Chargeback time frame or if the Chargeback was already processed prior to the goods being received.

Chargeback Member Message Text

DEFECTIVE MERCHANDISE

Chargeback Documentation

1. The Dispute Resolution Form questionnaire (Exhibit 2E), stating all of the following, as applicable: a) Date merchandise was returned or service was cancelled; b) Name of shipping company; c) Invoice/tracking number (if available); d) Date Merchant received the merchandise; e) Cardholder attempted to resolve the dispute with the Merchant; f) If applicable, a detailed explanation on how and when the Cardholder attempted to return the merchandise; g) If applicable, the location of the merchandise; h) Explanation of what was defective; and i) Date Cardholder received merchandise or services, if Chargeback time frame is calculated from date  of receipt. 2. Proof that Merchant refused return of merchandise, refused to provide a return merchandise authorization, or informed the Cardholder not to return the merchandise, if applicable.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 207 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

Reason Code 53 — Not as Described or Defective Merchandise — Condition 2 (Continued)

. Representment Rights and Limitations

None

. Representment Member Message Text Documentation Conditions

1. Credit or Reversal Either that applies: None required was processed. 1. CRED MMDDYY ARN X...X(23 or 24 digits) 2. REVERSAL MMDDYY 2. Issuer did not meet X...X (Specify the reason) None required the applicable Chargeback conditions. 3. Acquirer can RETURNED MDSE NOT All: remedy the RECEIVED (if applicable) 1. The Dispute Resolution Form questionnaire Chargeback. (Exhibit 2E); 2. Documents to prove that the merchandise was not defective; and 3. If applicable, documentation to prove that the Cardholder did not attempt to return the merchandise. 4. Acquirer can None required Both: provide compelling 1. The Dispute Resolution Form questionnaire evidence. (Exhibit 2E); and 2. Compelling evidence.

208 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

53 Reason Code 53 — Not as Described or Defective Merchandise — Condition 3 Merchandise purchased by the Cardholder was identified as counterfeit by:  The owner of the intellectual property or its authorised representative;  A customs agency, law enforcement agency or other government agency; or  A neutral bona fide expert.

Chargeback Rights and Limitations

1. Chargeback time frame is calculated from either: a) The date the Cardholder received the merchandise but no later than 540 days from the Transaction Processing Date; or b) The date the Cardholder was notified that the merchandise was counterfeit, not to exceed 540 days from the Transaction Processing Date. 2. Chargeback amount must not exceed original Transaction Amount. 3. The Cardholder is not required to return the merchandise or attempt to resolve the dispute with the Merchant. 4. If the Cardholder was advised that the merchandise ordered was counterfeit, the Chargeback may be valid even if the Cardholder has not received the merchandise. 5. An Issuer must not initiate a Chargeback for disputes regarding Value-Added Tax (VAT). 6. Cardholder is not responsible for goods held within its own country’s customs agency or the customs agency of the Merchant’s country.

Chargeback Member Message Text

COUNTERFEIT MERCHANDISE

Chargeback Documentation

The Dispute Resolution Form questionnaire (Exhibit 2E), stating all of the following: 1. Certification that the Cardholder received notification that the merchandise is counterfeit from: a) The owner of the intellectual property or its authorised representative; b) A customs agency, law enforcement agency or other government agency; or c) A neutral bona fide expert. 2. Date Cardholder received the merchandise or received notification that the merchandise was counterfeit; 3. Description of the counterfeit merchandise; 4. Disposition or current location of the merchandise; and 5. Information about the person or entity that indicated the merchandise to be counterfeit, including the name of the person and/or entity providing the notification, and validation that the person or entity is qualified to provide the notification.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 209 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

Reason Code 53 — Not as Described or Defective Merchandise — Condition 3 (Continued)

Representment Rights and Limitations

None

Representment Conditions Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed. 1. CRED MMDDYY ARN X...X (23 or 24 digits); or 2. REVERSAL MMDDYY 2. Issuer did not meet the X...X (Specify the reason) None required applicable Chargeback conditions. 3. Acquirer can remedy the None required Documents to support the Merchant's Chargeback. claim that the merchandise is not counterfeit.

210 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

53 Reason Code 53 — Not as Described or Defective Merchandise — Condition 4 Cardholder disputes the quality of merchandise or services received.

Chargeback Rights and Limitations

1. Chargeback valid for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions only. 2. Chargeback amount must not exceed original Transaction Amount. 3. The Issuer must determine that the Cardholder attempted to resolve the dispute with the Merchant (not applicable if prohibited by local law). 4. Chargeback minimum for a T&E Transaction is US$25 or local currency equivalent. 5. Chargeback is invalid if returned merchandise is being held by any customs agency except the Merchant’s country’s customs agency. 6. Prior to exercising the Chargeback: a) The Issuer must wait 15 calendar days from: i. The date the merchandise was returned; ii. The date the Cardholder attempted to return the merchandise; or iii. The date the service was cancelled; b) The Cardholder must return the merchandise or cancel the services. If the Cardholder is unable to return merchandise which was delivered or installed by the Merchant, the Cardholder may instead attempt to return the merchandise. 7. For merchandise or services provided after the Processing Date of the Transaction, Chargeback timeframe is calculated from the date the Cardholder received the merchandise or services. 8. For a Prepayment, the Chargeback time frame is 120 calendar days from the Processing Date of the final Prepayment. 9. An Issuer may process a Chargeback up to 60 days from the date the Cardholder notified them of the dispute if: a) The Cardholder can provide evidence that ongoing negotiations with the Merchant to resolve the dispute started within 120 days of the Processing Date of the Transaction; and b) The Processing Date of the Chargeback does not exceed 540 days from the Processing Date of the Transaction.

Chargeback Member Message Text

None Required

Chargeback Documentation

Both: 1. The Dispute Resolution Form questionnaire (Exhibit 2E), stating all of the following, as applicable: a) A detailed explanation of what was not as described and detailed information regarding the quality of the merchandise or service; b) The date the Cardholder received the merchandise or services; c) The Cardholder attempted to resolve the dispute with the Merchant; d) The date the merchandise was returned or the service was cancelled; e) If applicable, a detailed explanation on how and when the Cardholder attempted to return the merchandise; f) The location of the merchandise, if applicable; g) The name of the shipping company; h) An invoice or tracking number (if available); and i) The date the Merchant received the merchandise. 2. Proof that the Merchant refused the return of the merchandise, refused to provide a return merchandise authorisation, or informed the Cardholder not to return the merchandise, if applicable.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 211 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

Reason Code 53 — Not as Described or Defective Merchandise — Condition 4 (Continued)

Representment Rights and Limitations

None

Representment Member Message Text Documentation Conditions

1. Credit or Reversal Either that applies: None required was processed. 1. CRED MMDDYY ARN X...X (23 or 24 digits); or 2. REVERSAL MMDDYY 2. Issuer did not meet X...X (Specify the reason) None required the applicable Chargeback conditions. 3. Acquirer can RETURNED MDSE NOT All of the following: remedy the RECIEVED (if applicable) 1. The Dispute Resolution Form questionnaire Chargeback. (Exhibit 2E); 2. Merchant rebuttal addressing the Cardholder’s claims; and 3. If applicable, documentation to prove that the Cardholder did not attempt to return the merchandise.

212 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

53 Reason Code 53 — Not as Described or Defective Merchandise — Condition 5 Cardholder claims that the terms of sale were misrepresented by the Merchant.

Chargeback Rights and Limitations

1. Chargeback valid for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions only. 2. Chargeback minimum for a T&E Transaction is US $25 or equivalent. 3. Before the Issuer may initiate a Chargeback, the Cardholder must attempt to resolve the dispute with the Merchant, unless local law prohibits or amends this requirement. 4. The Chargeback amount must not exceed the original Transaction Amount 5. The Chargeback applies for any of the following: a) Transactions at Timeshare Merchants or Merchants that resell timeshares, advertise the resale of timeshares, or Merchants that recover timeshare reseller fees; b) Transactions that take place in a Card-Absent Environment with Merchants that sell the following merchandise or services: i. The recovery, consolidation, reduction or amendment of existing financial products or services; ii. Computer software, including anti-virus software that is sold using inaccurate online advertisements, or, malicious software downloads to the Cardholder’s personal computer or other electronic device; iii. Business opportunities where the Merchant: a) Suggests, through written representations, that an income will be generated; or b) Recommends, through written representations, that the Cardholder purchases additional items (such as better sales leads) to generate more income; and iv. For Visa Europe Transactions, merchandise that has been purchased through a trial period, or, as a one off purchase where the Cardholder was not clearly advised of further billing after the purchase date. 6. Chargeback is invalid for: a) An ATM Cash Disbursement; b) A dispute regarding Value-Added Tax (VAT); and c) A dispute related solely to the quality of merchandise or services provided 7. The Chargeback timeframe is 120 calendar days from: a) The last date that the Cardholder expected to receive the merchandise or services; or b) The date on which the Cardholder was first made aware that the merchandise or services would not be provided. 8. An Issuer may process a Chargeback up to 60 days from the date the Cardholder notified them of the dispute if the Cardholder can provide evidence that ongoing negotiations with the Merchant to resolve the dispute started within 120 days of the Processing Date of the Transaction, and; 9. The Processing Date of the Chargeback must not exceed 540 days from the Processing Date of the Transaction.

Chargeback Member Message Text

TERMS OF SALE MISREPRESENTED

Chargeback Documentation

Both: 1. The Dispute Resolution Form questionnaire (Exhibit 2E), stating all of the following, as applicable: a) The date the merchandise or service was cancelled; b) The date the Merchant received the merchandise; c) That the Cardholder attempted to resolve the dispute with the Merchant; and d) The date the Cardholder received the merchandise or services. 2. Documentation from the Cardholder describing how the Merchant’s written representations do not match the terms of sale to which the Cardholder agreed.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 213 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

Reason Code 53 — Not as Described or Defective Merchandise — Condition 5 (Continued)

Representment Rights and Limitations

None

Representment Member Message Text Documentation Conditions

1. Credit or Reversal Either that applies: None required was processed. 1. CRED MMDDYY ARN X...X (23 or 24 digits); or 2. REVERSAL MMDDYY 2. Issuer did not meet X...X (Specify the reason) None required the applicable Chargeback conditions. 3. Acquirer can X...X (Specify the reason) Both: remedy the 1. The Dispute Resolution Form questionnaire Chargeback. (Exhibit 2E); and 2. Documentation to prove that the terms of sale of the merchandise or services were not misrepresented.

214 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

85 Reason Code 85 — Credit Not Processed A Merchant did not process a Credit Transaction Receipt as required.

Condition Description Page

1 Cardholder received a Credit Transaction Receipt or voided Transaction Receipt 216 that was not processed.

2 All of the following: 217 1. Cardholder returned merchandise, cancelled merchandise, or cancelled services; 2. Merchant did not issue or process a Credit Transaction Receipt; and 3. Either: a) Merchant did not properly disclose or did disclose but did not correctly apply, a limited return or cancellation policy at the time of the Transaction; or b) Merchant did not issue or process a Credit Transaction Receipt for cancelled merchandise or services related to an off-premises, distance selling contract, which is always subject to a 14 day cancellation period.

3 All of the following: 219 1. V PAY Cardholder cancelled the Timeshare Transaction; 2. Cancellation was within 14 days from the contract date; and 3. Merchant did not issue a Credit Transaction Receipt.

Additional Information

1. The 120 calendar-day Chargeback time limit is calculated from one of the following dates1: a) Date on the Credit Transaction Receipt; b) Date of the Cardholder letter if Credit Transaction Receipt is undated; and c) Date the Issuer received the Cardholder letter, if both the Credit Transaction Receipt and Cardholder letter are undated. 2. For International Transactions, refund acknowledgements and credit letters do not qualify as Credit Transaction Receipts unless they contain all required data.1 3. A lost ticket application or refund application is not considered a Credit Transaction Receipt.1 4. An Issuer must not initiate a Chargeback regarding Value-Added tax (VAT) unless the Cardholder provides a Credit Transaction Receipt.1 5. Proof of shipping does not constitute proof of receipt.2 6. If merchandise was shipped prior to cancellation the Cardholder must return the merchandise, if received.2 7. If multiple Member message texts are used, a V PAY Member may submit an Dispute Resolution Form questionnaire. 8. Visa recommends that the Issuer provide a copy of the cancellation notification to the Merchant.3

1. Applies to condition 1 only. 2. Applies to condition 2 only. 3. Applies to condition 3 only.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 215 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

85 Reason Code 85 — Credit Not Processed — Condition 1 Cardholder received a Credit Transaction Receipt or voided Transaction Receipt that was not processed.

Chargeback Rights and Limitations

1. Issuer must wait 15 calendar days from date on the Credit Transaction Receipt before initiating a Chargeback.1 2. If the Credit Transaction Receipt is undated, the 15 calendar day waiting period does not apply.1 3. Chargeback is valid if a “void” or “cancelled” notation appears on the Transaction Receipt. 4. Chargeback is invalid for disputes regarding the quality of service rendered or the quality of merchandise. 5. Chargeback invalid for ATM Cash Disbursements.

1. Does not apply if waiting period causes Chargeback to exceed Chargeback time frame or if the Chargeback was already processed prior to the goods being received.

Chargeback Member Message Text

V PAY CREDIT NOT PROCESSED

Chargeback Documentation

Both: 1. The Dispute Resolution Form questionnaire (Exhibit 2E); and 2. Copy of Credit Transaction Receipt or voided Transaction Receipt.

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the V PAY X...X (specify the reason) None required Chargeback

216 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

85 Reason Code 85 — Credit Not Processed — Condition 2 All of the following: 1. Cardholder returned merchandise, cancelled merchandise, or cancelled services; 2. Merchant did not issue or process a Credit Transaction Receipt; and 3. Either: a) Merchant did not properly disclose or did disclose but did not correctly apply, a limited return or cancellation policy at the time of the Transaction; or b) Merchant did not issue or process a Credit Transaction Receipt for cancelled merchandise or services related to an off-premises, distance selling contract, which is always subject to a 14 day cancellation period.

Chargeback Rights and Limitations

1. Issuer must wait 15 calendar days from the date the merchandise was returned prior to exercising the Chargeback. This requirement does not apply if waiting period causes Chargeback to exceed Chargeback time frame or if the Chargeback was already processed prior to the goods being received. 2. Chargeback amount is limited to either the: a) Value of the unused portion of the cancelled service; or b) Value of the merchandise returned. 3. For merchandise provided on or after the Transaction Processing Date, the 120 calendar day Chargeback time limit is calculated from the date the merchandise was received. 4. If the merchandise is returned to the Merchant prior to exercising the Chargeback, the Issuer must determine and certify that the Cardholder attempted to resolve the dispute with the Merchant (not applicable if prohibited by local law). 5. Chargeback is valid if returned merchandise is refused by the Merchant. 6. Chargeback is invalid for disputes regarding the quality of service rendered or the quality of merchandise. 7. Chargeback invalid for ATM Cash Disbursements. 8. Chargeback is invalid if returned merchandise is being held by any customs agency except the Merchant’s country’s customs agency. This does not apply to off-premises, distance selling Transactions. 9. Chargeback is valid for returned goods held within the Merchant’s country’s customs agency. 10.Chargeback must not exceed original Transaction Amount. 11. The cancellation period for off-premises, distance selling does not apply to contracts for goods or services where: a) Price is dependent on fluctuations in the financial market; b) Made to measure goods are supplied; c) Goods are liable to deteriorate or expire rapidly; d) Sealed goods, subject to health and safety provisions, are supplied; e) Goods are not received in physical form (software download); f) The Transaction is a T&E Transaction; and g) The Merchant Outlet is located in Israel, Switzerland or Turkey.

Chargeback Member Message Text

Any that apply: 1. V PAY MERCHANDISE RETURNED MMDDYY 2. V PAY SERVICE CANCELLED MMDDY; or 3. MERCHANDISE CANCELLED MMDDYY.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 217 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

Reason Code 85 — Credit Not Processed — Condition 2 (Continued)

Chargeback Documentation

1. The Dispute Resolution Form questionnaire (Exhibit 2E), stating all of the following: a) Date merchandise was cancelled or returned or service cancelled; b) Name of shipping company, if applicable; c) Invoice/tracking number, if available; d) Date Merchant received merchandise, if available; and e) Issuer certification that Cardholder attempted to resolve with Merchant. 2. Proof that Merchant refused return of merchandise, refused to provide a return merchandise authorization, or informed the Cardholder not to return the merchandise, if applicable. 3. For off-premises, distance selling contracts, both of the following: a) Proof of off-premises, distance selling contract start date; and b) Proof of Cardholder cancellation within the 14 day cancellation period.

Representment Rights and Limitations

1. None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the V PAY RETURNED MDSE NOT 1. The Dispute Resolution Form Chargeback RECEIVED (if applicable) questionnaire (Exhibit 2E); and 2. Transaction Receipt or other records to prove Merchant properly disclosed a limited return or cancellation policy at the time of the Transaction; or 3. Documents to prove that Transaction was not cancelled within 14 calendar days of the contract date or receipt date of the contract or related documents.

218 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

85 Reason Code 85 — Credit Not Processed — Condition 3 All of the following: 1. V PAY Cardholder cancelled the Timeshare Transaction; 2. Cancellation was within 14 days from the contract date; and 3. Merchant did not issue a Credit Transaction Receipt.

Chargeback Rights and Limitations

1. Chargeback is valid for a Timeshare Transaction that is not processed with the correct Merchant Category Code. 2. Chargeback is invalid for disputes regarding the quality of service rendered or the quality of merchandise. 3. Chargeback invalid for ATM Cash Disbursements.

Chargeback Member Message Text

V PAY TIMESHARE CANC MMDDYY CONTRACT RECEIPT MMDDYY (contract receipt date, if applicable)

Chargeback Documentation

None required

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the None required Both: Chargeback 1. The Dispute Resolution Form questionnaire (Exhibit 2E); and 2. Documents to prove that the Transaction was not cancelled within 14 calendar days of the contract date.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 219 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 5 — Cancelled/Returned

85 Reason Code 85 — Credit Not Processed — Condition 6 An Original Credit Transaction was not accepted because either: 1. Recipient refused the Original Credit; or 2. The Original Credit Transaction was prohibited by local law.

Chargeback Rights and Limitations

None

Chargeback Member Message Text

V PAY RECIPIENT REFUSES CREDIT NOT ALLOWED BY LOCAL LAW

Chargeback Documentation

None required

Representment Rights and Limitations

None

Representment Condition Member Message Text Documentation

1. Credit or Reversal was V PAY REVERSAL MMDDYY None required processed 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Originating V PAY Member V PAY X...X (Specify the reason) None required can remedy the Chargeback

220 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 6 — Non-Receipt Goods/Services

8.8 DISPUTE GROUP 6 — NON-RECEIPT GOODS/SERVICES A Cardholder did not receive ordered merchandise or services, or cash from an ATM, or Load Transaction value from a Load Device.

The following reason codes are applicable:  30—Services Not Provided or Merchandise Not Received  90—Non-Receipt of Cash or Load Transaction Value at an ATM or Load Device Table 8-9 General Requirements for Dispute Group 6 - Non-Receipt Goods/Services

Chargeback Representment

Time Limit 120 calendar days from the Transaction 45 calendar days from the Chargeback Processing Date Processing Date

General Rights and None Refer to individual reason code Limitations

Additional Information At its option, a V PAY Member may provide any additional documentation or information to support the Chargeback or Representment.

Reason Code 30—Services Not Provided or Merchandise Not Received Merchant was unable or unwilling to provide services (including Visa Prepaid Load Services), or Cardholder or authorized person did not receive the merchandise at the agreed-upon location or by the agreed-upon date. This reason code is only applicable for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions.

Reason Code 90—Non-Receipt of Cash or Load Transaction Value at an ATM or Load Device Cardholder participated in the Transaction, and did not receive, or received only a portion of cash or Load Transaction value.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 221 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 6 — Non-Receipt Goods/Services

30 Reason Code 30 — Services Not Provided or Merchandise Not Received Merchant was unable or unwilling to provide services (including Visa Prepaid Load Services), or Cardholder or authorized person did not receive the merchandise at the agreed-upon location or by the agreed-upon date.

Condition Description Page

1 Cardholder or authorized person participated in the Transaction, and did not receive 223 purchased services or ordered merchandise, because Merchant was unwilling or unable to provide the services or merchandise. This condition is only applicable for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions.

Additional Information

1. For purchased services, if the services were to be provided after the Processing Date of the Transaction, the 120 calendar-day time frame is calculated from the date that the Cardholder expected to receive the service, or when the Cardholder was first made aware that the services would not be provided. This time- frame must not exceed 540 calendar days from the Processing Date of the Transaction. 2. For ordered merchandise: a) If the merchandise were to be provided after the Transaction Processing Date, the 120 calendar day time frame is calculated from the last expected date that the Cardholder expected to receive the merchandise or when the Cardholder was first made aware that the merchandise would not be provided. This time- frame must not exceed 540 calendar days from the Processing Date of the Transaction. b) Proof of shipping does not constitute proof of receipt. c) If the merchandise was to be provided after the Processing Date of the Transaction, the 120 calendar-day time frame is calculated from the date that the Cardholder expected to receive the merchandise.

222 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 6 — Non-Receipt Goods/Services

30 Reason Code 30—Services Not Provided or Merchandise Not Received — Condition 1 Cardholder or authorized person participated in the Transaction, and did not receive purchased services or ordered merchandise, because Merchant was unwilling or unable to provide the services or merchandise.

Chargeback Rights and Limitations

1. Chargeback valid for Electronic Commerce Transactions and, effective from 15 October 2016, Mail/Phone Order Transactions only. 2. Prior to exercising the Chargeback, Cardholder must attempt to resolve the dispute with the Merchant or the Merchant’s liquidator, if applicable (not applicable if prohibited by local law). 3. If the date services were expected or the expected delivery date of the merchandise is not specified, Issuer must wait until 15 calendar days from the Transaction Date before exercising the Chargeback. This requirement does not apply if the waiting period causes Chargeback to exceed Chargeback time frame or if the Chargeback was already processed prior to the goods being received. 4. For Visa Europe Transactions involving disputes related to non-receipt of travel services from a provider who has failed and where these services are covered by a bonding authority/insurance scheme, the Issuer must attempt to obtain reimbursement from the relevant bonding authority/insurance scheme prior to exercising a Chargeback. This requirement does not apply if prohibited by local law. If this requirement is applicable, the Issuer must exercise the Chargeback within 60 days of the bonding authority/insurance scheme’s letter/advice. This time-frame must not exceed 540 calendar days from the Processing Date of the Transaction. 5. For disputes involving merchandise: a) Prior to exercising a Chargeback, if merchandise was delivered after agreed upon delivery date, the Cardholder must attempt to return the merchandise; or b) If the merchandise was returned due to late delivery, the Issuer must wait at least 15 calendar days from the date the Cardholder returned or attempted to return the merchandise prior to exercising the Chargeback1. 6. Chargeback amount is limited to the portion of services, merchandise or tickets not received. 7. Chargeback minimum for a T&E Transaction is US $25 or equivalent. 8. Chargeback is invalid: a) For ATM Cash Disbursements; b) If the Cardholder cancelled services prior to the expected service being rendered or cancelled merchandise prior to the expected delivery date; c) For disputes regarding the quality of the service rendered or merchandise received; d) When the Cardholder states that the Transaction was fraudulent; e) For the partial Prepayment when the remaining balance was not paid and the Merchant is willing and able to provide the service or merchandise; or f) For disputes involving merchandise: if merchandise is being held by the customs agency of the Cardholder’s country. 9. Merchant is responsible for goods held at a customs agency that is not the Cardholder’s country’s  customs agency.

Chargeback Member Message Text

SERVICES NOT RENDERED BY MMDDYY MERCH NOT RECEIVED MMDDYY

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 223 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 6 — Non-Receipt Goods/Services

Reason Code 30—Services Not Provided or Merchandise Not Received — Condition 1 (Continued)

Chargeback Documentation

1. For services not rendered, both: a) The Dispute Resolution Form questionnaire (Exhibit 2E), stating both: i. Services not rendered by expected date; and ii. Cardholder attempt to resolve with Merchant; or iii. For Chargeback Rights and Limitations 4, an explanation of the attempt to resolve the dispute with the bonding authority/insurance scheme; and date of bonding authority/insurance scheme’s letter/ advice (not applicable if prohibited by local law); and b) A detailed description of the services ordered but not rendered. This description must contain additional information beyond the data required in the Clearing Record. 2. For merchandise not received, both: a) The Dispute Resolution Form questionnaire (Exhibit 2E), stating any of the following: i. Merchandise was not received; ii. Expected arrival date of the merchandise; or iii. Merchandise not received at agreed-upon location (Issuer must specify); or iv. Cardholder attempted to resolve with Merchant; or v. Merchandise returned MMDDYY; and b) A detailed description of the merchandise ordered but not received. This description must contain additional information beyond the data required in the Clearing Record. 3. For Visa Europe Transactions only, in addition to the requirements specified above, the Issuer must also provide a Cardholder letter for Chargebacks where the Cardholder is disputing three or more Transactions where services were not rendered or merchandise was not received and that fall within a single 15-calendar day period.

Representment Rights and Limitations

None

224 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 6 — Non-Receipt Goods/Services

Reason Code 30—Services Not Provided or Merchandise Not Received — Condition 1 (Continued)

Representment Member Message Text Documentation Conditions

1. Credit or Reversal Either that applies: None required was processed. 1. CRED MMDDYY ARN X...X  (23 or 24 digits); or 2. REVERSAL MMDDYY. 2. Issuer did not meet X...X (Specify the reason) None required the applicable Chargeback conditions. 3. Acquirer can None required Both: remedy the 1. The Dispute Resolution Form Chargeback. questionnaire (Exhibit 2E); and 2. Documentation to prove that: a) Cardholder received the services; b) The merchandise or ticket was received by Cardholder or authorized person on agreed-upon date or at agreed-upon location; or c) For Airline Transactions, evidence showing that the name is included in the manifest for the departed flight and it matches the name provided on the purchased itinerary. 4. Acquirer can None required Both: provide compelling 1. The Dispute Resolution Form evidence. questionnaire (Exhibit 2E); and 2. Compelling evidence.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 225 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 6 — Non-Receipt Goods/Services

90 Reason Code 90 — Non-receipt of Cash or Load Transaction Value at an ATM or Load Device

Dispute Group 6 Reason Code 90 Condition 1 Cardholder participated in the Transaction, and did not receive cash, or received only a portion of cash or Load Transaction value.

Additional Information

1. For a dispute involving an ATM Transaction, the Issuer must make a pre-Arbitration attempt prior to filing for Arbitration if the ATM Transaction Record is required. 2. The Issuer must certify in the pre-Arbitration attempt that the ATM Transaction Record is required by the Cardholder or for legal or insurance purposes. 3. The Acquirer must provide a copy of the ATM Transaction Record at pre-Arbitration to prove disbursed cash amount. The Transaction Record must be in English with an explanation or key to the data fields in the Transaction Record.

Chargeback Rights and Limitations

1. Chargeback is limited to the amount not received. 2. Chargeback is invalid when the Cardholder states that the Transaction was fraudulent or the Transaction was posted twice.

Chargeback Member Message Text

Either that applies: 1. V PAY CASH/VALUE NOT RECEIVED; or 2. V PAY CASH/VALUE AMT €XXXX RECD €XXXX.

Chargeback Documentation

None required

Representment Rights and Limitations

None

226 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Group 6 — Non-Receipt Goods/Services

Reason Code 90 — Non-receipt of Cash or Load Transaction Value at an ATM or Load Device (Continued)

Representment Condition Member Message Text Documentation

1. Credit or Reversal was Either that applies: None required processed 1. V PAY CRED MMDDYY ARN X...X (23 or 24 digits); or 2. V PAY REVERSAL MMDDYY. 2. Issuer did not meet the V PAY X...X (Specify the reason) None required applicable Chargeback conditions 3. Acquirer can remedy the None required Both: Chargeback 1. The Dispute Resolution Form questionnaire (Exhibit 2E); and 2. A copy of the ATM Cash Disbursement Transaction log containing at least: a) Account Number; b) Transaction Date; c) Transaction time or sequential number identifying the individual Transactions; and d) Indicator that confirms that the ATM Cash Disbursements were successful.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 227 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.9 ARBITRATION Arbitration allows Visa to assign liability for a disputed Transaction when the Chargeback and Representment process fails to resolve the dispute. 

8.9.1 Reason If V PAY Members cannot resolve a dispute through the Chargeback and Representment process, a  V PAY Member may request Arbitration within the allowable time limits, as set out in Section 8.9.3.2.2. A requesting V PAY Member is liable for any difference, due to currency fluctuation, between the Transaction Amount and the amount of the Chargeback or the amount of the Representment. 

8.9.2 Pre-Arbitration Conditions Before filing for Arbitration, the requesting V PAY Member must make a pre-Arbitration attempt to resolve the dispute if any of the following conditions apply:  New documentation or information is being provided to the opposing V PAY Member about the dispute;   For Visa Europe Transactions, the Acquirer represented with compelling evidence that the Cardholder participated in the Transaction: — An Issuer’s attempt to contact the Cardholder is no longer sufficient; — The Issuer must:  Contact the Cardholder to review the compelling evidence; and  Provide documentation detailing how the compelling evidence has been addressed by the Cardholder and why the Cardholder continues to dispute the Transaction;  The Issuer changes the reason code for the dispute after the Representment was  processed; or   The Transaction is an ATM Transaction and the ATM Transaction Record is required, in which case, the Issuer must certify that either: — The Cardholder requires a copy of the ATM Transaction Record; or  — The ATM Transaction Record is required for legal or insurance purposes. 

The Acquirer or Load Acquirer must provide a copy of the ATM Transaction Record at pre-arbitration to prove disbursed cash amount or Load Transaction value. For ATM Transactions, the Transaction Record must be provided together with an explanation or key to the data fields in English. 

8.9.2.1 Pre-Arbitration Attempt

8.9.2.1.1 A pre-Arbitration Attempt must include the information required in the Dispute Resolution Form  (Exhibit 2E). 

The requesting Customer or Member and the opposing Customer or Member must provide this information in English, as well as the following:  Any supporting documentation relevant to the Transaction in dispute; and  All definitions to the relevant data fields that are contained within that supporting evidence.

8.9.2.1.2 When a V PAY Member undertakes a pre-Arbitration attempt, that pre-Arbitration attempt must be initiated using the Electronic Documentation Transfer Method, at least 30 calendar days prior to the Arbitration filing date. 

8.9.2.2 Pre-Arbitration Response A V PAY Member must provide a copy of the Transaction Record for an ATM Transaction in response to a pre-Arbitration request from another V PAY Member. 

228 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.9.2.3 Pre-Arbitration Acceptance or Rebuttal

8.9.2.3.1 If, as a result of the pre-Arbitration attempt, the opposing V PAY Member accepts financial responsibility for the disputed Transaction, it must:  Process the acceptance using the Electronic Documentation Transfer Method; and  Credit the requesting V PAY Member for the final monetary amount received by that requesting V PAY Member, which relates to the disputed Transaction, through the Visa Enterprise, as specified in the Visa Europe Fee Guide within 30 calendar days of the submission of that pre-Arbitration attempt. 

8.9.2.3.2 If the opposing V PAY Member does not accept financial responsibility as a result of the pre- Arbitration attempt, the requesting V PAY Member may file for Arbitration. 

8.9.2.3.3 An opposing V PAY Member may communicate its acceptance or rebuttal of a pre-Arbitration attempt using the Electronic Documentation Transfer Method. 

8.9.3 Arbitration Process

8.9.3.1 Filing Reasons A V PAY Acquirer may file for Arbitration if an Issuer has processed a prohibited second Chargeback following any Representment. 

A V PAY Issuer may file for Arbitration if:  Required documentation (as set out in the V PAY Operating Regulations - Scheme) to support the Representment was incomplete or not transmitted within five calendar days of the Processing Date of the Representment;   Acquirer improperly represented a Chargeback to the Issuer;   Acquirer processed a prohibited second Representment; or   Acquirer Reference Number or Tracing Data or Account Number did not match the original data in the first Presentment or Chargeback record. 

8.9.3.2 Filing Procedures

8.9.3.2.1 Filing Authority The requesting V PAY Member must file its Arbitration request with Visa.

8.9.3.2.2 Time Limits The requesting V PAY Member must file its request for Arbitration and all documentation required in accordance with Section 8.9.3.2.3, using the Electronic Documentation Transfer Method, within:  30 calendar days of the Processing Date of the Chargeback or the Representment if pre- Arbitration was not initiated; or   60 calendar days of the Processing Date of the Chargeback or the Representment if pre- Arbitration was initiated. The 60 calendar-day period includes the 30 calendar days pre- Arbitration waiting period. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 229 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.9.3.2.3 Required Documentation When seeking Arbitration, the requesting V PAY Member must provide all of the following, in English:  Information required in the Dispute Resolution Form questionnaire, as applicable;   Any supporting documentation relevant to the Transaction in dispute; and   All definitions to the relevant data fields that are contained within that supporting evidence. 

Visa reserves the right to only consider documentation as part of a ruling that meets the requirements set out in this section.

Additional information or documentation not previously provided to the opposing V PAY Member must not be included in the case filing for Arbitration.

8.9.3.2.4 Filing Fee If a request for Arbitration is made, a filing fee, as specified in Section 8.9.3.7 will be collected from the requesting V PAY Member through the Visa Enterprise, as specified in the Visa Europe Fee Guide.

8.9.3.3 Invalid Request

8.9.3.3.1 Arbitration and Compliance Committee If a request for Arbitration is rejected by the Arbitration and Compliance Committee, the filing fee set out in Section 8.9.3.2.4 may still be charged. 

If Visa determines that a request is invalid, Visa may reject the case and retain the filing fee in certain circumstances, such as:  Requesting V PAY Member did not file the request within the required time limits;   Multiple Acquirers, Issuers, Account Numbers, Merchants and filing reasons are involved;  A bundled case filing, containing more than 10 Chargebacks was submitted; or   Bundled low-value fraudulent Visa Europe Transactions as specified in Section 8.2.4.7 must not be included as part of a bundled case filing.

8.9.3.4 Valid Request

8.9.3.4.1 Notification The requesting V PAY Member and the opposing V PAY Member shall be notified of acceptance of the Arbitration case. 

8.9.3.4.2 Opposing Member’s Response If the opposing V PAY Member chooses to respond, they must do so within 14 calendar days of the Visa notification date using the Electronic Documentation Transfer Method, stating either that:  It does not accept financial liability for the Transaction and submit evidence stating its  case; or   It accepts financial liability for the Transaction. 

8.9.3.4.3 The requesting V PAY Member may withdraw its request for Arbitration. If this withdrawal is due to the opposing V PAY Member's acceptance of liability for the disputed Transaction, the filing fee will be collected from the responsible V PAY Member at the time that the case is closed, as specified in the Visa Europe Fee Guide. The responsible V PAY Member will be notified as to its financial responsibility for the disputed Transaction. 

8.9.3.4.4 Arbitration Decision The Arbitration and Compliance Committee shall base its decision on all information available to it at the time of reaching the decision, including but not limited to, the provisions of the V PAY Operating Regulations - Scheme effective on the Transaction Date and may, at its sole discretion, consider other factors such as the objective of ensuring fairness. The decision shall be both:  Issued in writing and delivered to both parties involved in the Arbitration; and   Final and not subject to any challenge, except for any permitted right of appeal. 

230 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.9.3.5 Financial Liability

8.9.3.5.1 The decision of the Arbitration and Compliance Committee may result in either:  Full liability being assigned to one V PAY Member; or   Shared financial liability. 

8.9.3.5.2 The responsible V PAY Member is financially liable for the Transaction Amount.

8.9.3.5.3 If the opposing V PAY Member is responsible, the requesting V PAY Member may collect this amount from the opposing V PAY Member within 60 calendar days of written notification from the Arbitration and Compliance Committee. 

8.9.3.6 Review Fee The responsible V PAY Member is financially liable for the €270 review fee, as specified in the Visa Europe Fee Guide which will be collected within 30 calendar days of written notification from the Arbitration and Compliance Committee, at the time of case closure.

8.9.3.7 Filing Fee The responsible V PAY Member is financially liable for the €270 filing fee which will be collected within 30 calendar days of written notification from the Arbitration and Compliance Committee, at the time of case closure. 

8.9.4 Exceptions to the Arbitration Process If a V PAY Member either misses a deadline or fails to submit documentation electronically due to a Visa Scheme Processor failure, Visa may negate the impact of such failure by granting an exception to the dispute resolution time limits or documentation requirements. 8.10 COMPLIANCE Compliance allows a V PAY Member that has no Chargeback, Representment, pre-Arbitration or Arbitration right to file a complaint against a V PAY Member for a violation of the V PAY Operating Regulations - Scheme. A requesting V PAY Member is liable for any difference, due to currency fluctuation, between the Transaction Amount and the amount of the Chargeback or the amount of the Representment.  8.11 FILING CONDITIONS A V PAY Member may file for Compliance if all of the following are true:  A violation of the V PAY Operating Regulations - Scheme has occurred;   The V PAY Member has no right to Chargeback or Representment in relation to such  violation;   The V PAY Member incurred, or will incur, a financial loss as a direct result of the violation;   The V PAY Member would not have incurred the financial loss had the violation not occurred; and   A violation not involving a Transaction is resolved, as specified in Section 9.1, and as deemed appropriate by Visa. 8.12 PRE-COMPLIANCE CONDITIONS Before filing for Compliance, the requesting V PAY Member must attempt to resolve the dispute with the opposing V PAY Member by sending a pre-Compliance attempt. 

8.12.1 Pre-Compliance Attempt A pre-Compliance attempt must include the information required in the Dispute Resolution Form questionnaire (Exhibit 2E) and the following information:  Planned date for filing the case for Compliance; and   All other pertinent documentation relevant to the rule in dispute. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 231 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

The pre-Compliance attempt must be sent to the opposing V PAY Member using the Electronic Documentation Transfer Method at least 30 calendar days prior to the Compliance filing date. 

The requesting Customer or Member and the opposing Customer or Member must provide this information in English, as well as the following:  Any supporting documentation relevant to the Transaction in dispute; and  All definitions to the relevant data fields that are contained within that supporting evidence.

8.12.2 Pre-Compliance Acceptance or Rebuttal

8.12.2.1 Pre-Compliance Acceptance If, as a result of the pre-Compliance attempt, the opposing V PAY Member accepts financial liability for the disputed Transaction, it must credit the requesting V PAY Member for the final monetary amount of financial loss incurred by that requesting V PAY Member, which related to the violation of a rule in the V PAY Operating Regulations - Scheme, through the Visa Enterprise, (as specified in the Visa Europe Fee Guide, within 30 calendar days of the date of submission of that pre-Compliance attempt. 

8.12.2.2 Pre-Compliance Rebuttal If the opposing V PAY Member does not accept financial liability as a result of the pre-Compliance attempt, the requesting V PAY Member may file for Compliance. 

8.12.2.3 Pre-Compliance Response An opposing V PAY Member must communicate its acceptance or rebuttal of a pre-Compliance attempt using the Electronic Documentation Transfer Method.  8.13 COMPLIANCE PROCESS

8.13.1 Filing Reasons A V PAY Member may file for Compliance for any violation of the V PAY Operating Regulations - Scheme by a V PAY Member, including the Transaction violations listed in Section 8.13.1. 

8.13.1.1 Chargeback Reduction Service Return

8.13.1.1.1 An Issuer may file for Compliance where a Chargeback Reduction Service returned a valid Chargeback or Representment to that Issuer resulting from an Acquirer transmitting incorrect or invalid data in a Clearing Record such as:  Incorrect Transaction Date;   Incorrect Merchant Category Code;   Invalid indicator for the Merchant or Transaction type; and   Incorrect state/country code or special condition indicator. 

8.13.1.1.2 In order to file for Compliance for this reason, the Issuer must provide both:  Evidence of such incorrect or invalid data; and   Evidence that the Member was able to meet Chargeback or Representment conditions. 

8.13.1.1.3 A V PAY Member may file for Compliance where a Chargeback Reduction Service returns a Chargeback or a Presentment which relates to a Transaction with a valid Authorization. 

In order to file for Compliance for this reason, the V PAY Member must provide the following evidence:  Disputed Transaction Receipt;   Proof that the Transaction received an Authorization; and   Evidence of a Chargeback Reduction Service return. 

232 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.13.1.2 Split Transaction

8.13.1.2.1 An Issuer may file for Compliance where it suspects that a Merchant has avoided obtaining a single Authorization for a Transaction by preparing two or more Transaction Receipts and no Authorization was obtained for the combined amount of the Transaction Receipts or a Merchant received a Decline Response and split the sale into two or more Transactions in order to obtain an Authorization. 

8.13.1.2.2 To be considered a split Transaction, the separate Transaction Receipts must both contain all of the following:  Same Account Number and expiry date;  Same Transaction Date. Visa considers undated Transactions to have the same Transaction Date;  Same Merchant Outlet;  Initials of the same sales clerk or code, indicating the same department number. Visa considers Transactions without initials or department numbers to have the same clerk or sales department; and  Sequential printed numbers. Visa considers Transaction Receipts without numbers to be consecutively numbered.

A Merchant’s cash register imprint showing consecutive Transactions will take precedence over preprinted numbers on the Transaction Receipts.

8.13.1.2.3 If the Issuer files for Compliance for the reason set out in this section, it must provide all of the following as evidence:  Original or copy of the Transaction Receipts; and  Evidence of attempted Authorization for the full Transaction Amount.

8.13.1.2.4 The purchase of multiple Airline tickets or multiple Cruise Line tickets issued at the same time on the same Account Number, which receive individual Authorization, is considered to be a single Transaction. 

8.13.1.3 Account Generated Counterfeit Fraud Card-Present, counterfeit Transactions, if all of the following conditions are fulfilled:  Transaction did not take place at a Chip-Reading Device;  Account Number was not resident on the Issuer’s master file on the Transaction Date; and  All valid Cards bearing Account Numbers within the same Account Range as the counterfeit Card are issued as part of the V PAY Program.

8.13.1.4 Transaction Not Recognised The Cardholder does not recognise the Transaction and additional information beyond the data required in the Clearing Record is needed to assist the Cardholder in identifying the Transaction but the Acquirer was unwilling to assist in the provision of further detail.

8.13.1.5 Declined Authorization A Merchant completed a Transaction after an Authorization Request received a Decline Response.

8.13.1.6 Non-matching Account Number Transaction did not receive Authorization and was processed using an Account Number that does not match any on the Issuer’s master file.

8.13.1.7 Paid By Other Means Merchandise or service was received but paid by other means.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 233 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.13.1.8 Electronic Commerce Transaction (Attempts Authentication) An Issuer may file for Compliance in respect of an Electronic Commerce Transaction coded with ECI value “6” where:  A Cardholder, who has not asserted that the Electronic Commerce Transaction was fraudulent, required additional information about that Electronic Commerce Transaction; and  The Acquirer did not respond to the Retrieval Request from the Cardholder’s Issuer with a Fulfilment, or the Acquirer responded to the Retrieval Request with a Nonfulfillment Message code “03” or “04”.

In order to file for Compliance for this reason, the Issuer must provide as evidence the Cardholder letter requesting more information about that Electronic Commerce Transaction.

In order to remedy the Compliance, the Acquirer must provide the Dispute Resolution Form and either:  A copy of the Transaction Receipt; or   A detailed description of the goods or services purchased, and any other Transaction data that was not required in the Clearing Record. 

8.13.1.9 Cardholder Letter An Acquirer may file for Compliance if it requires or its Merchant requires a signed Cardholder letter for legal purposes, as specified in Section 8.2.5.5. 

234 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.13.2 Compliance Process For 3–D Secure Transactions An Issuer may file for Compliance when participation in the 3-D Secure service or authentication is in dispute. Table 8-10 to Table 8-12 specify the dispute procedure, required documentation and the distribution of liability.

Table 8-10 specifies the Compliance process for Transactions using 3-D Secure when both the Issuer and the Cardholder participate in the service, but the Issuer declined authentication for the Transaction: Table 8-10 3-D Secure Compliance Process—Issuer Declined

Issuer Checks Pre-Compliance Response Compliance Response

ECI 5 Received

• Issuer checks Issuer requests Issuer may start Visa arbitrates • If proof Access Control proof of positive Compliance if provided is Server (ACS) for authentication proof provided is valid—Issuer Payer (such as PARes not satisfactory liable; or Authentication message) from the • If proof Response Acquirer provided is (PARes) invalid— showing Acquirer liable. declined authentication; If no proof is • Issuer may available — check Acquirer liable Authentication History Server (AHS) to validate PARes record; • If ACS/AHS shows decline response in PARes—Issuer starts pre- compliance; • If PARes shows ‘Yes’ response— Issuer is liable.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 235 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

Table 8-11 specifies the Compliance process for Transactions using 3-D Secure when both the Issuer and Cardholder participate in the service, but the Issuer was not given the opportunity to authenticate the Transaction. Table 8-11 3-D Secure Compliance Process—Issuer Unable to Authenticate

Issuer Checks Pre-Compliance Response Compliance Response

ECI 5 Received

Issuer checks own Issuer requests Issuer may start Visa arbitrates • If proof records to verify proof of attempted Compliance if provided is both: authentication proof provided is valid—Issuer liable; or • Cardholder was (such as “VEReq”/ not satisfactory enrolled in 3-D VERes” pair or • If proof Secure service “CRRes”) from the provided is at time of Acquirer. The invalid— Acquirer liable Transaction “CRRes” must “VEReq”/ prove the Cache If no proof is ”VERes” pair was updated no available — were not more than 24 Acquirer liable received; and hours prior to the • If records Transaction. confirm these, Issuer starts pre- Compliance.

Table 8-12 specifies the Compliance process for Transactions using 3-D Secure when both the Issuer and Cardholder participate in the service, but the Issuer never received a Payer Authentication Request (PAReq)/Payer Authentication Response (PARes) for the Transaction. Table 8-12 3-D Secure Compliance Process—PAReq Not Received by Issuer

Issuer Checks Pre-Compliance Response Compliance Response

ECI 5 Received

Issuer checks own Issuer requests Issuer may start Visa arbitrates • If proof records for a proof of positive Compliance if provided is PAReq/PARes pair. authentication proof provided is valid—Issuer If not found, Issuer (such as PARes not satisfactory liable; or may check “AHS”. message) from the • If proof Acquirer provided is invalid— Acquirer liable If no proof is available — Acquirer liable

236 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.13.3 Filing Procedures

8.13.3.1 Filing Authority

8.13.3.1.1 The requesting V PAY Member must file its Compliance request with Visa.

8.13.3.1.2 A requesting V PAY Member must file its request for Compliance and all documentation required in accordance with Section 8.13.1.1 using the Electronic Documentation Transfer Method. 

8.13.3.2 Time Limits

8.13.3.2.1 When initiating Compliance, the requesting V PAY Member must file its Compliance within 90 calendar days.

For all Transactions except for Credit Transactions that are deemed to be fraudulent, this time limit is calculated as beginning on the day following either:  The Processing Date; or  The "date of discovery", which is the date on which the requesting Customer or requesting Member discovered that a violation had occurred (not to exceed two years from the Transaction Date), if the Customer or Member provides evidence that this is the date on which the financial loss was discovered.

For Credit Transactions that are deemed to be fraudulent, this time limit is calculated as beginning on the day following one of the following dates:  The Processing Date of the Reversal of the fraudulent Credit Transaction;  The Processing Date of the original Transaction that is deemed to be fraudulent; or  The Processing Date of the withdrawal, from the account, of the funds that relate to that fraudulent Credit Transaction.

8.13.3.2.2 If the requesting V PAY Member does not file its Compliance request within the time limits specified above, it loses its Compliance right and is financially liable for the dispute which is the subject of that Compliance request. 

8.13.3.3 Required Documentation When filing for Compliance, the requesting V PAY Member must submit all of the following, in English:  Information required in a summary of Compliance, as set out in the Dispute Resolution Form questionnaire (Exhibit 2E) for each violation of the V PAY Operating Regulations - Scheme;   Information required in a pre-Compliance attempt, as set out in the Dispute Resolution Form questionnaire (Exhibit 2E);   If the Compliance involves a prior Chargeback, a completed Dispute Resolution Form (Exhibit 2E) for each Chargeback or Representment;   Any supporting documentation relevant to the violation of the V PAY Operating Regulations - Scheme; and  Documentation substantiating that a financial loss would not have resulted had the violation of the V PAY Operating Regulations - Scheme not occurred.  Visa reserves the right to only consider documentation as part of a ruling that meets the requirements set out in this section.

Additional information or documentation not previously provided to the opposing V PAY Member prior to filing the Compliance case must not be included in the case filing for Compliance. 

8.13.3.4 Filing Fee If a request for Compliance relating to a V PAY Member’s breach of the V PAY Operating Regulations - Scheme is made by a V PAY Member, a filing fee as specified in Section 8.13.5.7 will be collected from the requesting Member, as specified in the Visa Europe Fee Guide.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 237 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.13.4 Invalid Request

8.13.4.1 Visa If a request for Compliance is rejected by the Arbitration and Compliance Committee, the requesting V PAY Member may still be charged the filing fee.

If Visa determines that a request is invalid, it may reject the case and retain the filing fee in circumstances, such as:  Requesting V PAY Member did not file the request within the required time limits;  Multiple Acquirers, Issuers, Account Numbers, Merchants and filing reasons are involved; or  A bundled case filing, containing more than 10 bundled Chargebacks, was submitted.

8.13.5 Valid Request

8.13.5.1 Visa Notification The requesting V PAY Member and the opposing V PAY Member shall be notified of acceptance of the Compliance case.

8.13.5.2 Opposing V PAY Member’s Response If the opposing V PAY Member chooses to respond, they must do so within 14 calendar days of the Visa notification date using the Electronic Documentation Transfer Method, stating either that:  It does not accept financial liability for the Transaction and submit evidence stating its  case; or   It accepts financial liability for the Transaction. 

8.13.5.3 Requesting V PAY Member’s Withdrawal The requesting V PAY Member may withdraw its request for Compliance.

If this withdrawal is due to the opposing V PAY Member’s acceptance of liability for the financial loss resulting from a Transaction that was in violation of the rule in the V PAY Operating Regulations - Scheme, the filing fee will be collected from the responsible V PAY Member through the Visa Enterprise at the time that the case is closed, as specified in the Visa Europe Fee Guide. The responsible Member will be notified as to its financial responsibility. 

8.13.5.4 Compliance Decision The Arbitration and Compliance Committee bases its decision on all information available to it at the time of reaching the decision, including, but not limited to, the provisions of the V PAY Operating Regulations - Scheme effective on the Transaction Date and may, at its sole discretion, consider other factors such as the objective of ensuring fairness. 

The decision is both:  Issued in writing and delivered to both parties involved in the Compliance; and   Final and not subject to any challenge, except for any permitted right of appeal. 

8.13.5.5 Financial Liability

8.13.5.5.1 The decision of the Arbitration and Compliance Committee may result in either:  Full liability being assigned to one V PAY Member; or   Shared financial liability. 

8.13.5.5.2 The responsible V PAY Member is financially liable for the Transaction Amount.

If the opposing V PAY Member is responsible, the requesting V PAY Member may collect this amount from the opposing V PAY Member through the Visa Scheme Processor within 60 calendar days of written notification from the Arbitration and Compliance Committee. 

238 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 8 - Dispute Resolution

8.13.5.6 Review Fee The responsible V PAY Member is financially liable for the €270 review fee, as specified in the Visa Europe Fee Guide, which will be collected within 30 calendar days of written notification from the Arbitration and Compliance Committee, at the time of case closure.

8.13.5.7 Filing Fee The responsible V PAY Member is financially liable for the €270 Filing Fee, as specified in the Visa Europe Fee Guide, which will be collected within 30 calendar days of written notification from the Arbitration and Compliance Committee, at the time of case closure.

8.13.6 Exceptions to the Compliance Process If a Member misses a deadline or fails to submit documentation electronically due to a Visa Scheme Processor failure, Visa may negate the impact of such failure by granting an exception to the dispute resolution time limits or documentation requirements. 8.14 APPEAL RIGHTS

8.14.1 Appeal Amount The euro appeal amount, or local currency equivalent of the case, determines whether the adversely affected V PAY Member may appeal the decision, as shown in Table 8-13.  Table 8-13 Arbitration and Compliance Appeal Rights 

Disputed Amount Appeal Right Appeal Authority

Less than €4,000 No Not applicable €4,000 to €80,000 Only if V PAY Member can provide Arbitration & Compliance new evidence not previously available Committee Greater than €80,000 Only if V PAY Member can provide Arbitration & Compliance new evidence not previously available Committee

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 239 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Fines and Penalties

9.1 REGULATION ENFORCEMENT ...... 243 Fines and Penalties ...... 243 Fines and Penalties Process ...... 243 Allegations ...... 243 Investigation ...... 243 Fines and Penalties Rules ...... 243 Repetitive Violations ...... 243 Investigative Costs ...... 243 Fine Payment ...... 243

9.2 FINES AND PENALTIES SCHEDULE ...... 244 General ...... 244 Egregious Violations ...... 244 Penalties for Compromised Account Information and Transaction Information . . . . . 245 Penalties for Non-Compliance of the Account Information Security Program . . . . . 246 Data Quality Improvement Compliance Program—Fines ...... 246 Penalty for V PAY Member Failure to Comply with Fraud Activity Reporting ...... 247 Penalties for Violations of the Merchant Fraud Performance Program ...... 247 Penalties for Illegal or Prohibited Transactions ...... 248 Global Compromised Account Recovery Program ...... 248 Global Compromised Account Recovery Funds Distribution and Administration  Fee ...... 248 Acquirer Penalty for V PAY Member Failure to Comply with PIN Security  Requirements and PIN Security Self-Audit Requirements ...... 249 Acquirer Penalties for Merchants Exceeding Acceptable Chargeback Ratios ...... 249 Penalties for Violations of the Acquirer Performance Metric Program ...... 251 Penalties for V PAY Member Failure to Comply with the Chip Interoperability  Compliance Program ...... 251 Penalties for Incorrect Use of Dynamic Currency Conversion on V PAY  Transactions ...... 252 Acquirer Penalties for Non-Compliance of the Visa Merchant Alert Services Requirements ...... 252 Chip and PIN Disputes Compliance Program ...... 253

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 241 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

Notification ...... 253 Penalties ...... 253 Penalties for V PAY Member Failure to Comply with the Electronic Commerce  Merchant Monitoring Program ...... 253

242 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

9.1 REGULATION ENFORCEMENT

9.1.1 Fines and Penalties Visa may impose fines and penalties on V PAY Members for failure to comply with the V PAY Operating Regulations - Scheme.

9.1.2 Fines and Penalties Process

9.1.2.1 Allegations Allegations of violations of the V PAY Operating Regulations - Scheme may be brought by any of the following:  Visa;  A V PAY Member; or  A Visa employee.

9.1.2.2 Investigation Where a suspected violation, by a V PAY Member, of a rule set out in the V PAY Operating Regulations - Scheme comes to the notice of Visa, Visa will investigate the suspected violation and promptly notify that V PAY Member that either:  No violation has been committed; or   A violation has been committed, in which case, Visa will state the action to be taken by the V PAY Member and/or Visa as a result of such violation, including specifying a time frame for the V PAY Member to remedy the violation. 

9.1.3 Fines and Penalties Rules

9.1.3.1 Repetitive Violations A V PAY Member shall be deemed to have committed a “repetitive violation” if that V PAY Member commits a violation of a rule set out in the V PAY Operating Regulations - Scheme and, that same V PAY Member, commits any repeat violation of that same rule within a 12-month period starting from the date by which the first violation is required to be rectified (in accordance with the notification from Visa pursuant to Section 9.1.2.2). In addition to any other fines and penalties set out in the V PAY Operating Regulations - Scheme for violating that rule, Visa may impose the fines specified in Table 9-1.

9.1.3.2 Investigative Costs Visa may require a V PAY Member to reimburse all investigative costs incurred by Visa in investigating a suspected violation of any rule set out in the V PAY Operating Regulations - Scheme by that V PAY Member in accordance with Section 9.1.3.3. This is in addition to any fines that may be imposed for the violation.

9.1.3.3 Fine Payment Visa may collect any fine or investigative cost from a V PAY Member via the International Settlement Service. The V PAY Member will receive a notification from Visa in respect of such cost or fine.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 243 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

9.2 FINES AND PENALTIES SCHEDULE

9.2.1 General Visa may collect the fine listed in the first line of Table 9-1 below, for any first violation of a rule set out in the V PAY Operating Regulations - Scheme where no specific fine has been prescribed for that violation elsewhere in the V PAY Operating Regulations - Scheme.

Visa may collect the fines listed in Table 9-1 below (which shall escalate as set out in that table) for any “repetitive violations” (as described in Section 9.1.3.1) where no specific fines have been prescribed for repeat violations of a rule elsewhere in the V PAY Operating Regulations - Scheme. Where a specific fine has been prescribed for the first violation only elsewhere in the V PAY Operating Regulations - Scheme, the escalation fines in Table 9-1 (that is the fines listed after the first line of Table 9-1) shall be in addition to that fine for each “repetitive violation”. Table 9-1 General Schedule of Fines

Violation Fine

First violation of rule Warning letter with specific date for correction and €400 fine Second violation of same rule in a 12-month period €4,000 fine after date of correction specified in the notification of first violation Third violation of same rule in a 12-month period €8,000 fine after date of correction specified in the notification of first violation Fourth violation of same rule in a 12-month period €20,000 fine after date of correction specified in the notification of first violation Five or more violations of same rule in a 12-month Visa’s discretion period after date of correction specified in the notification of first violation If the 12-month period is not violation-free and the Additional fine equal to all fines levied during that  fines total €20,000 or more 12-month period

9.2.2 Egregious Violations V PAY Members that perform an Egregious Violation of the V PAY Operating Regulations - Scheme may be levied a fine as set out in Table 9-2. Table 9-2 General Penalty Schedule—Egregious Violations

Violation Fine

First violation of rule Warning letter with specific date for correction and €50,000 penalty (payment of the fine shall be suspended until end date for correction) Second violation of the same rule in a 12-month €100,000 period after notification of first violation Monthly increase thereafter for non-correction of €150,000 above previous month’s total penalties. For the same violation example, if month 3 = €300,000;  month 4= €450,000 and so forth Eight or more violations of the same rule in a 12- Visa’s discretion month period after notification of first violation If the 12-month period is not violation-free and the An additional penalty equal to all fines levied during penalties total €250,000 or more that 12-month period

244 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

9.2.3 Penalties for Compromised Account Information and Transaction Information

9.2.3.1 Effective for Account Data Compromise Events initiated on or after 1 May 2016, at the discretion of Visa, an Acquirer not complying with Section 2.7.3 may be subject to fines for compromised account information, as set out in Table 9-3, at any Merchant type specified in Table 9-4 for cases involving less than three Acquirers. Account Data Compromise Events that meet the criteria for the Visa Europe PFI Lite service, as defined in the Visa Europe What To Do If Compromised Guide, are excluded from these penalties.

Table 9-3 Effective from 1 May 2016, Fines for Compromised Account Information

Violation Visa Fine

Compromised Account Number only €3 Compromised Account Number and Card €18 Verification Value 2 data

Table 9-4 Merchant Type

Merchant Type Number of Transactions per year

Level 1 More than 6,000,000 Level 2 1,000,001 - 6,000,000 Level 3 (Electronic Commerce Merchants only) 20,000 - 1,000,000 Level 4 1 - 1,000,000

9.2.3.2 Effective for Account Data Compromise Events initiated up to and including 30 April 2016, a V PAY Member not complying with Section 2.7.3 may be subject to fines, as set out in Table 9-5.

Effective for Account Data Compromise Events initiated on or after 1 May 2016, for cases involving three or more Acquirers, a V PAY Member not complying with Section 2.7.3, may be subject to fines, as set out in Table 9-5.

These fines are dependent on the Processor or type of Merchant, as specified in Table 9-5. Visa may continue to fine the Acquirer until such time as Visa is satisfied that the V PAY Member has demonstrated remediation as specified in Section 9.2.3 with the Payment Card Industry Data Security Standard.

Table 9-5 Compromised Account Penalty Schedule

Event Visa Penalty for Merchant Type (€)

Level 1 Level 2 Level 3 Level 4 Processor Merchant Other Processor

Initial Fine 50,000 25,000 10,000 2,5001 50,000 25,000 10,000 Insufficient remediation 30,000 15,000 5,000 5,000 30,000 15,000 5,000 after 90 days1 Insufficient remediation 50,000 25,000 10,000 10,000 50,000 25,000 10,000 after 120 days Insufficient remediation 75,000 50,000 15,000 15,000 75,000 30,000 25,000 after 150 days Insufficient remediation 75,000 50,000 15,000 15,000 75,000 30,000 25,000 after 180 days

1. Refer to Section 2.3.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 245 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

Effective until 30 April 2016, sufficient remediation requires that a V PAY Member demonstrates to Visa, within the time frames as specified in Table 9-5, that the Merchant, Merchant Processor, Processor or Internet Payment Service Provider (IPSP) has provided evidence of the following:  Removal of all sensitive authentication data and limit data retention;  The perimeter, internal and wireless networks have been protected;  All applications are secured; and  Data is protected through monitoring and access control.

The removal of all Card Verification Value 2 (CVV2) data must be achieved by all Merchants, Merchant Processors, Processors and IPSPs within 30 calendar days of notification.

9.2.3.3 Penalties for Non-Compliance of the Account Information Security Program Effective until 30 April 2016, a Member not complying with the requirements in Section 2.7 will be subject to the fines in Table 9-6: Table 9-6 Effective until 30 April 2016, Penalties for Non-compliance of the Account Information Security Program

Event Visa Fine

Confirmation of compliance status of Merchant and/or €5,250 per incident of non-compliance third parties, or Member self-certification not received by Visa within 30 days of notification by Visa. Confirmation of compliance status of Merchant and/or €10,500 per incident of non-compliance third parties, or Member self-certification not received by Visa within 90 days of notification by Visa. Confirmation of compliance status of Merchant and/or €26,250 per incident of non-compliance third parties, or Member self-certification not received by Visa within 120 days of notification by Visa. The Member will continue to be charged this fee every 30 calendar days until compliance is achieved.

9.2.4 Data Quality Improvement Compliance Program—Fines An Acquirer must ensure that all Authorization Requests and Clearing Records contain complete and valid data. If Visa determines that an Acquirer has failed to do so, that Acquirer may, at Visa’s discretion, be subject to the fines and penalties set out in Table 9-7.  Table 9-7 Data Quality Improvement Compliance Program—Fines

Violation Time Period Visa Action or Fine

Problem Not Resolved After Second Notification Letter

Problem not resolved after receipt 60 calendar days €4,000 of notification Problem not resolved after receipt 90 calendar days €8,000 of notification Problem not resolved after receipt 120 calendar days, plus every 30 €20,000 per month of notification calendar days for each subsequent month until compliance is achieved

Resolution Date Not Met

Problem not resolved by the Agreed-upon resolution date €4,000 agreed-upon date

246 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

Table 9-7 Data Quality Improvement Compliance Program—Fines (Continued)

Violation Time Period Visa Action or Fine

Problem not resolved Within 30 calendar days of the €8,000 agreed-upon resolution date Problem not resolved Within 60 calendar days of the €20,000 per month agreed-upon resolution date, plus every 30 calendar days for each subsequent month until compliance is achieved

9.2.5 Penalty for V PAY Member Failure to Comply with Fraud Activity Reporting If a V PAY Member fails to comply with the requirements set out in Section 2.3.5, that V PAY Member may, at Visa discretion, be subject to the fines set out in Table 9-8: Table 9-8 Issuer Penalties for Failure to Comply with Fraud Activity Reporting

Occurrence Warning Letter Suspension of Fraud Fine (Minimum Onsite V PAY Chargeback Rights1 Amount) Member Audit

First calendar quarter Yes Not applicable €0 Not applicable Second consecutive Yes Not applicable €0 Not applicable calendar quarter Third consecutive Not applicable 90 calendar days €20,000 Not applicable calendar quarter Fourth consecutive Not applicable 180 calendar days €40,000 Yes calendar quarter Fifth consecutive Not applicable Until compliance Visa’s decision based Not applicable calendar quarter upon re-evaluation

1. Chargeback reason codes are set out in the Dispute Resolution rules.

9.2.6 Penalties for Violations of the Merchant Fraud Performance Program An Acquirer must monitor the Intra-regional Transactions of its Merchant Outlets to determine whether the fraud performance thresholds specified in the Visa Merchant Fraud Performance Program Guide have been met or exceeded and where those thresholds have been exceeded, an Acquirer shall work together with its Merchants to bring those Merchant Outlets’ fraud levels back to below the threshold. 

If a Merchant’s Merchant Outlet continues to meet or exceed the fraud performance thresholds specified in the Visa Merchant Fraud Performance Program Guide:  The Acquirer of that Merchant will be liable under Chargeback Reason Code 93, “Merchant Fraud Performance Program” for fraudulent Transactions at that Merchant Outlet;  Visa may, at Visa’s discretion, apply the escalating financial penalties set out in the Visa Merchant Fraud Performance Program Guide to that Acquirer; and  Visa may disqualify the Merchant Outlet from using the Visa Enterprise and the Acquirer must ensure that this is enforced.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 247 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

9.2.7 Penalties for Illegal or Prohibited Transactions An Acquirer that processes Transactions that are for the purchase of illegal or prohibited goods or services may be subject to penalties, as specified in Table 9-9.

Within five business days of being notified by Visa of a suspected violation, the Acquirer must provide:  Evidence that the suspected violation has been remedied; or  Documentary evidence refuting the suspected violation.

Failure to provide one of the above may result in the penalties described in Table 9-9 and remedying a violation does not necessarily eliminate fine liability.

Table 9-9 Penalties Schedule for Illegal or Prohibited Transactions

Violation Visa Action or Fine

First violation Member is assessed a fine of €25,000 per: • Merchant or Sponsored Merchant; or • Merchant URL or per Sponsored Merchant URL, that is identified per calendar month of non-compliance. Subsequent violation after notification of first Member is assessed a fine of €50,000 per: violation • Merchant or Sponsored Merchant; or • Merchant URL or per Sponsored Merchant URL, that is identified. The fine will increase by €25,000 for each subsequent calendar month of non-compliance up to a maximum of €100,000. Non-compliance may also result in the Acquirer being subject to corporate risk reduction measures, as specified, which may include revocation of acquiring privileges.

9.2.8 Global Compromised Account Recovery Program An Issuer may recover a portion of its estimated incremental counterfeit fraud losses and operating expenses resulting from an Account Data Compromise Event involving compromise of Magnetic Stripe Data and/or PIN data under the Global Compromised Account Recovery Program. The Global Compromised Account Recovery Program is used to assign liability for such losses. 

9.2.8.1 Global Compromised Account Recovery Funds Distribution and Administration Fee Visa will debit the Acquirer responsible for the breached entity and credit the eligible Issuer(s) with the amount recovered under the Global Compromised Account Recovery Program. Visa will deduct an administration fee of three per cent from the amount that each Issuer recovers under the program. This fee will be a minimum of US $25, up to a maximum of US $500, per payment to each Issuer of an amount in accordance with the program.

248 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

9.2.9 Acquirer Penalty for V PAY Member Failure to Comply with PIN Security Requirements and PIN Security Self-Audit Requirements A V PAY Member may, at Visa’s discretion, be subject to fines specified in Table 9-10 if that V PAY Member fails to comply with Section 2.7.5.1. Table 9-10 Acquirer Fines for Member Failure to Comply with PIN Security Requirements and PIN Security Self-audit Requirements

Calendar Days Fine

Within 29 calendar days of its annual due date No fine Within 30 calendar days to 59 calendar days of its annual due date €8,000 fine Within 60 calendar days to 89 calendar days of its annual due date €8,000 fine Within 90 calendar days to 119 calendar days of its annual due date €8,000 fine Within 120 calendar days and every 30 calendar days of its annual due date €20,000 fine

9.2.10 Acquirer Penalties for Merchants Exceeding Acceptable Chargeback Ratios An Acquirer that has Merchants placed in the Global Brand Protection Program, and/or, effective until 30 June 2016, the Global Merchant Chargeback Monitoring Program may, at Visa’s discretion, be subject to the penalties set out in Table 9-11 and Table 9-12. The Chargeback ratio referred to is two percent Chargeback of all International Transactions and Country-to-Country Transactions that have originated from the Merchants, Sponsored Merchants, High Brand-Risk Merchants, High Brand-Risk Sponsored Merchants and High Brand-Risk Internet Payment Service Providers.

Table 9-11 Acquirer Penalties for Merchants in the Global Merchant Chargeback Monitoring Program

Event Month Visa Action or Fine

Merchant meets or exceeds the specified Months 1–3 • Three-month remediation Chargeback ratio period to reduce Chargebacks. • No fine. Merchant meets or exceeds the specified Months 4–10 • US $100 per Chargeback for Chargeback ratio every month the Merchant meets or exceeds the program thresholds. • If the Acquirer and/or Merchant have not implemented procedures to reduce Chargebacks, Visa may assess a fine of US $200. Merchant meets or exceeds the specified Month 11 and • US $100 per Chargeback for Chargeback ratio subsequent every month the Merchant months meets or exceeds the program thresholds. • If the Acquirer and/or Merchant have not implemented procedures to reduce Chargebacks, Visa may assess a fine of US $200. • Visa may disqualify the Merchant from participation in the Visa Enterprise.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 249 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

Table 9-12 Acquirer Penalties for their High Brand-Risk Merchants, Sponsored Merchants and High Brand-Risk Sponsored Merchants in the Global Brand Protection Program

Event Month Visa Action or Fine

High Brand-Risk Merchant, Sponsored Months 1–3 US $100 per Chargeback per month Merchant or High Brand-Risk Sponsored for each identified Merchant Outlet. Merchant meets or exceeds the specified Chargeback ratio High Brand-Risk Merchant, Sponsored Months 4–5 If the Acquirer and/or Merchant, High Merchant or High Brand-Risk Sponsored Brand-Risk Merchant, Sponsored Merchant meets or exceeds the specified Merchant or High Brand-Risk Chargeback ratio Sponsored Merchant have not implemented procedures to reduce Chargebacks, Visa may assess a fine of US $200. High Brand-Risk Merchant, Sponsored Month 6 and • If the Acquirer and/or Merchant, Merchant or High Brand-Risk Sponsored subsequent months High Brand-Risk Merchant, Merchant meets or exceeds the specified Sponsored Merchant or High Chargeback ratio Brand-Risk Sponsored Merchant have not implemented procedures to reduce Chargebacks, Visa may assess a fine of US $200. • Visa may disqualify the Merchant, High Brand-Risk Merchant, Sponsored Merchant or High Brand-Risk Sponsored Merchant from participation in the Visa Enterprise. High Brand-Risk Merchant, Sponsored Visa may disqualify the Merchant, Merchant or High Brand-Risk Sponsored High Brand-Risk Merchant, Sponsored Merchant meets or exceeds the specified Merchant or High Brand-Risk Chargeback ratio without an effective Sponsored Merchant from Chargeback reduction plan, and two of the participation in the Visa Enterprise. following levels of Chargeback activity are reached: • High Brand-Risk Merchant, Sponsored Single month N/A Merchant or High Brand-Risk Sponsored Merchant’s Chargeback ratio is two or more times the Chargeback ratio in a single month • High Brand-Risk Merchant, Sponsored Single month N/A Merchant or High Brand-Risk Sponsored Merchant is assessed fees for 3,000 or more Chargebacks in a single month • High Brand-Risk Merchant, Sponsored When reached N/A Merchant or High Brand-Risk Sponsored Merchant is assessed a total of US $1 million or more in Global Brand Protection Program fees Acquirer does not identify a High Brand-Risk When violation US $25,000 per Merchant per month. Merchant or High Brand-Risk Sponsored occurs Merchant with the correct Merchant Category Code, as specified in Section 2.3.9.3

250 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

9.2.11 Penalties for Violations of the Acquirer Performance Metric Program The Acquirer Performance Metric Program monitors the Acquirer’s overall International and Country- to-Country Chargeback performance.

An Acquirer placed in the Acquirer Performance Metric Program may, at Visa’s discretion, be subject to the penalties set out in Table 9-13. The Chargeback ratio referred to in Table 9-13 is 1.5  per cent Chargeback of all International and all Country-to-Country Transactions that have originated from that Acquirer. Table 9-13 Penalty Schedule for Non-Compliance with the Acquirer Performance Metric Program

Event Visa Action or Fine

Acquirer meets or exceeds the Chargeback ratio €20,000 for every month the Acquirer meets or exceeds thresholds the program thresholds

Acquirer meets or exceeds the Chargeback ratio €40,000 for every month the Acquirer meets or thresholds more than three times in a rolling 12- exceeds the program thresholds month period Acquirer meets or exceeds the Chargeback ratio €80,000 for each subsequent month the thresholds are thresholds more than six times in a rolling 12- met or exceeded and the Acquirer is eligible for the month period implementation of risk reduction procedures, as specified in Section 2.2.1.

9.2.12 Penalties for V PAY Member Failure to Comply with the Chip Interoperability Compliance Program A V PAY Member will be subject to the Chip Interoperability Compliance Program if Visa determines that the V PAY Member satisfies the conditions specified in Section 4.2.2.4.2.

A V PAY Member may, at Visa’s discretion, be subject to the penalties specified in Table 9-14 if Visa determines that the V PAY Member that is subject to the Chip Interoperability Compliance Program in accordance with Section 4.2.2.4.2 has failed to either:  Establish and commit to an agreed-upon Chip interoperability resolution plan; or  Make satisfactory progress toward resolution of the Chip interoperability problem in accordance with any agreed-upon Chip interoperability resolution plan and provide progress reports to Visa. Table 9-14 V PAY Member Penalties for Non-Compliance with the Chip Interoperability Compliance Program

Violation Visa Action or Fine

Initial identification and confirmation of a Chip V PAY Member receives notification that: interoperability problem • The V PAY Member may be fined; and • The V PAY Member must establish and commit to an agreed-upon resolution plan to resolve the Chip interoperability problem to Visa within 30 calendar days of such notification. Chip interoperability problem not addressed by €10,000 fine providing an agreed-upon resolution plan to Visa or the agreed-upon resolution plan is not followed within 30 calendar days of initial notification Chip interoperability problem not addressed by €50,000 fine providing an agreed-upon resolution plan to Visa or the agreed-upon resolution plan is not followed within 60 calendar days of initial notification

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 251 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

Table 9-14 V PAY Member Penalties for Non-Compliance with the Chip Interoperability Compliance Program (Continued)

Violation Visa Action or Fine

Chip interoperability problem not addressed by €100,000 fine providing an agreed-upon resolution plan to Visa or the agreed-upon resolution plan is not followed within 90 calendar days of initial notification Chip interoperability problem not addressed by €100,000 fine and €100,000 per subsequent providing an agreed-upon resolution plan to Visa or the month, and the case will be referred to Visa for its agreed-upon resolution plan is not followed within 120 consideration calendar days of initial notification

9.2.13 Penalties for Incorrect Use of Dynamic Currency Conversion on V PAY Transactions Failure of an Acquirer to comply with the requirements set out in Section 6.9 may result in a fine of €28,875 per month per Merchant, following a written warning from Visa.

Failure of an Acquirer to comply with the Dynamic Currency Conversion Standards set out in Section 6.9, where a Merchant is found to be providing Dynamic Currency Conversion incorrectly on V PAY Transactions at either Point-of-Transaction Terminals or ATMs may result in the following penalty schedule set out in Table 9-15: Table 9-15 Penalty Schedule for Non-Compliance with DCC Program Requirements

Event Visa Action/Fine

Non-compliance with Dynamic Currency Conversion Letter sent to Acquirer rules is identified and communicated to Acquirer Acquirer plan for corrective action not received by €11,550 fine per calendar month per non-compliant Visa within one month of original notification letter Merchant performing Dynamic Currency Conversion Failure to implement corrective action within a €23,100 fine per calendar month per non-compliant reasonable time frame (as agreed between Visa and Merchant performing Dynamic Currency Conversion the Acquirer) Continued failure to agree and/or implement Visa may both: corrective actions within a reasonable time frame • Require the Acquirer to terminate the non- compliant Merchant performing Dynamic Currency Conversion; and • Prohibit the Acquirer from contracting with any new Merchants wishing to perform Dynamic Currency Conversion

9.2.14 Acquirer Penalties for Non-Compliance of the Visa Merchant Alert Services Requirements An Acquirer must list all Merchants on the Visa Merchant Alert Service, as specified in Section 2.3. The following table lists the fines for violation of this requirement. Table 9-16 Penalties for Non-Compliance of Visa Merchant Alert Services Requirements1

Violation Penalty

Each violation Minimum fine of €5,0002 per occurrence

1. Reference should also be made to the Visa Merchant Alert Service User Guide. 2. There is no maximum monthly penalty.

252 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

9.2.15 Chip and PIN Disputes Compliance Program The Chip and PIN Disputes Compliance Program provides the framework for a V PAY Member or V PAY Member’s agent to establish an agreed-upon resolution plan and effect a timely resolution.

9.2.15.1 Notification A V PAY Member that is inappropriately processing EMV Transactions or disputes, or operating without due diligence, will be contacted by Visa to clarify their operational practices and, as necessary, agree a corrective plan.

Visa reserves the right to undertake an on-site review and/or impose sanctions, should any of the following occur:  An action plan cannot be agreed; and  An agreed action plan is not delivered within the agreed time frame.

9.2.15.2 Penalties Should satisfactory corrective action not be taken by an identified V PAY Member, penalties may be assessed in accordance with Table 9-17.

Table 9-17 V PAY Member Penalties for Non-Compliance with the Chip and PIN Disputes Compliance Program

Beginning of Month Status of Violation Visa Action

Month 1 Initial confirmation of V PAY Member is warned in writing that Visa will take violation action if the situation is not addressed to the satisfaction of the Visa within 30 calendar days Month 2 Unaddressed violation • Visa will revoke the V PAY Member’s right to use specific chargeback or representment rights relating to the area of violation • V PAY Member is provided with a secondary warning that fines may apply if the situation is not addressed to the satisfaction of Visa within 60 calendar days Months 4-5 Unaddressed violation V PAY Member is fined €27,000 per month Month 6+ Unaddressed violation V PAY Member is fined €54,000 per month

9.2.16 Penalties for V PAY Member Failure to Comply with the Electronic Commerce Merchant Monitoring Program An Acquirer is subject to the penalties specified in Table 9-18 if it fails to terminate a Merchant, Internet Payment Service Provider (IPSP), or Sponsored Merchant that displays a V PAY Mark on its website or accepts V PAY Cards in such a way that is deemed to bring the Visa brand or organisation into disrepute: Table 9-18 Acquirer Penalties for Non-Compliance with the Electronic Commerce Merchant Monitoring Program

Event Visa Action and Penalty

First identification of a Merchant or its principals, IPSP or Notification of violation sent to Acquirer Sponsored Merchant deemed to be bringing the brand into with a request that URL of either the disrepute Merchant or Sponsored Merchant be terminated within three working days Merchant or its principals, IPSP or Sponsored merchant not € 150,000 fine per URL of either the terminated within three working days of notification Merchant or the Sponsored Merchant

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 253 V PAY Operating Regulations - Scheme Chapter 9 - Fines and Penalties

Table 9-18 Acquirer Penalties for Non-Compliance with the Electronic Commerce Merchant Monitoring Program (Continued)

Event Visa Action and Penalty

Second identification of the same Merchant or its principals, IPSP € 300,000 fine per URL of either the or Sponsored Merchant identified in a 12-month period or V PAY Merchant or the Sponsored Merchant Member failure to terminate within the required time frame (three further working days) Third identification of the same Merchant or its principals, IPSP or € 500,000 fine per URL of either the Sponsored Merchant identified in a 12-month period or V PAY Merchant or the Sponsored Merchant Member failure to terminate within required time frame (three further working days) Fourth identification of the same Merchant or its principals, IPSP € 1,000,000 fine per URL of either the or Sponsored Merchant identified in a 12-month period or V PAY Merchant or Sponsored Merchant Member failure to terminate within required time frame (three further working days) Any further identification of the same Merchant or its principals, Visa will assess further penalties and/or IPSP or Sponsored Merchant identified in a 12-month period or  revoke Acquiring privileges V PAY Member failure to terminate within required time frame (three further working days)

254 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Fees

10.1 INTRODUCTION ...... 257

10.2 V PAY INTERCHANGE REIMBURSEMENT FEES ...... 257 Default Interchange Reimbursement Fees ...... 257 Registration of Domestic Interchange Reimbursement Fees ...... 257 Visa Europe Proximity Payment Interchange Reimbursement Fee ...... 257

10.3 CASH DISBURSEMENTS ...... 258 ATM Cash Disbursement and Incentive Fees ...... 258 Tier Requirements ...... 258 ATM Cash Disbursement Fees for Visa Europe Transactions ...... 258 ATM Cash Disbursement Fees for International Transactions ...... 258 Issuer ATM Fees ...... 259 Manual Cash Disbursement Fee ...... 259 Manual Cash Disbursement Fees for Visa Europe Transactions ...... 259 Manual Cash Disbursement Fees for International Transactions ...... 259

10.4 DYNAMIC CURRENCY CONVERSION AT ATM CURRENCY CONVERSION  FEE ...... 259

10.5 INTERCHANGE REIMBURSEMENT FEES FOR INTERNATIONAL  TRANSACTIONS ...... 259 Requirement and Fee Structure ...... 259 Fee Amount ...... 260 Retrospective Manual Adjustments ...... 260 Member Requirements ...... 260 Retrospective Manual Adjustments to Fees ...... 260 Retrospective Manual Adjustments to Fees for Domestic Transactions ...... 261

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 255 V PAY Operating Regulations - Scheme Chapter 10 - Fees

10.6 VISA DIRECT TRANSFERS ...... 261

10.7 HANDLING FEES FOR RECOVERED V PAY CARDS ...... 261

10.8 GLOBAL MERCHANT CHARGEBACK MONITORING PROGRAM— CHARGEBACK HANDLING FEE DETAILS ...... 261 CHARGEBACK HANDLING FEES ...... 261

256 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 10 - Fees

10.1 INTRODUCTION This chapter contains V PAY Member-to-Member fees. For all other fees please consult the Visa Europe Fee Guide. 10.2 V PAY INTERCHANGE REIMBURSEMENT FEES The V PAY Interchange Reimbursement Fees serve as fees between Members of Visa, and only apply as the default Interchange Reimbursement Fees for Domestic Transactions in Visa countries where a V PAY Member’s domestic operating regulations do not provide for an equivalent fee.

For the avoidance of doubt, no Interchange Reimbursement Fees applicable to International Transactions shall be applied, by default, to Visa Europe Transactions.

10.2.1 Default Interchange Reimbursement Fees Table 10-1 lists the default Interchange Reimbursement Fees applied to V PAY Transactions where both the Card is issued and the Merchant Outlet is located within the European Economic Area. Table 10-1 Interchange Reimbursement Fees for V PAY Transactions Within the European Economic Area

Transaction type Percentage of Transaction + per Transaction value

V PAY EMV-Compliant 0.15% + €0.0151 V PAY Electronic commerce 0.15% + €0.0151 V PAY Proximity Payment 0.15% + €0.025 V PAY Non-qualified 0.40% + €0.0401

1. For Prepaid Transactions, an additional €0.01 per Transaction applies.

Table 10-2 lists the default Interchange Reimbursement Fees applied to V PAY Transactions where either or both the Card is issued and/or the Merchant Outlet is located within the Territory but outside the European Economic Area. Table 10-2 Interchange Reimbursement Fees for V PAY Transactions Outside the European Economic Area

Transaction type Per Transaction

V PAY EMV-Compliant €0.15 V PAY Electronic commerce €0.15 V PAY Proximity Payment €0.06 V PAY Non-qualified €0.22

10.2.2 Registration of Domestic Interchange Reimbursement Fees V PAY Members must register the domestic Interchange Reimbursement Fees with Visa, and notify Visa of any changes to such registered domestic Interchange Reimbursement Fees.

10.2.3 Visa Europe Proximity Payment Interchange Reimbursement Fee Proximity Payments fulfilling the qualification criteria set out in this section are eligible for the Visa Europe Proximity Payment Interchange Reimbursement Fee as set out in Section 10.2.1.

To be eligible for the Visa Europe Proximity Payment Interchange Reimbursement Fee, the V PAY Transaction must be a Proximity Payment and:  Have a Transaction Amount of less than or equal to €15;  Have obtained Offline Authorization; and  Comply with the Visa Contactless Payments Specification.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 257 V PAY Operating Regulations - Scheme Chapter 10 - Fees

10.3 CASH DISBURSEMENTS

10.3.1 ATM Cash Disbursement and Incentive Fees A Cash Disbursement Fee is paid by the Issuer to the Acquirer performing an ATM Cash Disbursement.

10.3.1.1 Tier Requirements

10.3.1.1.1 A tier I ATM Acquirer must do all of the following:  Provide the basic cash withdrawal services;   Accept all valid Cards;   Use the Multicurrency Service for Authorization Requests; and   Use the routing tables provided by Visa for Transaction routing. 

10.3.1.1.2 A tier II ATM Acquirer must provide all the tier I functions, and comply with all of the following:  Participate in a Card Verification Service;   Offer customer account selection options, as specified in Section 6.3.5.13.3; and   Either: — Use the Custom Payment Service and be certified by Visa if the Acquirer processes Deferred Clearing Transactions; or  — Participate in a process that enables Online Financial Transactions. 

10.3.1.2 ATM Cash Disbursement Fees for Visa Europe Transactions The fee paid by an Issuer to an Acquirer for performing an ATM Cash Disbursement is €0.44 plus 0.15% of the disbursed amount (up to maximum fee of €0.75 per ATM Cash Disbursement) and, effective from 1 July 2016, where no Access Fee has been added to the Transaction Amount of that ATM Cash Disbursement.

10.3.1.3 An Issuer will not pay a Cash Disbursement Fee for ATM Cash Disbursements that are Domestic Transactions or Visa Europe Transactions, if an Access Fee has been added.

10.3.1.4 ATM Cash Disbursement Fees for International Transactions Table 10-3 lists the fee paid by an Issuer to an Acquirer for International Transactions originating at a Visa/Plus ATM. Table 10-3 Fees for ATM Cash Disbursements at Compliant ATMs1 

Issuer Pays Acquirer Receives

Access Fee added to the Transaction Amount of an ATM Cash US $0.50 + 0.15% US $0.50 + 0.15% Disbursement. No Access Fee added to the Transaction Amount of an ATM US $1.50 US $1.50 Cash Disbursement.

1. An ATM is deemed to be compliant (meet the tier II requirements) if it processes ATM Cash Disbursements using the Single Message System or is a qualified Custom Payment Service ATM.

258 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 10 - Fees

10.3.1.5 Issuer ATM Fees The Issuer is charged the following ATM fees: Table 10-4 Miscellaneous Fees

Decline Fee (if Issuer supports Balance Inquiry) €0.10 per Decline Response Decline Fee (if Issuer does not support Balance €0.25 per Decline Response Inquiry) Balance Inquiry Fee (if Issuer supports Balance €0.25 per Balance Inquiry Inquiry) Balance Inquiry Fee (if Issuer does not support €0.25 per Balance Inquiry Balance Inquiry)

PIN Management Fee

Visa Europe Transactions €0.75 Domestic Transactions €0.30

10.3.2 Manual Cash Disbursement Fee

10.3.2.1 Manual Cash Disbursement Fees for Visa Europe Transactions The Cash Disbursement Fee for a Manual Cash Disbursement is €2.75, plus 0.33% of the amount disbursed.

10.3.2.2 Manual Cash Disbursement Fees for International Transactions An Issuer must pay a Cash Disbursement Fee of US $1.75 plus 0.33% of the disbursed amount to the Acquirer for performing a Cash Disbursement. 10.4 DYNAMIC CURRENCY CONVERSION AT ATM CURRENCY CONVERSION FEE ATM Acquirers that provide Dynamic Currency Conversion on Transactions at ATMs will:  Receive the Cash Disbursement Fee from the Issuer, see Section 10.3; and  Pay the Issuer a fee of €0.27 for each ATM Transaction where Dynamic Currency Conversion was performed. 10.5 INTERCHANGE REIMBURSEMENT FEES FOR INTERNATIONAL TRANSACTIONS [A] The agreed acceptance domain for V PAY is currently limited to countries within Visa. Should a V PAY transaction take place outside these countries and be processed to completion, Interchange Reimbursement Fees for International Transactions will apply.

10.5.1 Requirement and Fee Structure [A] An Acquirer reimburses the Issuer an Interchange Reimbursement Fee for each International Transaction. This fee is calculated as a percentage of net sales (Transaction Receipt totals less credit Transaction Receipts).

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 259 V PAY Operating Regulations - Scheme Chapter 10 - Fees

10.5.2 Fee Amount [A] The Interchange Reimbursement Fees shown in Table 10-5 apply to all International Transactions at terminals that provide Full-Chip Data, excluding ATM Transactions and Manual Cash Disbursements. Table 10-5 Interchange Reimbursement Fees

Full-Chip Data Device Full-Chip Data Device1 Secure Electronic Standard Default Rate with PIN Capability1 Commerce

1.10% for all qualified 1.00% 1.44% 1.60% Transactions

1. To qualify for these incentive fees, the Acquirer must provide the Full-Chip Data to the Issuer.

10.5.3 Retrospective Manual Adjustments [A] The fees specified in this section may refer to Interchange Reimbursement Fees, Cash Disbursement Fees and other Visa Member-to-Member fees.

[A] This section specifies the process and rules that apply for retrospective manual adjustments to fees that have been incorrectly applied to Transactions between V PAY Members.

10.5.3.1 Member Requirements [A] V PAY Members are responsible for submitting accurate data so that the appropriate fees are applied to Transactions.

10.5.3.2 Retrospective Manual Adjustments to Fees [A] The following rules apply where Transactions have been assessed with incorrect fees:  Visa will validate and calculate the financial impact to V PAY Members;  Where an error is caused by a V PAY Member, Visa will share the details of the error with other Members, as appropriate, in order to agree a resolution;  Where V PAY Members do not reach an agreement on resolution, Visa will review each case and may make financial adjustments to apply retrospectively. Visa’s decision will be final;  The period for calculating retrospective adjustments is limited to a maximum of 12 months prior to the earlier of either of the following dates: — The date of notification to Visa by the V PAY Member; or — The date of discovery by Visa;  Visa will make manual adjustments until the error has been corrected; and  Where errors are caused by V PAY Members, Visa reserves the right to recover, from those Members, the administration costs associated with carrying out retrospective financial adjustments.

260 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Chapter 10 - Fees

10.5.3.3 Retrospective Manual Adjustments to Fees for Domestic Transactions

10.5.3.3.1 [A] As specified in Section 10.2.2, V PAY Members must register their fees for Domestic Transactions with Visa.

10.5.3.3.2 [A] Where fees for Domestic Transactions are registered with Visa and become effective before their implementation, Visa will retrospectively adjust those fees as appropriate.

10.5.3.3.3 [A] In cases where the structure of the fees for Domestic Transactions requires it, Visa will determine the appropriate way to implement the fees.

10.5.3.3.4 [A] Where necessary, Visa will review and make a final decision. 10.6 VISA DIRECT TRANSFERS Effective until 17 May 2016, a Service Provider Member must pay the Recipient Member a fee of €0.02 for each Visa Direct Transfer. 10.7 HANDLING FEES FOR RECOVERED V PAY CARDS Effective until 15 October 2016, Table 10-6 specifies the handling fees charged to the Issuer for recovered V PAY Cards.  Table 10-6 Effective until 15 October 2016, Handling Fee for Recovered V PAY Cards

V PAY Card recovered at a Merchant or ATM  €12 V PAY Card recovered at a Merchant outside of Visa Europe €12

If an Acquirer pays a reward, as specified in Table 10-7, to its Merchants or tellers for the recovery of V PAY Cards, it may collect the reward amount from the Issuer. Table 10-7 Rewards for Recovered V PAY Cards

Paid to Reward amount (€)

Merchant 25 - 150 Teller/Disbursing V PAY Member 0 - 150

10.8 GLOBAL MERCHANT CHARGEBACK MONITORING PROGRAM— CHARGEBACK HANDLING FEE DETAILS Effective until 30 June 2016, Visa monitors International Transactions and Country-to-Country Transactions to identify Merchant Outlets that generate excessive Chargebacks in relation to International Transactions and Country-to-Country Transactions.

10.8.1 Chargeback Handling Fees Effective until 30 June 2016, if a Merchant has been placed on the Global Merchant Chargeback Monitoring Program, and a Chargeback is received in relation to an International Transaction or Country-to-Country Transaction at any Merchant Outlet of that Merchant, Visa will charge that Merchant’s Acquirer the handling fee as specified in Section 2.3.9.2.4.

If a Merchant has been placed on the Global Merchant Chargeback Monitoring Program and that Merchant or its Acquirer has not implemented procedures to reduce Chargebacks relating to International Transactions or Country-to-Country Transactions originating at a Merchant Outlet, Visa may charge the Acquirer an increased handling fee as set out in the Visa Core Rules and Visa Product and Service Rules for each such Chargeback received for that Merchant.

Visa will collect such Chargeback handling fee from the Acquirer and disburse it to the Issuer that initiated the Chargeback, subject to a €24 administration fee using the Visa System.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 261 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Exhibits

RISK Exhibit 1A Lost or Stolen V PAY Card Report ...... 265 Exhibit 1C Recovered Card Advice ...... 266

DISPUTE RESOLUTION Exhibit 2E Dispute Resolution Forms - Instructions ...... 268

BIN ...... 272

LICENCE AGREEMENT Exhibit 5B Licensed Software and Designated Computers ...... 274

TRANSACTION RECEIPTS Exhibit 7I Transaction Receipts ...... 276

PROXIMITY PAYMENTS Exhibit 8A Visa Contactless Payment Specification Data Field Descriptions ...... 279 Exhibit 8B Visa Contactless Payment Specification Data Field Descriptions ...... 280

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 263 V PAY Operating Regulations - Scheme Appendix A - Exhibits

RISK

Exhibit 1A Lost or Stolen V PAY Card Report ...... 265 Exhibit 1C Recovered Card Advice ...... 266

264 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix A - RISK Exhibit 1A

Exhibit 1A Lost or Stolen V PAY Card Report

General Information

Attention: Date of Report: Time of Report: Date Fax Received: Lost Stolen If Account Number unavailable, list Issuer

Cardholder Information

Account Number Cardholder Name First Middle Last Billing Address/City/County/Post Code/Country Home Telephone Number Temporary Telephone Number

Cardholder Identification Information

Date of Loss/Theft Place of Loss/Theft Circumstances of Loss/Theft ID Number ID Type Date of Birth Number of Cards Issued Number of Cards missing

Additional Cardholder Information

Last Purchase Date Cardholder advised in writing? YesNo Cardholder advised not to use card with same number? YesNo

Emergency Service Request Information

Emergency Services Requested? YesNo

Notification Information

Issuer Notified? YesNo By Date Time Spoke to BIN# Telephone/Fax

GCAS Information Only

Date Received By Time Verification Number Advised of Verification Number: YesNo Operator Number Base Blocked: YesNo

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 265 V PAY Operating Regulations - Scheme Appendix A - RISK Exhibit 1C

Exhibit 1C Recovered Card Advice

Date: Issuer: BIN# Acquirer: BIN# Recovered Card Account Number: Recovery Notification (Date and Time)1 Method of Recovery:

Amount of Reward Paid to Merchant or Teller: Total Amount of Fee Collection: Fee Collection Input Date:

1. See Section 2.6.6.

266 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix A - Exhibits

DISPUTE RESOLUTION

Exhibit 2E Dispute Resolution Forms - Instructions ...... 268

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 267 V PAY Operating Regulations - Scheme Appendix A - DISPUTE RESOLUTION Exhibit 2E

Exhibit 2E Dispute Resolution Forms - Instructions

Chargeback/Representment Documentation Transmittal Use these forms for Chargebacks and for Representments to Chargebacks to provide the opposing V PAY Member with information about the dispute. These forms must be completed and sent each time supporting documents for a Chargeback or Representment are provided to the opposing V PAY Member. For some Chargeback reason codes, a V PAY Member message text may be used in lieu of this form.

Always complete the V PAY Member Information, Cardholder Information, Transaction Information and Member Contact Information sections of the form. Complete the Chargeback Reason and Representment Reason sections as follows:  For Chargebacks, check the appropriate Chargeback reason code and convey all the relevant information about the dispute in the fields provided. Some fields may apply to more than one Chargeback reason code in the dispute group; and  For Representments, indicate the Chargeback reason code that was received, the Receipt Date of the Chargeback and convey all the relevant information about the Representment in the fields provided. Some fields may apply to more than one Chargeback reason code in the dispute group.

If the Chargeback reason code is changed at pre-Arbitration, the Issuer must send the Acquirer the required information and any supporting documentation required for the new reason code. The Issuer may change its reason code only if the change is based on new information provided by the Acquirer upon Representment.

For both Chargebacks and Representments, if further explanation is necessary, use the Additional Information section provided on each form. Members may attach additional pages to the form if necessary.

Always complete the estimated Input Date/Settlement Date.

Attach related documentation to this transmittal and send to the Receiving Member through the Electronic Documentation Transfer Method.

Visa recommends that Members always provide all documentation and information that best support their case.

Dispute Resolution Forms

To BIN This field must contain the unique six-digit number assigned by Visa to the Receiving Member or Visa Scheme Processor

From BIN This field must contain the unique six-digit number assigned by Visa to the Sending Member or Visa Scheme Processor

Chargeback If used, this field must contain a unique six-digit number assigned by the Issuer to Reference Number identify the source of the Chargeback. If present, the Acquirer must return the same number in any Representment

Account Number The Account Number field must contain the Account Number. If the Account Number exceeds 16 digits, the Account Number extension field must be used. If the Account Number consists of fewer than 16 digits, the field must be zero-filled to the right of the Account Number

Cardholder Name This field may contain the name of the Cardholder that appears on the V PAY Card

268 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix A - DISPUTE RESOLUTION Exhibit 2E

Dispute Resolution Forms (Continued)

Acquirer Reference The Acquirer Reference Number, as shown in the original Presentment, must be Number included in all Chargebacks, Retrieval Requests and Representments.

If multiple low-value fraudulent Transactions are charged back in a single Chargeback record, the Acquirer Reference Number must be from the Transaction with the earliest Endorsement Date. Single Message System: This field must contain the 24-digit Acquirer Reference Number or Tracing Data.

MCC (Merchant This field must contain the appropriate four-digit Merchant Category Code, as Category Code) specified in Visa Europe Merchant Data Standards.

Merchant Name This field must contain the same name as the Merchant or Acquirer name (for Cash Disbursements) appearing on the Transaction Receipt. It should be the “doing business as” (DBA) name of the Merchant or V PAY Member or a name more recognised to Cardholders. It must consist of no more than 25 Roman alphabet characters

Merchant Location The location, in Roman alphabet letters, of the Merchant Outlet or V PAY Member location where the Transaction occurred. City names that contain more than 13 characters must be abbreviated. Visa may grant a variance for this requirement upon receipt of written request

Transaction Date The Transaction Date is the actual date on which a Transaction occurred. The Transaction Date must be expressed as a six digit code in the format “MMDDYY”

Processing Date The Processing Date is the date (based on Greenwich Mean Time) on which a V PAY Member submits the Interchange Data to, and the data is accepted by, a Visa Interchange Centre. The Processing Date must be expressed as a six-digit code in the format “MMDDYY”

Transaction On the Issuer Chargeback Form, this field must contain the actual billed amount in the Amount Billing Currency. On the Acquirer Representment Form, this field must contain the original Presentment amount in the Transaction Currency or the Chargeback amount received in the Settlement Currency

Disputed Amount This field must contain the actual disputed amount, if different to the Transaction Amount.

Summary of Low-Value Fraudulent Transactions A Member can submit a summary of low-value fraudulent Transactions for multiple unauthorized Transactions charged back under Reason Code 83 “Fraud - Card-Absent Environment". The summary should list a maximum of 25 transactions for each Chargeback record and include the Acquirer Reference Number and the value of each Transaction.  The Transactions must be equal to or less than €25 (or local currency equivalent) each to be charged back as part of a multiple Chargeback record; and  The Chargeback record and the total value of Transactions in the Chargeback record must not be greater than €250.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 269 V PAY Operating Regulations - Scheme Appendix A - DISPUTE RESOLUTION Exhibit 2E

Summary of Arbitration

When submitting an Arbitration, provide:  Any relevant Arbitration qualification information. This includes the Processing Date of the Chargeback or Presentment, the date of the arbitration request (a copy of the request should be attached), details of the V PAY Operating Regulations - Scheme in dispute, and the reasons for refusal.  A chronology of the events. This includes the Transaction Date, the Processing Date, the Acquirer Reference Number, the Processing Dates of the first Chargeback and Representment and the reason codes.

If multiple Transactions are in dispute, Arbitration documentation should be sent for each Transaction. The following supporting documentation should be included with the summary:  A copy of the Transaction Receipt;  A copy of the Dispute Resolution Form; and  A copy of the written Cardholder complaint.

The date of the Arbitration request must be within 60 days of either the Processing Date of the Chargeback or Representment, or the date of the pre-Arbitration attempt.

Summary of Compliance

When submitting a Compliance, all of the requirements in Section 8.11 must be met before a Compliance request can be accepted.

The submission should explain which V PAY Operating Regulations - Scheme have been violated and why their financial loss would not have occurred otherwise. The submission should also contain any relevant information about the alleged violation, including the date it occurred and the date it was discovered.

The Member should list any supporting documentation they are supplying with their submission, including Cardholder letters, Merchant correspondence, copies of Transaction Receipts, Credit Transaction Receipts, logs and forms. Any documentation that is not in English must be translated.

Pre-Arbitration Attempt

A Member may make an attempt to resolve the dispute with the opposing Member before they make their submission to the Visa Europe Arbitration Committee. The pre-Arbitration attempt has two stages, the request and the response.

The request should include:  New information or documentary evidence, with an explanation; and  All relevant details of the disputed Transaction or Transactions, including the Transaction Date, the Processing Date, and the Chargeback and Representment dates.

The opposing Member’s response to the request must state that they either:  Accept the case and agree to credit the Member via miscellaneous funds disbursement on a given date; or  Decline the case and an explanation for this decision.

270 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix A - DISPUTE RESOLUTION Exhibit 2E

Pre-Compliance Attempt

A Member must make an attempt to resolve a Compliance issue with the opposing Member before they make their submission to the Visa Europe Compliance Committee. The pre-Compliance attempt has two stages, the request and the response.

The request should include:  Details of the alleged violation of the V PAY Operating Regulations - Scheme; and  An explanation of the resulting financial loss to the Member.

The opposing Member’s response to the request must state that they either:  Accept the case and agree to credit the Member via miscellaneous funds disbursement on a given date; or  Decline the case and an explanation for this decision.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 271 V PAY Operating Regulations - Scheme Appendix A - Exhibits

BIN

The following BIN exhibits are available to download as forms from Visa Online. These forms can be filled in electronically and submitted to Visa in line with the existing submission process:  Exhibit 4A- BIN Licensing Agreement Form  Exhibit 4B-1- BIN Licensee Transfer Request  Exhibit 4B-2- BIN User Transfer Request Form  Exhibit 4D- Member Portfolio Sale Notification  Exhibit 4E-1- BIN Release Request  Exhibit 4E-2 - Reversal of BIN Release Request  Exhibit 4F- Visa Interchange Directory Update Form

272 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix A - Exhibits

LICENCE AGREEMENT

Exhibit 5B Licensed Software and Designated Computers ...... 275

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 273 V PAY Operating Regulations - Scheme Appendix A - LICENCE AGREEMENT Exhibit 5B

Exhibit 5B Licensed Software and Designated Computers

Licensed Software Machine-Readable Code Designated Computer

Object Only Object and Source

Visa Resolve Online (VROL)

274 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix A - Exhibits

TRANSACTION RECEIPTS

Exhibit 7I Transaction Receipts ...... 277

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 275 V PAY Operating Regulations - Scheme Appendix A - TRANSACTION RECEIPTS Exhibit 7I

Exhibit 7I Transaction Receipts This exhibit specifies the data requirements for all Transaction Receipts unless an exception is given below.

Table A-1 Data Requirements: Cardholder copy of Transaction Receipt

Transaction Data Requirements1

Merchant Merchant Outlet and, at a minimum, Merchant city and state/province where applicable. Transaction Amount indicated in Transaction Currency Transaction Date Account Number (all but four digits of the Account Number on the Cardholder copy of the Transaction Receipt must be disguised or suppressed, as specified in Section 6.5.2.) Authorization Code (if provided by the Issuer) Transaction type (purchase or credit) Description of goods or services Embossed Card data (where Card data is captured manually) The application identifier of the selected application The application preferred name (if the character set is supported by the printer) or the application label Available Balance (for Prepaid Cards only, as specified in Section 6.5.4.1.2) Indication of a Proximity Payment (for a Proximity Payment, in accordance with the Visa Europe Contactless Terminal Requirements and Implementation Guide), where options include but are not limited to: • Print “V PAY Contactless” on the Transaction Receipt; or • If the Transaction Receipt printer is capable, display an image to indicate a Proximity Payment, which can be printed in place of, or in addition to, the word “Contactless”.

1. See Section 6.5 for additional data requirements; this includes information for Electronic Commerce Transaction Receipts.

Table A-2 Additional Data Requirements: ATM Cash Disbursement or Load Transaction

Transaction Data Requirements

ATM Acquirer name and/or name of affiliated domestic or regional network ATM Device street location or location code ATM city Type of account accessed

Table A-3 Additional Data Requirements: Automated Dispensing Machine and Unattended Acceptance Terminal

Transaction Data Requirements

Terminal Location (city and country)

Location or location code of Automated Dispensing Machine

Identification of Transaction Currency

276 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix A - TRANSACTION RECEIPTS Exhibit 7I

Table A-4 Additional Data Requirements: Electronic Commerce Transactions

Transaction Data Requirements1

Merchant online address Merchant country Return/refund policy (if restricted) Customer service contact details

1. See Section 6.5 for additional data requirements.

Table A-5 Additional Data Requirements: Handwritten Transaction Receipt

Transaction Data Requirements

Method of data capture (Chip, Magnetic Stripe, Proximity Payment or key entered)

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 277 V PAY Operating Regulations - Scheme Appendix A - Exhibits

PROXIMITY PAYMENTS

Exhibit 8A Visa Contactless Payment Specification Data Field Descriptions ...... 280 Exhibit 8B Visa Contactless Payment Specification Data Field Descriptions ...... 281

278 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix A - PROXIMITY PAYMENTS Exhibit 8A

Exhibit 8A Visa Contactless Payment Specification Data Field Descriptions

This exhibit specifies the data field requirements for Proximity Payments, as specified in the V PAY Operating Regulations, Section 4.1.2.7 and Section 4.2.3.4, and as set out in the Visa Contactless Payment Specification.

Table A-6 Data Fields used by Proximity Payments Devices

Name Description

Application Currency Indicates the currency in which the Transaction Amount is managed according Code to the ISO Standard 4217. Application Program Indicates the Application Program ID of the card application. Identifier (Program ID) Card CVM Limit For domestic Proximity Payments where this value is exceeded, a Cardholder Verification Method (CVM) is required by the Proximity Payment Device. Form Factor Indicator The Form Factor Indicator (FFI) describes the form factor of the payment device and the type of contactless interface over which the Transaction is conducted. Issuer Country Code Indicates the country of the Issuer, represented according to the ISO Standard 3166. VLP Available Funds A counter that is decremented by the Transaction Amount for qVSDC offline approval requests. VLP Funds Limit Issuer limit for the VLP Available Funds; it is the value to which the VLP Available Funds is reset. VLP Reset Threshold Minimum value to which the VLP Available Funds is allowed to be decremented before the Proximity Payment Device requests online processing. VLP Single Transaction Maximum amount allowed for a single qVSDC offline Transaction. Limit

Table A-7 Data Fields used by Terminals accepting Proximity Payments

Name Description

Form Factor Indicator The Form Factor Indicator (FFI) describes the form factor of the payment device and the type of contactless interface over which the Transaction is conducted. Reader Contactless Floor Indicates the Floor Limit for the Proximity Payment of the reader. If the Limit Transaction Amount is greater than the Reader Contactless Floor Limit, then the reader requires online processing for the Transaction. Reader Contactless Indicates the Proximity Payment limit of the reader. Transaction Limit If the Transaction Amount is greater than or equal to the Reader Contactless Transaction Limit, then a Proximity Payment is not permitted. Switching the Transaction over to another interface is permitted. Reader CVM Required Indicates the Cardholder Verification Method (CVM) limit of the reader. Limit If the Transaction Amount is greater than or equal to the Reader CVM Required Limit, then the reader requires a CVM for the Proximity Payment.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 279 V PAY Operating Regulations - Scheme Appendix A - PROXIMITY PAYMENTS Exhibit 8B

Exhibit 8B Visa Contactless Payment Specification Data Field Descriptions

This exhibit specifies the data field requirements for Proximity Payments performed with Portable Payment Devices, as specified in V PAY Operating Regulations, Section 4.1.2.6 and Section 4.2.3.4 and as set out in the Visa Mobile Contactless Payment Specification (VMCPS).

Table A-8 Data Fields used by Portable Payment Devices

Name Description

Application Currency Indicates the currency in which the Transaction Amount is managed according Code to the ISO Standard 4217. Application Program Indicates the Application Program ID of the card application. Identifier (Program ID) Card CVM Limit For domestic Proximity Payments where this value is exceeded, a Cardholder Verification Method (CVM) is required by the Proximity Payment Device. Issuer Country Code Indicates the country of the Issuer, represented according to the ISO Standard 3166.

280 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Visa System Software Licence

Licence Grant A V PAY Member may request from Visa, a licence to use any of the computer software listed in Licensed Software and Designated Computers (Exhibit 5B). In this section, these software packages, including associated documentation, are referred to as “software” or “licensed software.”

Visa grants a non-exclusive, non-transferable and non-assignable licence to use the software to any V PAY Member that first obtains the approval of Visa and pays any applicable licence fees. The software must be used solely in the development and operation of the V PAY Member’s V PAY Program.

Object and Source Code Visa will provide the V PAY Member with only machine-readable object code for licensed software unless Licensed Software and Designated Computers (Exhibit 5B) indicates that both machine-readable object code and source code will be provided.

Software Installed outside of Visa Europe A V PAY Member must submit its request for a license to Visa.

Restrictions The licensed software is available to the V PAY Member subject to the confidentiality, warranty, indemnification and limitation of liability provisions of the V PAY Operating Regulations. THESE PROVISIONS LIMIT AND DISCLAIM THE WARRANTIES AND RESPONSIBILITIES OF VISA.

Delivery Upon delivery and before opening any packaging material, a V PAY Member must inspect the package for external signs of damage and promptly notify Visa and the carrier of any damage.

Licence, Installation, Training, Maintenance and Support Fees Visa determines the fees for the licensing, installation, training, maintenance and support of the software. A V PAY Member may obtain a fee schedule from Visa.

Limitations on Use

Designated Computer A V PAY Member must use the licensed software only in a single designated computer, unless the designated computer malfunctions. In that case, the V PAY Member may use the licensed software in another designated backup computer during the malfunction period. The V PAY Member may also change the computer designated to run the software upon 30 calendar days’ prior written notice to Visa. The notice must specify the date when the transfer will occur.

15 April 2017 VISA EUROPE CONFIDENTIAL INFORMATION - Member Use Only 281 V PAY Operating Regulations Appendix B - Visa System Software Licence

Notification of Relocation The V PAY Member must promptly notify Visa of any change in the street address where the software is installed. The software must not be relocated across national or Visa regional boundaries without the prior written permission of Visa.

Reverse Engineering If Visa has provided only machine-readable object code, the V PAY Member must not attempt to decompile, disassemble or reverse-engineer the licensed software.

Software Ownership and Confidentiality

Software Ownership The licensed software, including all modifications and enhancements, regardless of who performed them, is the sole property of Visa. A V PAY Member obtains no rights of ownership in the licensed software due to any licence granted in this chapter.

Confidentiality Requirements A V PAY Member that receives licensed software must treat the software as confidential and proprietary information of Visa. The V PAY Member must only:  Disclose it to employees if they need to know;  Disclose it to consultants under an agreement to keep the information confidential; and  Use the software for the purposes for which it was licensed to the V PAY Member.

Copies of Licensed Software

Copyright Notice A V PAY Member may make one copy of the licensed software, including associated documentation, provided that the physical media and the initial screen presented to the user when the software is accessed indicates, in the following language, that it is the property of Visa:

“This copy of the (name of licensed software listed in Licensed Software and Designated Computers (Exhibit 5B) is the property of Visa as its interest may appear and is protected under the Copyright, Trade Secret and confidentiality laws of each of the countries in which it is licensed.”

Records The V PAY Member must keep a record showing where the copy of the licensed software resides and in whose custody it is held.

Termination

Voluntary Termination by a V PAY Member A V PAY Member may voluntarily terminate a licence for any licensed software after giving 60 calendar days’ written notice to Visa.

Term of Licence Grant The term of the licence is for as long as the V PAY Member:  Is a V PAY Member; and  Is not in material breach of the terms and conditions of this appendix.

The licence grant automatically terminates upon withdrawal or termination of the V PAY Member.

Termination for Material Breach If a V PAY Member fails to pay any licence or maintenance fees, taxes, duties or other licensed software amounts due within 60 calendar days after receiving notification that these amounts are unpaid, there will exist a material breach of the licence for the software. This material breach will entitle Visa, at its option, to terminate the licence on the date specified in a subsequent notification.

282 VISA EUROPE CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations Appendix B- Visa System Software Licence

If a V PAY Member fails in any material respect to comply with the requirements applicable to licensed software contained in this chapter, other than a failure to pay as specified above, Visa may terminate the software licence upon notification given at least 48 hours prior to the effective date of termination.

Return of Software If a software licence is terminated, for any reason, the V PAY Member:  Must return to Visa all copies of the software, including all documentation, within 30 calendar days from the date of termination; and  Is responsible for all costs, expenses and fees arising from termination of the licence. Visa will make no refund of any part of the licence fee to the V PAY Member.

Enhancements and Modifications

Enhancements Visa is under no obligation to develop any enhancements or maintenance modifications for the software. However, it is the present intention of Visa to furnish the V PAY Member with enhanced versions of the software, when available, for a fee to be determined by Visa.

The V PAY Member must install and operate the most recent release and version of the licensed software and use its best efforts to maintain the licensed software with any updates supplied by Visa.

Modifications Visa is not responsible for any modifications made to the software by any party other than Visa or its authorised agents.

A V PAY Member wishing to modify the licensed software, either on its own or using a Third Party, must notify Visa prior to implementing the modifications on any systems that access the Visa System. If Visa determines that the proposed modifications pose risks to the Visa System, Visa will require recertification prior to permitting access to the Visa System.

If the V PAY Member’s modifications require special problem diagnosis or other support from Visa, that support will be performed and charged at cost to the V PAY Member.

Modifications that are made by a V PAY Member or its third party are the sole property of Visa. V PAY Members must provide Visa with all related software source code and documentation, in a form reasonably satisfactory to Visa, for all modifications made by the V PAY Member or its third party.

Visa has no obligation to maintain or provide other support for licensed software that has been modified by a V PAY Member or its Third Party. In no way does this alter or modify the V PAY Member’s duty and obligation to maintain the confidentiality of the software.

Non-Transferability

Assignment of Licence A licence for software may not, in whole or in part, voluntarily or by operation of law, be assigned, sub- licensed, encumbered, extended or otherwise transferred. The V PAY Member further agrees that it will not distribute or market any version of the software.

Assignment to Visa System Processors The V PAY Member may provide the most recent version of the software to a Visa System Processor that has executed a signed letter of agreement. This Visa System Processor must operate the software exclusively for the V PAY Member’s V PAY Program. The V PAY Member employing the Visa System Processor for this purpose remains the Licensee of the software.

Title to, and Risk of, Loss Title to, and risk of, loss of the physical media that contains the software passes to the V PAY Member when it is delivered to the carrier by Visa or its representative. Title to, and risk of, loss remain with the V PAY Member if the software is returned to Visa or its representative for service.

15 April 2017 VISA EUROPE CONFIDENTIAL INFORMATION - Member Use Only 283 V PAY Operating Regulations Appendix B - Visa System Software Licence

Exclusion of Warranties SOFTWARE IS PROVIDED TO THE V PAY MEMBER “AS IS,” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THERE IS NO WARRANTY THAT THE SOFTWARE DOES NOT INFRINGE A PATENT, TRADEMARK, COPYRIGHT OR TRADE SECRET.

Disclaimer of Liability NEITHER VISA NOR ANY OF ITS REGIONS WILL BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM:  VISA PERFORMANCE OR FAILURE TO PERFORM UNDER THE TERMS OF A LICENCE OF SOFTWARE  THE FURNISHING, PERFORMANCE OR USE OF SOFTWARE, OR ANY PRODUCTS OR OTHER MATERIALS RELATED TO SOFTWARE

WHETHER RESULTING FROM BREACH OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE OR OTHERWISE, EVEN IF VISA OR ANY OF ITS REGIONS, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. IN NO EVENT WILL THE TOTAL LIABILITY, IF ANY, OF VISA TO A V PAY MEMBER ARISING FROM ANY AND ALL CAUSES OF ACTION EXCEED THE LICENCE FEE PAID BY THE V PAY MEMBER FOR THE LICENSED SOFTWARE.

Indemnity The V PAY Member agrees to indemnify and hold Visa harmless from, all losses, liabilities, costs, damages and expenses, including reasonable attorney’s fees, to which Visa may be subject or that may be incurred by Visa in connection with any Claims or actions by any party or parties arising from, or in connection with, this licence, the software, or the use thereof.

Taxes The V PAY Member agrees to pay, either directly to the appropriate governmental agency or to Visa any municipal, local, regional or national taxes based on a licence of software, however designated or levied. This obligation does not include taxes based on the net income of Visa.

284 VISA EUROPE CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations Maximum Authorised Floor Limits

Each V PAY Member that is an Acquirer, at its discretion, assigns Floor Limits to its Merchants. However, certain maximum authorised Floor Limits have been established by Visa to minimise as much as possible the amount of risk in Interchange Transactions. The Merchant must obtain Authorization from its authorizing Processor for Transaction Amounts above these Floor Limits. A V PAY Member may elect to set Floor Limits that are lower or higher than the authorized maximum, but higher limits are set at the Member’s own risk. If higher Floor Limits than the authorized maximum are established and create problems, Visa will take appropriate action.

All of the following Transactions have a Zero Floor Limit:  Effective until 30 June 2016, Transactions originating at a Merchant Outlet identified by the Merchant Fraud Performance Program indicator “1” or “3” in the special condition indicator field of the Clearing Record;  Effective from 1 July 2016, Transactions originating at a Merchant identified by the Visa Fraud Monitoring Program indicator “1” or “3” in the special condition indicator field of the Clearing Record;  ATM Transactions;  Cash Disbursements;  In-Transit Transactions;  Quasi-Cash Transactions;  Transactions at an Unattended Acceptance Terminal initiated by Magnetic Stripe;  Electronic Commerce Transactions; and  Effective from 15 October 2016, Mail/Phone Order Transactions.

Visa may revise Floor Limits and may establish unique Floor Limits for specific Merchant Category Codes (MCCs) in specific countries.

For countries not listed in this appendix, the maximum authorised Floor Limits are those established as the default Floor Limit found in this appendix. Maximum Floor Limits are shown in either the country’s respective currency or US dollars.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 285 V PAY Operating Regulations - Scheme Appendix C - Maximum Authorised Floor Limits

DEFAULT FLOOR LIMITS FOR UNATTENDED ACCEPTANCE TERMINALS

The default Floor Limits for Unattended Acceptance Terminals are shown in Table C-1.

Table C-1 Default Floor Limits for Unattended Acceptance Terminals

Merchant Type MCC Non-Chip Floor Chip Floor Proximity Payment Limit Limit Limit

Unattended Acceptance Terminals 4111 0EUR 20EUR 20 within the Territory 4112 4131 4784 7523 Unattended Acceptance Terminals 00EUR 20 within the Territory (excluding MCC 4111, 4112, 4131, 4784 and 7523)

COUNTRY-SPECIFIC FLOOR LIMITS Table C-2 Country-Specific floor limits within the Territory

Country Currency (Euro unless Chip and Non Chip Proximity Payment Floor Limit stated) Floor Limit

Andorra 0 20

Austria 0 20 Belgium 0 20 Bulgaria BGN 0 25 Croatia HRK 0 150 Cyprus 0 20 Czech Republic CZK 0 500 Denmark DKK 0 140 Estonia 0 20 Finland 0 20 France 0 20 Germany 0 20 Gibraltar GBP 0 15 Greece 0 20 Greenland DKK 0 140 Hungary HUF 0 6,000 Iceland ISK 0 3,000 Israel ILS 0 90 Italy 0 20 Latvia 0 20 Liechtenstein 0 20 Lithuania 0 20

286 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix C - Maximum Authorised Floor Limits

Table C-2 Country-Specific floor limits within the Territory (Continued)

Country Currency (Euro unless Chip and Non Chip Proximity Payment Floor Limit stated) Floor Limit

Luxembourg 0 20 Malta 0 20 Monaco 0 20 Netherlands 0 20 Norway NOK 0 160 Poland PLN 0 80 Portugal 0 20 Republic of Ireland 0 20 Romania RON 0 85 San Marino 0 20 Slovakia 0 20 Slovenia 0 20 Spain 0 20 Sweden 0 20 Switzerland CHF 0 20 Turkey TRY 0 50 United Kingdom GBP 0 15 Vatican City 0 20

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 287 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Defined Terms

Numerics 3-D Secure The Authentication Method that is the global authentication standard for Electronic Commerce Transactions. 

A Access Control Server (ACS) A server operated by the Issuer or its processor that validates Cardholder participation in the Verified by Visa program, performs Cardholder verification at time of purchase, and provides other functions as specified in the Verified by Visa Issuer Implementation Guide. 

Access Fee A fee that is applied by an Acquirer to a Cardholder for an ATM Cash Disbursement. 

Account Data Compromise Event An event in which a security breach puts account data at risk of being stolen.

Account Funding Transaction A Transaction that transfers funds from a Cardholder's account to another Cardholder's account.

Account Number An Issuer-assigned number that identifies an account in order to post a Transaction. 

Acquirer A Member that (a) enters into an agreement with a Merchant for the display of any of the Licensed Marks and the acceptance of Visa Products and Services or (b) disburses currency to a Cardholder. 

Acquirer Confirmation Advice A message sent from an Acquirer to an Issuer confirming the final Transaction Amount. 

Acquirer Device Validation Toolkit (ADVT) A set of Cards or simulated Cards and test scenarios used to validate new or upgraded Chip-Reading Devices that are EMV-Compliant.

Acquirer Reference Number An identification number included in a Clearing Record.

Activation and Load Service A service that enables the activation of Prepaid Cards, and the activation of funds associated with a Load Transaction to a Prepaid Card, at a Prepaid Partner. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 289 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Adjustment A Single Message System message used to partially or fully negate or cancel a Transaction that has been sent through Interchange in error.

Affiliate With respect to any Person shall mean any other Person controlling or controlled under common Control with such Person. 

Airline A Merchant that transports passengers on an aircraft. 

Airline Ticket Identifier A 13-digit number on a Transaction Receipt for a Transaction involving an Airline comprising either:  The servicing carrier code and a transmission control number, excluding the check-digit, if the Airline ticket is printed on a transitional automated ticket form; or   A carrier number, form number and serial number, excluding the check-digit, if the airline ticket is printed on an automated ticket/boarding pass form. 

Alert A message sent by a Visa Alerts Service to a Cardholder by email, SMS (Short Message Service) or push notification.

Application Transaction Counter (ATC) A counter contained in the dynamic data elements of a Visa Smart Payment application that incrementally records the number of Transactions initiated for the Visa Smart Payment application since the application was personalised.

Application Usage Controls (AUC) A data element contained within the Chip that indicates Issuer-specified restrictions on the services and geographic usage allowed for the Card.

Approval Response An Authorization Response where the Transaction is approved. 

Approved Manufacturer A manufacturer of V PAY Cards that Visa certifies or approves to produce one or more Card products on behalf of an Issuer. 

Arbitration A process whereby financial liability for Transactions processed through Interchange that are presented and charged back is determined. 

Arbitration and Compliance Committee A committee that resolves certain disputes that arise from Chargebacks or from violations of any rules governing a V PAY Transaction. 

Area Net Settlement A Settlement service participated in by some or all V PAY Members within a group of countries sharing a common currency, to settle Transactions. 

ATM An Unattended Acceptance Terminal that has Electronic Capability, accepts PINs and disburses currency. 

290 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

ATM Acquirer An Acquirer that provides ATM services. 

ATM Cash Disbursement A Cash Disbursement obtained at an ATM displaying the V PAY Brand Mark or Plus Symbol, for which the V PAY Cardholder’s PIN is accepted. 

ATM Mark A Mark that denotes ATM acceptance. 

ATM Transaction A Transaction by a Cardholder that takes place at an ATM. 

Attempt Response A message from an Issuer who uses 3-D Secure in response to an Authentication Request from a Merchant who uses 3-D Secure, indicating that the Cardholder is not participating in 3-D Secure. 

Authentication Confirmation A message from an Issuer who uses 3-D Secure in response to an Authentication Request, confirming Cardholder authentication. 

Authentication Denial A message from an Issuer who uses 3-D Secure in response to an Authentication Request from a Merchant who uses 3-D Secure, denying Cardholder authentication. 

Authentication Identifier Effective until 14 March 2012, a unique value for each authentication Transaction, as specified in the 3-D Secure Implementation Guides. 

Authentication Mechanism A Visa -approved method that validates a participant’s identity in an Electronic Commerce Transaction. 

Authentication Method A protocol that is set by Visa that establishes the minimum standards for authenticating the Cardholder in an Electronic Commerce Transaction. 

Authentication Record A record of 3-D Secure authentication status from an Issuer who uses 3-D Secure in response to an Authentication Request from a Merchant who uses 3-D Secure. 

Authentication Response A response to an Authentication Request by an Issuer who uses 3-D Secure or a response by Visa on behalf of that Issuer. Authentication Responses include, but are not limited to:   Attempt Responses;   Authentication Confirmations;   Authentication Denials; and   Unable-to-Authenticate Responses. 

Authorization The approval of a Transaction by either an Issuer, a Visa Scheme Processor or Stand-In Processing. 

Authorization Code A code that an Issuer or its Visa Scheme Processor, or Stand-In Processing, provides as part of an Authorization Response to indicate an approval of a Transaction. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 291 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Authorization Request A Merchant’s or Acquirer’s request for an Authorization. 

Authorization Response An Issuer's reply to an Authorization Request, which may be an Approval Response, a Decline Response, a Pickup Response or a Referral Response. 

Authorization Reversal A process whereby a Merchant requests cancellation of an Authorization. 

Automated Fuel Dispenser An Unattended Acceptance Terminal that dispenses only fuel. 

B Balance Inquiry A Cardholder request for their account balance that is initiated at an ATM and processed as a separate, non-financial Transaction. 

Balance Inquiry Service An ATM service that allows a Cardholder to check their account balance.

BASE II The VisaNet system that provides deferred Clearing and Settlement services to V PAY Members. 

Billing Currency The currency in which an Issuer bills a Cardholder for Transactions. 

BIN A six digit number assigned by ISO to Visa and used to identify a V PAY Member for Authorization, Clearing, or Settlement processing. 

Branch The office of a V PAY Member where Manual Cash Disbursements are made and Cards may also be issued, excluding drive-through windows providing reduced customer services, in-store counters, or service centers that do not store cash on the premises. 

C Card A payment card, device or any other electronic or virtual product or account, which is capable of completing a payment Transaction and is issued by a V PAY Member for use in connection with the Visa Enterprise and bears a Licensed Mark. 

Card-Absent Environment An environment where a Transaction is completed under both of the following conditions:  Cardholder is not present; and   Card is not present.

Card Distribution Point A location, other than a Branch, where a Card may be issued or distributed. 

Cardholder A Person who is issued with and authorised to use a valid V PAY Card. 

Cardholder-Activated Transaction A Transaction that is initiated by a Cardholder at an Unattended Acceptance Terminal. 

292 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Cardholder Agreement A contract between a Cardholder and an Issuer containing their respective rights, duties and obligations for participation in the Issuer's V PAY Card Program and/or V PAY Card Product.

Cardholder Authentication Verification Value A unique value transmitted by an Issuer, or by Visa, in response to an Authentication Request. 

Cardholder Dispute Chargeback Resolution A form of resolution which permits the funding of Chargebacks under reason code 85 where the Acquirer is unable to recover the cost of such Chargebacks directly from the Merchant.

Cardholder Verification The process of validating a Cardholder’s identity through verification of the Cardholder’s signature, PIN or other methods approved by Visa. 

Cardholder Verification Limit The Transaction Amount for Proximity Payments above which Cardholder Verification must be performed.

Cardholder Verification Method Type or types of Cardholder Verification defined and prioritised by the issuer, usually stored in the Card or the Issuer's host system. 

Card-Present Environment An environment that comprises the condition of either a Face-to-Face Environment, Semi-Attended Environment or an Unattended Environment.

Card Verification Service A service where Card Verification Values in an Authorization Request are validated on behalf of an Issuer. 

Card Verification Value (CVV) A unique check value that is calculated from the data encoded on the Magnetic Stripe using a secure cryptographic process and is used to validate Card information during the process of obtaining Authorization. 

Card Verification Value 2 (CVV2) Effective until 14 October 2016, a unique check value printed on the back of a V PAY Card, which is generated using a secure cryptographic process. 

Effective from 15 October 2016, a unique check value, generated using a secure cryptographic process, that may be displayed either statically or dynamically on the back of a V PAY Card. Where the value is displayed dynamically, this may be referred to as dCVV2. 

Car Rental Merchant Effective until 21 April 2017, a Merchant whose primary business is the rental of cars. 

Cash-Back Cash obtained from a Merchant through use of a V PAY Card, in conjunction with, and processed as, a Retail Transaction. 

Cash Disbursement A Transaction under which currency is paid out to a Cardholder using a V PAY Card, excluding  Cash-Back. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 293 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

CDCVM An Issuer-approved method, recognised by Visa, for capturing the Cardholder Verification Method on a Portable Payment Device to verify a Cardholder’s identity. 

Cash Disbursement Fee A fee paid by an Issuer to an Acquirer for performing a Cash Disbursement. 

Central Bank A government agency responsible for the supervision and operation of banking activities for a national government. 

Certification Authority An entity that issues and manages Digital Certificates for use with V PAY Products and Services in accordance with Visa-specified requirements. 

Chargeback A Transaction that an Issuer returns to an Acquirer. 

Chargeback Period The number of calendar days from the Processing Date, as set out in the Dispute Resolution Rules, of a Transaction Receipt during which time the Issuer may exercise a Chargeback right. 

Chargeback Reduction Service An approved service that screens Presentments and Chargebacks and returns certain invalid items to the Acquirer or Issuer, as appropriate. 

Chip An electronic component designed to perform processing or memory functions. 

Chip Card A Card embedded with a Chip that communicates information to a Point-of-Transaction Terminal. 

Chip-initiated Transaction A Transaction using a Chip Card that is both EMV- and VIS- Compliant that is processed at a Chip- Reading Device using Full Chip Data, and limited to Visa Smart Payments.

Chip-Reading Device A Point-of-Transaction Terminal capable of reading, communicating and processing Transaction data from a Chip Card. 

Chip Transaction A Transaction where the Chip on a Chip Card is read by a Chip-Reading Device. 

Claim Any claim, including any claim for personal injury, property losses, damages (including lost profits or savings, indirect, consequential, special, exemplary, punitive, or incidental), losses, penalties, fines, suits, expenses and costs (including attorney’s fees) involving ant of the parties set out in the V PAY Operating Regulations - Scheme, Section 1.15.

Clearing All of the functions necessary to collect a Clearing Record from an Acquirer in the Transaction Currency and deliver it to the Issuer in the Billing Currency, or to reverse this Transaction or to process a Fee Collection Transaction. 

294 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Clearing Record A record of a Presentment, Chargeback, Representment, Reversal or Adjustment in the format necessary to clear the Transaction. 

Cloud-Based Payments Mobile Application A cloud-based payments application used in a Portable Payment Device, as specified in the Visa Cloud- Based Payments Specifications.

Compliance A process whereby disputes that arise from violations of any rules governing a Transaction (when the requesting V PAY Member can certify that a financial loss has occurred or will occur for a specific amount), and no Chargeback right is available, are determined.

Confidential Information Any information not available to the general public, which has been disclosed by Visa to that V PAY Member, including the V PAY Operating Regulations - Scheme and any other technical specifications.

Contactless Indicator The Trademark as set out below:

Contactless Symbol The Trademark as set out below:

Copy Request A Retrieval Request that is processed through an Electronic Documentation Transfer Method. 

Copy Request Identifier An identification number assigned to a Copy Request. 

Correspondent Bank A depository institution that holds an account with, or on behalf of, a Settlement Bank and engages in an exchange of services with that bank. 

Counterfeit Card One of the following:  A device or an instrument that is printed, embossed or encoded so as to purport to be a V PAY Card, but that is not a V PAY Card because an Issuer did not authorise its printing, embossing, or encoding;   An instrument that is printed with the authority of the Issuer and that is subsequently embossed or encoded without the authority of the Issuer; or   A V PAY Card that an Issuer has issued and that is altered or re-fabricated, except one on which the only alteration or re-fabrication comprises modification of the signature panel or Cardholder signature. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 295 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Country-to-Country Transaction A Transaction where the Issuer of the V PAY Card used is located in one country, and the Merchant Outlet or ATM where the V PAY Card is used is located in a different country. 

Credit Transaction A Transaction where a Merchant's refund or price adjustment is credited to a Cardholder's account. 

Credit Transaction Receipt A Transaction Receipt evidencing a Credit Transaction. 

Cruise Line A Merchant that sells tickets for, and provides, travel and overnight accommodation on a ship or boat. 

Cryptogram A value resulting from a process using an encryption algorithm and key data elements. 

Currency Conversion Rate The Currency Conversion Rate1 is: 1. For Visa Inc. Transactions, the currency conversion rate set by Visa Inc. from the range of rates available in the wholesale currency markets for the applicable Processing Date, which rate may vary from the rate Visa Inc. itself receives;  2. a) For Visa Europe Transactions where either Member is connected to BASE II, the currency conversion rate that Member receives is set by Visa Inc. from the range of rates available in the wholesale currency markets for the applicable Processing Date, which rate may vary from the rate Visa Inc. itself receives;  b) For Visa Europe Transactions where the Member is connected to the Visa Europe Clearing and Settlement Service, the currency conversion rate the Member receives is set by Visa Europe from the range of rates available in the wholesale currency markets for the applicable Processing Date, which rate may vary from the rate Visa Europe itself receives;  3. a) For International Transactions where the Customer or Member is connected to BASE II, the currency conversion rate the Customer or Member receives is set by Visa Inc. from the range of rates available in the wholesale currency markets for the applicable Processing Date, which rate may vary from the rate Visa Inc. itself receives;  b) For International Transactions where the Customer or Member is connected to the Visa Europe Clearing and Settlement Service, the currency conversion rate the Customer or Member receives is set by Visa Europe from the range of rates available in the wholesale currency markets for the applicable Processing Date, which rate may vary from the rate Visa Europe itself receives; or  4. A rate mandated by a government or a governing body in effect for the applicable Processing Date for a Transaction. 

An Issuer shall set the conversion rate to its Cardholders and an Acquirer shall set the conversion rate to its Merchants, consistent with applicable law. 

Custom Payment Service A payment service that accommodates specific payment environments with an identifier that remains with the Transaction throughout its life cycle. 

D Data Capture-Only Capability Point-of-Transaction Capability where the Transaction Receipt data is electronically captured for Deposit purposes, but the terminal does not have the capability to go Online.

296 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Data Protection Method A method for the protection of Account Numbers and other Cardholder data, as specified in the Payment Card Industry Data Security Standard. 

Decline Response An Authorization Response where the Transaction is declined. 

Dedicated File Name A unique alphanumeric name used by a V PAY Card to identify an application that is supported on the V PAY Card, as specified in the EMV Integrated Circuit Card Specifications for Payment Systems.

Default Infrastructure The processor of last resort that a Member should utilise when its processing infrastructure has failed or is otherwise unavailable.

Deferred Clearing Transaction A Transaction that is authorized, cleared and settled in two separate messages. 

Deposit The submission of a Transaction Receipt by a Merchant or an Internet Payment Service Provider to an Acquirer, resulting in a credit or debit to the Merchant’s or Internet Payment Service Provider's Visa Card account. 

Deposit-Only Account Number An Account Number established by an Issuer used exclusively to receive an Original Credit Transaction on behalf of one or more of its Cardholders. 

Deposit Transaction Receipt The first Transaction Receipt in a Delayed Delivery Transaction. 

Digital Certificate A digitally signed credential used to authenticate the holder of the credential or to ensure the integrity of the message it is signing. 

Dispute Resolution Form A document or an Electronic Document Transfer Method questionnaire that contains the information specified in Exhibit 2E “Dispute Resolution Forms - Instructions”. It is used, in conjunction with the Electronic Document Transfer Method, by Customers and Members of Visa to provide an opposing Customer or Member with information relating to a dispute. 

Dispute Resolution Rules The rules governing disputes between Members regarding the Settlement of Transactions, as communicated to Members by Visa from time to time. 

Distribution Channel Vendor A third party that is registered by an Issuer with Visa to handle, store or ship Non-Personalized Prepaid Cards. 

Domestic Transaction A Transaction where the Issuer of the V PAY Card used and the Merchant Outlet or ATM where the V PAY Card is used are located in the same country. 

Dynamic Currency Conversion (DCC) The conversion of the purchase price of goods or services from the currency of the Merchant Outlet to the Billing Currency, as agreed to by the Cardholder and Merchant. That currency becomes the Transaction Currency, regardless of the Merchant’s local currency. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 297 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Dynamic Data Authentication A cryptographic value generated by a Chip on a V PAY Card for an Offline Authorization that uses Transaction-specific data elements and is verified by a Chip-Reading Device to protect against skimming. 

E Edit Package The software that the Visa Enterprise supplies to Visa Scheme Processors to:  Validate Interchange data destined for the Visa System;   Process Interchange data sent from the Visa Scheme Processor to the Visa System; and   Process Transactions from the Visa System received by the Visa Scheme Processor. 

Egregious Violation A violation of the V PAY Operating Regulations - Scheme that in Visa’s opinion is wilful and/or excessive and is knowingly committed by a V PAY Member.

Electronic Commerce Indicator (ECI) A Transaction Identifier for Electronic Commerce Transactions. 

Electronic Commerce Merchant A Merchant that conducts the sale of goods or services electronically over the internet. 

Electronic Commerce Transaction A Transaction between a Merchant and Cardholder over the internet. 

Electronic Consumer Device An electronic device that contains one or more Cards and that may also contain payment devices from other payment systems. Electronic Consumer Devices include but are not limited to mobile phones and tablets.

Electronic Documentation Transfer Method An electronic documentation transfer method approved by Visa. 

EMVCo EMVCo LLC, a limited liability company existing under the laws of Delaware. 

EMV-Compliant A Card or Point-of-Transaction Terminal application that complies with the requirements set by EMVCo, as amended by EMVCo from time to time and has been tested, approved and remains approved by EMVCo, Visa or their appointed agents. 

EMV-Online Card Authentication Cryptogram A cryptographic validation of the legitimacy of the V PAY Card and of the information set out in an Authorization Request using a Cryptogram conforming to the technical specifications set by EMVCo, as amended by EMVCo from time to time.

EMV PIN-Compliant A Chip-Reading Device that complies with the PIN requirements of the V PAY Operating Regulations - Scheme and the PIN Management Manuals or is approved and certified by the PCI SSC.

EMV PIN Transaction A Chip-initiated Transaction (excluding an ATM Transaction) that is verified using either Online PIN verification or Offline PIN Verification.

Euro Area Net Settlement An Area Net Settlement service where the Transaction Currency and the Settlement Currency is euro.

298 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

European Economic Area The member states of the European Union, and Iceland, Liechtenstein and Norway.

Exception File A file of Account Numbers for which the Issuer has pre-determined the Authorization Response, which a V PAY Member accesses Online. 

Expired Card A V PAY Card on which the embossed, encoded or printed expiry date has passed. 

F Face-to-Face Environment An environment where a Transaction is completed under all of the following conditions:  V PAY Card or Proximity Payment Device is present;   Cardholder is present; and   Individual representing the Merchant or Acquirer completes the Transaction. 

Fallback Transaction Where a Chip-Reading Device’s inability to read the Chip prevents a Chip-initiated Transaction from being completed and the Transaction is instead completed using an alternative means of data capture and transmission.

Fee Collection Transaction A Transaction used to collect the financial obligations of a V PAY Member.

Fictitious Account Number An Account Number that has not been issued by the V PAY Member that is licensed to use the BIN relating to such Account Number. 

Floor Limit A currency amount for single Transactions for specific types of Merchant and specific types of Transaction above which Authorization is required. 

Foreign Currency A currency other than the official national currency of the country where the Merchant Outlet, Branch or Unattended Acceptance Terminal is located. 

Fulfilment Vendor A third party which Visa certifies or approves to handle, store or ship V PAY Cards for Issuers. 

Full-Chip Data Data that:  Conforms to EMVCo minimum mandated requirements;   Supports cryptographic validation Online; and   Records the V PAY Card and terminal interactions completed during a Transaction. 

G Gambling Funds Transfer Merchant A Merchant, who is not the Online Gambling Merchant, that facilitates a Gambling Funds Transfer Transaction. 

Gambling Funds Transfer Transaction A Transaction between a Cardholder and a Merchant for the electronic transfer of funds for the purpose of performing an Online Gambling Transaction, where the Merchant transfers those funds, directly or indirectly, to the Online Gambling Merchant via an electronic purse. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 299 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Gambling Merchant A Merchant that provides any form of gambling as a service. 

Gambling Transaction A Transaction for the purchase of any form of gambling services. 

Global Compromised Account Recovery Program (GCAR) A program that allows Customers and Members worldwide to recover incremental counterfeit fraud losses, and operating expenses resulting from an Account Data Compromise Event, as set out in the document entitled Visa Europe Global Compromised Account Recovery Guide, as amended from time to time. 

Global Fraud Information Service (GFIS) A secure online resource that provides Members with up-to-date information from Visa.

Governmental Authority Any national, federal, state or local government body in any jurisdiction, the European Commission and any other supranational body or any court, tribunal, arbitrator in any jurisdiction. 

Guest Folio A Lodging Merchant’s or Cruise Line’s guest file. 

H High Brand-Risk Internet Payment Service Provider An Internet Payment Service Provider that enters into a contract with one or more High Brand-Risk Sponsored Merchants. 

High Brand-Risk Merchant A Merchant that is required to use one of the following Merchant Category Codes, as amended from time to time by Visa:  5962, "Direct Marketing-Travel-Related Arrangement Services";  5966, "Direct Marketing-Outbound Telemarketing Merchants";  5967, "Direct Marketing-Inbound Telemarketing Merchants";  7995, "Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting, and Wagers at Race Tracks";  5912, “Drug Stores, Pharmacies”;   5122, “Drugs, Drug Proprietaries, Druggists’ Sundries”; or   5993, “Cigar Stores and Stands”, Merchants selling cigarettes in a Card-Absent  Environment. 

High Brand-Risk Sponsored Merchant A Sponsored Merchant that is assigned a Merchant Category Code designated for High Brand Risk Merchants. 

I, J Immediate Payment Effective until 17 May 2016, a Visa Direct Transfer, where the Recipient Member makes the funds sent via the Original Credit Transaction available to the Cardholder within 30 minutes of sending an Approval Response to the Service Provider Member.

Imprint Cardholder data embossed, printed or encoded on a V PAY Card, which is transferred on to a Transaction Receipt either manually or electronically. 

300 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Independent Sales Organisation An entity that is not eligible for membership in Visa, has no direct connection to the Visa System and provides V PAY Members with Card-related support services.

Input Date The Edit Package run date on which a V PAY Member submits its outgoing Interchange File, or, for Domestic Transactions, the date on which the V PAY Member processes its outgoing Interchange File.

Instalment Transaction Effective until 21 April 2017, the single purchase of goods or services billed to a Cardholder’s account in multiple segments, over a period of time agreed to between that Cardholder and a Merchant.

Effective from 22 April 2017, a Transaction in a series of Transactions that use a Stored Credential and that represent Cardholder agreement for the Merchant to initiate one or more future Transactions over a period of time for a single purchase of goods or services.

Interchange The exchange of Clearing Records between V PAY Members. 

Interchange File An electronic file containing a V PAY Member’s Interchange data. 

Interchange Reimbursement Fee A fee reimbursed by a V PAY Member in the Clearing and Settlement of an Interchange Transaction. 

Interchange Transaction A Transaction where the Issuer and the Acquirer are different.

Intermediary Bank A depository institution, specified by a V PAY Member or by Visa, through which a Settlement funds transfer must be processed for credit to a Settlement account at another depository institution.

International Airline An Airline that sells tickets directly in its own name in two or more countries, or operates scheduled flights between two or more countries, or both. 

International ATM Cash Disbursement Fee A fee payable by an Issuer for an ATM Cash Disbursement for International Transactions. 

International Authorization The Authorization of an International Transaction.

International Organisation for Standardisation (ISO) The specialised international agency that establishes and publishes international technical standards.

International Settlement Service [A] A Settlement service that each V PAY Member must be capable of participating in and which is used for all Transactions that do not qualify for National Net Settlement, Area Net Settlement or Product Net Settlement services. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 301 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

International Transaction A Transaction where (i) the Merchant Outlet or ATM acquiring such Transaction is located in the Territory, where the issuer of the V PAY Card used for such Transaction is a Customer, or (ii) the Merchant Outlet or ATM acquiring such Transaction is located outside the Territory, where the Issuer of the V PAY Card used for such Transaction is a Member. 

Internet Payment Service Provider (IPSP) An entity that contracts with an Acquirer for the purpose of providing online payment services to a Sponsored Merchant. 

In-Transit Transaction A Transaction for the purchase of goods or services on board an aircraft, boat, bus, ferry, ship or  train. 

Issuer A V PAY Member that issues Cards to a Cardholder and maintains the contractual privity relating to such V PAY Card with that Cardholder. 

K Key Management Service A service that helps V PAY Members to process, store and transmit V PAY Member keys, to protect the security of PINs. 

L Late Settlement Fee The fee that Visa collects from a V PAY Member for failure to transfer the Settlement Amount as part of the International Settlement Service at the Settlement Bank on the date due. 

Liability As specified in the V PAY Operating Regulations - Scheme, Section 1.15 any liability under any theory or form of action whatsoever, in law or in equity, including, without limitation, contract or tort (including negligence) even if the responsible party has been notified of the possibility of such damages. The term also includes liability for infringement of others’ intellectual property rights or any liability for Claims of third parties.

Licensed Marks Visa Marks and non-Visa Marks. 

Load Acquirer A Member that operates Load Devices and support systems that allow consumers to:  Load value to a Reloadable Card; and  Unload value from a Reloadable Card, where applicable.

Load Device An ATM or stand-alone device that a Cardholder uses to add or remove value from a stored value application on a Chip Card.

Load Transaction A Transaction that adds monetary value to a Card at a Point-of-Transaction Terminal. 

Local Non-Processing Days A day on which the Central Bank, for the local currency of the country in which the Acquirer operates is closed. 

302 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Lodging Merchant A Merchant that sells and provides overnight accommodation at a fixed location. 

Lodging Merchants include establishments such as apartments, bed and breakfast establishments, cabins, condominiums, cottages, hostels, hotels, inns, motels, resorts, houses rented as short-term accommodation, and, effective until 21 April 2017, campgrounds. 

M Magnetic Stripe The magnetic tape on a V PAY Card that contains the necessary information to complete a Transaction. 

Magnetic Stripe Data Data contained in the Magnetic Stripe and replicated in the Chip.

Magnetic Stripe Image The minimum Chip payment data replicating the Magnetic Stripe information required to process a Transaction that is EMV-Compliant. 

Magnetic-Stripe Terminal A terminal that reads the Magnetic Stripe on a V PAY Card. 

Mail/Phone Order Merchant A Merchant that completes a Mail/Phone Order Transaction.

Mail/Phone Order Transaction A Transaction where a Cardholder orders goods or services from a Merchant by telephone, mail or other means of telecommunication, and neither the Card nor the Cardholder is present at the Merchant Outlet. 

Manual Cash Disbursement A Cash Disbursement obtained with a V PAY Card in a Face-to-Face Environment. 

Member Financial institutions or other entities that use or offer for use V PAY Products and Services under sublicense from Visa or an Affiliate of Visa. 

Member Identification Area The area on the front of a V PAY Card that is not covered by the Marks.

Member Message Field A text field record of a Chargeback or Representment that contains pre-formatted messages.

Merchant Any Person that enters into an agreement with an Acquirer for participation in the Visa Enterprise for the acceptance of V PAY Cards for purposes of originating payment Transactions under any Visa Marks. 

Merchant Agreement A contract between a Merchant and an Acquirer containing their respective rights, duties and obligations for participation in the Acquirer’s V PAY Card Program and/or V PAY Card Product. 

Merchant Category Code (MCC) A code designating the principal trade, profession, or line of business in which a Merchant is  engaged. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 303 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Merchant Outlet Either:  The physical premises of the Merchant at which the Transaction is completed; or   For an Electronic Commerce Merchant, Sponsored Merchant, or, effective from 15 October 2016, a Mail/Phone Order Merchant, the Merchant Outlet shall be: — Where the Electronic Commerce Merchant, Sponsored Merchant, or, effective from  15 October 2016, a Mail/Phone Order Merchant, has a Permanent Establishment, the address of the Permanent Establishment through which the Transaction is completed;  — If the Electronic Commerce Merchant, Sponsored Merchant or, effective from 15 October 2016, a Mail/Phone Order Merchant, does not have a Permanent Establishment, the address for which the Electronic Commerce Merchant, Sponsored Merchant ,or, effective from 15 October 2016, a Mail/Phone Order Merchant, holds a valid business  license; and  — If the Electronic Commerce Merchant, Sponsored Merchant ,or, effective from  15 October 2016, a Mail/Phone Order Merchant, does not have a Permanent Establishment and does not hold a valid business license, the Electronic Commerce Merchant's, Sponsored Merchant's, or, effective from 15 October 2016, a Mail/Phone Order Merchant’s, address for correspondence for the payment of its taxes relating to its sales activity. 

Merchant Server Plug-In A software module used by an Electronic Commerce Merchant to enable the Merchant to process Transactions that are 3-D Secure. 

Merchant Service Charge A fee that is set, and charged, by an Acquirer to a Merchant under a Merchant Agreement.

MIF Multilaterally agreed (s) paid by an Acquirer to a separate Issuer or vice versa.

MIF Plus Plus Pricing in a Merchant Agreement where the Merchant Service Charge for Transactions referred to in the Merchant Agreement and on invoices is broken down into separate components comprising the MIF, all other fees applicable to Transactions and the Acquirer’s fee (including the margin).

Mobile Acceptance Terminal A Point-of-Transaction Terminal that consists of a hardware accessory and any mobile device (including but not limited to mobile phones and tablets) owned or operated by the Merchant.

Such terminals may be known as mPOS.

Multiple Clearing Sequence Number (MCSN) A unique sequence number assigned by an Acquirer that distinguishes a specific Clearing Record among multiple Clearing Records being submitted for a single Authorization. 

N National Net Settlement A Settlement service participated in by some or all V PAY Members to settle Transactions within a given country in the currency or currencies of that country. 

National Organisation An organisation to which Visa delegates, in whole or in part, its responsibility for the development, operation and administration of Visa Card Programs and/or Visa Card Products in any country or countries inside the Territory, including, but not limited to, (i) the development and implementation of products, services, systems, programs and strategies to address unique market conditions within such country or countries, (ii) coordination of Member activities (as relevant), and (iii) the promulgation of rules, regulations and policies applicable to Members operating within such country or countries. 

304 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

New Channel An environment in which payment is initiated via any device that does not use an HTML browser to process an Authentication Request. 

Non-Personalized Card A Card that has an Account Number and expiry date printed or encoded on it but does not bear a Cardholder’s name. These Cards may have a generic identifier, or in the case of Prepaid Cards, the name field may be blank. 

Non-Reloadable Card A Prepaid Card that is funded with monetary value only once. 

Non-Visa Marks Any Trademarks that are developed after 1 October 2007 by Visa or any of its Affiliates for use in respect of the Visa Products and Services or relating to the management, operation, maintenance or promotion of or participation in, the Visa System, which are not Visa Marks or New Visa Marks or confusingly similar to Visa Marks. 

O Offline An environment where Transactions may be completed without Online Authorization by an Issuer, its Processor or Stand-In Processing and authentication or verification for Transactions occurs using parameters encoded in the Chip. 

Offline Authorization An Issuer-controlled process that allows an Authorization Request for a Transaction to be processed Offline in accordance with the Merchant's floor limit and the Issuer-defined Chip controls or the Service Code, as applicable, in a below-Floor Limit environment without sending the request to the Issuer. 

Offline Data Authentication A process whereby a Chip Card is validated at the Point-of-Transaction, as specified in the Visa Integrated Circuit Card Specifications.

Offline PIN Verification A process used to verify the Cardholder’s identity by comparing the PIN entered at the Chip-Reading Device to the PIN value contained in the Chip.

Online An environment where authentication or verification occurs using an electronic communications network other than voice. 

Online Authorization A method of requesting an Authorization Online. 

Online-Capable Capable of obtaining Online Authorization, but may be subject to standard Floor Limits.

Online Financial Transaction A Transaction that is authorized, cleared and settled in a single Online message. 

Online Gambling Merchant An Electronic Commerce Merchant that facilitates Online Gambling Transactions. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 305 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Online Gambling Transaction An Electronic Commerce Transaction for the purchase of any form of gambling services over the internet. Gambling services include the following:  Betting;   Lotteries;   Casino-style games;   Funding an account established by the Merchant on behalf of the Cardholder; and   Purchase of value for proprietary payment mechanisms, such as electronic gaming chips. 

Online-Only Operating to a Zero Floor Limit, with Online Authorization obtained for every Transaction.

A V PAY Card that requests Online Authorization for every Transaction, regardless of whether the Transaction is initiated using the Chip or the Magnetic Stripe of the V PAY Card, and where an Authorization cannot be obtained, requests a Decline Response.

Optional Issuer Fee Also known as: OIF A fee that an Issuer may charge a Cardholder by the application of a percentage increase to the Currency Conversion Rate which the Visa Systems use to determine the Transaction Amount in the Billing Currency for each Country-to-Country Transaction. 

Original Credit Transaction A Transaction initiated by a V PAY Member either directly or on behalf of its Merchant that results in a credit to the Account Number of a V PAY Card for a purpose other than refunding a purchase. 

Originating Member An Issuer or Acquirer that initiates an Original Credit Transaction. 

P PAReq An Authentication Request sent from the Merchant Server Plug-In (MPI) to the Access Control Server of an Issuer. 

PARes An Authentication Response sent from the Access Control Server of an Issuer to the Merchant Server Plug-In (MPI). 

Partial Authorization An Authorization for an amount less than the amount requested by a Merchant for a Transaction on a V PAY Card. 

Passcode A code entered by the Cardholder into the Electronic Consumer Device and used by the Portable Payment Device to authenticate the Cardholder. 

Payment Application A software application contained within a Chip or payment data encoded on a Magnetic Stripe that defines the parameters for processing a V PAY Transaction and meets the minimum requirements of the relevant V PAY Card Program and V PAY Card Product. 

Payment Services Directive (PSD) The European Parliament and Council directive 2007/64/EC and any subsequent changes.

306 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

PCI Forensic Investigator (PFI) A company or organisation that has been approved by the PCI Security Standards Council to conduct forensic investigations into data compromise events that are suspected of exposing Cardholder data.

PCI SSC Payment Card Industry Security Standards Council. 

Permanent Establishment A fixed place of business through which an Electronic Commerce Merchant or, effective from  15 October 2016, a Mail/Phone Order Merchant, conducts its business, regardless of website or server locations. 

Person Any natural person, general partnership, limited partnership, limited liability company, limited liability partnership, joint venture, firm corporation, association, incorporated organisation, unincorporated organisation, trust or other enterprise, or any Government Authority. 

Pickup Response An Authorization Response where the Transaction is declined and confiscation of the V PAY Card is requested. 

PIN A personal identification numeric code that is used to identify a Cardholder in an Authorization Request. 

PIN Entry Device (PED) A device used for secure PIN entry and processing as defined in the Payment Card Industry PED Security Requirements.

PIN Verification A procedure used to verify Cardholder identity when a PIN is used in an Authorization Request. 

PIN Verification Service A service that Visa provides to its Members for the verification of Cardholder PINs transmitted with Authorization Requests. 

Plus ATM An ATM that displays the Plus Symbol and not the Visa Brand Mark. 

Plus Program A program through which a Plus participant provides ATM services to Cardholders by acting as an Issuer, an ATM Acquirer, or both. 

Plus Symbol The Licensed Mark meeting the specifications as set out in the Visa Product Brand Standards.

Plus Transaction A Transaction completed with a V PAY Card bearing the Plus Symbol at a Merchant or Acquirer.

Point-of-Transaction The physical location where a Merchant or Acquirer (in a Face-to-Face Environment or Semi Attended Environment) or an Unattended Acceptance Terminal (in an Unattended Environment) completes a Transaction Receipt or a Transaction Record.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 307 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Point-of-Transaction Balance Return An Authorization Response in which an Issuer of Prepaid Cards provides the available balance for participating Merchants to print on the Transaction Receipt. 

Point-of-Transaction Balance Return Service A service that provides a Point-of-Transaction Balance Return. 

Point-of-Transaction Terminal A device used at the Point-of-Transaction that has a corresponding Point-of-Transaction capability. 

Portable Payment Device A Portable Payment Device is a Proximity Payment Device that resides in an Electronic Consumer Device. 

POS Entry Mode An Authorization or Online Financial Transaction field indicating the method used to obtain and transmit the Cardholder information necessary to complete a Transaction, that is manual key entry, or Chip read. 

Post-Issuance Application Change A method that enables an Issuer to modify or block an application already residing on a Chip.

Post-Issuance Application Load A method that enables an Issuer to add an application or service to the contents of a Chip without reissuing a Card.

Post-Issuance Updates A method that enables an Issuer to update information stored in a Chip without reissuing the V PAY Card. There are two types of Post-Issuance Updates:  Post-Issuance Application Change; and   Post-Issuance Application Load. 

Prepaid Account An account established by an Issuer, with previously deposited, authorized or transferred funds, which is decreased by purchase Transactions, Cash Disbursements or account fees. 

Prepaid Card A Card used to access funds in a Prepaid Account or a Card where monetary value is stored on a  Chip. 

Prepaid Card Transaction The act between a Cardholder using a Prepaid Card and a Merchant or an Acquirer resulting in a Transaction Receipt. 

Prepaid Partner A Customer, Member, Merchant or third party (excluding co-brand partners, Approved Manufacturers, Fulfilment Vendors and Third Party Personalizers) that has a contract with an Acquirer to sell, activate and/or perform Load Transaction processing of Prepaid Cards. 

Prepayment A Transaction for the prepayment of goods or services that are to be provided at an agreed time that is later than the time of the Transaction. 

308 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Presentment A Clearing Record that an Acquirer presents to an Issuer through Interchange, either initially (a first Presentment) or after a Chargeback (a Representment). 

Private Agreement A bilateral agreement between V PAY Members, relating to the process of obtaining an Authorization or Clearing and Settlement of Domestic Transactions. 

Private Keys The secret portion of the cryptographic method used for verification during a Transaction.

Processing Date The date (based on Greenwich Mean Time) on which Interchange data submitted by a V PAY Member to an Interchange Centre is accepted and processed for Settlement by that Interchange Centre. 

Processor A Person, who is not a Member, that stores, processes or transmits Cardholder or Transaction data for Visa, Members or other sublicensees of Visa and/or Merchants. 

Proximity Payment A Transaction conducted over an approved wireless interface in a Card-Present Environment. 

Proximity Payment Device A Card that makes a Proximity Payment. 

Public Keys The non-secret portion of the cryptographic method used for verification during a Transaction. 

Q Quasi-Cash Transaction A Transaction representing a Merchant’s or V PAY Member’s sale of items that are directly convertible to cash. 

R Receiving Member A Member receiving a Transaction through Interchange. 

Recipient Member An Issuer that receives an Original Credit Transaction. 

Recurring Transaction Effective until 21 April 2017, multiple Transactions processed pursuant to a Recurring Transaction Agreement.

Effective from 22 April 2017, a Transaction in a series of Transactions that use a Stored Credential and that are processed at fixed, regular intervals (not to exceed one year between Transactions), representing Cardholder agreement for the Merchant to initiate future Transactions for the purchase of goods or services provided at regular intervals.

Reference Exchange Rate For the purposes of the Payment Services Directive (PSD) this rate shall be the same as the Currency Conversion Rate. See also Currency Conversion Rate.

Referral Response An Authorization Response where the Issuer requests further information before completing the Transaction. 

NOTE: A V PAY Card cannot generate a Referral Response.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 309 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Reloadable Card A Prepaid Card that may be funded with monetary value more than once. 

Representment A Clearing Record that an Acquirer presents to an Issuer through Interchange after a Chargeback. 

Retail Transaction A Transaction at a Merchant Outlet that is not one of the following:  A Mail/Phone Order Merchant; or   Electronic Commerce Merchant. 

Retrieval Request An Issuer's request for a Transaction Receipt, which could include the original, a paper copy or facsimile, or an electronic version thereof. 

Reversal A Deferred Clearing Transaction or an Online Financial Transaction used to negate or cancel a Transaction that has been sent through Interchange in error. 

S Secure Electronic Commerce Transaction An Electronic Commerce Transaction that has been authenticated using an Authentication Method. 

Secure Sockets Layer (SSL) A protocol that uses Public Key encryption for the secure processing of Transactions over the internet and other networks.

Semi-Attended Environment An environment where a Transaction is completed under all of the following conditions:  Card or Proximity Payment Device is present;  Cardholder is present; and  Cardholder completes the Transaction and, if required, an individual representing the Merchant or Acquirer assists the Cardholder to complete the Transaction.

Sender Effective until 17 May 2016, a Cardholder sending money via Visa Direct.

Sending Member A V PAY Member entering a Transaction into Interchange.

Service Code A valid sequence of digits that is encoded in a Magnetic Stripe and replicated on the Magnetic Stripe Image in a Chip that identifies the circumstances under which the V PAY Card is valid and defines requirements for processing a Transaction with the V PAY Card. 

Service Provider Member Effective until 17 May 2016, an Issuer participating in the Visa Direct Service.

Settlement The reporting of Settlement Amounts owed by one V PAY Member to another, or to Visa, as a result of Clearing. 

Settlement Amount The daily net amount expressed in a V PAY Member’s Settlement Currency resulting from Clearing. These amounts include Transaction and Fee Collection Transaction totals, expressed in a Settlement Currency of the V PAY Member. 

310 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Settlement Bank A bank, including a Correspondent Bank or an Intermediary Bank, that is:  Located in the country where the Settlement Currency of a V PAY Member is the local currency; and   Authorised to execute Settlement of Interchange on behalf of the V PAY Member or the V PAY Member's bank. 

Settlement Currency A currency used for Settlement. 

Settlement Date The date on which Visa initiates the transfer of Settlement Amounts for Settlement. 

Settlement Loss The amounts actually payable by one Member to another Member pursuant to the provisions of any drafts or other instruments processed in accordance with the Operating Regulations and shall not include any consequential damages or expenses incurred in attempting to settle such drafts or other instruments, or any interest expenses, whether actually incurred or imputed, associated with delays in settlement.

Settlement Obligation The obligations of a Member of Visa to pay a Settlement Amount owed to another Member or to  Visa. 

Single Message System A service that processes Online Financial Transactions and Deferred Clearing Transactions through a single interface for purchases and ATM Transactions. 

Split Shipment Transaction A single Transaction for which a V PAY Merchant receives one Authorization but completes more than one Transaction Receipt for the purpose of splitting the shipment of multiple goods that are purchased in that single Transaction.

Sponsored Merchant A business that contracts with an Internet Payment Service Provider for that Internet Payment Service Provider to (a) conduct the sale of that business' goods and/or services electronically over the internet and (b) provide payment services for those goods and/or services, in each case on that business' behalf. 

Standard Rate The default Interchange Reimbursement Fee set by Visa. 

Stand-In Processing The component that provides Authorization on behalf of an Issuer when the Issuer or its Visa Scheme Processor is unavailable. 

Static Data Authentication A type of Offline Data Authentication whereby the terminal validates a cryptographic value placed on the card during personalisation. This validation protects against some types of counterfeit, but does not protect against copying and replaying.

Stored Credential Effective from 22 April 2017, information (including, but not limited to, an Account Number or Token) that is stored by a Merchant or its agent, a Payment Facilitator, or a Digital Wallet Operator to process future Transactions.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 311 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Substitute Transaction Receipt Effective until 21 April 2017, a paper form or record that is not a Sales Draft and that a V PAY Member or a Merchant provides in response to a Retrieval Request. 

T Tactile Brand Mark A raised surface element on a Card that surrounds either the Visa Brand Mark or the V PAY Brand Mark, as set out in the Visa Product Brand Standards.

T&E Transaction

A Transaction at a Merchant that provides goods and services related to travel and entertainment. 

Travel and entertainment includes all of the following: Airlines, effective until 21 April 2017, Car Rental Merchants, Cruise Lines; Lodging Merchants, travel agencies, effective from 22 April 2017, Vehicle Rental Merchants, and, where the Merchant is located in the Visa Inc. (US) Region, passenger  railways. 

Telephone Service Transaction A Transaction in which a Cardholder uses a V PAY Card to purchase a telephone call. 

Terminal Risk Management A process performed by a Chip-Reading Device to protect a V PAY Member from fraud by:  Initiating Online Issuer Authorization for above-Floor Limit Transactions;   Ensuring random Online processing for below-Floor Limit Transactions; and   Performing Transaction velocity checking. 

Territory Andorra, Austria, Bear Island, Belgium, Bulgaria, Channel Islands, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faeroe Island, Finland, France (including its "DOM-TOMs"), Germany, Gibraltar, Greece, Greenland, Hungary, Iceland, Ireland, Isle of Man, Israel, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, the Netherlands, Norway, Poland, Portugal, Romania, San Marino, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Vatican City, the United Kingdom, including the territories and possessions thereof, and any other jurisdiction which becomes a full member state of the European Union, and including any military bases, embassies or diplomatic consulates of the foregoing jurisdictions which are located outside of the Territory and excluding any military bases, embassies or diplomatic consulates located in the Territory of those jurisdictions which are located outside of the Territory. 

Third-Party Personaliser A third party that Visa certifies or approves to personalise V PAY Cards for Issuers. 

Timeshare Merchant A Merchant that manages the sales, rentals or other uses of condominiums, holiday homes, holiday clubs or apartments known as "timeshares" and does not provide full-service lodging (for example, lodgings offering room service). 

Tracing Data In a Single Message System message, the transmission date and time, systems trace audit number, retrieval reference number, Transaction Identifier and identity of the Acquirer. 

Trademark Trademarks, trade names, corporate names, business names, trade styles, get up, trade dress, product and service names, words, symbols, devices, service marks, logos, taglines, sounds, combinations thereof, other source or business identifiers and general intangibles of like nature, together with goodwill associated therewith, whether registered or unregistered, arising under the laws of any jurisdiction, and registrations and applications for registration with respect to any of the foregoing. 

312 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Transaction The act between a Cardholder and a Merchant or an Acquirer that results in a Transaction Receipt. 

Transaction Amount The monetary value of a Transaction. 

Transaction Country The country where a Merchant Outlet is located, regardless of the Cardholder’s location when a Transaction occurs. For Transactions completed aboard an aircraft or a Cruise Line vessel, the Transaction Country is where the Merchant deposits the Transaction Receipt. 

Transaction Currency The currency in which a Transaction is originally completed. 

Transaction Date The date on which a Transaction between a Cardholder and a Merchant or an Acquirer occurs, except where otherwise specified in the V PAY Operating Regulations - Scheme. 

Transaction Identifier A unique value assigned to each Transaction to maintain an audit trail throughout the life cycle of the Transaction and all related transactions. 

Transaction Information Information necessary for processing Transactions, as specified in the Payment Card Industry Data Security Standard. 

Transaction Receipt An electronic or paper record of a Transaction (or a copy), generated at the Point-of-Transaction, with one copy retained by the Acquirer or Merchant and, at the option of the Cardholder, one copy retained by the Cardholder. 

Transaction Record A paper record evidencing that a Transaction has taken place, which is produced by a Point-of- Transaction Terminal and retained by the Acquirer or Merchant. 

Travellers Cheque Cheques bearing the Visa Mark issued by Members under the Travellers Cheque Program.

Travellers Cheque Program The program for the issuance of Travellers Cheques operated by Visa in accordance with the Visa International Travellers Cheque Operating Regulations.

U Unable-to-Authenticate Response

A message from an Issuer who uses 3-D Secure in response to an Authentication Request indicating that the Issuer is unable to authenticate the Cardholder for reasons other than those that result in an Authentication Denial. 

Unattended Acceptance Terminal A Cardholder-operated device that reads, captures and transmits Card information in an environment where there is no individual representing the Merchant or the Acquirer present to complete the Transaction. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 313 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Unattended Environment An environment where a Transaction is completed under all of the following conditions:  Card is present;   Cardholder is present;   Cardholder completes the Transaction directly at an Unattended Acceptance Terminal; and   Authorization, if required, is obtained electronically. 

Examples of terminals deployed in an Unattended Environment include:  Vending machines;   Parking and transit terminals (MCC 4111, 4112, 4784, 4131, 7523);   Automated Fuel Dispensers;   ATMs; and   Terminals performing Gambling Transactions. 

Unload Transaction A Transaction where monetary value is removed from a Reloadable Card and transferred to another account held by the same financial institution.

Unrecognised Service Code A Service Code that cannot be recognised by a Chip-Reading Device.

Unscheduled Credential-on-File Transaction Effective from 22 April 2017, a Transaction in a series of Transactions using a Stored Credential for a fixed or variable amount that does not occur on a scheduled or regularly occurring Transaction Date, where the Cardholder has provided consent for the Merchant to initiate one or more future Transactions.

V Value Date The date on which the Settlement Amount is transferred from the party making the payment to the party receiving the payment.

Vehicle Rental Merchant Effective from 22 April 2017, a Merchant that offers cars, vans, trucks, trailers and other similar vehicles for rental, and who is assigned one of the following Merchant Category Codes:  3351-3500: Car Rental Agencies;   7512: Car Rental Agencies (Not Elsewhere Classified); or   7513: Rentals - Trucks and Trailers. 

VERes A response message type that indicates whether a Card is enrolled in or eligible for 3-D Secure and if a Transaction can be authenticated in 3-D Secure. 

Verified by Visa An Authentication Method based on the 3-D Secure Specification. 

V.I.P. System The VisaNet Integrated Payment System (V.I.P. System), comprised of BASE I and the Single Message System used for single message authorization in connection with financial transaction processing. 

Visa Alerts A service provided by an Issuer, participating in a Visa Alerts Service, to their Cardholders that enables their Cardholders to receive Alerts.

314 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Visa Alerts Data Feed Service A service offered by Visa to its Issuers where Visa is responsible for the generation of Alert data and the Issuer is responsible for the delivery of the Alerts.

Visa Alerts Full Service A service offered by Visa to its Issuers where Visa is responsible for both the generation and delivery of Alerts.

Visa Alerts Service An Alert processing service provided by Visa to its Issuers consisting of the Visa Alerts Full Service or Visa Alerts Data Feed Service.

Visa Brand Mark The Licensed Mark meeting the specifications as set out in the Visa Product Brand Standards. 

Visa Brand Mark with the Electron Identifier The Licensed Mark meeting the specifications as set out in the Visa Product Brand Standards. 

Visa Card Product Both the product name for a Card and its associated service features through which a Member provides payment services to Cardholders.

Visa Card Program A program through which a Member provides payment services to Cardholders or Merchants by acting as an Issuer, an Acquirer, or both.

Visa Direct Effective until 17 May 2016, a money transfer service offered by an Issuer to its Cardholders, enabling Cardholders to transfer funds from one Cardholder's account to another Cardholder's account.

Visa Direct Mobile Application Effective until 17 May 2016, a mobile application providing Cardholders with access to Visa Direct.

Visa Direct Service Effective until 17 May 2016, a service provided by Visa to its Issuers, which provides the money transfer processing for Visa Direct.

Visa Direct Transfer Effective until 17 May 2016, a funds transfer that consists of two interdependent Transactions:  The Account Funding Transaction (AFT)—the debit Transaction in the funds transfer; and  Original Credit Transaction (OCT)—the credit Transaction in the funds transfer.

Visa Electron Payment Application A software application contained within a Chip or payment data encoded on a Magnetic Stripe that defines the parameters for processing a Transaction using a Visa Electron Card.

Visa EMV Public Keys The Public Keys issued to validate Digital Certificates issued by the Visa Inc. EMV Certification Authority. 

Visa Enterprise The worldwide enterprise comprised of Visa and its Affiliates, providing products and services that include authorizing, processing, clearing and settling of financial transactions and management and processing of information in connection with financial payments under any Visa Marks or using the Visa System. 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 315 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Visa Europe The company, Visa Europe Limited, registered in England and Wales with its registered address at One Sheldon Square, London W2 6TT with company number 5139966. 

Visa Europe Authorization Service The system for authorization processing of dual-message transactions, and authorization and clearing processing of financial transactions operated by Visa. 

Visa Europe Clearing and Settlement Service The system and services for Clearing and Settlement, developed, owned and operated by Visa from time to time. 

Visa Europe Competitor Any Person which (a) owns or controls a payment card system or is directly or indirectly owned or controlled by an entity that owns or controls a payment card system; and (b) such entity poses a substantial risk of disloyal competition in favour of such other payment card system, to the detriment of Visa. 

Visa Europe Non-Electronic Interchange Reimbursement Fee An Interchange Reimbursement Fee for any Visa Europe Transaction using a Card that does not meet the requirements for any other Interchange Reimbursement Fee as specified in Section 10.2.1.

Visa Europe Settlement Service A service that allows Members to consolidate the Settlement functions of the Visa Europe Systems into one centralized function and benefit from flexible reporting options, as specified in the Visa Europe System Manuals.

Visa Europe Transaction A Transaction where the Issuer of the Card used is a Member, and the Merchant Outlet or ATM where the Card is used is located in the Territory. For Transactions completed aboard any passenger transport vehicle such as an aircraft or a cruise line vessel, a Transaction shall be considered a Visa Europe Transaction when the Merchant deposits the Transaction Receipt in the Territory. 

Visa Extended Access Server The network interface point to the Visa System, and any associated hardware and software, provided by Visa to its Members and Visa System Processors for Transaction and data routing and  processing. 

Visa Global ATM Program A global program where an ATM participant provides Cash Disbursement services to Cardholders by acting as an Issuer, an ATM Acquirer, or both. 

Visa Inc. The corporation, Visa Inc., organised and existing under the laws of the State of Delaware, United States of America with a principal place of business at 900 Metro Centre Boulevard, Foster City, California 94404. 

Visa Inc. Competitor Any Person which (a) owns or controls a payment card system or is directly or indirectly owned or controlled by an entity that owns or controls a payment card system; and (b) such entity poses a substantial risk of disloyal competition in favour of such other payment card system, to the detriment of Visa Inc. outside the Territory.

Visa Interchange Centre The Visa facility that operates the Visa data processing systems and support networks.

316 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Visa Interchange Directory A directory established and maintained by Visa Inc. setting out contact information for Members and Processors. 

Visa Marks Trademarks incorporating the term "Visa" and all Trademarks owned or used by Visa Inc. or any of its Affiliates or Visa Europe or any of its Affiliates at 1 October 2007, as amended from time to time to include new Visa Marks, and that are licensed by Visa. 

VisaNet The systems and services owned by Visa Inc. (as may be modified or enhanced from time to time), including the V.I.P. System, BASE II and Visa Europe Authorization Service, and related components, through which Online Financial Transactions, Authorization, Clearing and Settlement services are delivered to V PAY Members from time to time. 

VisaNet Settlement Service A service that allows V PAY Members to consolidate the Settlement functions of the Visa Inc. Systems into one centralised function and benefit from flexible reporting options, as specified in the VisaNet Settlement Services (VSS) User's Guide, Volumes 1 and 2. 

Visa/Plus ATM An ATM that:  Displays the V PAY Brand Mark or the Visa Brand Mark and the Plus Symbol; and   May also display the Visa Brand Mark with the Electron Identifier. 

Visa Prepaid Load Service A service that enables Settlement of funds associated with a Load Transaction to a Prepaid Card at a Prepaid Partner. 

Visa Products and Services Products and/or services of the Visa Enterprise relating to financial services, payments, related information technology and information processing services, including credit Cards and debit Cards and Authorization, processing, Clearing and Settlement services marketed, offered, provided, sold or distributed in connection with the Visa Enterprise. 

Visa-Recognised Payment Authentication Method The Visa Secure Electronic Commerce methods that are approved by Visa and that a Member must use within the Interchange domain. Currently these are:  “Chip Electronic Commerce” as defined in the Chip Electronic Commerce Specifications  Version 1.0, using the Chip Authentication Cryptogram to replace the Cardholder  signature; and  Verified by Visa (VbV).

Visa Reserved BIN Range A range of BINs, assigned and licensed by Visa, that is used internally by an organisation solely to create reserved, private identifiers in the place of an Account Number.

Visa Secure Electronic Commerce A payment service that provides payment information security over the internet and other networks for Cardholders using a V PAY Card and Cardholder Access Device to conduct an Electronic Commerce Transaction.

Visa Smart Debit/Credit Personalisation Assistant Profile A Card definition used by a Member for the personalisation of a Card, and by Visa to validate data on Cards being issued by a Member.

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 317 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

Visa Smart Debit/Credit Personalisation Assistant Tool A web-based tool, available from Visa Online, allowing Issuers implementing a Chip program to design the personalisation settings for their Chip Cards, thereby ensuring compliance with Visa requirements and recommendations for their Visa Card Product. This tool is also known by the acronym VPA.

Visa Smart Payment Effective until 14 October 2016, EMV-Compliant and either VIS-Compliant or CPA-Compliant applications that provide payment service options and controls to Issuers of V PAY Cards bearing the Visa Brand Mark, the Visa Brand Mark with the Electron Identifier or the Plus Symbol. 

Effective from 15 October 2016, EMV-Compliant and VIS-Compliant applications that provide payment service options and controls to Issuers of V PAY Cards bearing the Visa Brand Mark, the Visa Brand Mark with the Electron Identifier or the Plus Symbol. 

Visa System The information technology and other systems and platforms for global data processing and payment Authorization, Clearing and Settlement, including VisaNet and the Visa Europe Clearing and Settlement used by the Visa Enterprise. 

Visa Scheme Processor A V PAY Member or third party that provides Authorization, Clearing, Settlement, or payment-related processing services for Merchants, or V PAY Members. 

VIS-Compliant

Effective until 14 October 2016, a V PAY Card application that complies with one of the following:  The requirements specified in the Visa Integrated Circuit Card Specifications; or   The requirements specified in the EMV Common Payment Application Specifications, where the V PAY Card has been: — Personalised to a "Common Core Definition"-compliant profile; and  — Approved by EMVCo. 

Effective from 15 October 2016, a V PAY Card application that complies with the requirements specified in the Visa Integrated Circuit Card Specifications. 

V PAY Brand Mark The Licensed Mark meeting the specifications as set out in the Visa Product Brand Standards. 

V PAY Card A Chip Card that bears the V PAY Brand Mark, enabling a Cardholder to obtain goods, services, or cash from a V PAY Merchant, Acquirer or ATM.

V PAY Card Product Both the Product Name for a V PAY Card and its associated service features through which a Member provides payment services to Cardholders.

V PAY Card Program A program through which a V PAY Member provides product payment services to Cardholders or Merchants using Cards that bear the V PAY Brand Mark by acting as an Issuer, an Acquirer or both.

V PAY Member A V PAY Member issues Cards bearing the V PAY Mark and/or contracts with Merchants for acceptance of V PAY Cards.

V PAY Merchant A Merchant that displays the V PAY Brand Mark.

318 VISA CONFIDENTIAL INFORMATION - Member Use Only 15 April 2017 V PAY Operating Regulations - Scheme Appendix D - Defined Terms

V PAY Micro Tag A Proximity Payment Device that is not a:  Standard plastic payment Card; or   Portable Payment Device. 

V PAY Payment Application EMV-Compliant Chip-based applications that provide payment service options and controls to Issuers of Chip Cards bearing the V PAY Brand Mark.

V PAY Product An unembossed “Chip only” Card developed in Visa.

V PAY Products and Services Products and/or services of the Visa Enterprise relating to financial services, payments, related information technology and information processing services, including V PAY Cards, Authorization, processing, Clearing and Settlement services marketed, offered, provided, sold or distributed in connection with the Visa Enterprise. 

V PAY Transaction A Chip-initiated Transaction completed with a V PAY Card at a V PAY Merchant or Acquirer.

W Workout Period

Effective from 1 July 2016, in conjunction with the Visa Chargeback Monitoring Program and the Visa Fraud Monitoring Program, a three month remediation period during which Visa manages a corrective action plan between a Merchant and its Acquirer to bring the Merchant's Chargeback or fraud activity below program thresholds. The Workout Period is not applicable to either of the following Merchants:  High Brand-Risk Merchants; or   Merchants in either the Visa Chargeback Monitoring High-Risk Program or the Visa Fraud Monitoring High-Risk Program. 

X, Y, Z Zero Floor Limit A Floor Limit with a currency amount of zero (that is, Authorization is required for all Transactions). 

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 319 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Visa Business News

The Visa Business News (VBNs) articles referenced in the Summary of Changes section of the V PAY Operating Regulations - Scheme are listed in Table E-1. Full copies of these letters are available to download from Visa Online.

Table E-1 VBNs referenced in the V PAY Operating Regulations - Scheme

Reference Title Date Published Sections Referenced

AI06001 Rules Related to Transaction Receipts Will 10 November 2016 • Section 6.6.1.4.1 Be Updated • Appendix D, "Defined Terms" AI06095 Mail Orders Will Be Exempted From CVV2 1 December 2016 Section 2.3.1 Requirements AI06261 Requirement for DCC Indicator at ATMs 2 February 2017 Section 6.9 Will Be Introduced

15 April 2017 VISA EUROPE CONFIDENTIAL INFORMATION - Member Use Only 321 V PAY Operating Regulations - Scheme THIS PAGE INTENTIONALLY LEFT BLANK Forms

15 April 2017 VISA CONFIDENTIAL INFORMATION - Member Use Only 323 V PAY Operating Regulations - Scheme Card Acceptance Complaint Form

The Card Acceptance Complaint Form is to be used by Members to report to Visa any Merchant or Cardholder complaints (domestic or international) concerning Card acceptance or Transaction processing issues that are of concern to the Member and are not addressed by existing Chargeback or Compliance rights. Visa maintains a centralised database of these complaints that includes specific information concerning the parties involved and the nature of the complaints. It is used to determine the nature and extent of problems, and also to aid Visa in the evaluation of rule enhancements and the identification of abusive practices, specific problem Merchants or Cardholders, and other patterns of concern.

The use of this form is optional. It may be submitted at any time the Member deems appropriate. Visa will investigate complaints when appropriate and reserves the right to intervene at its discretion; however, submission of this form is not intended to be a replacement for Member customer service. Under no circumstances is this form to be provided to a Cardholder, a Merchant, or any other third party. Each form must be completed and submitted by the Member receiving the complaint. This form must not be used in situations where Chargeback, Arbitration, Compliance, or Resolution Rights are available to the Member.

While the majority of complaints are self-explanatory, the following examples clarify certain categories.

103 Non-Acceptance of Card A Merchant refused to accept a valid Visa Card where the Visa Marks were displayed. A detailed explanation of why the card was not accepted must be provided. Please indicate the type of card product not accepted (for example, Visa Classic Card, Visa Business Card, Visa Gold Card, Visa Electron Card, Visa TravelMoney).

105 Erroneous Merchant Description The Merchant with whom the Cardholder did business used a different Merchant description when the Transaction was processed that was not recognised by the Cardholder on his billing statement, thus resulting in an unnecessary Cardholder inquiry.

106 Authorization-Related Complaints This category is to be used for any Authorization-related complaint either from the Cardholder (for example, unnecessary referrals or time-consuming authorization procedures) or Merchant. A detailed explanation of the Authorization-related complaint must be provided.

108 Nature of Merchant Business Visa Cards are accepted by a Merchant whose business is one that the Cardholder finds morally or ethically offensive. Examples include furriers or pornographers.

111 Merchant Re-Billing After Chargeback A Transaction has already been disputed and credited (usually due to a successful Chargeback by the Issuer) but has been re-billed by the Merchant.

113 Incorrect Merchant Category Code Used A Transaction was processed by a Merchant with an incorrect Merchant Category Code (MCC). (Use the Consumer Dispute Complaint Form for a retail or T&E Transaction processed as a Cash Disbursement.)

199 Other This category is to be used for any other Card acceptance complaints received from either a Cardholder or Merchant. A detailed explanation of the complaint is required. If the complaint concerns a consumer protection dispute, please use the Consumer Dispute Complaint Form.

Please complete the form and then either; email a scanned copy to the customer support email address: [email protected]; or post it to: Customer Support, Visa, P.O. Box 39662, London W2 6WH, United Kingdom. Card Acceptance Complaint Form

Members should complete this form upon the discovery of suspected Card acceptance or Transaction processing violations that may be protected through the enforcement of Visa rules, but are not covered under Chargeback or Compliance rights. Visa e will maintain a record of all complaints received. For possible enforcement action, all supporting documentation must be attached and all fields must be completed in English (or an English translation must be provided). This form must be completed by a Member and may not be given to a Cardholder, a Merchant, or any other third party. Members must submit this form and any documentation to Visa.

INSTRUCTIONS: Please type or print in upper-case letters.

Member Record Number: ______Region Record Number: ______Issuer Name: ______BIN: ______Country: Acquirer Name: ______BIN: ______Country: Cardholder Name: ______Account Number: ______Cardholder City: ______Cardholder Country: ______Acquirer Reference Number: ______Amount in dispute (in Transaction Currency): ______Merchant Name: ______Merchant Address: ______Merchant Location (city): ______Merchant Category Code Used: ______Postal Code: ______Correct Merchant Category Code ______

Check the description of the complaint most applicable, provide a brief explanation, and attach any documentation.

101 Surcharge Imposed 108 Nature of Merchant Business 102 Minimum/Maximum Transaction Amount Imposed 109 Improper Use of Service Marks 103 Non-Acceptance of Card 110 Currency Conversion Issues 104 Additional ID Required for Card Acceptance 111 Merchant Re-Billing after Chargeback 105 Erroneous Merchant Description 112 Card Confiscated 106 Authorization-Related Complaints 113 Incorrect Merchant Category Card Used 107 Car Rental Merchant Required Purchase of CDW 199 Other (provide detailed explanation)

Explanation: ______Transaction Date: ______Date of Cardholder Complaint: ______Was a Chargeback processed for this Transaction: No Yes Which Chargeback: ______Date: Was a Chargeback represented?: No Yes ______Date: ______Was the Cardholder credited?: No Yes Date:______Amount:______Due to Chargeback? Write-off? Reason Chargeback or Compliance rights do not apply: ______

Complaint Submitted by:

Contact Name: ______Member Name: ______Title: ______Mailing Address: ______Telephone Number: ______Fax: ______Email Address: ______Date:______

Please complete the form and then either; email a scanned copy to the customer support email address: [email protected]; or post it to: Customer Support, Visa, P.O. Box 39662, London W2 6WH, United Kingdom. Consumer Dispute Complaint Form

The Consumer Dispute Complaint Form is to be used by Members to report to Visa any Merchant or Cardholder complaints (domestic or international) concerning consumer protection issues that are of concern to the Member and are not addressed by existing Chargeback or Compliance rights. Visa maintains a centralized database of these complaints that includes specific information concerning the parties involved and the nature of the complaints. It is used to determine the nature and extent of problems, and also to aid Visa in the evaluation of rule enhancements and the identification of abusive practices, specific problem Merchants or Cardholders, and other patterns of concern.

The use of this form is optional. It may be submitted at any time the Member deems appropriate. Visa will investigate complaints when appropriate and reserves the right to intervene at its discretion; however, submission of the form is not intended to be a replacement for Member customer service. Under no circumstances is this form to be provided to a Cardholder, a Merchant, or any other third party. Each form must be completed and submitted by the Member receiving the complaint. This form must not be used in situations where Chargeback, Arbitration, Compliance, or Resolution Rights are available to the Member

While the majority of complaints are self-explanatory, the following examples clarify certain categories.

01 Merchandise/Service Not as Described/Expected or Not Received The merchandise or service the Cardholder purchased or contracted for was not as described, not as expected, or not received (for complaints that do not meet existing Chargeback conditions for Chargeback reason codes 30, 53, or 90). 02 Defective Merchandise Merchandise purchased was defective (for complaints that do not meet existing Chargeback conditions for Chargeback reason code 56). 03 No Credit for Returned Merchandise Merchandise was returned by post to the Merchant or returned in person to the Merchant location, and no credit was provided (for complaints that do not meet existing Chargeback conditions for Chargeback reason code 85). 04 Merchant Procedure The Cardholder objects to a questionable Merchant procedure as a condition of sale. Examples include requiring the Cardholder to sign a blank, imprinted Transaction Receipt or depositing a Transaction Receipt that was to be held only as security until the return of rental equipment. 06 Retail Transaction Processed as Cash Disbursement A retail Transaction was processed as a Cash Disbursement, thus subjecting the Cardholder to additional fees and restricting Chargeback rights. Cardholder has evidence of the retail Transaction (for complaints that are not covered by Chargeback reason code 80). 07 Airline, Car Rental, or Hotel Dispute This category is to be used for any Airline, car rental, or Hotel dispute that is not covered in existing Chargeback or Compliance rights. 08 VAT Refund/Other Customs Dispute The Cardholder travelled internationally and did not receive the VAT/TVA refund he believes is due. (VAT is a Value-Added Tax which may be refunded to foreign customers under certain conditions.) Any other customs-related dispute must be clearly explained. 10 Cancelled Transaction The Transaction was cancelled in process. The Cardholder never took possession of the merchandise or received any services. 14 Alleged Fraudulent MO/TO Solicitation Scheme The Cardholder was the victim of a fraudulent telephone or direct mail contest or lottery scheme. For example, the Cardholder may have been coerced into providing his Account Number as “identification” to claim a “prize” and later was charged for merchandise which was not ordered (and may or may not have been received), or the Cardholder was guaranteed to win a certain amount by purchasing lottery tickets either by telephone or mail. 99 Other The Cardholder complaint is not addressed in any individual category, but the Member feels Visa should be informed. A detailed description of the complaint must be provided by the submitting Member. This category may be used for any Merchant complaints.

Please complete the form and then either; email a scanned copy to the customer support email address: [email protected]; or post it to: Customer Support, Visa, P.O. Box 39662, London W2 6WH, United Kingdom. Consumer Dispute Complaint Form

Members should complete this form for consumer protection-related disputes that do not meet the criteria of any existing Chargeback or Compliance right. Visa will maintain a record of all complaints received. For the complaint to be included in the database, supporting documentation is required. This form and any applicable documentation must be completed in English (or an English translation must be provided). This form must be completed by a Member and must not be given to a Cardholder, a Merchant, or any third party. Members must submit this form to Visa.

INSTRUCTIONS: Please type or print in upper-case letters.

Member Record Number: ______Region Record Number: ______Issuer Name: ______BIN: ______Country: Acquirer Name: ______BIN: ______Country: Cardholder Name: ______Account Number: ______Cardholder City: ______Cardholder Country: ______Acquirer Reference Number: ______Amount in dispute (in Transaction Currency): ______Merchant Name: ______Merchant Address: ______Merchant Location (city): ______Merchant Category Code Used: ______Postal Code: ______Correct Merchant Category Code ______

Check the description of the complaint most applicable, provide a brief explanation, and attach any documentation.

01 Merchandise/Service Not as Described/Expected or  09 Altered Draft/Overcharge Not Received 10 Cancelled Transaction 02 Defective Merchandise 11 Multiple Imprinting of Drafts 03 No Credit for Returned Merchandise 12 Quality of Merchandise or Service (T&E Only) 04 Questionable Merchant Procedure 13 Quality of Merchandise or Service (All Other Merchants) 05 Merchant Refund/Return Policy 14 Alleged Fraudulent MO/TO Solicitation Scheme 06 Retail Transaction Processed as Cash Disbursement 15 Alleged Merchant Extortion/Intimidation 07 Airline, Car Rental or Hotel Dispute 99 Other (provide detailed explanation) 08 VAT Refund/Other Customs Dispute

Explanation: ______Transaction Date: ______Date of Cardholder Complaint: ______Was a Chargeback processed for this Transaction: No Yes Which Chargeback: ______Date: Was a Chargeback represented?: No Yes ______Date: ______Was the Cardholder credited?: No Yes Date:______Amount:______Due to Chargeback? Write-off? Reason Chargeback or Compliance rights do not apply: ______Contact Name: ______Member Name: ______Title: ______Mailing Address: ______Telephone Number: ______Fax: ______Email Address: ______Date:______

Please complete the form and then either; email a scanned copy to the customer support email address: [email protected]; or post it to: Customer Support, Visa, P.O. Box 39662, London W2 6WH, United Kingdom. V PAY Operating Regulations - Comment Form

It is the intention of the Visa Operating Regulations development staff to make our publications easy to use and understand. Please use this form to forward any suggestions you may have for improving this document. All input is welcome.

Member Information

Principal Member Business ID: ______Billable BIN: ______

Member Name: ______Telephone: ______

Contact Name: ______

Legal Address: ______

Address Line 2: ______

Address Line 3: ______

Comments

Please complete the form and then either; email a scanned copy to the customer support email address: [email protected]; or post it to: Customer Support, Visa, P.O. Box 39662, London W2 6WH, United Kingdom.