Payment cards issued by Visa and Mastercard are accepted. Currently, Landsbankinn does not offer acquiring services for other brands. Cards issued by other parties will be rejected unless the merchant has an agreement with another acquiring service provider on such cards.

The following rules apply for all advertising that mentions payment by card:

• The card companies’ logos (Visa and Mastercard) are registered trademarks and their use shall be governed by the relevant trademark rules, and never in a way that can damage the card companies’ public image.
• The card companies’ logos may not be used for other purposes than to advertise the acceptance of such cards by the merchant.
• Merchants are obligated to display the logos or indicate the card types they accept in another prominent manner. Landsbankinn provides the merchants with the logos. Merchants shall not use other versions of card logos than those provided by the Bank.
• Merchants are not obligated to accept all cards issued by the accepted card companies. A merchant exercising their right to reject certain types of cards issued by the accepted card companies is obligated to indicate it clearly during the transaction that certain card types are not accepted, for example if the merchant does not accept company cards. The merchant must never discriminate against card holders on the basis of nationality, gender, age, skin colour or other such factors.

Landsbankinn must be notified immediately of any changes to the merchant’s operations, for example changes in ownership, legal representative, address, bank account or significant changes in the business, such as the products or services offered, in such a way that the business has essentially switched to another field of operation than designated on the merchant’s application for acquiring services. The Bank must also be notified if merchants have become insolvent, or if it is likely that they will be unable to meet their financial obligations. By informing the Bank of such changes, the merchant ensures the safety of transactions, that transactions are linked to correct information and the fulfilment of obligations regarding customer checks and due diligence.

A contract for acquiring services authorises the merchant to accept certain types of payment cards (as stated in the contract) as payment for products and services. The merchant is encouraged to study the contract’s terms and conditions. Situations can arise where the merchant is not authorised to accept cards, as described below. Please note that the list is not exhaustive.

Merchants may not:

• Use payment cards issued in the name of the merchant, or any party connected to the merchant, to create sales and turnover or to extract funds from the business.
• Accept payment on behalf of third parties.
• Grant external parties access to payment acceptance devices.
• Accept payments or perform transactions that do not originate directly from a transaction between the merchant and cardholder.
• Reimburse the cardholder unless the acquiring services account has sufficient balance.
• Divide a sale into two or more separate payments on the same card or on different cards to avoid having to request authorisation for the total amount.
• Use payment acceptance devices or other equipment or information related to card transactions for other purposes than to accept payments for products or services, or for other operations than those disclosed to the Bank.

Transaction receipts and other transaction-related data, such as refunds, order confirmations and proof of delivery, are to be securely retained for up to 18 months. The merchant should be able to present this information if the cardholder requests a chargeback and the merchant must prove that the product or service has been delivered. Deletion of data at the end of the retention period must be done in a secure manner.

The merchant may not retain card details, magnetic strip details, CVV/CVC numbers or card microchip details (known as sensitive authentication data - SAD). It is strictly forbidden to save unprotected transaction information, apart from the cardholder’s name, card number (masked) and expiration date after payment has been authorised. All retention of card details must comply with the highest safety standards, as per PCI-DSS.

The merchant shall:

• Retain all data containing card details or account numbers in encoded form, if possible. Store retained data, both on paper and electronic form, in a safe place, granting access only to staff members who require access to the data for purposes of their work.
• Erase card details and cardholder details, both before storing data and before deleting it.
• Make sure that payment acceptance devices comply with security standards at all times. It is not authorised to tamper with or modify a payment acceptance device without prior approval from the Bank, as it can affect its security and certification.

Payment acceptance devices that Landsbankinn or their partner provides to the merchant comply with the security requirements of relevant standards.

If the merchant is aware of or suspects unauthorised access to sensitive card holder details, they must inform Landsbankinn immediately.

In the event that a security breach regarding handling of personal data has occurred, the merchant is obligated to make necessary arrangements pursuant to the Act on Data Protection and Processing of Personal Data, including notifying the Icelandic Data Protection Authority of the security incident and, if applicable, informing the cardholder.

Recommendations and best practices in case of a security breach can be found on the websites of Visa and Mastercard.

Landsbankinn’s terms and conditions regarding acquiring (PDF)

General instructions on the use of POS equipment and other payment acceptance devices can be found in information from Verifone, the Bank’s partner.

For card present transactions it is important to:

• Follow the instructions on the payment acceptance device.
• Never look away from the POS device and retrieve it as soon as the cardholder has entered the PIN.
• Avoid letting the cardholder deceive or disturb the staff member during payment.

Look out for unusual purchases, such as in regards to quantity, communication during the purchase or other.

It is important to always make sure that the correct amount is displayed on the payment acceptance device, i.e. the amount the cardholder is paying.

If a payment card with a magnetic strip is used for the payment acceptance device, the cardholder must confirm the transaction with their signature. It is not permitted to accept non-microchip payment cards and/or cards that do not support card holder identification by PIN.

Even though contactless transactions or payment confirmations by chip and PIN are the most common ways to pay by card, it is important to know the main details on the payment card itself.

Contactless payments are the most common, where the cardholder’s payment card or smart device (phone, watch) is held near the payment acceptance device during payment. For payments by a smart device, the cardholder does not need to enter a PIN or confirm a transaction by their signature as the authentication is performed in the device itself.

The cardholder does not require authentication for contactless payments at the point of sale, unless the amount is higher than the authorised limit, or if the maximum number of transactions without authentication has been reached.

When the card microchip is inserted into a card reader to process payment, the transaction shall be performed in the manner designated on the payment acceptance device, usually by entering a PIN. The cardholder may not give out their PIN to others. The payment acceptance devices should be equipped with covers to ensure privacy when the cardholder enters their PIN to confirm a payment.

In cases where a specific keypad connected to the payment acceptance device is used to enter the PIN, it must be ensured that the device itself is always visible to the salesperson.

The card is locked if a wrong PIN is entered three times in a row, meaning that the cardholder needs to contact the issuer of the card to reopen it.

If the payment acceptance device is unable to read the card microchip, the magnetic strip can be used to process payment.

The transaction shall only be confirmed by signature if the payment acceptance device prompts the cardholder to do so or if other methods, such as PIN entry or smart device authentication, are not available. If the magnetic strip is used, it is highly important to review the receipt and compare the card number, expiration date and card type (Visa or MasterCard) to see if anything indicates that the card is fraudulent. If all information seems correct, the cardholder is asked to sign the receipt and the transaction is confirmed.

General instructions on the use of payment acceptance devices for online transactions can be found in information from Verifone, the Bank’s partner.

The following text refers to payments where the cardholder is not present at the point of sale and does not present the payment card for payment, e.g. during online transactions, wire transfers or payments processed via electronic communications networks, such as by web key.

A transaction is considered a MOTO transaction when the merchant enters the cardholder’s card details at the request and according to the instructions of the cardholder. MOTO transactions do not entail authentication or the cardholder’s confirmation of the payment.

The following information is required to perform a MOTO transaction:

• Card number
• Card expiration date
• Card CVV/CVC number. The card CVV/CVC number is a three-digit number located on the back of the payment card.

The merchant is solely responsible for a transaction made without the cardholder’s confirmation/authentication. Is it important for the merchant to preserve all documentation regarding the transaction, such as order confirmations, communication with the cardholder and the cardholder’s confirmation of the receipt of products and services, in order to defend themselves against chargeback claims.

Specific security measures must be observed when the cardholder is not present at the point of sale. Below are some points to consider as they may indicate an attempt at fraud.

• CVV/CVC number and card number do not match.
• The cardholder is a new customer placing many orders or large orders. Known cardholders pose less risk than new cardholders.
• One or more of the cards used for payment are declined and another card immediately used for payment.
• One or more parties place many orders that are paid with a number of different cards, either belonging to the same cardholder or many different cardholders. All orders are to be delivered to the same location.
• Many orders from the same party are paid with many different cards, either belonging to the same cardholder or different cardholders. Be especially careful if more than one card is declined.
• The cardholder requests immediate delivery of the product and does not seem to mind paying for expensive shipping.
• Orders with an unusual point of delivery without a specific explanation.
• The cardholder requests delivery to be made to a third party, e.g. a taxi driver sent by the cardholder to collect a product.
• The cardholder’s email address does not match their name, or the cardholder provides an email address, name or address indicative of irregular or false names.

If suspicions of fraud arise we advise you to take further steps to confirm the cardholder’s identity, such as contacting the provided email address or phone number.

When a product is delivered to an address, we recommend that the cardholder is asked to sign a delivery receipt to prove that the product was delivered to the correct buyer. If the cardholder request that the product be delivered to a post office box or mailbox, it is important to have proof that the product was delivered to a specific location and that the delivery information has been sent to the cardholder.

The merchant is obligated to correct transactions wrongfully made to a card account, such as duplicated charges for the same transaction, transactions made without authorisation requests or charges made for sales that did not go through.

The international card companies and Landsbankinn also keep track of transactions. Landsbankinn corrects false transactions at its own initiative or if instructed to do so by the card companies.

Transactions must also be reversed if the card issuer has voided or cancelled a transaction. Reversals shall be processed within 30 days from the original transaction.

The merchant is not authorised to resubmit a transaction or the part of a transaction that has been reversed.

Refunds are only authorised as reimbursement for products or services originally paid for by card. Generally, a refund shall be processed to the same card account as the one used for the refunded charge.

Refunds may only be carried out in accordance with the acquiring service terms as they are at any given time. Refunds require authorisation requests but the cardholder’s confirmation is not needed. To confirm a refund in a POS devices, the merchant needs to enter their assigned PIN. By entering the PIN, the merchant takes responsibility for the refund towards the acquiring service provider. It is important to keep the PIN safe.

It is not authorised to refund a card payment by cash or process a refund to a payment card if the product or service was originally paid for in cash.

The amount of the refund is charged to the merchant’s acquiring service account. The refund might be declined if the acquiring service account balance is not sufficient for the refunded amount.

Landsbankinn reserves the right to limit or hold refunds temporarily or permanently. Furthermore, Landsbankinn can at any given time request guarantees for merchants’ refunds.

Specific settlements are not required for payment acceptance devices where all authorised payments are automatically settled. The merchant should contact Landsbankinn’s customer service if transactions are not submitted for settlement.

A chargeback can occur if the legitimacy of a transaction is disputed, if a product/service has not been delivered/performed or if a failure occurred during the processing of the payment. The most common reasons for chargebacks are:

• A cardholder has not authorised or does not recall authorising a transaction on their card, the amount is incorrect or the cardholder does not recognise the merchant.
• A card transaction was made even though the cardholder has already cancelled a credit card payment agreement or such agreement has expired.
• The merchant has promised the cardholder a refund for a purchase of a product/service but not done so.
• A product has not been delivered or a service has not been performed.

It is important that the merchant monitor the merchant portal closely to check for chargeback notifications, since response deadlines can be tight.

Chargeback notifications are published in the merchant portal. If the card company policies allow for objections to chargeback claims, the merchant has 7 calendar days to respond and provide the required information to object to the claim. Landsbankinn will advise the merchant regarding required information as applicable at each time.

The main reasons why chargebacks are not objected to are that the chargeback is justified, e.g. if a duplicate transaction took place, a refund has been delayed etc., or that the merchant is unable to provide a defence, for instance if the relevant procedure for the card older’s confirmation was not complied with. Landsbankinn is not responsible for the acceptance of chargeback objections, but instead acts as an intermediary to provide the card companies with information so they can make the final decision regarding the legitimacy of the chargeback claim. The merchant portal has advice and details about information to be submitted in the case and what conditions, if any, it must fulfill.

Examples of information that can be requested for objections to chargeback claims:

• Card number (first 6 and last 4 digits)
• Card expiration date
• Description of the product/service paid for
• Merchant contact information/merchant location (URL)
• Cardholder name and address (for wire transfers and online transactions)
• Billing address for product
• Delivery address for product
• Confirmation number for address
• Confirmation number for CVV/CVC number
• Cardholder phone number and email address
• Proof that the product was delivered to the cardholder
• Credit card payment agreement/confirmation of recurring credit card payment by cardholder

It is important that merchants take preventative action to reduce the risk of chargeback claims. Chargeback claims can harm operations and result in financial damage for merchants, even though they do not occur frequently. Merchants are advised to have procedures for the handling of chargeback claims.

Below you can find some good tips to prevent and defend against chargeback claims.

Delivery of information: It is important to deliver the requested information immediately to the card companies to demonstrate that the cardholder paid by card. If the information is not received within the designated deadline the objection will not be considered and the chargeback will go through.

Merchant’s name on the cardholder’s transaction statement: To avoid chargeback claims due to the cardholder not recognising the merchant’s name on the transaction statement, the merchant’s name on the statement needs to be the same as the name displayed at the point of sale (the name under which the merchant does business). The merchant must make sure that the name under which they do business is registered with Landsbankinn.

The card has expired: If a transaction is performed after the expiration date of a card it may be deemed invalid. Special consideration must be taken for charges where a card is charged when some time has passed since the purchase agreement was made or the card details submitted. In such cases, the merchant must contact the cardholder again to receive new card details. We would also like to inform merchants about Landsbankinn’s card detail updating service for recurring charges, such as regular credit card payments.

Transaction declined: If a transaction is declined, the merchant should not proceed with the sale. The same applies when a cardholder does not confirm a charge during an online transaction using 3D secure.

Duplicated transactions: Care must be taken to avoid submitting the same transaction more than once, since a chargeback might occur in cases of duplicate/repeated transactions for the same charge.

Terms and conditions for product/service returns and refunds: Terms and conditions for returns, exchanges and refunds should be accessible to the cardholder on the merchant’s point of sale or website.

Cardholder refunds: If a cardholder is to receive a refund to their card it is important to perform it immediately to avoid a chargeback claim on the grounds that the refund has not been processed. It is important to refrain from processing a refund without first consulting with Landsbankinn if a chargeback claim is filed on the grounds of a refund for products or services that the merchant intended to perform but had not yet been processed.

Cardholder complaints: It is important to respond swiftly to cardholder complaints and seek to resolve matters immediately to avoid chargeback claims.

Delays in the delivery of a product/service: Notify the cardholder immediately if the delivery of a product or service has been delayed and inform them of the estimated delivery time. This can prevent the cardholder from submitting a chargeback claim on the grounds that a product or service has not been delivered. Ideally, a product should not be charged until it is ready for shipment/delivery.

Product unavailable: If the product or service that the cardholder paid for is not available, the cardholder must be notified and offered a comparable product or a refund.

Product delivery: Payments should not be processed until the product is delivered or shipped to the cardholder. If a payment is processed without product delivery, the odds of a chargeback claim are increased as the cardholder can see the charge on their account without having received the product.

Card company policies pose limits regarding to what extent a merchant can defend themselves against chargebacks. The policies clearly indicate what information is considered relevant for decisions regarding chargebacks, thus posing limits for the defence that are much stricter than in cases decided before courts of law, complaints boards or courts of arbitration.

The main reasons for a chargeback going in favour of the cardholder are:

• The merchant does not respond to the chargeback claim before the deadline
• Adequate confirmation or authentication from the cardholder was not provided
• The merchant does not provide adequate information

If the merchant follows guidelines on authorisation and business transactions, the cardholder’s right to chargeback is greatly limited, and the odds of defence against chargeback claims are increased.

Unauthorised parties can attempt to obtain a product or services by defrauding both the merchant and the cardholder. It is important to stay alert for attempts to use a card for fraudulent purposes, take care while handling all card details and personal data and maintain security measures regarding all equipment and devices used for card payments, both at a service location and for online transactions.

We advise merchants to be attentive to the following items to prevent fraud:

Employees: Merchants must be aware of the risk posed by employee fraud. It is important to know your staff well and manage access details and permissions regarding payment processes and payment acceptance devices carefully, such as PINs for refunds. Clear procedures delimiting employee’s authorisations must be in place, including stipulations that prohibit employees from handling their own charges.

Staff education: Staff education is important so employees can recognise fraud or attempted fraud. The merchant is responsible for supplying information and procedures for responding to suspected fraud.

Access to payment acceptance device: Avoid unauthorised access to payment acceptance devices. The Bank or its partner will not replace a payment acceptance device without consulting with the merchant. Employees replacing such devices must present their credentials, and if there is any doubt as to their identity, Landsbankinn or its partner must be contacted for confirmation. The merchant or other parties are not allowed to modify or tamper with software in payment acceptance devices, such as downloading applications without prior approval and consultation with Landsbankinn and/or the service provider of the payment device.

Issues regarding payment acceptance devices: Requests where the merchant is contacted and asked to authorise payment by sending an authorisation request to a provided phone number should not be accepted. Landsbankinn or its partners will never ask the merchant for card/transaction details via telephone or ask the merchant to test transactions by submitting them in the payment acceptance device.

Fraud at point of sale:

All instructions regarding card payments must be followed. The safest ways to obtain the cardholder’s consent for a transaction are to ask the cardholder to confirm a card payment by PIN or to use contactless payment.

It is important to follow all instructions on the device screen when payment is processed through a payment acceptance device, such as a POS device, at the point of sale.

If the POS device is handed over to the cardholder to finalise payment or enter a PIN, the device should never leave your sight and should be returned as soon as the cardholder has confirmed the transaction, for example by PIN.

Magnetic strips or the manual entering of card numbers in the payment acceptance device should only be used in exceptional cases, such as if the microchip is not working. Do not use the magnetic strip reader when the cardholder has forgotten their PIN.

Suspicion of fraud can arise due to the card older’s conduct when purchasing a product, i.e. if they seem unusually rushed during the transaction, do not look at the product, seem evasive when communicating with service staff or behave unusually in other ways. Special care must be taken during payment in such cases to make sure the transaction is not fraudulent.

Merchants of products with good resale potential, such as electronics and jewellery, must be particularly alert as they can be the targets of fraud.

All directions regarding response and actions must be followed if Landsbankinn or its partner sends a notification that a fraudulent transaction might have taken place.

The payment terms for online stores have special provisions that the merchant must comply with.

The website shall include the following information:

• Card companies’ logos in full resolution. The logos shall be displayed where the merchant designates the accepted payment methods.
  - Visa logos
  - Mastercard logos
• Legal limitations, i.e. limitations, if any, that apply to the transactions.
• A detailed description of the product or services available for purchase in the online store.
• Purchasing terms for products or services, including delivery, returns and refunds. The terms shall be clearly displayed to the cardholder during the payment process so they can accept them, such as by using an “Accept” button, check a field for consent or demonstrably consenting by other means.
• Company information, i.e. name, address, identification number (kennitala), VAT number, email address, phone number etc.
• Information about the currency used for the transaction.
• The delivery time and shipping cost of the product (if applicable).
• The merchant’s privacy policy and information regarding the handling and security of card details.
• Applicable law and legal venue.

We are happy to assist you and answer any questions you might have via faersluhirding@landsbankinn.is.