Merchants: operating guides, brochures

The following documents provide information that assists you with the operation of your merchant facility. These can be printed for your reference.

Terms and Conditions

Notice to Bank of Melbourne Merchant Customers

Effective 10 November 2023, important changes will be made to your Direct Debit Request Service Agreement (DDRSA). A summary of these changes is below.

DDRSA

From 10 November 2023, the DDRSA will be available in a standalone document online at Direct Debit Request Service Agreement . Your DDRSA is currently located at section 42 of the EFTPOS Merchant Agreement Terms and Conditions and will be removed on the next release date on 08 December 2023.

Section	What has changed
2. Amendments by us	Amended subsection 2.1 by increasing the notice period we give to you about variations from 14 to 30 days.
3. How to cancel or change direct debits	Clarified how you may: cancel or suspend the Direct Debit Request; or change, stop or defer an individual debit payment.
4. Your obligations	Inserted an obligation on you to notify us as soon as possible if you need to change your account. Removed our right to charge reasonable costs when there are insufficient funds in your account. However, your financial institution (which may also be Bank of Melbourne), may charge you amounts under the terms that govern your account.
5. Dispute	Updated subsection 5.4 detailing how to make a complaint.
6. Accounts	Removed statements about your duty to advise us if your nominated account is transferred, closed or details are changed and to arrange a suitable payment method. You still owe these obligations to us as stated in section 9 of the EFTPOS Merchant Agreement Terms and Conditions. Removed the requirement for all authorised signatories on your account to sign the Direct Debit Request.
8. Contacting each other	Updated our contact details in subsection 8.1. Inserted subsection 8.3, deeming any notice from us to have been received by you on the second banking day after sending.

Effective 08 December 2023 changes will be made to the documents which form part of your Agreement with us. A summary of these changes is listed below.

EFTPOS Merchant Agreement Terms and Conditions (Terms and Conditions)

Section	What has changed
Section 2 Definitions and interpretation	Removed the definitions of the PCI PA-DSS, PA-QSA and SSL as they are no longer part of, or relevant to compliance with the updated PCI DSS. References to the PCI PA-DSS, PA-QSA and SSL have been removed from other sections throughout the Terms and Conditions as they are no longer relevant.
Section 9 Your Account	Inserted additional context about when we may set up a ledger account in your name and included the recovery of debts as a reason for establishing a ledger account in your name. It now states: "In instances such as insufficient funds in your Account, we may establish an account in your name for the purpose of exercising our rights, like retaining funds for processing Transactions, Chargebacks, and recovering debts.”
Section 15 eCommerce Merchants	Inserted a right for us to review, monitor and audit pages of your Website without requesting access and to allow Third Parties to assist us. It now states: “You must provide us and our Third Parties with reasonable access to view, monitor and audit the pages of your Website (where that Website accepts Card payments).” Clarified that you are responsible for ensuring that your Website is secure as required by the PCI DSS (which continues to include encryption). It now states: “You are responsible for: b) ensuring that your Website is secure as required by the PCI DSS during the exchange of Card Information between your Website and your Payment Gateway; and”
Section 24 Fraud prevention	PCI DSS Validation Amended subparagraph a) to require you to be aware of whether you are a level 1, 2 or 3 merchant under the PCI DSS and created an ongoing obligation on you to validate your compliance with the PCI DSS, including providing documents to us when requested. Account Data Compromise (ADC) Events Amended the first paragraph for clarity.
Section 42 Your Direct Debit Request Service Agreement	Removed this section 42 and replaced it with a standalone document called “Direct Debit Request Service Agreement”. A current version is available online at Direct Debit Request Service Agreement from 10 November 2023 and contains the following changes from section 42. Amended subsection 2.1 by increasing the notice period we give to you about variations from 14 to 30 days. Amended section 3 “How to cancel or change direct debits” to clarify how you may: cancel or suspend the Direct Debit Request; or change, stop or defer an individual debit payment. Updated section 4 “Your obligations” by: inserting an obligation on you to notify us as soon as possible if you need to change your account; and removing our right to charge reasonable costs when there are insufficient funds in your account. However, your financial institution (which may also be Bank of Melbourne), may charge you amounts under the terms that govern your account. Updated subsection 5.4 detailing how to make a complaint. Amended section 6 “Accounts” by: removing statements about your duty to advise us if your nominated account is transferred, closed or details are changed and to arrange a suitable payment method. You still owe these obligations to us as stated in section 9 of the Terms and Conditions; and removing the requirement for all authorised signatories on your account to sign the Direct Debit Request. Amended subsection 8 “Contacting each other” by: updating our contact details in subsection 8.1; and inserting subsection 8.3, deeming any notice from us to have been received by you on the second banking day after sending.

Protecting your business against credit card fraud

Section	What has changed
Safety for Online Merchants	Amended the footnote to clarify that 3D Secure is a service available through card schemes when enabled on the Payment Gateway.

Your guide to the Payment Card Industry Data Security Standard (PCI DSS)

From time to time the PCI Security Standards Council will release a new version of the PCI Standard. As of the 31st of March 2024, PCI validation under version 3.2.1 will be retired and superseded by version 4.0. The purpose of the new version is to allow merchants more flexibility in the methodologies used to secure card data within their system and networks focused on an “outcome based” approach. Version 4.0 has enhanced its clarification on requirements, revised the format and includes new requirements to meet the evolving threat landscape. The changes to the 12 core requirements, Self Assessment Questionnaire (SAQ) descriptions and the addition of a new SAQ category “SPoC” reflect these improvements.

For a full list of changes please refer to the “Summary of Changes from PCI DSS Version 3.2.1 to 4.0” found on the PCI Security Standards Councils website.

Section	What has changed
What are the 12 key requirements of PCI DSS?	The 12 key requirements of the PCI DSS have been updated to reflect the updated PCI DSS dated March 2022, version 4. Updated requirement 1 to reflect the focus on “network security controls.” Replaced “firewalls” and “routers” with “network security controls” to support a broader range of technologies used to meet the security objectives traditionally met by firewalls. Updated requirement 2 to reflect that the focus is on secure configurations in general, and not just on vendor-supplied defaults. Updated requirement 3 to reflect the focus on account data, a broader concept than cardholder data. Updated requirement 4 to reflect the focus on “strong cryptography” to protect transmissions of cardholder data. Updated requirement 5 to reflect the focus on protecting all systems and networks from malicious software. Updated requirement 6 to include “software” rather than “applications.” Updated requirement 7 to include system components and cardholder data. Updated requirement 10 to reflect a focus on audit logs, system components, and cardholder data. Updated requirement 12 to reflect that the focus is on organisational policies and programs that support information security.
What is the Self-Assessment Questionnaire (SAQ)?	The descriptions of existing SAQ types have been updated to mirror amendments made to the SAQ types in the “Self-Assessment Questionnaire instructions and Guidelines”, version 4 that supports the PCI DSS. Updated SAQ A to replace “cardholder data” with “account data” to reflect the focus on account data, a broader concept than cardholder data. Replace “compliant third-party service provider” with “validated and compliant third parties” to indicate verification due diligence. This SAQ type is not applicable to service providers. Updated SAQ A-EP to include eCommerce merchants “that partially outsource” payment processing to PCI DSS “validated and compliant third parties”. It applies to merchants whose website(s) can impact the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. This SAQ type is not applicable to service providers. Updated SAQ B to state that it is not applicable to service providers. Updated SAQ B-IP to replace “PIN Transaction Security (PTS)-approved payment terminals” with “PCI-listed approved PIN Transaction Security (PTS) point-of-interaction (POI) devices” for updated terminology. This SAQ type is not applicable to service providers. Updated SAQ C-VT to replace “cardholder data” with “account data” to reflect the focus on account data, a broader concept than cardholder data. Qualified that payment account data is entered with “an isolated computing device and a securely connected web browser”. This SAQ type is not applicable to service providers. Updated SAQ C to state that it is not applicable to service providers. Updated SAQ P2PE to insert the requirement that the merchant has “no access to clear-text account data”. This SAQ type is not applicable to service providers. Updated SAQ D to state that it is not applicable to service providers. A new SAQ type called “SPoC” has been introduced for merchants using off-the-shelf mobile devices with a secure card reader.
What are the requirements for Payment Applications?	This section has been removed as the PCI DSS has removed the Payment Application Data Security Standards (PA-DSS) and it is no longer applicable.

Your guide to merchant fees and charges

Section	What has changed
Merchant Flat Rate Pricing	Under the heading “Additional and Ongoing fees”, we have inserted a new fee called the “Chargeback Fee” of $30.00 per chargeback (eCommerce merchants only, excluding PayWay). The heading “EFTPOS Accessories” has been renamed to “EFTPOS Terminal Accessories”.
Simple Pricing Plan¹	The heading “Simple Pricing Plan^1”has been amended by adding “- No longer for sale from 8 December 2023.” The heading “Additional and ongoing fees”, has been updated to read “- Additional and ongoing fees for Simple Pricing Plan.^1”. The heading “EFTPOS Accessories” has been renamed to EFTPOS Terminal Accessories”.
Our fees explained	Amended the heading “Simple Pricing Plan” to “Plan Fee.”