Security Center

1. General security awareness

a) Verify your customer (different type of payments)

  • The most important thing is to have the client in front of you, to ensure the smooth processing of a secure card-present transaction.

  • Chip & PIN provides added security when used at the SumUp chip-enabled terminal. Magnetic stripe cards present a certain level of risk, as magnetic stripe fraud is one of the top financial crimes. You can swipe the card only if it doesn’t have a chip: first you need to insert the card, then the terminal will advise you to read the magnetic stripe (i.e. to swipe the card).

  • With Chip & Signature payments, the merchant is responsible for checking the legitimacy of the signature. Always validate the payment with a signature (if the signature is missing or unacceptable, the official representation of the information request/chargeback won’t be acknowledged by the issuer). Never sign the screen on behalf of the customer.

b) Know your customer (checks to be done)

  • Make sure the credit card is not damaged. Hold on to the card during the payment transaction; this will allow you to examine it.

  • Make sure that the credit card belongs to the client.

  • Validate the payment with the client’s real signature. In certain cases the customer will be asked to sign on the screen of your smartphone/tablet instead of entering the PIN. It’s not possible to choose between PIN and signature; the card itself determines which authorisation type is preferred. Compare the signature to the one on the back of the card. Check additional identification if necessary. If the card is unsigned, request a photo ID that has a signature, and have the cardholder sign the card. In the best case scenario, request the payment to be performed with another card. Never sign the screen on behalf of the customer.

  • For high-amount transactions (e.g. £1,000 / €1,000 and more), make sure to request a photo ID to check that the card belongs to the client.

  • If the customer wants to make a payment with a company / corporation credit card, please request that a copy of the receipt be sent to the company's accounting department.

c) Inform your customer (communicate)

  • To make sure your customer can identify the charge on their bank statement, it’s advisable to inform your customer in advance that SumUp will appear on the bank statement as the bank account owner, but your business name will be shown in the reference (for credit cards: SUMUP* business name, for debit cards: business name transaction ID).

  • Clearly communicate to the client that in case of a problem, it is required that they try to solve the issue with the merchant first.

  • Always send the SumUp receipt via SMS/email: SumUp offers the function to send a receipt to your cardholder by email or text message (or to connect a compatible receipt printer), and we recommend using it. Besides this option, you can also create a standard handwritten receipt. By doing so you ensure that your customer has a reminder/proof of the payment in case they have difficulty identifying the charge on their bank statement.

d) Best Practices

  • Match Billing and Shipping addresses - if you are shipping an item, check whether the billing and shipping addresses match. If they don’t match, ask your customer why. Their answer should make practical sense. If it doesn’t, do not accept the payment. If you have any questions about accepting a payment, always feel free to contact us.

  • Delivery Confirmation - If you are shipping a product, make sure to keep the tracking information and a delivery receipt. For large orders, require a signature confirmation at delivery.

  • Avoid duplicate payments: When using SumUp to transact, you will receive live confirmation as to whether or not the payment was successful. This is signaled by a green tick, at which point you can provide the customer with a receipt. If it wasn’t successful, you will see a red cross or a red exclamation mark. Additionally you can always check the sales history in the app (iOS: see ‘account’ on the upper left, Android: see the menu symbol of three lines on the upper left in the app) and on our dashboard on sumup.me. The status of the transaction in the sales history matches the status in our database, so you can be sure that this is the final state.

  • If you wish to refund a customer for a payment, always issue the refund directly back to the payment card. If you must provide a refund via cash, check, or money order, make sure to obtain a signed agreement that your customer received the refund.

  • Enter the full amount of the sale — do not break the sale into several smaller amounts. Please be aware that it’s not allowed to split one amount into several transactions to avoid security limits of your customer’s card, because this is against the terms and conditions of our banking partners.

2. How to take secure payments

The aim here is to guide you on how to take secure payments and minimize the risk of reversals and chargebacks (see “What is a chargeback?” in section 3) caused by mistake, by the client not recognising the payment on their bank statement, or by fraud. Although chargebacks cannot always be completely avoided, there are steps you can take to help prevent them. The more you know about processing procedures, the less likely you are to do, or fail to do, something that could result in a chargeback.

Security Tips:

  • Please make sure that the business name you entered during registration is known to your customers, because this name will appear on the bank statement of your clients. If you would like to change the business name, please contact our Support Team.

  • Respond promptly to retrieval requests (see “What is a retrieval request?” in section 3). Both customers and card issuing banks may request copies of sales and credit drafts.

  • If the credit card is declined when swiped through the terminal, do not continue to try. Instead you should request a new form of payment from the cardholder.

  • If the PIN code is entered incorrectly twice during the transaction, please ask the customer to pay with another card.

  • If the customer wants to make a payment with a company / corporation credit card, please request that a copy of the receipt be sent to the company's accounting department.

  • Enter the full amount of the sale — do not break the sale into several smaller amounts. Please be aware that it’s not allowed to split one amount into several transactions to avoid security limits of your customer’s card, because this is against the terms and conditions of our banking partners. Our security system possesses measures to detect split transactions.

  • Avoid duplicate payments: When using SumUp to transact, you will receive live confirmation as to whether or not the payment was successful. This is signaled by a green tick, at which point you can provide the customer with a receipt. If it wasn’t successful, you will see a red cross or a red exclamation mark. Additionally you can always check the sales history in the app (iOS: see ‘account’ on the upper left, Android: see the menu symbol of three lines on the upper left in the app) and on our personal dashboard on sumup.me. The status of the transaction in the sales history matches the status in our database, so you can be sure that this is the final state.

  • Self-financing: Please be aware that self-financing is prohibited based on the terms and conditions of our banking partners. Our security system possesses measures to detect signs of self-financing. Such transactions are due to be refunded.

  • Send a receipt: SumUp offers the function to send a receipt to your cardholder by email or text message (or to connect a compatible receipt printer), and we recommend using it. Besides this option, you can also create a standard handwritten receipt. By doing so you ensure that your customer has a reminder/proof of the payment in case they have difficulty identifying the charge on their bank statement.

3. Chargebacks, retrieval request & fraud report notifications

a) Retrieval Request

What is a retrieval request?

A retrieval request occurs when your customer or customer’s bank requests more information about a transaction that appears on his or her credit card statement.

Are any funds deducted from my bank account as a result of a retrieval request?

No, a retrieval request is just a request for information. You will not be charged for the amount of the transaction belonging to the retrieval request. Failure to provide us with the requested details and documents on the transaction may result in a chargeback.

b) Chargebacks

What is a chargeback?

When a credit card transaction is disputed (either at the request of the Cardholder or by the Cardholder's bank), you may receive a chargeback. If a chargeback occurs, you will be charged for the amount of the transaction. We also actively support you in disputing the chargeback and so in recovering the amount from the cardholder's bank.

What are some of the reasons for chargebacks?

Some of the reasons for chargebacks may include:

  • Merchandise is damaged in transit and arrives broken

  • A cardholder returns the merchandise but has not received a refund

  • A cardholder disputes a transaction as a fraudulent use of their card

  • A cardholder didn’t recognize the charge on the bank statement

  • Cardholder disputes the quality or receipt of merchandise

  • The amount charged to the card was incorrect

  • Processing errors were made during the transaction

  • Merchant did not fulfill a retrieval request

c) Fraud report

What is a fraud report notification?

A fraud report occurs when your customer’s bank notifies us that the card used for the payment has been reported by the customer as fraudulently used, lost, stolen or counterfeit. At that point in time you will not be charged, but it is highly likely that a chargeback with a fraud reason will follow.

4. Chargeback, retrieval request & fraud report management

a) Retrieval Request

What should I do if I receive a retrieval request?

You will be duly notified of the retrieval request (see “What is a retrieval request?” in section 3) and you will be asked to provide us with all relevant information and documents on the purchase, to be forwarded to the client’s bank (see section 5, Official documents, for the requirements for the requested documents). The best practice is to contact the client to solve the issue and ask him/her to call the bank to stop any potential chargeback.

b) Chargeback Request

What should I do if I receive a chargeback?

If you receive a chargeback (see “What is a chargeback?” in section 3), read our chargeback email carefully and see if you are able to provide the requested information.

How do I manage chargebacks?

If a buyer contacts you with a complaint about a purchase, work with that buyer to resolve the dispute. If you can't resolve the dispute to your mutual satisfaction, instruct the buyer how to return the merchandise. Once the merchandise has been returned to you, issue a refund to the same credit card used to make the purchase. Don't accept numbers and information that don't match, and use common sense to assess the risk. Make sure to keep us informed, as our experience might help to resolve the issue. To avoid chargebacks with the reason ‘Transaction not recognized’, make sure that the business name registered with us is easily recognizable. To avoid fraudulent payments, make sure to follow the security guidance. In case the product was shipped: to ensure safe receipt of merchandise, use a form of shipping that provides proof of delivery. For higher ticket items, require a signature for delivery.

How does a chargeback take place?

A chargeback begins when a buyer contacts their card issuer to dispute a transaction. The chargeback is passed through the applicable payment network to the merchant. Your SumUp account will be charged at the time the chargeback is received. A fee of £/€10 will be additionally applied to cover the expenses incurred from the chargeback. Please be aware that this fee will be charged by the payments provider and is not caused by SumUp. The chargeback includes a "respond by" date. Since the payment networks only allow a limited amount of time to respond to a chargeback (and dispute it), it is critical that any response to the email we send you be provided by this date, within the requested timeframe. We actively support you in disputing the chargeback and so in recovering the amount from the cardholder's bank.

How can I learn about chargebacks in more detail?

Review our 'How to take secure payments' — A quick Guide for helpful hints for preventing chargebacks.

c) Fraud Report

What should I do if I receive a fraud report?

You will be duly notified of the fraud report (see “What is a fraud report notification?” in section 3) and you will be provided with further instructions. The best practice is to contact the client to solve the issue and ask him/her to call the bank to stop any potential chargeback.

5. Official documents

We are obliged by our payments providers to check the legitimacy of the transactions. We might be required to collect additional information from you to verify the payment.

Detailed invoice, issued on a company form:

  • to include not only the business name, but also to mention SumUp as payment provider

  • to be issued in the credit card holder’s name

  • the amount and the date of the payment to match

  • to be signed by the credit card holder

  • to contain the client's address and a valid mobile number or email address (in case we need to contact him).

6. High roller merchant questionnaire

If you intend to use SumUp to process higher value payments (i.e. more than $5,000), please take a moment to reply to the questions below and forward the information to our Support Team.

  • What is your business model? (a short description)

  • Is there a delay between the payment and the service?

  • How exactly do you intend to use SumUp?

  • Where will the reader be located?

  • What is the expected maximum transaction value?

  • What is the expected monthly value?

  • Do you have any other credit card payment processor? Which one?

  • What is the reason to choose SumUp?

  • Have you experienced chargebacks and reversals?

7. Glossary

BIN (Bank Identification Number)

The 6-digit range of numbers assigned by the Federal Bureau of Standards and used by card companies to identify their financial transactions. The AmEx range begins with '3' (3xxxxx), the MasterCard® range begins with '5' (5xxxxx), and the VISA® range begins with '4' (4xxxxx).

Card present transactions

Transactions in which the cardholder and the card are at the point of sale. This type of payment works with our terminal.

Cardholder

A person or entity that is issued a credit or debit account that is accessed through the use of a card (= client, who owns the credit card)

Chargeback

When a credit card transaction is disputed (either at the request of the Cardholder or by a card Issuer), the dispute is handled through a chargeback. A chargeback will cause the amount of the original sale and a chargeback fee to be deducted from your outstanding balance. See sections 3 and 4 for more information about chargebacks.

Chargeback objection

As soon as SumUp receives the information about a chargeback from one of your customers, you will be informed immediately by email. Within a certain timeframe we have the possibility to prepare an objection to this chargeback to regain the funds. To be able to do this, we depend on your information and documents for this transaction (as we advise in our email). We actively support you in disputing the chargeback and so in recovering the amount from the cardholder's bank.

Chargeback reversal

If the cardholder’s issuing bank confirms our provided information and documents to be sufficient, the status of the chargeback will be reversed and you will regain the funds of the transaction.

Chip

Many cards have a chip that communicates the registered information to our PIN+ terminal. If a chip is available on the card (and this is the case for all European cards, for example), it’s always preferred to process the transaction by reading the chip instead of the magnetic stripe.

Fraud report

If the cardholder claims that he didn’t authorise the transaction, he can hand in a fraud report to his bank. See sections 3 and 4 for more information about fraud reports.

Invoice

It’s an official document that confirms a transaction between a buyer and a seller. Normally it includes the quantity, name and price of goods/services, date, payment type, invoice number, tax information and merchant & customer name as well as contact details. See section 5, Official documents, for detailed information about an invoice.

Issuer

The issuer is the bank of the cardholder, i.e. of your customer.

Magnetic stripe reading

When the credit card is swiped through the terminal to record the card information. Obtaining a magnetic stripe reading proves the card's presence at the time of a transaction.

Chip + PIN

When the credit card is inserted in the terminal to record the card information. Depending on the exact authentication method required, the payment could be verified with a PIN or with a signature.

Receipt

It’s a proof of payment for the cardholder, issued by the merchant. It contains the quantity, name and price of goods/services, date, payment type, tax information, name & contact details of the merchant, but usually no information about the cardholder. Hence, an invoice is more detailed and is preferred as a proof of payment.

Retrieval Request

A retrieval request occurs when your customer requests more information about a transaction that appears on his or her credit card statement. See sections 3 and 4 for additional information about retrieval requests.

Transaction

An act between a Seller and a Cardholder that results in either a paper or an electronic representation of the Cardholder's promise to pay for goods or services received from the act, i.e. the payment done by card for a purchase/service by the merchant.

Unauthorized Transaction

Any sale for which a Cardholder does not provide his/her specific authorization. (This should not be confused with the failure to receive an authorization response from the Issuer.)