Safely accept recurring card payments.

What is a recurring payment facility?

If you have an ongoing relationship with your customers and would like to regularly bill them for goods or services (e.g. a weekly gym membership), you can apply for a recurring facility.

How does a recurring payment facility work?

Your customers authorise your business to charge their account automatically at regular intervals so that you can provide the goods and services to them on an ongoing basis. You’ll need to check whether your payment gateway offers a recurring facility, your business will need to meet our qualifying criteria and you'll need to choose how you want to set it up.

If you deal with your customers over the phone, you'll need a recurring facility with an online MOTO facility, or if you want the ability to sign up your customers online you'll need an e-commerce recurring facility.

Tips to help keep your payment facility secure.

Take the following steps to help protect your payment facility and reduce the risk of an account data compromise.

What to do	When to do it	Who is responsible?
Ensure your facility and service provider are PCI DSS compliant. You can check any provider's compliance status by asking for their Certificate of Compliance (COC). This will provide the validation date and expiry date of their PCI DSS compliance	At set up, and annually thereafter	Merchant / Service provider
Change default password to system, application and devices	At set up	Merchant
Create a unique user ID and password for each staff member that has access to your system	At set up	Merchant
Ensure controls are in place to identify who has accessed your payment system and create a plan for when you detect unauthorised access	At set up, and annually thereafter	Merchant
Establish a complex password policy*. If a user has attempted to log in unsuccessfully more than six times, lock their account and reset password after 30 minutes. This will give you time to investigate whether they are an authorised user	Passwords should be changed every 90 days	Merchant
Only allow authorised staff to process payments	Daily.	Merchant.
Don't store any card information such as the cardholder PIN or card verification code (three digits on the back of the card)	Daily.	Merchant.
Conduct staff background check	At the start of employment.	Merchant.
Establish staff security awareness training	At the start of employment, and annually thereafter.	Merchant.
Develop an Incident Response Plan	Annually.	Merchant.

*For example passwords must be seven characters in length and contain a capital and lower-case letter, number and symbol.

Tips to help prevent card fraud & payment disputes (chargebacks).

MOTO (Mail or Telephone Order)

Make sure you have consent from the cardholder before the transaction is processed.
Only accept card information over the phone (not by email or any other channel) and process transactions immediately while the customer is on the phone.

Online

Enable 3D Secure. This is a way to combat fraudulent transactions by verifying your cardholder. Contact your payment gateway provider to set this up.
Talk to your payment gateway provider about tokenisation. This replaces card details with a randomly created, custom alphanumeric ID that means you don’t have to capture sensitive information, keep it in internal databases or transmit it through your systems. Your payment gateway provider will need to set this up.

Learn more about chargebacks here.

What's the difference between an account data compromise (ADC) and card fraud?

An ADC is when an unauthorised person gains access to your business or payment environment to steal valuable information (like card payment data) with the intention to commit fraud.

Card fraud is when stolen card payment data is used to make a fraudulent transaction.

Get in touch.

New customers

Call the Westpac Merchant Onboarding team on 0800 888 066 (option 1), weekdays between 8:30am to 5pm, or email merchant_onboarding@westpac.co.nz

Existing customers

Contact your Westpac Relationship Manager, or contact our Merchant Assist team on 0800 888 066 (option 2), weekdays between 8.30am to 5pm, or email merchant_assist@westpac.co.nz

0800 888 066

Option 1. New or additional merchant facilities, or to change ownership of an existing facility.
Option 2. General enquiries on your existing merchant facility including suspicious transactions.
Option 3. Westpac Get Paid on-the-go or Westpac Get Paid in-store technical support.
Option 4. Westpac Get Paid online technical support.
Option 5. Terminal faults that aren't related to Westpac Get Paid.

Read our REDNews article on the risks of MOTO transactions Read our REDNews article on protecting your payments Read our REDNews article on BIN attacks

Ways of accepting payments.

Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.

Links to other sites are provided for convenience only and Westpac accepts no responsibility for the availability or content of such websites.