What is a recurring payment facility?

If you have an ongoing relationship with your customers and would like to regularly bill them for goods or services (e.g. a weekly gym membership), you can apply for a recurring facility.

How does a recurring payment facility work?

Your customers authorise your business to charge their account automatically at regular intervals so that you can provide the goods and services to them on an ongoing basis. Your business will need to meet our qualifying criteria to set up a recurring facility, and you'll need to choose how you want to set it up.

If you deal with your customers over the phone, you'll need a recurring facility with an online MOTO facility. If you want the ability to sign up your customers online, you'll need an e-commerce recurring facility.

Tips to help keep your payment facility secure.

Take the following steps to help protect your payment facility and reduce the risk of an account data compromise.

| What to do | When to do it | Who is responsible? |
| --- | --- | --- |
| Ensure your facility and service provider are PCI DSS compliant. You can check any provider's compliance status by asking for their Certificate of Compliance (COC). This will provide the validation date and expiry date of their PCI DSS compliance. | At set up, and annually thereafter | Merchant / Service provider |
| Only allow authorised staff to process payments. | Daily | Merchant |
| Don't store any card information such as the cardholder PIN or card verification code (3 digits on the back of the card). | Daily | Merchant |
| Ensure controls are in place to identify who has accessed your payment system, and create a plan for when you detect unauthorised access. | At set up, and annually thereafter | Merchant |
| Create a unique user ID and password for each staff member who has access to your system. | At set up | Merchant |
| Establish a complex password policy*. If a user has attempted to log in unsuccessfully more than six times, lock their account and reset password after 30 minutes. This will give you time to investigate whether they are an authorised user. | Passwords should be changed every 90 days | Merchant |
| Change the default passwords on systems, applications and devices. | At set up | Merchant |
| Develop an Incident Response Plan. | Annually | Merchant |
| Establish staff security awareness training. | At the start of employment, and annually thereafter | Merchant |
| Conduct staff background checks. | At the start of employment | Merchant |

*For example, passwords must be seven characters in length and contain a capital and lower-case letter, number and symbol.

Tips to help prevent card fraud & payment disputes (chargebacks).

  • If you have a recurring MOTO facility, only accept card information over the phone (not via email or any other channel) and process transactions immediately while the customer is on the phone. Make sure you have consent from the cardholder before the transaction is processed.
  • If you have a recurring e-commerce facility, enable 3D Secure. This helps combat fraudulent transactions by verifying your cardholder.

What's the difference between an account data compromise (ADC) and card fraud?

An ADC is when an unauthorised person gains access to your business or payment environment to steal valuable information (like card payment data) with the intention to commit fraud. Card fraud is when stolen card payment data is used to make a fraudulent transaction.

Get help.

New customers

Call the Westpac Merchant Onboarding team on 0800 888 066, option 3, weekdays between 8:30am and 5pm.

Existing customers

Contact your Westpac Relationship Manager or Merchant Assist on 0800 888 066, option 4, weekdays between 8:30am and 5pm.

Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.

Links to other sites are provided for convenience only and Westpac accepts no responsibility for the availability or content of such websites.