MERCHANT AGREEMENT

2. Amendments by us

• Amended subsection 2.1 by increasing the notice period we give to you about variations from 14 to 30 days.

• Clarified how you may:
  • cancel or suspend the Direct Debit Request; or
  • change, stop or defer an individual debit payment.

• Inserted an obligation on you to notify us as soon as possible if you need to change your account.
• Removed our right to charge reasonable costs when there are insufficient funds in your account. However, your financial institution (which may also be Westpac), may charge you amounts under the terms that govern your account.

• Updated subsection 5.4 detailing how to make a complaint.

• Removed statements about your duty to advise us if your nominated account is transferred, closed or details are changed and to arrange a suitable payment method. You still owe these obligations to us as stated in section 9 of the Merchant Business Solutions Card Acceptance by Business Terms and Conditions.
• Removed the requirement for all authorised signatories on your account to sign the Direct Debit Request.

• Updated our contact details in subsection 8.1.
• Inserted subsection 8.3, deeming any notice from us to have been received by you on the second banking day after sending.

Section 2 Definitions and interpretation 

• Removed the definitions of the PCI PA-DSS, PA-QSA and SSL as they are no longer part of, or relevant to compliance with the updated PCI DSS.
• References to the PCI PA-DSS, PA-QSA and SSL have been removed from other sections throughout the Terms and Conditions as they are no longer relevant.

• Inserted additional context about when we may set up a ledger account in your name and included the recovery of debts as a reason for establishing a ledger account in your name. It now states:
  
  “In instances such as insufficient funds in your Account, we may establish an account in your name for the purpose of exercising our rights, like retaining funds for processing Transactions, Chargebacks, and recovering debts.”

• Inserted a right for us to review, monitor and audit pages of your Website without requesting access and to allow Third Parties to assist us. It now states:
  
  “You must provide us and our Third Parties with reasonable access to view, monitor and audit the pages of your Website (where that Website accepts Card payments).”

• Clarified that you are responsible for ensuring that your Website is secure as required by the PCI DSS (which continues to include encryption). It now states:
  
  “You are responsible for:
  
  b) ensuring that your Website is secure as required by the PCI DSS during the exchange of Card Information between your Website and your Payment Gateway; and”

• Removed the limitation that the EFTPOS Air facility could only be used by one person at any time.
• Clarified that multiple users may take payments simultaneously using their Terminals under the one EFTPOS Air facility. It now states:
  
  “You and/or the EFTPOS Air User must:
  
  d) be approved by us if you require more than one Terminal for that EFTPOS Air facility to allow multiple EFTPOS Air Users to use the EFTPOS Air facility simultaneously to accept Card payments to process Transactions;”

PCI DSS Validation

• Amended subparagraph a) to require you to be aware of whether you are a level 1, 2 or 3 merchant under the PCI DSS and created an ongoing obligation on you to validate your compliance with the PCI DSS, including providing documents to us when requested.

Account Data Compromise (ADC) Events

• Amended the first paragraph for clarity.

Removed this section 43 and replaced it with a standalone document called “Direct Debit Request Service Agreement”. A current version is available online at: Direct Debit Request Service Agreement from 10 November 2023 and contains the following changes from section 43.

• Amended subsection 2.1 by increasing the notice period we give to you about variations from 14 to 30 days.
• Amended section 3 “How to cancel or change direct debits” to clarify how you may:
  • cancel or suspend the Direct Debit Request; or
  • change, stop or defer an individual debit payment.
• Updated section 4 “Your obligations” by:
  • inserting an obligation on you to notify us as soon as possible if you need to change your account; and
  • removing our right to charge reasonable costs when there are insufficient funds in your account. However, your financial institution (which may also be Westpac), may charge you amounts under the terms that govern your account.
• Updated subsection 5.4 detailing how to make a complaint.
• Amended section 6 “Accounts” by:
  • removing statements about your duty to advise us if your nominated account is transferred, closed or details are changed and to arrange a suitable payment method. You still owe these obligations to us as stated in section 9 of the Terms and Conditions; and
  • removing the requirement for all authorised signatories on your account to sign the Direct Debit Request.
• Amended subsection 8 “Contacting each other” by:
  • updating our contact details in subsection 8.1; and
  • inserting subsection 8.3, deeming any notice from us to have been received by you on the second banking day after sending.

Safety for Online Merchants

• Amended the footnote to clarify that 3D Secure is a service available through card schemes when enabled on the Payment Gateway.

What are the 12 key requirements of PCI DSS?

• Updated requirement 1 to reflect the focus on “network security controls.” Replaced “firewalls” and “routers” with “network security controls” to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
• Updated requirement 2 to reflect that the focus is on secure configurations in general, and not just on vendor-supplied defaults.
• Updated requirement 3 to reflect the focus on account data, a broader concept than cardholder data.
• Updated requirement 4 to reflect the focus on “strong cryptography” to protect transmissions of cardholder data.
• Updated requirement 5 to reflect the focus on protecting all systems and networks from malicious software.
• Updated requirement 6 to include “software” rather than “applications.”
• Updated requirement 7 to include system components and cardholder data.
• Updated requirement 10 to reflect a focus on audit logs, system components, and cardholder data.
• Updated requirement 12 to reflect that the focus is on organisational policies and programs that support information security.

• The descriptions of existing SAQ types have been updated to mirror amendments made to the SAQ types in the “Self-Assessment Questionnaire instructions and Guidelines”, version 4 that supports the PCI DSS.
• Updated SAQ A to replace “cardholder data” with “account data” to reflect the focus on account data, a broader concept than cardholder data. Replace “compliant third-party service provider” with “validated and compliant third parties” to indicate verification due diligence. This SAQ type  is not applicable to service providers.
• Updated SAQ A-EP to include eCommerce merchants “that partially outsource” payment processing to PCI DSS “validated and compliant third parties”. It applies to merchants whose website(s) can impact the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. This SAQ type is not applicable to service providers.
• Updated SAQ B to state that it is not applicable to service providers.
• Updated SAQ B-IP to replace “PIN Transaction Security (PTS)-approved payment terminals” with “PCI-listed approved PIN Transaction Security (PTS) point-of-interaction (POI) devices” for updated terminology. This SAQ type is not applicable to service providers.
• Updated SAQ C-VT to replace “cardholder data” with “account data” to reflect the focus on account data, a broader concept than cardholder data. Qualified that payment account data is entered with “an isolated computing device and a securely connected web browser”. This SAQ type is not applicable to service providers.
• Updated SAQ C to state that it is not applicable to service providers.
• Updated SAQ P2PE to insert the requirement that the merchant has “no access to clear-text account data”. This SAQ type is not applicable to service providers.
• Updated SAQ D to state that it is not applicable to service providers.
• A new SAQ type called “SPoC” has been introduced for merchants using off-the-shelf mobile devices with a secure card reader.

Fee Summary Table

• We have inserted a new fee called the “Chargeback Fee” of $33.00 per chargeback (eCommerce merchants only, excluding PayWay) under the heading “Additional and Ongoing fees”.
• “EFTPOS Accessories” has been renamed to “EFTPOS Terminal Accessories” under the headings “Additional and Ongoing fees” and “Additional and Ongoing fees for Pricing Plans”.
• The heading “Westpac Merchant Pricing Plans^1” has been amended by adding “– No longer for sale from 8 December 2023”.
• The heading “Westpac Presto Pricing Plans^1” has been amended by adding “– No longer for sale from 8 December 2023”.