This chapter prescribes the requirements that apply to Federal Program Agencies (FPAs) that collect or intend to collect public money via credit or debit card.

This chapter applies to FPAs that collect or intend to collect public money via credit or debit card (individually and collectively referred to herein as “card”). The Card Acquiring Service (CAS) Program of the Bureau of the Fiscal Service provides FPAs card acceptance capabilities through its designated financial agent (“Financial Agent”), which may use the services of a merchant acquirer or processor to perform card authorization, transaction processing, or other services on behalf of the Financial Agent.

In addition to the requirements of this chapter, an FPA that has established a card servicing account through the CAS program also must comply with and be bound by the rules and regulations of the card networks (collectively, the Network Rules), any of which may be altered or amended periodically and without notice by the individual card networks. The Network Rules include, without limitation:

• Visa Core Rules and Visa Product and Service Rules,
• Mastercard Rules and Mastercard Transaction Processing Rules,
• Terms and Conditions for American Express Card Acceptance and Merchant Regulations – U.S.,
• The Discover Network Operating Regulations,
• The operating rules and regulations of various PIN debit card networks,
• The operating rules and regulations of various regional debit card networks, Electronic Benefit Transfer (EBT) card programs, and EBT Processing Networks, and
• The rules and regulations issued by any other network for which Fiscal Service may determine to offer card processing services.

An FPA that fails to comply with any provision of the Network Rules may incur fines and penalties imposed by a network. In the event that the Network Rules conflict with federal law and/or the terms of this chapter, federal law and/or the terms of this chapter take precedence over the Network Rules. If the Network Rules simply provide more specificity or clarity regarding a provision of this chapter, the Network Rules are not to be deemed to conflict with this chapter. If there is an apparent conflict between this chapter and the Network Rules, please notify the Fiscal Service Program Contact listed at the end of this chapter.

See, inter alia, 12 U.S.C. 90, 265, 266; 15 U.S.C. 1693o–2; 31 U.S.C. 321, 3301-3303, 3720. 

For terms and definitions related to this chapter, please view the TFM Glossary.

In order to process card transactions, an FPA must establish a card servicing account by completing and submitting to Fiscal Service a Card Acquiring Service Application (CAS Application or Application). This requirement applies to any FPA that seeks to process card transactions using a traditional stand-alone point-of-sale terminal or device, a solution provided through a third-party value-added reseller/integrated software provider, mobile applications and devices, or e-commerce (via the internet). 

Fiscal Service may approve or reject an FPA’s Application based on factors such as the nature and amount of the collections for which the FPA wishes to accept cards and the feasibility of alternative collection methods. Fiscal Service reserves the right to withhold, limit, or terminate card processing services if Fiscal Service determines that it is not cost effective or otherwise not in the public interest. If an FPA’s CAS Application is approved, a card servicing account for the FPA will be established and the Financial Agent will assign the FPA an account series which consists of a Chain Account Number, Division Number, and Merchant Identification (MID) Number. 

• Chain Account Number – An alphanumeric designator assigned to reflect a unique channel of processing (e.g., 0A123B). Each Chain Account Number is affiliated with either an Agency Location Code (ALC) or Disbursing Station Symbol Number (DSSN). An ALC or DSSN may be affiliated with multiple Chain Account Numbers.
• Division Number – A customizable value assigned under a Chain Account Number to designate unique lines of accounting (e.g., 001).
• MID Number– A unique designator under a Chain Account Number and Division Number that reflects the processing location (e.g., 4445123456789).

FPAs may apply for and be assigned more than one Chain Account Number depending on organizational needs.

All credits and debits to an FPA’s card servicing account are subject to review, audit, and correction by the Financial Agent and any independent third party that has the authority to conduct such audits.

An FPA must designate on its CAS Application an Authorizing Official, Chain point of contact (POC), MID POC, and Billing POC for each card servicing account. The roles and responsibilities of each card servicing account POC type are set forth below. 

• Authorizing Official (AO) – The AO is an employee and official of the FPA who is authorized to approve the establishment of the FPA’s card servicing account. (The AO cannot be the individual submitting the CAS Application.).
• Chain POC – The Chain POC is an employee of the FPA who is the first-line contact for the CAS program and serves as the subject matter expert for the CAS program relationship. Due to the interactive partnership with the CAS program, the Chain POC owns the role of lead liaison for any program-related projects, unless otherwise specified. The Chain POC is responsible for disseminating program-related information and/or communications to relevant FPA contacts.
• MID POC –The MID POC, also known as the location-level POC, is the second-line contact for the CAS program. This contact should be familiar with the day-to-day operations for the point-of-sale devices, services, and/or software used at the location under the FPA’s card servicing account.
• Billing POC – The Billing POC is responsible for addressing any funding, operations, or service-related questions pertaining to the card servicing account.

Each FPA must promptly inform Fiscal Service of changes in personnel assigned as the AO, Chain POC, MID POC, or Billing POC to ensure continued communications between Fiscal Service and the FPA. Each FPA should submit personnel contact changes to the Fiscal Service Program Contact at CardAcquiringService@fiscal.treasury.gov identifying both the prior point of contact and the replacement point of contact.

FPAs must review all card collection processes and ensure that all relevant staff, including personnel assigned as the Chain POC and MID POC, are properly trained in the relevant card acceptance procedures. The Financial Agent offers training on its reporting tool, including on such topics as reconciliation, reporting, and chargebacks. FPAs must ensure that training is conducted in conjunction with the Financial Agent and that all appropriate personnel have access to the Financial Agent’s reporting tool. 

FPAs may contact the Financial Agent to request ad hoc assistance and training which may be provided as resources allow. Assistance and training may focus on how to reconcile card activity daily, demonstrations on reporting capabilities, and how to operate or troubleshoot equipment. 

The Financial Agent may offer free training to FPAs as part of its usual customer services, including courses, presentations, and webinars provided by third-party contractors of the Financial Agent. By notifying FPAs of such training opportunities, Fiscal Service is not endorsing the products or services that the third party may offer. 

When an FPA seeks to accommodate an additional processing mechanism or location, the FPA must submit a new CAS Application to apply for a new MID Number. 

Any request to change the ALC or DSSN to which deposits are reported must be authorized by the FPA’s Chain POC and submitted to Fiscal Service for approval.

FPAs must honor all valid cards when properly presented as payment from cardholders. FPAs must not: 

• Try to dissuade a cardholder from using any card,
• Criticize or mischaracterize any card or any card service or program,
• Promote or try to persuade or prompt cardholders to use any particular card, or
• Engage in activities that may negatively impact the business of card brands and processing networks.

FPAs must display the Visa, Mastercard, American Express, and Discover acceptance marks, in the same manner at processing locations to indicate that all such payment methods are honored. In communications that promote card as a form of payment, all acceptance marks must be presented with equal prominence. 

7060.10—Authorization 

For each transaction, FPAs must obtain authorization for the total amount of the transaction being processed. If a transaction is declined by the card issuer or otherwise not authorized, an FPA must not complete the transaction. 

Card-Present Transactions – In a card-present transaction, the cardholder’s payment credentials are captured electronically via EMV chip or contactless payment at the FPA through a point-of-sale terminal or device. FPAs may not require the cardholder to provide identification as a condition for processing a card-present transaction. Card validation and transaction authorization must be obtained through the terminal or device unless there is a loss of terminal connectivity. 

FPAs should obtain the authorization electronically by allowing the terminal or device to read the card information from the Europay, Mastercard, Visa (EMV) chip or via a contactless payment. If the transaction cannot be processed using the EMV chip or contactless payment, the cardholder may swipe the card through the terminal or device, or the FPA may manually key enter the card account number and expiration date into the terminal or device. 

If a terminal or device loses connectivity and authorization cannot be obtained either electronically or manually through the terminal or device, the FPA may call the Financial Agent’s voice authorization telephone number to obtain a valid authorization. The FPA should document the authorization code, card number, and card expiration date. When the terminal or device’s connectivity is restored, the FPA must manually enter the transaction information directly into the terminal or device as a force post item. Throughout the authorization process, card transaction data and cardholder information must be appropriately secured in accordance with the requirements in Section 7080—Data Compliance. 

E-commerce/Card-Not-Present Transactions – For card-not-present transactions conducted via the telephone, mail, or internet, card validation and authorization must be obtained electronically through the e-commerce platform. The FPA must obtain the card validation code (i.e., the CVV2 for Visa cards, the CVC2 for Mastercard cards, and the CID for American Express and Discover cards). For all e-commerce and card-not-present transactions, the cardholder’s address and postal zip code will be transmitted to the card issuer for validation. FPAs should use the verification responses from the card issuer in their decision to accept or decline a transaction. 

If the e-commerce platform loses connectivity and authorization cannot be obtained, the FPA must call the Financial Agent’s voice authorization telephone number to obtain a valid authorization. Throughout the authorization process, card transaction data and cardholder information must be appropriately secured in accordance with the requirements in Section 7080—Data Compliance. 

7060.20—Settlement 

The Financial Agent is authorized to credit and debit an FPA for all amounts due to or from that FPA. An FPA must deposit only transaction receipts that result from cardholder transactions with that FPA. 

FPAs must batch and transmit completed card transactions to the Financial Agent within one calendar day. This requirement does not apply until the goods are shipped or the services are performed unless the cardholder agrees to a delayed delivery of the goods or services at the time of the transaction. If the FPA has received the customer’s authorization for delayed delivery, then the words “Delayed Delivery” must be legibly noted on the transaction receipt. 

7065.10—Minimum Transaction Amounts

FPAs may not establish a minimum transaction amount as a condition for honoring a card without obtaining Fiscal Service’s prior written concurrence. This applies to credit and debit card transactions. Fiscal Service may allow or establish a minimum transaction amount in certain circumstances for security reasons or to meet an FPA business or operating need.

7065.20—Maximum Transaction Amounts

There is no maximum transaction amount for debit card transactions. The maximum transaction amounts set forth below apply to credit card collections.

7065.20a—Credit Card Collections 

FPAs must limit their credit card collections at the Chain Account level so that (a) total daily credit card transactions processed from a single payor are no more than $24,999.99 (hereinafter the “Maximum Daily Limit”) and (b) total monthly transactions processed from a single payor (based on a rolling 30-day period) are no more than $100,000.00 (hereinafter the “Maximum Monthly Limit”). Fiscal Service may, from time to time, amend this section to adjust the Maximum Daily Limit and the Maximum Monthly Limit.

Any individual credit card transaction greater than the Maximum Daily Limit will be rejected unless exempted under Section 7065.80. If a payor initiates multiple transactions on the same day with the same credit card at the same FPA, those transactions causing the total charge to exceed the Maximum Daily Limit will also be rejected unless exempted under Section 7065.80. Fiscal Service may monitor an FPA’s Card Servicing Account to audit whether transactions by a single payor collectively exceed the Maximum Daily Limit or Maximum Monthly Limit, including any transactions by a single payor using different credit cards. 

7065.20b—Intra-governmental Card Collections 

FPAs must limit their card collections so that no individual intra-governmental credit card transaction (“IGT Card Transaction”) exceeds $10,000.00 (“IGT Card Transaction Limit”). The Maximum Daily Limit of $24,999.99 set forth in Section 7065.20a also applies to IGT Card Transactions. As set forth in Section 7065.40, the use of credit card for Intra-governmental Transactions should be avoided. The payment method of choice for Intra-governmental Transactions is G-Invoicing or Intra-Governmental Payment and Collection (IPAC). Please refer to TFM Volume 1, Part II, Chapter 4700, Appendix 8 for further IGT guidance. 

7065.20c—Prohibition on Splitting Transactions 

FPAs accepting payment by credit card from payors who owe an amount on a bill or other obligation must not structure the payment with the purpose of evading the Maximum Daily Limit set forth in Section 7065.20a and the IGT Card Transaction Limit set forth in Section 7065.20b. Accordingly, FPAs may not permit payments to be divided into two or more credit card transactions over one or multiple days if the multiple transactions would cause the total amount to exceed the Maximum Daily Limit or the IGT Card Transaction Limit.

Example of a SPLIT TRANSACTION – A payor was provided a bill from an FPA for $48,000. The payor used one credit card to make a payment of $24,999.99 and placed the remaining $23.000.01 balance on a second credit card. This is a split transaction as the payor used two credit cards to evade the Maximum Daily Limit of $24,999.99. 

Example SOLUTION to splitting a transaction – A payor was provided a bill from an FPA for $48,000. The payor used one credit card to make a payment of $24,999.99 and will pay the remaining balance of $23,000.01 by cash, debit card or ACH. 

Example of a SPLIT IGT CARD TRANSACTION – An FPA is paying an invoice of $12,000 to another FPA. The payor FPA used a GSA SmartPay card to make one payment of $9,000 and then another payment of $3,000. This is a split transaction as the payor agency structured the transaction to avoid the IGT Card Transaction Limit. 

Example SOLUTION to splitting an IGT Card Transaction – An FPA is paying an invoice of $12,000 to another FPA. The payor agency uses G-Invoicing or IPAC to pay the entire invoice. 

7065.30—Alternative Collection Methods 

FPAs accepting payment by card in an e-commerce/card-not-present environment (e.g., via Pay.gov) should also offer at least one other electronic payment option where possible, including ACH, real time gross settlement methods where available (i.e., FedNow, Real Time Payments, and Fedwire), and, for Intra-governmental Transactions, G-Invoicing or IPAC. In all environments, whenever credit card is an offered payment option, debit card should also be an option.

If an FPA’s credit card collection transactions would exceed the thresholds set forth in Sections 7065.20a and 7065.20b (and an exemption for the thresholds in Section 7065.20 has not been granted pursuant to Section 7065.80), the FPA must use another electronic collection alternative.

Fiscal Service reserves the right to require FPAs to use G-Invoicing or IPAC to process intra-governmental transactions rather than allow these transactions to be conducted with a government-issued card. For more information on G-invoicing please visit https://www.fiscal.treasury.gov/g-invoice/. For more information on IPAC, please visit https://www.fiscal.treasury.gov/ipac/.

7065.40—Intra-governmental Card Transactions 

An IGT Card Transaction occurs when an FPA uses a GSA SmartPay card to make a payment to another FPA. 

While G-Invoicing and IPAC are the preferred methods of payment for Intra-governmental Transactions, an FPA may use a GSA SmartPay card to make a payment to another FPA, subject to the limitations set forth in Section 7065.20b. 

7065.50—Fees, Costs, and Reimbursement

FPAs are solely responsible for the costs associated with processing IGT card transactions, including interchange, processing fees, and Network charges. The Financial Agent directly invoices each FPA for such fees and charges. The FPA pays the Financial Agent directly within 30 calendar days of the receipt of the invoice. In the event an FPA fails to pay the Financial Agent on a timely basis, Fiscal Service, in its sole discretion, may pay the Financial Agent the amount owed by the FPA and the FPA must authorize Fiscal Service to obtain equivalent funds from the FPA via G-Invoicing or IPAC to reimburse Fiscal Service. In such event, Fiscal Service provides the FPA with information supporting the G-Invoicing or IPAC transfer. 

Failure to pay the costs associated with IGT card transactions may subject an FPA to the CAS Program Non-Compliance Notice and Suspension of Service Process set forth in Section 7085 of this chapter. 

Additionally, FPAs are solely responsible for any fees imposed by the Financial Agent in connection with special projects completed by the Financial Agent at the request of the FPA. Fiscal Service will provide advance notification to FPAs of any such charges. 

Costs associated with the processing of Chain Accounts exempted from the Maximum Daily Limit and Maximum Monthly Limit under Section 7065.20a are discussed in Section 7065.80b.

7065.60—Surcharges 

An FPA must not directly or indirectly require any cardholder to pay a surcharge, fee, or offer cash discounting in connection with a transaction unless required by law or specified by Fiscal Service. However, if an FPA is reimbursing Fiscal Service for nonstandard card acquiring services under Section 7065.80b, the FPA may consider the reimbursement charges when setting its own rates for goods and services provided to the public. 

7065.70—FPA Compliance

FPAs must ensure that their regulations, policies, or other procedural documents reflect the policies set forth in Section 7065. Additionally, FPAs must reinforce the Maximum Daily Limit, Maximum Monthly Limit, and IGT Card Transaction Limit set forth in Section 7065.20 in communications with customers which should reference collection alternatives to credit card payments. FPAs that fail to adhere to the requirements of Section 7065 will be deemed non-compliant and may be subject to the CAS Program Non-Compliance Notice and Suspension of Service Process set forth in Section 7085 of this chapter. 

The Financial Agent, either itself or through its merchant acquirer or processor, will reject any card transactions that would cause the total charge to exceed the Maximum Daily Limit set forth in Section 7065.20a (unless the FPA has obtained an exemption under Section 7065.80 from the transaction limits set forth in Section 7065.20a). FPAs are responsible for working with their customers that are splitting transactions to ensure compliance with the Maximum Daily Amount, Maximum Monthly Amount, and IGT Card Transaction Limit. 

7065.80—Exemption from Maximum Transaction Amounts

7065.80a – Exemption Request 

Fiscal Service has determined that the processing of credit card transactions in excess of the limits set forth in Section 7065.20a is not a standard collection service provided by Treasury to FPAs. Accordingly, if an FPA wishes to process transactions that exceed the Maximum Daily Limit and/or Maximum Monthly Limit set forth in Section 7065.20a, one may request an exemption for one or more Chain Accounts by submitting a written request to CardAcquiringService@fiscal.treasury.gov specifying:

• The cash flow(s) for which the FPA is seeking an exemption and the justification for the request,
• Identification of alternative payment options currently provided with respect to the cash flow(s),
• The feasibility and availability of alternative collection channels for the cash flow(s),
• Whether the FPA seeks to have either no card processing transaction limit or to establish higher limits than those set forth in Section 7065.20a,
• Forecasted annual credit card transaction volumes if the exemption is granted,
• Information regarding the impact to the FPA or the FPA’s customers if the exemption is not granted,
• The feasibility of dividing the cash flow(s) into multiple Chain Accounts for exemption and non-exemption purposes,
• Any other factors that would impact Fiscal Service’s administrative and operational management of the potentially exempted cash flow(s),
• A point of contact representing the FPA on its exemption request and a billing contact.

An FPA’s submission of an exemption request under this section does not guarantee the request will be approved. The CAS program shall have the discretion to grant or deny an FPA’s exemption request.

7065.80b—Reimbursement of Fiscal Service on Exempted Cash Flows 

An exemption from the Maximum Daily Limit and/or Maximum Monthly Limit pursuant to Section 7065.80 will be conditioned on reimbursement from the FPA. Fiscal Service will require the establishment of an interagency agreement (IAA) with the FPA, authorized by the Economy Act or other applicable legal authority, setting forth the parameters of the exemption and the terms and conditions of the FPA's reimbursement.

Fiscal Service will track costs and invoice the FPA in accordance with the IAA. IAAs may be periodically reviewed and updated.

7070.10—Retrieval Requests 

FPAs must respond to a retrieval request within 10 calendar days. If an FPA does not submit a complete response within 30 calendar days of the receipt of the retrieval request, the retrieval request can turn into an automatic chargeback, which the FPA has no right to re-present. This chargeback results in a loss of funds to the FPA. 

7070.20—Chargeback Process 

If a cardholder contacts an FPA to dispute a charge, the FPA shall attempt to resolve the dispute directly with the cardholder. If the cardholder contacts the issuing bank to dispute a charge, the issuing bank may initiate a chargeback. If a chargeback is initiated, the issuing bank will provisionally credit the cardholder’s account, the Financial Agent will automatically debit the FPA, and the Financial Agent will provide the FPA documentation about the chargeback. An FPA must submit evidence to refute the chargeback within 15 calendar days or choose to accept the chargeback. The issuing bank will review the FPA’s response and decide whether to finalize or reverse the chargeback. If an FPA does not submit a complete and proper response to the chargeback within 45 calendar days, the chargeback is finalized. 

The Financial Agent maintains an online system that allows for the automation of the chargeback process, and the Financial Agent communicates directly with the FPA through this system to obtain all information necessary to resolve disputes. 

For a chargeback received for a transaction made on a foreign-issued card, the chargeback amount may or may not match the amount of the original transaction due to the exchange rate conversion. 

Any network fees imposed on the FPA as a result of noncompliance with retrieval requests or chargeback requirements may be passed through to the FPA separately as a fine or may be included in the chargeback or miscellaneous adjustment amounts for which the FPA is debited. 

7075.10—Truncation Requirements

Federal law and Network Rules prohibit including more than the last four digits of a card number on a cardholder’s receipt. Federal law and Network Rules also prohibit including the card expiration date on a cardholder’s receipt. Failure to adhere to these prohibitions may result in fines or penalties.

7075.20—Disclosure to Third Parties

FPAs must not disclose a cardholder’s account information or any other personal information to third parties other than to the FPA’s agents for the sole purpose of assisting the FPA in completing the transaction or as specifically required by law.

Suspicious requests for account information should be reported immediately. Contact the Fiscal Service Program Contact to report any such request. 

7080.10—Retention and Storage of Card Data and Information 

FPAs that accept card payments are subject to a number of requirements, including the Payment Card Industry Data Security Standards (PCI DSS) and the requirements set forth in the Network Rules relating to the retention and storage of card transaction data and cardholder information. FPAs that fail to comply with applicable data retention and storage requirements may be subject to network fines and/or penalties, liabilities, or damages arising under federal law.

Card-present Transactions

FPAs must retain at each terminal or device location or at a central location legible copies of transaction receipts for a period of at least 18 months for Visa, Mastercard, and Discover transactions and 24 months for American Express transactions. In addition, for any transaction receipt related to a contract for the delivery of services over an extended period of time, the FPA must retain the receipt for a period of 6 months following the date that the service period ends.

E-commerce/Card-not-present Transactions

FPAs must not store any card numbers on a web server or otherwise maintain a database of card numbers on a machine accessible from the internet or by unauthorized FPA local area network users. Workstations where card numbers are keyed or otherwise entered are to be secured via the appropriate firewall and networking configurations.

If a customer’s card number is stored on the e-commerce platform for future use, the customer must opt in for this type of service. An option must be offered for a customer to log in to their account and remove this option at any time. It is recommended that when customers view their accounts online that card numbers and expiration dates are truncated. 

FPAs may not retain the following:

• magnetic stripe data,
• EMV chip data,
• CVV2/CVC2 or CID (the three- or four-digit code printed on the card), or
• personal identification number (PIN) or encrypted PIN blocks subsequent to the authorization of a sales transaction or data transmitted via Near Field Communication (NFC).

FPAs must immediately notify the Financial Agent, as well as the Fiscal Service Program Contact of any breaches of cardholder information.

7080.20—Payment Card Industry Data Security Standard 

FPAs must comply fully with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is an industry standard supported by all card networks that applies to any entity processing, storing, or transmitting cardholder data. The PCI DSS contains security requirements to help protect against unauthorized intrusions and account data compromises.

The method of PCI DSS compliance validation required for each FPA depends on the FPA’s PCI DSS merchant level. There are four merchant levels based on transaction volume calculated over a 12-month period. Unless otherwise notified, FPAs should consider themselves to be Level 4 merchants—merchants that process up to 1 million card transactions annually through all channels and do not process more than 20,000 card transactions annually exclusively via e-commerce. Level 4 merchants must validate their compliance with PCI DSS by enrolling in an online validation portal chosen by the Financial Agent, completing a self-assessment questionnaire, and signing an attestation of compliance. Fiscal Service and/or the Financial Agent will notify FPAs that meet the higher transaction thresholds for Levels 1, 2, and 3 compliances, and provide specific guidance on validation requirements and associated timeframes for compliance. 

PCI DSS compliance is an ongoing process, not a one-time event. In addition to annual validation requirements, FPAs must continuously assess their operations and fix any identified vulnerabilities. PCI DSS validation, compliance or security audits are not performed by Fiscal Service and where applicable, may result in expenses to the FPA.

PCI DSS requirements are in addition to, and do not replace, requirements under the Federal Information Security Modernization Act of 2014 (FISMA) or any National Institute of Standards and Technology (NIST) guidelines. Questions about PCI DSS requirements should be directed to the Fiscal Service Program Contact.

7085.10—Failure to Respond 

Unless otherwise specified in this chapter, each FPA must respond to any written or email inquiry or instruction from Fiscal Service or the Financial Agent relating to the FPA’s use of the CAS program within a period of 30 calendar days from the date of receipt, or as specified in the inquiry. Fiscal Service may suspend or discontinue services provided to an FPA under this chapter if the FPA fails to respond timely to inquiries or instructions (see Section 7085.30, CAS Program Non-Compliance Notice and Suspension of Service Process). 

7085.20—Fines and Penalties

An FPA that fails to comply with any provision of the Network Rules may incur fines and penalties imposed by a network. The networks have developed several programs designed to mitigate fraud and curb chargebacks. Such programs include but are not limited to the monitoring of chargeback rates, improper card acceptance, improper processing of declined transactions, and abnormal fraud or counterfeit sales activity. In the event that an FPA fails to comply with any Network Rules, the FPA may be subject to fines and/or termination of the FPA’s Card Servicing Account. FPAs have full responsibility for any fines, fees, and/or penalties levied by a network in accordance with merchant monitoring programs.

If a fine is imposed on an FPA, the FPA must remit the amount of the fine to the Financial Agent within 30 calendar days of notification of the fine. In the event that the FPA fails to pay the Financial Agent on a timely basis, Fiscal Service, in its sole discretion, may pay the Financial Agent the amount owed by the FPA and the FPA must authorize Fiscal Service to obtain equivalent funds from the FPA via G-Invoicing or IPAC to reimburse Fiscal Service. In such event, Fiscal Service provides the FPA with information supporting the G-Invoicing or IPAC transfer.

7085.30—CAS Program Non-Compliance Notice and Suspension of Service Process

FPAs using the CAS program must abide by all Network Rules and the policies specified in this chapter of the TFM (collectively “CAS Program Rules”). If Fiscal Service determines that an FPA is not in compliance with the CAS Program Rules, Fiscal Service may issue the FPA an initial notice of non-compliance (the Initial Notice of Non-compliance). The CAS program will make reasonable efforts to send such Initial Notice of Non-compliance within 45 calendar days following the date on which the CAS program first identified the CAS Program Rule violation. The Initial Notice of Non-compliance will identify the specific rule violation, the cashflow(s) to which the violation applies, a brief explanation of why the FPA is deemed to be non-compliant, and the timeframe in which the CAS program expects the FPA to become compliant. FPAs must provide the CAS program with a written acknowledgement of receipt of an Initial Notice of Non-Compliance within 15 business days from the date of receipt of such Initial Notice.

If an FPA does not comply with the CAS Program Rule(s) identified in the Initial Notice of Non-compliance within 45 calendar days of receipt of the Initial Notice of Non-Compliance, the CAS program may send a subsequent notice (the Follow-up Notice of Non-compliance) to the FPA. The Follow-up Notice of Non-compliance may identify the information set forth in the Initial Notice of Non-Compliance, and actions the CAS program may take if the FPA does not become compliant with CAS Program Rules within the timeframe allotted. FPAs must provide the CAS program with a written acknowledgement of receipt of a Follow-up Notice of Non-Compliance within 7 business days from the date of receipt of such Follow-up Notice of Non-compliance.

If an FPA does not become compliant with CAS Program Rules within the timeframe specified in the Follow-up Notice of Non-Compliance, the CAS program reserves the right to take any action specified in the Follow-up Notice of Non-Compliance, which may include suspending the provision of card acquiring services to the FPA for those cashflows deemed non-compliant. If CAS, in its sole discretion, determines that suspension of card acquiring services is appropriate given the circumstances, CAS may send the FPA a final notice of non-compliance (a Final Notice of Non-Compliance) which may identify the information set forth in the Follow-up Notice of Non-Compliance, the dates of prior communications with the FPA regarding the rule violation, and the date on which Fiscal Service will suspend card acquiring services. If the CAS program decides to suspend card acquiring services, such decision will be considered final and irreversible. If an FPA wants to resume processing of card transactions, reference Section 7025 of this chapter.

Network Rules generally prohibit the use of credit cards as a means to pay debt obligations. Fiscal Service believes that this prohibition protects card-issuing banks from acquiring, through the credit card authorization process, debt obligations for which they are not the original underwriter. This protection is important to the issuing bank as it manages the credit risk associated with its credit card product according to its own risk management principles and in compliance with regulatory guidelines.

Examples of debt obligations include but are not limited to: (1) loans (e.g., with a payment schedule and/or interest rate payment obligation); (2) obligations considered in arrears for lack of payment (whether held by the original party or acquired by a third party for the purpose of collection); or (3) late payment obligations triggered by the failure to pay an obligation timely (to include the amount of the obligation not paid timely).

A debt obligation does not include, without limitation: (1) the purchase of a good or service (to include purchases in which full payment is expected within a period not exceeding 30 days and does not involve the payment of interest); or (2) an obligation established as a result of an “overpayment” which is due and payable in full within 30 days of notice to the payer.

The above examples of obligations that may be considered debt or non-debt should not be considered exhaustive. If an FPA has a question regarding whether its collections constitute debt repayment for the purpose of credit card eligibility, please contact the Fiscal Service Program Contact.

7095.10—Processing Card-Present Transactions

FPA POS terminal or device equipment must be situated to permit cardholders to input their PINs without revealing them to other persons, including FPA personnel and surveillance equipment. The PIN must never be stored or displayed to any cardholder. The PIN must be immediately encrypted and must remain encrypted for transmission until received by the Financial Agent. FPA POS terminal or device equipment must comply with the Data Encryption Standards required by the card and debit networks.

An FPA is not permitted to complete any POS debit card transaction via the FPA POS terminal or device, that has not been authorized online by the Financial Agent and/or the debit network.

7095.20—Processing Card-Not-Present Transactions

Subject to the requirements set forth in Section 7060 – Authorization and Settlement, FPAs may process card-not-present transactions. Card data and/or authorizations may not be accepted via email. An FPA that accepts mail order, telephone order, delayed delivery, or e-commerce transactions assumes all risk associated with such transactions, including, but not limited to, fraudulent sales transactions.

FPAs must employ proper mechanisms to secure e-commerce-based transactions, as described in NIST Special Publication 800-53 (revision 5). Any transaction where a secured session is not established with the cardholder’s web browser must not be completed.

If an FPA accepts eCommerce transactions, the following information must be disclosed on the FPA’s website:

• Complete description of goods, services, or collections,
• Returned merchandise and refund policy,
• Transaction currency,
• Customer service contact, including email address and/or telephone number,
• Export or legal restrictions (if applicable),
• Delivery policy (if applicable),
• Disclosure of merchant outlet country on the same screen as the checkout screen or during the checkout process,
• Consumer data privacy policy, and
• Security method for the transmission of payment data.

An FPA may establish its own return and refund policy subject to the requirements of this section. An FPA may limit returns or refunds provided that the FPA conspicuously discloses its return and refund policy at the time of the transaction, with wording such as this:

• “NO REFUND, ALL SALES FINAL”—For any FPA that does not accept return or exchange of merchandise or service cancellation/termination and does not issue refunds to cardholders.
• “EXCHANGE ONLY”—For any FPA that only accepts the return of merchandise in immediate exchange for similar merchandise of a price equal to the amount of the original transaction.
• “IN-STORE CREDIT ONLY”—For any FPA that accepts merchandise in return and delivers to the cardholder an in-store credit equal to the value of the merchandise returned that may be used only in the FPA’s place(s) of business.

In the event that a refund is granted for merchandise, price adjustments, or services terminated/canceled, the FPA should issue the refund to the original card. In the event that the cardholder’s account is closed, the FPA should still process the return to the original card. If the original card is not available, an alternate form of credit such as cash, in-store credit, or gift card, should be offered. The refund or adjustment indicated on the credit receipt must not exceed the original transaction amount. Authorization is required when a refund is issued to a cardholder.

An FPA may not receive any payments from a cardholder with respect to charges for merchandise and/or services that are included on a previous transaction receipt resulting from the use of a card. An FPA must not issue a credit when there is no corresponding charge.

FPAs that accept PIN debit transactions may be required by certain networks to offer cashback services to cardholders. Except in connection with a PIN debit cashback transaction, an FPA may not disburse cash to a cardholder and then process such activity as a card sales transaction, nor may an FPA process a money order or wire transfer transaction for a cardholder and then process such activity as a card sales transaction.

FPAs may not accept cash, check, or other negotiable payment instruments from a cardholder and then credit the cardholder’s account in the amount of the payment.

An FPA must provide the cardholder a completed copy of the transaction receipt evidencing a transaction involving use of a card. The cardholder must not be required to sign a transaction receipt unless the final transaction amount is indicated on the receipt. The transaction receipts must include all required information by the applicable card brands.

FPAs accepting e-commerce card transactions must produce a transaction receipt. All transaction receipts must comply with the truncation requirements regarding card numbers and expiration dates on receipts described in Section 7075 – Disclosure and Display of Cardholder Information.

FPAs are responsible for the acquisition and cost of POS devices and related equipment, supplies, and software. An FPA may purchase terminals and related equipment, supplies, and software either directly from the Financial Agent or from another source of the FPA’s choosing, provided that what is purchased by the FPA meets the requirements of the Financial Agent and Fiscal Service. Requirements include, but are not limited to, the ability to directly send, receive, and process:

• card transaction data,
• cardholder information,
• authorizations,
• and daily on-site reconciliation.

FPAs may contact the Fiscal Service Program Contact to obtain information about supported products and pricing.

7115.10—Acquisition of Equipment from the Financial Agent

If an FPA elects to purchase terminals or related equipment, supplies, and software from the Financial Agent payment is due at the time of purchase.

An FPA must seek a replacement terminal within three calendar days of its inability to process transactions and deposits. If the FPA elects to seek a replacement for a broken terminal purchased from the Financial Agent, the Financial Agent may advise on a suitable replacement terminal. If a replacement terminal is provided, the FPA must return the broken equipment to the Financial Agent within 30 calendar days and according to the instructions provided. Failure to return the equipment or failure to follow the return instructions provided may result in the FPA being charged for the full retail price of the equipment. All costs for equipment are quoted and must be approved by the FPA before ordering.

In the event the FPA fails to pay an amount owed under this section to the Financial Agent on a timely basis, Fiscal Service, in its sole discretion, may pay the Financial Agent the amount owed by the FPA and the FPA authorizes Fiscal Service to obtain equivalent funds from the FPA via G-invoicing or IPAC to reimburse Fiscal Service. In such event, Fiscal Service provides the FPA with information supporting the G-Invoicing or IPAC transfer.

7115.20—Acquisition of Third-Party Equipment

Before purchasing equipment from a third party, FPAs must confirm with the Fiscal Service Program Contact that the third party’s equipment meets the requirements of the Financial Agent and Fiscal Service. The FPA assumes all risk associated with the use of equipment or supplies that are not provided by the Financial Agent.

FPAs also are responsible for any and all costs associated with the use of third-party software or applications for card processing. An FPA may purchase and use software or applications from a third-party source of the FPA’s choosing, if the software or applications meet the requirements of the Financial Agent and Fiscal Service. FPAs may contact the Fiscal Service Program Contact to obtain information about supported products. FPAs are encouraged to evaluate the use of Fiscal Service products and services prior to exploring third-party solutions.

FPAs choosing to use third-party products or applications are responsible for costs associated with switching products or applications to meet Fiscal Service’s or the Financial Agent’s processing requirements.

Direct questions regarding this chapter to the Fiscal Service Program Contact at:

U.S. Department of the Treasury 
Bureau of the Fiscal Service 
Settlement Services Division 3201 Pennsy Drive, Building E 
Landover, MD 20785
CardAcquiringService@fiscal.treasury.gov