iPOS S.A.F.E

iPOS S.A.F.E is a risk management tool that is crucial for ensuring transactional security. It's designed to protect merchants by spotting and stopping potential fraud or suspicious activity before it occurs, rather than after the damage is done - a significant improvement compared to traditional systems.

Accessing iPOS S.A.F.E

The iPOS S.A.F.E module is available to both default and non-default ISO Admin users. It is located on the portal's left-hand side panel.

In this module, you can:

• Configure Risk Rules for individual TPNs (Terminal Profile Numbers)

• Create and apply Templates to existing or new TPNs for a consistent setup

At the top of this section, you will find the search box, where the ISO can search for any merchant on the iPOSpays portal based on their DBA, store name, and TPN/DeviceLabel.

When a TPN is temporarily deactivated due to a triggered risk rule, the ISO can restore its status by navigating to iPOS S.A.F.E Module → Risk Rules → [Select Desired TPN] → Activate.

Before reactivating the TPN, it is strongly recommended that the ISO review the transactions that triggered the deactivation. This should include direct communication with the merchant to verify the legitimacy of the flagged transaction attempts.

Risk Rules

iPOS S.A.F.E offers a set of configurable risk rules designed to help identify and mitigate potential threats. ISOs can choose to enable or disable these rules and customize their parameters based on the merchant’s specific processing needs.

• Velocity Check - All cards

• Velocity Check - Same BIN

• Decline Limit

• Daily Batch Limit

• Manual Refund Daily Limit

• Ticket Size – Sale Transaction

• Ticket Size – Manual Refund Transaction

• Daily EMV Fallback Limit

• International Card - Sale

• Restrict International Card Refund

• Card Validation

Velocity Check - All cards

This rule prevents phishing attempts from bots. iPOS S.A.F.E will deactivate the TPN when the number of transactions within the configured duration exceeds the threshold values.

Velocity Check - Same BIN

This risk rule is designed to prevent card testing and fraudulent activity involving cards that share the same BIN (Bank Identification Number). It monitors transaction patterns involving the same BIN and triggers protective actions when suspicious behavior is detected. The rule is activated based on two distinct criteria:

• 1st Criteria – Transaction Volume Threshold: If multiple transactions are performed using cards with the same BIN—whether it’s one card or several different cards from the same issuer—and the total count exceeds the configured threshold within the defined time frame, the system will block that BIN. Once triggered, any card using the same BIN will be automatically blocked for 12 or 24 hours, based on the configuration.

• 2nd Criteria – Failure Count Threshold: If several transactions using different cards with the same BIN are declined within the configured time window and the number of failed attempts exceeds the “Fail Count” threshold, the system will block the BIN for 24 hours.

Example Scenario:

• Threshold: 10 transactions

• Fail Count: 5

• Duration: 5 minutes

If 10 transactions are attempted within 5 minutes using cards that share the same BIN, the 11th transaction will trigger the rule and block the BIN.

Alternatively, if within those 10 transactions, 5 or more are declined, the rule will be triggered based on the failure count—even if the total transaction threshold hasn’t been reached.

Summary:

The rule will activate as soon as either the transaction volume threshold or the failure count threshold is met within the specified time window. Once triggered, all future attempts using the same BIN will be blocked for the configured duration (e.g., 24 hours), helping to prevent further abuse

Decline Limit

The Decline Limit risk rule helps prevent misuse or potential fraud by monitoring a high volume of declined transactions over a short period.

When enabled, iPOS S.A.F.E will track both:

• The number of declined transactions within a configured time frame, and

• The decline percentage (i.e., the ratio of declines to total transactions during that period).

How it works:

1. Max Decline – Set the maximum number of declined transactions allowed within the timeframe.

2. Decline Percent – Set the maximum allowable percentage of declined transactions.

Both thresholds must be exceeded within the specified timeframe for the rule to trigger.

If both conditions are met, the TPN will be automatically deactivated by iPOS S.A.F.E due to suspicious activity.

Note: Tip adjustments and voids are excluded from this rule’s validation.

Daily Batch Limit

The Daily Batch Limit rule allows ISOs to define a maximum transaction volume that a merchant can process within a single open batch. Once the total transaction amount in the batch reaches the configured threshold, any additional transactions will be declined until the batch is closed and a new one begins.

Example: If the batch limit is set to $10,000 and the merchant has processed $10,000 in approved transactions, any further sale attempts will be declined until the batch is settled.

Important Exception:

• Standalone refunds are exempt from this rule. Refunds that exceed the batch limit will still be processed successfully.

Manual Refund Daily Limit

This rule defines the daily cap for manual refund transactions that are not tied to existing sales. It applies to manual refunds initiated directly from the POS, CloudPOS, PIN pad, Hosted Payment Page, SPIn, and similar channels.

• Refund Limit: The total dollar amount allowed for manual refunds per day.

• Refund Count Limit: The maximum number of manual refunds that can be performed each day.

Any transaction that exceeds either the Refund Limit or the Refund Count Limit—whichever comes first—will be automatically declined.

Note:

• This rule does not apply to refunds processed from the Transactions module in iPOSpays.

• All card entry modes are subject to the “Refund Limit” rule.

• The threshold count only considers approved refunds, not declined ones.

• Multiple contactless or EMV transactions that fall below the threshold value will not trigger a decline, even if the number of transactions exceeds the threshold.

• Swipe and manual card entry modes that fall under the threshold will trigger the risk rule if they exceed the threshold.

Ticket Size – Sale Transaction

This rule sets a threshold for the maximum amount the TPN is allowed to process when performing individual sale transactions. ISOs can configure this rule according to the merchant's normal processing volumes, where any transaction amount above the set ticket size will be declined.

Ticket Size – Manual Refund Transaction

This rule sets a threshold for the maximum amount the TPN is allowed to process when performing manual refunds. ISOs can configure this rule according to the merchant's normal processing volumes, where any transaction amount above the set ticket size will be declined.

• Ticket Size: Sets a limit for the maximum dollar amount per refund transaction. Applies to all manual refunds performed on POS, PIN pad terminals, etc.

• CloudPOS Ticket Size: Sets the maximum dollar amount per manual refund transaction on CloudPOS. This does not apply to refunds for existing sale transactions or those performed via CloudPOS+ PIN pad terminals.

CloudPOS Ticket Size can also be used to prevent merchants from processing “unmatched or blind refunds”. When this parameter is set to $0.00, the merchant will not be allowed to process refunds through the CloudPOS Payment page, instead, they will be required to find the original sale on the transaction module and initiate the refund from the original sale record.

Daily EMV Fallback Limit

The Daily EMV Fallback Limit rule is designed to restrict excessive fallback transactions, which are often exploited in fraudulent schemes.

While EMV fallback is permitted for genuine cases where a chip card is damaged or unreadable, fraudsters may attempt to bypass chip authentication by using skimmed card data and triggering fallback. This rule mitigates such misuse by allowing ISOs to configure a daily cap on fallback transactions.

Once the configured daily limit is reached, any additional EMV fallback transactions will be automatically declined, enhancing security without impacting legitimate usage patterns.

Note: EMV fallback refers to the process where a chip card fails to read, and the system allows the transaction to proceed using the magnetic stripe.

International Card - Sale

This rule allows the ISO to determine if a TPN is able to process Sales for International Cards by configuring this feature to “Yes” to allow or “No” to restrict.

Restrict International Card Refund

This rule is used to control whether refunds can be processed on international cards. When enabled, refunds will only be allowed to domestic cards (issued in the same country as the merchant account). When disabled, refunds to international cards will be permitted.

• CloudPOS: This setting allows the ISO to control refund permissions for international cards on CloudPOS devices. Set to Disable to allow refunds, or Enable to restrict them.

• POS: Similarly, this setting determines refund permissions for POS devices. Choose Disable to allow international card refunds, or Enable to block them.

Card Validation

The Card Validation risk rule checks for incorrect CVV and/or ZIP codes. This rule is governed by the CVV/AVS settings defined in the TPN’s Edit Parameters section. If either CVV or ZIP code validation is marked as mandatory, the rule will enforce the corresponding check during transaction processing. If a transaction is approved but fails either check, it will be automatically voided, and the funds will be released back to the customer’s account.

Important: For the rule to function effectively, CVV and ZIP code fields must be marked as mandatory in the Edit Parameter for the TPN.

When Card Validation is enabled, two sub-options appear and can be configured independently:

• CVV Check: Validates the CVV response returned by the processor. If the response indicates a mismatch, the transaction will be declined with response code R12. The system will then automatically void the transaction and release the funds to the cardholder.

• ZIP Code Check: Validates the ZIP code using the AVS (Address Verification System) response from the processor. A mismatch will also trigger a decline with R12, followed by an automatic void and fund release.

This rule improves payment security by ensuring that only transactions with verified cardholder information are approved, significantly reducing fraud risk for both merchants and customers.

Saving and Applying Risk Rule Configurations

Once you have configured Risk Rules for a TPN, you will have the following options:

1. Save: Will apply these settings to a specific TPN

2. Save as Template: Will allow the ISO to generate a template with the already configured values in order to use this template with other TPNs. The system will prompt to generate a name for this template and give the option to be set as the “Default template” to be applied to newly created TPNs.

3. After generating a Template, you are also able to apply the template to a specific TPN by selecting this option, then you will see a pop-up prompt to select the desired template from all the available options, as shown below:

Bulk Assign / Update

Once you have created a Risk Rule Template, you can easily apply these configurations to multiple merchants, stores, or TPNs simultaneously by following this set of instructions:

• From the Risk Rules module, filter your search to all the targeted merchants, stores, or TPNs

• Click on the action button located at the top left corner of this section and select “Bulk Assign / Update.”

• If you wish to assign an existing template, select the template name from the drop-down menu, and then click “Bulk Update.”

• If you wish to update one or multiple rules, select the “Bulk Update Selected Only**” box and proceed to update the desired risk rules and values. When all desired options have been modified, click “Bulk Update.”

Risk Rule Templates

Under the iPOS S.A.F.E Module, you will find the subcategory for Templates. In this section, you will be able to see all the templates under your portfolio.

You will also be able to:

• Edit or delete existing templates.

• Set a template as the default or remove it as the default for new TPNs.

• See which template is currently set as the default.

• Check when a template was last updated.

• See who originally created the template.

Risk Decline Codes:

WWhen a risk rule is activated, a specific risk code will be shown on both the POS device and the CloudPOS (Virtual Terminal) during the transaction, alerting the merchant about the detected activity.

Please reference the different decline codes and their message below, along with the explanation of each code:

• R01 - Velocity Check - Same BIN (blocks the TPN)

• R02 - Velocity Check - All cards

• R03- Decline percent

• R04 - Daily Batch Limit

• R05 - Daily Refund Limit

• R06 - Ticket Size - Sale Transaction

• R07 - Ticket Size - Refund Transaction

• R08 - Daily EMV Fallback Limit

• R09 - International Card Sale/Ticket

• R10 - Velocity Check - Same BIN (blocks only the BIN)

• R11 - International Card Refund

• R12 - Invalid CVV/ZIP code or CVV /AVS Mismatch Response