Fraud Prevention

eCommerce merchants are required to comply with Tyro’s Website Requirements. Here we provide some Frequently Asked Questions to get you started, and more detailed information to assist you in meeting these Requirements.
Website requirements are a set of disclosures that need to be made on websites when accepting payments.
Website requirements are important to ensure that appropriate information is made available to cardholders when making purchases. Tyro website requirements assist merchants in:
Website requirements are verified when eCommerce merchants are onboarded, and website content is monitored on an ongoing basis. At the time of onboarding, Tyro will request details of the website’s URL. If a website is under development at the time of the merchant application, Tyro will request visibility of the development site and may defer approval of the merchant facility until development work is complete.
Tyro should be notified if changes are made to the following:
Before approving an eCommerce facility, Tyro will verify that the connected website contains the information provided below. “Must have” items must be displayed in all cases. “Recommended” items are optional.
Must have: The total price of goods/services being purchased, including applicable tax and shipping/delivery/installation. Where shipping/delivery/installation prices are estimated, this should be made clear to the cardholder.
Must have: A clearly denoted transaction currency against the total price of goods/services being purchased, which in most cases will be Australian Dollars. This may be achieved using text in a prominent place (e.g. “All transactions are processed in Australian Dollars”) and/or by using AUD$ (or the applicable transaction currency) on the checkout/payment page. Where the merchant only sells and ships/delivers/installs in Australia, and this is noted on the website, transaction currency only needs to be denoted using the dollar symbol (i.e. $402).
Recommended: It is recommended that a clear naming convention exists between the URL of the merchant website, the merchant business name, and the name that will appear against the transaction on the cardholder’s card statement/bill.
Must have: The cost of shipping/delivery/installation clearly stated, unless shipping/delivery/installation is included in the sale price and clearly noted.
Must have – Liquor merchants only: Where liquor is being sold online, merchants must: (1) display their liquor licence details (2) note that delivery is only made to Australian addresses (3) note that liquor is sold only to persons of 18 years of age or older, and note that age confirmation identification must be presented at the time of delivery.
Recommended: The approximate shipping/delivery/installation time frame and method, as applicable. Where the shipping/delivery/installation time frame is estimated, or delays are possible (e.g. because of the cardholder’s location or potential border controls), or delivery will occur in multiple shipments, or delivery restrictions exist (e.g. delivery is only made to specific countries or states), this should be made clear to the cardholder.
Recommended: It is recommended that shipping/delivery/installation arrangements/conditions are made clear to the cardholder, for example where there is a need for cardholders to sign for parcels or provide identification upon collection or sign for completion of installation.
Recommended: It is recommended that a “click to accept” or other acknowledgement button or checkbox is used, in order to obtain and record the cardholder’s agreement to the information provided.
Must have: An email address or a telephone number or a contact form, via which cardholders may engage with the merchant to seek information or resolve disputes.
Recommended: It is recommended that multiple contact options are provided to maximise the opportunity for contact and minimise the propensity for disputes. It is also recommended that a timeframe for response is noted in order to manage cardholder expectations.
Must have: The name of the merchant, mailing or Post Office Box address, and country of domicile.
Must have: The merchant business name on the website must match, or be easy for the cardholder to reconcile with, the name that will appear against the transaction on the cardholder’s card statement/bill. If the connection between the name on the website and the cardholder’s card statement/bill is not strong, then the merchant must place text on the checkout page to explain the name that will appear on the cardholder’s card statement/bill (e.g. “This transaction will appear on your card statement/bill under the name of Business Name Limited”).
Recommended: It is recommended that a clear naming convention exists between the URL of the merchant website, the merchant business name, and the name that will appear against the transaction on the cardholder’s card statement/bill.
Must have: A refund/return/cancellation policy, or a no refund/return/cancellation policy, as applicable, which should be prominently disclosed and fair and reasonable. Where applicable, cardholders should be made aware of the conditions that must be met to be eligible for a refund/return/cancellation and any associated fees.
Recommended: It is recommended that a “click to accept” or other acknowledgement button or checkbox is used, in order to obtain and record the cardholder’s agreement to the information provided.
Must have: A complete description of goods/services to which the payment relates.
Recommended: It is recommended that goods are noted as new or used, as applicable.
Recommended – Ugg boot sellers only: It is recommended that information is provided to make a clear association with, or disassociation from, the UGG Australia brand owned by Deckers Corporation, as applicable. Buyer confusion can result in chargebacks and brand violations can result in significant card scheme fines.
Must have: Approved images of the card types accepted (e.g. Mastercard, Visa), either on the website itself or an associated Hosted Payments Page.
Recommended: It is recommended that details are provided of security capabilities for transmission of payment card details (e.g. “All card information is captured on a Hosted Payment Page and stored in a PCI-DSS compliant environment”).
Recommended: It is recommended that details are provided on what information the merchant collects from its customers, how the merchant stores and secures this information, and whether or not the merchant shares this information with other parties.
The following items apply to specific merchant categories/merchant types:
Must have – Liquor merchants only: Where liquor is being sold online, merchants must: (1) display their liquor licence details (2) note that delivery is only made to Australian addresses (3) note that liquor is sold only to persons of 18 years of age or older, and note that age confirmation identification must be presented at the time of delivery.
Recommended – Charities: It is strongly recommended that charity merchants employ CAPTCHA technology to prevent the use of automated scripts for card testing. This form of card testing allows fraudsters to generate approvals/declines on a large volume of cards in a short time period, causing significant disruption to merchants and inconvenience to genuine cardholders. CAPTCHA technology is described as “a type of challenge–response test used in computing to determine whether or not the user is human”, and can be used as a method to limit fraudulent activity. Please note that card testing is most common at charity merchants but can also be found in other merchant contexts.
Recommended – Ugg boot sellers only: It is recommended that information is provided to make a clear association with, or disassociation from, the UGG Australia brand owned by Deckers Corporation, as applicable. Buyer confusion can result in chargebacks and brand violations can result in significant card scheme fines.
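As an added illustration of the card-testing pattern described in the Charities item above (not Tyro code), the following sketch scans a payment-attempt log for sources that try many different cards in a short period, which is the point at which a merchant site would present a CAPTCHA challenge. The log format, the 60-second window, the five-card threshold and all function names are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed look-back window
MAX_CARDS = 5                   # assumed: distinct cards one source may try per window
T0 = datetime(2024, 1, 1, 10, 0, 0)

def line(sec, ip, card, result):
    """Build one constructed log line: timestamp, source IP, card token, result."""
    return f"{(T0 + timedelta(seconds=sec)).isoformat()} {ip} {card} {result}"

# Constructed sample log. Card values are opaque tokens; never log real card numbers.
SAMPLE_LOG = "\n".join(sorted(
    # Scripted source: 8 different cards in 35 seconds, one approval.
    [line(5 * i, "203.0.113.7", f"tok{i:02d}", "APPROVED" if i == 6 else "DECLINED")
     for i in range(8)]
    # Genuine donor: same card retried once after a decline.
    + [line(10, "198.51.100.20", "tokA", "DECLINED"),
       line(40, "198.51.100.20", "tokA", "APPROVED")]
    # Shared office address: 6 cards, but spread over 10 minutes.
    + [line(120 * i, "192.0.2.55", f"slow{i}", "DECLINED") for i in range(6)]
))

def sources_to_challenge(log, window=WINDOW, max_cards=MAX_CARDS):
    """Map each source IP to (first time it exceeded max_cards distinct cards
    inside the window, distinct cards seen, declines seen) at that moment."""
    recent = defaultdict(deque)  # ip -> attempts still inside the window
    flagged = {}
    for raw in log.splitlines():
        stamp, ip, card, result = raw.split()
        ts = datetime.fromisoformat(stamp)
        attempts = recent[ip]
        attempts.append((ts, card, result))
        while ts - attempts[0][0] > window:  # drop attempts older than the window
            attempts.popleft()
        cards = {c for _, c, _ in attempts}
        if len(cards) > max_cards and ip not in flagged:
            declines = sum(1 for _, _, r in attempts if r == "DECLINED")
            flagged[ip] = (ts, len(cards), declines)
    return flagged

if __name__ == "__main__":
    for ip, (ts, cards, declines) in sources_to_challenge(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} challenge {ip}: {cards} cards, {declines} declines in window")
```

Only the scripted source is flagged; the donor retrying one card and the slow shared address stay below the threshold, so genuine cardholders are not challenged unnecessarily.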
Websites must NOT incorporate content that:
Mastercard is a registered trademark, and the circles design is a trademark of Mastercard International Incorporated.