Registration Programs Overview & Comparison Franchise Management, Global Registrations

Mastercard is dedicated to making payments safe, simple, and smart. Registration Programs

Service Provider Overview Mastercard does not object to a Customer’s use of a third party, but does need to know what third party(ies) support a particular Customer, and the nature of the support provided. A Service Provider may only perform the Program Services it is registered to perform. Registration of Service Providers allows Mastercard to identify and mitigate potential risks that any 3rd party may present. Rules concerning Service Providers are set forth in Chapter 7 of the Mastercard Rules manual Mastercard has developed a Service Provider Registration Guide that is available on Mastercard Connect. Mastercard does not object to a Customer’s use of a third party, but does need to know what third party(ies) support a particular Customer, and the nature of the support provided. Mastercard considers a Service Provider to be an agent of the Customer that registers it. For this reason, before a Customer begins to use a third party to support any of the Customer’s Mastercard programs, the Customer must register the third party with Mastercard as a Service Provider. A Customer must register each third party provider that it wishes to receive services from. If a third party is to perform Mastercard services for three Customers, it must be registered as a Service Provider by each of the three Customers. If the third party is registered by only one of the three Customers, it may only provide Mastercard services on behalf of that one Customer and not on behalf of the other two. Registration Programs

Service Provider Categories Service Provider Overview Service_Provider@Mastercard.com Service Providers are classified into eight categories based on the services provided. Service Provider Categories 1. Independent Sales Organization (ISO) 2. Data Storage Entity (DSE) 3. Third Party Processor (TPP) 4. Digital Wallet Operator (DWO) 5. Payment Facilitator (PF) 6. Merchant Monitoring Service Program (MMSP) 7. Digital Activity Service Provider (DASP) 8. Service Provider Registration Facilitator (SPRF) A Service Provider is categorized by the Corporation based upon the Corporation’s understanding of the nature of the Program Services to be performed. A Service Provider may only perform the Program Services it is registered to perform. Registration Programs

Independent Sales Organization (ISO) Performs services that do not have access to card holder data: Cardholder and/or Merchant statement preparation Point of Interaction (POI) Terminal deployment Customer Service Cardholder and/or Merchant solicitation, including application processing Merchant Education & Training “Sales person” – Solicitation of Cardholders and/or merchants Cannot have access to account data – “Account Data – full Primary Account Number” ATM Deployment - The end to end installation and management of ATM network including site selection and preparation, ATM procurement and installation. Merchant Training - Any/all Merchant training related to payment card operations, installation, and/or other functions of technologies associated with payment cards. Registration Programs

Data Storage Entity (DSE) Performs services that do have access to cardholder data and must be PCI Compliant: External hosting of payment applications (ex: website shopping carts) POI Terminal servicing Computer-based storage of Account or Transaction Data including Merchant website hosting Encryption Key Loading Examples: Online Shopping cart Tracks the cookies and traffic for a particular site Website hosting - Provides space on a server own or lease for use by clients as well as providing internet connectivity, typically in a data center. Any/all computer hosting services, including web hosting. Level 1 PCI - All DSE with more than 300,000 total combined Mastercard and Maestro Transactions annually Level 2 PCI – All DSE with 300,000 or less total combined Mastercard and Maestro Transactions annually Encryption Key Loading - The loading of encryption keys through a safe and secure key code encrypted database. For use in preventing unauthorized access to transaction data in route between endpoints or residing on a network server. Software Application - Software permitting Customers to send or receive card transaction information (for example, non-card account number, expiration date, transaction amount, and so on). Terminal Driving - ATM or POS terminal driving. The proactive management, monitoring, and/or maintenance of ATM and/or POS devices. Registration Programs

Authorization & Clearing Fraud Control / Risk Monitoring Third Party Processor Performs services that do have access to cardholder data and must be PCI Compliant: Customer Service Authorization & Clearing Chargebacks Fraud Control / Risk Monitoring Switching Services Chargebacks - Processing chargebacks to resolve disputes between cardholders and Merchants Customers Service w/access - Any type of Customer service provided by issuing banks, acquiring banks, or payment card companies with direct access to cardholder account information. Gateway Services - Any service that provides Merchants with real time card authorization and payment settlement solutions using the Internet. Includes sending and receiving data to and from Internet applications (for example, an authorization request) through the Internet. Switching Services - Transaction switching services, which includes authorization, clearing, and settlement. Registration Programs

Service_Provider@Mastercard.com TPP_Registration@Mastercard.com (Type 1) Third Party Processors are classified as Type I and Type II. Type I Provides Program Services for more than 100 million in transactions Must enter into a direct agreement with Mastercard Issuer/Acquirer must register the relationship with Mastercard via MC Connect Type II Provides Program Services for less than 100 million in transactions Issuer/Acquirer must register the relationship with Mastercard A Type I TPP is a TPP that Mastercard deems could significantly impact the integrity of the Interchange System, typically a TPP that provides Program Service for more than USD 100 million in transactions annually. A Type I TPP is the only type of Service Provider that may self-register with Mastercard as a Service Provider. Among other things, an applicant to be registered as a Type I TPP must enter into an agreement directly with Mastercard. •A Type II TPP is any TPP that Mastercard does not deem to be a Type I TPP. Registration Programs

Step 1: Step 2: Step 3: Registering an ISO, TPP, & DSE Relationship Service_Provider@Mastercard.com Mastercard ConnectTM via the Business Administration Tool Registering an ISO, TPP, & DSE Relationship Step 1: Register & Provision a Company Step 2: “Click here to Provision and Manage your Service Providers” Step 3: Create New Registration *If the Service Provider is already registered by your company, you can modify service details by selecting Services  Program Services  Store a Type I Third Party Processor (TPP) is directly registered with Mastercard. If registered as a Type I TPP, the third party may provide Mastercard services on behalf of any Mastercard Customer. However, the relationship still needs to be registered in Mastercard Connect, the same way a type II TPP is registered. Registration Programs

Step 1: Step 2: Step 3: Registering a Type I TPP TPP_Registration@Mastercard.com (Type 1) Registering a Type I TPP Step 1: Submit TPP registration Form 919 to TPP_Registration@Mastercard.com Step 2: Submit an Attestation of Compliance demonstrating compliance with PCI Data Security Standards in accordance with the Mastercard Site Data Protection Program to PCIReports@Mastercard.com Step 3: Submit SSAE16 and Business Continuity forms to TPRMRequest@Mastercard.com Registration Programs

Digital Wallet Operator Digital Wallet Operator Pass-through Registration is not required by Mastercard Wallet ID is not passed during Auth & Clearing Records Merchant on Record is the Merchant Funding Stage Digital Wallet Operator Payment Stage Mastercard Account data is entered by the Cardholder Stores Mastercard Account data provided by the Cardholder Receives Mastercard Account data from DWO when initiated by the cardholder In a Pass-through Digital Wallet, the wallet is simply a digital version of the physical wallet that a consumer would carry. A Pass-through Digital Wallet stores card information in a digital format for the consumer, and when a purchase is made, that information is passed directly to the Merchant, as if the cardholder was using their physical card. Registration Programs

Digital Wallet Operator Staged Registration is required by Mastercard Wallet ID is passed during Auth & Clearing Records Merchant on Record is the DWO PCI certification required Funding Stage Payment Stage In a Staged Digital Wallet, there are two separate transactions. There is a funding stage, where the cardholder can use any credit card to fund or reimburse the wallet. In the payment stage, a separate transaction transfers money from the wallet to the retailer in order to pay for the goods or services being purchased. When a consumer uses a Staged Digital Wallet, the card Issuer would only see the information from the funding stage of the transaction, with the DWO acting as a Merchant, and the Merchant would only see payment from the DWO, regardless of how the consumer funded the wallet. Registration Programs

Digital Wallet Operator Staged Three ways to fund the staged wallet: 1. Before  Prepaid/top up 2. During  Back to Back authorization 3. After  Repayment Funding Stage The wallet may conduct the funding transaction either before (prepaid/top-up), during (back to back authorization), or after (repayment) the payment transaction. Registration Programs

Digital Wallet Operator Staged A separate transaction transfer money from the wallet to the retailer to pay for the services or goods purchased Funds transfer to an account designated by the retailer or held by the Staged DWO for or on behalf of the retailer. Payment Stage Registration Programs

Step 1: Step 2: Step 3: Registering Digital Wallet Operator Staged Validate compliance with the Site Data Protection (SDP) as described in Rule 10.3.2 of the Security Rules and Procedures manual and contact SDP@Mastercard.com Step 2: Accurately fill out form 1123, D-Wallet Registration. This is located on MC Connect under Library  Forms. Step 3: Complete and submit the form to d_wallet_registration@Mastercard.com Registration Programs

Payment Facilitator Overview & Comparison

Payment Facilitator Model Acquirers Submerchants Direct Contract Direct Contract

Rules concerning Payment Facilitators are set forth in Chapter 7 of the Mastercard Rules manual

Acquirer’s Responsibilities Register each Payment Facilitator Payment Facilitator Model Register all high risk submerchants in MRP tool MATCH query on each proposed submerchant Acquirers Submerchant must be in the same area of use as the Acquirer Submit all non-processed transactions quarterly on form 1235 Enter into a direct Merchant Agreement when submerchant combined Mastercard/Maestro sales volume exceeds the $1,000,000 USD threshold 100% responsible for all activity of the Payment Facilitator & each of its Submerchants.

Payment Facilitator Responsibilities Payment Facilitator Model Must be PCI Compliant Payment Facilitator Must conduct thorough due diligence on each submerchant contracted Must monitor each submerchant’s activity to ensure compliance with Mastercard’s standards and applicable law and regulations Must only use settlement funds to pay submerchants Must not be a submerchant of any other PF, nor be a PF for another PF An Acquirer may permit a Payment Facilitator to manage the following obligations on behalf of the Acquirer, and remains fully responsible for the fulfillment of each to the extent that the Payment Facilitator fails to do so: a. Verify that a Submerchant is a bona fide business operation, as set forth in section 7.1.2, “Submerchant Screening Procedures” in Chapter 7 of the Security Rules and Procedures manual; and b. Retain records concerning the investigation of a prospective Submerchant, provided that such records are provided to the Acquirer immediately upon request; and c. Pay a Submerchant for Transactions, in accordance with Rule 7.8.2, “Obligations as Sponsor of Submerchants,” part 4; and d. Ensure that a Submerchant is supplied with materials necessary to effect Transactions as set forth in Rule 7.8.2, “Obligations as Sponsor of Submerchants,” part 5; and e. Monitor a Submerchant’s Activity on an ongoing basis to deter fraud or other wrongful activity, as set forth in Rule 7.8.2, part 6.

Payment Facilitator Registrations Total: 818 Europe 324 Canada 18 United States 158 Asia / Pacific 219 Middle East / Africa 31 Latin America / Caribbean 68 * Based on Acquirer location

Marketplace vs. Payment Facilitator Overview & Comparison Franchise Management, Global Registrations

What’s the cardholder’s experience like?

Cardholder Experience: Marketplaces Cardholder Experience: If the cardholder searches for, selects, pays for the goods or services on the same website, without being directed to any third party the merchant is a marketplace. The cardholder’s statement will have the marketplace’s name. Most marketplaces are not Payment Facilitators and do not need to be registered with Mastercard.

Cardholder Experience: Payment Facilitators Cardholder Experience: When the cardholder is ready to pay for the goods or services, they are directed to the Payment Facilitator’s website to process the payment. Cardholder interacts with the submerchant for refunds and customer service. Cardholder’s statement will have both the PF & Submerchant name.