
Merchant Card Services
Enrollment Process
For agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA) between the State of NC and SunTrust Merchant Services, LLC, dated August 1, 2006 (Contract Number 14-06002)
August 1, 2006 (Rev. April 2009)
Statewide Electronic Commerce Program (SECP)
Enrollment Process Steps
Step 1. Identify Merchant Card Project
Step 2. Execute Enrollment Forms
Step 3. OSC Acts on Request
Step 4. DST Acts on Request (If applicable)
Step 5. STMS Acts on Request
Step 6. CPS Involvement & Testing (If applicable)
Step 7. Establish Business Procedures
Step 8. Establish Fiscal Procedures
Step 9. Obtain PCI Security Compliance
Step 1 – Identify Card Project
• Obtain information about Merchant Cards from OSC’s Web site
  - E-Commerce Statutes and Policies
  - Merchant Cards Overview and Merchant Cards-101
  - STMS Master Services Agreement (Various Component Documents)
  - PCI Data Security Standards
  - Card Association Rules for Merchants (Visa and MasterCard)
• Identify potential payment applications for Merchant Cards
  - Card Present (Face-to-Face Applications)
  - Card Not Present (Non-Face-to-Face Applications)
• Determine what capture method(s) will be used to process cards
  - Review “Capture Solutions – Merchant Cards” document
  - POS Terminals Capture Solution
    - Stand-alone terminal – with analog telephone line
    - POS terminal using POS Software (Identify software and vendor to be obtained)
      - Common Payment Service as gateway
      - PayPoint thru STMS as gateway
      - Other third-party as gateway
  - Web-Based Capture Solution – Requires a gateway service
  - Yahoo! Store – NC@YourService
• Develop an internal statement of work, considering the program requirements, work effort, cost and benefits – Use appropriate Project Plan Template
• Determine ability to comply with Payment Card Industry Data Security Standard
• Determine project feasibility and obtain management approval
• Identify Funding and obtain OSBM approval or other budget approval
• If a convenience fee is to be levied, must first obtain approval from OSBM

Step 2 – Execute Enrollment Forms
• Master Services Agreement (MSA)
  - Consists of various component documents – on OSC Website
  - Requires review by Agency Fiscal Office and Agency Legal
• Agency Participation Agreement (APA)
  - Allows for agency to participate in MSA
  - Binds participant to OSC Policies & STMS Contract requirements (including card association rules)
  - Executed in quadruplicate by Agency CFO
• Merchant Card Participant Setup Form (Chain level)
  - Provides OSC, DST, and STMS with info necessary to set up various profiles, bank settlement accounts, invoicing, statement rendering, etc. for the entire agency (chain)
• Merchant Card Outlet Setup Form (Outlet level)
  - Provides setup information pertaining to each outlet, rolling up to the single merchant chain number
  - May be line of business, division, branch location, or capture method, etc.
  - A separate form is to be completed for each merchant number (outlet)
• Other Forms as Applicable
  - Wachovia Connection Setup Form – For agencies depositing funds with State Treasurer
  - POS Terminals Order Form – If Applicable (Purchase, rent, or lease)
  - ClientLine Enrollment Form – Designating users for STMS online reporting system
  - Trustwave Enrollment Form – For Self-Assessment Questionnaire / Vulnerability Scanning
  - Common Payment Service (CPS) Forms – If CPS is to provide gateway service
  - Third-party Gateway Boarding Forms – If applicable
• Routing of Forms
  - OSC obtains signatures of DST and STMS on APA
  - OSC distributes executed APA
  - OSC provides STMS the forms that require STMS action
  - OSC provides DST the forms that require DST action
Step 3 – OSC Acts on Request
• Approves or disapproves of participation
  - Determines if an eligible entity
  - Considers participant’s ability to be PCI security compliant
• Forwards appropriate forms to DST and STMS
• Involves Common Payment Service (CPS) if applicable
• Involves PayPoint gateway if applicable
• Orders POS Terminals from STMS (if applicable)
• Has DST set up bank account with Wachovia, if depositing with State Treasurer
• Sets up users on ClientLine (STMS online reporting)
• If OSC is to be administrator for Wachovia Connection
  - Sets up agency users as specified on Wachovia Connection Setup Form
  - Advises agency users of User-ID, initial password, and instructions
• Determines category of PCI security compliance
  - Enrolled in TrustKeeper at the Chain Level
  - Two options
    - Self-Assessment Questionnaire Only
    - Self-Assessment Questionnaire and Vulnerability Scanning
Step 4 – DST Acts on Request
• This step only applies if Participant is a State Agency depositing funds with the State Treasurer
  - Community Colleges generally have their own bank account for settlement, prior to depositing (transferring funds) with State Treasurer
  - Local Units of government utilize their local depository bank
  - Colleges and local units using either Wachovia or SunTrust Bank as their depository receive next-day settlement. (All other banks are two-day settlements)
• Executes Agency Participation Agreement (APA) on behalf of the State Treasurer
• Authorizes Wachovia to establish a settlement bank account
  - Bank account is a ZBA account that sweeps to DST’s bank account
  - DST pays the fees for the bank settlement account
  - STMS is provided this bank account number, which associates each of the participant’s merchant numbers with the settlement account at Wachovia
• Assigns a CIT account on Core Banking System (CB$)
  - Accommodates certifying deposits by Agency on CMCS
  - The daily ZBA transfer (net of chargebacks) is to be certified, based on amount viewed on Wachovia Connection
  - DST maps the settlement bank account to the CIT account on CB$
  - DST advises agency via Official Depository Designation Letter when CIT account is established
Step 5 – STMS Acts on Request
• Executes APA on behalf of STMS
• Establishes profile setup
  - Assigns a single chain number for the participant
  - Assigns individual merchant (outlet) numbers for the participant as specified on the Outlet Setup forms
• Sets up profile for each merchant number
  - Maps a settlement bank account number to each as specified on the Merchant Card Participant Setup Form
  - Sets up invoicing – as central billing or billing per merchant number
• Sets up ClientLine for participant
• Ships POS terminals as ordered
Step 6a – CPS Involvement
• If the Common Payment Service (CPS) gateway is to be utilized, participant should follow the steps outlined in the CPS Agency Work Plan Template
• Participant conducts a Security Risk Assessment (SRA) for the proposed Agency application
• Participant submits the SRA to the Office of Information Technology Services (ITS) as part of the technical architecture review requirements
• ITS will advise of the approval of the SRA and arrange for testing
• Agency develops its application, including interface(s) to CPS, and requests ACH Profile set-up in the CPS test environment
• Agency documents test results and proceeds to next steps (Performance Acceptance Testing)
Step 6b – CPS Verification Testing
• At least two weeks prior to an application deployment, the participant must develop an Acceptance Checklist:
  - Test Plan / Script
  - CPS Security Risk Assessment (SRA)
  - Internal Agency Policies and Procedures
• OSC reviews the checklist and supporting documents and approves deployment if no issues
• Participant migrates application into production, and conducts “production verification” test
  - Using a limited number of live transactions
  - Verify settlement of funds into bank account
• If production verification is adequate, participant opens (announces) the service to the public (if Internet application)
Step 7 – Establish Business Procedures
• Familiarize employees with STMS Operating Guide
• Obtain necessary training
  - POS terminals (if applicable)
  - POS software (if applicable)
• Obtaining Authorizations from STMS
  - Face-to-face transactions (signatures, expiration dates, etc.)
  - Card not-present transactions
  - Voice authorizations as backup
  - Suspected fraud – Code 10 Procedures
  - Other authorizations denied – Alternative payment options
  - Non-match of Address or Security code verification
  - Refunds (for duplicate or erroneous transactions)
• Transmitting transactions to STMS for settlement
  - Frequency and deadlines
• Responding to disputed items
  - Retention of transactions for face-to-face (18 months)
  - Resolution of card not-present transactions
Step 8 – Establish Fiscal Procedures
• Complete Internal Policies & Procedures – Template
  - Viewing bank settlement account (via Wachovia Connection or otherwise)
  - Recording daily settlement amount (reporting via CMCS if State agency)
  - Processing Chargebacks
  - Reconciling transactions captured and transmitted to STMS to settlement amount received from STMS
    - Consider multiple merchant numbers settling into a single bank settlement account
    - Determination of State funds vs. local funds (if applicable)
    - Netting out of chargebacks
  - Reviewing and paying monthly invoice received from STMS
• If State agency, update Cash Management Plan
Step 9 – Obtain PCI Security Compliance
• View PCI Data Security Requirements on Websites
  - OSC and PCI Data Security Council
  - Understand difference between: Compliance, Validation, and Attestation
  - Review document “Applicability of PCI Data Security Standard”
• Address compliance from business perspective
  - Physical security, employee screening, etc.
• Address compliance from IT perspective
  - Hardware, software, firewalls, encryption, etc.
• Enroll with Trustwave to validate PCI compliance – Two Options
  - Self-Assessment Questionnaire Only
  - Self-Assessment Questionnaire and Vulnerability Scanning
• Complete PCI Self-Assessment Questionnaire (SAQ) online
  - Determine which SAQ to complete online (A, B, C, or D)
  - For multiple outlets, off-line SAQs may have to be completed (Only one online)
• If external-facing IP addresses
  - Specify the IP addresses to undergo vulnerability scanning when enrolling
  - Schedule vulnerability scans to be performed via TrustKeeper
• If third-party service provider utilized, ensure vendor’s compliance
  - Written Agreement specifying vendor’s responsibility for compliance with Standard
  - Ongoing monitoring of service provider’s compliance
  - Refer to document “PCI Validation for Service Providers”
• If a Payment Application is used for capture
  - Determine if application is compliant with PCI Payment Application Standard
Enrollment Documents
• Master Services Agreement (MSA)
• Agency Participation Agreement (APA)
• Participant Setup Form
• Outlet Setup Form
• ClientLine Setup Form
• POS Terminal Order Form
• Trustwave Validation Enrollment Form
• Internal Policies & Procedures Template
• CPS Security Risk Assessment (SRA)
• Agency PCI Monitoring Online Enrollment
• Wachovia Connection Setup Form
More Information
Office of the State Controller Web Site: www.osc.nc.gov
David C. Reavis, E-Commerce Manager, (919) 871-6483
Amber Young, Central Compliance Manager, (919) 981-5481
Support Services Center, (919) 707-0795