Merchant Card Services
Enrollment Process
For agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA) between the State of NC and SunTrust Merchant Services, LLC, dated August 1, 2006
Contract Number 14-06002
August 1, 2006 (Rev. April 2009)
Statewide Electronic Commerce Program (SECP)
Enrollment Process Steps
Step 1. Identify Merchant Card Project
Step 2. Execute Enrollment Forms
Step 3. OSC Acts on Request
Step 4. DST Acts on Request (If applicable)
Step 5. STMS Acts on Request
Step 6. CPS Involvement & Testing (If applicable)
Step 7. Establish Business Procedures
Step 8. Establish Fiscal Procedures
Step 9. Obtain PCI Security Compliance
Step 1 – Identify Card Project
Obtain information about Merchant Cards from OSC’s Web site
• E-Commerce Statutes and Policies
• Merchant Cards Overview and Merchant Cards-101
• STMS Master Services Agreement (Various Component Documents)
• PCI Data Security Standards
• Card Association Rules for Merchants (Visa and MasterCard)
Identify potential payment applications for Merchant Cards
• Card Present (Face-to-Face Applications)
• Card Not Present (Non-Face-to-Face Applications)
Determine what capture method(s) will be used to process cards
• Review “Capture Solutions – Merchant Cards” document
• POS Terminals Capture Solution
  • Stand-alone terminal – with analog telephone line
  • POS terminal using POS Software (Identify software and vendor to be obtained)
• Web-Based Capture Solution – Requires a gateway service
  • Common Payment Service as gateway
  • PayPoint thru STMS as gateway
  • Other third-party as gateway
  • Yahoo! Store – NC@YourService
Develop an internal statement of work, considering the program requirements, work effort, cost and benefits – Use appropriate Project Plan Template
Determine ability to comply with Payment Card Industry Data Security Standard
Determine project feasibility and obtain management approval
Identify funding and obtain OSBM approval or other budget approval
• If a convenience fee is to be levied, approval must first be obtained from OSBM
Step 2 – Execute Enrollment Forms
Master Services Agreement (MSA)
• Consists of various component documents – on OSC Website
• Requires review by Agency Fiscal Office and Agency Legal
Agency Participation Agreement (APA)
• Allows for agency to participate in MSA
• Binds participant to OSC Policies & STMS Contract requirements (including card association rules)
• Executed in quadruplicate by Agency CFO
Merchant Card Participant Setup Form (Chain level)
• Provides OSC, DST, and STMS with info necessary to set up various profiles, bank settlement accounts, invoicing, statement rendering, etc. for the entire agency (chain)
Merchant Card Outlet Setup Form (Outlet level)
• Provides setup information pertaining to each outlet, rolling up to the single merchant chain number
• May be line of business, division, branch location, or capture method, etc.
• A separate form is to be completed for each merchant number (outlet)
Other Forms as Applicable
• Wachovia Connection Setup Form – For agencies depositing funds with State Treasurer
• POS Terminals Order Form – If applicable (purchase, rent, or lease)
• ClientLine Enrollment Form – Designating users for STMS online reporting system
• Trustwave Enrollment Form – For Self-Assessment Questionnaire / Vulnerability Scanning
• Common Payment Service (CPS) Forms – If CPS is to provide gateway service
• Third-party Gateway Boarding Forms – If applicable
Routing of Forms
• OSC obtains signatures of DST and STMS on APA
• OSC distributes executed APA
• OSC provides STMS the forms that require STMS action
• OSC provides DST the forms that require DST action
Step 3 – OSC Acts on Request
Approves or disapproves of participation
• Determines if an eligible entity
• Considers participant’s ability to be PCI security compliant
Forwards appropriate forms to DST and STMS
Involves Common Payment Service (CPS) if applicable
Involves PayPoint gateway if applicable
Orders POS terminals from STMS (if applicable)
Has DST set up bank account with Wachovia, if depositing with State Treasurer
Sets up users on ClientLine (STMS online reporting)
If OSC is to be administrator for Wachovia Connection
• Sets up agency users as specified on Wachovia Connection Setup Form
• Advises agency users of User-ID, initial password, and instructions
Determines category of PCI security compliance
• Enrolled in TrustKeeper at the Chain Level
• Two options
  • Self-Assessment Questionnaire Only
  • Self-Assessment Questionnaire and Vulnerability Scanning
Step 4 – DST Acts on Request
This step only applies if Participant is a State Agency depositing funds with the State Treasurer
• Community Colleges generally have their own bank account for settlement, prior to depositing (transferring funds) with State Treasurer
• Local Units of government utilize their local depository bank
• Colleges and local units using either Wachovia or SunTrust Bank as their depository receive next-day settlement. (All other banks are two-day settlements)
Executes Agency Participation Agreement (APA) on behalf of the State Treasurer
Authorizes Wachovia to establish a settlement bank account
• Bank account is a ZBA account that sweeps to DST’s bank account
• DST pays the fees for the bank settlement account
• STMS is provided this bank account number, which associates each of the participant’s merchant numbers with the settlement account at Wachovia
Assigns a CIT account on Core Banking System (CB$)
• Accommodates certifying deposits by Agency on CMCS
• The daily ZBA transfer (net of chargebacks) is to be certified, based on amount viewed on Wachovia Connection
• DST maps the settlement bank account to the CIT account on CB$
• DST advises agency via Official Depository Designation Letter when CIT account is established
Step 5 – STMS Acts on Request
Executes APA on behalf of STMS
Establishes profile setup
• Assigns a single chain number for the participant
• Assigns individual merchant (outlet) numbers for the participant as specified on the Outlet Setup Forms
Sets up profile for each merchant number
• Maps a settlement bank account number to each as specified on the Merchant Card Participant Setup Form
• Sets up invoicing – as central billing or billing per merchant number
Sets up ClientLine for participant
Ships POS terminals as ordered
Step 6a – CPS Involvement
If the Common Payment Service (CPS) gateway is to be utilized, participant should follow the steps outlined in the CPS Agency Work Plan Template
Participant conducts a Security Risk Assessment (SRA) for the proposed Agency application
Participant submits the SRA to the Office of Information Technologies Services (ITS) as part of the technical architecture review requirements
ITS will advise of the approval of the SRA and arrange for testing
Agency develops its application, including interface(s) to CPS, and requests ACH Profile set-up in the CPS test environment
Agency documents test results and proceeds to next steps (Performance Acceptance Testing)
Step 6b – CPS Verification Testing
At least two weeks prior to an application deployment, the participant must develop an Acceptance Checklist:
• Test Plan / Script
• CPS Security Risk Assessment (SRA)
• Internal Agency Policies and Procedures
OSC reviews the checklist and supporting documents and approves deployment if no issues
Participant migrates application into production, and conducts “production verification” test
• Using a limited number of live transactions
• Verify settlement of funds into bank account
If production verification is adequate, participant opens (announces) the service to the public (if Internet application)
Step 7 – Establish Business Procedures
Familiarize employees with STMS Operating Guide
Obtain necessary training
Obtaining Authorizations from STMS
• Face-to-face transactions (signatures, expiration dates, etc.)
• Card not-present transactions
• Voice authorizations as backup
• Suspected fraud – Code 10 Procedures
• Other authorizations denied – Alternative payment options
• Non-match of Address or Security code verification
Refunds (for duplicate or erroneous transactions)
Transmitting transactions to STMS for settlement
• POS terminals (if applicable)
• POS software (if applicable)
• Frequency and deadlines
Responding to disputed items
• Retention of transactions for face-to-face (18 months)
• Resolution of card not-present transactions
Step 8 – Establish Fiscal Procedures
Complete Internal Policies & Procedures – Template
• Viewing bank settlement account (via Wachovia Connection or otherwise)
• Recording daily settlement amount (reporting via CMCS if State agency)
• Processing chargebacks
• Reconciling transactions captured and transmitted to STMS to settlement amount received from STMS
  • Consider multiple merchant numbers settling into a single bank settlement account
  • Determination of State funds vs. local funds (if applicable)
  • Netting out of chargebacks
• Reviewing and paying monthly invoice received from STMS
If State agency, update Cash Management Plan
Step 9 – Obtain PCI Security Compliance
View PCI Data Security Requirements on Websites
• OSC and PCI Data Security Council
• Understand difference between: Compliance, Validation, and Attestation
• Review document “Applicability of PCI Data Security Standard”
Address compliance from business perspective
• Physical security, employee screening, etc.
Address compliance from IT perspective
• Hardware, software, firewalls, encryption, etc.
Enroll with Trustwave to validate PCI compliance – Two Options
• Self-Assessment Questionnaire Only
• Self-Assessment Questionnaire and Vulnerability Scanning (if external-facing IP addresses)
  • Specify the IP addresses to undergo vulnerability scanning when enrolling
  • Schedule vulnerability scans to be performed via TrustKeeper
Complete PCI Self-Assessment Questionnaire (SAQ) online
• Determine which SAQ to complete online (A, B, C, or D)
• For multiple outlets, off-line SAQs may have to be completed (only one online)
If third-party service provider utilized, ensure vendor’s compliance
• Written Agreement specifying vendor’s responsibility for compliance with Standard
• Ongoing monitoring of service provider’s compliance
• Refer to document “PCI Validation for Service Providers”
If a Payment Application is used for capture
• Determine if application is compliant with PCI Payment Application Standard
Enrollment Documents
Master Services Agreement (MSA)
Agency Participation Agreement (APA)
Participant Setup Form
Outlet Setup Form
ClientLine Setup Form
POS Terminal Order Form
Trustwave Validation Enrollment Form
Internal Policies & Procedures Template
CPS Security Risk Assessment (SRA)
Agency PCI Monitoring Online Enrollment
Wachovia Connection Setup Form
More Information
Office of the State Controller Web Site
www.osc.nc.gov
David C. Reavis
E-Commerce Manager
(919) 871-6483
Amber Young
Central Compliance Manager
(919) 981-5481
Support Services Center
(919) 707-0795