August 1, 2006 (Rev. April 2009)
Statewide Electronic Commerce Program (SECP)

Merchant Card Services Enrollment Process

For agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA)
between the State of NC and SunTrust Merchant Services, LLC
Dated August 1, 2006
Contract Number 14-06002
Enrollment Process Steps

Step 1. Identify Merchant Card Project
Step 2. Execute Enrollment Forms
Step 3. OSC Acts on Request
Step 4. DST Acts on Request (If applicable)
Step 5. STMS Acts on Request
Step 6. CPS Involvement & Testing (If applicable)
Step 7. Establish Business Procedures
Step 8. Establish Fiscal Procedures
Step 9. Obtain PCI Security Compliance
Step 1 – Identify Card Project

Obtain information about Merchant Cards from OSC’s Web site
  • E-Commerce Statutes and Policies
  • Merchant Cards Overview and Merchants Cards-101
  • STMS Master Services Agreement (Various Component Documents)
  • PCI Data Security Standards
  • Card Association Rules for Merchants (Visa and MasterCard)
Identify potential payment applications for Merchant Cards
  • Card Present (Face-to-Face Applications)
  • Card Not Present (Non-Face-to-Face Applications)
Determine what capture method(s) will be used to process cards
  • Review “Capture Solutions – Merchant Cards” document
  • POS Terminals Capture Solution
    • Stand-alone terminal – with analog telephone line
    • POS terminal using POS Software (Identify software and vendor to be obtained)
  • Web-Based Capture Solution – Requires a gateway service
    • Common Payment Service as gateway
    • PayPoint thru STMS as gateway
    • Other third-party as gateway
  • Yahoo! Store – NC@YourService
Develop an internal statement of work, considering the program requirements, work effort, cost and benefits – Use appropriate Project Plan Template
Determine ability to comply with Payment Card Industry Data Security Standard
Determine project feasibility and obtain management approval
Identify Funding and obtain OSBM approval or other budget approval
If convenience fee to be levied, must first obtain approval from OSBM
Step 2 – Execute Enrollment Forms

Master Services Agreement (MSA)
  • Consists of various component documents – on OSC Website
  • Requires Review by Agency Fiscal Office and Agency Legal
Agency Participation Agreement (APA)
  • Allows for agency to participate in MSA
  • Binds participant to OSC Policies & STMS Contract requirements (including card association rules)
  • Executed in quadruplicate by Agency CFO
Merchant Card Participant Setup Form (Chain level)
  • Provides OSC, DST, and STMS with info necessary to setup various profiles, bank settlement accounts, invoicing, statement rendering, etc. for the entire agency (chain)
Merchant Card Outlet Setup Form (Outlet level)
  • Provides setup information pertaining to each outlet, rolling up to the single merchant chain number
  • May be line of business, division, branch location, or capture method, etc.
  • A separate form is to be completed for each merchant number (outlet)
Other Forms as Applicable
  • Wachovia Connection Setup Form – For agencies depositing funds with State Treasurer
  • POS Terminals Order Form – If Applicable (Purchase, rent, or lease)
  • ClientLine Enrollment Form – Designating users for STMS online reporting system
  • Trustwave Enrollment Form – For Self-Assessment Questionnaire / Vulnerability Scanning
  • Common Payment Service (CPS) Forms – If CPS is to provide gateway service
  • Third-party Gateway Boarding Forms – If applicable
Routing of Forms
  • OSC obtains signatures of DST and STMS on APA
  • OSC distributes executed APA
  • OSC provides STMS the forms that require STMS action
  • OSC provides DST the forms that require DST action
Step 3 – OSC Acts on Request

Approves or disapproves of participation
  • Determines if an eligible entity
  • Considers participant’s ability to be PCI security compliant
Forwards appropriate forms to DST and STMS
Involves Common Payment Service (CPS) if applicable
Involves PayPoint gateway if applicable
Orders POS Terminals From STMS (if applicable)
Has DST to set up bank account with Wachovia, if depositing with State Treasurer
Sets up users on ClientLine (STMS online reporting)
If OSC is to be administrator for Wachovia Connection
  • Sets up agency users as specified on Wachovia Connection Setup Form
  • Advises agency users of User-ID, initial password, and instructions
Determines category of PCI security compliance
  • Enrolled in TrustKeeper at the Chain Level
  • Two options
    • Self-Assessment Questionnaire Only
    • Self-Assessment Questionnaire and Vulnerability Scanning
Step 4 – DST Acts on Request

This step only applies if Participant is a State Agency depositing funds with the State Treasurer
  • Community Colleges generally have their own bank account for settlement, prior to depositing (transferring funds) with State Treasurer
  • Local Units of governments utilize their local depository bank
  • Colleges and local units using either Wachovia or SunTrust Bank as their depository receive next-day settlement. (All other banks are two-day settlements)
Executes Agency Participation Agreement (APA) on behalf of the State Treasurer
Authorizes Wachovia to establish a settlement bank account
  • Bank account is a ZBA account that sweeps to DST’s bank account
  • DST pays the fees for the bank settlement account
  • STMS is provided this bank account number, which associates each of the participant’s merchant numbers with the settlement account at Wachovia
Assigns a CIT account on Core Banking System (CB$)
  • Accommodates certifying deposits by Agency on CMCS
  • The daily ZBA transfer (net of chargebacks) is to be certified, based on amount viewed on Wachovia Connection
  • DST maps the settlement bank account to the CIT account on CB$
  • DST advises agency via Official Depository Designation Letter when CIT account is established
Step 5 – STMS Acts on Request

Executes APA on behalf of STMS
Establishes profile setup
  • Assigns a single chain number for the participant
  • Assigns individual merchant (outlet) numbers for the participant as specified on the Outlet Setup forms
Sets up profile for each merchant number
  • Maps a settlement bank account number to each as specified on the Merchant Card Participant Setup Form
  • Sets up invoicing – as central billing or billing per merchant number
Sets up ClientLine for participant
Ships POS terminals as ordered
Step 6a – CPS Involvement

If the Common Payment Service (CPS) gateway is to be utilized, participant should follow the steps outlined in the CPS Agency Work Plan Template
Participant conducts a Security Risk Assessment (SRA) for the proposed Agency application
Participant submits the SRA to the Office of Information Technologies Services (ITS) as part of the technical architecture review requirements
ITS will advise of the approval of the SRA and arrange for testing
Agency develops its application, including interface(s) to CPS, and requests ACH Profile set-up in the CPS test environment
Agency documents test results and proceeds to next steps (Performance Acceptance Testing)
Step 6b – CPS Verification Testing

At least two weeks prior to an application deployment, the participant must develop an Acceptance Checklist:
  • Test Plan / Script
  • CPS Security Risk Assessment (SRA)
  • Internal Agency Policies and Procedures
OSC reviews the checklist and supporting documents and approves deployment if no issues
Participant migrates application into production, and conducts “production verification” test
  • Using a limited number of live transactions
  • Verify settlement of funds into bank account
If production verification is adequate, participant opens (announces) the service to the public (if Internet application)
Step 7 – Establish Business Procedures

Familiarize employees with STMS Operating Guide
  • Face-to-face transactions (signatures, expiration dates, etc.)
  • Card not-present transactions
Obtain necessary training
  • POS terminals (if applicable)
  • POS software (if applicable)
Obtaining Authorizations from STMS
  • Voice authorizations as backup
  • Suspected fraud – Code 10 Procedures
  • Other authorizations denied – Alternative payment options
  • Non-match of Address or Security code verification
  • Refunds (for duplicate or erroneous transactions)
Transmitting transactions to STMS for settlement
  • Frequency and deadlines
Responding to disputed items
  • Retention of transactions for face-to-face (18 months)
  • Resolution of card not-present transactions
Step 8 – Establish Fiscal Procedures

Complete Internal Policies & Procedures - Template
  • Viewing bank settlement account (via Wachovia Connection or otherwise)
  • Recording daily settlement amount (reporting via CMCS if State agency)
  • Processing Chargebacks
  • Reconciling transactions captured and transmitted to STMS to settlement amount received from STMS
    • Consider multiple merchant numbers settling into a single bank settlement account
    • Determination of State funds vs. local funds (if applicable)
    • Netting out of chargebacks
  • Reviewing and paying monthly invoice received from STMS
If State agency, update Cash Management Plan
Step 9 – Obtain PCI Security Compliance

View PCI Data Security Requirements on Websites
  • OSC and PCI Data Security Council
  • Understand difference between: Compliance, Validation, and Attestation
  • Review document “Applicability of PCI Data Security Standard”
Address compliance from business perspective
  • Physical security, employee screening, etc.
Address compliance from IT perspective
  • Hardware, software, firewalls, encryption, etc.
Enroll with Trustwave to validate PCI compliance – Two Options
  • Self-Assessment Questionnaire Only
  • Self-Assessment Questionnaire and Vulnerability Scanning
Complete PCI Self-Assessment Questionnaire (SAQ) online
  • Determine which SAQ to complete online (A, B, C, or D)
  • For multiple outlets, off-line SAQs may have to be completed (Only one online)
If external-facing IP addresses
  • Specify the IP addresses to undergo vulnerability scanning when enrolling
  • Schedule vulnerability scans to be performed via TrustKeeper
If third-party service provider utilized, ensure vendor’s compliance
  • Written Agreement specifying vendor’s responsibility for compliance with Standard
  • Ongoing monitoring of service provider’s compliance
  • Refer to document “PCI Validation for Service Providers”
If a Payment Application is used for capture
  • Determine if application is compliant with PCI Payment Application Standard
Enrollment Documents

Master Services Agreement (MSA)
Agency Participation Agreement (APA)
Outlet Setup Form
CPS Security Risk Assessment (SRA)
Trustwave Validation Enrollment Form
Agency Participant Setup Form
Wachovia Connection Setup Form
ClientLine Setup Form
POS Terminal Order Form
PCI Monitoring Online Enrollment
Internal Policies & Procedures Template
More Information

Office of the State Controller Web Site
www.osc.nc.gov

David C. Reavis, E-Commerce Manager
(919) 871-6483

Amber Young, Central Compliance Manager
(919) 981-5481

Support Services Center
(919) 707-0795