Cashnet Training Introductory Session
July 20, 2017
• Carol Rigdon, Business Systems & Services
• Monique Polas, Treasurer’s Office
• Laura Raderman, Information Security Office
Today’s Agenda
• Community Welcome
• Background: On-Line Credit Card Payment Project
• Cashnet Terminology and Considerations
• Storefront Path to Rollout and Resources Available To Help You
• Payment Card Industry (PCI) Compliance
• Timeline
• Test Login & Readiness (for users attending hands-on sessions)
On-Line Credit Card Payment Project
• Kickoff and Requirements Gathering (Spring-Summer 2016)
– Community Involvement
– Treasury & Business Systems
– Tepper, UA, Heinz, Student Affairs, SCS, Computing Services
• Vendor Selection (Fall 2017)
– Cashnet – HigherEd, Features, Disaster Recovery
• Implementation Beta Group (Winter-Spring 2017)
– Community Involvement
– University Advancement
– Heinz School
– School of Computer Science
– Finance
Expanded Options
Legacy
• Limited tools, not scalable, on-site
• Limited Reporting
• Static features
• Checkout Only
• Roll-up transaction by account in GL
• Payment Card Industry (PCI) burden HIGH
Cashnet
• Vendor Support; Admin Tools; Scalable; Cloud
• Self-Serve Configurable Reporting
• New Features – Upgrades; Maintenance
• Shopping Cart; Checkout Option
• Transaction Level Detail Feeder to GL
• Payment Card Industry (PCI) burden LOW
Project: Storefront Path to Cashnet
1. Department Requests Storefront
2. Storefront Approval; Cashnet Merchant & Users Provisioned
3. CMU-Owner Build & Test (TRAIN)
4. Department Requests migration to PROD environment
New Terminology
Storefront Type
• Checkout; 3rd party integration
• eMarket
• Donation
User Roles
• eMarket Admin, Store Owner, eMarket and Inquiry and *CMU-OWNER*
• Cashier – Transaction Processor in Cashnet
• Operator – “Virtual”, no-login, Store Number
Environments
• TRAIN
• PROD
Oracle
• Revenue String
• Credit Card Fee String
• Event Dates
Storefront Setup
• Item Code
• Payment Type
• Site Name
Considerations
• CMU branding guidelines (eMarket)
• Transaction level detail => Oracle General Ledger (GL)
• Financial Data Warehouse (FDW) GL query including Cashnet TX id
• Data Exchange Report Transfer (on-request)
• Future Cashnet upgrade process – released to your TRAIN for testing then to PROD; subscribe to d-list (see resource slide)
• Payment Card Industry (PCI) compliance requirements continue to evolve
PCI Compliance
• Three “modes”
• Cashnet eMarket (everything happens on CASHNet's servers)
– no additional PCI compliance *HIGHLY RECOMMENDED*
• Cashnet payment processing only (checkout), a 3rd party runs the storefront
– Congratulations, you’re an SAQ A, but with limited training/documentation.
– HOWEVER, you will need to obtain documentation from your 3rd party vendor.
• Cashnet payment processing only (checkout), you run the storefront on your servers then transfer to Cashnet
– You’re an SAQ A as well, with full reporting requirements.
• Report Annually (start in February/March)
• On-site meeting with our QSA (May)
• In the past, they’ve chosen to meet with every merchant; they *may* sample the Cashnet storefronts
PCI Compliance
• Training and Policy Attestation
• Who?
– Everyone who has access to the server running your storefront where a configuration could be changed (usually admins)
– Anyone submitting documentation
• Annually, takes about an hour
• Sign the training and policy attestation forms
• Three documents describing your environment (we provide templates)
• Data flow diagram
• Incident response plan
• Signed SAQ A (about March)
PCI Compliance
• Your own server
• Some kind of proof that you’ve changed all vendor defaults and that you require strong passwords (screenshots, configuration file contents, etc.)
• Access Control List
– a list of everyone with access to the server in an administrative capacity. We compare this to the training forms.
• 3rd party’s server
• Attestation of Compliance (AOC) or completed SAQ D for service providers from your vendor.
Requirement implemented in late 2016.
• Contact [email protected] if your vendor has questions.
PCI Compliance Q&A
• Don’t worry! We’ve been through this before and will help you every step of the way.
• If you’re following basic security hygiene (you haven’t gotten a notice from ISO), you’re doing OK, we just need to document it!
• Any questions [email protected]
Migration Timeline
JULY – SEPTEMBER 30, 2017
Legacy and Cashnet are LIVE in parallel while storeowners migrate legacy to Cashnet
SEPTEMBER 30, 2017
Last NEW credit card trx processed via legacy
OCTOBER – DECEMBER 2017
Legacy available for refunds, adjustments and reporting
Resources
• Treasurer’s Office e-commerce site: http://www.cmu.edu/finance/treasury/ecommerce
• Cashnet on-line training: http://training.cashnet.com
• Cashnet maintenance/upgrade alerts: [email protected]
• CMU Cashnet help list serve [email protected]
• Storefront request form http://www.cmu.edu/finance/treasury/ecommerce/cashnet/index.html
• CMU PCI DSS compliance site https://www.cmu.edu/finance/pcidss
• CMU brand guidelines http://www.cmu.edu/marcom/brand-standards/web-standards.html
• Branding Assistance: [email protected]
Cashnet Instances:
TRAIN https://train.cashnet.com/cmutrain
PROD https://commerce.cashnet.com/cmucashier
Create your Login to CASHNet Learning Portal Training.Cashnet.com
• Click “Sign Up”
• Use access code: “CMU” (not case sensitive)
• Create a profile for yourself using your campus email address
Login to CASHNet TRAIN Application https://train.cashnet.com/cmutrain
• Operator ID = your ANDREW ID
• Password = Cashnet17
• Station = 000
• Client Code = CMU_TRAIN
• Yellow Bar