140 likes | 371 Views
Merchant Card Services Enrollment Process. For agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA). Between the State of NC and SunTrust Merchant Services, LLC Dated August 1, 2006 Contract Number 14-06002.
E N D
Merchant Card ServicesEnrollment Process For agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA) Between the State of NC and SunTrust Merchant Services, LLC Dated August 1, 2006 Contract Number 14-06002 Statewide Electronic Commerce Program (SECP)
Enrollment Process Steps Step 1.Identify Merchant Card Project Step 2.Execute Enrollment Forms Step 3.OSC Acts on Request Step 4.DST Acts on Request (If applicable) Step 5.STMS Acts on Request Step 6.CPS Involvement & Testing (If applicable) Step 7.Establish Business Procedures Step 8.Establish Fiscal Procedures Step 9.Obtain PCI Security Compliance
Step 1 – Identify Card Project • Obtain information about Merchant Cards from OSC’s Web site • E-Commerce Statutes and Policies • Merchant Cards Overview and Merchants Cards-101 • STMS Master Services Agreement (Various Component Documents) • PCI Data Security Standards • Card Association Rules for Merchants (Visa and MasterCard) • Identify potential payment applications for Merchant Cards • Card Present (Face-to-Face Applications) • Card Not Present (Non-Face-to-Face Applications) • Determine what capture method(s) will be used to process cards • Review “Capture Solutions – Merchant Cards” document • POS Terminals Capture Solution • Stand-alone terminal – with analog telephone line • POS terminal using POS Software (Identify software and vendor to be obtained) • Web-Based Capture Solution – Requires a gateway service • Common Payment Service as gateway • PayPoint thru STMS as gateway • Other third-party as gateway • Yahoo! Store – NC@YourService • Develop an internal statement of work, considering the program requirements, work effort, cost and benefits – Use appropriate Project Plan Template • Determine ability to comply with Payment Card Industry Data Security Standard • Determine project feasibility and obtain management approval • Identify Funding and obtain OSBM approval or other budget approval • If convenience fee to be levied, must first obtain approval from OSBM
Step 2 – Execute Enrollment Forms • Master Services Agreement (MSA) • Consists of various component documents – on OSC Website • Requires Review by Agency Fiscal Office and Agency Legal • Agency Participation Agreement (APA) • Allows for agency to participate in MSA • Binds participant to OSC Policies & STMS Contract requirements (including card association rules) • Executed in quadruplicate by Agency CFO • Merchant Card Participant Setup Form (Chain level) • Provides OSC, DST, and STMS with info necessary to setup various profiles, bank settlement accounts, invoicing, statement rendering, etc. for the entire agency (chain) • Merchant Card Outlet Setup Form (Outlet level) • Provides setup information pertaining to each outlet, rolling up to the single merchant chain number • May be line of business, division, branch location, or capture method, etc. • A separate form is to be completed for each merchant number (outlet) • Other Forms as Applicable • Wachovia Connection Setup Form – For agencies depositing funds with State Treasurer • POS Terminals Order Form – If Applicable (Purchase, rent, or lease) • ClientLine Enrollment Form – Designating users for STMS online reporting system • Trustwave Enrollment Form – For Self-Assessment Questionnaire / Vulnerability Scanning • Common Payment Service (CPS) Forms – If CPS is to provide gateway service • Third-party Gateway Boarding Forms – If applicable • Routing of Forms • OSC obtain signatures of DST and STMS on APA • OSC distributes executed APA • OSC provides STMS the forms that require STMS action • OSC provides DST the forms that require DST action
Step 3 – OSC Acts on Request • Approves or disapproves of participation • Determines if an eligible entity • Considers participant’s ability to be PCI security compliant • Forwards appropriate forms to DST and STMS • Involves Common Payment Service (CPS) if applicable • Involves PayPoint gateway if applicable • Orders POS Terminals From STMS (if applicable) • Has DST to set up bank account with Wachovia, if depositing with State Treasurer • Sets up users on ClientLine (STMS online reporting) • If OSC is to be administrator for Wachovia Connection • Setups up agency users as specified on Wachovia Connection Setup Form • Advises agency users of User-ID, initial password, and instructions • Determines category of PCI security compliance • Enrolled in TrustKeeper at the Chain Level • Two options • Self-Assessment Questionnaire Only • Self-Assessment Questionnaire and Vulnerability Scanning
Step 4 – DST Acts on Request • This step only applies if Participant is a State Agency depositing funds with the State Treasurer • Community Colleges generally have their own bank account for settlement, prior to depositing (transferring funds) with State Treasurer • Local Units of governments utilize their local depository bank • Colleges and local units using either Wachovia or SunTrust Bank as their depository receive next-day settlement. (All other banks are two-day settlements) • Executes Agency Participation Agreement (APA) on behalf of the State Treasurer • Authorizes Wachovia to establish a settlement bank account • Bank account is a ZBA account that sweeps to DST’s bank account • DST pays the fees for the bank settlement account • STMS is provided this bank account number, which associates each of the participant’s merchant numbers with the settlement account at Wachovia • Assigns a CIT account on Core Banking System (CB$) • Accommodates certifying deposits by Agency on CMCS • The daily ZBA transfer (net of chargebacks) is to be certified, based on amount viewed on Wachovia Connection • DST maps the settlement bank account to the CIT account on CB$ • DST advises agency via Official Depository Designation Letter when CIT account is established
Step 5 – STMS Acts on Request • Executes APA on behalf of the STMS • Establishes profile setup • Assigns a single chain number for the participant • Assign individual merchant (outlet) numbers for the participant as specified on the Outlet Setup forms • Setups profile for each merchant number • Maps a settlement bank account number to each as specified on the Merchant Card Participant Setup Form • Sets up invoicing – as central billing or billing per merchant number • Setups ClientLine for participant • Ships POS terminals as ordered
Step 6a – CPS Involvement • If the Common Payment Service (CPS) gateway is to be utilized, participant should follow the steps outlined in the CPS Agency Work Plan Template • Participant conducts a Security Risk Assessment (SRA) for the proposed Agency application • Participant submits the SRA to the Office of Information Technologies Services (ITS) as part of the technical architecture review requirements • ITS will advise of the approval of the SRA and arrange for testing • Agency develops its application, including interface(s) to CPS, and request ACH Profile set-up in the CPS test environment • Agency documents test results and proceeds to next steps (Performance Acceptance Testing)
Step 6b – CPS Verification Testing • At least two weeks prior to an application deployment, the participant must develop an Acceptance Checklist: • Test Plan / Script • CPS Security Risk Assessment (SRA) • Internal Agency Policies and Procedures • OSC reviews the checklist and supporting documents and approves deployment if no issues • Participant migrates application into production, and conducts “production verification” test • Using a limited number of live transactions • Verify settlement of funds into bank account • If production verification is adequate, participant opens (announces) the service to the public (if Internet application)
Step 7 – Establish Business Procedures • Familiarize employees with STMS Operating Guide • Face-to-face transactions (signatures, expiration dates, etc) • Card not-present transactions • Obtain necessary training • POS terminals (if applicable) • POS software (if applicable) • Obtaining Authorizations from STMS • Voice authorizations as backup • Suspected fraud – Code 10 Procedures • Other authorizations denied – Alternative payment options • Non-match of Address or Security code verification • Refunds (for duplicate or erroneous transactions) • Transmitting transactions to STMS for settlement • Frequency and deadlines • Responding to disputed items • Retention of transactions for face-to-face (18 months) • Resolution of card not-present transactions
Step 8 – Establish Fiscal Procedures • Complete Internal Policies & Procedures - Template • Viewing bank settlement account (via Wachovia Connection or otherwise) • Recording daily settlement amount (reporting via CMCS if State agency) • Processing Chargebacks • Reconciling transactions captured and transmitted to STMS to settlement amount received from STMS • Consider multiple merchant numbers settling into a single bank settlement account • Determination of State funds vs. local funds (if applicable) • Netting out of chargebacks • Reviewing and paying monthly invoice received from STMS • If State agency, update Cash Management Plan
Step 9 – Obtain PCI Security Compliance • View PCI Data Security Requirements on Websites • OSC and PCI Data Security Council • Understand difference between: Compliance, Validation, and Attestation • Review document “Applicability of PCI Data Security Standard” • Address complinace from business perspective • Physical security, employee screening, etc. • Address complinace from IT perspective • Hardware, software, firewalls, encryption, etc. • Enroll with Trustwave to validated PCI compliance – Two Options • Self-Assessment Questionnaire Only • Self-Assessment Questionnaire and Vulnerability Scanning • Complete PCI Self-Assessment Questionnaire (SAQ) online • Determine which SAQ to complete online (A,B, C, or D) • For multiple outlets, off-line SAQs may have to be completed (Only one online) • If external-facing IP addresses • Specify the IP addresses to undergo vulnerability scanning when enrolling • Schedule vulnerability scans to be performed via TrustKeeper • If third-party service provider utilized, ensure vendor’s compliance • Written Agreement specifying vendor’s responsibility for compliance with Standard • Ongoing monitoring of service provider’s compliance • Refer to document “PCI Validation for Service Providers” • If a Payment Application is used for capture • Determine if application is compliant with PCI Payment Application Standard
Enrollment Documents Master Services Agreement (MSA) Agency Participation Agreement (APA) Participant Setup Form Outlet Setup Form ClientLine Setup Form POS Terminal Order Form Trustwave Validation Enrollment Form Internal Policies & Procedures Template Wachovia Connection Setup Form CPS Security Risk Assessment-SRA PCI Monitoring Online Enrollment Agency
More Information Office of the State Controller Web Site www.osc.nc.gov David C. Reavis E-Commerce Manager (919) 871-6483 Amber Young Central Compliance Manager (919) 981-5481 SECP Support Services Center (919) 707-0795) Statewide Electronic Commerce Program (SECP)