Merchant Card Services Enrollment Process - PowerPoint PPT Presentation

About This Presentation
Title:

Merchant Card Services Enrollment Process

Description:

Merchant Card Services Enrollment Process: for agencies and eligible entities desiring to participate in the State Controller's Master Services Agreement (MSA)

Slides: 15
Provided by: Natalie139
Learn more at: https://www.osc.nc.gov

Transcript and Presenter's Notes

Title: Merchant Card Services Enrollment Process


1
Merchant Card Services Enrollment Process
  • For agencies and eligible entities desiring to
    participate in the State Controller's Master
    Services Agreement (MSA)

Between the State of NC and SunTrust Merchant
Services, LLC Dated August 1, 2006 Contract
Number 14-06002
2
Enrollment Process Steps
  • Step 1. Identify Merchant Card Project
  • Step 2. Execute Enrollment Forms
  • Step 3. OSC Acts on Request
  • Step 4. DST Acts on Request (If applicable)
  • Step 5. STMS Acts on Request
  • Step 6. CPS Involvement Testing (If applicable)
  • Step 7. Establish Business Procedures
  • Step 8. Establish Fiscal Procedures
  • Step 9. Obtain PCI Security Compliance

3
Step 1 Identify Card Project
  • Obtain information about Merchant Cards from
    OSC's Web site
  • E-Commerce Statutes and Policies
  • Merchant Cards Overview and Merchants Cards-101
  • STMS Master Services Agreement (Various Component
    Documents)
  • PCI Data Security Standards
  • Card Association Rules for Merchants (Visa and
    MasterCard)
  • Identify potential payment applications for
    Merchant Cards
  • Card Present (Face-to-Face Applications)
  • Card Not Present (Non-Face-to-Face Applications)
  • Determine what capture method(s) will be used to
    process cards
  • Review Capture Solutions Merchant Cards
    document
  • POS Terminals Capture Solution
  • Stand-alone terminal with analog telephone line
  • POS terminal using POS Software (Identify
    software and vendor to be obtained)
  • Web-Based Capture Solution: requires a gateway
    service
  • Common Payment Service as gateway
  • PayPoint through STMS as gateway
  • Other third-party as gateway
  • Yahoo! Store NC@YourService

4
Step 2 Execute Enrollment Forms
  • Master Services Agreement (MSA)
  • Consists of various component documents on OSC
    Website
  • Requires Review by Agency Fiscal Office and
    Agency Legal
  • Agency Participation Agreement (APA)
  • Allows for agency to participate in MSA
  • Binds participant to OSC Policies and STMS Contract
    requirements (including card association rules)
  • Executed in quadruplicate by Agency CFO
  • Merchant Card Participant Setup Form (Chain
    level)
  • Provides OSC, DST, and STMS with info necessary
    to setup various profiles, bank settlement
    accounts, invoicing, statement rendering, etc.
    for the entire agency (chain)
  • Merchant Card Outlet Setup Form (Outlet level)
  • Provides setup information pertaining to each
    outlet, rolling up to the single merchant chain
    number
  • May be line of business, division, branch
    location, or capture method, etc.
  • A separate form is to be completed for each
    merchant number (outlet)
  • Other Forms as Applicable
  • Wachovia Connection Setup Form: for agencies
    depositing funds with State Treasurer
  • POS Terminals Order Form: if applicable
    (purchase, rent, or lease)
  • ClientLine Enrollment Form: designating users
    for STMS online reporting system
  • Trustwave Enrollment Form: for Self-Assessment
    Questionnaire / Vulnerability Scanning
  • Common Payment Service (CPS) Forms: if CPS is to
    provide gateway service

5
Step 3 OSC Acts on Request
  • Approves or disapproves of participation
  • Determines if an eligible entity
  • Considers participant's ability to be PCI
    security compliant
  • Forwards appropriate forms to DST and STMS
  • Involves Common Payment Service (CPS) if
    applicable
  • Involves PayPoint gateway if applicable
  • Orders POS Terminals From STMS (if applicable)
  • Has DST set up bank account with Wachovia, if
    depositing with State Treasurer
  • Sets up users on ClientLine (STMS online
    reporting)
  • If OSC is to be administrator for Wachovia
    Connection
  • Sets up agency users as specified on Wachovia
    Connection Setup Form
  • Advises agency users of User-ID, initial
    password, and instructions
  • Determines category of PCI security compliance
  • Enrolled in TrustKeeper at the Chain Level
  • Two options
  • Self-Assessment Questionnaire Only
  • Self-Assessment Questionnaire and Vulnerability
    Scanning

6
Step 4 DST Acts on Request
  • This step only applies if Participant is a State
    Agency depositing funds with the State Treasurer
  • Community Colleges generally have their own bank
    account for settlement, prior to depositing
    (transferring funds) with State Treasurer
  • Local Units of governments utilize their local
    depository bank
  • Colleges and local units using either Wachovia or
    SunTrust Bank as their depository receive
    next-day settlement. (All other banks are two-day
    settlements)
  • Executes Agency Participation Agreement (APA) on
    behalf of the State Treasurer
  • Authorizes Wachovia to establish a settlement
    bank account
  • Bank account is a ZBA account that sweeps to
    DST's bank account
  • DST pays the fees for the bank settlement account
  • STMS is provided this bank account number, which
    associates each of the participant's merchant
    numbers with the settlement account at Wachovia
  • Assigns a CIT account on Core Banking System
    (CB)
  • Accommodates certifying deposits by Agency on
    CMCS
  • The daily ZBA transfer (net of chargebacks) is to
    be certified, based on amount viewed on Wachovia
    Connection
  • DST maps the settlement bank account to the CIT
    account on CB
  • DST advises agency via Official Depository
    Designation Letter when CIT account is established

7
Step 5 STMS Acts on Request
  • Executes APA on behalf of the STMS
  • Establishes profile setup
  • Assigns a single chain number for the participant
  • Assigns individual merchant (outlet) numbers for
    the participant as specified on the Outlet Setup
    forms
  • Sets up profile for each merchant number
  • Maps a settlement bank account number to each as
    specified on the Merchant Card Participant Setup
    Form
  • Sets up invoicing as central billing or billing
    per merchant number
  • Sets up ClientLine for participant
  • Ships POS terminals as ordered

8
Step 6a CPS Involvement
  • If the Common Payment Service (CPS) gateway is to
    be utilized, participant should follow the steps
    outlined in the CPS Agency Work Plan Template
  • Participant conducts a Security Risk Assessment
    (SRA) for the proposed Agency application
  • Participant submits the SRA to the Office of
    Information Technologies Services (ITS) as part
    of the technical architecture review requirements
  • ITS will advise of the approval of the SRA and
    arrange for testing
  • Agency develops its application, including
    interface(s) to CPS, and requests ACH Profile
    set-up in the CPS test environment
  • Agency documents test results and proceeds to
    next steps (Performance Acceptance Testing)

9
Step 6b CPS Verification Testing
  • At least two weeks prior to an application
    deployment, the participant must develop an
    Acceptance Checklist
  • Test Plan / Script
  • CPS Security Risk Assessment (SRA)
  • Internal Agency Policies and Procedures
  • OSC reviews the checklist and supporting
    documents and approves deployment if no issues
  • Participant migrates application into production,
    and conducts production verification test
  • Using a limited number of live transactions
  • Verify settlement of funds into bank account
  • If production verification is adequate,
    participant opens (announces) the service to the
    public (if Internet application)

10
Step 7 Establish Business Procedures
  • Familiarize employees with STMS Operating Guide
  • Face-to-face transactions (signatures, expiration
    dates, etc)
  • Card not-present transactions
  • Obtain necessary training
  • POS terminals (if applicable)
  • POS software (if applicable)
  • Obtaining Authorizations from STMS
  • Voice authorizations as backup
  • Suspected fraud: Code 10 Procedures
  • Other authorizations denied: alternative payment
    options
  • Non-match of Address or Security code
    verification
  • Refunds (for duplicate or erroneous transactions)
  • Transmitting transactions to STMS for settlement
  • Frequency and deadlines
  • Responding to disputed items
  • Retention of transactions for face-to-face (18
    months)
  • Resolution of card not-present transactions

11
Step 8 Establish Fiscal Procedures
  • Complete Internal Policies and Procedures -
    Template
  • Viewing bank settlement account (via Wachovia
    Connection or otherwise)
  • Recording daily settlement amount (reporting via
    CMCS if State agency)
  • Processing Chargebacks
  • Reconciling transactions captured and transmitted
    to STMS to settlement amount received from STMS
  • Consider multiple merchant numbers settling into
    a single bank settlement account
  • Determination of State funds vs. local funds (if
    applicable)
  • Netting out of chargebacks
  • Reviewing and paying monthly invoice received
    from STMS
  • If State agency, update Cash Management Plan

12
Step 9 Obtain PCI Security Compliance
  • View PCI Data Security Requirements on Websites
  • OSC and PCI Data Security Council
  • Understand difference between Compliance,
    Validation, and Attestation
  • Review document Applicability of PCI Data
    Security Standard
  • Address compliance from business perspective
  • Physical security, employee screening, etc.
  • Address compliance from IT perspective
  • Hardware, software, firewalls, encryption, etc.
  • Enroll with Trustwave to validate PCI compliance
    (two options)
  • Self-Assessment Questionnaire Only
  • Self-Assessment Questionnaire and Vulnerability
    Scanning
  • Complete PCI Self-Assessment Questionnaire (SAQ)
    online
  • Determine which SAQ to complete online (A, B, C,
    or D)
  • For multiple outlets, off-line SAQs may have to
    be completed (Only one online)
  • If external-facing IP addresses
  • Specify the IP addresses to undergo vulnerability
    scanning when enrolling
  • Schedule vulnerability scans to be performed via
    TrustKeeper
  • If third-party service provider utilized, ensure
    vendor's compliance
  • Written Agreement specifying vendor's
    responsibility for compliance with Standard

13
Enrollment Documents
Master Services Agreement (MSA)
Agency Participation Agreement (APA)
Participant Setup Form
Outlet Setup Form
ClientLine Setup Form
POS Terminal Order Form
Trustwave Validation Enrollment Form
Internal Policies and Procedures Template
Wachovia Connection Setup Form
CPS Security Risk Assessment-SRA
PCI Monitoring Online Enrollment
Agency
14
More Information
Office of the State Controller Web Site: www.osc.nc.gov
David C. Reavis, E-Commerce Manager, (919) 871-6483
Amber Young, Central Compliance Manager, (919) 981-5481
SECP
Support Services Center (919) 707-0795