Merchant card services enrollment process

Merchant Card Services Enrollment Process, for agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA) between the State of NC and SunTrust Merchant Services, LLC, dated August 1, 2006, Contract Number 14-06002.


Merchant Card Services Enrollment Process

For agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA)

Between the State of NC

and SunTrust Merchant Services, LLC

Dated August 1, 2006

Contract Number 14-06002

Statewide Electronic Commerce Program (SECP)

Enrollment Process Steps

Step 1. Identify Merchant Card Project

Step 2. Execute Enrollment Forms

Step 3. OSC Acts on Request

Step 4. DST Acts on Request (If applicable)

Step 5. STMS Acts on Request

Step 6. CPS Involvement & Testing (If applicable)

Step 7. Establish Business Procedures

Step 8. Establish Fiscal Procedures

Step 9. Obtain PCI Security Compliance

Step 1 – Identify Card Project

  • Obtain information about Merchant Cards from OSC’s Web site

    • E-Commerce Statutes and Policies

    • Merchant Cards Overview and Merchants Cards-101

    • STMS Master Services Agreement (Various Component Documents)

    • PCI Data Security Standards

    • Card Association Rules for Merchants (Visa and MasterCard)

  • Identify potential payment applications for Merchant Cards

    • Card Present (Face-to-Face Applications)

    • Card Not Present (Non-Face-to-Face Applications)

  • Determine what capture method(s) will be used to process cards

    • Review “Capture Solutions – Merchant Cards” document

    • POS Terminals Capture Solution

      • Stand-alone terminal – with analog telephone line

      • POS terminal using POS Software (Identify software and vendor to be obtained)

    • Web-Based Capture Solution – Requires a gateway service

      • Common Payment Service as gateway

      • PayPoint thru STMS as gateway

      • Other third-party as gateway

    • Yahoo! Store – [email protected]

  • Develop an internal statement of work, considering the program requirements, work effort, cost and benefits – Use appropriate Project Plan Template

  • Determine ability to comply with Payment Card Industry Data Security Standard

  • Determine project feasibility and obtain management approval

  • Identify Funding and obtain OSBM approval or other budget approval

  • If convenience fee to be levied, must first obtain approval from OSBM

Step 2 – Execute Enrollment Forms

  • Master Services Agreement (MSA)

    • Consists of various component documents – on OSC Website

    • Requires Review by Agency Fiscal Office and Agency Legal

  • Agency Participation Agreement (APA)

    • Allows for agency to participate in MSA

    • Binds participant to OSC Policies & STMS Contract requirements (including card association rules)

    • Executed in quadruplicate by Agency CFO

  • Merchant Card Participant Setup Form (Chain level)

    • Provides OSC, DST, and STMS with info necessary to setup various profiles, bank settlement accounts, invoicing, statement rendering, etc. for the entire agency (chain)

  • Merchant Card Outlet Setup Form (Outlet level)

    • Provides setup information pertaining to each outlet, rolling up to the single merchant chain number

    • May be line of business, division, branch location, or capture method, etc.

    • A separate form is to be completed for each merchant number (outlet)

  • Other Forms as Applicable

    • Wachovia Connection Setup Form – For agencies depositing funds with State Treasurer

    • POS Terminals Order Form – If Applicable (Purchase, rent, or lease)

    • ClientLine Enrollment Form – Designating users for STMS online reporting system

    • Trustwave Enrollment Form – For Self-Assessment Questionnaire / Vulnerability Scanning

    • Common Payment Service (CPS) Forms – If CPS is to provide gateway service

    • Third-party Gateway Boarding Forms – If applicable

  • Routing of Forms

    • OSC obtains signatures of DST and STMS on APA

    • OSC distributes executed APA

    • OSC provides STMS the forms that require STMS action

    • OSC provides DST the forms that require DST action

Step 3 – OSC Acts on Request

  • Approves or disapproves of participation

    • Determines if an eligible entity

    • Considers participant’s ability to be PCI security compliant

  • Forwards appropriate forms to DST and STMS

  • Involves Common Payment Service (CPS) if applicable

  • Involves PayPoint gateway if applicable

  • Orders POS Terminals From STMS (if applicable)

  • Has DST set up bank account with Wachovia, if depositing with State Treasurer

  • Sets up users on ClientLine (STMS online reporting)

  • If OSC is to be administrator for Wachovia Connection

    • Sets up agency users as specified on Wachovia Connection Setup Form

    • Advises agency users of User-ID, initial password, and instructions

  • Determines category of PCI security compliance

    • Enrolled in TrustKeeper at the Chain Level

    • Two options

      • Self-Assessment Questionnaire Only

      • Self-Assessment Questionnaire and Vulnerability Scanning

Step 4 – DST Acts on Request

  • This step only applies if Participant is a State Agency depositing funds with the State Treasurer

    • Community Colleges generally have their own bank account for settlement, prior to depositing (transferring funds) with State Treasurer

    • Local Units of governments utilize their local depository bank

    • Colleges and local units using either Wachovia or SunTrust Bank as their depository receive next-day settlement. (All other banks are two-day settlements)

  • Executes Agency Participation Agreement (APA) on behalf of the State Treasurer

  • Authorizes Wachovia to establish a settlement bank account

    • Bank account is a ZBA account that sweeps to DST’s bank account

    • DST pays the fees for the bank settlement account

    • STMS is provided this bank account number, which associates each of the participant’s merchant numbers with the settlement account at Wachovia

  • Assigns a CIT account on Core Banking System (CB$)

    • Accommodates certifying deposits by Agency on CMCS

    • The daily ZBA transfer (net of chargebacks) is to be certified, based on amount viewed on Wachovia Connection

    • DST maps the settlement bank account to the CIT account on CB$

    • DST advises agency via Official Depository Designation Letter when CIT account is established

Step 5 – STMS Acts on Request

  • Executes APA on behalf of the STMS

  • Establishes profile setup

    • Assigns a single chain number for the participant

    • Assigns individual merchant (outlet) numbers for the participant as specified on the Outlet Setup forms

  • Sets up profile for each merchant number

    • Maps a settlement bank account number to each as specified on the Merchant Card Participant Setup Form

    • Sets up invoicing – as central billing or billing per merchant number

  • Sets up ClientLine for participant

  • Ships POS terminals as ordered

Step 6a – CPS Involvement

  • If the Common Payment Service (CPS) gateway is to be utilized, participant should follow the steps outlined in the CPS Agency Work Plan Template

  • Participant conducts a Security Risk Assessment (SRA) for the proposed Agency application

  • Participant submits the SRA to the Office of Information Technologies Services (ITS) as part of the technical architecture review requirements

  • ITS will advise of the approval of the SRA and arrange for testing

  • Agency develops its application, including interface(s) to CPS, and requests ACH Profile set-up in the CPS test environment

  • Agency documents test results and proceeds to next steps (Performance Acceptance Testing)

Step 6b – CPS Verification Testing

  • At least two weeks prior to an application deployment, the participant must develop an Acceptance Checklist:

    • Test Plan / Script

    • CPS Security Risk Assessment (SRA)

    • Internal Agency Policies and Procedures

  • OSC reviews the checklist and supporting documents and approves deployment if no issues

  • Participant migrates application into production, and conducts “production verification” test

    • Using a limited number of live transactions

    • Verify settlement of funds into bank account

  • If production verification is adequate, participant opens (announces) the service to the public (if Internet application)

Step 7 – Establish Business Procedures

  • Familiarize employees with STMS Operating Guide

    • Face-to-face transactions (signatures, expiration dates, etc.)

    • Card not-present transactions

  • Obtain necessary training

    • POS terminals (if applicable)

    • POS software (if applicable)

  • Obtaining Authorizations from STMS

    • Voice authorizations as backup

    • Suspected fraud – Code 10 Procedures

    • Other authorizations denied – Alternative payment options

    • Non-match of Address or Security code verification

    • Refunds (for duplicate or erroneous transactions)

  • Transmitting transactions to STMS for settlement

    • Frequency and deadlines

  • Responding to disputed items

    • Retention of transactions for face-to-face (18 months)

    • Resolution of card not-present transactions

Step 8 – Establish Fiscal Procedures

  • Complete Internal Policies & Procedures - Template

  • Viewing bank settlement account (via Wachovia Connection or otherwise)

  • Recording daily settlement amount (reporting via CMCS if State agency)

  • Processing Chargebacks

  • Reconciling transactions captured and transmitted to STMS to settlement amount received from STMS

    • Consider multiple merchant numbers settling into a single bank settlement account

    • Determination of State funds vs. local funds (if applicable)

    • Netting out of chargebacks

  • Reviewing and paying monthly invoice received from STMS

  • If State agency, update Cash Management Plan

Step 9 – Obtain PCI Security Compliance

  • View PCI Data Security Requirements on Websites

    • OSC and PCI Data Security Council

    • Understand difference between: Compliance, Validation, and Attestation

    • Review document “Applicability of PCI Data Security Standard”

  • Address compliance from business perspective

    • Physical security, employee screening, etc.

  • Address compliance from IT perspective

    • Hardware, software, firewalls, encryption, etc.

  • Enroll with Trustwave to validate PCI compliance – Two Options

    • Self-Assessment Questionnaire Only

    • Self-Assessment Questionnaire and Vulnerability Scanning

  • Complete PCI Self-Assessment Questionnaire (SAQ) online

    • Determine which SAQ to complete online (A, B, C, or D)

    • For multiple outlets, off-line SAQs may have to be completed (Only one online)

  • If external-facing IP addresses

    • Specify the IP addresses to undergo vulnerability scanning when enrolling

    • Schedule vulnerability scans to be performed via TrustKeeper

  • If third-party service provider utilized, ensure vendor’s compliance

    • Written Agreement specifying vendor’s responsibility for compliance with Standard

    • Ongoing monitoring of service provider’s compliance

    • Refer to document “PCI Validation for Service Providers”

  • If a Payment Application is used for capture

    • Determine if application is compliant with PCI Payment Application Standard

Enrollment Documents

Master Services Agreement (MSA)

Agency Participation Agreement (APA)

Participant Setup Form

Outlet Setup Form

ClientLine Setup Form

POS Terminal Order Form

Trustwave Validation Enrollment Form

Internal Policies & Procedures Template

Wachovia Connection Setup Form

CPS Security Risk Assessment-SRA

PCI Monitoring

Online Enrollment


More Information

Office of the State Controller Web Site

David C. Reavis

E-Commerce Manager

(919) 871-6483

Amber Young

Central Compliance Manager

(919) 981-5481


Support Services Center

(919) 707-0795

Statewide Electronic Commerce Program (SECP)