August 1, 2006 (Rev. April 2009)
Statewide Electronic Commerce Program (SECP)

Merchant Card Services Enrollment Process

For agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA) between the State of NC and SunTrust Merchant Services, LLC, dated August 1, 2006, Contract Number 14-06002



Enrollment Process Steps

• Step 1. Identify Merchant Card Project
• Step 2. Execute Enrollment Forms
• Step 3. OSC Acts on Request
• Step 4. DST Acts on Request (If applicable)
• Step 5. STMS Acts on Request
• Step 6. CPS Involvement & Testing (If applicable)
• Step 7. Establish Business Procedures
• Step 8. Establish Fiscal Procedures
• Step 9. Obtain PCI Security Compliance

Step 1 – Identify Card Project

• Obtain information about Merchant Cards from OSC’s Web site
  • E-Commerce Statutes and Policies
  • Merchant Cards Overview and Merchant Cards-101
  • STMS Master Services Agreement (Various Component Documents)
  • PCI Data Security Standards
  • Card Association Rules for Merchants (Visa and MasterCard)
• Identify potential payment applications for Merchant Cards
  • Card Present (Face-to-Face Applications)
  • Card Not Present (Non-Face-to-Face Applications)
• Determine what capture method(s) will be used to process cards
  • Review “Capture Solutions – Merchant Cards” document
  • POS Terminals Capture Solution
    • Stand-alone terminal – with analog telephone line
    • POS terminal using POS Software (identify software and vendor to be obtained)
  • Web-Based Capture Solution – Requires a gateway service
    • Common Payment Service as gateway
    • PayPoint thru STMS as gateway
    • Other third-party as gateway
  • Yahoo! Store – NC@YourService
• Develop an internal statement of work, considering the program requirements, work effort, cost and benefits – Use appropriate Project Plan Template
• Determine ability to comply with Payment Card Industry Data Security Standard
• Determine project feasibility and obtain management approval
• Identify funding and obtain OSBM approval or other budget approval
• If a convenience fee is to be levied, approval must first be obtained from OSBM

Step 2 – Execute Enrollment Forms

• Master Services Agreement (MSA)
  • Consists of various component documents – on OSC Web site
  • Requires review by Agency Fiscal Office and Agency Legal
• Agency Participation Agreement (APA)
  • Allows for agency to participate in MSA
  • Binds participant to OSC Policies & STMS Contract requirements (including card association rules)
  • Executed in quadruplicate by Agency CFO
• Merchant Card Participant Setup Form (Chain level)
  • Provides OSC, DST, and STMS with info necessary to set up various profiles, bank settlement accounts, invoicing, statement rendering, etc. for the entire agency (chain)
• Merchant Card Outlet Setup Form (Outlet level)
  • Provides setup information pertaining to each outlet, rolling up to the single merchant chain number
  • May be line of business, division, branch location, or capture method, etc.
  • A separate form is to be completed for each merchant number (outlet)
• Other Forms as Applicable
  • Wachovia Connection Setup Form – For agencies depositing funds with State Treasurer
  • POS Terminals Order Form – If applicable (purchase, rent, or lease)
  • ClientLine Enrollment Form – Designating users for STMS online reporting system
  • Trustwave Enrollment Form – For Self-Assessment Questionnaire / Vulnerability Scanning
  • Common Payment Service (CPS) Forms – If CPS is to provide gateway service
  • Third-party Gateway Boarding Forms – If applicable
• Routing of Forms
  • OSC obtains signatures of DST and STMS on APA
  • OSC distributes executed APA
  • OSC provides STMS the forms that require STMS action
  • OSC provides DST the forms that require DST action

Step 3 – OSC Acts on Request

• Approves or disapproves of participation
  • Determines if an eligible entity
  • Considers participant’s ability to be PCI security compliant
• Forwards appropriate forms to DST and STMS
• Involves Common Payment Service (CPS) if applicable
• Involves PayPoint gateway if applicable
• Orders POS terminals from STMS (if applicable)
• Has DST set up bank account with Wachovia, if depositing with State Treasurer
• Sets up users on ClientLine (STMS online reporting)
• If OSC is to be administrator for Wachovia Connection
  • Sets up agency users as specified on Wachovia Connection Setup Form
  • Advises agency users of User-ID, initial password, and instructions
• Determines category of PCI security compliance
  • Enrolled in TrustKeeper at the Chain Level
  • Two options
    • Self-Assessment Questionnaire Only
    • Self-Assessment Questionnaire and Vulnerability Scanning

Step 4 – DST Acts on Request

This step only applies if Participant is a State Agency depositing funds with the State Treasurer
  • Community Colleges generally have their own bank account for settlement, prior to depositing (transferring funds) with State Treasurer
  • Local units of government utilize their local depository bank
  • Colleges and local units using either Wachovia or SunTrust Bank as their depository receive next-day settlement (all other banks are two-day settlements)

• Executes Agency Participation Agreement (APA) on behalf of the State Treasurer
• Authorizes Wachovia to establish a settlement bank account
  • Bank account is a ZBA account that sweeps to DST’s bank account
  • DST pays the fees for the bank settlement account
  • STMS is provided this bank account number, which associates each of the participant’s merchant numbers with the settlement account at Wachovia
• Assigns a CIT account on Core Banking System (CB$)
  • Accommodates certifying deposits by Agency on CMCS
  • The daily ZBA transfer (net of chargebacks) is to be certified, based on amount viewed on Wachovia Connection
  • DST maps the settlement bank account to the CIT account on CB$
  • DST advises agency via Official Depository Designation Letter when CIT account is established

Step 5 – STMS Acts on Request

• Executes APA on behalf of STMS
• Establishes profile setup
  • Assigns a single chain number for the participant
  • Assigns individual merchant (outlet) numbers for the participant as specified on the Outlet Setup forms
• Sets up profile for each merchant number
  • Maps a settlement bank account number to each as specified on the Merchant Card Participant Setup Form
  • Sets up invoicing – as central billing or billing per merchant number
• Sets up ClientLine for participant
• Ships POS terminals as ordered

Step 6a – CPS Involvement

• If the Common Payment Service (CPS) gateway is to be utilized, participant should follow the steps outlined in the CPS Agency Work Plan Template
• Participant conducts a Security Risk Assessment (SRA) for the proposed Agency application
• Participant submits the SRA to the Office of Information Technology Services (ITS) as part of the technical architecture review requirements
• ITS will advise of the approval of the SRA and arrange for testing
• Agency develops its application, including interface(s) to CPS, and requests ACH Profile set-up in the CPS test environment
• Agency documents test results and proceeds to next steps (Performance Acceptance Testing)

Step 6b – CPS Verification Testing

• At least two weeks prior to an application deployment, the participant must develop an Acceptance Checklist:
  • Test Plan / Script
  • CPS Security Risk Assessment (SRA)
  • Internal Agency Policies and Procedures
• OSC reviews the checklist and supporting documents and approves deployment if no issues
• Participant migrates application into production, and conducts “production verification” test
  • Using a limited number of live transactions
  • Verify settlement of funds into bank account
• If production verification is adequate, participant opens (announces) the service to the public (if Internet application)

Step 7 – Establish Business Procedures

• Familiarize employees with STMS Operating Guide
  • Face-to-face transactions (signatures, expiration dates, etc.)
  • Card-not-present transactions
• Obtain necessary training
  • POS terminals (if applicable)
  • POS software (if applicable)
• Obtaining authorizations from STMS
  • Voice authorizations as backup
  • Suspected fraud – Code 10 Procedures
  • Other authorizations denied – Alternative payment options
  • Non-match of Address or Security Code verification
  • Refunds (for duplicate or erroneous transactions)
• Transmitting transactions to STMS for settlement
  • Frequency and deadlines
• Responding to disputed items
  • Retention of transactions for face-to-face (18 months)
  • Resolution of card-not-present transactions

Step 8 – Establish Fiscal Procedures

• Complete Internal Policies & Procedures - Template
• Viewing bank settlement account (via Wachovia Connection or otherwise)
• Recording daily settlement amount (reporting via CMCS if State agency)
• Processing chargebacks
• Reconciling transactions captured and transmitted to STMS to settlement amount received from STMS
  • Consider multiple merchant numbers settling into a single bank settlement account
  • Determination of State funds vs. local funds (if applicable)
  • Netting out of chargebacks
• Reviewing and paying monthly invoice received from STMS
• If State agency, update Cash Management Plan
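One way to implement the reconciliation control in Step 8 (several outlet merchant numbers settling into one chain-level bank account, chargebacks netted out before comparing with the daily settlement), as an added example that is not from the OSC deck or any STMS tool; the merchant numbers, amounts, field names and the `Txn` record are constructed assumptions.

```python
"""Reconcile captured merchant-card transactions against the daily settlement.

Constructed example (not OSC/STMS code). Assumes the capture system exports
one record per transaction tagged with its outlet merchant number, and that
the bank-reported settlement is a single daily amount for the whole chain.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    merchant_number: str   # outlet-level merchant number (hypothetical values)
    amount_cents: int      # always positive; kind decides the sign
    kind: str              # "sale", "refund" or "chargeback"


def expected_by_outlet(txns):
    """Net captured amount per merchant number: sales minus refunds and chargebacks."""
    totals = defaultdict(int)
    for t in txns:
        if t.kind == "sale":
            totals[t.merchant_number] += t.amount_cents
        elif t.kind in ("refund", "chargeback"):
            totals[t.merchant_number] -= t.amount_cents
        else:
            raise ValueError(f"unknown transaction kind {t.kind!r}")
    return dict(totals)


def reconcile(txns, settlement_cents, chain_outlets):
    """Compare the chain's expected net total with the bank-reported settlement.

    Outlets that captured transactions but are not on the chain's outlet list
    are reported separately: their funds would settle elsewhere (or nowhere),
    which points at a profile/mapping problem rather than a timing difference.
    """
    by_outlet = expected_by_outlet(txns)
    unknown = sorted(m for m in by_outlet if m not in chain_outlets)
    expected = sum(v for m, v in by_outlet.items() if m in chain_outlets)
    return {
        "by_outlet": by_outlet,
        "expected_cents": expected,
        "settlement_cents": settlement_cents,
        "difference_cents": settlement_cents - expected,
        "unknown_outlets": unknown,
        "balanced": settlement_cents == expected and not unknown,
    }


# Constructed sample: two outlets rolling up to one chain settlement account.
CHAIN_OUTLETS = {"000100", "000200"}
SAMPLE_TXNS = [
    Txn("000100", 12500, "sale"),
    Txn("000100", 4000, "sale"),
    Txn("000100", 1500, "refund"),
    Txn("000200", 30000, "sale"),
    Txn("000200", 2000, "chargeback"),
]

if __name__ == "__main__":
    # Settlement of $430.00 matches 150.00 + 280.00 net of the chargeback.
    result = reconcile(SAMPLE_TXNS, 43000, CHAIN_OUTLETS)
    for outlet, cents in sorted(result["by_outlet"].items()):
        print(f"outlet {outlet}: expected {cents / 100:.2f}")
    print(f"difference {result['difference_cents'] / 100:.2f}; balanced={result['balanced']}")
```

A non-zero difference equal to a chargeback amount usually means the bank has not yet debited it; an unknown outlet means a merchant number was set up outside the chain and should be raised with OSC and STMS.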

Step 9 – Obtain PCI Security Compliance

• View PCI Data Security Requirements on Web sites
  • OSC and PCI Data Security Council
  • Understand difference between: Compliance, Validation, and Attestation
  • Review document “Applicability of PCI Data Security Standard”
• Address compliance from business perspective
  • Physical security, employee screening, etc.
• Address compliance from IT perspective
  • Hardware, software, firewalls, encryption, etc.
• Enroll with Trustwave to validate PCI compliance – Two Options
  • Self-Assessment Questionnaire Only
  • Self-Assessment Questionnaire and Vulnerability Scanning
• Complete PCI Self-Assessment Questionnaire (SAQ) online
  • Determine which SAQ to complete online (A, B, C, or D)
  • For multiple outlets, off-line SAQs may have to be completed (only one online)
• If external-facing IP addresses
  • Specify the IP addresses to undergo vulnerability scanning when enrolling
  • Schedule vulnerability scans to be performed via TrustKeeper
• If third-party service provider utilized, ensure vendor’s compliance
  • Written agreement specifying vendor’s responsibility for compliance with Standard
  • Ongoing monitoring of service provider’s compliance
  • Refer to document “PCI Validation for Service Providers”
• If a Payment Application is used for capture
  • Determine if application is compliant with PCI Payment Application Standard

Enrollment Documents

• Master Services Agreement (MSA)
• Agency Participation Agreement (APA)
• Participant Setup Form
• Outlet Setup Form
• Wachovia Connection Setup Form
• ClientLine Setup Form
• POS Terminal Order Form
• CPS Security Risk Assessment (SRA)
• Trustwave Validation Enrollment Form
• PCI Monitoring
• Online Enrollment
• Internal Policies & Procedures Template


More Information

Office of the State Controller Web Site: www.osc.nc.gov

David C. Reavis, E-Commerce Manager, (919) 871-6483
Amber Young, Central Compliance Manager, (919) 981-5481
Support Services Center, (919) 707-0795