SETTING UP A MERCHANT ACCOUNT FOR DARS. Author(s): Dan Keyworth, Associate Director Annual Programmes and DARS

Transcription

1 Setting up a Merchant Account for DARS Version 1.4, last updated 10 September 2013 SETTING UP A MERCHANT ACCOUNT FOR DARS Author(s): Dan Keyworth, Associate Director Annual Programmes and DARS Introduction This document summarises the guidelines for Participants who wish to set up a merchant account for connecting to DARS to collect payment transactions, such as for event registration payments and donations. Please contact the DARS Helpdesk for further information. Pre-requisites and Definitions Any entity must sign the DARS Participation documentation prior to using its payment services. To accept card payments into a bank account, a Payment Service Provider (PSP) is needed, to provide the means by which the payment gateway is connected to your acquiring bank via a merchant account. DARS is configured for CyberSource to be able to act as a separate PSP. The University has two CyberSource accounts (one each for events and donations) and each College wishing to use this service would require its own such account. Each Participant must then also set up a merchant account with a Merchant Acquirer (MA). The University use Streamline as their MA and Colleges should contact their existing bank for help with setting up a separate merchant account. Alternatively, Blackbaud s software facilitates the use of IATS as the Payment Service Provider, without the need to purchase a separate Merchant Acquirer. In either case, DARS stores the merchant account information and the Blackbaud Payment Service (BBPS), held on Blackbaud s own servers, is used to replace the token in a credit card transmission file received from DARS with the actual Primary Account Number (PAN) and send this file on to the gateway for processing. Similarly, when the web service receives a response file from the gateway, Website/Database (DARS) Payment Portal (Blackbaud Payment Service) Payment Service Provider (CyberSource or IATS) University/College Bank Account Separate Merchant Acquirer if using CyberSource (Streamline, Barclays etc) Page 1 of 5

2 it will securely replace the credit card number with its token before it returns the file to DARS. Throughout the process, credit/debit card numbers never appear in an unencrypted format and are never held on DARS own servers. Options available to Colleges and Departments Departments wishing to use DARS for collecting gifts should contact the University Gift Registry for further details; and Departments wishing to use DARS for collecting event registration payments should contact the University Alumni Office for further details. All payments to or via the University through DARS should utilise the University s two merchant accounts already set up for this purpose. Colleges/overseas offices wishing to use DARS for collecting their own gifts and/or event registration payments directly should contact the DARS Helpdesk. The two most common options available are: 1. To sign up for a merchant account and CyberSource account; or 2. To sign up for an IATS account Our contractual agreement with Blackbaud makes it possible for Colleges to use the same BBPS account as the University, but with separate Payment Service Providers (and Merchant Acquirers). CyberSource supports processing the following Australian Dollar Danish Krone Hong Kong Dollar Japanese Yen Mexican Peso New Zealand Dollar Nigerian Naira Norwegian Krone Singapore Dollar South African Rand Thai Baht IATS UK supports processing the following Hong King Dollar Japanese Yen Singapore Dollar Swiss Francs Below is a selection of the Merchant Acquirers that DARS and CyberSource can currently connect with (for outside the UK, there are other options available): Barclays HBoS HSBC LloydsTSB Cardnet Streamline There are three further options currently available to Colleges/overseas offices for processing transactions through DARS, as listed below. Each of these payment service providers is not included among the primary options above simply because they have not yet been directly tested within the Live System. Please therefore contact the DARS Helpdesk at an early stage to explore any of these options in further detail, so that appropriate testing approach can be agreed at the outset: Page 2 of 5

3 Setting up a Merchant Account for DARS Version 1.4, last updated 10 September 2013 IPPayments supports processing the following Australian Dollar New Zealand Dollar Sage supports processing the following currencies through DARS: Blackbaud Merchant Services supports processing the following Further details from Blackbaud are available at: As any agreements by Colleges require commercial decisions, the DARS Support Centre and the University make no recommendation or guarantees on the performance or otherwise of any option. Any agreements for transaction services are between the Participant and their providers, and the Support Centre simply enables the valid choices made by Participants. Process once an account is acquired Once a College has the necessary account details, it should provide them to the DARS Support Centre, via the Helpdesk (ensuring that any passwords are sent separately for security reasons). The Support Centre will then set up the account for the College within Live DARS, as well as any additional test environments as necessary. Accounts can be set up in test mode in Live before being switched to live use. The Support Centre can also provide dummy card numbers to assist testing. 1. To use CyberSource, the following details are required: o Merchant Account details (necessary to sign up with CyberSource) o CyberSource Account details 2. To use IATS, just the IATS Account details are required. All administration of the merchant and payment service provider accounts is solely the responsibility of Participants and no liability is taken by the University for errors, defects etc. PCI Compliance When taking any payments online or offline (whether for donations, events or other items), entities must comply with industry standards known as Payment Card Industry Data Security Standards (PCI-DSS). The PCI Security Standards Council website is at This therefore applies to any payment card information collected in relation to DARS, including via the following three common routes: 1. Payments taken online (i.e. through Oxford Alumni Online and its associated websites) 2. Payments taken over the phone (e.g. during telethons) Page 3 of 5

4 3. Payments taken by post (e.g. on forms filled in by constituents) Note: methods 2 and 3 may have the card payment confirmed via DARS or another system. For all methods, the processes around DARS must be PCI-DSS compliant. Blackbaud provides information about its PCI compliance at PCI-DSS applies to all entities that store, process, and/or transmit. It covers both technical and operational system components included in, or connected to,. As such, the standards apply not just to DARS but more widely to the collegiate University. How DARS addresses PCI Compliance Standards Area Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Control Measures Requirement 1. Install and maintain a firewall configuration to protect 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored 4. Encrypt transmission of across open, public networks 5. Use and regularly update antivirus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to How DARS complies 1 and 2 DARS utilises applications that sit on Blackbaud s own servers (not the University s), therefore our compliance with this requirement is handed off to them. 3. On DARS only the last 4 digits of the card are stored (they are not even on the database and visible as the last four). The full data is stored on Blackbaud s compliant servers. 4. No data is held at Oxford all data transmitted to Blackbaud over SSL (securely). Any data taken for card entry follows established procedures and is destroyed after use this process is associated with but not part of DARS. 5 and 6 Systems are hosted by Blackbaud and are compliant with PCI regulations. 7. No data is available within DARS to internal users. 8. Even though no data is held internally all DARS users have individual ID s for system access. 9. Full is not held on DARS. Page 4 of 5

5 Standards Area Regularly Monitor and Test Networks Maintain an Information Security Policy Requirement 10. Track and monitor all access to network resources and 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel How DARS complies 10 and 11 Covered by Blackbaud s PCI compliance. 12. The University has its own information security policies. DARS meets Data Protection guidelines and PCI requirements. By the use of a PCI-DSS compliant solution (Blackbaud CRM), the University greatly reduces its own exposure to PCI-DSS compliance risk, as well as adopting a robust and tested platform. The latest version of this document can be downloaded at Page 5 of 5