Procedures: The University Controller s Office is responsible for administering the process for



Similar documents
Procedures: The University Controller s Office is responsible for administering the process for

Validation of PCI Compliance Requirements NC Office of the State Controller June 23, 2015

Merchant Card Processing Request Form

PCI Policies Appalachian State University

CREDIT CARD PROCESSING POLICY AND PROCEDURES

Understanding Payment Card Industry (PCI) Data Security

University Policy Accepting Credit Cards to Conduct University Business

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Saint Louis University Merchant Card Processing Policy & Procedures

POLICY SECTION 509: Electronic Financial Transaction Procedures

Registry of Service Providers

Office of Finance and Treasury

Standards for Business Processes, Paper and Electronic Processing

IT TECHNICAL SECURITY REVIEW CHECKLISTS FOR E-COMMERCE WEBSITES

University Policy Accepting and Handling Payment Cards to Conduct University Business

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

Enterprise Systems Update. December 16, 2014

UCSB Credit Card Processing and PCI Compliance

Annual Trustwave PCI Self Assessment Questionnaire (SAQ) Educational Presentation. Understanding the Merchants Responsibilities for PCI Compliance

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

FAQ s for Payment Card Processing at the University

Common Payment Service 101

The following are responsible for the accuracy of the information contained in this document:

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Benefits of Integrated Credit Card Processing Within Microsoft Dynamics GP. White Paper

TSYS Tokenization and Card Processing

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

Accepting Payment Cards and ecommerce Payments

Self Assessment Questionnaire A Short course for online merchants

RFP#15-20 EXHIBIT E MERCHANT SERVICES INFORMATION SHEET

Merchant Card Processing Best Practices

Fall Conference November 19 21, 2013 Merchant Card Processing Overview

Welcome to the Duke Medicine Credit Card PCI Education session.

UCSB Credit Card Merchant Handbook

Third Party Agent Registration and PCI DSS Compliance Validation Guide

CREDIT CARD MERCHANT PROCEDURES. Revised 01/21/2014 Prepared by: NIU Merchant Services

D. DFA: Mississippi Department of Finance and Administration.

Remediation, a Key Approach to Reducing Scope

SCHEDULE A MODIFIED SCOPE OF SERVICES MERCHANT CARD PROCESSING SERVICES STATE OF NORTH CAROLINA AND SUNTRUST MERCHANT SERVICES

Credit Card Processing Overview

Prepared by Treasury Office. This is a new policy. A8.711 September 2009 A8.700 TREASURY. P 1 of 5. A8.711 Electronic Payments via University Websites

Sales Rep Frequently Asked Questions

Registration and PCI DSS compliance validation

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

Clark University's PCI Compliance Policy

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

CardControl. Credit Card Processing 101. Overview. Contents

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures

Insurance-Specific Payment Services Requires Insurance Industry Knowledge

Getting Started. Quick Reference Guide for Payment Processing

Agent Registration. Program Guide. (For use in Asia Pacific, Central Europe, Middle East, Africa)

Important Info for Youth Sports Associations

GLOSSARY OF MOST COMMONLY USED TERMS IN THE MERCHANT SERVICES INDUSTRY

Payment Card Industry Data Security Standard

Information Technology

PCI Compliance Tutorial - Virtual Terminal

THE CITADEL The Military College of South Carolina 171 Moultrie Street Charleston, SC MEMORANDUM 23 April 2015 NUMBER 5-004

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

UW Platteville Credit Card Handling Policy

University of Oregon Policy Statement Development Form

PCI COMPLIANCE GUIDE For Merchants and Service Members

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Terminal / Account Set-up Form TS1001 Revised November 2011

Policies and Procedures. Merchant Card Services Office of Treasury Operations

The University of Georgia Credit/Debit Card Processing Procedures

Treasurer s Office Updates. Business Manager Meeting Thursday, December 11 th 2014

Achieving PCI Compliance for Your Site in Acquia Cloud

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Complying with PCI is a necessary step in safely accepting Payment Cards.

Appendix 1 Payment Card Industry Data Security Standards Program

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Payment Card Acceptance Administrative Policy

PC-DSS Compliance Strategies NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

Agent Registration. Program Guidelines. (For use in Asia Pacific, Central Europe, Middle East and Africa)

institute s Credit Card Payment Policy

Policy. London School of Economics & Political Science. PCI DSS Compliance. Jethro Perkins IMT. Information Security Manager. Version Release 1.

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

Payment Card Industry Data Security Standards

I. Definitions. DFA: Mississippi Department of Finance and Administration.

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

Simplêfy Client Support and Information Services. PCI Compliance Guidebook

Vendor 1 QUESTION CCSF RESPONSE

Payment Card Industry Data Security Standards Compliance

TERMINAL CONTROL MEASURES

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:


What a Processor Needs from a University to Validate Compliance

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Project Title slide Project: PCI. Are You At Risk?

Transcription:

NC STATE UNIVERSITY University Controller s Office Internal Administrative Procedures Section: General Accounting Function: Cash Management Person Responsible: Heidi Kozlowski Procedure Number: GA-CM-MS-02 Procedure Title: Applying for a Merchant Account History: Issued: April 2004; Revised March 2014 Purpose: Instructions for applying for and maintaining a merchant account Procedures: The University Controller s Office is responsible for administering the process for accepting payments via credit card. This process is conducted in accordance with NCSU s participation in the State of North Carolina s Master Service Agreement (MSA) for payment card services and PCI-DSS requirements. Merchant application process steps: 1. In order for a department to be able to accept credit card payments, they must obtain receipt center approval from the University Controller or designee. A form BA-114 Request/Authority to Establish Receipt Center needs to be completed and forwarded to the Controller or designee for review and approval. The forms can be downloaded from the Controller s Office home page: http://www.fis.ncsu.edu/controller/forms/default.asp. 2. Once approved as a receipt center, Contact Merchant Services Section at the Controller s Office to discuss the line of business, description of transactions, capture acceptance methods (Payment Applications, Payment Gateways, Point-of-Sale Terminal, etc), volume of business, go-live 3. Complete application form, Merchant Request Form. 4. Upon acceptance as a merchant, the Merchant Service Section at the Controller s Office will provide installation/setup and training 5. PCI compliance evaluation and monitoring will be discussed with the merchant and will be

continual while the merchant account remains active. Timeline for creating a Merchant Account A merchant account can take a minimum of six weeks to complete from the initial meeting until the account is in production and the first transaction has been accepted. Payment Processing Service All University merchants are set up through the State of North Carolina s Master Service Agreement (MSA) with SunTrust Merchant Services (STMS), a partnership between SunTrust Bank and First Data Merchant Services (FDMS). STMS provides merchant card payment processing services. The North Carolina Office of the State Controller (OSC) has mandated that all agencies and universities of the State use the MSA unless an exemption has been approved. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to Merchant Services in the Controller s Office. The business case will be reviewed by the University and the State Treasurer s Electronic Commerce Section. If approved, the Merchant Service Section will work with the department to implement, monitor, and maintain security and compliance in accordance with University policy over the alternate vendor. University departments shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, without prior approval. Outsourcing Credit Card Payments The University is required to participate in the Master Service Agreement (MSA) for merchant services provided by OSC due to Cash Management Law (General Statute 147-86.10 and 11). An exemption from participating may be obtained from OSC if a suitable business case is presented. (See Payment Processing Service). This requirement applies to all contracts, including outsourced functions if they involve credit card processing. The requirement does apply even when the University is not the merchant for the credit card processing. Any area of campus involved in or negotiating an outsourcing agreement that involves

processing credit cards through a processor not under the MSA should forward an exemption request to Merchant Services. (See Payment Processing Service). Payment Application HigherOne is the University s preferred payment application and is required to be used for all internet credit card transactions. A University department may request an exception from this requirement by providing a business case justifying an alternate vendor or process to Merchant Services. The business case will be reviewed and forwarded as appropriate to the PCI Team to request approval. A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, until the business case is approved. Upon approval, standard purchasing policies apply. Complete Setup Forms Once the department has completed the initial meeting with Merchant Services and decided on the capture method, Merchant Services will complete the appropriate setup forms. Merchant Services Section will identify the appropriate PCI Self Assessment (SAQ) questionnaire to be completed and the department will need to provide a workflow diagram and description. The forms are submitted to the NC Office of the State Controller to be reviewed and sent to SunTrust Merchant Services for setup. The requesting department must complete PCI DSS training prior to go live of the merchant account. Credit Card Transaction Process Method 1: Payment Application The credit card transaction process begins when the customer purchases a product/event or makes a donation through a third party hosted payment application/website. All vendors part of the transaction are required to be a level one service provider. The payment application tenders the transaction for the customer on their website. The payment application interfaces with the payment processor. The payment processor interfaces with the credit card companies to validate the credit card and verify the address if address verification is used. The payment processor returns an authorization code to the payment application and settles the funds with the University s bank account.

Method 2: Point-of-Sale Terminal The credit card transaction process begins when the customer purchases a product/event or makes a donation and their card is swiped or entered into a point-of-sale terminal. The terminal is connected through an analog or cellular telephone line to the payment processor for settlement. The payment processor interfaces with the credit card companies to validate the credit card and verify the address if address verification is used. The payment processor returns an authorization code to the point of sale terminal and settles the funds with the University s bank account. Merchant Training University departments approved as merchants shall ensure that all employees involved in the merchant service/credit card environment have completed the PCI trainings on an annual basis. These training sessions apply to any who participate in the merchant s payment process.there are 3 different merchant roles. Department Head- Merchant Account Owner Site Manager- Functional Contact Operator- Cashiers These training sessions also apply to IT support/developers of applications and software that access or process credit card information or interface with credit card payment gateways. University departments shall also provide necessary training to employees to ensure staff members adhere to the policies and procedures for merchant services. Currently, there are two online PCI training courses available that have developed by NCSU Security & Compliance. Merchants can self enroll during the application process for these courses and are required to complete them prior to go live of the merchant or if a new user to an existing merchant, the training must be completed before handling any credit card information.

PCI Compliance Assessment During the set up phase, the merchant needs to begin assessing their initial Payment Card Industry (PCI) Data Security Standard (DSS) Compliance. Assessment consists of the following steps: 1. Review PCI-DSS Requirements Review the current version of PCI-DSS to make sure that the merchant meets all applicable requirements. PCI Compliance is not a point-in-time, but a continuous day-to-day process. 2. Complete Compliance Documents - Merchants are required to have documented procedures for their business process related to credit card processing. A workflow diagram is a component of their documents. 3. Complete Annual SAQ Before the merchant may begin accepting transactions, the merchant must complete their initial SAQ. The merchant should consult with Merchant Services, as required to verify which SAQ is applicable. Related Information: Merchant Services Procedure Merchant Funding Procedure Contact Information: University Controller s Office Merchant Services Campus Box 7205 Raleigh NC 27695-7205 merchantservices@ncsu.edu

Persons Involved in These Procedures: Name of Person Description of Duties Merchants Meet requirements and complete application. Merchant Services Review and approve merchant application. Complete OSC application and facilitate application process thru OSC. Security & Compliance Evaluates, monitors, and reports for PCI compliance. Internal Administrative Procedures Approved By: Name of Person Date Associate Controller: Heidi Kozlowski November 26, 2007 University Controller:

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information