Luke Harris, E-Commerce Analyst
Office of the State Controller, State of North Carolina
April 16, 2012
David McCoy, State Controller

E-Commerce – What does the North Carolina Office of the State Controller (OSC) expect from Universities?

Dec 25, 2015


E-Commerce – What does OSC expect from Universities?

• General Statutes
• North Carolina Office of the State Controller (OSC) Policies and Procedures
• Card Industry Rules
• Procedures for approvals or exceptions
• Accounting and Reconciliation of Transactions
• Payment Card Industry (PCI) Data Security Standards
• Security Incident Plan (Merchant Cards)
• Statistics and upcoming e-commerce directives
• Recap

General Statutes – The following link pertains to E-Commerce as listed on OSC’s website:

http://www.osc.nc.gov/SECP/SECP_General_Statutes.pdf

• § 66-58.12. Agencies may provide access to services through electronic and digital transactions; fees authorized – (in part)

(b) An agency may charge a fee to cover its costs of permitting a person to complete a transaction through the World Wide Web or other means of electronic access.

• § 66-58.12 – (in part) cont’d

The fee may be applied on a per transaction basis and may be calculated either as a flat fee or a percentage fee, as determined under an agreement between a person and a public agency. The fee may be collected by the agency or by its third party agent.

(c) The fee imposed under subsection (b) of this section must be approved by the Office of State Budget and Management, in consultation with the State Chief Information Officer and the Joint Legislative Commission on Governmental Operations.

• § 66-58.12 – (in part) cont’d

The revenue derived from the fee must be credited to a nonreverting agency reserve account. The funds in the account may be expended only for e-commerce initiatives and projects approved by the State Chief Information Officer, in consultation with the Joint Legislative Oversight Committee on Information Technology.

• § 143B-426.39 Powers and duties of the State Controller. (in part) - The State Controller shall:

(1) Prescribe, develop, operate, and maintain in accordance with generally accepted principles of governmental accounting, a uniform state accounting system for all state agencies.

(5) Prescribe the manner in which disbursements of the State agencies shall be made and may require that warrants, vouchers, electronic payments, or checks, except those drawn by the State Auditor, State Treasurer, and Administrative Officer of the Courts, shall bear two signatures of officers as designated by the State Controller.

• § 147-86.10. (Effective July 1, 2007) Statement of policy. (in part) – It is the policy of the State of North Carolina that all agencies, institutions, departments, bureaus, boards, commissions, and officers of the State, whether or not subject to the State Budget Act, Chapter 143C of the General Statutes, shall devise techniques and procedures for the receipt, deposit, and disbursement of moneys coming into their control and custody which are designed to maximize interest-bearing investment of cash, and to minimize idle and nonproductive cash balances.

• § 147-86.10 (in part) cont’d - This policy shall apply to the General Court of Justice as defined in Article IV of the North Carolina Constitution, the public school administrative units, and the community colleges with respect to the receipt, deposit, and disbursement of moneys required by law to be deposited with the State Treasurer and with respect to moneys made available to them for expenditure by warrants drawn on the State Treasurer. This policy shall include the acceptance of electronic payments in accordance with G.S. 147-86.22 to the maximum extent possible consistent with sound business practices.

• § 147-86.11. (Effective July 1, 2007) Cash management for the State (in part) –

(a) Uniform Plan. – The State Controller, with the advice and assistance of the State Treasurer, the State Budget Officer, and the State Auditor, shall develop, implement and amend as necessary a uniform statewide plan to carry out the cash management policy for all State agencies.

• § 147-86.11. (in part) cont’d –

(h) New Technologies. – The statewide cash management plan shall consider new technologies and procedures whenever the technologies and procedures are economically beneficial to the State as a whole. Where the new technologies and procedures may be implemented without additional legislation, the technologies and procedures shall be implemented in the plan.

• § 147-86.20. Definitions.

The following definitions apply in this Article:

(2a) Electronic payment. – Payment by charge card, credit card, debit card, or by electronic funds transfer as defined in this subsection.

• § 147-86.22. Statewide accounts receivable program. – (in part) The State Controller shall establish policies that allow accounts receivable to be payable under certain conditions by electronic payment. These policies shall be established with the concurrence of the State Treasurer.

A condition of payment by electronic payment is receipt by the appropriate State agency of the full amount of the account receivable owed to the State agency.

• § 147-86.22. – (in part) cont’d

A debtor who pays by electronic payment may be required to pay any fee or charge associated with the use of electronic payment. Fees associated with processing electronic payments may be paid out of the General Fund and Highway Fund if the payment of the fee by the State is economically beneficial to the State and the payment of the fee by the State has been approved by the State Controller and State Treasurer.

• § 147-86.22. – (in part) cont’d – The State Controller and State Treasurer shall consult with the Joint Legislative Commission on Governmental Operations before establishing policies that allow accounts receivable to be payable by electronic payment and before authorizing fees associated with electronic payment to be paid out of the General Fund and Highway Fund.

• § 147-86.22. – (in part) cont’d – A State agency must also consult with the Joint Legislative Commission on Governmental Operations before implementing any program to accept payment under the policies established pursuant to this subsection.

A payment of an account receivable that is made by electronic payment and is not honored by the issuer of the card or the financial institution offering electronic funds transfer does not relieve the debtor of the obligation to pay the account receivable.

• § 14-113.24. Credit, charge, or debit card numbers on receipts. (in part) -

(b) Except as provided in this section, no person that accepts credit, charge, or debit cards for the transaction of business shall print more than five digits of the credit, charge, or debit card account number or the expiration date upon any receipt with the intent to provide the receipt to the cardholder at the point of sale. This section applies to a person who employs a cash register or other machine or device that electronically prints receipts for credit, charge, or debit card transactions.

• § 14-113.24. - (in part) cont’d -

This section does not apply to a person whose sole means of recording a credit, charge, or debit card number for the transaction of business is by handwriting or by an imprint or copy of the credit, charge, or debit card.

• § 147-77. Daily deposit of funds to credit of Treasurer.

All funds belonging to the State of North Carolina, in the hands of any head of any department of the State which collects revenue for the State in any form whatsoever, and every institution, agency, officer, employee, or representative of the State or any agency, department, division or commission thereof, except officers and the clerks of the Supreme Court and Court of Appeals, collecting or receiving any funds or money belonging to the State of North Carolina, shall daily deposit the same in some bank, or trust company, selected or designated by the State Treasurer, in the name of the State Treasurer, at noon, or as near thereto as may be, and shall report the same daily to said Treasurer: Provided that the State Treasurer may authorize exemptions from the provisions of this section so long as funds are deposited and reported pursuant to the provisions of this section at least once a week and, in addition, so long as funds are deposited and reported pursuant to the provisions of this section whenever as much as two hundred fifty dollars ($250.00) has been collected and received: Provided, that the Treasurer may refund the amount of any bad checks which have been returned to the department by the Treasurer when the same have not been collected after 30 days' trial.

• § 116-36.1. Regulation of institutional trust funds. (in part) -

(b) Trust funds and investment earnings thereon, are available for expenditure by each institution without further authorization from the General Assembly.

• § 147-86.11. Cash management for the State. (in part) -

(e) Elements of Plan. – For moneys received or to be received, the statewide cash management plan shall provide at a minimum that:

(2) Moneys received shall be deposited daily in the form and amounts received, except as otherwise provided by statute.

North Carolina Office of the State Controller (OSC) E-Commerce Policies and Procedures

http://www.osc.nc.gov/SECP/SECP_Policies.html

Senate Bill 222 passed in 1999 amended several statutes that authorized the State Controller to issue policies relating to "electronic payments," which support the Statewide Electronic Commerce Program (SECP).

• Maximization of Electronic Payment Methods

http://www.osc.nc.gov/Credit_Card/MaximizationofElectronicPaymentMethods.pdf

Outbound Payments

Each non-NCAS agency and university shall develop payment methods that allow for the utilization of ACH direct deposit.

• Maximization of Electronic Payment Methods

Inbound Payments

Each agency and university shall consider the feasibility of accepting payments via ACH when appropriate, considering the volume and frequency of payments received. Both the ACH credit and ACH debit methods should be considered. The services of third-party data collection centers and gateway service providers may be utilized if the ACH debit option is offered.

• Master Services Agreements for Electronic Payments

http://www.osc.nc.gov/Credit_Card/MasterServicesAgreementsForElectronicPayments.pdf

A State entity may be exempted from participating in the MSA(s) if it provides OSC a suitable business case for exemption, in which case the entity may secure services on its own, provided it adheres to all applicable procurement requirements.

• Master Services Agreements for Electronic Payments

The costs of the services secured through the MSA(s) by State related agencies shall be paid for by the agency, unless the Department of State Treasurer (DST) agrees to pay for the services, as deemed advantageous to the State’s General Fund.

Agencies requiring a gateway service in order to participate in the MSA(s) may select either the Common Payment Service (CPS) gateway offered through ITS, or secure a gateway service of its choosing, provided it acquires approval from OSC and adheres to all applicable procurement requirements.

• Funding for Electronic Payment Services

http://www.osc.nc.gov/Credit_Card/FundingforElectronicPaymentServices.pdf

When General and Highway fund appropriations are to be used, the state entity must obtain approval from the Office of State Budget and Management (OSBM) on the availability of an appropriation.

When Special Fund receipts are used, the agency must pay for the fees from the Special Fund established with approval of the Office of State Budget and Management (OSBM).

• Funding for Electronic Payment Services

For services deemed appropriate for the State Treasurer to pay the fees, prior arrangements must be made with the State Treasurer.

Universities may determine the appropriateness of using institutional trust funds.

• Charging Transaction Fees

http://www.osc.nc.gov/Credit_Card/ChargingTransactionFees.pdf

All agencies must adhere to the policies established by the Office of State Budget and Management (OSBM) and the Office of Information Technology Services.

The agency must request the establishment of a special fund budget code by OSBM and OSC. All transaction fees collected are to be recorded separately from the revenue being collected, with the transaction fees being deposited to the special fund budget code.

• Charging Transaction Fees

Funds deposited to the special fund budget code may be used only for e-commerce initiatives and projects, to include any third-party related fees and merchant card processing services.

The practice of charging transaction fees shall not conflict with any merchant card associations’ Rules. Notwithstanding that the fee revenue may be used to pay for merchant card processing services, all fees charged are for the conducting of an electronic transaction, not for the utilization of a merchant card.

• Charging Transaction Fees

Fees charged under this statute pertain only to obtaining electronic access, which includes the Internet and voice response units. Electronic access does not include mail orders or telephone orders, commonly referred to as MOTO. Neither does it include the acceptance of a face-to-face merchant card transaction.

Notice of the fee must be provided to the consumer before the payment is effected.

• Security and Privacy of Data

Each participant in a Master Services Agreement (MSA) must develop business and systems controls to ensure the confidentiality and integrity of financial transactions within their scope of electronic payment processing activities. Computer security measures, including physical security, logical application controls, transmission security, and firewall utilization where applicable, must be implemented to satisfy the integrity and confidentiality objectives as well as eliminating or reducing the general risks associated with computerized systems. All staff involved in the transaction of electronic business must be aware of the security requirements.

• Security and Privacy of Data

Adhere to all applicable merchant card associations’ operating rules (e.g., Visa, MasterCard).

Participate in any security assessments and security scans required by the associations and/or OSC, in order to be and to remain compliant with Payment Card Industry (PCI) Security Standards, and be responsible for any fines levied as the result of not being compliant.

If not utilizing the Common Payment Service, only utilize a third-party service provider that is compliant with Payment Card Industry Security Standards.

• Security and Privacy of Data

Store and protect cardholder data in accordance with industry standards, including not disclosing account information except on a “business need to know” basis or when compelled by law. Information that cannot be stored or retained includes: the 3-digit CVV2/CVC2 value located on the back of the card within the signature panel, and magnetic stripe data. In the case of Internet transactions, cardholder account numbers must not be transmitted to cardholders. All records containing account number information must be unreadable prior to discarding.

• Security and Privacy of Data

For point of sale transactions, adhere to the requirements of both applicable State law (G.S. 14-113.24) and the Payment Card Industry Security Standards pertaining to the printing of account numbers and expiration dates of cards on the cardholder’s copy of the receipt. While the statutory requirements and the industry standards differ, the requirements of both can be met by only printing the last four digits. The merchant’s copy of the receipt may or may not contain the full card number and expiration date, and should only contain the full number and expiration date if there is a business reason for doing so.
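The last-four rendering the slide settles on, as an added example that is not OSC’s code: a masking helper, a check of what a receipt template actually prints against both the statute’s five-digit limit and the PCI last-four practice, and a scan that flags full account numbers left in receipt text. Function names and sample values (including the industry’s standard Visa test number) are constructed for illustration.

```python
"""Cardholder-copy receipt masking for the two rules the slide reconciles:
G.S. 14-113.24(b), which allows no more than five digits of the account number
and no expiration date on the cardholder's receipt, and the PCI practice of
showing only the last four digits. Added example, not OSC's own code; function
names and sample values are constructed for illustration."""
import re
from typing import List, Optional, Tuple

STATUTE_MAX_DIGITS = 5   # G.S. 14-113.24(b): "no more than five digits"
PCI_LAST_DIGITS = 4      # printing only the last four satisfies both rules

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit string.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pan_for_receipt(pan: str) -> str:
    """Render a PAN for the cardholder copy: last four digits, rest masked.

    Spaces and dashes typed at the register are ignored; anything outside the
    plausible 12-19 digit length is rejected rather than guessed at.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card account number")
    return "*" * (len(digits) - PCI_LAST_DIGITS) + digits[-PCI_LAST_DIGITS:]


def receipt_line_compliant(printed_pan: str,
                           printed_expiry: Optional[str]) -> Tuple[bool, List[str]]:
    """Check what a receipt template prints for the cardholder.

    Returns (ok, problems). More than five digits in clear violates the
    statute; digits in clear anywhere except the final four violate the PCI
    rendering; any digit of an expiration date violates the statute.
    """
    problems: List[str] = []
    clear_digits = sum(ch.isdigit() for ch in printed_pan)
    if clear_digits > STATUTE_MAX_DIGITS:
        problems.append(f"{clear_digits} account digits printed; "
                        f"statute allows at most {STATUTE_MAX_DIGITS}")
    if any(ch.isdigit() for ch in printed_pan[:-PCI_LAST_DIGITS]):
        problems.append("account digits other than the last four printed")
    if printed_expiry and any(ch.isdigit() for ch in printed_expiry):
        problems.append("expiration date printed on the cardholder copy")
    return (not problems, problems)


def find_unmasked_pans(text: str) -> List[str]:
    """Scan free text (a receipt template, a log line) for full account numbers.

    Each hit is returned already masked so the finding itself is safe to log.
    """
    return [mask_pan_for_receipt(m.group(0)) for m in PAN_RUN.finditer(text)]


if __name__ == "__main__":
    # Constructed sample: the industry's standard Visa test number.
    print(mask_pan_for_receipt("4111 1111 1111 1111"))
    print(receipt_line_compliant("4111********1111", "12/25"))
    print(find_unmasked_pans("SALE 42.00 CARD 4111-1111-1111-1111 AUTH 123456"))
```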

• Security and Privacy of Data

The merchant copy of the receipts must be kept in a secure place (i.e. locked cabinet with minimal access) for eighteen months. At the end of the eighteen months, the receipts should be destroyed in a secure manner, preferably shredding.

Maintain records of transactions in a manner that provides adequate security and audit trails, and in accordance with the agency’s official retention records, but at a minimum of at least eighteen months.

• Security and Privacy of Data

In the case of Electronic Funds Transfer, each participant must:

Adhere to all security requirements of the ACH Originating Depository Financial Institution (ODFI), which generally include the requirement for the protection of passwords and access codes.

Adhere to all NACHA Operating Rules regarding the origination of ACH transactions.

• Security and Privacy of Data

Adhere to all NACHA Operating Guidelines relating to the origination of Internet-initiated entries (WEB entries). The Originator is required to establish procedures that provide for transactions to be handled in a “commercially reasonable manner.” Those aspects include commercially reasonable fraudulent transaction detection systems, security technology to establish a secure Internet session with at least 128 bit SSL encryption technology, and procedures to verify the validity of the RDFI’s routing number.

• Security and Privacy of Data

In the case of WEB entries initiated via the Internet, adhere to the NACHA Operating Rule requiring Originators to conduct an audit at least once per year to ensure that Receivers’ financial information is protected by security practices and that appropriate procedures are in place.

Adhere to all NACHA Operating Guidelines relating to the origination of Telephone-initiated (TEL) entries. The Originator is required to utilize a commercially reasonable method (e.g., use of a directory, database, etc.) to verify the consumer’s name, address, and telephone number.

• Security and Privacy of Data

The Originator is also advised to further verify the Receiver’s identity by verifying pertinent information with the Receiver (e.g., past buying history, mother’s maiden name, Caller ID information, etc.). Additionally, the Originator must establish commercially reasonable procedures to verify that routing numbers are valid.

http://www.fededirectory.frb.org/
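The routing-number validity check the slide asks Originators to perform, as an added example that is not OSC’s or NACHA’s code: the published ABA check-digit formula and the Federal Reserve routing-symbol prefix ranges, applied to a constructed batch of pending WEB entries. Function names and the sample entries are assumptions for illustration; a number that passes is well-formed, not necessarily assigned, so the FedACH directory linked above remains the authoritative lookup.

```python
"""Structural validation of an RDFI routing number before an ACH WEB or TEL
entry is originated. Added example, not OSC's or NACHA's code. It applies the
ABA check-digit formula (weights 3, 7, 1 repeated across the nine digits; the
weighted sum must be divisible by 10) and the Federal Reserve routing-symbol
prefix ranges. Passing means well-formed, not assigned: the number should
still be looked up in the FedACH directory. Function names and sample entries
are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)

# First two digits (Federal Reserve routing symbol) seen on routing numbers in
# use: 00-12 Federal Reserve districts, 21-32 thrift institutions,
# 61-72 electronic transaction identifiers, 80 traveler's checks.
VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))


@dataclass
class RoutingCheck:
    ok: bool
    reason: str
    normalized: Optional[str] = None


def aba_check_digit(first_eight: str) -> int:
    """Return the ninth digit that makes the weighted sum a multiple of 10."""
    partial = sum(int(d) * w for d, w in zip(first_eight, WEIGHTS[:8]))
    return (10 - partial % 10) % 10


def validate_routing_number(raw: str) -> RoutingCheck:
    """Check length, prefix and check digit; never touches the network."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isdigit() and len(digits) == 9):
        return RoutingCheck(False, "routing number must be exactly nine digits")
    prefix = int(digits[:2])
    if not any(lo <= prefix <= hi for lo, hi in VALID_PREFIX_RANGES):
        return RoutingCheck(False, f"prefix {digits[:2]} is not a Federal Reserve routing symbol")
    if int(digits[8]) != aba_check_digit(digits[:8]):
        # The 3-7-1 weighting catches every single-digit error and most
        # adjacent transpositions, the typical keying mistakes on a web form.
        return RoutingCheck(False, "check digit mismatch: likely a typo or transposition")
    return RoutingCheck(True, "well-formed", digits)


def screen_web_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (entry id, reason) for entries to hold before origination."""
    held = []
    for entry in entries:
        result = validate_routing_number(entry["rdfi_routing"])
        if not result.ok:
            held.append((entry["id"], result.reason))
    return held


# Constructed batch of pending WEB entries (ids and numbers are illustrative).
SAMPLE_ENTRIES = [
    {"id": "WEB-0001", "rdfi_routing": "011000015"},   # passes the check digit
    {"id": "WEB-0002", "rdfi_routing": "101000015"},   # first two digits transposed
    {"id": "WEB-0003", "rdfi_routing": "99-1000021"},  # prefix outside any range
    {"id": "WEB-0004", "rdfi_routing": "0110000"},     # truncated
]

if __name__ == "__main__":
    for entry_id, reason in screen_web_entries(SAMPLE_ENTRIES):
        print(f"{entry_id}: held ({reason})")
```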

• Electronic Payment Confirmation

http://www.osc.nc.gov/Credit_Card/ElectronicPaymentConfirmation.pdf

All applications that utilize merchant cards or electronic funds transfer (EFT) transactions as a method of payment via the Worldwide Web shall provide for the generation of a confirmation of the transaction at the time of the order. Confirmations shall adhere to the Policy on “Security and Privacy of Data,” regarding the disclosure of confidential information.

• Customer Transaction Disputes

http://www.osc.nc.gov/Credit_Card/CustomerTransactionDisputes.pdf

Disputes involving transactions shall be resolved by each participant and with its customer (e.g., citizens, taxpayers, etc.), with the assistance of the respective transaction Merchant Card Services Provider (merchant card processor) or EFT Financial Services Provider. The Provider may process the appropriate correcting transactions, if necessary, subsequent to the resolution of the dispute.

• Authorization for Merchant Card Transactions

http://www.osc.nc.gov/Credit_Card/AuthorizationforMerchantCardTransactions.pdf

All State agencies or other participants utilizing Merchant Card services, whether through the OSC’s Master Services Agreement or under separate arrangement, shall develop procedures to ensure compliance with the Processor’s operating guide regarding the obtaining of authorizations. Prior to the finalization of a merchant card transaction, an authorization approval code must be obtained from the merchant card processor. Real-time authorization shall be the preferred method, with the telephone authorization being the alternative method. Finalization of a transaction shall include both fulfillment of a sale or acceptance of an accounts payable, and the monetary settlement of the transaction.

Each participant shall be responsible for developing and documenting procedures to handle merchant card exceptions. The procedures shall include the handling of transactions for which an approval is denied, unauthorized card use, non-match of address verification, the use of an alternative payment if authorization is denied, and charge backs.

• Types of Merchant Cards Accepted

http://www.osc.nc.gov/SECP/TypesOfMerchantCardsAccepted.pdf

Any entity desiring to participate in an MSA that the State may have entered with a proprietary card company must execute the applicable Agency Participation Agreement, binding the entity to the terms and conditions of the MSA.

All State entities subject to OSC’s control pursuant to the Cash Management Law (G.S. 147-86.10-11) that are participants in the MSA with the State’s primary merchant card services provider, and that accept a proprietary card issued by a company with which the State has an MSA, will be required to participate in the MSA with the proprietary card company.

A State entity may be exempted from participating in a MSA with a proprietary card company if it provides OSC a suitable business case for exemption, in which case the entity may enter into an agreement with the proprietary card company directly.

Page 48

• Types of Merchant Cards Accepted

An agency may selectively elect to only accept merchant cards as a payment channel for certain types of receipts, taking into account the nature of the receipts, including the:

– beneficiary of the receipts

– finality of the payment required

– ability to obtain a source of funding to pay the processing fees associated with the particular type of receipts

Page 49

• Types of Merchant Cards Accepted

An agency accepting merchant cards as a payment channel may selectively elect to only accept certain merchant card brands for certain types of receipts, taking into account the nature of the receipts, including the:

– beneficiary of the receipts

– requirement for the settlement (receipt) of funds for the card transaction to be within one banking day of card acceptance

– ability to obtain a source of funding to pay the processing fees associated with a particular card brand that may have processing costs greater than other card brands accepted

Page 50

• Types of Merchant Cards Accepted

If no convenience fees are levied by an entity accepting merchant cards, at a minimum both Visa and MasterCard shall be accepted, as the funds received for settlement are generally received within one banking day, and the interchange fees associated with the two cards are similar.

If no convenience fees are levied by the entity, the entity has the option of accepting one or more proprietary cards, provided the agreement under which the card is accepted provides for funding to be received within two banking days.

Page 51

• Types of Merchant Cards Accepted

If convenience fees are levied by an entity accepting merchant cards or other channels of electronic payments, the entity may selectively elect to accept only cards whose governing Rules are compatible with the entity’s established fee structure (i.e., percentage based and/or flat fee based).

Page 52

• Merchant Cards Security Incident Plan

http://www.osc.nc.gov/SECP/MerchantCardsSecurityIncidentPlan.pdf

All participants in the State Controller’s Master Services Agreement for Merchant Card Services, as well as State agencies engaging in separate arrangements, are to devise a security incident response plan that incorporates the requirements of the Payment Card Industry Security Council. For those State agencies falling under the purview of the State Chief Information Officer, the incident response requirements defined by the Office of Information Technology Services (ITS) should also be incorporated.

Page 53

• Compliance with PCI Data Security Standards

http://www.osc.nc.gov/SECP/Compliance_with_PCI_Data_Security_Standards.pdf

In the case of Merchant Card services, each participant must … participate in any security assessments and security scans required by the associations and/or OSC, in order to be and to remain compliant with Payment Card Industry (PCI) Security Standards, and be responsible for any fines levied as the result of not being compliant.

Page 54

• Compliance with International ACH Transactions (IAT) Rules

http://www.osc.nc.gov/SECP/IATRulesAdvisory-July28-RevAug18.pdf

The IAT rules apply to domestic as well as international ACH transactions. All entities originating payments electronically, whether they be for payroll, pensions, or vendor payments, are therefore advised to examine the new rules to see how they apply. Origination of electronic payments includes submitting ACH credits to payees (for disbursements), as well as originating ACH debits to draft payers' accounts (for collecting funds).

Page 55

Card Industry Rules

http://www.osc.nc.gov/SECP/SECP_Card_Industry_Rules.html

As a participant in OSC's Master Services Agreement with SunTrust Merchant Services, entities are required to comply with all payment card industry rules. This includes those specified by the processing vendor (STMS), as well as those by the issuing card associations (Visa and MasterCard). Many of the rules have fines associated with violations and non-compliance, and some require services to the violating merchant to be terminated. Most of these rules, but not all, are found either in the STMS Operating Guide or on the Visa and MasterCard websites.

Page 56

Procedures for approvals or exceptions

A State entity may be exempted from participating in the MSA(s) if it provides OSC a suitable business case for exemption, in which case the entity may secure services on its own, provided it adheres to all applicable procurement requirements.

To request an exemption, e-mail a letter on university letterhead addressed to Controller David McCoy to [email protected]. The letter should contain the following information: vendor name, business case, and verification of PCI compliance.

Page 57

Procedures for approvals or exceptions

G.S. 66-58.12 states in part, “An agency may charge a fee to cover its cost of permitting a person to complete a transaction through the World Wide Web or other means of electronic access. The fee imposed must be approved by the Office of State Budget and Management, in consultation with the State Chief Information Officer and the Joint Legislative Commission on Governmental Operations”.

Page 58

Procedures for approvals or exceptions

To request approval, e-mail a memo with details concerning the fee request to [email protected] and [email protected] at OSBM and copy [email protected]. OSBM will consult with Gov Ops and the CIO.

Page 59

Procedures for approvals or exceptions

§ 147-86.22. Statewide accounts receivable program (in part): A State agency must also consult with the Joint Legislative Commission on Governmental Operations before implementing any program to accept payment under the policies established pursuant to this subsection.

Contact your OSBM analyst.

Page 60

Procedures for approvals or exceptions

§ 147-77. Daily deposit of funds to credit of Treasurer.

Contact: Chandler Park Francis
Statewide Banking Operations Manager
North Carolina Department of State Treasurer
325 N. Salisbury Street
Raleigh, NC 27603
919.508.5952 (phone)
919.807.3178 (fax)

[email protected]

www.nctreasurer.com

Page 61

Procedures for approvals or exceptions

§ 116-36.1. Regulation of institutional trust funds.

No exceptions for daily deposit under this general statute.

Page 62

Accounting and Reconciliation of Transactions

– Reconcile and certify funds on a daily basis

• Verify reports from systems, Clientline, and online banking

– Resolve any reconciliation issues as soon as possible

• Missing transactions, fees mistakenly debited, and any other out of balance issues

– Verify the accuracy of the monthly STMS and Wells Fargo statements

• Utilize Clientline to obtain details of statement for Cards

• Wells Fargo statement detailed
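A daily three-way check of the kind this slide calls for, written as an added example that is not part of the original presentation: it compares the university's own transaction log against the processor's settlement report and the net bank deposit, and flags the three issue types named above (missing transactions, fees mistakenly debited, out-of-balance amounts). The record layout, field names and every amount are constructed for illustration, not taken from Clientline or any bank statement.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample data for one business day (not real processor or bank output).
# Internal system: what the university believes it processed.
SYSTEM_TXNS = {
    "T1001": Decimal("125.00"),
    "T1002": Decimal("40.50"),
    "T1003": Decimal("310.00"),
}
# Processor settlement report: what the processor says it settled.
PROCESSOR_TXNS = {
    "T1001": Decimal("125.00"),
    "T1002": Decimal("40.50"),
}
# Fee lines debited on the processor report (description, amount).
PROCESSOR_FEES = [("chargeback fee", Decimal("25.00"))]
# Fees the fee schedule says to expect that day (none in this sample).
EXPECTED_FEES = []
# Net amount that actually landed in the bank account.
BANK_DEPOSIT = Decimal("140.50")


@dataclass
class ReconResult:
    missing_at_processor: list = field(default_factory=list)
    missing_in_system: list = field(default_factory=list)
    amount_mismatches: list = field(default_factory=list)
    unexpected_fees: list = field(default_factory=list)
    bank_variance: Decimal = Decimal("0")

    def balanced(self) -> bool:
        # The day certifies only when every category is clean.
        return not (self.missing_at_processor or self.missing_in_system
                    or self.amount_mismatches or self.unexpected_fees
                    or self.bank_variance != 0)


def reconcile(system, processor, fees, expected_fees, bank_deposit) -> ReconResult:
    r = ReconResult()
    # Recorded by the system but never settled by the processor.
    r.missing_at_processor = sorted(set(system) - set(processor))
    # Settled by the processor but absent from the system (unexplained receipts).
    r.missing_in_system = sorted(set(processor) - set(system))
    # Same reference on both sides, different amount.
    r.amount_mismatches = sorted(
        (ref, system[ref], processor[ref])
        for ref in set(system) & set(processor)
        if system[ref] != processor[ref]
    )
    # Fee debits the fee schedule does not account for: dispute with the processor.
    expected = set(expected_fees)
    r.unexpected_fees = [f for f in fees if f not in expected]
    # Bank should receive processor settlement less every fee actually debited.
    settled = sum(processor.values(), Decimal("0"))
    fee_total = sum((amt for _, amt in fees), Decimal("0"))
    r.bank_variance = bank_deposit - (settled - fee_total)
    return r


if __name__ == "__main__":
    result = reconcile(SYSTEM_TXNS, PROCESSOR_TXNS, PROCESSOR_FEES,
                       EXPECTED_FEES, BANK_DEPOSIT)
    print("balanced:", result.balanced())
    print(result)
```

On the sample day the bank agrees with the processor's net, so a deposit-only check would pass, while the system-to-processor comparison still surfaces one unsettled transaction and one unexpected fee to resolve.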

Page 63

Accounting and Reconciliation of Transactions

– Respond to any disputes as soon as possible

• Chargebacks for cards (EIDS) and Returns for ACH (CEO)

– Use correct accounts for payment of fees and charging transaction fees

– Pay the “correct” statement in a timely manner

• If an invoice is incorrect, not received, or going to the wrong place, let OSC know by contacting OSC Support Services at 919-707-0795 or e-mail [email protected].

Page 64

Payment Card Industry (PCI) Data Security Standards

https://www.pcisecuritystandards.org/

• The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures associated with credit card account data.

• Covers both Business and Information Technology

• Current version is 2.0.

Page 65

Payment Card Industry (PCI) Data Security Standards – Requirement 12.8

https://www.pcisecuritystandards.org/

• PCI DSS requirement 12.8 requires the merchant to “manage” the service provider by: 1) maintaining a “written agreement” specifying the service provider’s responsibility for compliance; 2) performing due diligence to ensure PCI compliance prior to engagement; and 3) monitoring the service provider’s compliance status. Additionally, OSC's Data Privacy Security Policy specifies that only PCI compliant service providers can be utilized.

Page 66

Payment Card Industry (PCI) Data Security Standards – Data Security Breaches

• Stratfor – Unknown at this time

• Zappos – It appears no full numbers exposed (only last 4 digits)

• Sony PlayStation Network – 12 million

• Hannaford Brothers – 4.2 million

• Heartland Payment Systems – 134 million

• TJX Companies – 94 million

(Sources: Nytimes.com, Perlroth, December 2011; CIO.com, Armerding, February 2012; Techweb.com, Schwartz, January 2012)

Page 67

Payment Card Industry (PCI) Data Security Standards – Security Breaches – What does it cost?

• Fines levied by card associations to make notifications to all cardholders and replace cards

• Costs of notifying taxpayers of incident, pursuant to the NC Identity Theft Protection Act (G.S. 75-60 through G.S. 75-66)

• Forensic investigation costs (approx. $10,000)

• Cost associated with discontinuing accepting cards

• Bad press (reputation and trust)

• Cost of an annual on-site security audit (approx. $15-20 K)

Page 68

Payment Card Industry (PCI) Data Security Standards – What should we do?

– Business staff and IT staff work together to obtain PCI compliance (communicate)

– Educate staff on PCI Data Security

– Document

– Utilize the Trustkeeper tool to validate PCI compliance

– Answer the Security Annual Questionnaire (SAQ)

– Schedule vulnerability scans if applicable

– Keep information updated in the portal in terms of changes to merchant card operations

Page 70

Security Incident Plan (Merchant Cards)

• PCI DSS requires the development of a security incident plan by each merchant. In addition, the Office of the State Controller has issued a policy that addresses the development of such a plan. In the case of participants under the purview of the State Chief Information Officer, the OSC policy requires adherence with the Security Incident Reporting Policy issued by the Office of Information Technology. The plan should require the reporting of a known or suspected security incident within 24 hours to the OSC. The OSC is to be involved in all assessments of security incidents and coordinate any notification to the card associations that may be appropriate.

Page 71

Security Incident Plan (Merchant Cards)

Contact at OSC for reporting an incident is:

Ben McLawhorn, CISA, CISM, CFE, CICA, CGCIO
Risk Mitigation Services Manager
Office of the State Controller
1410 Mail Service Center
Raleigh, North Carolina 27699-1410
(919) 707-0757 – office
(919) 981-5567 – fax
Email: [email protected]

Page 72

Statistics and upcoming e-commerce directives

• EFT transactions (inbound and outbound) for FY2010-11 totaled 14.8M transactions.

• Merchant card processing was 10.4M transactions equaling $756.8M in FY2010-11.

• Of the merchant card transactions, 4.4M transactions equaling $414.6M were related to university processing for FY 2010-11.

Page 73

Statistics and Upcoming E-Commerce Releases

• Spring Interchange Pricing release in April 2012

– Visa is now requiring Address Verification Service (AVS) to qualify for the emerging markets rate, which is the best rate the State can get for a consumer card. This represents about 67% of the Visa volume.

» Face-to-face transactions: ZIP must match to qualify for CPS Retail 2 or the transaction downgrades to ERF

» Non-face-to-face transactions: must perform AVS (address and ZIP) to qualify for CPS Retail 2 but will not be downgraded if no match.

Page 74

Statistics and Upcoming E-Commerce Releases

• For Card Not Present transactions only

– Passing an ACI of R will allow AVS to be bypassed and the transaction will continue to clear at CPS Retail 2. The ACI (Authorization Characteristic Indicator) is an indicator that is passed with the transaction’s data string in the auth record as well as the settlement record. At a software level, the vendor would need to determine if they have the ability to pass this with the transaction. At a terminal level, if the user chooses that the transaction is recurring, an ACI of R is passed with the transaction and the AVS feature will then not be prompted on the device.

Page 75

Statistics and Upcoming E-Commerce Releases

• Spring Interchange Pricing release in April 2012

– Visa is implementing a new Fixed Acquirer Network Fee (FANF), which is based on the number of merchant locations, Merchant Category Code (MCC), Card Present / Card Not Present identifiers and total gross sales volume per Taxpayer ID, per month. This fee is variable month to month.

Page 76

Recap

• Follow General Statutes

• Reference and apply OSC Policies and Guidelines

• Document Cash Management Plan

• Gain approvals or exemptions before proceeding with new processes if applicable

• Deposit and certify funds daily

• Reconcile

• Data Security – follow and report any incidents to OSC

• Validate PCI compliance (communication is key)

• Educate and keep updated

Page 77

Contacts:

General inquiries: OSC Support Services: 919-707-0795 or [email protected]

Luke Harris

E-Commerce Analyst

Office of the State Controller

State of North Carolina

[email protected]

Phone: 919-707-0667

Page 78

Contacts:

Amber Young
Central Compliance Manager
Office of State Controller
State of North Carolina
[email protected]
Phone: 919-707-0619

Sharon Hayes
Director, E-Commerce Initiatives
Office of State Controller
State of North Carolina
[email protected]
Phone: 919-871-6483