SECP News/System Status
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users. The guidance educates merchants on the factors and risks that need to be addressed in order to protect card data when using mobile devices, such as smart phones and tablets, to accept payments.
PCI SECURITY STANDARDS COUNCIL RELEASES GUIDANCE FOR MERCHANTS ON MOBILE PAYMENT ACCEPTANCE SECURITY:
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG). Businesses deploying cloud technology can use this resource as a guide for choosing solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance.
PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS CLOUD COMPUTING GUIDELINES:
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES:
2012 E-Commerce Conference
To register for this conference, click on the following link: http://www.zoomerang.com/Survey/WEB22GK9SJST6Y
|07/10/2012||9:15 am||Common Payment Service Fee Reduction - The per card transaction fee charged by the Common Payment Service (CPS) for processing card transactions has been reduced from $0.28 to $0.23. The 18% reduction was effective for June transactions and will be reflected in the ITS July billing. This rate reduction is the second in the last two years, with the last reduction effective July 1, 2010.|
Wells Fargo EFTs
Communication from Wells Fargo
Visa Announces U.S. Participation in Global Point-of-Sale Counterfeit Liability Shift – Effective October 1, 2015. http://usa.visa.com/download/merchants/bulletin-us-acquirer-mandate-080911.pdf
Wachovia/Wells Fargo CEO Credential Migration
In an effort to share with you what this process will look like for you, please ensure that you AND your users review the CEO Portal First-Time User Tour (Flash).
Obtaining new log-in credentials:
The New User Set Up process includes a few simple steps:
Additional CEO Migration Resources:
Schedule C Revision
Regulation II - The Wall Street Reform and Consumer Protection Act (H.R.4173) requires the Federal Reserve Board to establish standards for debit card interchange fees and to prohibit exclusivity arrangements and routing restrictions. A final rule (Regulation II) was issued by the Federal Reserve Board on June 29, 2011. For more information on the ruling see the Federal Reserve Board release http://www.federalreserve.gov/newsevents/press/bcreg/20110629a.htm.
STMS Contract Renewal and Fee Revision – The merchant card services contract with STMS has been renewed for an additional year. The renewal provides for a revision of the vendor-levied “per transaction” fee, from $.04 to $.0425, effective July 1, 2011. The incremental increase of $.0025 is to offset PCI Data Security validation services provided to the participants. Refer to the memo at http://www.osc.nc.gov/SECP/11-51_Merchant_Cards_Contract_Renewal.pdf
IRS Code Section 6050W – The IRS has a new code that will result in card merchant agencies receiving a Form 1099-K in January 2012, for card transactions beginning January 1, 2011. In preparation for the receipt of the Form 1099-K, it is important that the card processors (i.e., STMS / First Data, American Express, and Discover) have the agency’s correct Tax Identification Number (TIN) and “legal name” (as on file with the IRS). Notices received from a card processor asking for the agency’s correct TIN and/or legal name should be responded to. Refer to the following link for additional information: http://www.irs.gov/govt/fslg/article/0,,id=226894,00.html
PCI Standards Version 2.0 - The PCI Security Standards Council has released Version 2.0 of both the PCI Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS). The new standards become effective January 1, 2011. More info can be viewed at https://www.pcisecuritystandards.org/pdfs/pr_101028_standards_2.0.pdf
Durbin Amendment – Federal legislation recently enacted (H.R.4173 - Wall Street Reform and Consumer Protection Act) has several provisions impacting government entities accepting credit and/or debit cards. Notable provisions that went into effect July 2010 are as follows: 1) A merchant can now set a minimum amount for which it will accept a credit card payment, provided the minimum amount does not exceed $10.00 (provision applies to all merchants, but does not apply to debit cards); 2) An institution of higher education (university or community college) can now set a maximum amount for which it will accept a credit card payment (provision does not apply to debit cards, or to general government agencies or local units of government); 3) All merchant agencies can now offer a discount for any given form of payment (e.g., provide a discount for paying by cash, check, or debit card versus credit card). Government entities should examine the federal legislation in detail, as there are additional requirements and/or exclusions that may apply when implementing any of the provisions referenced. See Durbin Amendment contained in the legislation (pages 693-699). http://www.sec.gov/about/laws/wallstreetreform-cpa.pdf
Schedule C Revision: The Fall 2010 “Association Interchange Compliance Guide” has been revised to incorporate the current fees levied by Visa, MasterCard, and the debit networks. Merchants should note the best “interchange rate” available to most public sector merchants remains the same: MasterCard “Enhanced Public Sector” – 1.55% plus $.10; and Visa “CPS Retail 2 Emerging Market” – 1.43% plus $.05. An agency may or may not qualify for the best interchange rate available, depending upon its capture method and the type of card being presented. The Assessment Fee for both brands is now .11%. See revised Schedule C for more information, including rates for the various PIN debit cards and other fees that may apply. These fees represent the “pass-through” fees associated with accepting merchant cards.
Card Program 10th Anniversary - July 1, 2010, marked the 10th anniversary of the statewide enterprise program that allowed agencies to accept merchant cards for payments. During the past three years, the volume has doubled, while over the past five years the volume has tripled. Transaction activity for the Fiscal Year ending June 30, 2010 showed that over 9 million card transactions, totaling nearly $800 million, were processed by various state agencies during the year.
Common Payment Service Fee Reduction - The per card transaction fee charged by the Common Payment Service (CPS) for processing card transactions has been reduced from $.035 to $.28. The 20% reduction was effective July 1, 2010 and will be reflected in the ITS August billing. This rate reduction demonstrates the economies of scale that can be achieved when agencies subscribe to an enterprise service.
Schedule C Revision: The Spring 2010 “Association Interchange Compliance Guide” has been revised to incorporate the current fees levied by Visa, MasterCard, and the debit networks. Merchants should note there are some minor fee increases for: 1) Some of the PIN debit networks; 2) MasterCard’s increase in the “assessment fee” from .095% to .11% per transaction amount, effective April 1, 2010; and 3) Visa’s increase in the “assessment fee” from .0925% to .11% per transaction amount, effective July 1, 2010. See revised Schedule C for more information.
Schedule C - The Spring 2010 “Association Interchange Compliance Guide” has been revised to incorporate the current fees levied by Visa, MasterCard, and the debit networks. Merchants should note there are some minor fee increases for: 1) Some of the PIN debit networks; and 2) MasterCard’s increase in the “assessment fee” from .095% to .1100% per transaction amount. See revised Schedule C for more information.
PCI-PTS Standard - Effective July 1, 2010, Visa will be enforcing the “PCI PIN Transaction Security (PCI-PTS) Standard.” The standard was first announced in 2008 and was previously known as the PIN Entry Device (PCI-PED) standard. The standard requires all POS terminals that accept PIN based debit cards to have triple DES encryption. For merchants purchasing new POS equipment in the last five years, this should not be an issue. All agencies accepting PIN based debit cards are advised to inspect their POS devices and ascertain if the terminals are compliant. Replacement of non-compliant POS terminals prior to July 1, 2010 will be necessary if PIN based debit cards are being accepted. Information on the standard can be found at the following link: https://www.pcisecuritystandards.org/security_standards/ped/index.shtml
|01/25/2010||8:15am||Visa Misuse Authorization Fee – Effective October 1, 2009, Visa began implementing a Misuse of Authorization System Fee at $0.045 per item. This fee applies to authorized transactions that are not followed by a matching Visa cleared (settled) transaction (or in the case of a canceled transaction, not properly reversed). The fee can be avoided by clearing (settling) your transactions within 10 days of authorization for all MCCs, with the exception of Travel & Entertainment Merchants which must clear within 20 days. If an authorization is not needed, the authorization must be electronically reversed within 24 hours for card present authorizations, or 72 hours for card-not-present authorizations.|
|11/01/2009||2:45pm||Effective October 1, 2009, the Diners Club Card is no longer being processed by MasterCard, but by Discover Financial Services. This is the result of Discover acquiring Diners Card International from Citi. The effect on a participating merchant will depend on whether the merchant currently subscribes to the Discover Network (i.e., accepts the Discover Card). A merchant that does not have an arrangement with Discover will find that the Diners Card International can no longer be processed through STMS (the processor of Visa and MasterCard transactions).|
|11/02/2009||8:00am||Trustwave Holdings, Inc. has been re-selected as the PCI Security Compliance Services vendor, with the new contract period being for three years, through October 2012. Trustwave will continue to provide remote validation services (online Self-Assessment Questionnaire) and external vulnerability scanning (for those having capture solutions with external facing IP addresses) to participating merchants under the STMS master services agreement. The OSC will continue to pay for these basic services provided by Trustwave. Participants requiring specific supplemental remediation services relating to PCI compliance can subscribe to such services from Trustwave on an optional basis.|
|07/29/2009||11:00am||The State Controller has issued an “IAT Rules Advisory” to alert and assist agencies that originate electronic payments through the ACH Network, regarding an important regulatory rule that becomes effective September 18, 2009. The advisory can be viewed at http://www.osc.nc.gov/SECP/SECP_IAT_Rules.html|
|05/05/2009||3:00pm||A series of webinars will be offered to participants of the merchant card contract regarding the online reporting tools – ClientLine and EIDS. The webinars are being held the last part of May. Enrollment information can be viewed at: http://www.osc.nc.gov/cpe/courses.html|
|04/20/2009||8:45am||The Spring 2009 fee schedules have been issued by Visa, MasterCard, and the debit networks. Merchants should note there are some significant fee increases for: 1) Some of the PIN debit networks, as the caps have been removed; and 2) Visa and MasterCard have each increased their “access fee,” which is now approximately $.02 per transaction. The fees take effect on various dates. See Merchant Card Fees document for more information.|
|04/06/2009||5:00pm||An optional gateway service is now available to participants of the STMS master services agreement, allowing participants to subscribe to the PayPoint gateway service, which offers a web capture solution for participants that do not have the internal expertise or resources to develop an internal web capture application of their own. View Information on the gateway service.|
|03/31/2009||3:00pm||The Common Payment Service (CPS) gateway will be unavailable for an extended period of time on Sunday, May 3, from 12:00 midnight until 12:00 noon. CPS will undergo annual maintenance to re-encrypt the CPS database with a new encryption key, a new requirement of the PCI Data Security Standard. Any questions regarding this event should be addressed to the ITS Service Desk at 919-754-6000 or 800-722-3946, with a reference to Change Request 9808.|
The gateway capture solution available under the STMS contract, previously known as “YourPay,” is now called “First Data Global Gateway.”
The First Data Global Gateway will be unavailable for several hours during the early morning hours of April 19. An outage is necessary to perform a scheduled migration of the Online and Settlement systems. It will affect all activities on the First Data Global Gateway including API, Connect, and the Virtual Terminal. Please contact your Account Specialist if you have any questions.
|01/22/2009||12:00pm||To assist agencies that utilize third-party “service providers” for processing merchant cards in ensuring compliance with the PCI Data Security Standard, OSC has prepared a document entitled, “PCI Data Security Validation for Service Providers.” The document references a “Sample Addendum for Requirement 12.8” for the agency’s potential use.|
|02/06/2008||8:00am||On February 6, 2008, the PCI Security Standards Council announced that its updated Self Assessment Questionnaire (SAQ) for merchants and service providers is now available. The updated SAQ reflects the requirements specified in the PCI Data Security Standard version 1.1. The new version of the SAQ actually has four different sub-versions (A, B, C, and D). The sub-version to be used by a merchant depends upon the manner in which the merchant processes merchant cards. Information on the updated SAQ can be found at the following link: https://www.pcisecuritystandards.org/tech/saq.htm|
|03/27/2008||4:00pm||The Office of the State Controller will hold its second annual E-Commerce Conference on April 23, 2007 at the McKimmon Center in Raleigh. The focus of the conference will be on assisting agencies in identifying how they can more fully participate in E-Commerce, for both disbursement and collection of funds. Registration information may be found at: http://qa.osc.nc.gov/cpe/courses.html|
The State Controller has entered into a master services agreement with Discover Network Card, under which agencies can participate on an optional basis. Enrollment will be available May 1.
The Office of Information Technology Services (ITS) has announced a 15% reduction in the fee that the Common Payment Service (CPS) charges for processing merchant card transactions. The per transaction fee has been reduced from $.41 to $.35, effective April 1, 2008.
|04/30/2008||10:05am||MyClientLine is currently experiencing problems and is unavailable. The problem is being worked on; however, at this time there is no current estimate for the resumption of normal service.|
|04/30/2008||1:00pm||MyClientLine is expected to be available again at 3pm.|
|04/30/2008||4:30pm||The State Controller has prepared and submitted to the General Assembly a report entitled, "Electronic Commerce Task Force Report - 2008." The report provides an assessment of the current environment and provides recommendations to expand ecommerce in state government.|
|06/23/2008||9:30am||An enhancement is being made to the utilization of the PCI Data Security "Compliance Validation Service” available through Trustwave, a qualified security assessor. Beginning in July 2008, all participants in the merchant card services MSA are required to be enrolled in the service, even if scanning services are not needed. Click here for information regarding the new process.|
|09/30/2008||2:40pm||Wachovia Connection is currently having technical difficulties. The problem is being worked on; however, at this time there is no current estimate for the resumption of normal service.|
The PCI Security Council has released version 1.2 of the PCI Data Security Standard. The policy and related information may be viewed at: https://www.pcisecuritystandards.org/
The State Controller issued a policy entitled, PCI Data Security Compliance, to assist participants in being and remaining compliant with the PCI Data Security Standard.
|10/01/2008||5:00pm||The following memorandum has been posted: PCI Data Security Compliance Policy|
|11/10/2008||11:30pm||OSC has changed its email convention. All email correspondence relating to the Statewide E-Commerce Program (SECP) should now be sent to firstname.lastname@example.org, replacing the suffix “@ncosc.net.” The new suffix applies to the email address of OSC staff members as well.|
|11/14/2008||9:50am||Webinars offered by the PCI Security Council are now available on the Council’s website: https://www.pcisecuritystandards.org/education/webinars.shtml.|
|12/10/2008||1:00pm||There is a credit card fraud scheme prevalent among non-profit organizations to which agencies may be susceptible. A document entitled "Fraud Detection Services for Card-Not-Present Transactions" can be viewed at: http://www.osc.nc.gov/SECP/Card_Fraud_Detection.pdf|
|01/19/2007||11:35am||A recent press announcement was made regarding a data security breach at a large retailer. The incident underscores the need for all businesses, including government agencies, to handle customer payment card data with the utmost vigilance. Being a member of the PCI Security Council, OSC fully supports the need for greater education and adherence to the PCI Data Security Standard (PCI DSS). Information regarding the PCI DSS can be found on the OSC site.|
|02/02/2007||3:10pm||The State Controller has entered into a master agreement with American Express, under which agencies can participate on an optional basis. Enrollment is now available.|
|02/08/2007||2:15pm||The State Controller has issued a new E-Commerce Policy entitled, "Merchant Cards Security Incident Plan." This policy should be adhered to when developing a security incident plan as required by the PCI Data Security Standard. All E-Commerce policies can be viewed at the following link:|
|03/07/2007||2:05pm||The State Controller has published a document entitled, "Statewide Electronic Commerce Program Status Report." The report has been provided to the State's leadership in order to identify issues requiring attention, which is necessary to help state government move closer to a paperless environment.|
|03/26/2007||4:25pm||The Office of the State Controller will hold its first E-Commerce Conference on May 7, 2007. The focus of the conference will be on assisting agencies in identifying how they can more fully participate in E-Commerce, for both disbursement and collection of funds. Registration information may be found at: http://qa.osc.nc.gov/cpe/courses.html|
|04/17/2007||11:30am||On April 13, 2007, a new "Schedule C - Visa and MasterCard's Interchange Qualification Data" becomes effective. A new component of the interchange pass through cost is a fee referred to as the "Visa and MasterCard Access Fees," which is $.0075 per settled transaction. The Access Fees have an April 1 effective date.|
|06/12/2007||5:00pm||The E-Commerce Policy entitled, "Maximization of Electronic Payments" has been revised, effective June 1, 2007. The revision recognizes new electronic payment solutions that are now available to agencies. The revision recognizes more options for an agency to consider for disbursements, including debit cards and payroll cards. The revision also allows the State Controller to pre-approve third-party gateway service providers that may be utilized to accommodate an agency's Web capture needs. The revised policy can be viewed at the following link: http://www.osc.nc.gov/SECP/SECP_Policies.html|
|10/02/2007||9:15am||On September 18, AmbironTrustWave (ATW), the State's contracted Qualified Security Assessor (QSA), announced the change of their brand name to Trustwave. Whenever documentation on OSC's website refers to ATW, it now refers to Trustwave.|
|10/23/2007||5:00pm||On October 12, 2007, a new "Schedule C - Visa and MasterCard's Interchange Qualification Data" becomes effective. See the link under the Merchant Card Master Services Agreement.|
The online tool provided by SunTrust Merchant Services called "MyMerchantView" is being replaced by a new online tool called "ClientLine." A series of Webinar sessions are being offered to explain ClientLine. The Webinars require registration.
|10/25/2007||11:15am||Wachovia Connection is currently unavailable. The problem is being worked on; however, at this time there is no current estimate for the resumption of normal service.|
|10/25/2007||1:15pm||Wachovia Connection is now available.|
|10/31/2007||4:00pm||The State Controller sent a memo to the chief fiscal officers of the three sectors of government regarding an E-Commerce Survey that is required to be completed. The memo can be viewed at the following site: http://www.osc.nc.gov/SECP/SECP_Task_Force.html|
|11/27/2007||2:30pm||The master services agreement with STMS has been amended to grant participants the option to truncate the cardholder account number that is printed on the merchant's copy of sales slips. The associated change has also been made to the policy entitled, "Security and Privacy of Data." Click here to view the State Controller's memo pertaining to this change.|
The SECP site has been redesigned to reflect the changes in the Master Services Agreement provider and to offer more information about the program.
|8/25/2006||3:00pm||Participants in the Master Services Agreement (MSA) for processing merchant cards have until October 31, 2006 to complete the tasks to transition to the new MSA with SunTrust Merchant Services. Three windows to convert have been established. The first window was from August 1 to August 25. The second window is from August 26 to September 26. The third window is from September 27 to October 26. Conversion by the 26th of a given month will result in the fees for that month being retroactive to the first day of that month. Delays in transitioning will result in a participant paying $.108 per transaction instead of $.04 per transaction.|
|8/30/2006||12:40pm||There have been some changes in OSC's help desk operation, which is now called "OSC Support Services Center." Two trained analysts will be taking calls pertaining to SECP and assisting the user. If there are issues that need to be escalated to a second level analyst, the caller will be given a HEAT ticket number and the issue will be sent to the next level for resolution. When calling the Support Services Center, telephone 919-875-HELP (4357), choose Option 2 for SECP issues.|
|9/26/2006||9:25am||A revised PCI Security Data Standard has been issued by the newly formed PCI Security Council. Version 1 has been enhanced and is being replaced by Version 1.1, effective September 7, 2006. There is a phase out period, and Version 1 may no longer be used for PCI DSS compliance validation after December 31, 2006.|
|10/17/2006||11:45am||Since the inception of the State's arrangements with SunTrust Merchant Services, STMS has issued several versions of its "Operating Guide," which is a critical component of the Master Services Agreement (MSA). The version of the Operating Guide that applies to participants of the State's MSA dated August 1, 2006 is version OPSG801. The Operating Guide can be viewed on the OSC SECP Website on the page entitled, "Merchant Card Master Services Agreement." As specified by Section 3 of the "Merchant Bankcard Services Agreement," all Participants are required to follow the procedures in the Operating Guide, and if there is any conflict between the terms of the "Merchant Bankcard Services Agreement" and the "Operating Guide," the terms of the Agreement will govern. Should a different version of the Operating Guide apply in the future, the revised Guide will be posted on the OSC SECP Website.|
|10/20/2006||9:45am||The State's old contract with STMS for merchant card services expires October 31. Participants not yet transitioned to the new contract put into place August 1 must have their enrollment forms in to OSC no later than October 26 in order to allow sufficient time for both OSC and DST to execute the forms prior to forwarding them to STMS. Forms received by this date will result in the new pricing schedule being effective retroactive to October 1. Forms received by OSC after October 26 but prior to October 31 will be processed, but the new pricing schedule will not become effective until November 1. Forms received after October 31 will be processed, but participants should be aware of the risk of services being discontinued by STMS. If problems with obtaining PCI compliance are being experienced, the enrollment forms should still be submitted by the October 26 date, so the forms can be processed by OSC and DST in a timely manner. Please contact OSC's Support Services Center at 919-875-4357 if assistance is needed in completing the enrollment forms.|
|11/03/2006||12:50pm||All enrollment forms to convert to the new MSA with STMS that were received by OSC on or prior to October 26 were processed, which should result in the invoicing for the month of October reflecting the new price of $.04 per transaction. Participants should inspect their October invoices received from STMS to ascertain that STMS set the account up properly. Participants should notify OSC if the invoices appear to be incorrect. Enrollment forms received by OSC after October 26 were processed with the new rate becoming effective November 1.|
|11/16/2006||10:00am||One of the negotiated enhancements of the new Master Services Agreement for merchant card processing was STMS agreeing to provide a second frame relay circuit as a backup connection for the Common Payment Service (CPS) gateway, instead of an ISDN line as the backup connection. Effective November 13, the new frame relay connection was put into place as the primary backup. As an extra measure of protection, the ISDN line will be retained as a secondary backup. This enhancement provides participants that use the CPS as their gateway with more reliability.|