SECP News/System Status
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users. The guidance educates merchants on the factors and risks that need to be addressed in order to protect card data when using mobile devices, such as smart phones and tablets, to accept payments.
PCI SECURITY STANDARDS COUNCIL RELEASES GUIDANCE FOR MERCHANTS ON MOBILE PAYMENT ACCEPTANCE SECURITY:
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG). Businesses deploying cloud technology can use this resource as a guide for choosing solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance.
PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS CLOUD COMPUTING GUIDELINES:
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES:
|02/06/2008||8:00am||On February 6, 2008, the PCI Security Standards Council announced that its updated Self Assessment Questionnaire (SAQ) for merchants and service providers is now available. The updated SAQ reflects the requirements specified in the PCI Data Security Standard version 1.1. The new version of the SAQ actually has four different sub-versions (A, B, C, and D). The sub-version to be used by a merchant depends upon the manner in which the merchant processes merchant cards. Information on the updated SAQ can be found at the following link: https://www.pcisecuritystandards.org/tech/saq.htm|
|03/27/2008||4:00pm||The Office of the State Controller will hold its second annual E-Commerce Conference on April 23, 2007 at the McKimmon Center in Raleigh. The focus of the conference will be on assisting agencies in identifying how they can more fully participate in E-Commerce, for both disbursement and collection of funds. Registration information may be found at: http://qa.osc.nc.gov/cpe/courses.html|
The State Controller has entered into a master services agreement with Discover Network Card, under which agencies can participate on an optional basis. Enrollment will be available May 1.
The Office of Information Technology Services (ITS) has announced a 15% reduction in the fee that the Common Payment Service (CPS) charges for processing merchant card transactions. The per transaction fee has been reduced from $.41 to $.35, effective April 1, 2008.
|04/30/2008||10:05am||MyClientLine is currently experiencing problems and is unavailable. The problem is being worked on; however, at this time there is no current estimate for the resumption of normal service.|
|04/30/2008||1:00pm||MyClientLine is expected to be available again at 3pm.|
|04/30/2008||4:30pm||The State Controller has prepared and submitted to the General Assembly a report entitled, "Electronic Commerce Task Force Report - 2008." The report provides an assessment of the current environment and provides recommendations to expand ecommerce in state government.|
|06/23/2008||9:30am||An enhancement is being made to the utilization of the PCI Data Security "Compliance Validation Service" available through Trustwave, a qualified security assessor. Beginning in July 2008, all participants in the merchant card services MSA are required to be enrolled in the service, even if scanning services are not needed. Click here for information regarding the new process.|
|09/30/2008||2:40pm||Wachovia Connection is currently having technical difficulties. The problem is being worked on; however, at this time there is no current estimate for the resumption of normal service.|
The PCI Security Council has released version 1.2 of the PCI Data Security Standard. The policy and related information may be viewed at: https://www.pcisecuritystandards.org/
The State Controller issued a policy entitled, PCI Data Security Compliance, to assist participants in being and remaining compliant with the PCI Data Security Standard.
|10/01/2008||5:00pm||The following memorandum has been posted: PCI Data Security Compliance Policy|
|11/10/2008||11:30pm||OSC has changed its email convention. All email correspondence relating to the Statewide E-Commerce Program (SECP) should now be sent to firstname.lastname@example.org, replacing the suffix “@ncosc.net.” The new suffix applies to the email address of OSC staff members as well.|
|11/14/2008||9:50am||Webinars offered by the PCI Security Council are now available on the Council’s website: https://www.pcisecuritystandards.org/education/webinars.shtml.|
|12/10/2008||1:00pm||There is a credit card fraud scheme prevalent among non-profit organizations to which agencies may be susceptible. A document entitled "Fraud Detection Services for Card-Not-Present Transactions" can be viewed at: http://www.osc.nc.gov/SECP/Card_Fraud_Detection.pdf|
|01/19/2007||11:35am||A recent press announcement was made regarding a data security breach at a large retailer. The incident underscores the need for all businesses, including government agencies, to handle customer payment card data with the utmost vigilance. Being a member of the PCI Security Council, OSC fully supports the need for greater education and adherence to the PCI Data Security Standard (PCI DSS). Information regarding the PCI DSS can be found on the OSC site.|
|02/02/2007||3:10pm||The State Controller has entered into a master agreement with American Express, under which agencies can participate on an optional basis. Enrollment is now available.|
|02/08/2007||2:15pm||The State Controller has issued a new E-Commerce Policy entitled, "Merchant Cards Security Incident Plan." This policy should be adhered to when developing a security incident plan as required by the PCI Data Security Standard. All E-Commerce policies can be viewed at the following link:|
|03/07/2007||2:05pm||The State Controller has published a document entitled, "Statewide Electronic Commerce Program Status Report." The report has been provided to the State's leadership in order to identify issues requiring attention, which is necessary to help state government move closer to a paperless environment.|
|03/26/2007||4:25pm||The Office of the State Controller will hold its first E-Commerce Conference on May 7, 2007. The focus of the conference will be on assisting agencies in identifying how they can more fully participate in E-Commerce, for both disbursement and collection of funds. Registration information may be found at: http://qa.osc.nc.gov/cpe/courses.html|
|04/17/2007||11:30am||A new "Schedule C - Visa and MasterCard's Interchange Qualification Data" becomes effective April 13, 2007. A new component of the interchange pass through cost is a fee referred to as the "Visa and MasterCard Access Fees," which is $.0075 per settled transaction. The Access Fees have an April 1 effective date.|
|06/12/2007||5:00pm||The E-Commerce Policy entitled, "Maximization of Electronic Payments" has been revised, effective June 1, 2007. The revision recognizes new electronic payment solutions that are now available to agencies. The revision recognizes more options for an agency to consider for disbursements, including debit cards and payroll cards. The revision also allows the State Controller to pre-approve third-party gateway service providers that may be utilized to accommodate an agency's Web capture needs. The revised policy can be viewed at the following link: http://www.osc.nc.gov/SECP/SECP_Policies.html|
|10/02/2007||9:15am||On September 18, AmbironTrustWave (ATW), the State's contracted Qualified Security Assessor (QSA) announced the change of their brand name to Trustwave. Whenever documentation on OSC's website refers to ATW, it now refers to Trustwave.|
|10/23/2007||5:00pm||A new "Schedule C - Visa and MasterCard's Interchange Qualification Data" becomes effective October 12, 2007. See the link under the Merchant Card Master Services Agreement.|
The online tool provided by SunTrust Merchant Services called "MyMerchantView" is being replaced by a new online tool called "ClientLine." A series of Webinar sessions is being offered to explain ClientLine. The Webinars require registration.
|10/25/2007||11:15am||Wachovia Connection is currently unavailable. The problem is being worked on; however, at this time there is no current estimate for the resumption of normal service.|
|10/25/2007||1:15pm||Wachovia Connection is now available.|
|10/31/2007||4:00pm||The State Controller sent a memo to the chief fiscal officers of the three sectors of government regarding an E-Commerce Survey that is required to be completed. The memo can be viewed at the following site: http://www.osc.nc.gov/SECP/SECP_Task_Force.html|
|11/27/2007||2:30pm||The master services agreement with STMS has been amended to grant participants the option to truncate the cardholder account number that is printed on the merchant's copy of sales slips. The associated change has also been made to the policy entitled, "Security and Privacy of Data." Click here to view the State Controller's memo pertaining to this change.|
The SECP site has been redesigned to reflect the changes in the Master Services Agreement provider and to offer more information about the program.
|8/25/2006||3:00pm||Participants in the Master Services Agreement (MSA) for processing merchant cards have until October 31, 2006 to complete the tasks to transition to the new MSA with SunTrust Merchant Services. Three windows to convert have been established. The first window was from August 1 to August 25. The second window is from August 26 to September 26. The third window is from September 27 to October 26. Conversion by the 26th of a given month will result in the fees for that month being retroactive to the first day of that month. Delays in transitioning will result in a participant paying $.108 per transaction instead of $.04 per transaction.|
|8/30/2006||12:40pm||There have been some changes in OSC's help desk operation, which is now called "OSC Support Services Center." Two trained analysts will be taking calls pertaining to SECP and assisting the user. If there are issues that need to be escalated to a second level analyst, the caller will be given a HEAT ticket number and the issue will be sent to the next level for resolution. When calling the Support Services Center, telephone 919-875-HELP (4357), choose Option 2 for SECP issues.|
|9/26/2006||9:25am||A revised PCI Security Data Standard has been issued by the newly formed PCI Security Council. Version 1 has been enhanced and is being replaced by Version 1.1, effective September 7, 2006. There is a phase out period, and Version 1 may no longer be used for PCI DSS compliance validation after December 31, 2006.|
|10/17/2006||11:45am||Since the inception of the State's arrangements with SunTrust Merchant Services, STMS has issued several versions of its "Operating Guide," which is a critical component of the Master Services Agreement (MSA). The version of the Operating Guide that applies to participants of the State's MSA dated August 1, 2006 is version OPSG801. The Operating Guide can be viewed on the OSC SECP Website on the page entitled, "Merchant Card Master Services Agreement." As specified by Section 3 of the "Merchant Bankcard Services Agreement," all Participants are required to follow the procedures in the Operating Guide, and if there is any conflict between the terms of the "Merchant Bankcard Services Agreement" and the "Operating Guide," the terms of the Agreement will govern. Should a different version of the Operating Guide apply in the future, the revised Guide will be posted on the OSC SECP Website.|
|10/20/2006||9:45am||The State's old contract with STMS for merchant card services expires October 31. Participants not yet transitioned to the new contract put into place August 1 must have their enrollment forms in to OSC no later than October 26 in order to allow sufficient time for both OSC and DST to execute the forms prior to forwarding them to STMS. Forms received by this date will result in the new pricing schedule being effective retroactive to October 1. Forms received by OSC after October 26 but prior to October 31 will be processed, but the new pricing schedule will not become effective until November 1. Forms received after October 31 will be processed, but participants should be aware of the risk of services being discontinued by STMS. If problems with obtaining PCI compliance are being experienced, the enrollment forms should still be submitted by the October 26 date, so the forms can be processed by OSC and DST in a timely manner. Please contact OSC's Support Services Center at 919-875-4357 if assistance is needed in completing the enrollment forms.|
|11/03/2006||12:50pm||All enrollment forms to convert to the new MSA with STMS that were received by OSC on or prior to October 26 were processed, which should result in the invoicing for the month of October reflecting the new price of $.04 per transaction. Participants should inspect their October invoices received from STMS to ascertain that STMS set the account up properly. Participants should notify OSC if the invoices appear to be incorrect. Enrollment forms received by OSC after October 26 were processed with the new rate becoming effective November 1.|
|11/16/2006||10:00am||One of the negotiated enhancements of the new Master Services Agreement for merchant card processing was STMS agreeing to provide a second frame relay circuit as a backup connection for the Common Payment Service (CPS) gateway, instead of an ISDN line as the backup connection. Effective November 13, the new frame relay connection was put into place as the primary backup. As an extra measure of protection, the ISDN line will be retained as a secondary backup. This enhancement provides participants that use the CPS as their gateway with more reliability.|