about the north carolina office of the state controller

Merchant Card Program Overview

What are the basic types of Merchant Cards?
  • Credit Cards
    • Bank Cards (Issued by a bank bearing a brand logo, e.g., Visa or MasterCard)
    • Travel & Entertainment (T&E) Cards (Proprietary Cards)
  • Debit Cards
    • PIN Debit (Issued by a bank having a switch network logo on the reverse) (card-present only)
    • PIN-less Debit (Issued by a bank having a switch network logo on the reverse (card-not-present only)
    • Signature Debit (Issued by a bank having a switch network logo on the reverse, but also bearing a credit card brand logo on the front)

What other types of cards are there?
  • Smart Cards (Contain embedded chip)
  • Electronic Benefits Transfer (EBT) Cards
  • Procurement Cards

Who are the players in a Merchant Card transaction?
  • Consumer / Cardholder - (Citizens or Taxpayer)
  • Merchant - State agency
  • Acquiring Processor - Facilitates authorization and settlement
  • Interchange Network - Credit Card Associations (i.e., Visa, MasterCard)
  • Card Issuing Bank - Bank that issued card to consumer
  • Merchant Bank - Depository Bank (e.g., State Treasurer’s bank)
  • Gateway Service - Middle party used to accommodate internet captured transactions

What are the basic types of Capture?
  • Card-Present
    • Credit or Debit
    • Point of Sale (POS)
    • ATM (Debit Cards)
    • Card is swiped, not keyed
    • Lower Risk / Lower Fees
  • Card Not-Present
    • Credit Card only
    • Mail Order / Telephone Order (MOTO)
    • Internet Order
    • Card info is keyed, not swiped
    • Higher Risk / Higher Fees

Who is the current OSC’s Master Services Agreement (MSA) with?
SunTrust Merchant Services, supported by First Data Merchant Services Corporation.
 

What types of bank accounts are needed to settle merchant card transactions?
  • For State Agency participants using the OSC’s MSA, each agency has a settlement account that is designated as a Zero Balance Account (ZBA). On settlement date, funds are credited to the account, with the total of the funds being swept to the State Treasurer’s account that night.
  • For non-State participants using the OSC’s MSA (e.g., local units of government), funds are credited to a settlement bank account controlled by the participant.

Who has the responsibility for reconciling settlement bank accounts?
It is the participant's responsibility to reconcile the bank accounts timely. Statements are sent directly to the participant monthly. Wachovia Connection can be used to reconcile on a more frequent basis.
 

What systems do participants use to view / reconcile transactions?
  • MyClientLine - Web-based system provided by First Data Merchant Services Corporation allowing the participant to view card activity. FDMS' Technical Support Services is the administrator, establishing users and assigning functions, and performing password maintenance. (Email: support@myclientline.net)
  • Electronic Integrated Dispute System (EIDS) - Web-based system provided by First Data Merchant Services Corporation allowing the participant to manage and respond to chargebacks. You must sign up for MyClientLine to also have EIDS. FDMS' Technical Support Services is the administrator, establishing users and assigning functions, and performing password maintenance. (Email: support@myclientline.net)
  • Wachovia Connection - Web-based system provided by Wachovia Bank allowing the participant to view settlement activity in the bank settlement account. For State Agency participants, OSC is the administrator, establishing agency users and assigning functions, and performing password maintenance. (Email: OSC.secp.info@ncosc.net)
  • Cash Management Control System (CMCS) - System provided by OSC to State agencies to report credit card deposits. Amounts reported are to be the total of the amount swept, as viewed on Wachovia Connection, one day after settlement.
  • Core Banking System - System provided by DST allowing State agencies to view their CIT bank account activity, which reflects both the daily amount swept to the State Treasurer's bank account and the daily amount certified by the agency on CMCS. (Email: CBS.Help@nctreasurer.com)
     

What types of fees are involved in Merchant Card processing?
  • Processing Fees (Invoiced monthly by SunTrust Merchant Services)
    • Interchange Fees - Passed on to Visa and MasterCard (Depends upon capture method and the "Merchant Category Code" assigned to the transaction.)
    • Assessment Fees - Passed on to Visa (.0925%) and MasterCard (.0950%)
    • Network Switch Fees - Applies to debit card transactions
    • Merchant Service Fees - Paid to SunTrust / First Data ($.04 per transaction)
  • Gateway Service Fees (If Applicable)
    • Common Payment Service ($.28 per authorization, void, return) Included on agency’s monthly ITS invoice.
    • PayPoint Gateway Service (Range $.30 - $.35 per transaction, plus $1,000.00 setup)
    • Other Third-party Gateway Service (As contracted)
  • Equipment and Supplies (POS terminals, etc.)
    • Can be purchased, rented or leased
    • Available from SunTrust Merchant Services
  • Depository Bank Fees (Maintenance, Deposit activity, online reporting, etc)
    • State agencies - Absorbed by DST
    • Non-State agencies - Per arrangements with bank
  • PCI Validation Service Fees
    • Annual Self-Assessment Questionnaire through Trustwave - Included in "per transaction fee" levied by STMS (Beginning July 2011)
    • Vulnerability Scanning of external facing IP addresses by Trustwave (if applicable) - included in "per transaction fee" levied by STMS (Beginning July 2011)
    • On-site security assessments or forensic investigation services that may be obtained under a SOW - Paid by the agency directly to Trustwave

What are Merchant Category Codes?
A Merchant Category Code (MCC) is a 4-digit classification code used by the bankcard industry to identify a merchant's predominant business activity.  It is assigned by the acquiring card processor and is used partially to determine the interchange rate (along with the capture method).  The best MCC for the State's participants are as follows: 1) Visa - 2038 CPS/Retail 2 (also referred to as Emerging Markets); 2) MasterCard - 3020 Public Sector.
 

How is funding made for Merchant card fees?
Participants are responsible for identifying funding sources prior to participating in the MSA. When General and Highway fund appropriations are to be used, the state entity must obtain approval from the Office of State Budget and Management (OSBM) on the availability of an appropriation. State agencies should refer to the OSC policy established pursuant to G.S. 147-86.22.
 

Can transaction fees be charged to consumers paying by merchant card?
Transactions fees may be charged only under certain conditions, pursuant to G.S. 66-58.12 and G.S. 147-86.22. Agencies desiring to charge consumers a fee (convenience fee), must adhere to the policy established by OSC, including abiding by all Visa and MasterCard association rules. Reference should be made to the policy.
  • Transaction fees can be charged:
    • For transactions initiated only through the Internet or other electronic means.
    • Must be approved by OSBM in consultation with the State CIO and Gov Opts.
    • Fees must be deposited to a special non-reverting budget code, and only be used for e- commerce initiatives and projects.
  • Transaction fees cannot be charged:
    • For transactions initiated face-to-face (i.e., POS terminals)
    • For mail order or telephone orders (MOTO)
  • Convenience fee rules vary from association to association.
    • Visa allows a convenience fee for "card-not-present" transactions if the fee is a "flat fee."  MasterCard, on the other hand, allows the convenience fee to be either a "flat" fee or a "percentage-based" fee.
    • In addition, Visa does not allow a fee to be charged for card-not-present transactions unless the same fee is charged for all transactions through the same channel (e.g., ACH bank drafts and card transactions initiated through the web).

Does the recently enacted Durbin Amendment allow an agency to charge different amounts based upon the form of payment?

The Durbin Amendment is the portion of the Wall Street Reform Act passed in 2010 that amended the “Electronic Funds Transfer Act,” and pertains primarily to debit card transactions, and to some extent credit card transactions.  One of the provisions of the Amendment is that a “payment card network shall not …. inhibit the ability of any person to provide a discount or in-kind incentive for payment by the use of cash, checks, debit cards, or credit cards…”  The Amendment specifies that “The term ‘discount’ means a reduction made from the price that customers are informed is the regular price; and does not include any means of increasing the price that customers are informed is the regular price.”  (Emphasis added)

The law’s definition of discount implies that the provision does not authorize the levying of a “convenience fee” which generally results in the increase in the regular price of a product or service.  The law specifically lists four “forms of payments” that are applicable.  All four forms of payments are those that can be initiated in a “face-to-face” transaction, while only two of the four can be initiated in a “card-not-present” transaction.  Not listed as a form of payment in the Durbin Amendment is an “ACH debit” (sometimes referred to as an E-check), a transaction type not covered under the “Electronic Funds Transfer Act,” but under the NACHA Operating Rules.  Bank regulators generally consider the term “cash” to be currency and coin (US or foreign).

Card brands generally interpret their rules based upon whether the transaction is a “card-present” transaction or a “card-not-present” transaction.  The brands will likely interpret the Durbin Amendment to apply only to card-present transactions, as neither “cash” nor “check” can be initiated as an online transaction.  The term “E-check” is an industry term that applies to an ACH debit, but is not a legal term used as a “form of payment.”  Consequently, agencies should be careful in interpreting the Durbin Amendment to either:  1) allow a convenience fee; or 2) to offer a discount for a form of payment that is not specifically authorized (i.e., ACH debit).

However, there is a pending lawsuit settlement between the US Department of Justice and several of the card brands that would recognize an ACH debit as an “other form of payment,” when applying a discount.  Should this settlement be approved by the courts, discounts (from the regular price) could potentially be offered for online transactions, as well as face-to-face transactions.  Additionally, the Durbin Amendment allows the Federal Reserve Bank to begin regulating fees for debit cards starting in 2012.  An agency should consult with its legal counsel before applying any of these referenced provisions.

Can travel and entertainment cards be accepted?
  • OSC issued a policy dated December 15, 2006 entitled, "Types of Merchant Cards Accepted," which addresses proprietary cards (e.g., American Express and Discover), also referred to as T&E cards. The policy specifies that a participant may accept proprietary cards, but must either enter into an agreement directly with the proprietary card company or participate under a master agreement that OSC may enter with the company.
  • The OSC policy allows each participant to make its own determination regarding which proprietary cards it will accept, and allows the participant to be selective as to which types of receipts it will accept proprietary cards.
  • On December 15, 2006, OSC entered into a master agreement with American Express (Amex). Reference should be made to the American Express Cards Overview section for information regarding enrollment with Amex.
  • On February 1, 2008, OSC entered into a master agreement with DFS Services, LLC (Discover Network). Reference should be made to the Discover Network Card Overview section for information regarding enrollment with Discover Network.
  • Participants receive a monthly invoice directly from the proprietary card company for the discount fees, which is in addition to the fee of $.04 per transaction charged by STMS for processing a proprietary card transaction.
  • Participants should be aware that settlement of the funds is normally two banking days after the card is processed, not “next day” settlement as is the case for Visa and MasterCard. The participant must develop procedures to accommodate any reconciliation irregularities that the delayed settlement causes.
  • If desired, STMS can block certain merchant numbers from processing T&E cards, to prevent inadvertent acceptance.

What are the different capture methods used for merchant cards?
All merchant card transactions captured by an agency must be transmitted to the merchant cards services provider.
  • POS Terminals
    • Stand-alone terminal – with analog telephone line
    • POS terminal using POS Software - on network & servers
  • Web-based – using CPS Gateway (Refer to CPS information)
    • Interface with agency’s Web application
    • Virtual Terminal Solution - For Mail Order and Telephone Order (MOTO)
  • Web-based with Consumer Interface – using PayPoint Gateway Solution
  • Web-based – using a Third-Party Gateway (Requires approval from OSC)
  • Yahoo! Store – NC@YourService

When is a gateway service not needed?
When the only capture solution offered by an agency is a Point of Service (POS) terminal, a gateway service is not needed, as the transmission is directly with the merchant card services provider.
 

When is the Common Payments Service (CPS) appropriate for use?
CPS is a service available through the Office of Information Technology Services (ITS), performing a gateway service. Merchant card transactions routed through CPS are submitted to the Merchant Card Service provider. Two options for merchant card processing are available through CPS:
  • Participants can transmit merchant card transactions captured via an agency-operated capture system (computer or web-base application).
  • Participants can transmit merchant card transactions captured through the CPS Virtual Terminal.

When is PayPoint suitable for use?

  • Agency desires to accept payments online, but does not have the internal resources and/or expertise to develop a comprehensive in-house web capture application
  • Agency desires to utilize a third-party gateway service provider to minimize (but not completely avoid) applicability of the PCI Data Security Standard requirements, primarily by avoiding the agency ever having to store cardholder data in the agency’s database
  • Agency desires to offer both the ACH bank draft payment option (E-Check), in addition to the card option
  • Agency has outstanding invoices (accounts receivable transactions) associated with payors, which are conducive to being authenticated online-real time, either on the agency’s website or on PayPoint’s website, before being accepted and transacted via PayPoint.

When is NC@Your Service appropriate for use?
The NC@YourService is a self-contained solution, provided by Yahoo! Stores, that is suited to the sale of commodities or goods, such as books, tickets, and registrations. The solution provides:
  • A catalog-based inventory.
  • Web capture of transactions.
  • Authorization of merchant card transactions with the MSA provider.
  • Settlement of the transactions with the MSA provider.

What is the PCI Data Security Standard?

The PCI Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures associated with credit card account data. This comprehensive standard is intended to help organizations proactively protect customer credit card account data that is either stored, processed, or transmitted. All merchants, regardless of the annual transaction volume (merchant level assigned), are required by the various card brands (i.e., Visa, MasterCard, American Express, Discover, and JCB) to follow the standard. Merchants not adhering to the standard are subject to substantial fines levied by the card associations. Each merchants is required to validate that it is complaint with the Standard, depending upon the card capture method it utilizes. Participants in the State's MSA with SunTrust Merchant Services are required to enroll in a service provided by Trustwave that facilitates the process of validating the participant's compliance. Reference should be made to the PCI Compliance web page that explains the Standard in more detail.
 

What merchant card data must never be stored?
It is never acceptable to retain or store magnetic stripe data subsequent to transaction authorization. It is never acceptable to retain or store the security code numbers (CVV2 or CVC2) subsequent to transaction authorization. Cardholder name, account number, and expiration date may be retained subsequent to transaction authorization, however the data must be encrypted. These are requirements of the PCI Security Data Standard.
 

What is the difference between a "chain" and an "outlet?"
The term "chain" refers to the "participant," and each participant is assigned a single "chain number" by STMS. The term "outlet" refers to either an operation, application, or division associated with the participant. A participant (chain) may have multiple outlets, with each outlet being assigned a "merchant number" by STMS. Generally, the transactions for all outlets (merchant numbers) associated with a chain settle into the same settlement bank account. STMS invoicing can be at either the merchant number level, or it can "roll-up" all merchant numbers to the chain level. Chain numbers and merchant numbers are both 12-digit numbers.
 

What are the differences between a "Merchant Number," a "Merchant ID," and a "Terminal ID?"
STMS assigns a 12-digit numeric number to each outlet, which is sometimes referred to as the "outlet number" and sometimes as the "merchant number." Additionally, STMS assigns one or two other identifiers that are associated with an outlet (merchant) number. These two identifiers are both 7 characters in length (alpha/numeric), and are assigned according to the "platform" the transactions are processed on at STMS:
  • Merchant ID (MID) - Associated with the capture method - Only one MID per merchant number.
     
  • Terminal ID (TID) - Associated with the capture device (terminal, application, or gateway) - Could be multiple TIDs per merchant number. In addition to the TID, a POS terminal will also be assigned a "terminal serial number."

Is a “Procurement Card” issued through the Department of Administration considered a merchant card?

A corporate card program allows for a branded card to be issued to a governmental agency thorough a financial institution to designated employees of the agency. Though it resembles and functions similar to a personal bank card, there are significant differences: 1) it is a corporate ‘purchasing’ or ‘procurement’ card rather than a ‘credit’ card; 2) full liability rests with the agency for payment to the financial institution for all transactions; and 3) it is assigned by the financial institution to a designated agency employee but is issued in the name of and on behalf of the agency. A corporate card is sometimes referred to as a “purchasing card” and sometimes as a “procurement card.” The State’s Procurement Card program is administered by the Division of Purchase and Contract (P&C) pursuant to G.S. 143-49(8), but is subject to policies issued by the State Controller relating to “disbursing” and “electronic payments.” Bank of America is the current procurement card vendor utilized by P&C.

What is the Card Account Updater (CAU) Service?
The Card Account Updater (CAU) Service is an optional service available from STMS. The service is designed for merchants that accept a large number of recurring payments for enrolled payors. Card information such as expiration dates, account numbers and closed accounts change regularly. These changes can be tracked and updated electronically in real-time eliminating the need for the merchant to directly contact customers for these exceptions. The service requires special registration directly with STMS. The servcie is generally involves a $500 registration fee, plus $.15 per matched update.