1 Credit and Debit Card Acceptance Policy and eTransact Informational Session
December 3, 2009
Presented by: Vivian Eberhardt, Supervisor, Cash and Credit Operations
2 Agenda
Credit and Debit Card Acceptance and Electronic Commerce Policy
- Why do we need a policy?
- What is PCI DSS?
- Highlights of the policy
- Plan for validating PCI DSS compliance
- Questions
eTransact
- Overview of the eTransact application
- Benefits of using eTransact
- How to get started
- Questions
3 Why do we need a policy?
- The use of credit and debit cards as the preferred method of payment continues to grow.
- Schools and departments increasingly want the ability to accept credit and debit cards, particularly through e-commerce (internet-based transactions).
- The policy provides the guidelines and expectations for schools and departments that accept credit and debit cards as a method of payment, including the need for PCI DSS compliance.
4 What is PCI DSS?
Payment Card Industry Data Security Standard. It is a “set of comprehensive requirements developed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to facilitate the adoption of consistent data security measures on a global basis.”
- The PCI DSS is intended to help organizations proactively protect customer account data.
- The PCI DSS is managed by the PCI Security Standards Council. The Council modifies the PCI DSS as needed to keep pace with emerging payment security risks.
5 High Level Look at the PCI DSS Requirements
At its core, the PCI DSS is based on the network security and information security best practices that departments and schools already follow.
6 High Level Look at the SAQs
- Self-assessment questionnaire (SAQ), required annually.
- There are 4 different SAQs; your business process determines which SAQ you complete (the eligibility criteria below are those of the SAQ version in effect at the time of this presentation):
  - A – 13 questions, 2 pages (card-not-present merchants with all cardholder data functions outsourced)
  - B – 26 questions, 4 pages (imprint-only or standalone dial-out terminal merchants, no electronic cardholder data storage)
  - C – 41 questions, 8 pages (payment application systems connected to the internet, no electronic cardholder data storage)
  - D – 222 questions, 21 pages (all other merchants)
7 Policy Highlights
- Each school or department is responsible for policy compliance. A main contact responsible for compliance must sign the policy acknowledgement form and return it to Cash and Credit Operations.
- Merchant ID numbers and/or electronic commerce capabilities must be obtained from Cash and Credit Operations. eTransact is the preferred method of processing electronic commerce transactions.
- Only the Controller’s Office can authorize the use of a convenience fee.
- The University does not accept credit or debit cards for tuition payments.
8 Policy Highlights (cont.)
- Complete the annual PCI DSS self-assessment questionnaire (SAQ).
- Develop remediation plans for any compliance issues.
- Background checks for employees functioning as cashiers, who have access to only one card number at a time while facilitating a transaction, are a recommendation only.
- Background checks are required for employees with access to multiple card account numbers at one time.
- Review third-party contracts for PCI DSS compliance.
- Report potential security breaches according to the Security Breach Response procedure referenced in the policy.
- Read and enforce the twelve requirements of the PCI DSS.
9 Plan for PCI DSS compliance
- Finalized the credit and debit card acceptance and e-commerce policy.
- Selected an approved scanning vendor (ASV) to perform the required quarterly external network vulnerability scans (Coalfire).
- Selected the vendor for eTransact (CASHNet).
- In 2010, we will require campus merchants to provide us with completed SAQs.
- Once we have the completed SAQs and quarterly scans, we will submit them to our merchant bank to validate compliance.
Questions?
11 eTransact
eTransact is the preferred method of electronic commerce at the University. We have partnered with a PCI DSS compliant third-party vendor to process credit and debit card transactions for the University. Public Affairs has created a website for eTransact that provides information to schools and departments as well as to customers.
12 Benefits of eTransact
- Transactions processed through eTransact do not require receipt vouchers to be completed. There is a direct feed to AIS overnight to post the income to your general ledger account.
- Storefronts can be set up quickly with little use of your technology resources.
- Reporting tools, report groups, customizable pages.
- Unlimited license for storefronts and checkouts. With PayPal or Verisign there is a product cost and a monthly cost.
- Fees are currently around 2%.
13 Benefits of eTransact (cont.)
- No monthly fee or cost to activate; normal credit card fees still apply.
- Two different types of application are possible:
  - Storefront – website/application/form hosted on the third-party site.
  - Checkout – website/application/form hosted on Washington University servers, but the customer is passed to the third party to enter credit card data, so card numbers are never entered on a University-hosted page.
- Helps to achieve PCI DSS compliance by limiting the PCI scope, keeping sensitive data off WU networks, and not storing cardholder data.
- Great for departments without a web presence or with limited technology resources.
- Reports can be delivered to a report group. Reports are available without having to log in to the system.
14 How to get started
- Read the Credit and Debit Card Acceptance & Electronic Commerce Policy.
- Your department’s business manager (or equivalent) will be responsible for ensuring compliance with the policy and with the PCI DSS requirements.
- The business manager (or equivalent) must sign the acknowledgement at the end of the Credit Card Acceptance and Electronic Commerce Policy, indicating their understanding of the requirements.
- Complete the application for merchant ID (PDF) found at and return it to Cash and Credit Operations – Campus Box 1147.
15 Examples and Current Status
- Ten departments are live with eTransact: five storefront and five checkout.
- Five departments are under construction.
- The cashiering module is the next phase we will consider. It will allow similar processing, but for point-of-sale machines as opposed to electronic commerce.
Questions?