Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations Credit and Debit Card Acceptance Policy and eTransact Informational Session December 3, 2009 Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
Agenda Credit and Debit Card Acceptance and Electronic Commerce Policy Why do we need a policy? What is PCI DSS? Highlights of the policy Plan for validating PCI DSS compliance Questions eTransact Overview of eTransact application Benefits of using eTransact How to get started Questions
Why do we need a policy? The use of credit and debit cards as the preferred method of payment continues to grow Schools and departments increasingly want the ability to accept credit and debit cards, particularly by utilizing e-commerce (internet based transactions) Policy provides the guidelines and expectations for schools and departments that accept credit and debit cards as a method of payment including the need for PCI DSS compliance
What is PCI DSS? Payment Card Industry Data Security Standard It is a “set of comprehensive requirements developed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Inc. International, to facilitate the adoption of consistent data security measures on a global basis.” www.pcisecuritystandards.org The PCI DSS is intended to help organizations proactively protect customer account data. The PCI DSS is managed by the PCI Security Standards Council. The Council will modify the PCI DSS as needed to keep pace with emerging payment security risks.
High Level Look at the PCI DSS Requirements At its core, the PCI DSS is really based on the best practices surrounding network security and information security that departments and schools already follow
High Level Look at the SAQs Self-assessment questionnaire – required annually 4 different SAQs, your business process will determine which SAQ you complete A – 13 questions, 2 pages B – 26 questions, 4 pages C – 41 questions, 8 pages D – 222 questions, 21 pages
Policy Highlights Each school or department is responsible for policy compliance. A main contact responsible for compliance must sign the policy acknowledgement form and return to Cash and Credit Operations Merchant ID numbers and/or electronic commerce capabilities must be obtained from Cash and Credit Operations. eTransact is the preferred method of processing electronic commerce transactions Only the Controller’s Office can authorize the use of a convenience fee. The University does not accept credit or debit cards for tuition payments
Policy Highlights (cont.) Complete annual PCI DSS questionnaire (SAQ) Develop remediation plans for any compliance issues Background checks for employees functioning as cashiers with access to one card number at a time while facilitating a transaction is a recommendation only Background checks are required for employees with access to multiple card account numbers at one time Review third party contracts for PCI DSS compliance Report potential security breaches according to the Security Breach Response referenced in the policy Read and enforce the twelve requirements of the PCI DSS
Plan for PCI DSS compliance Finalized credit and debit card acceptance and e-commerce policy Selected an approved scanning vendor (ASV) to perform required quarterly network scans (Coalfire) Selected vendor for eTransact (CASHNet) In 2010, we will require campus merchants to provide us with completed SAQs Once, we have completed SAQs and quarterly scans, we will submit to our merchant bank to validate compliance Questions?
eTransact www.wustl.edu/etransact
eTransact eTransact is the preferred method of electronic commerce at the University. We have partnered with a PCI DSS compliant third party vendor to process credit and debit card transactions for the University. Public Affairs has created a website for eTransact that can provide information to schools and departments as well as to customers. www.wustl.edu/etransact
Benefits of eTransact Transactions processed through eTransact do not require receipt vouchers to be completed. There is a direct feed to AIS overnight to post the income to your general ledger account Storefronts can be setup quickly with little use of your technology resources Reporting tools, report groups, customizable pages Unlimited license for storefronts and checkouts With PayPal or Verisign there is a product and monthly cost Fees are currently around 2% www.wustl.edu/etransact
Benefits of eTransact (cont.) No monthly fee or cost to activate - normal credit card fees still apply Two different types of applications possible Storefront – website/application/form hosted on third party site Checkout – website/application/form hosted on Washington University servers, but customer passed to third party to enter credit card data Helps to achieve PCI DSS compliance by limiting the scope of PCI, keeping sensitive data off WU networks, and not storing cardholder data Great for departments without a web presence or with limited technology resources Reports can be delivered to a report group. Reports are available without having to login to the system www.wustl.edu/etransact
How to get started Read the Credit and Debit Card Acceptance & Electronic Commerce Policy Your department’s business manager (or equivalent) will be responsible for ensuring compliance with the policy and compliance with PCI DSS requirements The business manager (or equivalent) must sign the acknowledgement at the end of the Credit Card Acceptance and Electronic Commerce Policy indicating their understanding of the requirements Complete the application for merchant ID (PDF) found at http://www.cashandcredit.wustl.edu/campuscommerce.html and return to Cash and Credit Operations – Campus Box 1147
Examples and Current Status Ten departments live with eTransact – five storefront and five checkout Five departments under construction Cashiering module is the next phase we will consider. This will allow similar processing only for point of sale machines as opposed to electronic commerce www.wustl.edu/etransact Questions?