Straight Talk on Campus Commerce 2007 © 2007 TouchNet Information Systems, Inc. All rights reserved. TouchNet Confidential Information. Best Practices.

Presentation transcript:

Straight Talk on Campus Commerce: Best Practices In Campus-wide eCommerce

TouchNet
● Established in 1989
● Specializing in Self Service
● Serving Higher Education since 1993
● Specializes in Higher Education: 700 Users
● Partnerships: SunGard, Datatel, PeopleSoft
● Payment Card Industry (PCI) Certified
● Member of NACHA
● Foundation: Payment Gateway – Credit Card, ACH Engine, Debit Cards

Agenda
● Common Practices in eCommerce
● Discuss Best Practices
● Payment Card Industry (PCI) Standards
● Summary
● Questions and Maybe Some Answers

What are Your Commerce Initiatives?
● Tickets
● T-shirts
● Tuition
● Textbooks
● Donations
● Event Registration
● Non-Credit Classes
● Athletics
● Central Stores
● ACH (Electronic Checks)
● Electronic Billing
● Camps
● Parking
● Cashiering
● Fundraising
● More…

eCommerce Is More Than Tuition
● Athletics: Game Tickets, Logo Wear
● Alumni: Donations, Events
● Theatre: Tickets, Fund Raising
● Bookstore: Books, Merchandise
● Admissions: Application Fees
● Parking: Permits, Fines

Current Practices
● Multiple Payment Pages
● Multiple Security Burdens
● Disparate Systems
● Separate Reconciliation
● Rogue Processors
● Absence of a Central Administration

Common Practice: Typical Campus (diagram slide)

Best Practice: One Payment Engine for the Entire Enterprise
– Control: Peace of Mind; PCI Compliance
– Costs: Collective Volumes Reduce Costs
– Efficiency: Managing multiple systems drains time and resources
– Real-time Payment Processing
– Brand Management

Centralized Commerce Model (diagram slide)

Administrative Management (diagram slide)

Track Tender Types (diagram slide)

Best Practice: Campus Commerce Management
● Common Infrastructure: Sync In-line and Online Channels
● Process Payments from a Variety of Departments and Systems
● Single & Recurring Payments
● Manage Processing and Reconciliation Costs
● Leverage Existing Business Applications
● Compliance Control:
– PCI, FERPA, GLB, PABP, NACHA
● Central Accountancy: Integration with Finance Systems

Simplifying Campus Commerce (diagram: Single Gateway, Secure Payment Processing, Single Framework; Needed Websites, Store, Existing Websites, Pay)

Sample of School Shopping Site (diagram: The “Mall” View, The “Store” View)

Integrating Payment Functionality to an Existing Web Site (diagram: Existing Web Page → Link out to a Secure Payment Page)

Best Practice: Operations
Centralized Control / Decentralized Management
– Common Technical Environment
– Reduces IT Overhead
– Individual Departments Manage Online Presence
– Able to serve existing web applications

Best Practice: Embrace PCI
● Understand the Requirements
● Face Reality: Your Merchants Have Issues
● Accept Responsibility: Form A Team
● Create eCommerce Policy
● Identify & Educate Campus Merchants
● Raise Awareness
● Set Requirements for Campus Merchants
● Budget (work into current projects)

PCI Merchant Levels
Merchant Level 1
● Any merchant, regardless of acceptance channel, processing over 6,000,000 transactions per year.
● Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
● Any merchant that any of the Payment Card Brands, at their sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the respective card system.
Merchant Level 2
● Any merchant processing 150,000 to 6,000,000 e-commerce transactions per year.
Merchant Level 3
● Any merchant processing 20,000 to 150,000 e-commerce transactions per year.
Merchant Level 4
● Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 6,000,000 transactions per year.

Face Reality… “Your campus merchants have issues!”
● Single Location or Multiple Campuses
● Tens or Hundreds of Merchant IDs
● Unknown online activity
● Multiple Payment Methods
● Multiple Banking/Processor Relationships
● Multiple Payment Gateways in use
● Little to no knowledge of PCI requirements

Accept Responsibility: Form a Project Team
● Treasurer
● Controller
● Bursar
● IT
Appoint a Team Leader

Create eCommerce Policy
● If starting from scratch
– Look for examples online
– Ask your favorite listserv
● If one currently exists
– Include PCI requirements

Identify & Educate Campus Merchants
● Identify Merchants
– Include Online and In-line Merchants
– Across the entire enterprise
  ▪ ERP Systems: SIS, Finance
  ▪ Departments: Athletics, Alumni, Theatre, etc.
● Survey Merchants
● Google your “.edu” domain

Raise Awareness
● Get the word out…
– Newsletters
– Meetings
– Advertisements
– Broadcast
● Fear Factor – show them why...

Why the Control? The Headlines! (PCI – #1 ISSUE)
● Two West Coast Universities
– 178,000 former and current students, applicants and employees
– 59,000 students, staff and faculty
● Three Northeast Schools
– 2,100 students, alumni and professors
– 120,000 individuals
● Two Southwest Universities
– 5,000 International Students
– 55,200 students, faculty and staff
● Two Southern Universities
– 30,000 students, faculty and staff
– 57,000 patrons of the Arts & Theater

Why Should You Care? (PCI – #1 ISSUE; chart slide)
Source: Privacy Rights Clearinghouse, Feb. 15, 2005 through June 14,

Merchant Liability for improper storage of credit card data
● If cardholder data is compromised, you may be subject to the following liabilities and fines associated with non-compliance:
– Potential fines of up to $500,000
– All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward
– Cost of re-issuing cards associated with the compromise
– Cost of any additional fraud prevention/detection activities required by the card associations (e.g., a forensic audit) or costs incurred by credit card issuers associated with the compromise
– Average cost of rectifying a breach = $2 Million (Ambiron TrustWave)

Design Enterprise Architecture
● Standardize – Build or Buy a Gateway as a foundation for campus commerce
– Enterprise Payment Gateway
– PCI Self Assessment or Certified Provider
– Consolidate Acquiring Banks and Processors
– Open to campus vendors, i.e., Parking, Collections, Alumni, etc.

Self Assessment Questionnaire
● Complete PCI Internal Assessment
● 10 Pages (Microsoft Word format)
● 12 Requirements

PCI Data Security Standards (often referred to as the “Digital Dozen”)
1. Install and maintain a working firewall
2. Do not use vendor-supplied default passwords
3. Protect stored data
4. Encrypt data sent across public networks
5. Use and update anti-virus software
6. Develop and maintain secure systems and applications

PCI Data Security Standards (continued)
7. Restrict access to data by “need to know”
8. Assign unique ID to each person with access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security


What’s One More Certification? (PCI – #1 ISSUE)
Payment Application Best Practices [PABP]

Best Practices: Summary
● One Payment Engine for Enterprise
● Consolidate ALL Payments
● Control and Manage Costs
● PCI Preparedness
● Conduct Self Assessments
● Create Awareness
● Form a Team
● Educate Merchants
● Document, document, document

Questions? Thank you!
Dave Swan, Regional Manager, TouchNet Information Systems