1. Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
Credit and Debit Card Acceptance Policy and eTransact Informational Session December 3, 2009
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

2. Agenda Credit and Debit Card Acceptance and Electronic Commerce Policy
Why do we need a policy?
What is PCI DSS?
Highlights of the policy
Plan for validating PCI DSS compliance
Questions
eTransact
Overview of eTransact application
Benefits of using eTransact
How to get started
Questions

3. Why do we need a policy?
The use of credit and debit cards as the preferred method of payment continues to grow
Schools and departments increasingly want the ability to accept credit and debit cards, particularly by utilizing e-commerce (internet based transactions)
Policy provides the guidelines and expectations for schools and departments that accept credit and debit cards as a method of payment including the need for PCI DSS compliance

4. What is PCI DSS? Payment Card Industry Data Security Standard
It is a “set of comprehensive requirements developed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Inc. International, to facilitate the adoption of consistent data security measures on a global basis.”
The PCI DSS is intended to help organizations proactively protect customer account data.
The PCI DSS is managed by the PCI Security Standards Council. The Council will modify the PCI DSS as needed to keep pace with emerging payment security risks.

5. High Level Look at the PCI DSS Requirements
At its core, the PCI DSS is really based on the best practices surrounding network security and information security that departments and schools already follow

6. High Level Look at the SAQs
Self-assessment questionnaire – required annually
4 different SAQs, your business process will determine which SAQ you complete
A – 13 questions, 2 pages
B – 26 questions, 4 pages
C – 41 questions, 8 pages
D – 222 questions, 21 pages

7. Policy Highlights
Each school or department is responsible for policy compliance. A main contact responsible for compliance must sign the policy acknowledgement form and return to Cash and Credit Operations
Merchant ID numbers and/or electronic commerce capabilities must be obtained from Cash and Credit Operations. eTransact is the preferred method of processing electronic commerce transactions
Only the Controller’s Office can authorize the use of a convenience fee. The University does not accept credit or debit cards for tuition payments

8. Policy Highlights (cont.)
Complete annual PCI DSS questionnaire (SAQ)
Develop remediation plans for any compliance issues
Background checks for employees functioning as cashiers with access to one card number at a time while facilitating a transaction is a recommendation only
Background checks are required for employees with access to multiple card account numbers at one time
Review third party contracts for PCI DSS compliance
Report potential security breaches according to the Security Breach Response referenced in the policy
Read and enforce the twelve requirements of the PCI DSS

9. Plan for PCI DSS compliance
Finalized credit and debit card acceptance and e-commerce policy
Selected an approved scanning vendor (ASV) to perform required quarterly network scans (Coalfire)
Selected vendor for eTransact (CASHNet)
In 2010, we will require campus merchants to provide us with completed SAQs
Once, we have completed SAQs and quarterly scans, we will submit to our merchant bank to validate compliance
Questions?

10. eTransact

11. eTransact
eTransact is the preferred method of electronic commerce at the University. We have partnered with a PCI DSS compliant third party vendor to process credit and debit card transactions for the University.
Public Affairs has created a website for eTransact that can provide information to schools and departments as well as to customers.

12. Benefits of eTransact
Transactions processed through eTransact do not require receipt vouchers to be completed. There is a direct feed to AIS overnight to post the income to your general ledger account
Storefronts can be setup quickly with little use of your technology resources
Reporting tools, report groups, customizable pages
Unlimited license for storefronts and checkouts
With PayPal or Verisign there is a product and monthly cost
Fees are currently around 2%

13. Benefits of eTransact (cont.)
No monthly fee or cost to activate - normal credit card fees still apply
Two different types of applications possible
Storefront – website/application/form hosted on third party site
Checkout – website/application/form hosted on Washington University servers, but customer passed to third party to enter credit card data
Helps to achieve PCI DSS compliance by limiting the scope of PCI, keeping sensitive data off WU networks, and not storing cardholder data
Great for departments without a web presence or with limited technology resources
Reports can be delivered to a report group. Reports are available without having to login to the system

14. How to get started
Read the Credit and Debit Card Acceptance & Electronic Commerce Policy
Your department’s business manager (or equivalent) will be responsible for ensuring compliance with the policy and compliance with PCI DSS requirements
The business manager (or equivalent) must sign the acknowledgement at the end of the Credit Card Acceptance and Electronic Commerce Policy indicating their understanding of the requirements
Complete the application for merchant ID (PDF) found at and return to Cash and Credit Operations – Campus Box 1147

15. Examples and Current Status
Ten departments live with eTransact – five storefront and five checkout
Five departments under construction
Cashiering module is the next phase we will consider. This will allow similar processing only for point of sale machines as opposed to electronic commerce
Questions?