University of North Carolina at Chapel Hill
Service Level Agreement
Credit Card Merchant Services - Internet Common Payment Service

Merchant Name: ________________________________________________________

Table of Contents:

1. Overview
   1.1. Statement of Intent
   1.2. Service Level Agreement Review Dates
2. Service Description
3. Responsibilities
   3.1. Merchant Responsibilities
   3.2. Accounting Services – Cash Manager Responsibilities
   3.3. ITS – SIS Group Responsibilities
   3.4. ITS Responsibilities
   3.5. ITS – Security Responsibilities
   3.6. Control Center (CC) Responsibilities
   3.7. ITS Response Center (ITRC) Responsibilities
4. Attachments
5. Contacts
6. Signatures
7. Terms


Dated 07/12/2006

1. Overview

1.1 Statement of Intent

This Service Level Agreement with attachments documents the agreement between the Finance Division, Information Technology Services (ITS) and UNC Departments. Functional and technical roles and responsibilities will be defined for the Finance Division, ITS and UNC Departments that accept credit cards as an acceptable form of payment for goods or services such as application or registration fees. These departments will be set up with credit card merchant accounts. The Department’s customized internet applications will interface with SIS CPS. SIS CPS will interface and access the payment processing services of the State – Common Payment Service (CPS).

1.2 Service Level Agreement Review Dates

Current Review: Month, 2006
Next Review: Month, 2007


2. Service Description

- The NC Office of the State Controller (OSC) is statutorily charged with administering the State’s Electronic Commerce and Payments Program (SECPP), which includes merchant credit card services through the Common Payment Service (see http://www.ncga.state.nc.us/Sessions/1999/Bills/Senate/PDF/S222v7.pdf and http://www.ncosc.net/SECP/SECP_Policies.html).
- The OSC and Finance Division provide a centralized credit card payment option to all University units through the State’s Common Payment Service system. The cost of providing the service is recharged to the individual departments.
- The Common Payment Service (CPS), a payment gateway, is a shared service that enables University applications to interface and access the payment processing services of the State.
- The State of North Carolina uses the payment processing service provided by SunTrust Merchant Services (STMS), a partnership between SunTrust Bank and First Data Merchant Services (FDMS) to process payments received by credit card. Cards accepted are Visa, MasterCard and Diner’s Club. Merchant sales information is transmitted to FDMS. FDMS receives authorization and then payment from the cardholder’s bank. FDMS then deposits these payments into the State Treasury Account at the State’s Depository Bank (Wachovia) and transmits a daily electronic file that summarizes this activity.
- A department, unit or organization is approved by both the Office of the State Controller and the Finance Division before they are set up as a merchant.
- Electronic reporting is provided through the State’s CPS VCCT web-based application. This tool allows Merchants to reconcile their credit card transactions daily. Information on Merchant Credit Cards through the Common Payment Service is available at http://www.ncosc.net/SECP/SECP_CPS.html.


3. Responsibilities

3.1 Merchant Responsibilities

A. Set Up

The first step is to get approval from the Controller’s Office and complete the Merchant Service Level Agreement form.

- To become a Credit Card Merchant, a department, unit or organization must fill out the following forms (http://www.ncosc.net/EPP/Enroll/index.htm):
  1. Statement of Requirements for Electronic Payment Acceptance & Processing form provided by OSC (http://www.ncosc.net/EPP/Enroll/ACH_Forms/EC_SOR.doc)
  2. Outlet Account Set-Up (http://www.ncosc.net/EPP/Template/Outlet_Account_Setup_Form.dot)
  3. Bill Code Action Form (http://www.its.state.nc.us/About/Forms/BILLCODEFORM.pdf)
  4. CPS Set Up Form (http://www.ncosc.net/EPP/Enroll/ACH_Forms/CPS_Set-up.xls)
- Set up the Department’s front end internet application. The internet application will interface with the SIS CPS and meet the technical specifications provided by ITS-SIS Group. Application must have an audit log prior to sending data to SIS CPS. The department’s technical staff is responsible for the development, maintenance and enhancement of their internet application.
- Merchant’s Fiscal Office approves access to MyMerchantView (MMV) and processes the MMV application for each individual access.
- Submit the MyMerchantView (MMV) access form by fax to OSC (919-981-5560).

B. Changes/Termination

- In the event of any changes in the information provided on the enrollment forms listed above, notify the Cash Manager in Accounting Services.
- If the Merchant no longer wishes to accept credit cards, notify the Cash Manager in Accounting Services.
- Notify the Cash Manager in Accounting Services in the event that the Merchant will be making any changes to their method of processing after the merchant has been initially set up. All changes must be approved by OSC, Finance Division and ITS before putting into production.


C. Reconciliation, Settlement and Transaction Posting

- Prepare an internal transaction log of the credit card payments received to include the variable order-descr, effective date, payment amount and contact information of the individual making the credit card payment. DO NOT STORE ACTUAL CREDIT CARD NUMBER, EXPIRATION DATE AND CARD VALIDATION CODE ON THE BACK OF THE CARD.
- Reconcile daily the internal transaction log with the order-descr field using VCCT, the State’s web-based application. Problems should be reported immediately to the Head Teller, Cashier’s Office.
- Prepare and submit a Daily Cash Transmittal (DCT) through the Daily Deposit System.
- Use MyMerchantView (MMV) to reconcile the monthly invoice from SunTrust.
- As a security precaution, Merchants shall maintain in writing and provide upon request the name(s) of the person(s) that will be allowed to approve a Credit (Refund) Slip. This cannot be the same person who processes sales transactions.
- Responsible for reviewing and resolving any disputes between the customer and their credit card merchant account in a timely manner.



D. Security Issues

- Must immediately report to ITS – Security the suspected or confirmed loss or theft of any material or records that contain cardholder data. In addition, Internal Audit policy 4 in the Business Manual requires management to notify the University Police and the Internal Audit Department if they have reason to believe that public property or funds may have been damaged, lost, or misused. Suspected misuse can be reported anonymously to Internal Audit, the University Police, or the State Auditor’s Hotline.
- Credit card numbers, expiration dates and the card validation code on the back of the card of cardholders are NOT to be stored in any electronic file in any capacity.
- Adhere to all the data and system security requirements for credit card merchants as defined in the Credit Card Merchant Services – Policies, Procedures and Tools.
- Adhere to the Payment Card Industry (PCI) Security Standards and agree to a quarterly network scan for all externally-facing IP addresses.
- Register into the TrustKeeper Portal.
- Complete the worksheet of assigned questions related to the PCI Compliance Questionnaire as directed by ITS – Security. ITS – Security can offer support and answer questions concerning the completion of these questions. Have documentation to back up the answers given to these questions.
- Must adhere to the E-Commerce policies of the Statewide Electronic Commerce Program (http://www.ncosc.net/SECP/SECP_Policies.html).

E. Problem Resolution

- Provide a calendar of peak times to ITS along with the names of the people that need to be contacted when there is a system outage. Any changes to this calendar need to be reported to ITS.
- Contact their technical support person first when a customer reports a problem to make sure that there isn’t anything wrong with their front end application. Once this is ruled out, they will then submit a remedy ticket or call 962-HELP to report the problem.

F. Training

- All employees responsible for systems or procedures related to credit card transactions or data must complete the Credit Card Merchant Services Training program provided by the Finance Division.

G. Fees and Other Costs

- Will be responsible for related equipment and supply costs, processing fees, and fines and penalties resulting from noncompliance with University, State and Payment Card Industry (PCI) policies.
- Transaction fees may be charged to cover the cost of permitting a person to complete a transaction using a web application or other means of electronic access. The fee imposed must be approved by the Finance Division. Revenues from the transaction fee and expenditures funded by the fee must be accounted for separately to provide an audit trail on the collection and use of the fees.





3.2 Accounting Services – Cash Manager Responsibilities

The Cash Manager meets with the department to determine which method of credit card processing will best suit their needs. When the determination is made that credit card processing should utilize the State’s Common Payment Service, the Controller’s Office will approve the credit card processing activities and start the process of Merchant set up.


A. Merchant Set Up

- Meet with department’s personnel that are contemplating taking the Credit Card Payments to determine the best method for that department.
- Email the following forms to the Department and assist them in completing the forms, if needed:
  1. Outlet Account Set Up Form
  2. Statement of Requirements for Electronic Payment Acceptance and Processing Form
  3. Bill Code Action Form
  4. CPS Set Up Form
- Receive electronically completed forms #1, 2 and 4 from the department and original form #3 with signature from the department.
- Send completed Outlet Set Up Form (1) and Statement of Requirements for Electronic Payment Acceptance and Processing Form (2) electronically to OSC.
- Have the UNC Controller sign completed Bill Code Action Form (3) and fax to NC ITS.
- CPS Set Up will not be complete at this time because the State must assign Merchant numbers and identifiers. Save partially completed form and wait for this information from the State.
- Update the project list, Internet Credit Card Status Worksheet for the new Merchant.
- Receive from NC ITS the Bill Code.
- Receive from OSC the Merchant Outlet Number, MID and TID and add to the CPS Set Up Form.
- Email the completed CPS Set Up Form to the State CPS Tech Support at cpstechsupport@ncmail.net.
- Create the Project Request for ITS – SIS.
- Send email to department instructing them to contact the Head Teller at the Cashier’s Office before their first transaction and copy the Head Teller.
- Add contact info to creditcardadm listserv.
- Update the CPS credit card internet project list (summary and individual worksheets) once department is in production.


B. Set Up Compliance

- Request from OSC pre-registration for PCIDSS testing from Ambiron TrustWave.
- Activate TrustKeeper site and initial validation process when registration email arrives from Ambiron TrustWave TrustKeeper Support.
- Register self in TrustKeeper.
- Add new Department user and ITS – Security to TrustKeeper.
- Email Department TrustKeeper contact with the userid/password and information regarding compliance.
- Give TrustKeeper information to ITS – Security.
- Create remedy ticket to have ITS – Security initiate PCI compliance testing (questionnaire and scans).
- Monitor compliance status.

C. Files to Update

- CPS credit card internet project list (summary and individual worksheets).
- CPS TrustKeeper Account Access.
- TrustKeeper Userid Log.

3.3 ITS – SIS Group Responsibilities

ITS – SIS Group is responsible for providing a page on a secure server with 128-byte encryption where the user can safely enter their credit card and expiration date information. Their program will interface with the State’s CPS system.

- Provide basic credit card number and expiration date editing before calling the State CPS.
- Give departments options for routing errors back to the application or keeping the user on the secure server so they can correct errors and resubmit the transaction.
- Route charged transactions to a user defined url using the variable jspbounceto.
- Give departments flexibility to route unsuccessful transactions to a user defined url using the variable jspbounceErr.
- Give the departments flexibility to receive email confirmations of completed transactions using the field mailTo.
- Generate an audit log of the transactions.
- Help new departments interface with the SISCPS and the State’s CPS system.
- Receive test accounts for the departments from State CPS tech support with Merchant Name, User Name and Password.
- Set up a test account for the department in SISCPS.
- Give Department’s IT personnel the test url to their webPay.pl page.
- After testing, the Department notifies the SIS Programmer when they are ready to move forward.
- SIS Programmer sends the test scripts to the department.
- If department passes the script tests, the SIS Programmer emails CPS tech support that the department is ready to move into Production and is ready to have VCCT set up.
- The SIS Programmer contacts the department’s technical person and coordinates a day to move everything to production. The SIS Programmer must move the config files and the Perl page to production.
- After the State and SISCPS have the department in production, the department receives their SISCPS production url from the SIS Programmer, along with instructions for a Production Test Run.
- Update the SISCPS listserv members.
- On Call programmer will work with the Merchant/Vendor to resolve and close any remedy ticket that has been assigned to ITS – SIS.
- Provide a list of possible errors with response instructions and contact information to the Control Center to help in problem resolution.
- Close out the SIS Project Request once the Department is in production and has passed the PCI security requirements (questionnaire and scan).


3.4 ITS Responsibilities

- Vice Chancellor for Information Technology or delegate must approve internet application to be used for credit card processing activities.
- Maintain secure server and interface application without direct cost to the departments.
- Perform timely patches and software upgrades to meet OSC requirements and PCI Compliance Standards.

3.5 ITS – Security Responsibilities

One of the missions of ITS – Security is to provide guidance and resources on the prevention of computer security incidents.

- Set up internal scans to occur before the Ambiron TrustWave scans.
- Send the applicable questions to the merchant to answer as part of the PCI Security Standards.
- Update the PCI Questionnaire spreadsheets with the Department’s answers after receiving sheets from the Departments.
- Complete the PCI Security Standard Questionnaire.
- Submit electronically the completed PCI Security Standard Questionnaire to Ambiron TrustWave.
- Review the Compliance Questionnaire Report from TrustKeeper. Report any issues to the appropriate party.
- Review results of Ambiron TrustWave scans and report any issues to the appropriate party.
- Update spreadsheets with Department’s Name, IP Address, Merchant Name, Responses to email of PCI questions, Internal scan, Ambiron Scan dates and results and Certification date.
- Deal with all security issues.
- Close the Remedy Ticket once the Department is certified.


3.6 Control Center (CC) Responsibilities

The Control Center is responsible for the daily management of the central computing and networking hardware facilities. They ensure that all equipment is functioning properly. They monitor systems on a 24 hour 7 day per week basis.

- Monitor all CPS servers.
- Receive Remedy Tickets from ITRC or create Remedy Ticket based on available information.
- Responsible for the Automated Simulator to test functionality. This will run an application to replicate the manual process of entering an invalid credit card. When the message returns with anything other than “invalid credit card”, the Control Center will submit Remedy Ticket to appropriate group according to written procedures provided by ITS – SIS.
- When the simulator encounters an error, notify the ITRC of the problem.
- Will receive notifications of problems and potential blackouts from the State via the listserv.
- Will act as the point person to interact with the ITRC and ITS Support Staff as needed.

3.7 ITS Response Center (ITRC) Responsibilities

The ITRC uses Remedy Action Request System to track Help Requests and to route problems to the appropriate support group.

- Respond to all calls concerning credit card payment issues according to the workflow document (see Attachments section – Page 13).
- Create Remedy ticket and assign ticket to Control Center according to written procedures provided by ITS – SIS.
- Receive immediate notification from the Control Center when the Control Center is aware of system problems.


4. Attachments

Card Industry Rules:
- VISA – http://usa.visa.com/business/accepting_visa/ops_risk_management/index.html
- Master Card – http://www.mastercard.com/us/merchant/how_works/merchant_rules.html
- SunTrust Merchant Program Guide – http://www.ncosc.net/EPP/suntrustprogramguide.pdf

Information on Merchant Credit Cards through the Common Payment Service:
- http://www.ncosc.net/SECP/SECP_CPS.html

Payment Card Industry’s Security Standards:
- VISA – www.visa.com/cisp
- MasterCard – http://sdp.mastercardintl.com

Forms:
- Statement of Requirements for Electronic Payment Acceptance & Processing Form – http://www.ncosc.net/EPP/Enroll/ACH_Forms/EC_SOR.doc
- Outlet Account Set-Up Form – http://www.ncosc.net/EPP/Template/Outlet_Account_Set-up_Form.dot
- Bill Code Action Form – http://www.its.state.nc.us/About/Forms/BILLCODEFORM.pdf
- CPS Set Up Form – http://www.ncosc.net/EPP/Enroll/ACH_Forms/CPS_Set-up.xls
- MyMerchantView Form – http://www.ncosc.net/EPP/Forms/Merchant_Sign-up_Form.dot


Department-ITS SIS Problem Resolution Workflow

1. Department has a problem.
2. Contact Dept IT support person to assist in determining what type of problem.
3. Vendor application problem?
   - Yes: Contact vendor.
   - No: Contact ITS, by one of two routes:
     - Use web submit: Go to help.unc.edu and submit a request for help. Select ‘Type of Help Needed’ either ‘SIS-Administrative Depts Only’ or ‘CPS’, select ‘Choose a Secondary Issue’ (if required) and appropriate Severity.
     - Call 962-HELP or Initiate a Chat: Provide customer information to the ITRC; explain problem; request appropriate severity.
4. By type of help (SIS-Administrative Depts Only / CPS):
   - The ITRC will work with the Control Center to determine if there are any known issues.
   - The ticket goes to ITS-SIS.
5. Was there a resolution?
   - No: Route to the appropriate group for resolution.
   - Yes: Follow-up email sent after resolution.


5. Contacts

To Establish Credit Card Process:
Roxanne Krotoszynski, Cash Manager
Email: krotoszy@email.unc.edu
Phone: (919) 962-4245

General Questions:
Roxanne Krotoszynski, Cash Manager
Email: krotoszy@email.unc.edu
Phone: (919) 962-4245

Technical Issues:
Karen Michael, Business Analyst
Email: kmichael@email.unc.edu
Phone: (919) 445-9319

Training:
Stephanie Lloyd, Finance Training Coordinator
Email: FinanceTrainer@unc.edu
Phone: (919) 843-3069

PCI Compliance and Data Security:
ITS – Security
Phone: (919) 445-9393

CPS Connection:
HELP Desk
Phone: (919) 962-HELP

Deposits and Reconciliation:
Tina Zimmerman, Head Teller, Cashier’s Office
Email: tina_zimmerman@unc.edu
Phone: (919) 962-5846

CPS Connection, VCCT:
NC ITS Customer Support Center
Email: support@ncmail.net
Phone: (919) 754-6000 or 1-800-722-3946

Credit Card Merchant Contact
Name: __________________________________________________________
Email: __________________________________________________________
Phone: __________________________________________________________
Fax: __________________________________________________________

Credit Card Merchant individual authorized to sign on returned sales or credits (must be different from the person processing charge sales):
Name: __________________________________________________________
Title: __________________________________________________________
Email: __________________________________________________________
Phone: __________________________________________________________
Fax: __________________________________________________________

6. Signatures

The undersigned agree to follow the rules and regulations stated in this Service Level Agreement. Any deviations may result in termination of Department as a credit card processing merchant.

For the Finance Division
Signature: ___________________________________________________
Date: ___________________________________________________

For Information Technology Services – Enterprise Applications
Signature: ___________________________________________________
Date: ___________________________________________________

For ITS – User Support & Engagement
Signature: ___________________________________________________
Date: ___________________________________________________

For ITS – IT Infrastructure & Operations
Signature: ___________________________________________________
Date: ___________________________________________________

For ITS – Information Security & Policy
Signature: ___________________________________________________
Date: ___________________________________________________

Credit Card Merchant – Dean, Director or Department Head
Name (Print): ___________________________________________________
Title: ____________________________________________________
Address: ____________________________________________________
Signature: ____________________________________________________
Date: ____________________________________________________


7. Terms

- Ambiron TrustWave: A leading provider of information security and compliance management solutions.
- CC: Control Center. A department of ITS – IT Infrastructure and Operations.
- Config Files: SIS CPS processing files.
- CPS: Common Payment Service. The State’s payment gateway through the NC Office of Information Technology Services.
- FDMS: First Data Merchant Services. A credit card processing platform.
- ITRC: ITS Response Center.
- ITS: Information Technology Services. The central technology organization for the University of North Carolina at Chapel Hill.
- ITS – EA: Information Technology Services – Enterprise Applications. ITS division that is responsible for all major ITS application development.
- ITS – Security: Information Technology Services – Security. A division of ITS that manages all aspects of compliance with relevant university, State and Federal rules regarding data integrity and privacy.
- ITS – SIS Group: Information Technology Services – Student Information Systems. A department of ITS – EA.
- jspbounceto: A required field populated by the department with the response url. SISCPS uses the value of this field to direct the user to a new webpage when the transaction was successful.
- jspbounceErr: An optional field populated by the department with the error url. SISCPS uses the value of this field to direct the user to a new webpage when the transaction has an error.
- Merchant: A University Department or Unit that is authorized to accept credit card payments for goods or services provided to customers.
- MID: Merchant ID. A unique number that identifies a University Department or Unit that is an approved Merchant.




- MMV: MyMerchantView. The internet based reporting tool provided by SunTrust Merchant Services (STMS). This tool provides summary and detailed-level reports for all batches and transactions submitted to STMS for settlement.
- order-descr: A unique variable that identifies the transaction. This is the only application generated variable that will appear on the VCCT reconciliation report.
- OSC: Office of the State Controller.
- PCI: Payment Card Industry.
- PCIDSS: Payment Card Industry Data Security Standards.
- Perl Page: PayNow Page, where user enters credit card information.
- SISCPS: Application that Department’s web application interfaces with. This application will pass the credit card transaction from its secure server to the State CPS system.
- STMS: SunTrust Merchant Services. The State has a Master Service Agreement with STMS for Credit and Debit Card payment processing services.
- TID: Terminal ID.
- TrustKeeper: Provides Merchants with a web-based portal that allows Merchants to assess vulnerability and compliance with PCIDSS.
- VCCT: Virtual Credit Card Terminal. The State’s web-based application used by CPS clients to reconcile credit card transactions processed.
