					                                                                    03/21/2007
     Guidelines for IEEE Conference Credit Card Processing
I.    Introduction:
      Due to regulations mandated by MasterCard, Visa, and American Express,
      IEEE and its service providers must comply with Payment Card Industry
      (PCI) Data Security Standards. IEEE is PCI compliant and will continue to
      ensure that credit card processes meet the industry standards.

      This issue is being taken seriously by IEEE because of our strong commitment
      to our members and customers. IEEE is taking all appropriate measures to
      ensure cardholders’ credit card information is secure.

      The current PCI regulations affect eCommerce and also encompass manual
      credit card processing. ECommerce includes processing credit card
      transactions over the Internet. This also includes the collection of credit card
      information over the Internet. These standards are international standards, and
      affect all conferences worldwide.

      The regulations cover three basic areas:
              Systems
              Processes
              People

      As a whole, past IEEE conference credit card processing did not meet the
      requirements of PCI. Certain events were actually in compliance
      and some were not. The non-compliant events will have to look into other
      options for managing their credit card processing program.

      Not following the credit card processing procedures below will expose you
      and IEEE to unnecessary risks and liabilities. IEEE can be fined and risk losing
      its ability to process credit cards.

      The diagram below shows a basic flow for eCommerce transactions. There
      is no single straightforward flow for how credit card data, processing, and
      funds move, whether by eCommerce or manual processes. All steps in the
      flow must be compliant.
      [Diagram: Attendee registers on-line -> submit on-line payment ->
      Registration System -> pass credit card information -> Gateway
      (authorization given or denied) -> authorized transactions sent for
      processing -> Merchant Processor Bank (collection of money for authorized
      charge(s) from the Cardholder's Bank) -> funds deposited -> IEEE
      Conference Bank Account]

II.    IEEE currently offers the following options for credit card processing:
       1. IEEE Conference Management Services (IEEE CMS) can provide IEEE
          entities with comprehensive pre and on-site registration services. Our PCI
          Compliant on-line registration system is available worldwide 24 hours a
          day, 7 days a week.
       2. IEEE also offers two manual processing options. (link to credit card
          processing agreement)
                 Option 1. The use of an IEEE credit card machine, which can be
                    used to manually enter credit card information or brought on site
                    to swipe cardholder information.
                 Option 2. IEEE will process the charges on behalf of the
                    conference.

III.   Third-Party Processing:
       1. Not a recommended method of processing, but acceptable if it follows the
          proper compliance procedures, including PCI.
       2. If the conference hires a third party, IEEE policy states that all contracts
          which exceed $25,000.00 exposure must be signed by IEEE. The
          exposure value can be determined by adding the estimated total revenue
          collected plus fees paid to the third party.
       3. If hiring a registration company to process registrations and other credit
          card transactions, the third party must be PCI compliant. They must
          provide the conference with a current certificate showing compliance.
                  If the third party states they are compliant, but do not have a
                    certificate, please contact the IEEE.
                  IEEE will check for PCI compliance during contract review.
       4. Setting up Merchant Accounts and Gateways.
                  Volunteers cannot set up merchant accounts or gateways under
                    any circumstance.
                  The third-party must set up its own merchant accounts and
                    gateways, which must be compliant.
                  IEEE can give the third-party company access to existing
                    merchant accounts (Option 1a), only after the third-party has
                    proven they are PCI compliant.
                               a. Third-party is still responsible for setting up a
                                   gateway.
                               b. Benefits include access to IEEE credit card rates
                                   and the money stays within IEEE.
       5. Make sure the third-party contract clearly states all entities involved in
          handling and/or holding the conference’s credit card money. The
          conference should clearly understand exactly how the credit card funds
          will flow.
       6. Make sure there are no pass through fees in the conference’s contract.
          IEEE will look for this during contract review, and will revise the contract
          if necessary.
IV.    Methods no longer acceptable.
       1. Conference volunteers cannot open up their own merchant accounts or
          gateways.
       2. Conference volunteers cannot have any on-line access to credit card data.
       3. Conferences cannot hire non-compliant third-parties.
       4. Conference volunteers can no longer use existing IEEE merchant
          numbers for processing. These will only be given out to
          third-parties who prove they are PCI compliant.


V.     Concentration Banking (link to CB web site)
       1. If using any non-IEEE credit processing service, the conference must
          coordinate with IEEE Concentration Banking to arrange auto deposits
          or payments.
       2. Contact the Treasury Department four weeks prior to processing
          transactions to ensure the proper flow of credit card funds into the
          conference’s concentration banking account.
       3. Do not provide third-party processors with a copy of a VOIDED check; this
          is not the bank information they need to send the funds.

VI.    Manual Credit Card Processing:
       1. IEEE offers two options for manually processing credit card transactions.
          Volunteers may process these types of transactions. (link to credit card
          processing agreement)
                Option 1: IEEE will rent a credit card machine to the conference
                   that can be used for pre & on-site registrations.
                Option 2: The conference collects the credit card information
                   then sends the information to IEEE to be processed.
       2. Best practices for processing manual transactions:
                Store hard copy credit card information in a secure (locked) area.
                Do not ask for or send credit card numbers over email.
                Send or receive credit card information by secure fax.
                Only issue refunds to the same credit card that the original
                   payment was made on (do not issue refunds to another credit
                   card number or issue a check refund).
                Do not collect or store CVC Codes.

VII.   Glossary of common credit card terms
       1. ECommerce: Business-to-consumer or Business-to-Business commerce
          conducted by way of the Internet or other electronic networks.
       2. Manual credit card processes: Collection and processing of credit card
          using non-eCommerce tools.
                Example: Collection by fax, mail, or in person.
                Example: Processing using a credit card machine or sending the
                   information to IEEE or a third-party to process.
       3. Discount rates/Credit Card Fees: Credit card processors charge
          discount rates (a percentage of the total sales processed). They can also
          charge per transaction fees, chargeback fees, and rental/admin fees.
          Current IEEE discount rates for all services are:
                 MasterCard 2.5%*
                 Visa 2.5%*
                 Discover 2.5%*
                 American Express 4.0%*
                 Diner’s Club 2.5% or 4.5% (majority 2.5%)*
                  * The conference receives the discount rate back from IEEE when
                  refunds are processed
       4. Merchant account: An account set up with a credit card processor. The
          merchant bank will collect the funds from the cardholder’s bank and
          transfer the funds to a specified account.
       5. Gateway: A gateway will collect and authorize (or decline) cardholder
          transactions. The gateway will then periodically (daily) send the
          information to the merchant bank for processing.
       6. PCI Compliant Certificate: Issued by a merchant approved scanning
          vendor on a quarterly basis.
       7. Pass-Through Fees: Fees passed from the vendor to the conference (or
          IEEE). This can include fines and lawsuits resulting from being non-compliant.
       8. Originator ID: An ID number from the vendor or processor, which
          IEEE’s bank needs to allow automatic transfers into or out of
          Concentration Banking.
       9. Exposure: Total amount of liability to IEEE. Includes all stated
          contractual fees, plus credit card fees, as well as total revenue processed.

VIII. IEEE Contacts:
      Conference Credit Card Processing:
      Peter Curtis, Manager Conference Finances
          Phone: +732-562-5598        Email: p.curtis@ieee.org

       Concentration Banking:
       Charles Krajcsik, Treasury Manager
          Phone: +732-562-6837        Email: c.karjcsik@ieee.org

       IEEE PCI Compliance:
       Suzanne Stiles, Manager Financial Compliance & Control
          Phone: +732-562-5322         Email: s.stiles@ieee.org

       Contracts:
       Vita Feuerstein, Manager Conference Planning
          Phone: +732-562-6826         Email: vita@ieee.org
 IX. PCI Compliant Third Parties
The companies listed below are a sample of known PCI compliant third parties. These
companies are not being endorsed by IEEE.

Badgeguys.com
CompuSystems
RegOnline
Doubleknot