eCommerce Training: Training Days 2010

Credit Card & eCommerce Best Practices
Training Days 2010
Dan Hough and Robert Monasky
Business Affairs
Agenda
1.Introduction & Overview
2.Credit Cards: The Good, The Bad & The Ugly
3.Definitions
4.Process Flow
5.Processing Costs
6.Disputed Card Payments
7.Regulations
8.Best Practices
9.Becoming a Merchant
10.Questions
Lots of Information: Take time to digest
[Slide diagram: a balance weighing the benefits of accepting cards (increased sales, convenience/cost savings) against the obligations and risks (compliance, fees, breach, reputation, PII).]
In the end it's a balance!
Credit Cards: The Good
1.Increase sales and revenues
2.Save costs
3.Speed
4.Security
5.Reach
Credit Cards: The Bad
1.Costs
2.Increased responsibility for sensitive data
3.Compliance administration
4.Ongoing training
5.Reconciliation
Credit Cards: The Ugly
1.Confidential Financial Data breach
2.Not being PCI compliant can have costly
ramifications for you and/or the University
3.Loss of Merchant ID for not following policy
Definitions
1.Issuer – The financial institution or other organization that issued the credit card to the cardholder.
2.Acquirer – The financial institution that accepts payment for the products or services on behalf of the merchant.
3.Card Association – An association of card-issuing banks, such as Visa, MasterCard, Discover, American Express, etc., that sets transaction terms for merchants, card-issuing banks, and acquiring banks.
Definitions (continued)
5.Merchant – The entity accepting credit card payments for products or services sold to the cardholder.
6.Interchange – The clearing and settlement system for credit and debit cards in which data is exchanged between the Acquirer and the Issuer.
7.Authorization – The Issuer's approval of the transaction against the cardholder's available credit.
8.Settlement – The closing of credit card batches and the start of the movement of funds to the Merchant.
Process Flow
[Slide diagrams showing the flow between the merchant, Elavon (processor) and US Bank for each step.]
Step 1. Authorization
Step 2. Batching
Step 3. Clearing
Step 4. Funding
Interchange Costs
1.Managed and updated by the Card Associations
2.Interchange costs vary in amount based on:
•Industry type (grocery, restaurant, adult, higher education….)
•Length of time you have been in business
• Received method: swiped, over the phone, or via ecommerce.
•Average dollar amount of each sales transaction, the total dollar
amount of sales per month.
•Timeliness of settling batch for payment
•Information the business captures during the transaction
•Card type (rewards, cash back…)
•Interchange fee (qualified/non-qualified)
YOU Can Help Control Costs: Remember These Interchange Tips
Consider
•Only one Authorization per transaction
•Avoid processing a Pre-Auth with no matching settle transaction (remember it costs per transaction)
•Returns/Chargebacks
Always
•Close the batch daily if not set up on Auto-Close
•Follow POS device transaction prompts, entering valid data rather than pressing Enter or "0" to bypass the prompt
•Hand-keyed transactions: enter Address Verification (AVS, ZIP code)
Your liability for disputed card payments
A chargeback is a dispute raised against the merchant to reverse a transaction you have processed. Common reasons:
• You, or your customer, made an error at the point of sale, such as using an expired card.
• A cardholder or card-issuing bank disputes the transaction.
• The transaction was made fraudulently.
• You didn't respond to a request for a copy of a transaction in time.
• It was a duplicate transaction.
• The transaction was not authorized.
• The goods or services ordered were not received.
• The cardholder disputes participating in the transaction.
• Inadequate customer service (e.g. a faulty product).
Timing and cost:
• A chargeback can be made up to 120 days after the transaction.
• You're given 14 days from the date of the chargeback request to respond.
• They are expensive (initial transaction + chargeback + time).
Chargebacks are a Merchant Responsibility (cashiers can assist with the response).
Industry Regulations
•PCI DSS – Payment Card Industry Data Security Standard
•security standard that must be met to accept payment cards…
•CISP – Cardholder Information Security Program
•specifications developed and used by credit card companies for the purpose of ensuring the privacy and security of financial data.
•NACHA – Nat'l Automated Clearing House Assoc.
•operating rules and practices for the ACH Network and for electronic payments in the areas of Internet commerce, electronic bill & invoice…
•Oregon SB 583 – Oregon Consumer Identity Theft Protection Act
•regulation to ensure the safety of personal identifying information (name in combination with SSN, driver's license or ID card number, financial account or payment card number…)
Security Standards- PCI Data Security Standard
Requirements
Assess
•Vulnerabilities that pose risks to the security of cardholder data
•How cardholder data flows from the beginning to the end of the transaction process
•Ensure transaction hardware/software is PCI compliant
Remediate
•Review & remediation of vulnerabilities found
•Re-scan (if applicable)
Report (Validation)
•Complete Self Assessment Questionnaire Annually
•Submitted through Business Affairs to US Treasury
Security Standards- PCI Requirements
1.Install and maintain a firewall
configuration to protect cardholder data
2.Do not use vendor-supplied defaults for system passwords
and other security parameters
3.Protect stored cardholder data
4.Encrypt transmission of cardholder data across open,
public networks
5.Use and regularly update anti-virus software or programs
6.Develop and maintain secure systems and applications
Security Standards- PCI Requirements
(continued)
7.Restrict access to cardholder data by business need to know
8.Assign a unique ID to each person with computer access
9.Restrict physical access to cardholder data
10.Track and monitor all access to network resources and
cardholder data
11.Regularly test security systems and processes
12.Maintain a policy that addresses information security for all
personnel
Security Standards- Consequences
•In 2006, over 30% of breaches involved colleges & universities
If found liable for a breach
•VISA assesses fines $500,000 - $1,000,000
•You must cover losses on individual accounts
•You must cover cost of reissuing compromised cards
•Submit to a forensic investigation
•Automatically requires an external security assessment
•Loss of Merchant ID
Security Standards- OSU Breach Response
•Do not access or alter compromised machine.
•Do not turn off the compromised machine. Instead,
isolate compromised systems.
•Preserve logs and electronic evidence.
•Log all actions taken.
•Be on high alert and monitor all systems with
cardholder data.
•Contact Business Affairs /Cashiers.
•Provide a report containing: the account information at risk, and the source and timeframe of the compromise.
So…Do You Still Want To Be A
Merchant?
New Merchants: Consider the Following
•What are you planning on selling?
•How are you going to sell it?
•Where will you be selling?
•How much revenue will be generated?
•Can you afford the discount fee?
•What’s driving the decision to take cards?
•Who will be the contact person?
•Privacy Policy
•Return/Refund Policy
•Segregation of Duties
New Merchants
How to get started:
•Contact Business Affairs
•Define security and operational practices
•Choose a payment processor (TouchNet, VM)
•Complete forms (MID, detail code…)
•Process through Business Affairs office
•Complete Best Practices and application training
•Start processing!
New Merchants – Contact Business Affairs
•Offers expertise in our hosted solutions and
applications
•Can connect you with others on campus with similar
experiences
•Assists with obtaining a Merchant ID
•Provide application (i.e. TouchNet, Virtual Merchant)
advice
•Best Practices training
•Other tools (i.e. Merchant Connect)
New Merchants - Costs
•Virtual Merchant – Point of Sale Transactions
•Monthly fee of $5.00 per merchant
•Optional equipment costs:
•Card Wedge (highly recommended for POS): $75
•Printers: $249
•TouchNet uPay or uStore – Web Only transactions
•No Cost to merchant
•Merchant ID – No cost
The Payment Card industry & standards are dynamic and constantly
changing. Greater focus on security may increase costs. Costs will be
shared among all OSU merchants.
New Merchants
Contact the Cashiers Office once you are setup, but before
your first transaction.
They will:
•Verify merchant account flow-through to Treasury
•Confirm everything is ready to go
•Conduct any needed testing for online stores
•Provide Merchant Connect login info (if requested).
Best Practices: Process Flow- Three Core Merchant
Actions
Authorization
Merchants must obtain approval from the Issuing Bank to process
a transaction
Authentication
Involves the verification of the cardholder and the card.
Settlement
Send approved transactions daily to the Merchant Bank
Best Practices: Transaction Processing- Card Present
•Always swipe the stripe
•Hold the card in the presence of the customer through the entire
transaction.
•Before swiping the card, verify that the card expiration date has
not passed.
•Obtain authorization; possible responses are Approved, Declined, Call Center, Referral, Pick Up, or No Match.
•While the transaction is being processed, check the card's features and security elements to make sure the card is valid and has not been altered.
•The card must be signed ("See ID" written in the signature panel is not a valid signature).
Best Practices: Transaction Processing- Card Present
•Customer signs sales receipt. Compare the signature with the
signature on the back panel of the card.
•Compare the name and account number on the credit card with
name and last four digits of the account number on the printed
receipt.
•If you suspect fraud, make a code 10 call (suspicious activity)
Best Practices: Transaction Processing- Card Not
Present
•Obtain an Authorization on all transactions
•Authorization must occur before any merchandise is shipped or
service performed.
•Compare card type and account number
•Request card Expiration Date
•Requesting Card Verification 2 (CVV2/CVC2) – never keep!
•Request AVS (Address Verification)
Best Practices- General
•Refund to the same card, and for no more than the original transaction amount
•Keep equipment and applications up to
date
•Keep Return/Refund & Privacy policies
current
•Follow OSU Cash Handling Guidelines
•Reconcile/verify transactions regularly
Best Practices- Protect Cardholder Data
•Restrict access to cardholder data
•Store all info in a secure area
•Assign a unique ID to each person with system
access
•Do not send or receive complete credit card
numbers using email or campus mail
•Never write down the CVV2/CVC2 number – no exceptions
•Mask the card number, or record only the last four (4) digits
•Train all personnel on security practices
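The two data-handling rules above, mask the card number down to its last four digits and never retain the CVV2/CVC2, are the ones most often broken by accident in support e-mails, ticket systems and application logs. The scrubber below, written for this page as an added example (it is not OSU's, TouchNet's or Elavon's code), shows one practical check: it finds 13 to 19 digit runs in free text, keeps only those that pass the Luhn mod-10 check that real card numbers satisfy, masks them to the last four, and removes any labelled card-verification value outright. The function names, regular expressions and the sample e-mail text are constructed assumptions; the two card numbers in the sample are the standard Visa and MasterCard test numbers, not real accounts.

```python
"""Mask primary account numbers (PANs) and strip card verification values
from free text such as log lines, e-mail bodies or support tickets.

Added example for this training page; not OSU, TouchNet or Elavon code.
Function names, regexes and the sample text are constructed assumptions.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d])\d(?:[ -]?\d){12,18}(?![\d])")

# A labelled card verification value, e.g. "CVV2: 123" or "cvc2=9876".
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)(\s*[:=]\s*)\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as the guidance above allows."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> tuple[str, int]:
    """Return (scrubbed text, number of PANs masked).

    A digit run is treated as a PAN only if it passes the Luhn check, so
    order numbers and tracking numbers of similar length are left alone.
    Labelled CVV values are removed entirely: they must never be retained.
    """
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        count += 1
        return mask_pan(digits)

    scrubbed = PAN_CANDIDATE.sub(_mask, text)
    scrubbed = CVV_FIELD.sub(r"\1\2[removed]", scrubbed)
    return scrubbed, count


# Constructed sample: a support e-mail that should never have contained this.
SAMPLE = (
    "Please refund order 1234567890123456 placed with card 4111 1111 1111 1111, "
    "exp 12/14, CVV2: 123. Backup card 5500-0000-0000-0004."
)

if __name__ == "__main__":
    out, n = redact(SAMPLE)
    print(n, "PAN(s) masked")
    print(out)
```

Run as a filter in front of anything that persists text (ticket intake, mail gateway, log shipper). The Luhn gate is what keeps the 16-digit order number in the sample untouched while both card numbers are masked; a plain "any 16 digits" rule would either over-redact or, if loosened, miss dashed and spaced numbers.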
Merchant Connect - payment activity management
•Copies of recent statements
•View deposits (batches) and detailed information on
transactions
•Research chargebacks
•Last ten days of deposit activity/6 months of statements
•Itemization of monthly fees
Additional Resources
Merchant Statements and Information
https://www.merchantconnect.com/CWRWeb/displayMemberLogin.do
OSU Cash Handling Guidelines
http://oregonstate.edu/fa/businessaffairs/cashiers/cash_handling_handbook.php
OUS Controller’s Division
http://www.ous.edu/contdiv/cobpp/10.20_ecommerce_creditcard_payments.php
OSU eCommerce Info
http://oregonstate.edu/dept/computing/ecommerce/
Treasury Cash Management Policies
http://www.ost.state.or.us/divisions/finance/cjashmanagement/index.htm
Questions?
Business Affairs Contacts:
• Dan Hough 541-737-2935
Email: Dan.Hough@OregonState.Edu
•Robert Monasky 541-737-0654
Email: Robert.Monasky@OregonState.Edu
•Janice Lee-Virnig (Cashiers Manager) 541-737-4109
Email: Janice.Lee-Virnig@OregonState.Edu