PCI & Merchant Services Town Hall
March 10, 2020
Agenda
● PCI Compliance
● PCI Compliance Requirements
● Merchant Service Transition
● BB&T, now Truist Presentation
● Q&A
PCI Compliance: What is it?
● PCI DSS (Payment Card Industry Data Security Standards) are applicable to:
  ○ all merchants who process, transmit, or store cardholder data, regardless of the size or number of transactions.
  ○ all third-party service providers.
● The payment brands (e.g., VISA, MasterCard), as well as the acquiring banks (e.g., BB&T, now Truist) are responsible for enforcing PCI compliance.
PCI Compliance: What is it?
● UMD is a Level 2 Merchant: We processed 2,059,229 million card transactions annually through all channels (card present, card not present, eCommerce).
● Merchants who are considered Level 2 must do the following:
  ○ Complete an Annual Self-Assessment Questionnaire (SAQ).
  ○ Complete quarterly network scans by an ASV.
  ○ Complete the Attestation of Compliance Form.
PCI Compliance: Why is it important?
● $115,602,239
● A data breach of our PCI environment could force UMD to stop accepting credit cards.
● Fines for being out of compliance may cost us as much as $100,000 a month.
● Suspension of merchant account(s).
● PCI Compliance is not optional.
PCI Compliance: UMD Compliance Status
● We are currently NOT in compliance.
● Remediation effort & timeline:
  ○ Established PCI Governance Committee
  ○ Developed and Issued PCI Compliance Guidance & IT PCI Standards to campus (completed in Dec 2019)
  ○ Procedures and guides will be created by PCI Governance Committee
  ○ Requested an extension to BOA and VISA
  ○ We are reporting monthly updates to BOA and VISA
  ○ Contracted a QSA to perform our AOC
  ○ July 2020 is our deadline to be PCI Compliant.
PCI Compliance Requirements
● Complete annual PCI DSS security training.
● Annual inventory and POC confirmation of your PCI Environment.
● Quarterly external vulnerability scans are required by PCI/DSS standards.
● Obtain annual attestation to confirm your third party vendor is PCI Compliant.
● Maintain internal documented standards and procedures.
PCI Compliance Requirements
● All MIDs will be centrally administered by the Office of Student Financial Services and Cashiering.
● Departments are required to use:
  ○ Nelnet eCommerce: exceptions need to be approved by the PCI Committee.
  ○ 3rd party Web systems that will keep your department’s credit card process out-of-scope.
  ○ P2PE technology for terminals and POS devices.
● Limit who can see credit card information.
● Limit access to credit card data.
● Limit cardholder data in physical locations.
Merchant Services Transition
● State merchant service contract awarded to BB&T, now Truist in Spring 2019
● All BAMS MIDs to be reissued by BB&T, now Truist - eCommerce and Terminals
Conversion deadline: September 2020
Contacts and Resources
● Conversion questions:
  ○ Tara Renaghan [email protected] x50699
● PCI questions:
  ○ Email: [email protected]
  ○ PCI Guidelines: https://finance.umd.edu/financial-services/cash-management-reporting
Project Overview
• Kickoff
  • Current State Assessment
  • Identify the products used today
  • Include other stakeholders/partners
• Planning
  • Provide expectations of timeline and develop a roadmap
  • Decision making on new products/integrations
  • Staging the files to prepare for Onboarding
• Execution
  • Onboard the new accounts
  • Order new products, gateways, etc.
  • Welcome emails/training
• Monitoring
  • Provide support for testing and “Go Live” date
  • Quality assurance review for first 30 days of processing
  • Track progress to determine when to close the old BAMS accounts
• Closing
  • Your relationship manager provides ongoing support
Ingenico
Ingenico Overview
▪ Founded in 1980
▪ Headquartered in Paris / 88 Locations
▪ 6,000 Employees / 74 Nationalities
▪ 30 Million Terminals Installed
Tetra Line
Multiple Device Options
• Desk/3500
• Desk/5000
• iPP315
• Move/5000
• Lane/3000
• Lane/5000
• Lane/7000
• Lane/8000
Two Desk models to meet merchant’s needs
Desk/3500 Desk/5000
Desk/3500 vs Desk/5000
Desk/3500 Key arguments
Maximized network connectivity:
• Offer the optimized solution for any existing infrastructure
Enhanced user experience:
• Best-in-class user experience with a user-friendly and intuitive interface
Improve transaction flows with ergonomic NFC design:
• Queue buster, boosting contactless and NFC use through smart ergonomics
Compatible with latest security standards:
• PCI-PTS 5.x certified, ensure a long-term investment to securely accept payment
Desk/5000 Key arguments
Enriched business apps with innovative capabilities:
• Offer rich web-based applications using HTML5 technology
• Open the terminal to the rich HTML5 Apps developer world to generate additional revenues.
Accept any payment method:
• Support multiple methods of payment
Desk/Series – Enhanced User Experience
Best-in-class user experience, featuring a color display and large friendly backlit keypad in an optimized footprint at counter
iPP315
The multi-payment PIN Pad that simplifies checkouts
▪ Secure payment acceptance at checkout
▪ Accepts EMV, magstripe and NFC/contactless payments quickly and easily
▪ Connects with Ingenico Desk series terminals with a single USB cable
Move/5000 – Optimized Battery Life
A battery life allowing merchants to sell all day long, without interruptions
Authorize.Net
Authorize.Net Overview
Authorize.Net is a known leader in the ecommerce space, and BB&T is proud to be a trusted authorized reseller. The Authorize.Net payment gateway allows customers to make payments on your website; integration can be as simple as a “Pay Now” button or completely customized to fit your website needs.
Features:
▪ Simple Checkout for “Pay Now” or “Donate Now”
▪ Accept Suite API integrations, which include SDKs, developer documentation, and sandbox accounts
  ▪ See https://developer.authorize.net/ for more information
▪ Advanced Fraud Detection suite with filters to flag or halt transactions such as billing/shipping mismatch, velocity, and more
▪ Customer database
▪ Recurring billing with tokenization
▪ Invoicing
▪ Account Updater
▪ eCheck processing
▪ Mobile add on option
Questions