August 1, 2006 (Rev. April 2009) Statewide Electronic Commerce Program (SECP) Merchant Card Services Enrollment Process For agencies and eligible entities.

Presentation transcript:

August 1, 2006 (Rev. April 2009)
Statewide Electronic Commerce Program (SECP)
Merchant Card Services Enrollment Process
For agencies and eligible entities desiring to participate in the State Controller’s Master Services Agreement (MSA) Between the State of NC and SunTrust Merchant Services, LLC and SunTrust Merchant Services, LLC
Dated August 1, 2006
Contract Number

Enrollment Process Steps
- Step 1. Identify Merchant Card Project
- Step 2. Execute Enrollment Forms
- Step 3. OSC Acts on Request
- Step 4. DST Acts on Request (If applicable)
- Step 5. STMS Acts on Request
- Step 6. CPS Involvement & Testing (If applicable)
- Step 7. Establish Business Procedures
- Step 8. Establish Fiscal Procedures
- Step 9. Obtain PCI Security Compliance

Step 1 – Identify Card Project
- Obtain information about Merchant Cards from OSC’s Web site
  - E-Commerce Statutes and Policies
  - Merchant Cards Overview and Merchants Cards-101
  - STMS Master Services Agreement (Various Component Documents)
  - PCI Data Security Standards
  - Card Association Rules for Merchants (Visa and MasterCard)
- Identify potential payment applications for Merchant Cards
  - Card Present (Face-to-Face Applications)
  - Card Not Present (Non-Face-to-Face Applications)
- Determine what capture method(s) will be used to process cards
  - Review “Capture Solutions – Merchant Cards” document
  - POS Terminals Capture Solution
    - Stand-alone terminal – with analog telephone line
    - POS terminal using POS Software (Identify software and vendor to be obtained)
  - Web-Based Capture Solution – Requires a gateway service
    - Common Payment Service as gateway
    - PayPoint thru STMS as gateway
    - Other third-party as gateway
  - Yahoo! Store –
- Develop an internal statement of work, considering the program requirements, work effort, cost and benefits – Use appropriate Project Plan Template
- Determine ability to comply with Payment Card Industry Data Security Standard
- Determine project feasibility and obtain management approval
- Identify Funding and obtain OSBM approval or other budget approval
- If convenience fee to be levied, must first obtain approval from OSBM

Step 2 – Execute Enrollment Forms
- Master Services Agreement (MSA)
  - Consists of various component documents – on OSC Website
  - Requires Review by Agency Fiscal Office and Agency Legal
- Agency Participation Agreement (APA)
  - Allows for agency to participate in MSA
  - Binds participant to OSC Policies & STMS Contract requirements (including card association rules)
  - Executed in quadruplicate by Agency CFO
- Merchant Card Participant Setup Form (Chain level)
  - Provides OSC, DST, and STMS with info necessary to set up various profiles, bank settlement accounts, invoicing, statement rendering, etc. for the entire agency (chain)
- Merchant Card Outlet Setup Form (Outlet level)
  - Provides setup information pertaining to each outlet, rolling up to the single merchant chain number
  - May be line of business, division, branch location, or capture method, etc.
  - A separate form is to be completed for each merchant number (outlet)
- Other Forms as Applicable
  - Wachovia Connection Setup Form – For agencies depositing funds with State Treasurer
  - POS Terminals Order Form – If Applicable (Purchase, rent, or lease)
  - ClientLine Enrollment Form – Designating users for STMS online reporting system
  - Trustwave Enrollment Form – For Self-Assessment Questionnaire / Vulnerability Scanning
  - Common Payment Service (CPS) Forms – If CPS is to provide gateway service
  - Third-party Gateway Boarding Forms – If applicable
- Routing of Forms
  - OSC obtains signatures of DST and STMS on APA
  - OSC distributes executed APA
  - OSC provides STMS the forms that require STMS action
  - OSC provides DST the forms that require DST action

Step 3 – OSC Acts on Request
- Approves or disapproves of participation
  - Determines if an eligible entity
  - Considers participant’s ability to be PCI security compliant
- Forwards appropriate forms to DST and STMS
- Involves Common Payment Service (CPS) if applicable
- Involves PayPoint gateway if applicable
- Orders POS Terminals From STMS (if applicable)
- Has DST set up bank account with Wachovia, if depositing with State Treasurer
- Sets up users on ClientLine (STMS online reporting)
- If OSC is to be administrator for Wachovia Connection
  - Sets up agency users as specified on Wachovia Connection Setup Form
  - Advises agency users of User-ID, initial password, and instructions
- Determines category of PCI security compliance
  - Enrolled in TrustKeeper at the Chain Level
  - Two options
    - Self-Assessment Questionnaire Only
    - Self-Assessment Questionnaire and Vulnerability Scanning

Step 4 – DST Acts on Request
- This step only applies if Participant is a State Agency depositing funds with the State Treasurer
  - Community Colleges generally have their own bank account for settlement, prior to depositing (transferring funds) with State Treasurer
  - Local Units of governments utilize their local depository bank
  - Colleges and local units using either Wachovia or SunTrust Bank as their depository receive next-day settlement. (All other banks are two-day settlements)
- Executes Agency Participation Agreement (APA) on behalf of the State Treasurer
- Authorizes Wachovia to establish a settlement bank account
  - Bank account is a ZBA account that sweeps to DST’s bank account
  - DST pays the fees for the bank settlement account
  - STMS is provided this bank account number, which associates each of the participant’s merchant numbers with the settlement account at Wachovia
- Assigns a CIT account on Core Banking System (CB$)
  - Accommodates certifying deposits by Agency on CMCS
  - The daily ZBA transfer (net of chargebacks) is to be certified, based on amount viewed on Wachovia Connection
  - DST maps the settlement bank account to the CIT account on CB$
  - DST advises agency via Official Depository Designation Letter when CIT account is established

Step 5 – STMS Acts on Request
- Executes APA on behalf of the STMS
- Establishes profile setup
  - Assigns a single chain number for the participant
  - Assigns individual merchant (outlet) numbers for the participant as specified on the Outlet Setup forms
- Sets up profile for each merchant number
  - Maps a settlement bank account number to each as specified on the Merchant Card Participant Setup Form
  - Sets up invoicing – as central billing or billing per merchant number
- Sets up ClientLine for participant
- Ships POS terminals as ordered

Step 6a – CPS Involvement
- If the Common Payment Service (CPS) gateway is to be utilized, participant should follow the steps outlined in the CPS Agency Work Plan Template
- Participant conducts a Security Risk Assessment (SRA) for the proposed Agency application
- Participant submits the SRA to the Office of Information Technologies Services (ITS) as part of the technical architecture review requirements
- ITS will advise of the approval of the SRA and arrange for testing
- Agency develops its application, including interface(s) to CPS, and requests ACH Profile set-up in the CPS test environment
- Agency documents test results and proceeds to next steps (Performance Acceptance Testing)

Step 6b – CPS Verification Testing
- At least two weeks prior to an application deployment, the participant must develop an Acceptance Checklist:
  - Test Plan / Script
  - CPS Security Risk Assessment (SRA)
  - Internal Agency Policies and Procedures
- OSC reviews the checklist and supporting documents and approves deployment if no issues
- Participant migrates application into production, and conducts “production verification” test
  - Using a limited number of live transactions
  - Verify settlement of funds into bank account
- If production verification is adequate, participant opens (announces) the service to the public (if Internet application)

Step 7 – Establish Business Procedures
- Familiarize employees with STMS Operating Guide
  - Face-to-face transactions (signatures, expiration dates, etc)
  - Card not-present transactions
- Obtain necessary training
  - POS terminals (if applicable)
  - POS software (if applicable)
- Obtaining Authorizations from STMS
  - Voice authorizations as backup
  - Suspected fraud – Code 10 Procedures
  - Other authorizations denied – Alternative payment options
  - Non-match of Address or Security code verification
  - Refunds (for duplicate or erroneous transactions)
- Transmitting transactions to STMS for settlement
  - Frequency and deadlines
- Responding to disputed items
  - Retention of transactions for face-to-face (18 months)
  - Resolution of card not-present transactions

Step 8 – Establish Fiscal Procedures
- Complete Internal Policies & Procedures - Template
- Viewing bank settlement account (via Wachovia Connection or otherwise)
- Recording daily settlement amount (reporting via CMCS if State agency)
- Processing Chargebacks
- Reconciling transactions captured and transmitted to STMS to settlement amount received from STMS
  - Consider multiple merchant numbers settling into a single bank settlement account
  - Determination of State funds vs. local funds (if applicable)
  - Netting out of chargebacks
- Reviewing and paying monthly invoice received from STMS
- If State agency, update Cash Management Plan

Step 9 – Obtain PCI Security Compliance
- View PCI Data Security Requirements on Websites
  - OSC and PCI Data Security Council
  - Understand difference between: Compliance, Validation, and Attestation
  - Review document “Applicability of PCI Data Security Standard”
- Address compliance from business perspective
  - Physical security, employee screening, etc.
- Address compliance from IT perspective
  - Hardware, software, firewalls, encryption, etc.
- Enroll with Trustwave to validate PCI compliance – Two Options
  - Self-Assessment Questionnaire Only
  - Self-Assessment Questionnaire and Vulnerability Scanning
- Complete PCI Self-Assessment Questionnaire (SAQ) online
  - Determine which SAQ to complete online (A, B, C, or D)
  - For multiple outlets, off-line SAQs may have to be completed (Only one online)
- If external-facing IP addresses
  - Specify the IP addresses to undergo vulnerability scanning when enrolling
  - Schedule vulnerability scans to be performed via TrustKeeper
- If third-party service provider utilized, ensure vendor’s compliance
  - Written Agreement specifying vendor’s responsibility for compliance with Standard
  - Ongoing monitoring of service provider’s compliance
  - Refer to document “PCI Validation for Service Providers”
- If a Payment Application is used for capture
  - Determine if application is compliant with PCI Payment Application Standard

Enrollment Documents
- Master Services Agreement (MSA)
- Agency Participation Agreement (APA)
- Outlet Setup Form
- CPS Security Risk Assessment-SRA
- Trustwave Validation Enrollment Form
- Agency Participant Setup Form
- Wachovia Connection Setup Form
- ClientLine Setup Form
- POS Terminal Order Form
- PCI Monitoring Online Enrollment
- Internal Policies & Procedures Template

More Information
- Office of the State Controller Web Site
- David C. Reavis, E-Commerce Manager, (919)
- Amber Young, Central Compliance Manager, (919)
- Support Services Center, (919)