about the north carolina office of the state controller

Merchant Card Program Overview

What are the basic types of Merchant Cards?
  • Credit Cards
    • Bank Cards (Issued by banks)
    • Travel & Entertainment (T&E) Cards (Proprietary Cards)
  • Debit Cards
    • PIN (Online / Real-time)
    • Signature (Offline / Batch)

What other types of cards are there?
  • Smart Cards (Contain embedded chip)
  • Electronic Benefits Transfer (EBT) Cards
  • Procurement Cards

Who are the players in a Merchant Card transaction?
  • Consumer / Cardholder - (Citizens or Taxpayer)
  • Merchant - State agency
  • Acquiring Processor - Facilitates authorization and settlement
  • Interchange Network - Credit Card Associations (i.e., Visa, MasterCard)
  • Card Issuing Bank - Bank that issued card to consumer
  • Merchant Bank - Depository Bank (e.g., State Treasurer’s bank)
  • Gateway Service - Middle party used to accommodate internet captured transactions

What are the basic types of Capture?
  • Card-Present
    • Credit or Debit
    • Point of Sale (POS)
    • ATM (Debit Cards)
    • Card is swiped, not keyed
    • Lower Risk / Lower Fees
  • Card Not-Present
    • Credit Card only
    • Mail Order / Telephone Order (MOTO)
    • Internet Order
    • Card info is keyed, not swiped
    • Higher Risk / Higher Fees

Who is the current OSC’s Master Services Agreement (MSA) with?
SunTrust Merchant Services, supported by First Data Merchant Services Corporation.
 

What types of bank accounts are needed to settle merchant card transactions?
  • For State Agency participants using the OSC’s MSA, each agency has a settlement account that is designated as a Zero Balance Account (ZBA). On settlement date, funds are credited to the account, with the total of the funds being swept to the State Treasurer’s account that night.
  • For non-State participants using the OSC’s MSA (e.g., local units of government), funds are credited to a settlement bank account controlled by the participant.

Who has the responsibility for reconciling settlement bank accounts?
It is the participant's responsibility to reconcile the bank accounts timely. Statements are sent directly to the participant monthly. Wachovia Connection can be used to reconcile on a more frequent basis.
 

What systems do participants use to view / reconcile transactions?
  • MyClientLine - Web-based system provided by First Data Merchant Services Corporation allowing the participant to view card activity. FDMS' Technical Support Services is the administrator, establishing users and assigning functions, and performing password maintenance. (Email: support@myclientline.net)
  • Electronic Integrated Dispute System (EIDS) - Web-based system provided by First Data Merchant Services Corporation allowing the participant to manage and respond to chargebacks. You must sign up for MyClientLine to also have EIDS. FDMS' Technical Support Services is the administrator, establishing users and assigning functions, and performing password maintenance. (Email: support@myclientline.net)
  • Wachovia Connection - Web-based system provided by Wachovia Bank allowing the participant to view settlement activity in the bank settlement account. For State Agency participants, OSC is the administrator, establishing agency users and assigning functions, and performing password maintenance. (Email: OSC.secp.info@ncosc.net)
  • Cash Management Control System (CMCS) - System provided by OSC to State agencies to report credit card deposits. Amounts reported are to be the total of the amount swept, as viewed on Wachovia Connection, one day after settlement.
  • Core Banking System - System provided by DST allowing State agencies to view their CIT bank account activity, which reflects both the daily amount swept to the State Treasurer's bank account and the daily amount certified by the agency on CMCS. (Email: CBS.Help@nctreasurer.com)
     

What types of fees are involved in Merchant Card processing?
  • Processing Fees (Invoiced monthly by SunTrust Merchant Services)
    • Interchange Fees - Passed on to Visa and MasterCard (Depends upon capture method and the "Merchant Category Code" assigned to the transaction.)
    • Assessment Fees - Passed on to Visa (.0925%) and MasterCard (.0950%)
    • Network Switch Fees - Applies to debit card transactions
    • Merchant Service Fees - Paid to SunTrust / First Data ($.04 per transaction)
  • Gateway Service Fees (If Applicable)
    • Common Payment Service ($.35 per authorization, void, return) Included on agency’s monthly ITS invoice.
    • Third-party Gateway Service (As contracted)
  • Equipment and Supplies (POS terminals, etc.)
    • Can be purchased, rented or leased
    • Available from SunTrust Merchant Services
  • Depository Bank Fees (Maintenance, Deposit activity, online reporting, etc)
    • State agencies - Absorbed by DST
    • Non-State agencies - Per arrangements with bank
  • PCI Validation Service Fees
    • Annual Self-Assessment Questionnaire through Trustwave - Absorbed by OSC
    • Vulnerability Scanning o0f external facing IP addresses by Trustwave (if applicable) - Absorbed by OSC
    • On-site security assessments or forensic investigation services that may be obtained - Paid by the agency

What are Merchant Category Codes?
A Merchant Category Code (MCC) is a 4-digit classification code used by the bankcard industry to identify a merchant's predominant business activity.  It is assigned by the acquiring card processor and is used partially to determine the interchange rate (along with the capture method).  The best MCC for the State's participants are as follows: 1) Visa - 2038 CPS/Retail 2 (also referred to as Emerging Markets); 2) MasterCard - 3020 Public Sector.
 

How is funding made for Merchant card fees?
Participants are responsible for identifying funding sources prior to participating in the MSA. When General and Highway fund appropriations are to be used, the state entity must obtain approval from the Office of State Budget and Management (OSBM) on the availability of an appropriation. State agencies should refer to the OSC policy established pursuant to G.S. 147-86.22.
 

Can transaction fees be charged to consumers paying by merchant card?
Transactions fees may be charged only under certain conditions, pursuant to G.S. 66-58.12 and G.S. 147-86.22. Agencies desiring to charge consumers a fee (convenience fee), must adhere to the policy established by OSC, including abiding by all Visa and MasterCard association rules. Reference should be made to the policy.
  • Transaction fees can be charged:
    • For transactions initiated only through the Internet or other electronic means.
    • Must be approved by OSBM in consultation with the State CIO and Gov Opts.
    • Fees must be deposited to a special non-reverting budget code, and only be used for e- commerce initiatives and projects.
  • Transaction fees cannot be charged:
    • For transactions initiated face-to-face (i.e., POS terminals)
    • For mail order or telephone orders (MOTO)
  • Convenience fee rules vary from association to association.
    • Visa allows a convenience fee for "card-not-present" transactions if the fee is a "flat fee."  MasterCard, on the other hand, allows the convenience fee to be either a "flat" fee or a "percentage-based" fee.
    • In addition, both associations do not allow a fee to be charged for card-not-present transactions unless the same fee is charged for all like transactions (e.g., ACH bank drafts and card transactions initiated through the web).

Can travel and entertainment cards be accepted?
  • OSC issued a policy dated December 15, 2006 entitled, "Types of Merchant Cards Accepted," which addresses proprietary cards (e.g., American Express and Discover), also referred to as T&E cards. The policy specifies that a participant may accept proprietary cards, but must either enter into an agreement directly with the proprietary card company or participate under a master agreement that OSC may enter with the company.
  • The OSC policy allows each participant to make its own determination regarding which proprietary cards it will accept, and allows the participant to be selective as to which types of receipts it will accept proprietary cards.
  • On December 15, 2006, OSC entered into a master agreement with American Express (Amex). Reference should be made to the American Express Cards Overview section for information regarding enrollment with Amex.
  • On February 1, 2008, OSC entered into a master agreement with DFS Services, LLC (Discover Network). Reference should be made to the Discover Network Card Overview section for information regarding enrollment with Discover Network.
  • Participants receive a monthly invoice directly from the proprietary card company for the discount fees, which is in addition to the fee of $.04 per transaction charged by STMS for processing a proprietary card transaction.
  • Participants should be aware that settlement of the funds is normally two banking days after the card is processed, not “next day” settlement as is the case for Visa and MasterCard. The participant must develop procedures to accommodate any reconciliation irregularities that the delayed settlement causes.
  • If desired, STMS can block certain merchant numbers from processing T&E cards, to prevent inadvertent acceptance.

What are the different capture methods used for merchant cards?
All merchant card transactions captured by an agency must be transmitted to the merchant cards services provider.
  • POS Terminals
    • Stand-alone terminal – with analog telephone line
    • POS terminal using POS Software - on network & servers
  • Web-based – using CPS Gateway (Refer to CPS information)
    • Interface with agency’s Web application
    • Virtual Terminal Solution - For Mail Order and Telephone Order (MOTO)
  • Web-based – using a Third-Party Gateway (Requires approval from OSC)
  • Yahoo! Store – NC@YourService

When is a gateway service not needed?
When the only capture solution offered by an agency is a Point of Service (POS) terminal, a gateway service is not needed, as the transmission is directly with the merchant card services provider.
 

When is the Common Payments Service (CPS) appropriate for use?
CPS is a service available through the Office of Information Technology Services (ITS), performing a gateway service. Merchant card transactions routed through CPS are submitted to the Merchant Card Service provider. Two options for merchant card processing are available through CPS:
  • Participants can transmit merchant card transactions captured via an agency-operated capture system (computer or web-base application).
  • Participants can transmit merchant card transactions captured through the CPS Virtual Terminal.

When is NC@Your Service appropriate for use?
The NC@YourService is a self-contained solution, provided by Yahoo! Stores, that is suited to the sale of commodities or goods, such as books, tickets, and registrations. The solution provides:
  • A catalog-based inventory.
  • Web capture of transactions.
  • Authorization of merchant card transactions with the MSA provider.
  • Settlement of the transactions with the MSA provider.

What is the PCI Data Security Standard?

The PCI Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures associated with credit card account data. This comprehensive standard is intended to help organizations proactively protect customer credit card account data that is either stored, processed, or transmitted. All merchants, regardless of the annual transaction volume (merchant level assigned), are required by the various card brands (i.e., Visa, MasterCard, American Express, Discover, and JCB) to follow the standard. Merchants not adhering to the standard are subject to substantial fines levied by the card associations. Each merchants is required to validate that it is complaint with the Standard, depending upon the card capture method it utilizes. Participants in the State's MSA with SunTrust Merchant Services are required to enroll in a service provided by Trustwave that facilitates the process of validating the participant's compliance. Reference should be made to the PCI Compliance web page that explains the Standard in more detail.
 

What merchant card data must never be stored?
It is never acceptable to retain or store magnetic stripe data subsequent to transaction authorization. It is never acceptable to retain or store the security code numbers (CVV2 or CVC2) subsequent to transaction authorization. Cardholder name, account number, and expiration date may be retained subsequent to transaction authorization, however the data must be encrypted. These are requirements of the PCI Security Data Standard.
 

What is the difference between a "chain" and an "outlet?"
The term "chain" refers to the "participant," and each participant is assigned a single "chain number" by STMS. The term "outlet" refers to either an operation, application, or division associated with the participant. A participant (chain) may have multiple outlets, with each outlet being assigned a "merchant number" by STMS. Generally, the transactions for all outlets (merchant numbers) associated with a chain settle into the same settlement bank account. STMS invoicing can be at either the merchant number level, or it can "roll-up" all merchant numbers to the chain level. Chain numbers and merchant numbers are both 12-digit numbers.
 

What are the differences between a "Merchant Number," a "Merchant ID," and a "Terminal ID?"
STMS assigns a 12-digit numeric number to each outlet, which is sometimes referred to as the "outlet number" and sometimes as the "merchant number." Additionally, STMS assigns one or two other identifiers that are associated with an outlet (merchant) number. These two identifiers are both 7 characters in length (alpha/numeric), and are assigned according to the "platform" the transactions are processed on at STMS:
  • Merchant ID (MID) - Associated with the capture method - Only one MID per merchant number.
     
  • Terminal ID (TID) - Associated with the capture device (terminal, application, or gateway) - Could be multiple TIDs per merchant number. In addition to the TID, a POS terminal will also be assigned a "terminal serial number."

Are procurement cards considered merchant cards?
No.  The procurement card program is administered by the Purchase and Contract division of the Department of Administration.