about the north carolina office of the state controller

Common Payment Services Overview


What is the Common Payments Service (CPS)?

CPS is a gateway service provided by the OSC through the Office of Information Technology Services (ITS), available to a participant of one or both of the two Master Services Agreements (MSAs) that OSC offers to support the statewide "EFT/ACH processing services" and "Merchant Card processing services."

When does a participant need the services of CPS?

Participants requiring the services of CPS are those:
  • Having an internet application requiring a gateway to the processor (EFT and/or Merchant Card vendor).
  • Desiring a virtual terminal for capturing card not-present transactions, such as Mail Orders and Telephone Orders (MOTO).
  • Not having the ability to transmit ACH files directly to the originating bank (ODFI).

When does a participant not need the services of CPS?

  • In the case of ACH, the participant may have the capability of transmitting the ACH file directly to the bank, either through a direct transmission, via a VAN, or through Wells Fargo’s WebAchieve.
  • In the case of Merchant Cards, a gateway is not needed if Point of Sale (POS) terminal is the only capture method being used.
  • Participants desiring to use a third-party gateway service instead of CPS may only use one that has been pre-approved by OSC.

What are the primary functions provided by CPS for merchant card processing?

  • Processing real time authorizations
  • Processing the batch files for settlement at the end of each day

What are the primary functions provided by CPS for ACH processing?

  • Warehousing of transactions received prior to settlement date
  • Transmitting ACH files to the EFT bank on a timely basis
  • Both ACH credit (outbound) and ACH debit (inbound) transactions can be processed

What reports are provided by CPS relating to merchant card processing?

  • Authorized Merchant Card Transaction Report
  • Settled Merchant Card Transaction Report

What reports are provided by CPS relating to EFT processing?

  • Settled ACH Files Report
  • Settled ACH Transactions Report

What types of interfaces does CPS’s Application Program Interface (API) accommodate?

  • Java-based applications
  • Web service

Does CPS use any middleware to communicate with the Merchant Card Processor?

  • CPS currently uses Cybersource middleware, version 6.2. The middleware was formerly known as Paylinx.
  • ITS assumes the responsibility for keeping the middleware operational and up to date.

What type of connection does CPS have with the Merchant Card Processor?

  • Primary - Frame Relay
  • Primary Backup - Frame Relay
  • Secondary Backup - ISDN

What is the CPS Virtual Credit Card Terminal (VCCT)?

  • VCCT is a web-based application available to participants that accommodates card not-present transactions, such as Telephone Orders and Mail Orders (MOTO)
  • It is a thin client, Java based application
  • Once enrolled, User Procedures are provided by ITS
  • Password maintenance is performed by ITS

What are the fees charged by CPS?

  • Fees are set annually by the Enterprise Solution Services of ITS
  • There are no setup fees, only monthly transaction fees
  • Fees are included on the participant’s monthly ITS invoice.
  • The current fee for Merchant Card processing is $.28 per transaction (reduced from $.35 effective July 2010)
  • The fee for ACH processing is based on the monthly transaction volume. The “per item” fee ranges from $.0258 - $.08.

Does CPS create ACH files for a participant?

There are two methods ACH transactions can be received by CPS. One is through the CPS's Application Program Interface (API) on a "transaction by transaction" basis. The other method is the "batch" method, in which case the agency creates its own ACH file, using the standard ACH format, and transmits the file to CPS. Based on the date contained in the various files received, CPS then builds batches from all transactions submitted (API transactions and agency-batch transactions) and transmits one consolidated file to the ODFI.

When must ACH files be submitted to the CPS?

  • An ACH formatted file must be submitted to CPS prior to 8:00 p.m. one banking day prior to the effective settlement date.
  • The date on the file will determine the date that CPS transmits the file to the ODFI, not the date that the payment (credit or debit) will be effective (settles).
  • The effective date (settlement date for funds posting to the payee/payor’s bank account) will always be one banking day after the date on the file.

When must Merchant Card batch files be submitted to CPC?

Merchant card transactions should be submitted to CPS prior to 10:00 p.m. on the same day as authorized, in order to:
  • Receive next-day funding (if settling to a Wells Fargo account)
  • Receive the best interchange rate

What are the primary forms associated with enrolling in CPS?

  • CPS Project Implementation Plan
  • Security Risk Assessment (SRA)
  • CPS Setup Form
  • ITS Bill Code Action Form

Do new merchant card participants have to be certified as PCI Security compliant?

Yes. All new participants must be certified as compliant with the Payment Card Industry (PCI) security standards. All participants must remain compliant.

As a service provider, is the CPS considered to be PCI Security compliant?

Yes, CPS, functioning as a Level 1 service provider, undergoes an annual on-site PCI security audit by a Qualified Security Assessor (QSA). CPS was initially certified compliant in January 4, 2006, and has been certified compliant each subsequent year. The current QSA is Trustwave.

Do participants utilizing the VCCT application provided by CPS have to undergo external vulnerability scanning by Trustwave?

The PCI Security Council has not given definitive guidance on the issue of “virtualization.” While there are some vendors claiming that virtual terminal applications do not require the merchant to undergo external vulnerability scanning, most Qualified Security Assessors (including Trustwave) now advise that they do.

In 2009, Trustwave revised its previous position regarding virtualization applications and gave the following guidance: Virtual terminals—web applications that a merchant enters credit card data into—still leave the merchant with PCI compliance burdens.  A merchant in this case is involved with the transmission of cardholder data since they take the card number and enter it into the web application.  Although storage is not involved at the agency level, if cardholder data is being transmitted over public (external facing) IP addresses in an agency’s control, then those IP addresses are in scope for PCI vulnerability scanning. To validate compliance, virtual terminal applications require at least SAQ C (if the PC terminal is a stand-alone terminal not connected to any other system), and often SAQ D (if the PC terminal is connected to other systems). Therefore, agencies utilizing the Virtual Credit Card Terminal (VCCT) offered by the Common Payment Service (CPS) should enroll in the vulnerability scanning service provided by Trustwave.

Who should be contacted for technical questions pertaining to CPS?

Call the ITS Service Desk at 919-754-6000 (or toll free 800-722-3946) and request technical information pertaining to CPS.  

What other information regarding CPS should be consulted?

The power point presentation entitled “CPS-101” found on the SECP site should be viewed.