PCI & Merchant Services Town Hall

PCI & Merchant Services Town Hall, March 10, 2020

Transcript of PCI & Merchant Services Town Hall

Page 1: PCI & Merchant Services Town Hall

PCI & Merchant Services Town Hall, March 10, 2020

Page 2: PCI & Merchant Services Town Hall

Agenda

● PCI Compliance
● PCI Compliance Requirements
● Merchant Service Transition
● BB&T, now Truist Presentation
● Q&A

Page 3: PCI & Merchant Services Town Hall

PCI Compliance: What is it?

● PCI DSS (Payment Card Industry Data Security Standards) are applicable to:
  ○ all merchants who process, transmit, or store cardholder data, regardless of the size or number of transactions.
  ○ all third-party service providers.
● The payment brands (e.g., VISA, MasterCard), as well as the acquiring banks (e.g., BB&T, now Truist) are responsible for enforcing PCI compliance.

Page 4: PCI & Merchant Services Town Hall

PCI Compliance: What is it?


Page 5: PCI & Merchant Services Town Hall

PCI Compliance: What is it?

● UMD is a Level 2 Merchant: We processed 2,059,229 million card transactions annually through all channels (card present, card not present, eCommerce).

● Merchants who are considered Level 2 must do the following:
  ○ Complete an Annual Self-Assessment Questionnaire (SAQ).
  ○ Complete quarterly network scans by an ASV.
  ○ Complete the Attestation of Compliance Form.

Page 6: PCI & Merchant Services Town Hall

PCI Compliance: Why is it important?

● $115,602,239
● A data breach of our PCI environment could force UMD to stop accepting credit cards.
● Fines for being out of compliance may cost us as much as $100,000 a month.
● Suspension of merchant account(s).
● PCI Compliance is not optional.

Page 7: PCI & Merchant Services Town Hall

PCI Compliance: UMD Compliance Status

● We are currently NOT in compliance.
● Remediation effort & timeline:
  ○ Established PCI Governance Committee
  ○ Developed and Issued PCI Compliance Guidance & IT PCI Standards to campus (completed in Dec 2019)
  ○ Procedures and guides will be created by PCI Governance Committee
  ○ Requested an extension to BOA and VISA
  ○ We are reporting monthly updates to BOA and VISA
  ○ Contracted a QSA to perform our AOC
  ○ July 2020 is our deadline to be PCI Compliant.

Page 8: PCI & Merchant Services Town Hall

PCI Compliance Requirements

● Complete annual PCI DSS security training.
● Annual inventory and POC confirmation of your PCI Environment.
● Quarterly external vulnerability scans are required by PCI/DSS standards.
● Obtain annual attestation to confirm your third party vendor is PCI Compliant.
● Maintain internal documented standards and procedures.

Page 9: PCI & Merchant Services Town Hall

PCI Compliance Requirements

● All MIDs will be centrally administered by the Office of Student Financial Services and Cashiering.

● Departments are required to use:
  ○ Nelnet eCommerce: exceptions need to be approved by the PCI Committee.
  ○ 3rd party Web systems that will keep your department’s credit card process out-of-scope.
  ○ Use P2PE technology for terminals and POS devices.

● Limit who can see credit card information.
● Limit access to credit card data.
● Limit cardholder data in physical locations.

Page 10: PCI & Merchant Services Town Hall

Merchant Services Transition

● State merchant service contract awarded to BB&T, now Truist in Spring 2019

● All BAMS MIDs to be reissued by BB&T, now Truist - eCommerce and Terminals


Page 11: PCI & Merchant Services Town Hall

Merchant Services Transition


Conversion deadline: September 2020

Page 12: PCI & Merchant Services Town Hall

Contacts and Resources

● Conversion questions:
  ○ Tara Renaghan [email protected] x50699
● PCI questions:
  ○ Email: [email protected]
  ○ PCI Guidelines: https://finance.umd.edu/financial-services/cash-management-reporting

Page 13: PCI & Merchant Services Town Hall

Project Overview

Page 14: PCI & Merchant Services Town Hall

• Kickoff
  • Current State Assessment
  • Identify the products used today
  • Include other stakeholders/partners

• Planning
  • Provide expectations of timeline and develop a roadmap
  • Decision making on new products/integrations
  • Staging the files to prepare for Onboarding

• Execution
  • Onboard the new accounts
  • Order new products, gateways, etc.
  • Welcome emails/training

• Monitoring
  • Provide support for testing and “Go Live” date
  • Quality assurance review for first 30 days of processing
  • Track progress to determine when to close the old BAMS accounts

• Closing
  • Your relationship manager provides ongoing support

Page 15: PCI & Merchant Services Town Hall

Ingenico

Page 16: PCI & Merchant Services Town Hall

Ingenico Overview

▪ Founded in 1980

▪ Headquartered in Paris / 88 Locations

▪ 6,000 Employees / 74 Nationalities

▪ 30 Million Terminals Installed

Page 17: PCI & Merchant Services Town Hall

Tetra Line

Page 18: PCI & Merchant Services Town Hall


Multiple Device Options

• Desk/3500

• Desk/5000

• iPP315

• Move/5000

• Lane/3000

• Lane/5000

• Lane/7000

• Lane/8000

Page 19: PCI & Merchant Services Town Hall


Two Desk models to meet merchant’s needs

Desk/3500 Desk/5000

Page 20: PCI & Merchant Services Town Hall

Desk/3500 vs Desk/5000

Desk/3500 Key arguments

Maximized network connectivity:
• Offer the optimized solution for any existing infrastructure

Enhanced user experience:
• Best-in-class user experience with a user-friendly and intuitive interface

Improve transaction flows with ergonomic NFC design:
• Queue buster, boosting contactless and NFC use through smart ergonomics

Compatible with latest security standards:
• PCI-PTS 5.x certified, ensure a long-term investment to securely accept payment

Desk/5000 Key arguments

Enriched business apps with innovative capabilities:
• Offer rich web-based applications using HTML5 technology
• Open the terminal to the rich HTML5 Apps developer world to generate additional revenues.

Accept any payment method:
• Support multiple methods of payment

Page 21: PCI & Merchant Services Town Hall


Desk/Series – Enhanced User Experience

Best-in-class user experience, featuring a color display and large friendly backlit keypad in an optimized footprint at counter

Page 23: PCI & Merchant Services Town Hall


iPP315

▪ Secure payment acceptance at checkout

▪ Accepts EMV, magstripe and NFC/ contactless payments quickly and easily

▪ Connects with Ingenico Desk series terminals with a single USB cable

The multi-payment PIN Pad that simplifies checkouts

Page 25: PCI & Merchant Services Town Hall


Move/5000 Optimized Battery Life

A battery life allowing merchants to sell all day long, without interruptions

Page 30: PCI & Merchant Services Town Hall

Authorize.Net

Page 31: PCI & Merchant Services Town Hall


Authorize.Net Overview

Authorize.Net is a known leader in the ecommerce space, and BB&T is proud to be a trusted authorized reseller. The Authorize.Net payment gateway allows customers to make payments on your website; integration can be as simple as a “Pay Now” button or completely customized to fit your website needs.

Features:

▪ Simple Checkout for “Pay Now” or “Donate Now”

▪ Accept Suite API integrations, which includes SDKs, developer documentation, and sandbox accounts
  ▪ https://developer.authorize.net/ for more information

▪ Advanced Fraud Detection suite with filters to flag or halt transactions such as billing/shipping mismatch, velocity, and more

▪ Customer database

▪ Recurring billing with tokenization

▪ Invoicing

▪ Account Updater

▪ eCheck processing

▪ Mobile add on option

Page 32: PCI & Merchant Services Town Hall


Questions