Attachment 2: Merchant Card Services


Overview

The County's primary purpose in seeking proposals for merchant card services is to provide a variety of card payment options and services to County customers at the lowest cost. The County also observes that service options and technologies in the merchant card industry are changing and will likely continue to change for some time. So, secondarily, it will seek to engage a Bank that shows an ability to help the County meet the expanding demand for payment options in this environment, while assisting us in maintaining records in a cost efficient manner.

Program Activity

The County currently has 16 active merchant identification numbers. In 2012, the County received over 21,000 receipts with a total dollar amount of $778,863. VISA accounted for approximately 79% of the total sales amount, MasterCard 20%, and Discover 1%. Acting as a Minnesota deputy registrar, the County has also added processing of motor vehicle transactions which are managed through a State merchant ID. The County foresees the possibility in the future that its level of merchant card activity could increase through the addition of merchant IDs and on-line permits and sales.

Payment of property taxes may be made by e-check or merchant card on-line, available through a third-party vendor that collects the payments for the County. The vendor collects a convenience fee in addition to the full tax amount and remits the full tax amount to the County. In 2012, we collected 3,394 e-checks totaling $9.6 million and 1,122 credit card payments totaling $1.8 million. VISA accounted for approximately 63% of the dollar amount of these remittances.

Cardholders presenting cards to County staff continues to be the primary method of card use. In some locations, the card is swiped at the point of sale by the customer. In other locations, the County staff enters card information into a merchant services portal or terminal, primarily for customers on the telephone. The County library accepts in-person payments for fees and fines at their self-service terminals.

Settlements and charges for all merchant IDs are currently settled to two bank accounts as a miscellaneous transaction on a next-day basis.

I. PROVIDER INFORMATION

Provider Experience

1. The Provider must currently be engaged in the business of processing credit/debit card transactions, and maintain a volume of transaction processing that exceeds 50,000 transactions per year.

2. The Provider must have been engaged in the business of processing credit/debit card transactions for not less than three (3) years, two (2) of which must include providing such services to governmental entities. Please state the number of years that you have been providing these services.
3. Banks/Providers must demonstrate the operational and technical capacity to process the County's merchant card needs efficiently, accurately and timely every day without interruption.
4. Banks/Providers must provide assurance that the key persons assigned to the account have the relevant qualifications, experience and capability required and that the identified key staff, or similarly qualified persons, will be available for the duration of the Agreement.

II. CORE MERCHANT SERVICES

5. Does the Provider act as its own processor or does it use the services of a third-party processor? If a third-party processor is used, for how long has the Bank/Provider had a relationship with this institution?
6. Does the key person(s) listed in #4 act as liaison between the third-party processor and the Provider? Describe standard procedure for customer service requests or disputes and the expected response times.

Authorization

7. Describe the authorization method(s) you would recommend for the County. List and describe alternatives.
8. What are the procedures to reverse an incorrect authorization?
9. Does software flag transactions that may have been authorized but not settled (not captured in batch for whatever the reason may be)?

Settlement

10. Are gross settlements credited to the County's bank account daily? Are they settled by merchant ID? Can they be settled to more than one account?
11. How are the costs to the County settled at month-end, by merchant ID, by type of cost, etc.? Can they be settled to more than one account?
12. For which card brands and payment options do you provide next-day settlement?
13. What are the settlement schedules for other card brands and payment options that are not next-day?

14. What is the daily cut-off time that transactions must be transmitted to meet next-day settlement?
15. By what method is settlement made, e.g., direct account credit, ACH or Fed wire?
16. How will settlement amounts be listed on the bank statement, as individual transactions, by brand type (Visa, MasterCard, etc.), in summary by merchant identification number?
17. Will Saturday and Sunday activity be combined into Monday activity?

Ticket Retrieval and Chargebacks

18. Describe the ticket or transaction retrieval request process and turnaround time.
19. What percentage of chargebacks is handled without merchant involvement?
20. Will you provide a designated contact person or a department to help the County manage chargebacks?
21. Are credit card chargebacks and other debit adjustments netted from daily settlements, or are they debited separately?
22. Do you have the capability to store and retrieve transaction information? If so, is this information accessible by the County online?
23. Would you require the County to maintain a reserve/setoff balance in a designated account as part of a merchant card services agreement?
24. Do you follow card association rules that call for the full return of interchange to the merchant for returns, reversals and chargebacks?

Processing

25. Do you support BIN (Bank Information Number) file management to differentiate between debit card and credit card transactions?
26. Describe your debit card processing capabilities. Which networks can you use to support both PIN-based and signature-based transactions? How have you implemented differential pricing in the aftermath of the Durbin Amendment?
27. Please describe how you would support a program for lowest cost routing for debit cards.
28. What process do you use to ensure that transactions qualify for the lowest interchange category? Do you provide a periodic review of account activity to help the County departments identify opportunities to improve qualification rates?
29. Does your processing system identify and eliminate duplicate transactions?

30. Do you offer processing solutions that perform:
    a. Deferred billing?
    b. Installment billing?
    c. Recurring billing?
31. Do you provide Address Verification Service?
32. Do you support CVV2 (Card Verification Value 2)?
33. Is data imaging (e.g., signature capture) available? If so, describe your capabilities.
34. Are you able to process smart card (or mobile NFC) tap or proximity transactions? If so, describe.
35. Are there limitations on the number of transactions:
    a. Contained in a batch?
    b. Processed daily?
36. Are there limitations on the number of files transmitted each day?
37. What is the average number of transactions you currently process daily? What is the greatest number of transactions processed in an hour? How does that compare to your current capacity?
38. How do you work with proprietary or non-standard POS systems to partner with you for credit card processing? Do you negotiate and pass through rates that conform with the agreement rates or do you pass through transmitted rates?
39. Can you process Minnesota Electronic Benefits Transfer (EBT) card transactions?
40. List all alternative payment providers such as PayPal, Bill Me Later, Secure Bill Pay that you can process payments for?
41. Describe in a narrative the processes, products, services and technologies that your Bank can currently deliver that would permit the County to build a broader, more flexible platform of payment options for its customers. Also describe any processes or services that are now in development.

PCI DSS and Data Security Compliance

42. Provide documentation for all involved parties providing services demonstrating that the software accepting and processing payments via credit card, debit card or pre-paid card is compliant with the Payment Application Data Security Standard (PA-DSS). The compliance must be current (certification within past 12 months). You must be included on PCI SSC's list of Validated Payment Applications. You must agree to demonstrate compliance annually or upon request of Washington County.
43. Has the Bank been certified as compliant by a qualified third-party assessor? Please name the assessor.
44. Please provide reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls and dataflow used to receive, transmit, store and secure cardholder data. Does documentation conform to PCI DSS standards? Can this documentation be provided at time of agreement and updated as needed throughout the duration of the agreement?
45. Identify your Bank's PCI DSS support structure, including the compliance team, their backgrounds, and professional certifications. How does your organization support your merchants' PCI DSS compliance efforts?
46. What resources are available to the County for assistance with PCI DSS compliance? Who is the customer contact for PCI DSS compliance the County can refer to for questions? Is there an additional charge for this assistance?
47. Are magnetic stripe data (track data) or PIN (Personal Identification Number) blocks stored on any system? If the Bank or its systems store primary account numbers (PANs), the storage must be encrypted and protected.
48. The Minnesota Plastic Card Security Act (Minnesota Statutes section 325E.64) prohibits any person or entity conducting business in Minnesota from storing payment card data after a transaction is authorized, or in the case of PIN debit transactions, for more than 48 hours following authorization. Describe how you erase or destroy all media under your control which may not be retained pursuant to this law.
49. Please describe how your systems protect data from unauthorized access.
    a. How do you prevent anyone other than the County or its authorized employees from monitoring, using, gaining access to the County's data?
    b. Do you periodically test and re-evaluate the effectiveness of such precautions?
    c. How will you notify the County within 24 hours, if such controls or precautions are violated?
50. Please describe your system(s) password policy including character length and requirements, and frequency of required change.
51. Do you deliver any systems or databases for electronic payments with default settings that must be configured to be unique to the County? If so, please list and describe.
52. Are the payment applications isolated and secure so that no other unnecessary or insecure services share systems infrastructure?

53. If you access any of the point-of-sale solutions within the County remotely:
    a. Describe controls in place to prevent others from accessing the County's system or data (use secure remote access methods and no use of common or default passwords).
    b. Provide information regarding who has access, why access is needed and how often remote access is made.
54. Describe how all systems and databases that are part of the point of sale system are kept up to date with patches and all applicable security updates. Confirm that this can be done within one month of release of the patches or updates.
55. Describe appropriate logging capabilities for systems and databases. Are logs turned on and current?
56. In the event that security vulnerabilities are identified, describe how you will promptly notify the County and how you will provide instructions to mitigate risk of that vulnerability being exploited. Please describe how you will provide a patch release or security update within 48 hours of a security vulnerability being discovered, and how you will provide support as necessary to properly deploy the patch or security update.
57. Describe how the solution can support the requirement to support end-to-end traceability of a transaction, regardless of the number of vendor "partners" involved. Describe the security measures used to prevent unauthorized user access to either the system or the data.
58. How does your firm assign PCI assessment levels at the client level? By location? In aggregate? Do you require a compliance certificate and network scan from Level 4 PCI merchants? How do you notify clients of certificate expiration?
59. How do you support clients who have experienced a PCI DSS violation? Provide examples.
60. Do you recommend or require the adoption of particular technologies or services to assist in PCI DSS compliance? Please list and describe.

Technical

61. Describe the various processing solutions available for the different County card acceptance environments (in-person payments, on-line tax payments with convenience charge added, telephonic interactive voice response, standard swipe machines, virtual terminals, parking payment machines, unattended kiosks). Provide system specifications, if appropriate.
62. Does your processing software support Purchasing Card Levels II and III?
63. What authorization methods do you support and which do you recommend for each processing channel?

64. List any processor-specific hardware needed to support these authorization options.
65. What equipment do you recommend we obtain for processing? Can the County use already deployed equipment? Do you provide this equipment for lease/sale? Provide pricing details. What is your maintenance and/or replacement policy for this equipment? Will you make available an equipment conversion fund to replace our existing terminals and/or processing equipment?
    Current Credit Card Equipment:
    Hypercom T7P-T
    Hypercom T4210 Dial
66. Describe your recommended transmission method for each processing channel (e.g., dial, lease line, batch, real-time, Internet, etc.).
67. Describe the monitoring and notification process if a transmission fails.
68. Provide your average response times for dial and lease-line authorization methods during both peak and normal periods. Provide the same data for your online card processing services.
69. Describe the security measures used to prevent unauthorized user access to either the system or the data. If applicable, please indicate if there has ever been a compromise to any credit card systems or applications through a security breach. If yes, explain the process your company took to notify customers, the steps taken to protect customer's data and the safeguards put in place to prevent it in the future.
70. Do your systems have the capability to create files that can be transmitted into our JD Edwards E system, if the County should desire that?

Reporting/Inquiry

71. Describe the daily and/or monthly reconciliation reports available to the County.
72. Provide samples of standard reports, including detail and summary reports, and describe available formats and how long they are available? What are the costs associated with each format?
73. What is the standard delivery time frame?
74. What delivery methods are available (e.g., mail, , on-line, fax)?
75. Describe ad hoc reporting capabilities.

76. Describe how multiple merchant numbers are reported and the flexibility afforded the County for customizing the reports. Can the County roll up specific groups for reporting independent of others?
77. Is historical information regarding sales, refunds, and chargebacks maintained in a database for access by the merchant? For how many months may historical data be retrieved?
78. Describe the training available to new recipients of your reports.
79. How many County employees will the Bank permit to access on-line reporting? Do you require unique user identification? If so, is there a charge for additional users? Would the County have the capability of creating a System Administrator account to access on-line activity reports for all merchant IDs?

Conversion and Implementation

80. Provide a copy of all proposed agreements, including the contract that will need to be in place prior to the implementation of merchant card services.
81. Provide a typical implementation task list and time frame showing both your tasks and the County's. Also provide a timeline for on-going requests for new accounts.
82. What are the typical problems a customer should expect to encounter during a conversion and how might they be minimized?
83. What costs are associated with the conversion?

III. FEES

84. How is the applicable interchange fee determined for each transaction? By how much does the Bank's fee exceed Visa/MasterCard's stated interchange assessment?
85. Please list any other fees (Merchant IDs, online users, PCI compliance, etc.) that apply to this relationship.
86. Provide a sample statement showing the level of detail that is provided.
87. Is there an analysis statement of monthly fees available, similar to the AFP's general banking fees?