Oregon State Treasury

Tobias Read OREGON STATE TREASURER

Merchant Cards

GENERAL INFORMATION

Merchant Card Services Overview
Agency Readiness
Implementation

PROCESSING OPTIONS

Card-Present Processing Options
Card-Not-Present Processing Options

PROTECTING CARDHOLDER DATA

Payment Card Industry Security Standards
Payment Card Industry Security Standards Council
PCI Data Security Standard
Payment Application Data Security Standard
PCI PIN Transaction Security Requirements
PCI Point-to-Point Encryption Standard
Visa Global Registry of Service Providers
What to Do If Cardholder Data Is Compromised

OTHER RULES AND REGULATIONS

Agency Merchant Agreement
U.S. Bank/Elavon Operating Guide
Treasury Policies
Oregon Accounting Manual
OSCIO Enterprise Security Office

RESOURCES

GENERAL INFORMATION

ORS 293.875 designates the State Treasurer as the sole banking and cash management officer for the state. Via that designation, Treasury has broad authority to review, establish, and modify policies and procedures for the efficient handling of cash and cash equivalents under the control of all state agencies, including universities. Treasury acts as the bank for all state agencies, contracting with private banks and financial service providers to deliver a variety of cash management services to those agencies.

Additionally, Treasury negotiates with our financial service providers to offer a variety of optional cash management services that agencies may choose to utilize. Via our negotiations with our providers, we ensure that all public depository and other regulatory requirements for these services are met. For these optional services, agencies may choose to contract with other vendors as long as normal contracting processes are followed and Treasury's Third Party Vendor Requirements (FIN 214) are met.

Merchant Card Services Overview

The acceptance of credit and debit cards is one way to facilitate electronic payments through all payment channels—point-of-sale (POS), mail order or telephone order (MOTO), and online—allowing agencies to shift away from a paper-based environment while improving cash flow, service to their customers, and operational efficiencies. 

Treasury administers the statewide Master Agreement for Merchant Card Services with U.S. Bank/Elavon. This agreement covers acceptance of Visa, Mastercard, Discover and American Express. Managing this contract on an enterprise basis allows agencies to benefit from volume pricing and ensures compliance with ORS 293.265 and ORS chapter 295. Agencies that wish to accept merchant card transactions for payment of goods and services are required to execute an Agency Merchant Agreement between Treasury, the agency, and U.S. Bank/Elavon.

In addition to contract administration, Treasury provides the following merchant card–related services to agencies.

  • Meets with agencies to understand business objectives and discuss cost benefit considerations to facilitate decision-making about and effective use of desired merchant card acceptance methods.
  • Serves as liaison between merchant card service provider and agencies to coordinate the implementation of merchant card services and to address ongoing questions and issues related to merchant card acceptance.
  • Coordinates and/or provides training and education about payment card processing and card data security.
  • Oversees compliance with statutory, payment industry, and regulatory requirements.

Agency Readiness

Readiness for acceptance of merchant cards involves changing or enhancing established business and technical processes and requires the commitment and support of those responsible for your agency’s business, budgetary, and technical processes. Before implementing a merchant card acceptance solution, agencies should take time to evaluate their customer base and current processes and determine their staff capacity and commitment in implementation and the possible development of new back office processes for processing and protecting cardholder data.

Before deciding to implement a merchant card acceptance solution, contact Customer Solutions. Customer Solutions will meet with your agency to review the following material to help you understand your agency’s liabilities and responsibilities prior to finalizing your decision about implementing and maintaining a merchant card acceptance program.

  • Treasury policies
  • Merchant Card Services Agreement Terms and Conditions
  • Merchant card acceptance processing methods
  • Merchant card processing fees
  • Merchant account set up requirements
  • Payment Card Industry Security Standards
  • Treasury third party vendor requirements

Implementation

Customer Solutions will assist in the implementation of merchant card acceptance solutions. The implementation timeline and the resources required vary with the solution selected. Each agency that participates in Treasury’s merchant card acceptance program is required to execute an Agency Merchant Agreement between Treasury, the agency, and U.S. Bank/Elavon, and to have the resources available to ensure ongoing compliance with card association rules and the Payment Card Industry Data Security Standard (PCI DSS).

Steps to implement merchant card acceptance solutions include the following:

  • Selecting a merchant card acceptance processing method
  • Executing an Agency Merchant Agreement
  • Attending training for merchant card processing best practices and security requirements
  • Completing a Merchant Account Request Form
  • Completing applicable PCI DSS Self-Assessment Questionnaires validating compliance with the standards
  • Establishing and maintaining merchant card acceptance policies and procedures
  • Completing Treasury’s Third Party Vendor Qualification Application, if applicable

Contact Customer Solutions for more detailed information about merchant card acceptance implementation requirements for your desired solution.

PROCESSING OPTIONS

The decision about which merchant card acceptance processing method to use to capture and transmit merchant card activity is generally that of the agency and can be based on a variety of budgetary, regulatory, and programmatic considerations. Additionally, the options available for selection depend on whether the acceptance of credit and debit cards is for card-present or card-not-present transactions. Customer Solutions is available to assist agencies in outlining the various considerations, including PCI DSS compliance scope reduction, when determining a solution that best fits their needs.

Card-Present Processing Options

Card-present transactions occur when both the card and the cardholder are present at the point of sale. Cardholder data can be captured by swiping a magnetic stripe card, dipping an EMV chip card, or tapping a contactless (NFC) card or a digital wallet holding a stored card.

Card-present processing options include

  • Stand-Alone Payment Card Terminals. These devices are used for card-present, over-the-counter transactions when integration with a back-end solution is not needed. Terminals can be purchased or leased through Treasury’s master agreement, which includes a selection of user-friendly countertop and portable devices that meet the latest industry security standards. Terminals can be connected using analog phone line, Ethernet, or private cellular network. Peripherals such as PIN pads, printers, and cash drawers are also available. 
  • Payment Card Terminals Integrated with a Point-of-Sale (POS) Software Solution. Agency operations that require payment card terminal integration with back-end solutions such as cashiering, parking, online registration, or inventory management have the following options for processing card-present transactions via a POS solution:
    • The Oregon CIO’s Electronic Government Program. In addition to other services available to agencies via this program, the E-Government Program contracts with a third party vendor (NIC USA) to deliver POS solutions. As part of the contracting process, Treasury has qualified NIC USA for state agency use with respect to POS solutions. 
    • U.S. Bank/Elavon POS Solutions. Agencies may select a POS software solution available through Treasury’s master agreement. 
    • Third Party Vendor Solutions. Agencies may decide to procure services from a third party vendor. Before executing a contract, an agency must work with the vendor to complete Treasury’s Third Party Vendor Qualification Application. This option would require agencies to adhere to DAS, OSCIO ESO, and/or other procurement and security requirements in addition to meeting all of Treasury’s third party vendor requirements as they relate to public funds laws, Payment Card Industry (PCI) Security Standards, and the master agreement. 

Card-Not-Present Processing Options

Card-not-present transactions occur when the card is not physically presented to a merchant by the cardholder at the time of sale. Such transactions include electronic commerce (EC), mail order (MO) and telephone order (TO) transactions. 

Electronic Commerce (EC)

Options for agencies to accept customer-initiated merchant card transactions via online solutions include

  • The Oregon CIO’s Electronic Government Program. In addition to other services available to agencies via this program, the E-Government Program contracts with a third party vendor (NIC USA) to deliver online payments. As part of the contracting process, Treasury has qualified NIC USA for state agency use with respect to e-commerce solutions. 
  • U.S. Bank E-Commerce Solutions. Agencies may select an e-commerce solution available through Treasury’s master agreement.
  • Third Party Vendor Solutions. Agencies may decide to procure services from a third party vendor. Before executing a contract, an agency must work with the vendor to complete Treasury’s Third Party Vendor Qualification Application. This option would require agencies to adhere to DAS, OSCIO ESO, and/or other procurement and security requirements in addition to meeting all of Treasury’s third party vendor requirements as they relate to public funds laws, Payment Card Industry (PCI) Security Standards, and the master agreement.

Mail Order or Telephone Order (MO/TO)

Options for processing merchant card transactions received via MO/TO include

  • Stand-Alone Payment Card Terminals. These devices can be used by agency staff to key enter cardholder data for mail and telephone orders when integration with a back-end solution is not needed. Terminals can be purchased or leased through Treasury’s master agreement, which includes a selection of user-friendly countertop and portable devices that meet the latest industry security standards. Terminals can be connected using analog phone line, Ethernet, or private cellular network. 
  • Point-of-Sale (POS) Software Solutions. Agency operations that require integration of payment processing with back-end solutions such as cashiering, parking, online registration, or inventory management have the following options for processing MO/TO transactions via a POS solution: 
    • The Oregon CIO’s Electronic Government Program. In addition to other services available to agencies via this program, the E-Government Program contracts with a third party vendor (NIC USA) to deliver POS solutions. As part of the contracting process, Treasury has qualified NIC USA for state agency use with respect to POS solutions. 
    • U.S. Bank/Elavon POS Solutions. Agencies may select a POS software solution available through Treasury’s master agreement. 
    • Third Party Vendor Solutions. Agencies may decide to procure services from a third party vendor. Before executing a contract, an agency must work with the vendor to complete Treasury’s Third Party Vendor Qualification Application. This option would require agencies to adhere to DAS, OSCIO ESO, and/or other procurement and security requirements in addition to meeting all of Treasury’s third party vendor requirements as they relate to public funds laws, Payment Card Industry (PCI) Security Standards, and the master agreement. 

Contact Customer Solutions for more information about the merchant card acceptance processing methods available to agencies.

PROTECTING CARDHOLDER DATA

Whichever merchant card processing method is selected, agencies are required to establish and maintain a security environment that safeguards customer payment information at all times. At a minimum, agencies must maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Treasury’s Data Security Policy (02.18.13) documents data security requirements and responsibilities for agencies processing electronic transactions including credit and debit card transactions. Treasury expects state agencies and organizations to adhere to data security requirements mandated by the State of Oregon for the protection of financial-related data. These include the OSCIO ESO Statewide Information Security Standards and the Oregon Consumer Identity Theft Protection Act. Additionally, agencies that transmit, process, or store customer cardholder data are required to validate their compliance with the PCI DSS by completing applicable self-assessment questionnaires annually. 

Failure to comply with these requirements may expose agency customers to loss through financial fraud. If a data compromise occurs through an agency’s systems or processes and cardholder data is lost or stolen, the agency is responsible and accountable. The impacts of a breach can include fines imposed by the payment brands, damaged public trust, forensic investigation costs, the cost of replacing affected customers’ credit and debit cards, the cost of a year of credit monitoring for each affected customer, a requirement to obtain annual Reports on Compliance from a Qualified Security Assessor, and termination of the agency’s authorization to process payment card transactions.

Payment Card Industry Security Standards Council (PCI SSC)

The PCI SSC, an independent body founded by American Express, Discover, JCB International, Mastercard and Visa, is a global forum in which the industry comes together to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. The PCI SSC maintains, evolves, and promotes the PCI DSS. It also provides the tools needed to implement the standards, such as assessor and scanning-vendor qualification programs, self-assessment questionnaires, training and education, and product certification programs. 

Maintaining payment security is required for all entities that store, process, or transmit cardholder data. Guidance for maintaining payment security is provided in the PCI Security Standards. These set the technical and operational requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of applications and devices used in those transactions.

There are four PCI security standards that concern agencies functioning as merchants: (1) the PCI Data Security Standard (PCI DSS), which applies to an agency’s entire merchant card process; (2) the Payment Application Data Security Standard (PA-DSS), which applies to the payment capture software an agency may be using; (3) the PCI PIN Transaction Security Requirements (PCI PTS), which apply to terminals and devices that accept PIN entry for debit cards (also referred to as the PCI PIN Entry Device or PCI PED requirements); and (4) PCI Point-to-Point Encryption (P2PE), which applies to point-to-point encryption solution providers that an agency might be using.

PCI Data Security Standard (PCI DSS)

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures associated with credit and debit card account data. The standard was developed by the founding payment card brands of the PCI Security Standards Council, which include American Express, Discover, JCB International, Mastercard, and Visa. Its purpose is to facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is intended to help organizations proactively protect customer card account data that is transmitted, processed, or stored. All merchants and service providers, regardless of annual transaction volume, are required by the card brands to comply with the standard. 

With approximately 300 sub-requirements, the PCI DSS can be sorted at a high level into six goals and 12 main requirements. 

Goal: Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Payment Application Data Security Standard (PA-DSS)

The PA-DSS is a standard separate from PCI DSS. The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data—such as full magnetic stripe, other sensitive authentication data, or PIN data—and ensure their payment applications support compliance with the PCI DSS. PA-DSS requirements apply to payment applications that are sold, distributed, or licensed to third parties (merchants). The PCI Security Standards Council publishes a list of validated payment applications.
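What PCI DSS Requirement 3 (protect stored cardholder data) and the PA-DSS rule against retaining prohibited data mean in practice is easiest to see at the place where primary account numbers most often end up in storage by accident: application and payment logs. The Python below is an added example written for this page; it is not Treasury, Elavon or PCI SSC code. It finds PANs in log text with a digit-pattern match narrowed by the Luhn check, and rewrites each one to the first-six/last-four form that PCI DSS v3.x Requirement 3.3 permits for display. The log lines are constructed for the example and use the card brands' published test numbers; the function names and the separator handling are the example's own choices.

```python
import re

# Constructed sample log lines for this example. The card numbers are the brands'
# published test numbers (not real accounts); the DEBUG line carries a 16-digit
# trace id that fails the Luhn check and must be left alone.
SAMPLE_LOG = """\
2023-04-01T10:00:01 INFO  payment ok order=1001 pan=4111111111111111 amount=25.00
2023-04-01T10:00:02 INFO  payment ok order=1002 pan=5555 5555 5555 4444 amount=12.50
2023-04-01T10:00:03 DEBUG trace id=1234567890123456 duration_ms=31
2023-04-01T10:00:04 INFO  payment declined order=1003 pan=3782-822463-10005 amount=99.99
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. Separator handling is deliberately narrow (example choice).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators the pattern allows, leaving digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the digit-only PANs in text that have a valid Luhn checksum, in order."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = _normalize(m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display: at most the first six and last four digits remain
    (PCI DSS v3.x Requirement 3.3); everything in between becomes '*'."""
    if len(digits) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def scrub_line(line: str):
    """Replace every Luhn-valid PAN in one log line with its masked form.
    Returns (scrubbed_line, number_of_pans_masked)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = _normalize(m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a PAN (e.g. a trace id): leave untouched
        count += 1
        return mask_pan(digits)

    return _PAN_RE.sub(repl, line), count


def scrub_log(text: str):
    """Scrub every line of a log; returns (scrubbed_text, total_pans_masked)."""
    out, total = [], 0
    for line in text.splitlines():
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), total


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    scrubbed, n = scrub_log(SAMPLE_LOG)
    print(f"masked {n} PAN(s):")
    print(scrubbed, end="")
```

Masking a displayed or logged PAN is distinct from Requirement 3.4, which requires PAN that is actually stored to be rendered unreadable (truncation, tokenization, one-way hashing or strong cryptography); a scrubber like this is a discovery and containment aid for data that should never have been written, not a substitute for keeping PAN out of logs and other storage in the first place. The Luhn check removes most 16-digit false positives, such as the order and trace identifiers in the DEBUG line, but a valid checksum is not proof that a string is a PAN, so hits still need human review.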

PCI PIN Transaction Security Requirements (PCI PTS)

The PCI PTS are focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing–related activities. Manufacturers must follow these requirements in the design, manufacture, and transport of a device to the entity that implements it. Merchants utilizing devices not compliant with the requirements may be subject to fines. The PCI Security Standards Council publishes a list of approved PTS devices.​

PCI Point-to-Point Encryption (P2PE) Standard

The P2PE Standard contains detailed security requirements and testing procedures for application vendors and providers of P2PE solutions to ensure that their solutions can meet the necessary requirements for the protection of payment card data. The PCI Security Standards Council publishes a list of PCI P2PE solutions for merchants and acquirers to use in selecting a P2PE solution.

Visa Global Registry of Service Providers

The Visa Global Registry of Service Providers allows service providers to publish their compliance with Visa rules and industry security standards and to promote their services to potential clients worldwide. Clients and merchants should consult the registry regularly as part of their due diligence process and should only use service providers that are listed on it.

What to Do If Cardholder Data Is Compromised​

PCI DSS Requirement 12.10 requires merchants to implement an incident response plan and to be prepared to respond immediately to a breach. 

Agencies must ensure that their incident response plans address merchant card services and meet the requirements of both Treasury and the OSCIO ESO. Meeting those requirements will help ensure compliance with payment industry rules, statewide banking requirements, and applicable state laws. Contact Customer Solutions for more information about Treasury’s incident response requirements.

Visa’s What to Do if Compromised document contains procedures and timelines for reporting and responding to a suspected or confirmed account data compromise. In addition to Treasury and OSCIO ESO requirements, agencies should incorporate elements of this document in their incident response plans.

OTHER RULES AND REGULATIONS

Treasury administers the statewide Master Agreement for Merchant Card Services with U.S. Bank/Elavon. As such, agencies that wish to accept merchant card transactions are required to execute an Agency Merchant Agreement between Treasury, the agency, and U.S. Bank/Elavon. When signing the Agency Merchant Agreement, agencies agree to abide by Elavon’s Terms of Service, including compliance with PCI DSS and payment industry rules.

U.S. Bank/Elavon Operating Guide

The guide describes the procedures and methods for submitting card transactions for payment, obtaining authorizations, responding to chargebacks and media retrieval requests, convenience and service fees, and other aspects of the operation of Elavon’s services.

Treasury Policies

Oregon Accounting Manual

OSCIO Enterprise Security Office

While Treasury administers the statewide Master Agreement for Merchant Card Services, the ESO is responsible for enterprise security policy, security monitoring of the state network, enterprise incident response, and enterprise security architecture, as well as dissemination of security training, policy, and best practices across state government. The ESO’s website provides information on security standards, security guidance, a security resource center, and best practices related to the Oregon Consumer Identity Theft Protection Act.

RESOURCES

The following are additional merchant card–related resources that agencies may find useful: