DIS Electronic Payment Services Customer Guide
Contents
Purpose
Disclaimer
Background
Credit card transactions on the Internet
Building a credit card application for the Internet
Appendix: DIS' E-Payment Hosting Services
Reference
I. Purpose of Document
This document has been prepared for DIS customers that are considering
implementing web-based credit card applications. It will describe the steps
necessary from requirements specification through application installation on
the state secure Web servers. Although DIS offers hosting services for
e-commerce applications, you may find these guidelines helpful if you choose to
host similar applications on your own environment.
By law, e-payment applications (including credit cards) must be economically
feasible and approved by the Office of Financial Management (OFM) before they
can be implemented. See RCW 43.41.180 and the State Administrative and
Accounting Manual (SAAM) Chapter 40. The web-based Administrative and
Accounting Resources also provide useful information.
Additionally, the Office of the State Treasurer (OST) is responsible for the
''…effective cash management of public funds'' and has ''…the authority to
represent the state in all contractual relationships with financial
institutions.'' See RCW 43.08.015. Please see Section V, Step Two for contact
information and a more detailed discussion of these important issues.
Finally, we appreciate the opportunity of providing this guide to you. As we
learn more about credit card processing services and operations, it is likely
that this document and related policies and resources will undergo several
revisions. We plan to update and to maintain the most recent version of this
document on our Intranet website.
Your feedback is important to us. If you have any questions or comments please
e-mail DIS Enterprise Business Solutions.
II. Disclaimer
The material presented in the Internet-Based Credit Card Applications DIS
Customer Guide is for general guidance only. DIS neither represents nor
warrants that this is the only information available or the only information
that should be considered when deciding to implement a web-based credit card
system. DIS shall not be held liable for any losses caused by reliance
on the accuracy, reliability or timeliness of this information. Portions
of such information may not be useful or applicable to an entity’s particular
circumstance. Any person or entity that relies on any information
obtained from this Guide does so at his or her own risk.
III. Background
The popularity of the Internet provides Washington State government agencies
with an excellent means to improve their delivery of goods and services to
Washington citizens. While the growth of the "electronic marketplace"
presents technical challenges it also offers unprecedented opportunities.
Government now has the potential to offer goods and services (including various
tax and license payments) conveniently and efficiently and to become more
responsive to its citizens. Our task is to meet the technical challenges
involved with the presentation of these services.
Studies in 1997 showed that 42 percent of all Internet purchases used credit
cards. By 2001, it was estimated that 90 percent of commerce-enabled web sites
in the U.S. would have online connections to payment processing networks.
Similar trends are expected in the state of Washington. At the same time,
credit cards remain a very popular form of payment for consumers. Credit cards
represent the most mature and visible form of electronic payment over the
Internet. Providing Internet-based credit card payment solutions also supports
the State's goal to use information technology to provide more responsive and
cost effective service to citizens. Agencies have looked to DIS for credit card
based solutions in order to obtain the benefits of centralization, security and
economies of scale.
DIS has responded to those customer needs and as such has made available a
centralized credit card hosting facility whereby agencies can host credit card
applications in a safe secure and monitored environment.
The current configuration employed by DIS makes use of two shared Internet
Information Server (IIS) and SQL Database platforms. Applications, or
"storefronts," can be hosted through Microsoft's Site Server -
Commerce Edition or they may reside as stand-alone Active Server Page (ASP)
applications. In either deployment, the applications may utilize the
CyberSource payment processing services.
DIS provides this guide to assist with application planning and implementation.
Whether your application resides on the DIS shared environment or on your own
secured server, we hope these guidelines will be of benefit to you.
IV. Credit Card Transactions on the Internet
The Office of the State Treasurer (OST) signed a contract with Bank of America
(B of A) Merchant Services in February 2000, enabling state agencies to accept
credit card payment for goods and services over the Internet.
The first step to building your credit card-ready Internet application is to
become familiar with the Internet credit card services available to state
agencies.
Credit card processing enables the transfer of funds from a consumer’s bank to
the state treasury. For a good explanation of how this business is transacted
on the web, visit CyberSource payment service: How it works.
Bank of America is able to work with different internet credit card service
providers and has reseller agreements with the vendor CyberSource. Many of the
examples in this document refer to CyberSource, one of Bank of America’s back
office credit card acceptance and processing providers. This is only meant to
simplify this documentation. Both CyberSource and VeriSign are viable options
and need to be evaluated. Your best choice will be dependent upon business
decisions at your agency. CyberSource and VeriSign have different processing
infrastructures, services, reporting, and rates. It's a good idea to become
generally familiar with both services. (See the Reference section.) Your
choice of which service to use will be
affected by several factors, such as: the rates charged to process transactions
(pricing structures), your projected volumes of transactions to be processed,
and technical infrastructure requirements. Contact the Office of the State
Treasurer’s Outreach Coordinator for more information.
CyberSource's online merchant Support Center will provide you with the
information you need to have your application utilize their services. The
basics of the technology and the general steps of credit card processing are
outlined at their web site. Please familiarize yourself with the
CyberSource Support Center, accessible with the login “cybersource” and
password “cybersource”.
You will also want to evaluate the VeriSign credit card processing service.
VeriSign provides valuable insights to credit card processing steps at their
web site. Please familiarize yourself with their
Payment Processing.
Note: An important issue to be aware of is the merchant’s responsibility
in the case of fraudulent credit card charges. On the topic of financial
liability Visa advises consumers, “You are not liable. Consumer protection
varies from country to country and from region to region. In card-not-present
transactions (mostly mail order and Internet purchases) Merchant banks are
responsible for any charge-backs. Generally, these charges are passed from the
bank back to the merchant.”
The Digital Government Applications Academy was created by the Department of
Information Services (DIS) to help agencies accelerate and synchronize the
deployment of their digital government services. The Academy has basic
information about building your Internet credit card application. Informational
documents are available for you to view at
ATOM: Applications Template and Outfit Model.
V. Building a Credit Card Application for the Internet
Step One: Define Business Requirements
Describe what your web application is to accomplish. Make your basic
requirements as complete as possible describing what, exactly, this application
will do and how it will fit your business strategy. Try to be specific
concerning such factors as the scope, the data sources, the number of financial
transactions and dollar amounts, and the benefits you hope to gain by using
credit cards. Be sure to talk with your IS, program, and fiscal shops. Your OFM
Accounting Consultant and OFM Budget Analyst can also be of great assistance
throughout the process providing advice and illustrative examples of other
agency’s projects. Be sure to bear in mind that e-payment applications are
required by law to be economically feasible.
For further discussion, see Step 4, SAAM Chapter 40 and the web-based
Accounting and Administrative Resources. These are important decisions
since the following steps will hinge upon the thoroughness of your description
at this step.
Reference: “IT Portfolio Structure and Content Standards”
Step Two: Meet with the Office of State Treasurer (OST)
The 1993 Cash Management Act (RCW 43.08.015) directs the State Treasurer's
Office to "ensure effective cash management of public funds". It also
assigns the State Treasurer's Office "the authority to represent the state
in all contractual relationships with financial institutions."
The Office of the State Treasurer will help you understand options and issues
regarding acceptance of credit cards over the Internet. OST will also help
describe credit card rate structures that you will be charged as part of your
new role as a merchant. Contacting OST for the most current merchant fees will
help you prepare an accurate Economic Feasibility Study.
Please contact the OST Outreach Coordinator at 360-902-8917 for help with this
step.
Step Three: Design and Cost your Development and Production Environments
At this point you will need to make preliminary design decisions about your
application development, your operating environment, and your system
maintenance in order to estimate their costs. Though not exhaustive, the
following is a list of minimum considerations you need to include in your
planning and cost estimates:
- Provide an E-Payment application environment with: a web credit card
application, a web server, a database server, Internet connectivity, and the
capability to communicate with a credit card service provider (CyberSource or
VeriSign).
- Experienced credit card application design and development, and application
assistance.
- Obtain qualified Information Technology staff to provide and manage this
complex environment, including provisions for such considerations as
performance and capacity management, recovery services, and 24-hour system
support. You will also need to develop your web applications and support the
environment for that development. Establish help desk support for your client
(consumer) applications and establish a help desk for systems problems to
mitigate outages: local, credit card provider, bank servers, Internet access,
etc.
- Availability Management.
- Change Management to track changes to the application and to the application
environments (development and production).
- Problem Management, i.e., tracking, alerting, escalating and solving problems
to identify performance degradation, to give notice of identified events that
have or may have an adverse effect on service delivery to customers, and to
give notice of failed processes.
- Security Management must protect sensitive consumer information from
unauthorized external access and prevent the broadcast on the Internet of the
application owner’s intellectual property, proprietary and confidential data.
Credit card systems should employ access control and secure the platform
against known security risks.
- Physical Environment Management should ensure climate control and protect
systems from power loss, fire, etc.
- Restoration Management should provide for regular, scheduled data back-ups
and restoration.
- Disaster Recovery should provide for a resumption of services after a
significant disaster at the production site. (CyberSource recommends a manual
process as backup in the event CyberSource or the Internet Service Provider
becomes unavailable.)
You may consider using DIS’ E-Payment Service to satisfy many of these
requirements. Please refer to the Appendix to see what DIS is presently making
available to its customers.
Step Four: Prepare an Economic Feasibility Study
Each agency or institution must be authorized by the Office of Financial
Management (OFM) to accept credit card payments. RCW 43.41.180 authorized OFM
"to approve the use of electronic and other technological means to
transfer both funds and information whenever economically feasible." It
further states that "no state agency may use electronic or other
technological means, including credit cards, without specific continuing
authorization" from OFM.
A business case rationale must be prepared demonstrating the benefit to the
state of accepting credit card payment at the agency. Plans can vary in their
content depending upon the scope of the project and impact on an agency's
business process.
Agencies can also conduct a pilot project in order to evaluate actual costs and
implementation impacts. Pilot projects also require OFM approval prior to
implementation.
A good resource for you to review as you begin the economic feasibility study
process is the State Administrative and Accounting Manual (SAAM) Chapter 40. A
description of the complete content required in your economic feasibility study
and a sample format are
available online. This chapter contains policies and requirements for
acceptance of credit cards, debit cards or other similar devices by state
agencies. The policies and procedures in this chapter are the minimum
requirements that all state agencies must meet. An agency may establish
additional policies and requirements, as long as the agency meets the required
minimum standards. Additional resources are available
online from OFM. Your OFM Accounting Consultant will assist you in the
preparation, submittal and approval of your Economic Feasibility Study.
Step Five: Set up your B of A Merchant Account with OST
RCW 43.88.160(5)(d) requires the State Treasurer's Office to "coordinate
agencies' acceptance and use of credit cards and other payment methods, if the
agencies have received authorization under RCW 43.41.180."
As soon as you receive OFM's approval for your E-Commerce application, schedule
a visit with OST to set up your Bank of America Merchant Account. Setting up a
merchant account to handle Internet transactions is a comprehensive process.
OST is there to help you with the coordination of numerous parties that must be
contacted before your account can actually process transactions.
OST will contact the Bank of America on your behalf. The Bank of America will
then assign a merchant account for you to process Internet transactions. OST
will explain how you will use the Bank of America merchant account number.
Bank of America will also contact CyberSource on your behalf. CyberSource will
then in turn assign you a CyberSource merchant account. Once you receive the
CyberSource merchant account you will receive an e-mail from CyberSource with
specific instructions for setting up a CyberSource account. This will include
specifying who is to receive reports, technical support bulletins, service
bulletins, and implementation services. CyberSource also provides passwords to
allow access to transaction reports and other Online Merchant Services.
Important issues to be aware of when setting up your account include:
- Consider who will be the agency fiscal contact(s) for the Internet Bank of
America Merchant Account during the day-to-day processing. Include this person
early in the planning and implementation phases of your project.
- Setting up a B of A Merchant Account takes several weeks.
- Make no assumptions about other merchant accounts. A merchant account that
you may currently have for "over-the-counter" transactions will not be
sufficient for Internet transactions. When contacting OST, make sure you
request Internet Credit Card Processing.
- You will receive two kinds of merchant account numbers, also commonly known
as Merchant IDs or MIDs:
  - Bank of America (B of A) MID (a series of numbers that the bank uses)
  - CYBS MID, which is assigned by CyberSource and is alphabetic
Please contact the OST Outreach Coordinator at 360-902-8917.
Step Six: Application Design and Development
- Design Recommendations
Credit card applications should guard against allowing consumers to submit their
order more than once. This will protect the consumer from multiple charges to
their credit card.
Credit card applications also typically send purchasers an order verification by
e-mail after their account has been successfully billed. This accomplishes two
aims: first, this satisfies the consumer’s expectation for a positive
notification verifying the purchase, and second, this also indicates to the
buyer that the purchase was made once and only once.
Credit Card Service Disruptions
Despite the best efforts of your Credit Card Service Provider, service
disruptions will occasionally occur. In addition, individual bank processors
can experience outages. When these disruptions occur, they may hamper your
ability to complete sales in a timely fashion. To capture these sales and
ensure customer satisfaction, CyberSource recommends that you consider
implementing some or all of the following best practices.
a. Accepting orders during the outage period,
b. Selectively Fulfilling orders, and
c. Referring customers to your customer service telephone center.
CyberSource payment solution functional data is online, using login name
"cybersource" and password "cybersource".
Learn more at CyberSource “Electronic Payment Solutions ” or
contact a sales representative for a consultation.
In addition to actions taken by your application in the case of a failure at
CyberSource, an Emergency Notification from CyberSource will be passed on to
DIS, and then, by DIS, to all interested DIS-hosted customers. Tell your DIS
account representative where such messages should be routed, e.g., to your
customer service desk.
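The two design recommendations above (accept an order only once, and keep taking orders when the provider is down) modelled in Python. This is an added example, not code from the DIS guide or from CyberSource; the gateway, order store, class names and e-mail stand-in are all assumptions.

```python
"""Added example (not from the DIS guide or any provider SDK): a storefront
order handler that (1) never charges a card twice for the same order and
(2) accepts orders while the payment provider is unreachable, holding them
until authorization succeeds.  Gateway and order store are stand-ins."""
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional


class GatewayUnavailable(Exception):
    """Raised by the stand-in gateway when the provider cannot be reached."""


class FakeGateway:
    """Stand-in for the provider's authorization call (the guide's CyberSource
    or VeriSign service).  `available` simulates a service disruption."""

    def __init__(self) -> None:
        self.available = True
        self.charges: List[tuple] = []   # (merchant reference, amount) per charge

    def authorize(self, card_ref: str, amount_cents: int, merchant_ref: str) -> str:
        if not self.available:
            raise GatewayUnavailable("payment provider unreachable")
        self.charges.append((merchant_ref, amount_cents))
        return "AUTH-%d" % len(self.charges)


@dataclass
class Order:
    token: str                        # single-use token issued with the checkout form
    amount_cents: int
    status: str = "new"               # new -> authorized, or new -> pending -> authorized
    card_ref: Optional[str] = None    # provider reference only, never a raw card number
    auth_id: Optional[str] = None
    confirmation: Optional[str] = None


class Storefront:
    def __init__(self, gateway: FakeGateway) -> None:
        self.gateway = gateway
        self.orders: Dict[str, Order] = {}
        self.sent_mail: List[str] = []   # stand-in for the order-verification e-mails

    def new_checkout(self, amount_cents: int) -> str:
        """Create the order and its token when the checkout page is rendered.
        The token travels in a hidden form field, so a refresh or double-click
        resubmits the same token instead of creating a second order."""
        token = uuid.uuid4().hex
        self.orders[token] = Order(token=token, amount_cents=amount_cents)
        return token

    def _finish(self, order: Order, auth_id: str) -> None:
        order.auth_id = auth_id
        order.status = "authorized"
        order.confirmation = "CONF-" + order.token[:8]
        # Verification e-mail: tells the buyer the purchase happened exactly once.
        self.sent_mail.append("order %s authorized, confirmation %s"
                              % (order.token, order.confirmation))

    def submit(self, token: str, card_ref: str) -> dict:
        """Handle the consumer's form post.  Idempotent per token."""
        order = self.orders.get(token)
        if order is None:
            return {"status": "rejected", "reason": "unknown order token"}
        if order.status == "authorized":
            # Duplicate post: return the original result, do not call the gateway again.
            return {"status": "duplicate", "confirmation": order.confirmation}
        if order.status == "pending":
            return {"status": "pending", "reason": "order already accepted, awaiting provider"}
        try:
            auth_id = self.gateway.authorize(card_ref, order.amount_cents, token)
        except GatewayUnavailable:
            # Practice (a): accept the order during the outage and hold it.
            # Practice (c): point the consumer at the customer service telephone center.
            order.status = "pending"
            order.card_ref = card_ref
            return {"status": "pending",
                    "reason": "payment provider unavailable; order held, "
                              "call customer service if you need confirmation"}
        self._finish(order, auth_id)
        return {"status": "authorized", "confirmation": order.confirmation}

    def retry_pending(self) -> List[str]:
        """Run when the provider is back: authorize each held order once."""
        done: List[str] = []
        for order in self.orders.values():
            if order.status != "pending":
                continue
            try:
                auth_id = self.gateway.authorize(order.card_ref or "", order.amount_cents, order.token)
            except GatewayUnavailable:
                break                 # still down; leave the rest pending
            self._finish(order, auth_id)
            done.append(order.token)
        return done

    def fulfillable(self) -> List[str]:
        """Practice (b): release only authorized orders for fulfilment."""
        return [o.token for o in self.orders.values() if o.status == "authorized"]
```

The provider call is stubbed; in a real deployment the held order should carry only a provider-side reference for the card, consistent with the data-retention discussion that follows.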
- Retaining and Disclosing Customer Data
In SHB2792 the 2000 legislature amended Chapter 42.17 RCW, DISCLOSURE (Public
Information), of the Public Disclosure Act to exempt credit card numbers from
disclosure. See also EXECUTIVE ORDER 00-03, PUBLIC RECORDS PRIVACY PROTECTIONS.
- Credit Card Service Provider Software Installation
You may download the merchant software, called the Internet Commerce Suite
(ICS), from CyberSource at any point in the process. You do not need to have a
merchant account from OST in order to test the ICS client software with your
application. However, in order to process actual transactions in “live” mode
(i.e., conducting actual bank transactions with real credit cards) you will
need a merchant account from OST. After receiving your CyberSource Merchant ID
you will receive a logon and password that allows your staff to enter the
CyberSource Online Support Center. This logon and password is controlled by
CyberSource.
CyberSource provides customers with reference guides to their API for a variety
of languages, including Perl and C, on most UNIX platforms. DLLs and COM
objects for Microsoft Windows® and Windows NT, and plug-in components for a
variety of commerce platforms, including Microsoft Site Server, Microsoft
Active Server Pages and IBM Net.Commerce, are also provided.
The APIs for these implementations are documented and available from
CyberSource: read Payment Solution Functional Data using login name
"cybersource" and password "cybersource". You will also want to familiarize
yourself with CyberSource Payment Service.
Step Seven: Set Up Your Reconciliation Process
The State Treasurer has a specific process for accounting for credit card
transactions. Your agency fiscal managers probably have an agency-specific
process for proper accounting practices and for establishing a good audit
trail. Be sure to get your agency fiscal accountants together with OST and OFM
early in the design process. The process of cash management/accountability is
an integral part of offering goods and services online to citizens and to
businesses.
Please contact the OST Outreach Coordinator at 360-902-8917.
See a PowerPoint presentation with a very simple overview of the basic batch
reconciliation process.
For a better explanation of how business is transacted on the web, visit:
CyberSource payment service: How it works.
Step Eight: Application Testing
Before going “live” (i.e., conducting actual bank transactions with real credit
cards) extensive application testing is encouraged. While in the development
phase, a test credit card can be used to simulate an entire transaction with
CyberSource. Note: test transactions completed with a test credit card
will never reach the bank for a "real-time" authorization.
Use this link for CyberSource Support. As a part of testing you will want to
generate return codes to be sure your application responds correctly to them.
To find how to do this, log into CyberSource’s “Testing Information” (login,
password = cybersource, cybersource). Read “Testing Credit Card Services” and
“First Data (FDC) Testing Information.” You should point your application to
the CyberSource test server “ics2test.ic3.com”. By including fields with the
given values you can elicit the return codes you wish to get.
Step Nine: Implementation at DIS
Implementation of your system depends entirely upon the design decisions you
have made (Step One) concerning your system
architecture and the implications of those decisions. For instance, have you
chosen to run your application employing a Unix or NT operating system? What
provisions have you made to provide security to protect customer data and your
organization’s data and application? What type of access will be required by
your users? What support systems need to be in place? Please refer to Step
Three to re-examine these areas regarding system design considerations.
Because DIS cannot possibly address all of the possible system design, support
and security configurations and requirements for implementation processes, this
section will address implementation specific to DIS hosted E-Payments
applications.
1. DIS Service Level Agreement
In order for us to serve your needs in a timely fashion, DIS asks its customers
to please contact Computer Services Division (CSD) Customer Services well ahead of
time. Be sure to have your receipt of a signed Service Level Agreement (SLA)
and to submit your technical requirements well in advance of scheduled
implementation. And, once again, be sure to include DIS in your application
design and development process.
DIS recommends that your application be published to our staging server for
testing. This way, testing is accomplished in an identical environment to the
production environment. Acquiring a secure access ID will be necessary for the
staging as well as for the production environment. You may begin the process by
sending an e-mail to Telecommunications Services Division (TSD) Customer Services.
2. CyberSource Site Management
The CyberSource Support Center “Manage Commerce Services”, (password
necessary, use “cybersource”, “cybersource”) provides information concerning:
Startup Checklist, Merchant Bank Information, Tutorials, Best Practices,
Services Documentation, Quick References, Update Keys/Certificates, Product
Update Notification, etc.
CyberSource also makes available “Merchant Notifications” which detail outages
and upgrades by e-mail to the Primary Contact.
3. Going “Live”
The CyberSource software includes the Ecert (certificate generation) application
used to generate your public and private keys. These are the two keys used by
CyberSource to positively identify messages as coming from this particular
server: one key is held by the server and applied to each message it sends, the
other is publicly available on a vendor site. The Ecert process generates a
certificate request and submits it to the CyberSource server. Upon receiving
the request the server replies with a signed certificate. CyberSource must set
you up as a test merchant before you attempt to use the Ecert application. DIS
will assist you with contacting your CyberSource support representative to
register as a test merchant if you have not already done so. DIS will also
assist with the Ecert process, which must be performed for each DIS
customer’s installation.
See CyberSource's Web site SCMP Checklist - Expanded, Item 5 for specific
instructions on how to run Ecert (login=cybersource:password=cybersource).
Once you are comfortable with your development and testing is complete, an
e-mail must be sent to:
1.) Your Merchant Support Representative at CyberSource stating your desire to
turn your account from test mode to “live.” Your support representative
will confirm your account is current, then send a return e-mail stating your
account is now “live”. At this point, all transactions require a real
credit card number and transaction fees will be charged to your account.
2.) Send an e-mail to CSD Customer Services with instructions
to move the DIS hosted E-Payments application from the "staging"
environment to the "production" environment.
I. Appendix: DIS' E-Payment Hosting Services
DIS operates a full range of services including a complete dual-server
environment for hosting secure, credit card-enabled web sites. As part
of its E-Payments System services, DIS has in place:
- The DIS E-Payment application environment will support staging/testing and
production. "DIS does not provide a platform for application
development." The environment offers:
  - Two Microsoft Windows 2000 web servers operating Microsoft Windows 2000 and
Microsoft IIS 5.0. DIS’ production platforms employ automated content
replication, Microsoft Site Server Commerce Edition, CyberSource COM/ASP
Component for NT, as well as the CyberSource Commerce Component for Microsoft
Site Server.
  - Two Microsoft SQL Server 7.0 database platforms.
  - Scalable communications pathways.
DIS’ dual web servers and dual SQL server database platforms support
staging/testing and production functionality, respectively, as well as serving
to provide for hot-swapping in the case of a failure to the production machine.
Both pairs of servers employ data replication, backup control, and change
control management.
- DIS’ skilled information technology staff provide these services:
  - Performance and capacity management of the DIS E-Payments System
  - Recovery services for the E-Payments System via DIS Server Backup and
Restore Service
  - DIS Support Center (Help Desk), 24 hours a day, 7 days a week (limited to
agencies reporting problems as directly resulting from the E-Payments
Application Server)
DIS "does not" provide the following services:
  - Application development support for any of the Customer’s browsers, web
page applications or server technologies.
  - Implementation or management of the Customer application environment.
  - Implementation or management of the Customer LAN environment (i.e.,
firewalls, hubs, servers, workstations, etc.)
  - Help desk support for client applications (i.e., help configuring
Netscape/Explorer browser software or help configuring client firewalls, etc.)
- Availability Management
Service will be available 24 hours a day 7 days a week with the exception of
scheduled maintenance as defined in the Service Level Agreement.
- Change Management
All changes to DIS Data Center computing and network environments are managed to
provide platform stability and to minimize the impact of changes to its
customers’ applications. All changes to the DIS computing and network
environments are implemented in accordance with DIS Data Center Change
Management (DCCM) Standards and Procedures.
- Problem Management
  - DIS monitors performance of Customer processes to identify performance
degradation.
  - DIS provides automated event-driven problem management through use of
monitoring tools.
  - DIS provides Customer notification of identified events that have or may
have an adverse effect on service delivery to customers.
  - DIS provides Customer notification of failed processes.
  - DIS provides seamless integration of processes that ensures Customer
problem resolution satisfaction by tracking, alerting, escalating and solving
problems.
  - The DIS Help Desk is the single point of contact for Customer problem
reporting, escalation and notification.
- Security Management
  - DIS provides a security system infrastructure that protects its Customers
from unauthorized external access to, or broadcast on the Internet of, the
customer’s intellectual property, proprietary and confidential data.
  - The current access control method is through the use of a user ID and
password or by using digital certificates.
  - DIS policy allows physical access to the Data Center by DIS authorized
personnel only.
  - DIS will secure the platform against known security risks. Any observed
security breaches or suspicious activity will be reported to the Customer.
  - DIS and the Customer will cooperate in efforts to maintain platform and
network security.
- Physical Environment Management
  - Physical security guarded and electronically monitored
  - Rack mounted computer systems
  - Environmental controls and monitoring of Data Center physical environment
  - Fire detection and suppression systems
  - Conditioned power
  - Un-interruptible power supply
  - Raised floor
- Restoration Management
  - This service performs system backups for onsite and off-site storage on a
scheduled basis.
  - DIS is responsible for restoring the E-Payment system from the last backup
in the event system restoration is needed.
- Disaster Recovery
DIS does not currently offer but is investigating disaster recovery for its
distributed network. DIS conducts Disaster Recovery Exercises semiannually. DIS
tests the ability to restore the DIS Backup and Restore System and to restore
NT servers at its hot site on the East Coast. Further Recovery Exercises will
be conducted in the future to determine requirements for Disaster Recovery of
distributed networks.
To learn more about DIS E-Payment Services hosting, use this link or contact
DIS Computer Services Division, Customer Relations at 360-902-3401 or via
e-mail: CSD Customer Services.
II. Reference
Access Washington provides an informative tool kit for Web development,
including online templates.
ATOM: Applications Template and Outfit Model
E-Payments services website
VeriSign web page
CyberSource development guides (login: “cybersource” password: “cybersource”):
CyberSource Support
SCMP Checklist and the Application Programming Interface Developer's Guide
(LOGIN=cybersource; PASSWORD=cybersource).
CyberSource “Best Practices”.