>

Setting up a Merchant Account for DARS

From DARSwiki
Jump to: navigation, search

Preface

This article will be updated on a regular basis. Updates may be required in response to updates to DARS or changes to business processes or errors.

Ensure you are familiar with the Data Protection laws before adding data to records in DARS. Refer to DARSWiki FurtherHelp for further information and relevant links.

Please think twice before printing this article. If a printed copy is necessary, ensure it is printed double-sided and always recycle old versions.

Last Modified: 10 September 2013


Introduction

This document summarises the guidelines for Participants who wish to acquire/utilise a merchant account for connecting to DARS to enable payment transactions, such as for event registration payments and donations. Please contact the mailto:dars@admin.ox.ac.uk for further information.

Pre-requisites and Definitions

  • Any entity must sign the DARS Participation documentation prior to using its payment services.
  • To accept card payments into a bank account, a Payment Service Provider (PSP) is needed, to provide the means by which the payment gateway is connected to your acquiring bank via a merchant account.
  • DARS is configured for CyberSource to be able to act as a separate PSP. The University has two CyberSource accounts (one each for events and donations) and each College wishing to use this service would require its own such account. Each Participant must then also set up a merchant account with a Merchant Acquirer (MA). The University use Streamline as their MA and Colleges should contact their existing bank for help with setting up a separate merchant account.
  • Alternatively, Blackbaud’s software facilitates the use of IATS as the Payment Service Provider, without the need to purchase a separate Merchant Acquirer.


In either case, DARS stores the merchant account information and the Blackbaud Payment Service (BBPS), held on Blackbaud’s own servers, is used to replace the token in a credit card transmission file received from DARS with the actual Primary Account Number (PAN) and send this file on to the gateway for processing. Similarly, when the web service receives a response file from the gateway, it will securely replace the credit card number with its token before it returns the file to DARS. Throughout the process, credit/debit card numbers never appear in an unencrypted format and are never held on DARS’ own servers.


”process diagram showing the flow of money from a DARS website transaction through to a Participants bank account.”


Options available to Colleges and Departments

All online donations to or via the Central University should be through the University’s two existing merchant accounts set up for this purpose. Departments wishing to use DARS for collecting:

  1. Donations should contact the University Gift Registry for further details.
  2. Event registration payments should contact the University Alumni Office for further details.


Colleges wishing to use DARS to collect their own donations and/or event registration payments online (directly) have two options available:

  1. To sign up for a merchant account and CyberSource account; or
  2. To sign up for an IATS account


Because of the University’s contractual agreement with Blackbaud, it is possible for Colleges to use the same BBPS account as the University, but with separate Merchant and CyberSource accounts.

CyberSource supports the following

currencies processed into DARS:

IATS UK supports the following

currencies processed in DARS:

  • Pounds Sterling
  • Pounds Sterling
  • Australian Dollar
  • Euro
  • Canadian Dollar
  • Hong Kong Dollar
  • Danish Krone
  • Japanese Yen
  • Euro
  • Singapore Dollar
  • Hong Kong Dollar
  • Swiss Francs
  • Japanese Yen
  • US Dollar
  • Mexican Peso
  • New Zealand Dollar
  • Nigerian Naira
  • Norwegian Krone
  • Singapore Dollar
  • South African Rand
  • Thai Baht
  • US Dollar


As these agreements require commercial decisions, the DARS Support Centre and the University make no recommendation or guarantees on the performance or otherwise of any option. Any agreements for transaction services are between the Participant and their providers, and the DARS Support Centre simply enables the valid choices made by Participants.


Below is a selection of the Merchant Acquirers that DARS and CyberSource can currently connect with (for outside the UK, there are other options available):

  • Barclays
  • HSBC
  • HBos
  • Streamline
  • LloydsTSBCardnet


Please note that there are three further options available for processing transactions into DARS:


  1. IPPayments
    • Australian Dollar
    • New Zealand Dollar


  2. Sage
    • Canadian Dollar
    • US Dollar


  3. Blackbaud Merchant Services
    • Canadian Dollar
    • Euro
    • Pounds Sterling
    • US Dollar


Further details from Blackbaud are available at: https://www.blackbaud.com/files/bbms/bbpstc.pdf.

Process once an account is acquired

Once a College has the necessary account details, it should provide them to the DARS Support Centre, via the Helpdesk (ensuring that any passwords are sent separately for security reasons).


The Support Centre will then set up the account for the College within Live DARS, as well as any additional test environments as necessary. Accounts can be set up in test mode in Live before being switched to live use. The Support Centre can also provide dummy card numbers to assist testing.

  1. To use CyberSource, the following details are required:
    • Merchant Account details (necessary to sign up with CyberSource)
    • CyberSource Account details


  2. To use IATS, just the IATS Account details are required.


All administration of the merchant and payment service provider accounts is solely the responsibility of Participants and no liability is taken by the University for errors, etc.

PCI Compliance

When taking any payments online or offline (whether for donations, events or other items), entities must comply with industry standards known as Payment Card Industry – Data Security Standards (PCI-DSS). The PCI Security Standards Council website is at https://www.pcisecuritystandards.org/.

This therefore applies to any payment card information collected in relation to DARS, including via the following three common routes:

  1. Payments taken online (i.e. through Oxford Alumni Online and its associated websites)
  2. Payments taken over the phone (e.g. during telethons)
  3. Payments taken by post (e.g. on forms filled in by constituents)


Note: methods 2 and 3 may have the card payment confirmed via DARS or another system.


For all methods, the processes around DARS must be PCI-DSS compliant. Blackbaud provides information about its PCI compliance at http://www.blackbaud.com/pci.


PCI-DSS applies to all entities that store, process, and/or transmit cardholder data. It covers both technical and operational system components included in, or connected to, cardholder data. As such, the standards apply not just to DARS but more widely to the collegiate University.


How DARS addresses PCI Compliance

Standards Area

Requirement

How DARS complies

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

1 and 2 – DARS utilises applications that sit on Blackbaud’s own servers (not the University’s), therefore our compliance with this requirement is handed off to them.

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

3. On DARS only the last 4 digits of the card are stored (they are not even on the database and visible as the last four). The full data is stored on Blackbaud’s compliant servers.

4. No data is held at Oxford – all data transmitted to Blackbaud over SSL (securely).

Any data taken for card entry follows established procedures and is destroyed after use – this process is associated with but not part of DARS.

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access

5 and 6 – Systems are hosted by Blackbaud and are compliant with PCI regulations.

Control Measures

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

7. No data is available within DARS to internal users.

8. Even though no data is held internally all DARS users have individual ID’s for system access.

9. Full cardholder data is not held on DARS.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

10 and 11 – Covered by Blackbaud’s PCI compliance.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

12. The University has its own information security policies. DARS meets Data Protection guidelines and PCI requirements.


By the use of a PCI-DSS compliant solution (Blackbaud CRM), the University greatly reduces its own exposure to PCI-DSS compliance risk, as well as adopting a robust and tested platform.

Personal tools
Namespaces
  • Page
  • Discussion
  • Variants
    Actions
    Navigation
    DARS User Support
    DARS Support Centre
    Advancing Oxford
    Tools