Skip to main content

Merchant Cards Overview

What are the basic types of Merchant Cards?

  • Credit Cards
    • Bank Cards (Issued by a bank bearing a brand logo, e.g., Visa or MasterCard)
    • Travel & Entertainment (T&E) Cards (Proprietary Cards)
       
  • Debit Cards
    • PIN Debit (Issued by a bank having a switch network logo on the reverse) (card-present only)
    • PIN-less Debit (Issued by a bank having a switch network logo on the reverse (card-not-present only)
    • Signature Debit (Issued by a bank having a switch network logo on the reverse, but also bearing a credit card brand logo on the front)

What other types of cards are there?

  • Smart Cards (Contain embedded chip)
  • Electronic Benefits Transfer (EBT) Cards
  • Procurement Cards

Who are the players in a Merchant Card transaction?

  • Consumer/Cardholder - (Citizens or Taxpayer)
  • Merchant - State agency
  • Acquiring Processor - Facilitates authorization and settlement
  • Interchange Network - Credit Card Associations (i.e., Visa, MasterCard)
  • Card Issuing Bank - Bank that issued card to consumer
  • Merchant Bank - Depository Bank (e.g., State Treasurer’s bank)
  • Gateway Service - Middle party used to accommodate internet captured transactions

What are the basic types of Capture?

  • Card-Present
    • Credit or Debit
    • Point of Sale (POS)
    • ATM (Debit Cards)
    • Card is swiped, not keyed
    • Lower Risk/Lower Fees
       
  • Card Not Present
    • Credit Card only
    • Mail Order/Telephone Order (MOTO)
    • Internet Order
    • Card info is keyed, not swiped
    • Higher Risk/Higher Fees

Who is the current OSC’s Master Services Agreement (MSA) with?

Fiserv/First Data Merchant Services Corporation (FDMS).

What types of bank accounts are needed to settle merchant card transactions?

  • For State Agency participants using the OSC’s MSA, each agency has a settlement account that is designated as a Zero Balance Account (ZBA). On settlement date, funds are credited to the account, with the total of the funds being swept to the State Treasurer’s account that night.
  • For non-State participants using the OSC’s MSA (e.g., local units of government), funds are credited to a settlement bank account controlled by the participant.

Who has the responsibility for reconciling settlement bank accounts?

It is the participant's responsibility to reconcile the bank accounts timely. Statements are sent directly to the participant monthly. Wells Fargo CEO can be used to reconcile on a more frequent basis.

What systems do participants use to view/reconcile transactions?

  • Commerce Control Center/ClientLine – Web-based system provided by First Data Merchant Services Corporation allowing the participant to view card activity. User must submit a Commerce Control Center Request Form to request access. (Email:  nc.osc@fiserv.com>)
  • Commerce Control Center contains a web-based system allowing the participant to manage and respond to chargebacks. User must complete a Commerce Control Center Request Form to request access. (Email: NC.OSC <nc.osc@fiserv.com>)
  • Wells Fargo CEO - Web-based system provided by Wells Fargo allowing the participant to view settlement activity in the bank settlement account. DST is the administrator. 
  • Core Banking System - System provided by DST allowing State agencies to view their CIT bank account activity, which reflects both the daily amount swept to the State Treasurer's bank account and the daily amount certified by the agency on NCFS. (Email: CBS.Help@nctreasurer.com)

What types of fees are involved in Merchant Card processing?

  • Processing Fees (Invoiced monthly by Fiserv/First Data Merchant Services)
    • Interchange Fees - Passed on to Visa and MasterCard (Depends upon capture method and the "Merchant Category Code" assigned to the transaction.)
    • Assessment Fees - Passed on to Visa and MasterCard 
    • Network Switch Fees - Applies to debit card transactions
    • Merchant Service Fees - Paid to Fiserv / First Data ($.015 per transaction)
       
  • Gateway Service Fees (If Applicable)
    • PayPoint Gateway Service (Range $.06 - $.08 per transaction)
    • Commerce Hub ($.0175 per transaction)
    • Other Third-party Gateway Service (As contracted)
       
  • Equipment and Supplies (POS terminals, etc.)
    • Can be purchased, rented or leased
    • Available from Fiserv/First Data Merchant Services
       
  • Depository Bank Fees (Maintenance, Deposit activity, online reporting, etc.)
    • State agencies - Paid by Agency
    • Non-State agencies - Per arrangements with bank
       
  • PCI Validation Service Fees
    • Annual Self-Assessment Questionnaire through VigiTrust - Included in "per transaction fee" levied by Fiserv/FDMS
    • Vulnerability Scanning of external facing IP addresses by MegaPlanIt (where applicable) - included in "per transaction fee" levied by Fiserv/FDMS
    • On-site security assessments or forensic investigation services that may be obtained under a SOW - Paid by the agency directly to PCI compliance vendor

What are Merchant Category Codes?

A Merchant Category Code (MCC) is a 4-digit classification code used by the bankcard industry to identify a merchant's predominant business activity. It is assigned by the acquiring card processor and is used partially to determine the interchange rate (along with the capture method). 

How is funding made for Merchant card fees?

Participants are responsible for identifying funding sources prior to participating in the MSA. When General and Highway fund appropriations are to be used, the state entity must obtain approval from the Office of State Budget and Management (OSBM) on the availability of an appropriation. State agencies should refer to the OSC policy established pursuant to G.S. 147-86.22.

Can transaction fees be charged to consumers paying by merchant card?

Transactions fees may be charged only under certain conditions, pursuant to G.S. 66-58.12 and G.S. 147-86.22. Agencies desiring to charge consumers a fee (convenience fee), must adhere to policies established by all Visa and MasterCard association rules.

  • Transaction fees can be charged:
    • For transactions initiated only through the Internet or other electronic means.
    • Must be approved by the State CIO.
    • Fees must be deposited to a special non-reverting budget code, and only be used for e-commerce initiatives and projects.
       
  • Transaction fees cannot be charged:
    • For transactions initiated face-to-face (i.e., POS terminals)
    • For mail order or telephone orders (MOTO)
       
  • Convenience fee rules vary from association to association.
    • Visa allows a convenience fee for "card-not-present" transactions if the fee is a "flat fee." MasterCard, on the other hand, allows the convenience fee to be either a "flat" fee or a "percentage-based" fee.
    • In addition, Visa does not allow a fee to be charged for card-not-present transactions unless the same fee is charged for all transactions through the same channel (e.g., ACH bank drafts and card transactions initiated through the web).

What are the different capture methods used for merchant cards?

All merchant card transactions captured by an agency must be transmitted to the merchant cards services provider.

  • POS Terminals
    • Stand-alone terminal – with analog telephone line
    • POS terminal using POS Software - on network & servers
  • Web-based with Consumer Interface – using PayPoint Gateway Solution or Commerce Hub
  • Web-based – using a Third-Party Gateway (Requires approval from OSC)

When is a gateway service not needed?

When the only capture solution offered by an agency is a Point of Service (POS) terminal, a gateway service is not needed, as the transmission is directly with the merchant card services provider.

When is PayPoint suitable for use?

  • Agency desires to accept payments online, but does not have the internal resources and/or expertise to develop a comprehensive in-house web capture application.
  • Agency desires to utilize a third-party gateway service provider to minimize (but not completely avoid) applicability of the PCI Data Security Standard requirements, primarily by avoiding the agency ever having to store cardholder data in the agency’s database.
  • Agency desires to offer both the ACH bank draft payment option (E-Check), in addition to the card option.
  • Agency has outstanding invoices (accounts receivable transactions) associated with payors, which are conducive to being authenticated online-real time, either on the agency’s website or on PayPoint’s website, before being accepted and transacted via PayPoint.
  • FDMS also offers the payment gateway Commerce Hub (previously Payeezy). 

What is the PCI Data Security Standard?

The PCI Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures associated with credit card account data. This comprehensive standard is intended to help organizations proactively protect customer credit card account data that is either stored, processed, or transmitted. All merchants, regardless of the annual transaction volume (merchant level assigned), are required by the various card brands (i.e., Visa, MasterCard, American Express, Discover, and JCB) to follow the standard. Merchants not adhering to the standard are subject to substantial fines levied by the card associations. Each merchant is required to validate that it is complaint with the Standard, depending upon the card capture method it utilizes. Participants in the State's MSA with Fiserv/First Data Merchant Services are required to enroll in a service that facilitates the process of validating the participant's compliance. The PCI Security Standards Council website explains the Standards in more detail.

What merchant card data must never be stored?

It is never acceptable to retain or store magnetic stripe data subsequent to transaction authorization. It is never acceptable to retain or store the security code numbers (CVV2 or CVC2) subsequent to transaction authorization. Cardholder name, account number, and expiration date may be retained subsequent to transaction authorization, however, the data must be encrypted. These are requirements of the PCI Security Data Standard.

What is the difference between a "chain" and an "outlet?"

The term "chain" refers to the "participant," and each participant is assigned a single "chain number" by FDMS. The term "outlet" refers to either an operation, application, or division associated with the participant. A participant (chain) may have multiple outlets, with each outlet being assigned a "merchant number" by FDMS. Generally, the transactions for all outlets (merchant numbers) associated with a chain settle into the same settlement bank account. FDMS invoicing can be at either the merchant number level, or it can "roll-up" all merchant numbers to the chain level. Chain numbers and merchant numbers are both 12-digit numbers.

What are the differences between a "Merchant Number," a "Merchant ID," and a "Terminal ID?"

FDMS assigns a 12-digit number to each outlet, which is sometimes referred to as the “merchant ID”, “MID”, "outlet number" or "merchant number." Additionally, FDMS assigns other identifiers that are associated with a merchant ID. These identifiers are referred to as a terminal ID (TID), are 7 characters in length (alpha/numeric), and are assigned according to the "platform" the transactions are processed on at FDMS.  The TID is associated with the capture device (terminal, application, or gateway). There could be multiple TIDs per merchant number. In addition to the TID, a POS terminal will also be assigned a "terminal serial number."

Is a “Procurement Card” issued through the Department of Administration considered a merchant card?

A corporate card program allows for a branded card to be issued to a governmental agency through a financial institution to designated employees of the agency. Though it resembles and functions similar to a personal bank card, there are significant differences: 1) it is a corporate ‘purchasing’ or ‘procurement’ card rather than a ‘credit’ card; 2) full liability rests with the agency for payment to the financial institution for all transactions; and 3) it is assigned by the financial institution to a designated agency employee but is issued in the name of and on behalf of the agency. A corporate card is sometimes referred to as a “purchasing card” and sometimes as a “procurement card.” The State’s Procurement Card program is administered by the Division of Purchase and Contract (P&C) pursuant to G.S. 143-49(8) but is subject to policies issued by the State Controller relating to “disbursing” and “electronic payments.” Bank of America is the current procurement card vendor utilized by P&C.