ECommerce Duke - PowerPoint PPT Presentation

Description:

Wachovia. First Horizon Merchant Services. Duke TCM posts to SAP R/3. E-check Transaction ... Wachovia. Duke E-Commerce. Organizational Structure. OIT ... – PowerPoint PPT presentation

Slides: 25
Provided by: stil64

Transcript and Presenter's Notes

1
E-Commerce @ Duke
Treasury Cash Management (TCM)
2
E-Commerce Uses at Duke?
  • Applications include
  • University Development
  • Web storefronts (Bookstore)
  • Conference Registration Sites
  • Prepayment for Departmental Services (Telephone,
    Cable, Cell)
  • Electronic Bill Payment
  • More

3
DukePay: The Centralized E-Commerce System
  • Need for University approved tools and practices to
    support e-commerce.
  • Concerns include
  • Secure interfacing and data collection
  • Legal and Tax Regulations
  • Privacy
  • Financial processes integration to GL
  • 3rd party involvement

4
What Is DukePay?
  • DukePay is a centrally managed e-payment
    service and the surrounding policies.
  • TCM and OIT Partnership
  • History
  • Build vs. Buy Considerations
  • RFI sent to identify vendors for authorizing and
    managing Internet payments.
  • Cross-functional selection team evaluated RFIs
  • Selection finalized in 2004
  • CyberSource Hosted Order Page (HOP)
  • OIT served as pilot

5
DukePay Benefits
  • One-stop resource for E-Commerce
  • Reduces risk of exposing credit card numbers
  • Information Security Compliance
  • (including PCI-DSS)
  • Legal / Tax Compliance
  • Advanced Reporting Tools
  • Corporate Rates
  • There is experience using it at Duke; help is
    available

6
Steps to accept payments from a Duke website?
  • First step: Contact TCM.
  • Business Plan Discussion
  • Merchant Account Application
  • Consult on resources for storefront development
    and integration with e-payment services

7
How to use DukePay?
  • Department builds their own Storefront and
    integrates with DukePay
  • Storefront securely connects to CyberSource's
    HOP
  • Generate security keys to connect
  • Pass your desired parameters collected from
    storefront
  • Customize/Brand HOP Receipt Messages

8
Functionality of DukePay System
  • HOP: secure payment entry with branded Duke look.
  • Duke Storefront - Website.
  • Web Cash Register - HOP authorizes and sends merchant and customer confirmation
  • Business Center provides back-end transaction management tools for merchant
9
Transaction Flow
10
Duke E-Commerce Organizational Structure
11
E-Commerce Review Board
  • Treasury Office
  • Corporate Tax
  • Banking
  • IT Security Office
  • Legal Office
  • OIT

12
Who is using DukePay?
  • Alumni Development Records
  • OIT
  • Bursar (e-check only)
  • Auxiliaries Event Mgmt (ticketing, etc)
  • Multiple conference registrations
  • Multiple schools application fees
  • Departmental Exceptions to DukePay?

13
What does DukePay cost?
  • Gateway fees paid centrally by TCM
  • Banking, Credit Card fees paid by Department
  • Visa, MasterCard, etc.
  • Web Development Fees
  • Department
  • Office of Web Services

14
Payment Card Industry Data Security Standard
(PCI)
  • What is PCI-DSS?
  • In 2001, VISA created their CISP standard
  • In 2004, VISA partnered with MasterCard to form a
    single security standard: PCI
  • Designed to minimize the exposure of credit card
    transactions

15
What/Who Does PCI Cover?
  • PCI security requirements apply to all Merchants,
    Members and Service Providers who
  • Store card holder data
  • Process card holder data
  • Transmit card holder data
  • Covers any merchant ID
  • Card present
  • Card not present
  • Internet

16
What IS the PCI Standard?
  • 6 Goals
  • Build and maintain a secure network
  • Protect card holder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

17
What IS the PCI Standard?
  • 12 Requirements
  • Install and maintain a firewall
  • Do not use default passwords
  • Protect stored data
  • Encrypt sensitive information in transit
  • Use and update anti-virus software
  • Develop secure systems and applications
  • Restrict access to data
  • Assign a unique ID to people with access
  • Restrict physical access
  • Track and monitor access to network/data
  • Regularly test systems and processes
  • Maintain an information security policy

18
PCI Requirements
  • Break down into 170 specifics
  • Some are technical
  • Some are policy/procedural
  • Business managers are responsible for ALL of
    them
  • Consequences: Monetary fines and/or restrictions
    on merchant processing!

19
Non-Technical PCI Requirements (examples)
  • Do not store CVV2 numbers
  • Never email card holder information
    (unless encrypted)
  • Physically secure all paper with card
    holder data
  • Limit employee and visitor access to cardholder
    data
  • Destroy media (including paper) with cardholder
    data
  • Establish incident response procedure
  • Establish employee training

20
How DUKE Complies with PCI?
  • TCM works with departments to ensure compliance
    for ALL merchant IDs at Duke
  • 200 MIDs (POS and Internet)
  • Most are Level 4 Merchants
  • Enforce the use of DukePay and the Hosted Order
    Page system
  • Work to produce a common set of policies and
    procedures for Duke

21
How DUKE Complies with PCI?
  • TCM provides Awareness Classes annually
  • Email Notices began in 2002
  • Held first Class in 2005
  • Business Manager MUST attend
  • (Tech Support Staff recommended)
  • PCI Self-Assessment Questionnaires must be
    submitted to TCM (annually)
  • PCI Compliance Action Plans mandatory
  • Collaborate with Internal Audit to assure
    compliance.

22
PCI Compliance
  • Continued Awareness Efforts and Maintenance
  • Update websites (both ITSO and TCM)
  • Post guidelines to support the requirements
  • Incident Response Plan
  • Internal Security Procedures
  • On-line HELP Form

23
Questions?
24
E-Commerce @ Duke
Treasury Cash Management Contact Information
Christa Stilley Poe Director, Electronic Commerce

christa.stilleypoe_at_duke.edu 919-681-6455