FIN 2.10.02 Technical Requirements for Electronic Payment Processing Services
CFMP Procedure
Bureaus using e-Commerce (online) service applications that process electronic check or payment card transactions, such as Visa or MasterCard, shall route electronic receipt approval requests through the City’s centralized payment processing gateway for approval or disapproval by the City’s merchant services provider. The City’s gateway is an electronic payment processing web service and connection mechanism that routes electronic check and payment card receipts to the City’s payment processing provider, with integration to support the reconciliation process. See BTS 3.01 E-Government Services.
Payment Card Industry - Data Security Standard (PCI DSS) compliance
Payment card associations and companies such as Visa, MasterCard, Discover, and American Express created PCI DSS, which represents a common set of industry tools and measurements to help ensure the secure handling of sensitive payment card information. PCI DSS compliance requires adequate security controls when storing, processing, and transmitting sensitive cardholder data. Sensitive cardholder data includes the personal account number (cardholder account number) and track information (data on the magnetic stripe or chip). Payment card companies enforce the PCI DSS standards, set merchant levels, set fees and penalties, and conduct management assessments. City policy is to comply with all aspects of the current PCI DSS standard. See BTS 2.17 Payment Card Security Standards.
The City’s merchant services provider or vendor bank is the City’s liaison to the payment card associations. The associations and vendor bank determine the City’s PCI merchant level based on volume and scope of processing activity. For purposes of determining merchant levels and the extent of a breach, the City’s payment card programs are regarded collectively as a single merchant.
PCI DSS primarily addresses security requirements to minimize the possibility of an electronic breach of payment cardholder data. However, voice recordings of payment card data, printed receipts, and paper reports of sensitive cardholder data are also within the scope of PCI DSS. If it is determined that a security breach has occurred and cardholder data has been compromised, a payment card association may assess fees and/or fines against the vendor bank and ultimately the City.
All merchants, including the City, are responsible for self-compliance as well as for ensuring the compliance of all third-party service providers and designated agents acting on their behalf. The City’s service providers include any designated agent to which the City provides cardholder data or access to cardholder data. Service providers must be validated and registered with the PCI Security Standards Council and must provide evidence to the City of their ongoing compliance with PCI DSS. The City contracts for an annual independent PCI DSS compliance audit and quarterly network scans of all bureaus, technologies, and platforms that process electronic payments.
Related Policy
FIN 2.10 Electronic Payment Processing Services
Authority
In accordance with FIN 2.02 Comprehensive Financial Management Policies Overview, the City Treasurer is authorized to develop and implement procedures in support of the CFMP.
History
Adopted by the City Council, August 6, 2014
Amended by City Treasurer, July 8, 2016