Policy Reference
Category | City Personnel Policies | |||
Approval Date | ||||
Scope | All employees involved in processing of customer credit cards and cardholder information |
Purpose
Accepting payments by credit card is very convenient, customer service friendly and one of the most recognized methods of payment. If it is utilized safely it can enhance the revenue stream for the City of Lee's Summit. However, there are responsibilities for the associated risks of fraud and identity theft which could have consequences.The Finance Department supports the acceptance of credit card payments in a secure environment and wants users to be as informed as possible about the risks and business processes that support the payments.
Policy
BackgroundThe City of Lee's Summit has centralized approach to banking services including credit card services. The recording of all credit card activity to the general ledger is in the Treasury Division. The City of Lee's Summit banking partnership with UMB Bank places our credit card processing through their card processing partner, Elavon.
Credit cards accepted at the City of Lee's Summit are: Visa; Mastercard; Discover and American Express (on a limited basis).
The City accepts cards in a variety of methods that incorporate varying degrees of risk. The methods are as follows: Terminal Transactions; Sales Software Packages and the Internet Gateway.
Business Requirements
A Merchant is defined as a department or other specific type of transaction for a department which processes credit card transactions.
- A new merchant must be approved by the Finance Department before entering any contracts or purchases of services, software and/or equipment. This requirement applies regardless of the transaction method or technology used (e.g. e-commerce, POS device).
- Demonstrate the ability to maintain compliance with the Payment Card Industry (PCI) Data Security discussed below in this document.
- Complete an annual PCI security self-assessment questionnaire and submit results of network scans and mitigate actions to ensure compliance of this policy and associated procedures.
- Review of this Merchant Card Policy document which is subject to annual review. Submittal of key contact person responsible for each merchant number; along with prompt notification of change.
Merchant Security Requirements
The Payment Card Industry Data Security Standard (PCI-DSS) secures data that is stored, processed or transmitted by merchants and processors. PCI-DSS specifies 12 requirements entailing many security technologies and business processes, and reflects most of the usual best practices for securing sensitive information.
The Payment Card Industry (PCI) Data Security Standard is the result of collaboration between Visa and MasterCard to create common industry security requirements. All Merchants must be PCI compliant and are responsible for ensuring the compliance of their unit and any third-party providers. Merchants must require the third-party provider to provide a certificate of compliance annually.
These standards apply to all payment methods, including retail (brick and mortar), mail/telephone order, and e-commerce.
The PCI-DSS identifies these 12 basic requirements that are grouped into six categories.
Build and Maintain a Secure Network
1) Install and maintain a firewall configuration to protect data
2) Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3) Protect stored data
4) Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5) Use and regularly update anti-virus software
6) Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7) Restrict access to data by business need to know
8) Assign a unique ID to each person with computer access
9) Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10) Track and monitor all access to network resources and cardholder data
11) Regularly test security systems and processes
Maintain an information security policy
12) Maintain a policy that addresses information security
Accounting for Transactions
The daily receipts collected at each department/division must be delivered to the Treasury Division or posted to the general ledger by the using department.
Best Practices for Card Transactions
The most secure card processing is when the card is present and can be swiped at the POS. If the card is unable to be swiped, the terminal is unable to read the magnetic strip and perform electronic authorization; a manual key entry needs to occur. Manual key entry has greater risk due to increase risk of fraud or counterfeit, key entered transactions are more costly to process and are more time consuming and allow for more potential for error.
Bank Card Merchant Rules and Regulation
Non-Discrimination
The Merchant shall maintain a policy that shall not discriminate among customers seeking to make purchases through the use of a valid Card. An unreadable magnetic strip, in and of itself, does not deem a Card invalid. Use of a card will be denied for payment of Non-City fees (ie: The City of Lee's Summit is an agent collecting/receipting tax collection for Jackson County and acceptance of cards is prohibited).
Transaction Amount
The Merchant shall not establish minimum or maximum sales transaction amounts as a condition for honoring a Card. The Merchant shall process transactions only for amount collected, there will be no cash advances.
Signature Validation
The Merchant shall validate all cards by ensuring the signature on the back of the card matches the signature on the transaction receipt. The Merchant shall not accept any Card having two signatures on the signature panel located on the back of the Card. If card is signed at time of sale; a photo ID should be requested to verify identity. Exceptions should be approved by management.
Personal Information
The Merchant shall not impose a requirement on Cardholders to provide any personal information such as home or business telephone number, home or business address, drivers license number, photocopy of drivers license, photocopy of the card as a condition for honoring the Card unless the information is required for a mail order or telephone order transactions.
Authorization
The Merchant shall obtain authorization for each sales transaction for the total amount of such transaction.
Verification and Recovery of Cards
If a transaction is not authorized, the merchant must not complete the sale, and, if instructed by the Designated Authorization Center to pick-up the Card, the Merchant should do so by reasonable and peaceful means, notify the Designated Authorization Center when the Card has been recovered, and ask for further instructions.
Credits and Adjustments
A Merchant shall not process a credit transaction without having completed a previous purchase transaction with the same Cardholder and the same Card. The refund or adjustment indicated on the credit draft shall not exceed the original transaction amount.
The preferred method for credits or adjustments will be a credit back to the original credit card used. The card associations recommend no refunds for any credit or debit card transaction by any means other than a credit back to the original card. By issuing credits, you protect your customers from individuals who might fraudulently make a purchase on the customer's credit card and then request a refund in cash/check. There will be situations where deposit refunds will be returned by check (ie: court bonds, airport hangar deposits and where approved by department director).
Credits and Adjustments must be approved by an authorized signature (just like a check request) before processing. Refund and credit policies will be available to online customers by clearing visible links.
Disclosure and Storage of Cardholder Information
Information Disclosure
The Merchant shall not disclose a Cardholder's account information or any other personal information to third parties other than to the Merchant's agent(s) for the sole purpose of assisting such Merchant in completing the transaction or as specifically required by law. Suspicious request for account information should be reported immediately to the Finance Department.
Data Retention
Credit card account numbers may not be stored in electronic format without the expressed, written consent of the Finance Department. It is never acceptable to store the validation code, (which consists of the last three digits printed on the signature panel of a Visa or MasterCard) subsequent to transaction authorization, whether encrypted or unencrypted.
The Merchant or any agent of the Merchant shall not retain or store magnetic stripe data subsequent to the authorization of a sales transaction (even if encrypted).
The Merchant agrees to retain legible copies of all sales drafts for up to 18 months in order to satisfy any disputes/chargebacks.
The full listing of rules for credit card acceptance is available at: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf.
Policy Review and Testing
Review of this policy and testing of this knowledge is required of all city staff processing credit card transactions. Any new hire must complete the policy review and testing before processing of credit card transactions can occur. Any future significant policy change will necessitate review and retesting.