Purpose

The purpose of this policy is to define the guidelines for accepting and processing credit cards and storing personal cardholder information. The policy will help to ensure that cardholder information supplied to the City of Hillsboro (the City) is secure and protected. Additionally, it helps the City remain in compliance with credit card company requirements and the Payment Card Industry (PCI) Data Security Standard.

Scope

This policy applies to all City of Hillsboro employees receipting credit card transactions. The policy pertains to all departments that process, transmit, or handle cardholder information. The cardholder information may be in a physical or an electronic format.

Refund Policy

Refund requests are reviewed individually by City staff to determine refund eligibility. Refunds may be determined appropriate if a citation has been dismissed in Court, or an overpayment has been made. Valid refunds will be either credited to the customer’s credit card account, or a check will be issued to the customer within two weeks of validation.

Security Policy

All credit card transactions that the City processes must meet the following standards:

1. An installed and maintained firewall configuration exists and transmission of cardholder data is encrypted over public networks which protects cardholder data. Regularly updated anti‐virus software is used. Vendor‐supplied defaults for system passwords are not used. Unique computer IDs are used by individuals processing payments.
2. Electronic credit card numbers are not transmitted or stored on a personal computer or e‐mail account. Electronic lists of customer’s credit card numbers are not retained. Credit card information is only accepted online, by telephone, mail, fax, or in person. This information will not be accepted via e‐mail and departments will not e‐mail credit card information.
3. Physical cardholder data is locked in a secure area with limited access to individuals that require the use of the data. Access is restricted on a ‘need to know’ basis.
4. Only essential information is stored. Card Validation Code (also known as the Security Digits, V Code, or CID) is not stored. User PIN’s or the full data from a cards magnetic stripe is not retained.
5. Credit card information is retained for only the time needed to process and reconcile.
6. Credit card information, if it does not need to be retained, is destroyed. Information is destroyed by shredding (cross-cut) immediately after processing, or immediately after they no longer need to be retained.
7. All terminals used by the City produce credit card receipts which only show up to the last five digits of the credit card number.
8. The individual presenting the payment card must be the cardholder.
9. All departments must comply with the Payment Card Industry Data Security Standard which has been summarized in this policy. Full detail can be found at:

Procedures

Departments, who need to accept credit/debit cards and obtain a physical terminal to either swipe or key transactions, need to contact the Accounting Manager to execute the required paper work, obtain a Merchant Number, and be given direction as how to process those transactions for accounting purposes as well as to be compliant with the proper security measures needed to secure credit card information.

All servers and computers used for electronic transactions will be secure and Payment Card Industry compliant. After contacting the Accounting Manager, a specialized Merchant Number can be established, and the department will be provided with contacts to receive technical instruction.

Under no circumstance will it be permissible to obtain or send credit card information, or transmit credit card information by email.

Employees are expected regularly check equipment for suspicious behavior, evidence of tampering or substitution of devices. If unusual conditions exist, employees must contact Finance immediately.

Employees verify with Finance on unsolicited third‐party persons claiming to be repair or maintenance personnel, prior to engaging services.

Training

All employees that process, transmit, or handle cardholder information are required to read the policy and will adhere to its requirements. Department supervisors are responsible for providing this policy to its card handling employees and provide training on use of devices and security asit relatesto credit cards and related physical cardholder data.

Compromised Credit Cards

If the City becomes aware that a customer credit card number or card processing device has been compromised, the City will notify individuals involved immediately. The City will contact US Bank (who is the City’s merchant bank), the City Police Department and other involved associations as necessary to remediate the loss of important information.

Sanctions

If the requirements of the policy are not followed, the City could be suspended of physical and/or electronic payment options as a result. Fines may also be imposed on the City by the affected credit card company. For example, the minimum fines which could be levied on the City from VISA for violation of the Payment Card Industry Data Security Standard begin at $50,000.

Service Providers

The City’ service providers related to the credit card processing environment include:

US Bank/Elavon/Converge, Comprise (Library), Active Network/Class (Parks), Paypal (UB), Square (Various City events).

Questions

Please feel free to contact the Finance Department with further questions, concerns or comments.