RESOLUTION NO. 2017-35
CITY OF PALM DESERT
STAFF REPORT
REQUEST: ADOPT RESOLUTION No. 2017-35, A RESOLUTION OF THE CITY
COUNCIL OF THE CITY OF PALM DESERT AUTHORIZING THE
ACCEPTANCE OF ELECTRONIC FORMS OF PAYMENT INCLUDING
CREDIT AND DEBIT CARDS FOR THE PAYMENT OF CITY-IMPOSED
FEES, CHARGES, FINES, PERMITS AND LICENSES AND
AUTHORIZING THE CITY MANAGER TO ESTABLISH POLICIES AND
PROCEDURES NECESSARY TO EFFECTUATE THE ACCEPTANCE
OF ELECTRONIC FORMS OF PAYMENT
SUBMITTED BY: Janet Moore, Director of Finance
DATE: April 13, 2017
CONTENTS: Resolution No. 2017-35
Draft Electronic Payment Acceptance Policy
Recommendation
By Minute Motion, that the City Council:
1. Adopt Resolution 2017-35 authorizing the acceptance of
electronic forms of payment including credit and debit cards for
the payment of city-imposed fees, charges, fines, permits and
licenses; and
2. Authorize the City Manager to establish policies and procedures
necessary to effectuate the acceptance of electronic forms of
payment; and
3. Authorize the City Manager or the Director of Finance to
execute agreements with banks and/or third parties for
electronic payment processing that may include fees for such
processing.
Strategic Plan Objective/City Manager 2017 Goals
This request does not apply to a specific strategic plan goal; however, the request does
specifically relate to the 2017 City Manager's Goals under Service Related Goals:
Enable the use of credit cards for conducting business with the City.
Executive Summary
In order to provide a high level of customer service, the City would like to accept
electronic forms of payment (including credit and debit cards) for City-imposed fees,
charges, fines, permits and licenses. To accept electronic forms of payment, the City is
required to adopt policies and procedures to comply with the Payment Card Industry
Data Security Standards (PCI DSS). Because the forms of electronic payments are
constantly evolving, staff is requesting that the City Manager be authorized to establish
and review policies from time to time to ensure compliance with PCI DSS. Staff is also
requesting authorization for the City Manager or Director of Finance to enter into any
agreements or contracts to facilitate the processing of electronic payments with banks
and/or third parties.
Background
The City currently does not accept any electronic forms of payment (including
credit/debit cards) from its customers. The use of electronic forms of payment, including
credit and debit cards, is a customary and economical business practice to provide a
high level of customer service and to expand payment options available to our
customers.
PCI Compliance
In order for the City to accept electronic forms of payments including credit/debit cards,
the City must establish policies and procedures to ensure that the City is compliant with
the rules and regulations established by the Payment Card Industry (PCI).
PCI regulations require that a merchant, which in this case is the City, understands and
implements standards for security policies, technologies and ongoing processes that
protect payment systems from breaches and theft of cardholder data. A large part of the
regulations is information security. The Information Technology Department is reviewing
its policies to ensure they are PCI compliant, which includes network security, network
monitoring, secure applications, internal controls, encryptions, and routine system tests.
The City Manager's draft policy includes procedures related to cardholder security,
including access to cardholder data, methods of collecting cardholder data,
transmission of cardholder data, and prohibited card activities. The policy also identifies
procedures for City staff relative to handling card payments, refunds and chargebacks.
Fees
For each electronic transaction, the City will be charged fees by the merchant services
provider and the bank of approximately two percent (2%) depending on the type of card
used. While the City as a government entity is allowed to charge a 'convenience fee' for
an electronic payment card transaction, staff believes that as the City progresses with
online processes for licenses, permits, and plan checking, the benefits to both our
customers and the City to transact online will outweigh the City's costs to accept
electronic forms of payment. Staff believes that a fair number of the anticipated credit
card transactions will be for business licenses. Initial costs are estimated to be about
$500 a month; however, once our other online functions are up and running the fees will
increase. Staff will look at these annually to determine if a convenience fee should be
considered.
Excluded Transactions
Staff recommends that the City not accept credit, debit or payment cards for certain
types of payment transactions including transient occupancy taxes (TOT), assessment
district payments, rent payments and/or other taxes, not including business licenses.
While the merchant cost may be minimal for other types of charges due to the overall
aggregate amounts, in the case of TOT payments the aggregate amount could be over
ten million dollars wherein the cost to the City would be in the hundreds of thousands of
dollars. In the rare circumstance that allowing a payment for these types of transactions
would be beneficial to the City, the City Manager or Finance Director could authorize it
provided it was requested and approved in writing. Staff will look at these exclusions
annually to ensure that it is still appropriate that they be excluded.
Conclusion
Staff believes that the acceptance of electronic forms of payment including credit/debit
cards is appropriate given the growing electronic dependence in business practices.
With some companies changing to 'no-cash' and 'no-check' systems, the acceptance of
electronic payments including credit, debit and payment cards, will allow the City to
move forward as technology evolves.
Fiscal Analysis
The cost of accepting electronic forms of payment, including credit, debit and payment
cards, is estimated to be approximately two percent (2%) of the transaction amount
depending on the type of card/form used. It is anticipated that cost will be minimal in the
2016-2017 fiscal year as staff will be establishing the accounts and purchasing the
equipment needed. In FY2017-2018 the cost is estimated to be $500 a month, and will
gradually increase as more customers transact online.
Department Head:
J Moore, Director of Finance
Approval:
Lauri Aylaian, City Manager
RESOLUTION NO. 2017-35
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF PALM
DESERT AUTHORIZING THE ACCEPTANCE OF ELECTRONIC FORMS
OF PAYMENT INCLUDING CREDIT AND DEBIT CARDS FOR THE
PAYMENT OF CITY-IMPOSED FEES, CHARGES, FINES, PERMITS
AND LICENSES AND AUTHORIZING THE CITY MANAGER TO
ESTABLISH POLICIES AND PROCEDURES NECESSARY TO
EFFECTUATE THE ACCEPTANCE OF ELECTRONIC FORMS OF
PAYMENT
WHEREAS, the effective and efficient management of the City's cash resources
requires reasonable but expeditious revenue collection; and
WHEREAS, the use of electronic forms of payment, including credit and debit
cards, has become a customary and economical business practice to provide a high
level of customer service and to expand payment options for its customers; and
WHEREAS, the City desires to allow electronic forms of payment when
appropriate, ensuring the greatest value in the most cost effective way possible; and
WHEREAS, the policies, procedures and practices of accepting electronic forms
of payment should be reviewed and revised as required to minimize risk and ensure the
security of data within the rules and regulations established by the Payment Card
Industry (PCI) and articulated in the PCI Data Security Standards (DSS); and
WHEREAS, the City recognizes the necessity to best accommodate its
customers by facilitating the payment of City-imposed fees, charges, fines, permits,
licenses and/or sales by electronic forms of payment including credit and debit cards.
NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF PALM DESERT
DOES HEREBY RESOLVE, DETERMINE AND ORDER AS FOLLOWS:
Section 1. The above recitals are true and correct.
Section 2. The City Manager is hereby authorized to establish and periodically
review policies and procedures for the acceptance of electronic forms of payment
including appropriate business practices. Such policies, procedures and practices shall
include: the types of electronic payments to be accepted; the types of charges imposed
by the City that may be paid through electronic payments; whether limits are appropriate
for certain types of transactions; whether certain types of transactions would be
excluded from some or all types of electronic payments; the imposition of fees for
rejected transactions or the waiving thereof; or other considerations deemed
appropriate concerning the acceptance of current and future forms of electronic
payments.
Section 3. The City Manager or the Director of Finance is hereby authorized,
on behalf of the City of Palm Desert, to execute an agreement or agreements with one
or more banks or third parties for the use of electronic payment processing including
credit and debit cards for payment by the public of fees, charges, fines, permits,
licenses and/or sales in accordance with any policies established set forth in Section 1.
The agreement(s) may provide for the payment by the City of fees in accordance with
the bank's or third party's schedule of fees for accounts of similar volume subject to
change from time to time, and may provide for the use of, or purchase of, equipment
provided by the bank or third party.
Section 4. The City Manager, the Director of Finance and all other officers of
the City are hereby authorized and directed, jointly and severally, to do any and all
things to implement the policies established pursuant to this Resolution, and any such
actions previously taken by such officers are hereby ratified and confirmed.
Section 5. This Resolution shall take effect immediately upon adoption.
PASSED, APPROVED AND ADOPTED at the regular meeting of the Palm
Desert City Council held on this day of April, 2017, by the following vote, to wit:
AYES:
NOES:
ABSENT:
ABSTAIN:
JAN C. HARNIK, MAYOR
ATTEST:
RACHELLE D. KLASSEN, CITY CLERK
CITY OF PALM DESERT, CALIFORNIA
APPROVED AS TO FORM:
ROBERT W. HARGREAVES, CITY ATTORNEY
BEST, BEST & KRIEGER, LLP
RESOLUTION NO. 2017-35
CITY OF PALM DESERT
ADMINISTRATIVE PROCEDURES
Subject: Acceptance of Electronic Forms of Payments including Credit, Debit and Payment Cards
Policy No.: FIN-001
Date Issued: April 13, 2017
Amended: N/A
Approved by: Resolution No. 2017-35 authorizing City Manager to draft policy
Authored by: Finance Department
I. PURPOSE
The purpose of this policy is to establish guidelines and parameters for the
acceptance of electronic forms of payment including credit, debit or payment
cards, at the City of Palm Desert (the "City") for various payments including fees,
charges, fines, permits, licenses and/or sales, while minimizing risk, ensuring the
security of data within the rules and regulations established by the Payment Card
Industry (PCI) and articulated in the PCI Data Security Standards (DSS), and
ensuring that payment card acceptance procedures are appropriately integrated
with the City's financial and other systems.
II. SCOPE
This policy applies to all City employees, contractors, consultants or agents who,
when doing business on behalf of the City, accept, process, transmit, or otherwise
handle electronic forms of payment or cardholder information in physical or
electronic format, for payments including but not limited to fees, charges, fines,
permits, licenses and/or sales.
This policy applies to all electronic forms of payment including credit, debit or
payment cards, including payments made in person, by phone, mail, text, fax or via
the Internet. "Phone payments" include both person to person contact and IVR
(Interactive Voice Response).
III. DEFINITIONS
A. Automated Clearing House (ACH): A nationwide electronic funds transfer
network which enables participating financial institutions to distribute electronic
credit and debit entries to bank accounts and to settle such entries.
B. Cardholder: The person who owns, and whose name is on, a debit, credit or
payment card.
C. Cardholder Data: Cardholder data is any personally identifiable information
associated with a user of a credit/debit card. Primary account number (PAN), name,
expiration date, and card verification value 2 (CVV2) are included in this
definition.
D. Card Verification Code or Value: Data element on a card's magnetic stripe
that uses a secure cryptographic process to protect data integrity on the stripe
and reveals any alteration or counterfeiting (commonly referred to as CAV,
CVC, CVV, CSC, or CID), or a three- or four-digit value printed in the signature
panel area on the back of the card or embossed above the card number on
the face of the payment cards (commonly referred to as CAV2, CVC2, CVV2):
• CAV—Card Authentication Value (JCB payment cards)
• CVC—Card Validation Code (MasterCard payment cards)
• CVV—Card Verification Value (Visa and Discover payment cards)
• CSC—Card Security Code (American Express)
• CID—Card Identification Number (American Express and Discover payment
cards)
• CAV2—Card Authentication Value 2 (JCB payment cards)
• CVC2—Card Validation Code 2 (MasterCard payment cards)
• CVV2—Card Verification Value 2 (Visa payment cards)
E. Chargebacks: A charge deducting sums that had provisionally been credited
to City's account for the payment of services, fees, charges, fines, permits
and/or licenses.
F. Convenience fee: A fee charged, by the City, to recover the costs associated
with offering the convenience of using a credit card.
G. Credit Card: A card issued by a bank or business authorizing the holder to
buy goods or services on credit.
H. Credit/Debit Card Terminal/Terminal Reader: Stand-alone credit and debit
card swipe device that processes card transactions. Card terminals are
connected to a merchant bank using an encrypted tunnel over the internet.
I. Debit Card: A card used to pay for purchases by electronic transfer directly
from the purchaser's bank account.
J. Direct Debit Transaction: A method of ACH collection used where the debtor
grants authorization to a specific company to electronically debit his/her
account via an ACH debit transaction.
K. Electronic Bill Presentment and Payment (EBPP): Electronic delivery and
payment of bills over the Internet.
L. Interactive Voice Response (IVR): A software application that accepts a
combination of voice telephone input and touch-tone keypad selection and
provides appropriate responses in the form of voice or other media.
M. IVR Payment Service: IVR payment service consists of a standard IVR
application which connects to a third party financial processor that authorizes
and settles financial transactions.
N. Merchant Transaction Fees: A fee, or combination of fees, charged to the City
by a contracted third party provider for processing the City's credit and debit
card sales (transactions).
O. Payment Card Industry (PCI) Data Security Standard (DSS): A multi-faceted
security standard that includes requirements for security management,
policies, procedures, network architecture, software design and other critical
protective measures.
P. Payment Cards: Cards issued by a bank or business authorizing the holder to
buy goods or services.
Q. Personally Identifiable Information: Information that can be utilized to identify
an individual including but not limited to name, address, social security
number, phone number, etc.
R. Personal Identification Number (PIN): A confidential unique numeric code
selected by the cardholder which acts as an electronic signature on certain
payment card transactions. The PIN is not printed on the card; it is usually
manually entered by the cardholder into the Card Terminal.
S. Point of Sale (POS): An electronic payment system which captures and
transmits the customer's credit or debit card number and sale information to
the merchant's financial institution for approval and payment.
T. Primary Account Number (PAN): Acronym for primary account number, also
referred to as account number. Unique payment card number (typically for
credit or debit cards) that identifies the issuer and the particular cardholder
account.
U. Rents: Leases and rents of City-owned property.
V. Sensitive Authentication Data: Security-related information (card validation
codes/values, full magnetic-stripe data, or personal identification number
(PIN)) used to authenticate cardholders, appearing in plain-text or otherwise
unprotected form.
W. Transient Occupancy Tax (TOT): A tax charged to short-term guests by
hotels, motels and vacation properties and paid monthly to the City Treasurer.
X. Third Party Provider: A company, other than a financial institution, that
processes electronic payments (credit card, debit card, ACH and checks) over
a secure private network connection.
IV. GENERAL POLICIES
A. Compliance with PCI-DSS — All departments, employees, consultants,
contractors, agents, etc. accepting electronic payments on behalf of the City
are responsible for compliance and must comply with and/or implement the
terms and conditions of any agreements between the City and its credit card
payment service providers, PCI DSS, as well as section 1798.29 of the
California Civil Code.
B. Initiating Electronic Payment Processing - The Director of Finance or City
Manager will determine the most appropriate payment options, establish the
necessary bank accounts, order equipment, select banks or third party
providers, and facilitate the training of staff. No department will enter into any
agreement for payment processing without first contacting and obtaining the
written approval of the Director of Finance or City Manager.
i. Use of Third Party Providers — The City will use a third party provider
for all electronic payment-related services including credit, debit or
payment cards. The City will accept VISA, MasterCard, and Discover and
has negotiated contracts for processing payment card transactions. At the
City Manager's discretion, the City may also accept other forms of
payment provided such acceptance is consistent with the resolution
authorizing the acceptance of electronic payments as well as this policy.
Individual City departments may not use or negotiate individual contracts
with payment card companies or processors.
ii. IVR — Payment systems that allow for persons to make payments via IVR
will be established by the Information Technology Department Head or
the Director of Finance and approved by the City Manager.
iii. Internet Electronic Payments — Payment systems that allow for persons
to make payments via the Internet will be established by the Information
Technology Department or the Director of Finance and approved by the
City Manager.
C. Cardholder Data Security - Cardholder data must be protected at all times.
As such, the City will not retain PAN data or any sensitive authentication data.
i. General Protections of Cardholder Data - To ensure the protection and
privacy of any individual's cardholder data, sensitive authentication data
and/or personal information will only be used at the time of the transaction
while doing business with the City of Palm Desert.
ii. Transmission of cardholder data - The City prohibits the transmission
of cardholder data or sensitive authentication data through any unsecure
methods, including email, telephone (except by approved fully automated
IVR), mail, text, unsealed envelopes through city mail, or the pneumatic
tube system.
iii. PCI Compliant - The City requires that all third party providers that
handle payment card information be PCI compliant.
D. Cardholder Access - The City restricts access to cardholder data and will
only request additional information from cardholders in those infrequent
instances that may arise related to the processing of rejected charges,
disputes, refunds or chargebacks.
E. Prohibited Payment Card Activities - Prohibited activities from any type of
electronic payment or payment card include, but are not limited to:
i. Transmission of cardholder data, sensitive authentication data or
personal information through any unsecure methods, including email,
telephone (except by approved fully automated IVR), mail, text, unsealed
envelopes through city mail, or the pneumatic tube system.
ii. Cash advances.
iii. Discounts to any charges based on the method of payment.
iv. Additional surcharges or fees to payment card transactions except as
provided herein.
v. Using a paper imprinting system unless authorized by the Finance
Director or the City Manager.
vi. Any other activity that the City Manager or Director of Finance deems
inconsistent with the established intent in accepting credit cards.
F. Assessing Convenience Fees - If the City Manager determines that the cost
of providing these payment options cannot be borne by the City through
increased user fees or offsetting cost savings internally, the City Manager
may, with City Council approval, assess a "convenience fee". This
convenience fee may be administered by a third party provider.
G. Exceptions
i. Transaction Type - Credit, debit or payment cards will not be accepted
as payment for TOT, Assessment District Payments, taxes and/or rents
(does not include business licenses), unless authorized in writing by the
Finance Director or City Manager.
ii. Other - The City Manager or his/her designee may consider exceptions to
this policy statement; however, such exceptions must comply with all
resolutions, and all other policy statements related to information security
and privacy.
V. TRANSACTIONAL PROCEDURES
In addition to the policies and procedures set forth herein, the actual processing
steps may be set forth by any department accepting over-the-counter transactions,
external service provider or the Finance Department and may be amended from
time to time.
A. In Person and/or Over-the-Counter Payments
i. Payments accepted in person will only be allowed through a terminal reader
over a secure Internet connection.
ii. To the extent possible, the cardholder will swipe the card through the
terminal reader.
iii. The cardholder will be required to enter any personal identification
information including their PIN into the terminal reader, when required. No
one other than the cardholder will be allowed to enter a PIN into the
terminal reader.
iv. Manually entered payments are discouraged but are allowed on the rare
occasion that there is a malfunction of equipment or payment card and
may only be entered in the physical presence of the cardholder.
v. Merchant receipts will be signed by the cardholder before the transaction
is finalized.
B. E-Mail, Telephone, Mail, Text and Fax Payments — To protect cardholder
data, payments will not be accepted through any unsecure methods including
email, telephone (except by fully automated IVR), mail, text or by fax.
C. Internet Electronic Payments — Approved PCI compliant payment systems
that allow for persons to make payments via the Internet will follow the
requirements and guidelines established by the payment system to ensure
security.
D. IVR — Approved PCI-compliant payment systems that allow for persons to
make payments via IVR must be fully automated and completed by the
cardholder.
E. Refunds - Refunds will be processed in the same manner as all other refunds
of the City. The Director of Finance will determine the appropriate method for
refunds which may be through a terminal reader or a refund check.
F. Chargebacks - Chargebacks will be processed in the same manner as all
other chargebacks of the City. Until the chargeback is resolved by the
cardholder, the City's approval or process for which a permit and/or license
was issued by an electronic form of payment will be suspended.