RESOLUTION NO. 2017-35
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF PALM
DESERT AUTHORIZING THE ACCEPTANCE OF ELECTRONIC FORMS
OF PAYMENT INCLUDING CREDIT AND DEBIT CARDS FOR THE
PAYMENT OF CITY-IMPOSED FEES, CHARGES, FINES, PERMITS
AND LICENSES AND AUTHORIZING THE CITY MANAGER TO
ESTABLISH POLICIES AND PROCEDURES NECESSARY TO
EFFECTUATE THE ACCEPTANCE OF ELECTRONIC FORMS OF
PAYMENT
WHEREAS, the effective and efficient management of the City's cash resources
requires reasonable but expeditious revenue collection; and
WHEREAS, the use of electronic forms of payment, including credit and debit
cards, has become a customary and economical business practice to provide a high
level of customer service and to expand payment options for its customers; and
WHEREAS, the City desires to allow electronic forms of payment when
appropriate, ensuring the greatest value in the most cost effective way possible; and
WHEREAS, the policies, procedures and practices of accepting electronic forms
of payment should be reviewed and revised as required to minimize risk and ensure the
security of data within the rules and regulations established by the Payment Card
Industry (PCI) and articulated in the PCI Data Security Standards (DSS); and
WHEREAS, the City recognizes the necessity to best accommodate its
customers by facilitating the payment of City-imposed fees, charges, fines, permits,
licenses and/or sales by electronic forms of payment including credit and debit cards.
NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF PALM DESERT
DOES HEREBY RESOLVE, DETERMINE AND ORDER AS FOLLOWS:
Section 1. The above recitals are true and correct.
Section 2. The City Manager is hereby authorized to establish and periodically
review policies and procedures for the acceptance of electronic forms of payment
including appropriate business practices. Such policies, procedures and practices shall
include: the types of electronic payments to be accepted; the types of charges imposed
by the City that may be paid through electronic payments; whether limits are appropriate
for certain types of transactions; whether certain types of transactions would be
excluded from some or all types of electronic payments; the imposition of fees for
rejected transactions or the waiving thereof; or other considerations deemed
appropriate concerning the acceptance of current and future forms of electronic
payments.
Section 3. The City Manager or the Director of Finance is hereby authorized,
on behalf of the City of Palm Desert, to execute an agreement or agreements with one
or more banks or third parties for the use of electronic payment processing including
credit and debit cards for payment by the public of fees, charges, fines, permits,
licenses and/or sales in accordance with any policies established set forth in Section 1.
The agreement(s) may provide for the payment by the City of fees in accordance with
the bank's or third party's schedule of fees for accounts of similar volume subject to
change from time to time, and may provide for the use of, or purchase of, equipment
provided by the bank or third party.
Section 4. The City Manager, the Director of Finance and all other officers of
the City are hereby authorized and directed, jointly and severally, to do any and all
things to implement the policies established pursuant to this Resolution, and any such
actions previously taken by such officers are hereby ratified and confirmed.
Section 5. This Resolution shall take effect immediately upon adoption.
PASSED, APPROVED AND ADOPTED at the regular meeting of the Palm
Desert City Council held on this 13th day of April, 2017, by the following vote, to wit:
AYES: JONATHAN, KELLY, NESTANDE, WEBER, and HARNIK
NOES: NONE
ABSENT: NONE
ABSTAIN: NONE
C. HARNIK, MAYOR
ATTEST:
RACHELLE D. KLASSEN, CITY CLERK
CITY OF PALM DESERT, CALIFORNIA
APPROVED AS TO FORM:
ROBEN EAV, CITY ATTORNEY
BEST, BEST & KRIEGER, LLP
CITY OF PALM DESERT
ADMINISTRATIVE PROCEDURES
Subject: Acceptance of Electronic Forms of Payments including Credit, Debit and Payment Cards
Policy No.: FIN-001
Date: Issued: April 13, 2017; Amended: N/A
Approved by: Resolution No. 2017-35 authorizing City Manager to draft policy
Authored by: Finance Department
I. PURPOSE
The purpose of this policy is to establish guidelines and parameters for the
acceptance of electronic forms of payment, including credit, debit or payment
cards, at the City of Palm Desert (the "City") for various payments including fees,
charges, fines, permits, licenses and/or sales, while minimizing risk, ensuring the
security of data within the rules and regulations established by the Payment Card
Industry (PCI) and articulated in the PCI Data Security Standards (DSS), and
ensuring that payment card acceptance procedures are appropriately integrated
with the City's financial and other systems.
II. SCOPE
This policy applies to all City employees, contractors, consultants or agents who,
when doing business on behalf of the City, accept, process, transmit, or otherwise
handle electronic forms of payment or cardholder information in physical or
electronic format, for payments including but not limited to fees, charges, fines,
permits, licenses and/or sales.
This policy applies to all electronic forms of payment including credit, debit or
payment cards, including payments made in person, by phone, mail, text, fax or via
the Internet. "Phone payments" include both person to person contact and IVR
(Interactive Voice Response).
III. DEFINITIONS
A. Automated Clearing House (ACH): A nationwide electronic funds transfer
network which enables participating financial institutions to distribute electronic
credit and debit entries to bank accounts and to settle such entries.
B. Cardholder: The person who owns, and whose name is on, a debit, credit or
payment card.
C. Cardholder Data: Cardholder data is any personally identifiable information
associated with a user of a credit/debit card. Primary account number (PAN), name,
expiration date, and card verification value 2 (CVV2) are included in this
definition.
D. Card Verification Code or Value: Data element on a card's magnetic stripe
that uses a secure cryptographic process to protect data integrity on the stripe
and reveals any alteration or counterfeiting (commonly referred to as CAV,
CVC, CVV, CSC, or CID), or a three- or four-digit value printed in the signature
panel area on the back of the card or embossed above the card number on
the face of the payment cards (commonly referred to as CAV2, CVC2, CVV2):
• CAV — Card Authentication Value (JCB payment cards)
• CVC — Card Validation Code (MasterCard payment cards)
• CVV — Card Verification Value (Visa and Discover payment cards)
• CSC — Card Security Code (American Express)
• CID — Card Identification Number (American Express and Discover payment
cards)
• CAV2 — Card Authentication Value 2 (JCB payment cards)
• CVC2 — Card Validation Code 2 (MasterCard payment cards)
• CVV2 — Card Verification Value 2 (Visa payment cards)
E. Chargebacks: A charge deducting sums that had provisionally been credited
to City's account for the payment of services, fees, charges, fines, permits
and/or licenses.
F. Convenience fee: A fee charged, by the City, to recover the costs associated
with offering the convenience of using a credit card.
G. Credit Card: A card issued by a bank or business authorizing the holder to
buy goods or services on credit.
H. Credit/Debit Card Terminal/Terminal Reader: Stand-alone credit and debit
card swipe device that processes card transactions. Card terminals are
connected to a merchant bank using an encrypted tunnel over the internet.
I. Debit Card: A card used to pay for purchases by electronic transfer directly
from the purchaser's bank account.
J. Direct Debit Transaction: A method of ACH collection used where the debtor
grants authorization to a specific company to electronically debit his/her
account via an ACH debit transaction.
K. Electronic Bill Presentment and Payment (EBPP): Electronic delivery and
payment of bills over the Internet.
L. Interactive Voice Response (IVR): A software application that accepts a
combination of voice telephone input and touch-tone keypad selection and
provides appropriate responses in the form of voice or other media.
M. IVR Payment Service: IVR payment service consists of a standard IVR
application which connects to a third party financial processor that authorizes
and settles financial transactions.
N. Merchant Transaction Fees: A fee, or combination of fees, charged to the City
by a contracted third party provider for processing the City's credit and debit
card sales (transactions).
O. Payment Card Industry (PCI) Data Security Standard (DSS): A multi-faceted
security standard that includes requirements for security management,
policies, procedures, network architecture, software design and other critical
protective measures.
P. Payment Cards: Cards issued by a bank or business authorizing the holder to
buy goods or services.
Q. Personally Identifiable Information: Information that can be utilized to identify
an individual including but not limited to name, address, social security
number, phone number, etc.
R. Personal Identification Number (PIN): A confidential unique numeric code
selected by the cardholder which acts as an electronic signature on certain
payment card transactions. The PIN is not printed on the card; it is usually
manually entered by the cardholder into the Card Terminal.
S. Point of Sale (POS): An electronic payment system which captures and
transmits the customer's credit or debit card number and sale information to
the merchant's financial institution for approval and payment.
T. Primary Account Number (PAN): Acronym for primary account number, also
referred to as account number. Unique payment card number (typically for
credit or debit cards) that identifies the issuer and the particular cardholder
account.
U. Rents: Leases and rents of City-owned property.
V. Sensitive Authentication Data: Security-related information (card validation
codes/values, full magnetic-stripe data, or personal identification number
(PIN)) used to authenticate cardholders, appearing in plain-text or otherwise
unprotected form.
W. Transient Occupancy Tax (TOT): A tax charged to short-term guests by
hotels, motels and vacation properties and paid monthly to the City Treasurer.
X. Third Party Provider: A company, other than a financial institution, that
processes electronic payments (credit card, debit card, ACH and checks) over
a secure private network connection.
IV. GENERAL POLICIES
A. Compliance with PCI-DSS — All departments, employees, consultants,
contractors, agents, etc. accepting electronic payments on behalf of the City
are responsible for compliance and must comply with and/or implement the
terms and conditions of any agreements between the City and its credit card
payment service providers, PCI DSS, as well as section 1798.29 of the
California Civil Code.
B. Initiating Electronic Payment Processing - The Director of Finance or City
Manager will determine the most appropriate payment options, establish the
necessary bank accounts, order equipment, select banks or third party
providers, and facilitate the training of staff. No department will enter into any
agreement for payment processing without first contacting and obtaining the
written approval of the Director of Finance or City Manager.
i. Use of Third Party Providers — The City will use a third party provider
for all electronic payment-related services including credit, debit or
payment cards. The City will accept VISA, MasterCard, and Discover and
has negotiated contracts for processing payment card transactions. At the
City Manager's discretion, the City may also accept other forms of
payment provided such acceptance is consistent with the resolution
authorizing the acceptance of electronic payments as well as this policy.
Individual City departments may not use or negotiate individual contracts
with payment card companies or processors.
ii. IVR — Payment systems that allow for persons to make payments via IVR
will be established by the Information Technology Department Head or
the Director of Finance and approved by the City Manager.
iii. Internet Electronic Payments — Payment systems that allow for persons
to make payments via the Internet will be established by the Information
Technology Department or the Director of Finance and approved by the
City Manager.
C. Cardholder Data Security - Cardholder data must be protected at all times.
As such, the City will not retain PAN data or any sensitive authentication data.
i. General Protections of Cardholder Data - To ensure the protection and
privacy of any individual's cardholder data, sensitive authentication data
and/or personal information will only be used at the time of the transaction
while doing business with the City of Palm Desert.
ii. Transmission of cardholder data - The City prohibits the transmission
of cardholder data or sensitive authentication data through any unsecure
methods, including email, telephone (except by approved fully automated
IVR), mail, text, unsealed envelopes through city mail, or the pneumatic
tube system.
iii. PCI Compliant - The City requires that all third party providers that
handle payment card information be PCI compliant.
D. Cardholder Access - The City restricts access to cardholder data and will
only request additional information from cardholders in those infrequent
instances that may arise related to the processing of rejected charges,
disputes, refunds or chargebacks.
E. Prohibited Payment Card Activities - Prohibited activities from any type of
electronic payment or payment card include, but are not limited to:
i. Transmission of cardholder data, sensitive authentication data or
personal information through any unsecure methods, including email,
telephone (except by approved fully automated IVR), mail, text, unsealed
envelopes through city mail, or the pneumatic tube system.
ii. Cash advances.
iii. Discounts to any charges based on the method of payment.
iv. Additional surcharges or fees to payment card transactions except as
provided herein.
v. Using a paper imprinting system unless authorized by the Finance
Director or the City Manager.
vi. Any other activity that the City Manager or Director of Finance deems
inconsistent with the established intent in accepting credit cards.
F. Assessing Convenience Fees - If the City Manager determines that the cost
of providing these payment options cannot be borne by the City through
increased user fees or offsetting cost savings internally, the City Manager
may, with City Council approval, assess a "convenience fee". This
convenience fee may be administered by a third party provider.
G. Exceptions
i. Transaction Type - Credit, debit or payment cards will not be accepted
as payment for TOT, Assessment District Payments, taxes and/or rents
(does not include business licenses), unless authorized in writing by the
Finance Director or City Manager.
ii. Other - The City Manager or his/her designee may consider exceptions to
this policy statement, however, such exceptions must comply with all
resolutions, and all other policy statements related to information security
and privacy.
V. TRANSACTIONAL PROCEDURES
In addition to the policies and procedures set forth herein, the actual processing
steps may be set forth by any department accepting over-the-counter transactions,
external service provider or the Finance Department and may be amended from
time to time.
A. In Person and/or Over-the-Counter Payments
i. Payments accepted in person will only be allowed through terminal reader
over a secure internet connection.
ii. To the extent possible, the cardholder will swipe the card through the
terminal reader.
iii. The cardholder will be required to enter any personal identification
information including their PIN into the terminal reader, when required. No
one other than the cardholder will be allowed to enter a PIN into the
terminal reader.
iv. Manually entered payments are discouraged but are allowed on the rare
occasion that there is a malfunction of equipment or payment card and
may only be entered in the physical presence of the cardholder.
v. Merchant receipts will be signed by the cardholder before the transaction
is finalized.
B. E-Mail, Telephone, Mail, Text and Fax Payments — To protect cardholder
data, payments will not be accepted through any unsecure methods including
email, telephone (except by fully automated IVR), mail, text or by fax.
C. Internet Electronic Payments — Approved PCI compliant payment systems
that allow for persons to make payments via the Internet will follow the
requirements and guidelines established by the payment system to ensure
security.
D. IVR — Approved PCI-compliant payment systems that allow for persons to
make payments via IVR must be fully automated and completed by the
cardholder.
E. Refunds - Refunds will be processed in the same manner as all other refunds
of the City. The Director of Finance will determine the appropriate method for
refunds which may be through a terminal reader or a refund check.
F. Chargebacks - Chargebacks will be processed in the same manner as all
other chargebacks of the City. Until the chargeback is resolved by the
cardholder, the City's approval or process for which a permit and/or license
was issued by an electronic form of payment will be suspended.