PortlandOnline

POL Government Elected Officials Auditor Griffin-Valade Charter, Code & Policies Policies & Rules (PPD) Finance Comprehensive Financial Management Policies
FIN-2.10 - Electronic Payment Processing Services

ELECTRONIC PAYMENT PROCESSING SERVICES

Binding City Policy

BCP-FIN-2.10


 

Policy

 

The City shall ensure its electronic payment processing services, systems, and procedures are easy to use, cost effective, and secure.

 

The OMF Bureau of Revenue and Financial Services’ Public Finance and Treasury Division shall contract for and maintain all City banking-related services, including those related to payment card and automated clearinghouse (ACH) processing. Payment cards refer to credit and debit cards. Electronic payment processing refers to the use of credit, debit, and ACH methods of payment.

 

Bureaus that provide electronic payment processing options shall be responsible for all direct and indirect costs associated with providing the service.

 

Bureaus interested in offering electronic payment processing as a payment option for City services must submit a written request for approval to their bureau’s Technology Business Consultant and must agree to comply with all standards and policies related to electronic payment processing. Prior to submitting, bureaus shall consider the financial and operational impacts of providing this service. See FIN 2.10.01 Guidelines for Electronic Payment Processing Services.

 

Bureaus shall use the City's e-Commerce platform (also known as the City's payment processing gateway or PPG) for all electronic payment processing services. See FIN 2.10.02 Technical Requirements for Electronic Payment Processing Services. Exceptions to this requirement must be approved by the City Treasurer to ensure all electronic payment processing solutions meet all financial and depository requirements.

 

To protect cardholder data and to ensure the best merchant pricing, bureaus shall use best practices for accepting and processing payment cards. See FIN 2.10.03 Best Practices for Processing Payment Card Transactions.

 

Public Finance and Treasury shall confer with the Accounting Division and Bureau of Technology Services prior to approving bureaus’ requests.

 

Security Standard

 

All electronic payment services must be processed in a City-approved secure environment. The Payment Card Industry - Data Security Standard (PCI-DSS) shall be the City's standard for processing electronic payments in a secure environment. This PCI-DSS standard addresses the physical, network, and software environment for payment card services. Bureaus that use City-approved external software for electronic payment processing services shall use only software that is Payment Application-Data Security Standard (PA-DSS) compliant. PA-DSS is a set of software security standards related to PCI-DSS which applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as a part of authorization or settlement. The Bureau of Technology Services has determined that a PCI-DSS compliant environment meets the U.S. Department of Treasury recommendation to process ACH payments with sound, risk-based security controls in all ACH systems.

 

Bureaus, and their approved agents that accept payment cards as a method of payment for services shall maintain compliance with all current and applicable PCI-DSS requirements as established by the PCI Security Standards Council (or its successor). All designated agents, such as a third-party payment card processors acting on behalf of a City bureau, must provide proof of PCI-DSS compliance as validated by a Qualified Security Assessor (QSA) and an Approved Scan Vendor (ASV) that is registered and certified by the PCI Security Standards Council. See FIN 2.10.02 Technical Analysis Requirements.

 

Third-party processors and/or agents acting on behalf of City bureaus in the collection of funds are required to deposit in a timely manner all collected funds directly to a City owned and collateralized bank account. See FIN 6.10 Cash.

 

Responsibility

 

The Public Finance and Treasury Division and the Bureau of Technology Services shall together assist bureaus in complying with this policy.

 


HISTORY

 

Ordinance No. 181829, passed by City Council May 14, 2008 and effective July 1, 2008.

Amended by Resolution No. 37086, adopted by City Council August 6, 2014.