ELECTRONIC PAYMENT PROCESSING
Binding City Policy
The City will ensure that its banking services, systems and procedures, including electronic payment processing, are easy for the public to use, provide a cost-effective service and maintain security for transactions.
The OMF Bureau of Financial Services Treasury Division will establish and maintain all City banking-related services, including those related to payment card or ACH (automated clearinghouse) processing. Payment cards refer to credit and debit cards. Electronic payment processing refers to the use of credit, debit or ACH methods of payment.
Bureaus that provide electronic payment processing options will be responsible for all direct and indirect costs associated with providing the service.
Bureaus interested in using payment cards as a payment option for City services will submit a written request to the Treasury Division and agree to comply with all standards and policies related to payment card processing. Prior to approval of the request, bureaus will perform a cost/benefit analysis that assesses the financial and operational impacts of providing this service and assesses alternatives to credit/debit card use. See cost/benefit analysis guidelines.
Bureaus will use the City's e-Commerce platform (also known as the City's payment processing gateway, or PPG) for all electronic payment card services. The Chief Technology Officer will review requests for exceptions to this requirement based on the financial or technical requirements presented in the cost/benefit analysis.
All electronic payment processing services must be processed in a City-approved secure environment. The Payment Card Industry - Data Security Standard (PCI-DSS) shall be the City's standard for processing electronic payments in a secure environment. This PCI-DSS environment includes the physical, network and software environment for the payment card service. Bureaus that use external software for electronic payment processing services will use only software that is Payment Application-Data Security Standard (PA-DSS) compliant. PA-DSS is a set of software security standards related to PCI-DSS and applies to software vendors and others who develop payment applications that store, process or transmit cardholder data as a part of authorization or settlement. The Bureau of Technology Services has determined that a PCI-DSS compliant environment meets the U.S. Department of Treasury recommendation to process ACH payments with sound, risk-based security controls in all ACH systems.
Bureaus, and their approved third-parties, that accept payment cards as a method of payment for services will comply with all current and applicable Payment Card Industry - Data Security Standard (PCI-DSS) requirements as established by the PCI Security Standards Council (or its successor). Any designated agent, such as a third-party payment card processor acting on behalf of a City bureau, must provide proof of PCI-DSS compliance/certification evidenced and validated by a Qualified Security Assessor (QSA) and an Approved Scan Vendor (ASV) that is registered and certified by the PCI Security Standards Council. See technical analysis requirements.
Third-party processors and/or agents acting on behalf of City bureaus in the collection of funds are required to deposit all collected funds directly to a City-owned and collateralized bank account.
The Chief Administrative Officer is authorized to develop and issue policies and procedures with input from Council, bureaus and other appropriate stakeholders in order to implement the electronic payment processing policy. The City Treasurer will provide guidance and direction to bureaus to prepare the cost/benefit analysis for electronic payment card processing. The Chief Technology Officer will provide guidance and direction to bureaus in the technical requirements and security policies.
Ordinance No. 181829, passed by City Council May 14, 2008 and effective July 1, 2008.