ELECTRONIC PAYMENT PROCESSING SERVICES
Binding City Policy
The City shall ensure its electronic payment processing services, systems, and procedures are easy to use, cost effective, and secure.
The OMF Bureau of Revenue and Financial Services’ Treasury Division shall contract for and maintain all City banking-related services, including those related to payment card and automated clearinghouse (ACH) processing. Payment cards refer to credit and debit cards. Electronic payment processing refers to the use of credit, debit, and ACH methods of payment.
Bureaus that provide electronic payment processing options shall be responsible for all direct and indirect costs associated with providing the service.
Bureaus interested in offering electronic payment processing as a payment option for City services shall submit a written request for approval to their bureau’s Technology Business Consultant, and shall agree to comply with all standards and policies related to electronic payment processing. Prior to submitting requests, bureaus shall consider the financial and operational impacts of providing this service. See FIN 2.10.01 Guidelines for Electronic Payment Processing Services.
Bureaus shall use the City's e-Commerce platform (also known as the City's payment processing gateway or PPG) for all electronic payment processing services. See FIN 2.10.02 Technical Requirements for Electronic Payment Processing Services. The City Treasurer will approve any exceptions to this requirement to ensure all electronic payment processing solutions meet all financial and depository requirements.
To protect cardholder data and to ensure the best merchant pricing, bureaus shall use best practices for accepting and processing payment cards. See FIN 2.10.03 Best Practices for Processing Payment Card Transactions.
The Treasury Division shall confer with the Accounting Division and Bureau of Technology Services prior to approving bureaus’ requests.
All electronic payment services must be processed in a City-approved secure environment. The Payment Card Industry - Data Security Standard (PCI-DSS) will be the City's standard for processing electronic payments in a secure environment. This PCI-DSS standard addresses the physical, network, and software environment for payment card services. Bureaus that use City-approved external software for electronic payment processing services shall use only software that is Payment Application-Data Security Standard (PA-DSS) compliant. PA-DSS is a set of software security standards related to PCI-DSS which applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as a part of authorization or settlement. The Bureau of Technology Services has determined that a PCI-DSS compliant environment meets the U.S. Department of Treasury recommendation to process ACH payments with sound, risk-based security controls in all ACH systems.
Bureaus, and their approved agents, that accept payment cards as a method of payment for services shall maintain compliance with all current and applicable PCI-DSSrequirements as established by the PCI Security Standards Council (or its successor). All designated agents, such as third-party payment card processors acting on behalf of a City bureau, must provide proof of PCI-DSS compliance as validated by a Qualified Security Assessor (QSA) and an Approved Scan Vendor (ASV) that is registered and certified by the PCI Security Standards Council. See FIN 2.10.02 Technical Analysis Requirements.
To ensure compliance with the PCI-DSS requirement to restrict access to hardware that collects cardholder data, bureaus shall ensure the security of all their payment device hardware. See FIN 2.10.04 Security of Payment Card Device Hardware.
Third-party processors and/or agents acting on behalf of City bureaus in the collection of funds are required to deposit in a timely manner all collected funds directly to a City owned and collateralized bank account.
The Treasury Division, the Accounting Division, and the Bureau of Technology Services shall together assist bureaus in complying with this policy.
Ordinance No. 181829, passed by City Council May 14, 2008 and effective July 1, 2008.
Amended by Resolution No. 37086, adopted by City Council August 6, 2014.
Amended by Chief Administrative Officer, February 3, 2016.