Policy No. F-12, Exhibit A - Minimum guidelines for PCI-DSS Page 1 of 3

DESCHUTES COUNTY ADMINISTRATIVE POLICY NO. F-12

Effective date:

PAYMENT CARD SECURITY POLICY

STATEMENT OF POLICY:

It is the policy of Deschutes County to protect cardholder data through use of appropriate controls over acceptance of debit and credit cards for payment of county services.

APPLICABILITY:

This policy applies to all county departments and County service districts under the governance of the Board of County Commissioners whose operations accept payment cards.

POLICY AND PROCEDURES:

Policies and procedures are intended to cover the minimum guidelines under the Payment Card Industry Data Security Standards (PCI-DSS). Exhibit A, attached hereto and incorporated herein, is intended to assist directors and managers in designing, implementing, monitoring and complying with these security standards by providing the basic procedures not detailed under the main body of the policy. Department procedures may be more extensive but shall incorporate these basic procedures.

1. All payment card activities shall be coordinated and authorized in advance by the Finance Department. Any questions as to appropriateness of procedures should be directed to the Finance Director or the Finance Director’s designee.

2. Staff with responsibilities that include handling of payment card transactions shall be trained on this policy and associated procedures by their department. Staff shall not accept payment cards until this required training has been completed.

3. Staff shall not store sensitive authentication data after authorization, either on paper or in electronic form (even if encrypted). Sensitive authentication data consists of magnetic stripe data, the card validation code (the three-digit or four-digit number printed on the front or back of a payment card and used to verify card-not-present transactions), and PIN data.

4. Staff shall not send any cardholder account information by any unsecured or unencrypted method (such as through interoffice mail, email, instant messaging, or chat).

5. Staff shall ensure the original payment card receipts (cardholder and merchant copies) generated from transactions on electronic terminals include only the last four digits of the cardholder account. Any imprint receipts generated from manual processing shall be restricted as discussed in Exhibit A.

6. This policy shall be reviewed annually.

APPROVED by the Deschutes County Board of Commissioners _________________.

_________________________________
Dave Kanner, County Administrator

DESCHUTES COUNTY ADMINISTRATIVE POLICY NO. F-12

EXHIBIT A - Minimum procedural guidelines for PCI-DSS

These procedures are intended to be the minimum guidelines under the Payment Card Industry Data Security Standards (PCI-DSS) for imprint machines or stand-alone dial-out terminals only, where no electronic cardholder data is stored. Departments are responsible for identifying the need for additional procedures and implementing them as warranted. The PCI-DSS standards and support can be obtained at www.pcisecuritystandards.org.

1. Management and supervisors shall immediately report any incidents identified to the Finance Department. The County identifies an “incident” as a suspected loss of physical cardholder data or unapproved access to cardholder data.

2. All payment card transactions will be via payment card terminals connected through telephone lines to a third party processor and/or software applications that delegate the transaction to an approved third party payment processor. If electronic payment terminals become inoperable or are unavailable, departments may use manual imprint machines/methods to process payment card transactions. The County currently does not collect, store or handle payment card information with County owned software or data systems.
   a. Departments shall document their card processing procedures and annually review these procedures for compliance with PCI-DSS standards.
   b. Payment card terminals shall be monitored or secured at all times to protect them from tampering. Departments shall notify the Finance Department if any tampering of terminals is suspected.

3. Departments shall retain original cardholder payment records for 36 months.

4. Retention of cardholder account number information shall be discouraged and only done in limited business circumstances approved by the Finance Department. Payment data shall be kept on paper and never stored in electronic form. Physical access to cardholder data shall be restricted as long as it is retained. Management shall:
   a. identify efforts to secure the data by type of media and location;
   b. mark classified information as confidential;
   c. restrict access to data only to staff with a business need to know;
   d. track and log any movement of data;
   e. destroy data when it is no longer needed for business or legal reasons (appropriate methods include cross-cut shredding, incineration, pulping, or secure-shred services); and
   f. periodically review payment card records retained and destroy any retained cardholder records as required under the documentation retention requirements (currently 36 months).

5. Management and supervisors shall ensure appropriate staff are trained in these matters prior to accepting payment cards. Satisfaction of this requirement shall be evidenced by a signed document.

6. The Finance Department shall coordinate and approve third party payment card processing and shall:
   a. maintain a list of service providers;
   b. establish written agreements with service providers on responsibility for security of cardholder data; and
   c. perform a due diligence process for new service providers and monitor service provider PCI-DSS compliance status.