Item C04M
County of Monroe
The Florida Keys
BOARD OF COUNTY COMMISSIONERS
Mayor George Neugent, District 2
Mayor Pro Tem David Rice, District 4
Danny L. Kolhage, District 1
Heather Carruthers, District 3
Sylvia J. Murphy, District 5
County Commission Meeting
May 17, 2017
Agenda Item Number: C.4
Agenda Item Summary #2894
BULK ITEM: Yes
DEPARTMENT: Budget and Finance
TIME APPROXIMATE: 10:30 A.M.
STAFF CONTACT: Christine Hurley (305) 292-4441
AGENDA ITEM WORDING: Authorization for County staff to continue to implement
acceptance of credit cards by County Departments at a cost of $28,750 for the purchase of devices
and a service fee will be charged to the user for the convenience of using this payment method,
which will offset any processing expense to the County.
ITEM BACKGROUND: F.S. 215.322 authorizes a unit of local government to accept payment by
use of credit cards, charge cards, bank debit cards, and electronic funds transfers for financial
obligations that are owing to such unit of local government and to surcharge the person who uses a
credit card, charge cards, bank debit cards, or electronic funds transfer in payment of taxes, license
fees, fines, civil penalties, court-ordered payments, or court costs, or other statutorily prescribed
revenues an amount sufficient to pay the service fee charges by the financial institution, vending
service company, or credit card company for such services and encourages units of local government
to make their goods, services, and information more convenient to the public through the acceptance
of payment by credit cards, charge cards, debit cards, or other means of electronic funds transfer to
the maximum extent practicable when the benefits to the participating agency and the public
substantiate the cost of accepting these types of payments.
County staff has been working with the Clerk and various county departments to implement the
acceptance of credit cards by county departments as needed. The Clerk, via a contract with Elavon,
will be coordinating implementation with the County. There will be two Elavon representatives
present at the meeting to answer any questions or address any concerns of the Board (Craig Peterson,
Regional Sales Manager for Government & Higher Education and James Lewis, Senior Director and
General Manager of Elavon). With a single swipe or dip of a card, the device/terminal will authorize
two transactions and generate a receipt for the sale amount and another for the service fee amount.
The percentage fee is set to entirely offset the processing expenses, resulting in a revenue-neutral fee
collection fully hosted by Elavon.
The County is anticipating that it will purchase 50 devices for various locations in the County (see
attached MC Credit Card Locations for device locations). The cost of each device is $575.00 for a
total of $28,750. The County's Information Technology department is also involved in the
implementation to ensure that each location where devices are to be used has adequate
technological support. The County Administrator will be adopting an administrative instruction for
Monroe County departments and employees to follow. The draft administrative instruction is
attached and has been reviewed by Assistant County Administrator Christine Hurley, the Clerk's
office and the County Attorney's office.
PREVIOUS RELEVANT BOCC ACTION: None.
CONTRACT/AGREEMENT CHANGES: N/A
STAFF RECOMMENDATION: Approval
DOCUMENTATION:
DRAFT CREDIT CARD POLICY - Monroe County 5 17 17
MC Credit Card Locations - Equipement FINAL- Update 04042017V3
FINANCIAL IMPACT:
Effective Date: Anticipated to begin week of June 5, 2017
Expiration Date:
Total Dollar Value of Contract: N/A
Total Cost to County:
Current Year Portion:
Budgeted:
Source of Funds:
CPI:
Indirect Costs:
Estimated Ongoing Costs Not Included in above dollar amounts:
Revenue Producing: No.
Grant:
County Match:
Insurance Required:
Additional Details:
If yes, amount:
05/17/17 001-05002 - TECHNICAL SERVICES
For Devices (50 total)
$28,750.00
REVIEWED BY:
Christine Hurley Completed 04/26/2017 8:18 AM
Alan MacEachern Completed 05/01/2017 11:55 AM
Tina Boan Completed 05/01/2017 4:34 PM
Christine Limbert Completed 05/01/2017 4:34 PM
Maria Slavik Completed 05/01/2017 5:02 PM
Kathy Peters Completed 05/02/2017 1:23 PM
Board of County Commissioners Pending 05/17/2017 9:00 AM
I. BACKGROUND
Acceptance of credit and debit cards (herein referred to as payment cards) as a payment
method has become universal within both the private and public sectors. Many governments
now accept cards for taxes, fines, user charges and fees. For a fee, a payment card processing
service provider works with a government entity to accept and process payment card
payments.
Benefits to accepting payment cards include:
• Enhanced customer service and convenience.
• Increased certainty of collection.
• Accelerated payments and the availability of funds.
• Improved audit trail.
• Reduced cashiering costs.
• Improved overall cash flow and forecasting.
• Lessened delinquencies.
• Reduced return check processing costs.
• Reduced collection costs.
The Payment Card Industry, also known as PCI, is made up of the major credit card
companies (e.g., VISA, Master Card, Discover and other major card issuers). PCI has
established for merchants accepting payment cards for payment of goods and services
important and stringent security requirements to protect credit card data. These are called the
PCI Data Security Standards or "PCI-DSS." These standards include controls for handling
and restricting credit card information, computer and internet security, and reporting of a
breach of credit card information.
II. PURPOSE
The purpose of this policy is to establish for authorized Monroe County departments business
processes and procedures for accepting payment cards that will minimize the County's risk
and provide the greatest value, security of data, and availability of services to each county
customer within the rules and regulations established by PCI and articulated in PCI-DSS.
Additionally, these processes are intended to ensure that payment card acceptance procedures
are appropriately integrated with the County's business processes and automated systems.
In response to increasing incidents of identity theft, PCI created the PCI-DSS to help prevent
theft of customer data. PCI-DSS applies to all entities that accept payment cards to procure
goods or services. Compliance with this standard is enforced by PCI through guidelines and
self-assessment for smaller volume participants and through validated on-site inspection for
larger volume participants. Following PCI guidelines positions providers to effectively
safeguard this data — however it is often discovered after a security breach has occurred that
the company/entity breached had been deficient in at least one section of their PCI audit
review.
Security breaches can result in serious consequences for Monroe County, including release of
confidential information, damage to reputation, the assessment of substantial fines, possible
legal liability and the potential loss of the ability to accept payment card and eCommerce
payments.
III. DEFINITIONS
Cardholder: The customer to whom a payment card has been issued or the individual
authorized to use the card.
Cardholder Data: All personally identifiable data about the cardholder (i.e., account
number, expiration date, cardholder name.)
Cashiering Services: Monroe County department that approves all third-party service
providers and coordinates the policies and procedures for accepting payment cards.
Encryption: The process of converting information into an unintelligible form to anyone
except holders of a specific cryptographic key. Use of encryption protects information
between the encryption process and the decryption process against unauthorized disclosure.
Merchant Department: For the purposes of the PCI-DSS and this policy, a merchant
department is defined as a Monroe County department that is authorized to accept payment
cards as payment for goods and/or services provided by Monroe County.
Merchant Department Responsible Person (MDRP): A designated employee within each
Monroe County Merchant Department who has primary authority and responsibility for
payment card and eCommerce transaction processing within that department.
Payment Card: Any payment card/device that bears the logo of Discover Financial
Services, MasterCard Worldwide, or VISA, Inc. or other major credit card issuer.
Payment Card Account Change: Any change in the payment account including, but not
limited to:
• the use of existing payment card accounts for new purposes;
• the alteration of business processes that involve payment card processing activities;
• the addition or alteration of payment systems;
• the addition or alteration of relationships with third-party payment card service
providers, and
• the addition or alteration of payment card processing technologies or channels.
Payment Card Industry (PCI) - Data Security Standard (DSS): A multi-faceted security
standard that includes requirements for security management, policies, procedures, network
architecture, software design and other critical protective measures.
Self-Assessment: The PCI Self-Assessment Questionnaire (SAQ) is a validation tool that is
primarily used by merchants to demonstrate compliance to the PCI-DSS.
Sensitive Authentication Data: Security-related information (card validation codes/values,
full magnetic-stripe data, or personal identification number (PIN)) used to authenticate
cardholders, appearing in plain-text or otherwise unprotected form.
IV. APPLICABILITY
This policy applies to all Monroe County employees, contractors, consultants or agents who,
in the course of doing business on behalf of the County, accept, process, transmit, or
otherwise handle cardholder information in physical or electronic format.
This policy applies to all County departments and administrative areas which accept payment
cards regardless of whether revenue is deposited in a County financial account.
V. ACCEPTABLE PAYMENT CARDS
Monroe County Board of County Commissioners accepts VISA, MasterCard, and Discover cards
and has negotiated contracts for processing payment card transactions.
VI. PROHIBITED PAYMENT CARD ACTIVITIES
Monroe County prohibits certain credit card activities that include, but are not limited to:
• Accepting payment cards for cash advances.
• Discounting a good or service based on the method of payment.
• Adding a surcharge or additional fee to payment card transactions, except for
payment card fees as allowed by F.S. 215.322 and as set forth in more detail below.
• Using a paper imprinting machine unless specifically authorized by County
management.
No Monroe County employee, contractor or agent who obtains access to payment card or
other personal payment information in the course of conducting business on behalf of the
County may sell, purchase, provide, share, or exchange said information in any form
including but not limited to imprinted sales slips, copies of imprinted sales slips, mailing
lists, tapes, or other media obtained by reason of a card transaction to any third party other
than to the County's depository bank, Visa, MasterCard or other credit card company, or
pursuant to a government request.
VII. PAYMENT CARD FEES
Each transaction will have 2 sales slips; one slip will be for the County charge and one slip
will be for the associated fee charged by the credit card company. The fees will not be
recorded in Monroe County's general ledger but will be sent directly to the County's
merchant services provider.
VIII. REFUNDS
When a good or service is purchased using a payment card and a refund is necessary, the
refund must be credited back to the account that was originally charged. Refunds in excess of
the original sale amount or cash refunds are prohibited. The associated fee charged by the
credit card company is non-refundable. There is no fee charged by the credit card company
for refunds.
IX. CHARGEBACKS
Occasionally a customer will dispute a payment card transaction, ultimately leading to a
chargeback. In the case of a chargeback, the County department initiating the transaction is
responsible for notifying the Monroe County Clerk's Finance Department and for providing
appropriate supporting documentation.
X. MAINTAINING SECURITY
• County departments and administrative areas accepting payment cards on behalf of the
County are subject to the PCI-DSS.
• The County prohibits the transmission of cardholder data or sensitive authentication data
via email or unsealed envelopes through County inter-departmental mail as these are not
secure.
• The County requires that all external services providers that handle payment card
information be PCI compliant.
• The County restricts access to cardholder data to those with a business "need to know."
• For electronic media, cardholder data shall not be stored on servers, local hard drives, or
external (removable) media including floppy discs, CDs or thumb (flash) drives unless
encrypted and otherwise in full compliance with PCI-DSS.
• For paper media, cardholder data shall not be stored unless approved for legitimate
business purposes.
XI. RESPONSIBILITIES
Merchant Department Responsible Persons (MDRPs) are responsible for:
• Executing on behalf of the relevant County Department, Payment Card Account
Acquisition or Change Procedures.
• Ensuring that County employees (including the MDRP), contractors and agents with
access to payment card data within the respective County department acknowledge in
writing that they have read and understood this Policy.
• Ensuring that all payment card data collected by authorized County departments accepted
in the course of performing County business, regardless of whether the data is stored
physically or electronically, is secured. Data is considered to be secured only if all of the
following criteria are met:
- Only those with a "need-to-know" are granted access to payment card and electronic
payment data;
- Email should not be used to transmit credit card or personal payment information. If
it should be necessary to transmit credit card information via email only the last four
digits of the credit card number can be displayed;
- Credit card or personal information is never downloaded onto any portable devices or
media such as USB flash drives, compact disks, laptop computers or personal digital
assistants;
- Fax transmissions (both sending and receiving) of credit card and electronic payment
information occur using only fax machines which are attended by those individuals
who must have contact with payment card data to do their jobs;
- The processing and storage of personally identifiable credit card or payment
information on County computers and servers is prohibited;
- Only secure communication protocols and/or encrypted connections to the authorized
vendor are used during the processing of payment card transactions;
- The three or four digit validation code printed on the payment card is never stored in
any form;
- The full contents of any track data from the magnetic stripe are never stored in any
form;
- The personal identification number (PIN) or encrypted PIN block is never stored in
any form;
- The primary account number (PAN) is rendered unreadable anywhere it is stored;
- All but the last four digits of any credit card account number are masked when it is
necessary to display credit card data;
- All media containing payment card or personal payment data is retained no longer
than a maximum of six (6) months and then destroyed or rendered unreadable; and
- Notifying the Monroe County Information Technology Department in the event of
suspected or confirmed loss of cardholder data. Details of any suspected or confirmed
breach should not be disclosed in any email correspondence.
Information Technology Department shall regularly monitor and test the County network
and coordinate the County's compliance with the PCI Standard's technical requirements and
verify the security controls of systems authorized to process credit cards.
The Information Technology Director shall ensure that Monroe County maintains currency
with the requirements of the PCI-DSS and related requirements to ensure that this policy
remains current and shall coordinate and lead the County's response to a security breach
involving cardholder data.
The Monroe County Clerk's Finance Department shall coordinate with the respective County
Departments authorized to accept payment cards to:
• Provide training to ensure that County departments are trained in accepting and
processing payment cards in compliance with this policy;
• Work with external vendors and coordinate payment card policies, standards, and
procedures;
• Serve as liaison between the bank and the merchant services provider for Payment Card
account acquisition or change procedures; and
• Review and modify the Application for Payment Card Account Acquisition or Change as
necessary.
XII. RESPONDING TO A SECURITY BREACH
In the event of an actual, possible, or suspected breach, the County department must:
• Prevent any further access to or alteration of the compromised system(s) (e.g., do not log
on at the machine and/or change passwords);
• Do not switch off the compromised machine. Instead, isolate the compromised system(s)
from the network by unplugging the network connection cable;
• Preserve logs and electronic evidence;
• Contact the County's Information Technology Department and the Clerk's Finance
Department immediately for further direction; and
• Log all actions taken.
XIII. APPROVAL FOR PAYMENT CARD PROCESSING OR CHANGE PROCEDURES
To receive authorization to accept payment cards or change payment card processing, the
MDRP must submit an Application for Accepting Payment Cards or Change Payment Card
Authorization to the Monroe County Clerk's Finance Department. The application must be
signed by the MDRP and the appropriate Assistant County Administrator.
XIV. SANCTIONS
The County Administrator may suspend credit card account privileges of any department or
administrative unit not in compliance with this policy or that places the County at risk.
Any department or administrative unit engaged in payment card activities will be responsible
for any financial loss due to inadequate internal controls or negligence in adhering to the
PCI-DSS.
XV. TRAINING
Employees who are expected to be given access to cardholder data shall be required to
complete upon hire, and at least annually thereafter, security awareness training focused on
cardholder data security. Employees shall be required to acknowledge at least annually that
they have received training, understand cardholder security requirements, and agree to
comply with these requirements. The Assistant County Administrator or MDRP may require
employees to attend additional training as needed.