ELECTRONIC PAYMENT PROCESSING SERVICES
Binding City Policy
BCP-FIN-2.10
Policy
The City shall ensure its electronic payment processing services, systems, and procedures are easy to use, cost effective, and secure.
The OMF Bureau of Revenue and Financial Services’ Treasury Division shall contract for and maintain all City banking-related services, including those related to payment card and automated clearinghouse (ACH) processing. Payment cards refer to credit and debit cards. Electronic payment processing refers to the use of payment cards and ACH.
Bureaus that provide electronic payment processing options shall be responsible for all direct and indirect costs associated with providing the service.
Bureaus interested in offering electronic payment processing as a payment option for City services shall submit a written request for approval to their bureau’s Technology Business Consultant, and shall agree to comply with all standards and policies related to electronic payment processing. Prior to submitting requests, bureaus shall consider the financial and operational impacts of providing this service. See FIN 2.10.01 Guidelines for Electronic Payment Processing Services.
Bureaus shall use the City's payment gateway for all electronic payment processing services. See FIN 2.10.02 Technical Requirements for Electronic Payment Processing Services. The City Treasurer will approve any exceptions to this requirements to ensure all electronic payment processing solutions meet all financial and depository requirements.
To protect cardholder data and to ensure the best merchant pricing, bureaus shall use best practices for accepting and processing payment cards. See FIN 2.10.03 Best Practices for Processing Payment Card Transactions.
The Treasury Division shall confer with the Accounting Division and Bureau of Technology Services prior to approving bureaus’ requests.
Security Standard
All electronic payment services shall be processed in a City-approved secure environment. The Payment Card Industry Data Security Standard (PCI DSS) will be the City's standard for processing electronic payments in a secure environment. This PCI DSS standard addresses the physical, network, and software environment for payment card services. Bureaus that use City-approved external software for electronic payment processing services shall use only software that is Payment Application Data Security Standard (PA DSS) compliant. PA DSS is a set of software security standards which applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as a part of authorization or settlement. Bureaus that use payment card devices to process payment card transactions shall use only devices that meet PCI PIN Transaction Security (PTS) validation and utilize point-to-point encryption technology. The Bureau of Technology Services has determined that a PCI DSS compliant environment meets the U.S. Department of Treasury recommendation to process ACH payments with sound, risk-based security controls in all ACH systems.
Bureaus, and their approved agents, that accept payment cards as a method of payment for services shall maintain compliance with all current and applicable PCI DSS-requirements as established by the PCI Security Standards Council (or its successor). All designated agents, such as third-party payment processors acting on behalf of a City bureau, must provide proof of PCI DSS compliance as validated by a Qualified Security Assessor (QSA) and an Approved Scan Vendor (ASV) that is registered and certified by the PCI Security Standards Council. See FIN 2.10.02 Technical Analysis Requirements.
To ensure compliance with the PCI DSS requirement to restrict access to hardware that collects cardholder data, bureaus shall ensure the security of all their payment device hardware. See FIN 2.10.04 Security of Payment Card Device Hardware.
Third-party processors and/or designated agents acting on behalf of City bureaus in the collection of funds are required to deposit in a timely manner all collected funds directly to a City owned and collateralized bank account without detour to any third-party bank account. The City of Portland shall be the merchant of record for all payment card transactions.
Responsibility
The Treasury Division, the Accounting Division, and the Bureau of Technology Services shall together assist bureaus in complying with this policy.
HISTORY
Ordinance No. 181829, passed by City Council May 14, 2008 and effective July 1, 2008.
Amended by Resolution No. 37086, adopted by City Council August 6, 2014.
Amended by Chief Administrative Officer, February 3, 2016.
Amended by Chief Administrative Officer, July 8, 2016.