7-1002: Payment Cards, eChecks and Electronic Cash Transfers

Purpose

To establish guidelines for the acceptance of payment cards (Credit Cards, Debit Cards), eChecks and electronic cash transfers from money transfer companies, for County departments and related County entities, and ensure compliance with the rules and regulations established by the Payment Card Industry (PCI) and articulated in the PCI Data Security Standards (DSS). This standard also establishes requirements with respect to transactions and other processing costs associated with the acceptance of ePayments. 

Authority

  • Government Code Section 27000.

Scope

Applies to all County of Sacramento departments and government entities that report to the County Board of Supervisors and that, in the course of doing business, accept credit/debit card, eCheck and/or electronic cash transfer payments, regardless of whether revenue is deposited in the County Treasury.

Policy

A. Acceptable Electronic Payment (ePAYMENT) Methods 

The County currently accepts VISA, MasterCard, Discover and American Express Credit Cards, debit cards, eChecks, and electronic cash transfers. The County has designated Countywide contract(s) for processing ePayment transactions. Please contact the Treasury Division (Treasury) for information related to the designated contract(s). All County departments and related County entities must use the designated contract(s) unless a written exception has been granted by the Director of Finance. 

B. Prohibited ePAYMENT Activities

The County prohibits certain ePayment activities that include, but are not limited to: 

  • Accepting payment cards for cash advances. 
  • Discounting a good or service based on the method of payment. 
  • Adding a surcharge or additional fee to payment card transactions unless approved by the Board of Supervisors (this is not the convenience fee charged to customers).
  • Using a paper imprinting system for ePayments unless approval is granted by Treasury. 
  • Writing down customer credit card information. 
  • Storage of encrypted credit card information unless an exception is approved by the County Information Security Officer (ISO). 
  • Storage of any unencrypted credit card information that is in violation of Payment Card Industry (PCI) Requirements. 

C. ePAYMENTS Fees 

ePayment fees are incurred on a transactional, flat fee and/or incidental fee (i.e., per incident) basis. When such fees are incurred, the customer will be charged a processing fee by the payment processor. Any fees to be absorbed by the department need to be approved by the Department of Finance and County Executive Office (Financial Management). All absorbed fees must be invoiced to the County department or entity and paid through the County Auditor-Controller’s Office. Directly debiting the County Treasury bank account for such fees is prohibited. 

D. Chargebacks

In the case of a chargeback, the department or entity initiating the original transaction is responsible for handling all chargebacks with the processor. In addition, the department or entity will notify Treasury and provide appropriate supporting documentation of the dispute. 

E. Refunds 

When a refund is necessary, the refund should be credited back to the customer who was originally charged. Refunds in excess of the original transaction amount or cash refunds are prohibited. 

F. Maintenance Security 

  • Departments or other entities including contractors or agents accepting ePayments on behalf of the County are subject to the PCI requirements maintained by the County ISO. 
  • The County and PCI requirements prohibit the transmission of cardholder data or sensitive authentication data via unencrypted email or interoffice mail as these are not secure. 
  • The County requires that all external service providers that handle payment card information be PCI compliant and maintain PCI compliance with the latest standards throughout the life of the contract. 
  • The County restricts access to cardholder data to those with a business “need to know”. 
  • All card data must be handled in accordance with the County’s Standard Process for Handling Credit Card Transactions to Meet PCI Compliance and Ensure Industry Best Practices. 

G. Responsibilities 

Departments and entities are responsible for coordinating with Treasury all activities related to accepting ePayments.

The County ISO shall regularly monitor and test the County’s Network and coordinate the County’s compliance with the PCI Standard’s technical requirements and verify the security controls of systems authorized to process credit cards. 

H. Sanctions 

The Director of Finance may suspend ePayment account privileges of any department or entity that is not in compliance with this standard and procedure or that places the County at risk. 

Any County department or entity engaged in ePayment activities will be responsible for any financial loss due to inadequate internal controls or negligence in adhering to the PCI Data Security Standard.