Accepting Credit Cards

This page provides a high-level overview of the steps involved for departments looking to implement a new credit card processing system or to modify an existing credit card processing system.

Step 1: Review Town PCI Policy

Background: Many departments across the Town accept credit cards as a form of payment for services. The Town’s goal with accepting credit card is to follow the Payment Card Industry (PCI) Security Standard to ensure all credit card transactions are secure.

Before starting the process of implementing a new payment card processing system review the Town’s PCI policy.

If you are new to credit card processing, here are a couple of helpful links that explain the process and define some commonly used terms.

• Fiserv – How Credit Card Processing Works
• Payment Depot – How Credit Card Processing Works: Who’s Involved and What Happens?

Step 2: Determine Requirements & Review Current Approved Payment Solutions

Do you need to accept credit card payments in person, online or both? If you are working with a software partner, do they have a list of payment processors or payment gateways that they integrate with?

The answer to those questions will help determine the appropriate payment solution.

The Town participates in the State’s Sun Trust Merchant Service Agreement which partners with First Data for payment processing. Whenever possible the Town prefers to use First Data as the payment processor. That typically means using a payment gateway such as Payflow Gateway by PayPal, that then transmits the data to First Data for processing for online payments.

For in person devices, the list of available devices compatible with First Data are available here. If you wish to order devices from that Sun Trust Merchant Services agreement list, contact Clayton Hainline([email protected]) in the Business Management Department.

Other Town Approved Payments Processors are available here: Approved Payment Processors.

Note: For payment gateways that connect to First Data or devices ordered from the approved list above, BMD can provide support in administering the online account (creating accounts, resetting passwords, etc.), or ordering the device for in person terminals.

For any device or payment processor other than First Data, the requesting department is responsible for all aspects of administering the system. This may include paying an additional fee to have the proposed solution reviewed or implemented by a third-party Qualified Security Assessor to ensure PCI compliance.

Step 3: Review of Proposed Processor By the Financials Systems Manager & Chief Information Security Officer

All new or modifications to existing credit card processing systems must be reviewed by the Chief Information Security Officer (Chris Morris) and the Financial Systems Manager (Clayton Hainline) before implementation.

To begin the review process, complete this form.

Once you have completed the form email the completed form to [email protected] and [email protected].  They will review the form and schedule a follow up with any additional questions.

The main items that will be reviewed include:

• Is the proposed solution PCI Compliant?
• How will the credit card data be transmitted (analog phone lines, cellular data, wifi, etc.)
• Will credit card data be stored in anyway and if so who will have access to that information.
• If requesting to use a new payment processor, not currently approved by the Town, what is the business justification? It is highly preferable to use a previously approved payment processor, but if there is a strong business justification, exceptions can be made.
• What is the department’s plan for administration after implementation?

Note: The Chief Information Security Officer (Chris Morris) and the Financial Systems Manager (Clayton Hainline) are happy to participate in meetings throughout the process when evaluating payment processing systems if needed. But the project management (scheduling meetings, determining schedule, etc.) is up to the requesting department.

Step 4: Review of reporting capabilities by Revenue Accountant

The payment processing solution must include a daily “batching” report that can be used for reconciliation. A demonstration or copies of example reports must be provided to the Revenue Accountant (Nicole Mazyck, [email protected]) for approval.

Step 5: Completion of Contract with PCI Clause

If you are working with a software company that will integrate with the payment processor, then you must use the “Small-Services with PCI Clauses” contract template that is available on the Town Intranet.

A contract is not required if you are just ordering a credit card terminal from the First Data provided list for in-person transactions and there is no integration with a separate software.

Step 6: Maintenance

After implementation of credit card payment processing system there are ongoing steps required by The Town to ensure PCI compliance.

• Completion of annual PCI training by anyone involved in the acceptance of credit card payments.
• Routine review of credit card terminals to ensure there is no defect or evidence of tampering.
• Contacting your software provide for an annual attestation of their PCI compliance.
• Each department that accepts credit cards is required to have a PCI Coordinator, responsibilities are detailed n the Town’s PCI policy.