220-07
CARDHOLDER INFORMATION SECURITY PROGRAM

POLICY & PROCEDURE

Subject:

CARDHOLDER INFORMATION SECURITY PROGRAM

Index: FINANCE

Number: 220-07

Effective Date

10/15/2010

Supersedes

N/A

Page

1 of 3

Staff Contact

Iwen Wang

Approved By

Denis Law

1.0 PURPOSE:

To establish policies and procedures for individuals who have access to cardholder data in any form at any merchant location for the City of Renton.

2.0 ORGANIZATIONS AFFECTED:

All departments and divisions.

3.0 REFERENCES:

City of Renton Policy & Procedure 230-02 – Records Management Services

City of Renton Policy & Procedure 250-16 – Electronic Data Security

City of Renton Policy & Procedure 370-06 – Hiring Process

City of Renton Policy & Procedure 300-44 – Criminal Background Check and/or Consumer Report for Prospective Employees and Volunteers with Unsupervised Access to Children under the Age of 16 or Developmentally-Disabled Persons and Vulnerable Adults

4.0 POLICY:

4.1    It is the responsibility of all City employees having access to cardholder data to protect the information as confidential at all times. Cardholder data should be disclosed only for a required business purpose.

5.0 DEFINITIONS:

5.1    Cardholder Information Security Program (CISP): Security requirements of the Payment Card Industry as the standard for protecting cardholder data.

5.2    Cardholder Data: Any information regarding a credit card (name, verification code, credit card number, and expiration date) regardless if it is embossed, printed, stamped, or marked in any form.

5.3    Employees: Individuals acting on behalf of the City in processing, storing, and retrieving cardholder data. This includes individuals in the following classifications: elected officials, staff, and volunteers.

5.4    Encrypted or Truncated: Data converted to a code or shortened for security purposes.

5.5    Merchant Location: Any business unit that accepts credit cards as a form of legal tender, including retail and web-based operations on City campus.

5.6    Payment Card Industry: The association of credit card providers. The City accepts the following credits cards: Visa and MasterCard.

5.7    Validation Code: The unique three- and four-digit code printed on the credit card requested as proof that a credit card is in the possession of the individual making or completing a transaction with a merchant.

6.0 PROCEDURES:

6.1    The City of Renton requires a number of standards to protect cardholder data held and/or used at the City. Responsibilities and requirements for the following persons and units are listed below.

6.2    City Merchant Locations:

6.2.1    New employees who will have access to cardholder information will be subject to a criminal background check before access to cardholder data is granted. Employees with an inappropriate background will not be permitted access to cardholder data.

6.2.2    Employees who will have access to cardholder information must sign the Confidentiality of Credit Card Information Agreement form in order to document his/her understanding of and willingness to comply with all City credit card policies and procedures. This certification will be maintained in the employee’s personnel file.

6.2.3    Employees’ access to cardholder data must be limited to least privileges necessary to perform job responsibilities.

6.2.4    Employees must store cardholder data in locked containers identified and classified as “confidential” in secured areas with limited access. Examples include customer receipts, mail orders, fax copies, merchant duplicate receipts, reports, etc.

6.2.5    Employees must destroy or securely store (as described above) any documents that contain cardholder information received by fax, mail, or taken over the telephone immediately upon completion of the transaction.

6.2.6    Employees must not send any unencrypted cardholder data by email.

6.2.7    Employees must not release cardholder data in any form unless there is a legitimate business purpose and then only after the request for information is reviewed and approved by the division’s management.

6.2.8    Employees must not use wireless network or WIFI to process any cardholder data.

6.2.9    Employees must not store cardholder data on laptop, notebook, mobile computing devices, or any removable media at any time.

6.2.10    Employees must protect cardholder data so that only the last four digits of the credit card number are displayed or printed.

6.2.11    Employees must have a unique password that must be changed periodically to access cardholder data.

6.2.12    Employees must store only cardholder data that is critical to business—name, account number, and expiration date.

6.2.13    Employees must never store the three- or four-digit validation code in any form.

6.2.14    Employees must store only cardholder data that is encrypted or truncated.

6.3.    Loss or Theft: When a City employee suspects the loss or theft of any materials containing cardholder data, it is vitally important to immediately notify the Fiscal Services Director to implement the procedures for security breaches.

7.0 CONTACTS:

For further information about the rules or practices covered in this guide, contact the Finance and Information Technology Administrator.

Cardholder Information Security Agreement

Confidentiality of Credit Card Information

Access to credit card information requires the highest degree of public trust to protect the interest of the City and the cardholders. It is a breach of ethical standards for any employee of the City or third-party with access to credit card information to divulge either directly or indirectly any cardholder information except on a need-to-know basis. Additionally, the release of cardholder information may only be done with proper authorization from the department’s director, associate director, manager, or appropriate supervisor.

I acknowledge the receipt of this policy and accept this statement. I have read and understand the above conditions and certify that I will comply with this agreement.

Employee’s Name (printed)             

Date:        Signature: