ADM-124 Credit/Debit Card Security Policy, Effective 08-14-2017
City of Lebanon
New Hampshire
ADMINISTRATIVE POLICIES & PROCEDURES
CREDIT/DEBIT CARD SECURITY
Policy Number: ADM-124 (previous 2017-02-A) | Effective Date: 08/14/2017 | Page 1 of 5
Approved by: Paula Maville, Interim City Manager
Section 1.0: Purpose
This policy addresses the City of Lebanon's use of credit/debit card machines
and the handling of confidential credit/debit card information.
In this document, both credit and debit card information will simply be
referred to as credit card information. Credit card information includes (but
is not limited to) credit card numbers, expiration dates, CVV/CVC codes (the
3-digit codes on the back of cards), as well as a cardholder's name, address,
bank account information, birth date, and Social Security number.
Employees must read this policy in its entirety, retain a copy for their use,
and sign the Agreement to Comply with Credit/Debit Card Information
Security Policy (at the end of this document) confirming they understand
this policy. Employees shall return signed agreements to the Finance
Department where they will be retained in personnel files.
Section 2.0: Scope
This policy applies to all employees or contractors working on behalf of the City of
Lebanon.
Section 3.0: Definitions
In this document, the terms The City, City Employees, and employees will
be used interchangeably to mean any City of Lebanon employee or
contractor working on behalf of the City of Lebanon.
Section 4.0: Policy Detail
Credit card information includes (but is not limited to):
• All media (handwritten paper, received faxes, backup data,
computer hard drive, etc.) that contains cardholder information.
• The contents of the credit card magnetic strip (track data).
• The CVV/CVC (the 3- or 4-digit number on the signature panel on the
reverse of the card).
• All digits of the credit card's primary account number, expiration
dates, CVV/CVC codes (the 3-digit codes on the back of cards), as well as
the cardholder's name, address, bank account information, birth
date, and Social Security number.
Additionally, all digits except the last 4 of the credit card account number
must be concealed or masked (e.g., XXXX or ****) when displayed.
Section 5.0: Procedures
A. Credit Card Information – Handling Specifics
Access to cardholder information is restricted to City employees who
have a legitimate need to view such information. No other employees
shall access this data.
All cardholder information stored and handled by The City must be
protected against unauthorized use at all times. Any cardholder
information that does not need to be stored must be discarded in an
irreversible manner such as shredding, demagnetizing, disassembly, etc.
B. Protect Data In Transit
All cardholder information and data must be protected whether it is to be
transported physically or electronically.
Credit card information sent electronically (via the internet, email, instant
chat, etc.) must be sent using a strong encryption mechanism (e.g., AES
encryption).
The physical transportation of media containing credit card information
to another location must be authorized by the Finance Department. The
media must be logged and inventoried before leaving the premises. The
City should use a traceable and trackable service to move media and the
status of the shipment should be monitored until it has been delivered to
its new location.
C. Physical Security
Physical access to cardholder information must be restricted to prevent
unauthorized individuals from obtaining sensitive data.
All devices which can directly access credit card information must be able to
be "locked" (via a password protected screensaver or similar method) so
that physical access is not possible if the device is left unattended.
D. Security Awareness and Procedures
This policy must be incorporated into day-to-day practices to maintain a
high level of security awareness. Departments utilizing credit card
information should regularly review handling procedures and hold
periodic security awareness meetings to ensure this policy and all
relevant City policies are followed.
All third parties with access to credit card information are obligated to
comply with Card Association Security Standards (PCI DSS).
E. Security Management / Incident Response Plan
The Finance Department is responsible for communicating credit card
security policies and procedures to employees and contractors. In
addition, the Finance Department will oversee credit card information
security updates, and enforce this policy. In the event of a sensitive
data compromise, the Finance Department will oversee the
implementation of an incident response plan. Employees are expected
to report any security-related issues to the Finance Department.
In the event of a suspected security breach, Departments shall:
• Alert the Finance Department immediately; the Finance Department will
carry out an initial investigation of the suspected security breach.
• Upon confirmation that a security breach has occurred, the
Finance Department will alert all relevant parties that may be
affected by the compromise.
The Finance Department may also need to:
1. Shut down any systems or processes involved in the breach.
2. Alert all affected parties and notify law enforcement.
F. Reporting Unauthorized Release of Data
Employees must report inappropriate activity or unlawful conduct (with
respect to credit card matters) by another employee to the Finance
Department.
G. Disciplinary Action
Violation of this policy by any City of Lebanon employee will result in
disciplinary action from a warning/reprimand up to and including
termination of employment.
Depending on the level and type of violation, employees may be
disciplined in accordance with the City's Fraud Policy (Policy 08-01-A).
Section 6.0: References (Charter/Code/State Statutes)
Section 7.0: Policy & Procedure Revision History
Section Revisions Date
Original Adoption
Amendment
Amendment
Amendment
AGREEMENT TO COMPLY WITH CREDIT/DEBIT CARD INFORMATION SECURITY POLICY
Please retain the policy document attached to this form for your
reference and return this signed agreement form to the Finance
Department.
Employee Name: _____________________
Department: ___________________________
1. I have been provided with a copy of the Credit/Debit Card
Information Security Policy and have read and understand the
policy. I understand how it impacts my role and as a condition of
my employment, I agree to abide by the policy.
2. I agree to take all reasonable precautions to assure that
credit/debit card information, or information that has been
entrusted to the City of Lebanon such as customer information, will
not be disclosed to unauthorized persons. At the end of my
employment with the City of Lebanon I agree to return all
credit/debit card information in my possession.
3. I understand that I am not authorized to use credit card
information or customer information for my own purposes, nor am
I at liberty to provide this information to third parties.
4. I understand that non-compliance could result in disciplinary action
up to and including dismissal and perhaps criminal and/or civil
penalties.
5. I further agree to promptly report all violations or suspected
violations of information security policies to the Finance
Department.
Employee signature: __________ Date: ___________