ADM-124 Credit/Debit Card Security Policy, Effective 08-14-2017

City of Lebanon, New Hampshire
ADMINISTRATIVE POLICIES & PROCEDURES
CREDIT/DEBIT CARD SECURITY
Policy Number: ADM-124 (Previous 2017-02-A)
Effective Date: 08/14/2017
Last Revision: (none recorded)
Page No.: Page 1 of 5
Approved by: Paula Maville, Interim City Manager

Section 1.0: Purpose

This policy addresses the City of Lebanon's use of credit/debit card machines and the handling of confidential credit/debit card information. In this document, both credit and debit card information will simply be referred to as credit card information. Credit card information includes (but is not limited to) credit card numbers, expiration dates, CVV / CVC codes (3-digit codes on the back of cards), as well as a cardholder's name, address, bank account information, birth date, and Social Security number.

Employees must read this policy in its entirety, retain a copy for their use, and sign the Agreement to Comply with Credit/Debit Card Information Security Policy (at the end of this document) confirming they understand this policy. Employees shall return signed agreements to the Finance Department, where they will be retained in personnel files.

Section 2.0: Scope

This policy applies to all employees or contractors working on behalf of the City of Lebanon.

Section 3.0: Definitions

In this document, the terms "The City," "City Employees," and "employees" will be used interchangeably to mean any City of Lebanon employee or contractor working on behalf of the City of Lebanon.

Section 4.0: Policy Detail

Credit card information includes (but is not limited to):

• All media (handwritten paper, received faxes, backup data, computer hard drives, etc.) that contains cardholder information.
• The contents of the credit card magnetic strip (track data).
• The CVV/CVC (the 3- or 4-digit number on the signature panel on the reverse of the card).
• All digits of the credit card's primary account number, expiration dates, CVV / CVC codes (3-digit codes on the back of cards), as well as the cardholder's name, address, bank account information, birth date, and Social Security number.

Additionally, all digits, except the last 4, of the credit card account number must be concealed or masked (e.g. XXXX or ****) when displayed.

Section 5.0: Procedures

A. Credit Card Information – Handling Specifics

Access to cardholder information is restricted to City employees that have a legitimate need to view such information. No other employees shall access this data. All cardholder information stored and handled by The City must be protected against unauthorized use at all times. Any cardholder information that does not need to be stored must be discarded in an irreversible manner such as shredding, demagnetizing, disassembly, etc.

B. Protect Data In Transit

All cardholder information and data must be protected whether it is to be transported physically or electronically. Credit card information sent electronically (via the internet, email, instant chat, etc.) must be sent using a strong encryption mechanism (e.g. AES encryption).

The physical transportation of media containing credit card information to another location must be authorized by the Finance Department. The media must be logged and inventoried before leaving the premises. The City should use a traceable and trackable service to move media, and the status of the shipment should be monitored until it has been delivered to its new location.

C. Physical Security

Physical access to cardholder information must be restricted to prevent unauthorized individuals from obtaining sensitive data. All devices which can directly access credit card information must be able to be "locked" (via a password-protected screensaver or similar method) so that physical access is not possible if the device is left unattended.

D. Security Awareness and Procedures

This policy must be incorporated into day-to-day practices to maintain a high level of security awareness. Departments utilizing credit card information should regularly review handling procedures and hold periodic security awareness meetings to ensure this policy and all relevant City policies are followed. All third parties with access to credit card information are obligated to comply with Card Association Security Standards (PCI DSS).

E. Security Management / Incident Response Plan

The Finance Department is responsible for communicating credit card security policies and procedures to employees and contractors. In addition, the Finance Department will oversee credit card information security updates and enforce this policy. In the event of a sensitive data compromise, the Finance Department will oversee the implementation of an incident response plan. Employees are expected to report any security-related issues to the Finance Department.

In the event of a suspected security breach, Departments shall:

• Alert the Finance Department immediately, which will carry out an initial investigation of the suspected security breach.
• Upon confirmation that a security breach has occurred, the Finance Department will alert all relevant parties that may be affected by the compromise.

The Finance Department may also need to:

1. Shut down any systems or processes involved in the breach.
2. Alert all affected parties and notify law enforcement.

F. Reporting Unauthorized Release of Data

Employees must report inappropriate activity or unlawful conduct (with respect to credit card matters) by another employee to the Finance Department.

G. Disciplinary Action

Violation of this policy by any City of Lebanon employee will result in disciplinary action from a warning/reprimand up to and including termination of employment. Depending on the level and type of violation, employees may be disciplined in accordance with the City's Fraud Policy (Policy 08-01-A).

Section 6.0: References (Charter/Code/State Statutes)

(None listed.)

Section 7.0: Policy & Procedure Revision History

Section              Revisions    Date
Original Adoption
Amendment
Amendment
Amendment

AGREEMENT TO COMPLY WITH CREDIT/DEBIT CARD INFORMATION SECURITY POLICY

Please retain the policy document attached to this form for your reference and return this signed agreement form to the Finance Department.

Employee Name: _____________________ Department: ___________________________

1. I have been provided with a copy of the Credit/Debit Card Information Security Policy and have read and understand the policy. I understand how it impacts my role and, as a condition of my employment, I agree to abide by the policy.
2. I agree to take all reasonable precautions to assure that credit/debit card information, or information that has been entrusted to the City of Lebanon such as customer information, will not be disclosed to unauthorized persons. At the end of my employment with the City of Lebanon I agree to return all credit/debit card information in my possession.
3. I understand that I am not authorized to use credit card information or customer information for my own purposes, nor am I at liberty to provide this information to third parties.
4. I understand that non-compliance could result in disciplinary action up to and including dismissal and perhaps criminal and/or civil penalties.
5. I further agree to promptly report all violations or suspected violations of information security policies to the Finance Department.

Employee signature: __________ Date: ___________