6109 - ACCEPTANCE OF PAYMENT BY CREDIT CARD
The Board authorizes the acceptance of credit cards for the payment of invoices. The Board authorizes the Treasurer/CFO to manage credit card transactions pursuant to applicable State and Federal laws and regulations, and the regulations of the payment card industry ("PCI").
For purposes of this policy, the term credit card includes branded debit cards (having credit card logo and not requiring PIN input) unless otherwise indicated. Visa, MasterCard, Discover, American Express cards will be accepted for payments.
All fees and charges associated with credit card payments are the responsibility of the payer. Fees will be added to the total cost of the invoice amount.
Compliance with PCI DSS
Credit card data is high-risk confidential information that is protected by State and Federal law and the Board has a legal obligation to protect it. Credit card associations require all merchants to follow protocols entitled Payment Card Industry Data Security Standards (“PCI DSS”). The PCI DSS includes a comprehensive set of international security requirements to help protect cardholder data and prevent fraud and identity theft. Credit card companies require that all merchants comply with PCI DSS before accepting credit cards and must also certify their compliance annually.
All acquirers and card issuers must comply, and must also ensure the compliance of their merchants and service providers who store, process, or transmit customer data.
In order to ensure compliance, the Board is required to:
- Build and maintain a secure network, which includes installation and maintenance of firewall configurations to protect cardholder data.
- Not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data.
- The card verification code or value (three (3) digit or four (4) digit code printed on the front or back of the credit card) is not to be stored under any circumstances.
- The personal identification number ("PIN") or the encrypted PIN block is not to be stored under any circumstances.
- All primary account numbers ("PANs") should be masked. Viewing will be limited to employees and other parties with a legitimate need to know.
- Encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program, which includes protection against malware and the use of antivirus software that is routinely updated.
- Develop and maintain secure systems and applications.
- Implement strong access control measures.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data internally and externally. All paper and electronic records must be stored in secure locations.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain an Information Security Policy – maintain a policy that addresses information security. The policy outlines the Board’s incident response plan.
The Treasurer/CFO shall perform periodic audits and advise the Board of the results of such audits and evaluations and of any related action necessary to maintain compliance.
The Treasurer/CFO shall also be responsible for filing annual compliance certificates as required.
Breach of Data
Upon discovering that any Board system has been subject to a breach which compromises personal information, including an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one (1) or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
- Social security number;
- Driver's license number or State identification card number;
- Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
All employees are required to immediately notify the Treasurer/CFO upon discovering that any system containing personal information has been breached. Failure to do so may result in discipline, up to and including termination.
Following the discovery or notification that a system containing personal information has been compromised, the Treasurer/CFO or designee shall promptly send written or electronic notice to any resident of Ohio whose personal information was or may have been exposed if the access and acquisition by an unauthorized individual or entity causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. Notice must be sent no later than forty-five (45) days after discovering the breach, unless such notice interferes with law enforcement activities. The notice will inform the individual of the data that may have been accessed and acquired, as well as what steps have been taken to restore the system’s integrity.
© Neola 2025