Credit Card Payment Acceptance Policy 01/26

Policy Title: Credit Card Payments Acceptance Policy
Policy Number: 916.01
Effective Date: 01/21/2026
Authority: Franklin County Commissioners
Dean A. Horst, Chair
John T. Flannery
Robert G. Ziobrowski

PURPOSE

To establish a clear and secure policy for accepting credit card payments from customers, ensuring accuracy, customer data protection, and compliance with industry standards.

SCOPE

This policy applies to all Franklin County and 39th Judicial District – Franklin County branch Court-supervised employees and operations involved in the processing of credit card payments from customers, consumers, taxpayers, and others.

POLICY STATEMENT

Franklin County is committed to providing convenient payment options for our customers, including the acceptance of credit card payments. All credit card transactions must be handled securely and in compliance with applicable laws and regulations to protect customer information and prevent fraud.

All County personnel processing credit card payments for goods and services must protect and secure all credit card data, regardless of how it is stored, including but not limited to account information, card imprints, correspondence, and terminal identification numbers.

All department heads and personnel shall strictly observe and enforce this policy to ensure that Franklin County customer information and privacy are protected and to assure compliance with the Payment Card Industry Data Security Standard (PCI DSS).

DEFINITIONS

Cardholder: The customer to whom a credit or debit card has been issued or the individual authorized to use a card.

Cardholder Data: All personally identifiable data about a cardholder (i.e. account number, expiration date, and cardholder name).

Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure.

Payment Card: Any credit or debit card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.

Credit or Debit Card Industry Standards (PCI) Data Security Standard (PCI DSS): A multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Sensitive Authentication Data: Security-related information (card validation codes/values, full magnetic-stripe data, or other personal identification number [PIN]) used to authenticate cardholders, appearing in plain-text or otherwise unprotected form.

Point of Sale (POS): Hardware and/or software used to process payment card transactions at merchant locations.

LEGAL AND REGULATORY COMPLIANCE

All credit card payment transactions must comply with applicable laws, regulations, and industry standards, including PCI-DSS (Payment Card Industry Data Security Standards).

Only approved processing software programs and hardware with security communication protocols and/or encrypted connections are used for processing electronic transactions. Departments/staff are NOT to procure their own software as it may have countywide PCI ramifications. Any new software capable of accepting payments shall be reviewed and approved by ITS and Fiscal prior to purchase.

AUTHORIZATION TO ACCEPT CREDIT CARD PAYMENTS

Departments or operations requesting credit card processing capabilities are required to submit their request to County Administration and the Chief Financial Officer or Fiscal Director along with a business justification. Requests will be considered on an individual process basis. Departments must demonstrate the viability of the acceptance of alternative forms of payment.
Minimum standards for consideration should be:

• The Department regularly receives payment for goods and/or services in routine operations.
• The Department can provide justification that acceptance of cards will increase net revenues, enhance collection rates, or enhance convenience to the public and encourage prompt payment.
• The Department has the ability to ensure that it follows the procedures as laid out in this policy, particularly in regard to being Payment Card Industry (PCI) compliant.
• Credit card payment may only be accepted for the amount of the purchase, plus any convenience fees if applicable. Cash back and cash advances are prohibited.
• Adequate security and record-keeping processes are established and properly monitored.
• Approval of the President Judge of the 39th Judicial District – Franklin County Branch for requests from employees of court-supervised departments. If the President Judge grants approval, the request may be submitted to County Administration for integration into the County’s credit card processing system.

Credit Cards can be accepted in the following access methods:

• At the customer service counter where the county employee is conducting the transaction through the vendor system and the vendor’s encrypted devices are used for card data retrieval.
• Through any web-enabled software where the transaction is conducted through the vendor’s integrated system for credit card data entry needed to complete the transaction.
• Field collection through phones or tablets using vendor’s encrypted devices for credit card data retrieval.
• Over-the-phone card data collection is allowed with the County Administrator or their designee’s written approval, under these rules:
  o Credit card information should never be saved.
  o County employees may never speak back the card data to the customer; if verification is needed, the employee must ask the caller to repeat the data.
  o County employees may never write down any credit card information for any reason; if this is ever done, it must be destroyed/shredded immediately.
  o The County Controller retains the right to audit departments at will if this collection method is approved.

Credit Cards are NOT allowed to be accepted in the following access methods:

• Credit card data is never allowed to be left on voicemail.
• Credit card data is never allowed to be collected through email, text, instant message, or social networking services.
• Credit card data is never allowed to be collected through written forms.

Point of Sale (POS) devices used to collect credit card information may only be purchased through the ITS Department. These devices are unique to the vendor’s system in terms of encryption and support.

RESPONSIBILITIES

It is the responsibility of the Administrator, Director or Department Head to:

• Notify Information Technology Services and the Fiscal Department of ANY changes to the PCI environment. Changes could be anything from new employees who can accept credit cards to new card readers being purchased (which should already have ITS approval). Notification of terminated employees who process credit cards should be provided immediately so their access can be revoked.
• Limit access to cardholder data to only those individuals who need access.
• Educate and train employees under your supervision about this policy and conduct periodic reviews to ensure compliance with it.
• Address any issues or breaches promptly and implement corrective actions. Any discrepancies, suspicious activities, or security breaches shall be immediately reported to the County Administrator, Chief Financial Officer and Chief Information Officer.
• Physically inspect any devices where credit cards can be swiped for signs of tampering.
• Adhere to requirements of the most current PCI DSS. The current version is available at https://www.pcisecuritystandards.org/document_library.
• Work with ITS to conduct a PCI assessment at the determined interval.
• Maintain internal documented processes and procedures (i.e. document your process for accepting credit card payments for transactions).
• Work with the ITS Department to maintain a PCI inventory list of the PCs and other equipment such as computers, card readers, kiosks, etc. that are used. Work with the Fiscal Department to maintain a PCI staff inventory list to include names, roles, and privileges of people who deal with credit cards in your area.
  o Make updates to this documentation as changes occur.
  o You may be asked to periodically provide this documentation to ITS, the Fiscal Department, or the Controller.

It is the responsibility of the employee to:

• Follow the procedures for processing credit card payments as outlined in the Credit Card Payments Procedure document, ensuring the confidentiality and security of customer credit card information at all times.
• Report any discrepancies, suspicious activities, or security breaches immediately to management or their supervisor.

It is the County’s responsibility and the responsibility of each employee who processes credit card payments to secure cardholder data and maintain the confidentiality of all Payment Card data as required by PCI-DSS. Only users with a business need to access payment processing systems or cardholder data may do so.

All paperwork, records, receipts, card imprints, electronic data, etc. containing cardholder account numbers and information shall be treated as private information. That private information must be protected against unauthorized disclosure.
With the exception of the payer’s name and the amount paid, any credit card information obtained for the purposes of accepting a credit card payment must be destroyed (via permanent deletion or shredding) immediately after the payment transaction has been completed.

REQUIRED ACTION FOR THEFT, FRAUD, OR BREACH

In the event that Cardholder Data is compromised or potentially compromised, immediately contact the ITS Department, the County Administrator, the Controller, the Risk Manager, and the Chief Financial Officer or Fiscal Director. This includes lost or stolen files with Cardholder Data, electronic loss of data, databases infected with viruses, loss of paper documents with Cardholder Data and any other loss or potential loss, theft or unauthorized access to devices or payment processing systems. The compromise of any cardholder information should be reported immediately by contacting the ITS Helpdesk.

POLICY REVIEW

This policy shall be reviewed as necessary, at least annually, to support continued compliance with County Code or other laws and regulations, as well as the then-current version of PCI DSS.

POLICY VIOLATIONS

Failure to comply with this policy may result in suspension or termination of Payment Card processing privileges for the department. Non-compliance with this policy may result in disciplinary action up to and including termination from County employment.

ATTACHMENTS

None

CROSS REFERENCE

CONTACT INFORMATION/PROPONENT OFFICE: Franklin County Commissioners’ Office

ADDENDUMS/AMENDMENTS: Not applicable

** The Board of Commissioners reserves the right to terminate or amend this policy, at any time, without liability to any person who may be affected by such termination or amendment. No employee shall have any vested right to the continuance of this policy or have the same continued.

** Employees whose terms and conditions of employment are covered by a collective bargaining agreement will be covered by such terms and conditions of the contract. This policy is not intended to supersede or override the provisions of their collective bargaining agreement. In addition, this policy will apply to those employees who are members of a collective bargaining unit subject to negotiations except as may be modified by a collective bargaining agreement reached by the collective bargaining unit.

** This policy is not intended to supersede or override any provisions of the Courts as a result of inherent and exclusive rights and powers of the judiciary accorded to it by Article V of the Pennsylvania Constitution and Section 1620 of the County Code.

ADOPTED THIS ____ DAY OF _______, 2026

FRANKLIN COUNTY BOARD OF COMMISSIONERS

_____________________________
Dean A. Horst, Chair

______________________________
John T. Flannery

______________________________
Robert G. Ziobrowski

cc: Carrie Gray, County Administrator
Elected Officials
Division Leaders
Department Heads