TO: Board of Supervisors
FROM: Ryan J. Alsop, Chief Executive Officer
REPORT BY: Andrew M. Mize, Legislative & Policy Analyst
SUBJECT: Adoption of Policy Related to Payment Card Industry Standards & Procedures

RECOMMENDATION
Adopt a Resolution creating Section 31F within the County of Napa Policy Manual, for Payment Card Industry information governance, and appointing the Treasurer-Tax Collector as the officer responsible for maintaining the security of payment card industry information received by the County. (No Fiscal Impact; Discretionary)
BACKGROUND
The County accepts payment card payments for, among other things, providing certain services. As a condition of accepting payment cards, the County must maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), published by the Payment Card Industry Security Standards Council, which is enforced through our merchant and payment processing relationships.
PCI DSS requires the County to maintain written policies governing how personnel may use County technology and access payment card data and related systems, including a documented acceptable use policy for end-user technologies. This item adopts a Payment Card Industry Governance Policy (Exhibit A) to formalize current practices, set clear expectations for personnel, and support ongoing PCI compliance activities.
PCI DSS requires the designation of a Payment Card Information Compliance Officer to manage organizational compliance with the standards. Along with the Division of Information Technology Services, the Office of the Treasurer-Tax Collector is primarily responsible for managing the processing of electronic credit card payments. Accordingly, staff recommend the appointment of the Treasurer-Tax Collector to be the County’s Payment Card Information Compliance Officer.
Recommended action:
1. Adopt a resolution that:
(a) Amends the County Policy Manual, Part I, by adding a new Section 31F, Payment Card Industry Governance Policy (as shown in Exhibit A); and
(b) Appoints the Treasurer-Tax Collector as the County’s Payment Card Information Compliance Officer.
FISCAL IMPACT
Is there a Fiscal Impact? | No
Is it Mandatory or Discretionary? | Discretionary
Discretionary Justification: | Adoption of the Payment Card Industry Governance Policy ensures the County is complying with PCI DSS requirements. Appointment of a Payment Card Information Compliance Officer is mandatory for compliance, but organizations have discretion in the position appointed for the role. Staff recommend appointment of the Treasurer-Tax Collector to this position because of the direct involvement of the Office of the Treasurer-Tax Collector in handling payment card information on a day-to-day basis.
Consequences if not approved: | The County will not be in compliance with PCI DSS requirements.
Additional Information | Strategic Initiative: Elevate County Service & Workforce Excellence.
ENVIRONMENTAL IMPACT
ENVIRONMENTAL DETERMINATION: The proposed action is not a project as defined by 14 California Code of Regulations 15378 (State CEQA Guidelines) and therefore CEQA is not applicable.