TO: Board of Supervisors
FROM: Ryan J. Alsop, Chief Executive Officer
REPORT BY: Andrew M. Mize, Legislative & Policy Analyst
SUBJECT: Policy Section 31A Addendum for Payment Card Information
RECOMMENDATION
title
Adopt a Resolution appending an addendum to the County of Napa Policy Manual, Section 31A, for Payment Card Information, and appointing the Treasurer-Tax Collector as the officer responsible for maintaining the security of payment card information received by the County. (No Fiscal Impact)
body
BACKGROUND
The County accepts payment card payments for, among other things, providing certain services. As a condition of accepting payment cards, the County must maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), published by the Payment Card Industry Security Standards Council, which is enforced through our merchant and payment processing relationships.
PCI DSS requires the County to maintain written policies governing how personnel may use County technology and access payment card data and related systems, including a documented acceptable use policy for end-user technologies. This item adopts a Payment Card Information Addendum (Exhibit A), to the County’s Information Technology Use & Security Policy to formalize current practices, set clear expectations for personnel, and support ongoing PCI compliance activities.
PCI DSS requires the designation of a Payment Card Information Compliance Officer to manage organizational compliance with the standards. Along with the Division of Information Technology Services, the Office of the Treasurer-Tax Collector is primarily responsible for the management of processing of electronic credit card payments. Accordingly, staff recommend the appointment of the Treasurer-Tax Collector to be the County’s Payment Card Information Compliance Officer.
Recommended action:
1. Adopt a resolution that:
(a) Amends the County Policy Manual, Part I, Section 31A by appending a Payment Card Information Addendum (as shown in Exhibit B [clean version] and Exhibit C [redline version]; and
(b) Appoints the Treasurer-Tax Collector as the County’s Payment Card Information Compliance Officer.
FISCAL IMPACT
|
Is there a Fiscal Impact? |
No |
|
Is it Mandatory or Discretionary? |
Discretionary |
|
Discretionary Justification: |
Adoption of the Payment Card Information Addendum ensures the County is complying with PCI DSS requirements. Appointment of a Payment Card Information Compliance Officer is mandatory for compliance, but organizations have discretion in the position appointed for the role. Staff recommend appointment of the Treasurer-Tax Collector to this position because of the direct involvement of the Office of the Treasurer-Tax Collector in handling payment card information on a day-to-day basis. |
|
Consequences if not approved: |
The County will not be in compliance with PCI DSS requirements. |
|
Additional Information: |
Strategic Initiative: Elevate County Service & Workforce Excellence |
ENVIRONMENTAL IMPACT
ENVIRONMENTAL DETERMINATION: The proposed action is not a project as defined by 14 California Code of Regulations 15378 (State CEQA Guidelines) and therefore CEQA is not applicable.