Policy
FIACCT 07-08_01 Revenue- Credit Cards Mobile Payment Applications
Effective: September 16, 2016
Revised: September 16, 2016
Purpose
This policy outlines the procedures for agencies to follow to accept credit cards for payment of fees, services, products, etc. via mobile payment applications.
Definitions
Chase Mobile Checkout
A mobile application designed for tablet or smartphone use that allows mobile acceptance of credit card payments. Chase Mobile Checkout is the only mobile payment application authorized by the Division of Finance.
Mobile Swipe Device
“Blue Mobile Reader IDynamo Mobile Reader” credit card swipe device provided by Chase Paymentech for use with the Chase Mobile Checkout application.
Mobile Device Management (MDM)
Software package offered by the Department of Technology Services (DTS) that secures, monitors, manages and supports mobile devices.
Payment Card Industry Data Security Standard
The Payment Card Industry (PCI) Data Security Standard is required by credit card companies to ensure the safe handling of sensitive payment information and safeguarding of cardholder data.
Self-Assessment Questionnaire (SAQ) D
The PCI self-assessment questionnaire required for PCI compliance for mobile applications and other payment solutions certified by the PCI Data Security Council as a point-to-point encryption payment process.
Policy
A.
Agencies using mobile payment applications must adhere to this policy and to Finance Policy FIACCT 07-08.00 Revenue – Credit Cards.
B.
Agencies that wish to accept credit cards for payments via mobile payment applications should do the following before accepting credit cards as a method of payment:
- Complete the State Division of Finance’s credit card implementation checklist for state agencies and submit it to the State Division of Finance for review and approval. The Division of Finance will ensure proper setup with the State’s approved credit card processor and the State-approved credit card company. Finance will work with the credit card processor and coordinate purchase of the mobile swipe device for the requesting agency.
- Create and maintain a list of people and positions that will be using the device.
- Keep a copy at the Agency level and submit a copy to State Finance for setup.
- Each person must have a unique email account and password.
- There is a limit of five people that can access one device.
- The device must be used only with dedicated State-owned tablets with MDM.
- Install MDM as instructed by DTS on all State-owned mobile devices, so that if a mobile tablet is stolen it can be wiped remotely.
- Inventory each mobile device and mobile swipe device including serial numbers, makes and models of devices.
- Identify mobile devices being used to the MDM team as being PCI devices.
- Location services must be active on the tablet.
- For manual card number entry in the Chase Mobile Checkout application, the application’s transaction settings must be adjusted to request CVD (Card Verification Data) and zip code on manual entry.
- Checkout logs must be used to monitor who uses the mobile devices and mobile swipe device and when those devices are used.
- Devices must be secured in a locked storage space when not in use.
- Ensure devices and associated networks are PCI compliant. Agencies using mobile applications must complete the SAQ D.
- If accepting card-not-present transactions, the agency must harden mobile devices per the requirements provided in the Chase Mobile Hardening Standard document.
- Agency policies and procedures for the device should not supersede State Finance policies and procedures for the device without agreement by State Finance.
- Employees using the device must be trained on the policies and procedures for the device and PCI compliance before use.
C.
The agency is responsible for reconciliation of card transactions and theft prevention. The agency must establish a process for reconciling goods and services rendered to the corresponding transactions, batch reports and deposits.
- Agencies must have a record keeping process to ensure proper billing of goods and services provided.
- Agencies must have adequate internal controls, including separation of duties, regarding mobile billings.
Background
Many agencies that have been accepting credit cards have a business need to accept credit card payments in locations and circumstances where swipe machines are not practical or logical. Chase Paymentech, the State’s contracted provider for credit card processing, offers the Chase Mobile Checkout application and hardware to meet that business need. Information security for payment card data is of utmost importance for the State. PCI data security standards provide a baseline for securing card data.
Procedure
Responsibility: Agency
Action:
- Read and comply with Division of Finance Policy FIACCT 07-08.00 Revenue – Credit Cards
- Contact the State Division of Finance to request approval for new credit card merchant numbers and arrange for the purchase of equipment and training.
- Obtain a State-provided tablet and set up MDM.
- If accepting card-not-present transactions, follow the instructions found in the Chase Mobile Hardening Standard document on finance.utah.gov/pcicompliance.html.
- Complete and submit the agency’s Annual PCI Self-Assessment Questionnaire to the State Division of Finance for review and approval. (Note: State Division of Finance will not allow agencies to begin accepting credit cards until compliant with the PCI Standard).
- Inventory mobile devices and mobile swipe devices per requirements.
- In the Chase Mobile Checkout application, adjust transaction settings to require CVD (card verification data) and zip code on manual entry.
- Follow credit card acceptance policy and procedures. Get staff trained on security measures and begin to accept credit cards.