Rules of the School Board of Palm Beach County, Florida
Title 6Gx50
Chapter 6. Business Affairs
Prev.   Section 6.035   Next

Policy 6.035Acceptance of Credit and Debit Cards

  1. Purpose

    The School Board recognizes the efficiency and convenience afforded the day-to-day operation of the School District, for receipt of payments and recordkeeping for certain expenses, through the use of credit and debit cards under the supervision of teh treasury department. However, the School Board recognizes the need to establish control measures for the use of credit and debit cards as a method for parents and others to use to pay fees and services that the District offers and to maintain proper security over credit and debit cardholder information. Thus, this policy provides requirements and guidance for credit and debit card processing activities for the School District.

    The School Board, therefore, authorizes the use of credit and debit card payments for collection of revenues, including but not limited to, school activity fees, after school care services and school food services meals and for the payment of certain employee administrative expenses as fingerprinting fees, teacher certification fees, District retirees' insurance premium payment, etc. Such credit and debit card use may include the payment by online/internet use.

  2. Scope

    This policy applies to:

    1. All schools, departments, work units, employees, affiliates and consultants of the School District who accept credit/debit card payments for School District activities and business as provided herein.

    2. All external organizations or consultants contracting with the School District to provide services for credit/debit card processing for School District activities and business as provided herein.

    3. All schools, departments, work units, employees, affiliates, and consultants of the School District who provide credit/debit card processing services for third parties.

  3. Costs Associated with Use of Credit/Debit Cards.

    All costs associated with the acceptance or use of credit/debit cards shall be borne by the individual cost center. These costs shall include the transaction fee, authorization fee, interchange rate fee, charge back fee and any other direct charges associated with the acceptance of credit/debit card payments.

  4. Use of Awarded Vendors

    Only a vendor awarded a contract shall be authorized to provide credit and debit card transactions. Any and all other vendors are unauthorized to conduct such activities within the School District.

    Any awarded vendor must provide computer system security, connectivity security requirements, credit card number storage requirements protected by encryption, hashing and/or truncation, physical security requirements for servers storing card holder information, data retention and destructionrequirements, and other requirements requiring compliance with all apropriate credit and debit card security requirements.

  5. Standards and Guidelines

    It is the responsibility of all School District employees and third parties that have access to hold credit and debit cardholder data in confidence at all times. Cardholder information should be disclosed only for a required business purpose.

    The School District shall design adequate process and procedural standards to protect credit and debit card information held and/or used in accordance with this policy. Such standards, requirements and responsibilities shall include, but not be limited to, the following:

    1. Permanent employees with access to credit card information must:

      1. Be approved by the Principal or department head and have a background check by School Police before being granted access to cardholder information. Employees with an inappropriate background will not be permitted to have access to cardholder information.

      2. Attend a credit and debit card information and security training session, and sign a certification form to document his or her understanding and willingness to comply with all School District's credit and debit card policies and procedures. This certification shall be maintained in the employee's personnel file.

      3. Keep secure and confidential all cardholder numbers and information. Credit card receipts, if any, should typically be treated the same as large sums of cash.

      4. Not store sensitive cardholder data, as full account number, type, expiration, and track data, in any fashion on computers or networks.

      5. Not transmit in an insecure manner, such as by email, unsecured fax, or through District mail, credit card numbers.

      6. Maintain card information in a "secure" environment limited to only designated employees.

      7. Restrict access to credit card data and processing to appropriate and authorized employees.

      8. Report any incidents compromising cardholder data to School Police and Internal Audit.

    2. Individual Cost Centers engaging in credit and debit card processing activities must:

      1. Receive authorization from the Department of Treasury

      2. Ensure that all sensitive cardholder data, as credit or debit card numbers, PIN numbers, validation codes, social security numbers, etc., are protected against fraud, unauthorized use or other compromise.

      3. Restrict access cardholder information to the minimum number of people possible, including only to the appropriate personnel. These persons are defined as needing access in order to perform their day to day responsibilities. No employee may have access to cardholder information until she or he has attended the credit and debit card information and security training session and tendered written acknowledgement of receipt of this policy and related administrative procedures and guidelines.

      4. Not release credit and debit card information in any form unless there is a legitimate business purpose as provided herein.

      5. Store and secure cardholder data in locked containers identified and classified as confidential in secured areas with limited access.

      6. Not store cardholder information on laptop, notebooks, or mobile computing devices at any time.

      7. Report any incidents compromising cardholder data to School Police and Internal Audit.

    The Superintendent,or designee, is further authorized to impose further standards, requirements and responsibilities in administrative procedures and guidelines established to implement this policy.

  6. Compliance

    Failure to comply with this policy and the associated, required administrative procedures and guidelines by employees will be deemed a violation of this policy and subject to personnel action up to and including termination, personal responsibility for any and all changes, and/or possible referral to law enforcement authorities for prosecution.

    Technology that does not comply with this policy and associated required procedures is subject to disconnection or confiscation of equipment pending review and approval of processes, procedures and equipment.

  7. Administrative Procedures

    The Superintendent, or his or her designee, shall develop administrative procedures and guidelines providing the technical details for the implementation of this policy, including the necessary credit card processing and security procedures and guidelines. This separate document shall carry the full force of this policy. A copy of the administrative procedures and shall be housed in the School Board's District Office.

STATUTORY AUTHORITY:Fla. Stat. §§ 1001.41((7)
HISTORY:9/3/2008