Electronic processing of transactions is commonplace in our business environment. While governments tend to lag behind the corporate world, they are increasingly accepting electronic payments and taking advantage of the benefits such as convenience, better customer service, improved collection, etc.
In the past, electronic purchases of goods and services have received a great deal of scrutiny and emphasis. What about electronic receipts for goods and services? Do your local government clients accept credit and debit cards (merchant cards)? In this article, we discuss things to consider in working with clients who accept merchant card payments.
Payment Card Industry Compliance
Merchants are required to comply with standards established by the Payment Card Industry Security Standards Council (PCI SSC). These standards were established to protect the personal information of cardholders. Entities that accept, store, process, and/or transmit merchant card payments are considered merchants.
Noncompliance and breaches of information are monitored and enforced by merchant card companies (for example, Visa, American Express, etc.) and can result in penalties that range from being unable to accept merchant card payments to substantial fees. Even if your client contracts with a third-party vendor, the client is still responsible for ensuring compliance and liable for any penalties.
Governments may be accepting merchant cards for various reasons ranging from taxes to ticket sales. These payments may also be taken at multiple physical locations and online. Information may be captured in point-of-sale (POS) machines, taken over the phone, or received through email or fax. Electronic information and paper files are both subject to the PCI standards.
With a recent, widely publicized security breach at a well-known retailer, you may want to advise your clients on the compliance requirements involved with accepting merchant cards. It is essential that the business office and information technology departments work together, likely with their third-party vendor, to ensure the government is not exposed to risk and liability.
Unique Fraud Risks
While merchant card payments may reduce the traditional misappropriation risks associated with collecting cash and checks, there may be other fraud risks you haven’t considered. One such example is skimming. Skimming is the theft of credit card information and can be accomplished in a couple of ways. An employee can discreetly “skim” the merchant card with a small handheld electronic device that reads the card data from the magnetic stripe. Another way to skim is by compromising the POS terminal (for example, attaching an electronic device or switching the cable). In these ways, the employee can obtain a large amount of card information for their own personal use or to sell to others for the manufacture of counterfeit merchant cards.
To prevent these types of fraud, governments should have appropriate policies, procedures, and internal controls. These range from employee background checks and training to physical security of POS terminals (for example, periodic inspection of terminals and cabling for tampering). You may want to advise your clients about the unique fraud risks related to merchant cards so they can take appropriate precautions.
Practical Consideration: The GFOA publishes best practice documents for accepting merchant cards, including recommended controls, on its website at www.gfoa.org. The PCI Security Standards Council website referenced previously also offers physical security suggestions and best practices.