Section 781.8.3. State department requirements for accepting credit card payments.  


           8.3(1) A state department shall notify the treasurer of its intent to accept credit card payments and provide the treasurer with the following information:

            a.           The type of goods and services it will offer for payment by credit card and debit card.

            b.           The estimated per-transaction amount, yearly transaction volume, and total yearly dollar volume to be collected.

            c.           The number and location of departmental sites that may accept credit card payments.

            d.           The method that the department will use to accept card payments, for example, through a Web site, a virtual terminal, a point-of-sale terminal, or a wireless terminal.

           8.3(2) A state department shall purchase or lease any equipment or software required to accept credit card payments, or pay any fees charged for access to online virtual terminals used to process credit card and debit card payments.

           8.3(3) A state department shall sign an agency participation agreement with the treasurer acknowledging its responsibilities under the credit card contract, including, but not limited to:

            a.           Following the procedures for accepting payments by credit card and debit card as outlined in the agreement between the financial institution, merchant services provider, and treasurer, and as specified in the merchant guidelines.

            b.           Following procedures issued by the treasurer to record receipts, corrections to receipts, refunds, chargebacks, expenses, and any other accounting transactions associated with accepting credit card and debit card payments.

            c.           The payment of all equipment and software costs, all processing fees and charges incurred in accepting card payments, including the costs of supplies, and all fees charged for annual PCI-DSS reviews.

            d.           Becoming compliant with PCI-DSS and maintaining that compliance as long as the department accepts credit card and debit card payments.

           8.3(4) A state department shall receive authorization from the treasurer prior to accepting credit card and debit card payments.

           8.3(5) A state department shall follow the procedures and rules for charging a convenience fee for credit card and debit card transactions as outlined in the agreement between the financial institution, merchant services provider, and treasurer, and as specified in the merchant guidelines, and by the credit card associations’ rules.

           8.3(6) A state department shall follow the instructions provided by the treasurer for completing cash receipts documents to reflect credit card transactions that post to the treasurer’s account at the financial institution.

           8.3(7) A state department shall be responsible for achieving and maintaining compliance with all applicable PCI-DSS.

           8.3(8) A state department shall be responsible for completing an annual review of its compliance with PCI-DSS, as required by the treasurer’s credit card processing contract and by the PCI-DSS. At any time throughout the year, the state department shall promptly cure any instance of noncompliance of which it becomes aware.

          8.3(9) A state department shall be responsible for any penalties, fees, fines, and other costs assessed against the department, the treasurer, or the state of Iowa, resulting from or arising out of the department’s violation of, or noncompliance with, PCI-DSS.

    [ARC 9100B, IAB 9/22/10, effective 10/27/10]