New Mexico Register / Volume XXIX, Issue 1 / January 16, 2018

This is an amendment to 2.60.8 NMAC, Sections 8 and 9, effective 1/16/2018.

2.60.8.8 AGENCY RESPONSIBILITIES AND REQUIREMENTS FOR BOARD APPROVAL OF PAYMENT CARD ACCEPTANCE:

                A.            Payment card services will be provided through the fiscal agent subject to the terms and conditions as set out in the fiscal agent agreement and the board’s agreements with individual payment card companies, through an agreement between an agency and a third-party processor if approved by the board, or through a statewide payment card acceptance system, if established.

                B.            Agencies requesting payment card acceptance shall submit to the director of the board a written request that contains the following:

                                (1)           reason for payment card services and the specific fees, taxes, or other amounts to be collected using payment cards;

                                (2)           confirmation that the agency has read and will follow the terms and conditions for payment card acceptance as set out in the fiscal agent agreement or statewide payment card acceptance system agreement, if established, and the board’s agreements with individual payment card companies;

                                (3)           confirmation that the agency will pay all costs associated with the acceptance of payment card services, including purchases or leases of merchant equipment, as set out in the fiscal agent agreement and any agreement with an approved third-party processor, and including any assessment charged by the state to cover the cost of compliance with payment card industry data security standards;

                                (4)           confirmation that the agency will be responsible for tracking, researching and recording all payment card transactions for reconciliation purposes;

                                (5)           confirmation that any acceptance of payment cards through the internet shall be done in a secure fashion and on a secure system;

                                (6)           confirmation in writing from the department of information technology that the agency’s acceptance of payment cards will meet data security standards of the payment card industry;

                                (7)           confirmation that the agency’s chief financial officer and chief information officer will cooperate with the board to ensure compliance with payment card industry data security standards;

                                (8)           whether the agency will absorb fees for acceptance of payment cards or cardholders will be assessed a convenience fee.  If fees are to be paid by the cardholder, provide the procedures used to charge and collect convenience fees from cardholders and confirmation that the convenience fee will be in compliance with [Section 6-10-1.2(B)] Subsection B of 6-10-1.2 NMSA 1978, as amended;

                                (9)           if the agency wishes to use a third-party processor, a copy of the third-party processor agreement with the agency and the reasons why use of a third-party processor is more advantageous for the agency than using the fiscal agent.  If the third-party processor agreement with the agency is not yet available at the time board approval for acceptance of payment cards is requested, the board director may condition any approval on the board director’s later review and approval of the third-party processor agreement;

                                (10)         if the agency wishes to use payment gateway through the fiscal agent agreement, a comparison of the costs and benefits of using payment gateway to traditional payment card services, including breakdown of fees to be paid by the board, the agency, and cardholders.

                C.            The board, in consultation with the fiscal agent, may, at any time, deny acceptance of payment cards by or revoke approval to an agency through the fiscal agent agreement.  The reasons for denial or revocation may include, but are not limited to, the following:

                                (1)           cost effectiveness;

                                (2)           illegal or misuse of payment card transactions;

                                (3)           failure to adhere to the terms and conditions of these regulations, the fiscal agent agreement payment card industry data security standards, or the board’s agreements with individual payment card companies;

                                (4)           repeated lapses in compliance or security.

                D.            Reasons for denial of use of a third-party processor may include, but are not limited to, the reasons specified in [Subsection C of 2.60.8.8] Subsection C of 2.60.8.8 NMAC.  In addition, upon approval, the agency’s agreement with the third-party processor must be approved by the board’s director to ensure compliance with the fiscal agent agreement and the board’s agreements with individual payment card companies.  In the event there is no current agreement between the board and a particular payment card company, the board’s director may authorize an agency’s third-party processor to process payment cards issued by that company under the terms and conditions of the third-party processor’s own contract with the company as long as there is no discount imposed on or deduction from the entire amount due and owing to the agency and paid by the cardholder (except for any convenience fee paid by the cardholder in addition to the amount owed), which amount shall be transferred by the third-party processor to the agency.

[2.60.8.8 NMAC - N, 8/31/2000, A, 11/27/2003; A, 7/15/2003; A, 8/14/2015; A, 1/16/2018]

2.60.8.9 RESPONSIBILITIES FOR PAYMENT CARD ACCEPTANCE:

                A.            The fiscal agent shall provide payment card services, upon written request by the director of the board, to any agency so requesting subject to the terms and conditions set out in the fiscal agent agreement and individual payment card company agreements with the board.

                B.            The charge to an agency for payment card services will be the fee designated in the fiscal agent agreement or that set out in the approved third-party processor’s agreement.  The fiscal agent shall bill the appropriate agency through [account analysis performed] separate invoices for card processing fees and applicable treasury management fees, if any prepared by the fiscal agent in accordance with the relevant provisions of the fiscal agent agreement.  At the end of each fiscal year, the fiscal agent shall submit a report to the board director summarizing the payment card fees and merchant equipment costs charged to each agency for that fiscal year.  Each agency will be responsible for all fees as set out in any approved third-party processor’s agreement with the agency.  Each agency will ensure payments to service providers are timely and compliant with the service agreement.

                C.            Agencies may be assessed an incremental charge to cover the cost of compliance with payment card industry data security standards.

                D.            Agencies shall comply with the following payment card industry data security standards vendor management requirements:

                                (1)           Maintain a current list of service providers handling cardholder data, including a description of the services provided;

                                (2)           Maintain a written agreement with service providers that includes an acknowledgement that the service providers are responsible for the security of cardholder data that the service providers maintain in possession or otherwise store, process or transmit on behalf of the agency.  The written agreement must also acknowledge any action or procedure that the provider undertakes that may impact the security of the agency’s cardholder data environment;

                                (3)           Establish and maintain a program to monitor the third-party service provider’s payment card industry data security standards compliance status at least annually.  This function will be performed by the State Treasurer’s Office for services provided under the fiscal agent agreement;

                                (4)           Maintain documentation describing which payment card industry data security standards requirements are managed by each service provider and which are managed by the agency.  The State Treasurer’s Office will maintain documentation regarding payment card industry data security standards requirements for payment card services provided by the fiscal agent; and

                                (5)           Ensure compliance with any additional vendor management requirements mandated under subsequent releases of payment card industry data security standards requirements.

[2.60.8.9 NMAC - N, 8/31/2000; A, 11/27/2003; A, 8/14/2015; A, 1/16/2018]