Can I collect credit card information from participants in Iowa? What are the requirements?

Based on the information provided in the context documents, it is possible to collect credit card information from participants in Iowa, but there are specific requirements that must be followed.

State Department Requirements for Accepting Credit Card Payments

According to 781 IAAC 8.3 and 781 IAAC 8.4, a state department in Iowa that intends to accept credit card payments must provide the treasurer with information about the goods and services it will offer for payment by credit card and debit card, the estimated per-transaction amount, yearly transaction volume, and total yearly dollar volume to be collected, the number and location of departmental sites that may accept credit card payments, and the method that the department will use to accept card payments. The department must also purchase or lease any equipment or software required to accept credit card payments, or pay any fees charged for access to online virtual terminals used to process credit card and debit card payments. Additionally, the department must sign an agency participation agreement with the treasurer acknowledging its responsibilities under the credit card contract, including, but not limited to, following the procedures for accepting payments by credit card and debit card as outlined in the agreement between the financial institution, merchant services provider, and treasurer, and as specified in the merchant guidelines. The department must also follow procedures issued by the treasurer to record receipts, corrections to receipts, refunds, chargebacks, expenses, and any other accounting transactions associated with accepting credit card and debit card payments. The department is responsible for the payment of all equipment and software costs, all processing fees and charges incurred in accepting card payments, including the costs of supplies, and all fees charged for annual PCI-DSS reviews. The department must become compliant with PCI-DSS and maintain that compliance as long as the department accepts credit card and debit card payments. The department must receive authorization from the treasurer prior to accepting credit card and debit card payments. The department must follow the procedures and rules for charging a convenience fee for credit card and debit card transactions as outlined in the agreement between the financial institution, merchant services provider, and treasurer, and as specified in the merchant guidelines, and by the credit card associations’ rules. The department must also follow the instructions provided by the treasurer for completing cash receipts documents to reflect credit card transactions that post to the treasurer’s account at the financial institution. The department is responsible for achieving and maintaining compliance with all applicable PCI-DSS. The department must complete an annual review of its compliance with PCI-DSS, as required by the treasurer’s credit card processing contract and by the PCI-DSS. At any time throughout the year, the state department must promptly cure any instance of noncompliance of which it becomes aware.

Therefore, if you are a state department in Iowa, you can collect credit card information from participants, but you must follow the requirements outlined in 781 IAAC 8.3 and 781 IAAC 8.4.

Jurisdiction

Iowa

• Privacy