Card Acquiring Service

Payment Card Industry Data Security Standard

Overview

All federal agencies accepting credit and debit cards are required to maintain full compliance with the Payment Card Industry Data Security Standard (PCI DSS). This is in addition to the Office of Management and Budget (OMB) Personally Identifiable Information (PII) guidelines related to accidental or purposeful disclosure of cardholder information.

With the decision to accept cards as a form of payment comes the responsibility to protect your customers' sensitive card information. The Payment Card Industry Security Standards Council (PCI SSC) was formed to govern the security of this sensitive cardholder data. As such, the PCI SSC developed the PCI Data Security Standard (PCI DSS), which contains the security requirements merchants must follow in order to help protect themselves against unauthorized intrusions and account data compromises. The PCI DSS applies to all entities, including federal agencies, that process, store, or transmit cardholder data.

Failure to maintain compliance with the PCI DSS puts your organization at risk of significant fines, fees, penalties or losing the ability to process card payments, as may be prescribed by the applicable card associations. Furthermore, a suspected or known compromise of your card processing systems can result in serious damage to your organization's reputation and/or potential litigation brought by impacted cardholders and issuing banks who suffer losses as a result of compromised information.

Key Components

The PCI DSS consists of 12 general requirements designed to:

  • Build and maintain a secure network;
  • Protect cardholder data;
  • Maintain a vulnerability management program;
  • Implement strong access control measures;
  • Regularly monitor and test networks; and
  • Maintain an information security policy.

A critical aspect of the standard is the non-retention of sensitive authentication data after transaction authorization. The card brands refer to this data as Prohibited Data, which includes: the full contents of any track from the card's magnetic stripe; CVV2/CVC2/CAV2/CID (the three- or four-digit code printed on the card); and PINs or encrypted PIN blocks. Storage of any one of these items after transaction authorization is a direct violation of the card association rules, even if the data is encrypted.
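As an added example, not part of this page or of any Vantiv or Trustwave tool, the Python script below scans constructed sample transaction records for the Prohibited Data classes listed above (full Track 1 or Track 2 data, and a CVV2/CVC2/CAV2/CID value) and separately flags any Luhn-valid 13 to 19 digit number as a full PAN for review, since a PAN may be retained only if it is rendered unreadable. PIN blocks are not detected: an encrypted PIN block has no distinguishing structure. The record format (`txn=... pan=...`) and the field names are assumptions for illustration; the card numbers are the industry's published test numbers, not real accounts. A real check of this kind would be run against databases, log files, crash dumps and backups in the cardholder data environment.

```python
import re

# Constructed sample records for demonstration (assumed format).
# PANs are published test numbers, not real accounts; all else is made up.
SAMPLE_RECORDS = [
    "txn=1001 status=approved pan=4111111111111111 exp=2612",
    "txn=1002 status=approved track2=;4111111111111111=26121011234?",
    "txn=1003 status=approved track1=%B4111111111111111^DOE/JANE^26121011234?",
    "txn=1004 status=approved cvv2=123 pan=5555555555554444",
    "txn=1005 status=declined pan=************4444",
]

# Track layouts follow ISO 7813: Track 1 begins with '%' and format code
# 'B', fields separated by '^'; Track 2 begins with ';' and uses '=' to
# separate the PAN from the expiry date.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Card verification values under the names each brand uses.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Candidate PANs: 13 to 19 digits not adjacent to other digits. Lookarounds
# rather than \b so a PAN embedded in track data (after 'B') is still found.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Classes that may never be stored after authorization.
PROHIBITED = {"track1", "track2", "cvv"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate real PAN candidates from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: str) -> set:
    """Return the set of data classes found in one record."""
    findings = set()
    if TRACK1_RE.search(record):
        findings.add("track1")
    if TRACK2_RE.search(record):
        findings.add("track2")
    if CVV_RE.search(record):
        findings.add("cvv")
    for m in PAN_RE.finditer(record):
        if luhn_valid(m.group(0)):
            findings.add("pan")
            break
    return findings


def scan_records(records):
    """Map transaction id -> findings for every record that contains something to review."""
    results = {}
    for rec in records:
        m = re.search(r"txn=(\d+)", rec)
        txn = m.group(1) if m else rec
        found = scan_record(rec)
        if found:
            results[txn] = found
    return results


def prohibited_records(records):
    """Transaction ids holding data that must not be stored after authorization."""
    return sorted(t for t, f in scan_records(records).items() if f & PROHIBITED)


if __name__ == "__main__":
    for txn, found in scan_records(SAMPLE_RECORDS).items():
        tag = "PROHIBITED" if found & PROHIBITED else "review"
        print(f"{txn}: {tag} {sorted(found)}")
```

On the sample input, records 1002, 1003 and 1004 are reported as prohibited (track or CVV data retained after approval), 1001 is listed for review because it holds a full PAN in the clear, and 1005 produces no finding because the PAN is truncated. A scanner like this is a detective control only; it does not replace the application changes that stop the data being written in the first place.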

Merchant Levels

All organizations currently fall into one of four merchant levels established by the card associations based on transaction volume calculated over a 12-month period. The merchant level determines the method of compliance validation that is required by the card associations. Merchant levels are defined as:

Level 1
  • Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year in one card brand
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant that any card association determines to be a Level 1

Level 2
  • Any merchant, regardless of acceptance channel, processing 1 to 6 million transactions per year in one card brand

Level 3
  • Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year

Level 4
  • Any other merchant, regardless of acceptance channel

Requirements

Agencies must maintain ongoing compliance with the PCI DSS and must continually evaluate their systems and processes to ensure their business is fully protected. Fiscal Service and Vantiv, formerly Fifth Third Processing Solutions, LLP, will notify agencies that meet the thresholds for Levels 1, 2 and 3, and will provide specific guidance on validation requirements and associated timeframes for compliance. Level evaluations and notifications will occur on a quarterly basis. All agencies should consider themselves to be a Level 4, unless otherwise notified.

The initial steps to assist Level 4 agencies in achieving PCI compliance consist of two key tasks:

1 - Complete an annual PCI Self-Assessment Questionnaire
The current version of the Self-Assessment Questionnaire can be found on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/saq/instructions_dss.shtml. You will need to complete the appropriate questionnaire for your agency.

2 - Conduct quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
A listing of Approved Scanning Vendors, who are authorized to perform the network vulnerability scans on your behalf, is available at http://www.pcisecuritystandards.org/qsa_asv/find_one.shtml. Network vulnerability scans are required for all agencies with external-facing Internet Protocol (IP) addresses in contact with the cardholder data environment.

PCI Assist

Vantiv, in conjunction with Fiscal Service Card Acquiring Service, has partnered with Trustwave®, an industry leader in information security and compliance, to help agencies simplify the process with PCI Assist. PCI Assist provides a set of online data security tools specifically designed to guide Level 4 merchants through the PCI DSS validation process.

PCI Assist includes wizard functionality that will direct your agency to the Self-Assessment Questionnaire for your specific card data environment. The questionnaire will help determine where your agency is compliant and where it is not compliant with PCI DSS requirements. PCI Assist also includes a network vulnerability scanning tool to help identify weaknesses in your external network, if scanning is required for your compliance validation.

Fiscal Service is offering PCI Assist to agencies at no charge. Your agency is strongly encouraged to use PCI Assist to evaluate your systems and processes to ensure card data is fully protected. Although it is designed to facilitate an agency’s compliance efforts, Treasury does not guarantee that the use of PCI Assist will ensure compliance with the PCI DSS. Agencies are under no obligation to use PCI Assist and may choose to obtain PCI compliance tools or services from other providers at their own expense.

Agencies may log in to PCI Assist at: https://pci.trustwave.com/fms.

Please contact CardAcquiringService@fiscal.treasury.gov if you require your agency set-up information in order to use PCI Assist.

Training

We strongly encourage Federal agency representatives to take part in a PCI Assist training session, either live or prerecorded, and to start working through the compliance validation process as soon as possible.

Please contact Fiscal Service for prerecorded webinar access information. Agency points of contact will be notified when future live webinar training sessions are announced.

For a current listing of PCI educational Webinars for Vantiv merchants, visit www.trustwave.com/53webinars.php. This link also provides information on other upcoming or past educational Webinars that are available to your agency to learn more about PCI DSS.

Vantiv has arranged for Trustwave to offer these Webinars as a service for Vantiv customers, including Treasury agencies. Trustwave also independently offers other PCI compliance services which Treasury has not reviewed or endorsed.

For More Information

For the most up-to-date PCI DSS information and guidance please refer to: www.pcisecuritystandards.org
www.visa.com/cisp
www.mastercard.com/sdp

   Last Updated:  October 07, 2014