


Card Acquiring Service (CAS)


Security Requirements

Any agency that accepts credit or debit cards as a form of payment is also responsible for protecting customers' sensitive card information.

All federal agencies that process, store or transmit credit and debit card transactions must comply fully with the Payment Card Industry Data Security Standard (PCI DSS). This is in addition to the Office of Management and Budget (OMB) Personally Identifiable Information (PII) guidelines related to accidental or purposeful disclosure of cardholder information.

The Payment Card Industry Security Standards Council (PCI SSC) was formed to govern the security of sensitive cardholder data and developed the PCI DSS, which contains the security requirements merchants must follow to help protect themselves against unauthorized intrusions and account data compromises.

Failure to maintain compliance with the PCI DSS puts your agency at risk of significant fines, fees, penalties, or losing the ability to process card payments. Furthermore, a suspected or known compromise of your card processing systems can result in serious damage to your agency's reputation, fines imposed by the Card Networks, and potential litigation brought by impacted cardholders and issuing banks who suffer losses as a result of compromised information.

You must not keep sensitive data

A critical aspect of the standard is not storing sensitive authentication data after a transaction has been authorized. The card brands refer to this data as Prohibited Data.

You must not store

  • the full content of any track on the back of a card's magnetic stripe

  • the three or four digit code from the back of the card (CVV2 / CVC2 / CAV2 / CID)

  • PIN or encrypted PIN blocks

Storing any of these items after a transaction has been authorized is a direct violation of the card association rules.
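The following is an added example, not code from the Bureau of the Fiscal Service, Vantiv or Trustwave. It shows two practical checks for the rule above: a scanner that looks for prohibited data (Track 1/Track 2 strings, card verification values and PIN blocks) in free text such as application logs or database exports, and a scrubber that drops those fields from an authorization request before the post-authorization record is written to storage. Track layouts follow ISO/IEC 7813; the field names, log lines and the Visa test PAN 4111111111111111 are constructed for this example, and masking the PAN (rather than storing it encrypted, which PCI DSS also permits) is an assumed conservative default.

```python
import re
from typing import Any, Dict, List, Tuple

# Added example, not Fiscal Service, Vantiv or Trustwave code.
# Track formats follow ISO/IEC 7813:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Card verification value written as a named field in text, e.g. "cvv2=123"
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2|cav2|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# PIN block: 16 hex digits following a "pin_block" / "pinblock" field name
PIN_BLOCK_RE = re.compile(r"\bpin_?block\s*[=:]\s*[0-9A-Fa-f]{16}\b", re.IGNORECASE)

# Record keys (assumed names) that carry sensitive authentication data and
# must never be kept after authorization
PROHIBITED_KEYS = {"track1", "track2", "track_data", "cvv", "cvv2", "cvc2",
                   "cav2", "cid", "pin", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to confirm a digit run inside track data is a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sad(text: str) -> List[str]:
    """Return the kinds of sensitive authentication data present in text."""
    kinds = []
    for kind, pat in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        m = pat.search(text)
        if m and luhn_ok(m.group(1)):
            kinds.append(kind)
    if CVV_RE.search(text):
        kinds.append("cvv")
    if PIN_BLOCK_RE.search(text):
        kinds.append("pin_block")
    return kinds


def scan_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan text lines; return (1-based line number, kinds found) for each hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        kinds = find_sad(line)
        if kinds:
            hits.append((n, kinds))
    return hits


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_for_storage(auth_request: Dict[str, Any]) -> Dict[str, Any]:
    """Build the record allowed to persist after authorization.

    Drops every prohibited key and replaces the full PAN with a masked copy
    (assumed default; encrypted full-PAN storage is also permitted by PCI DSS).
    """
    record = {k: v for k, v in auth_request.items()
              if k.lower() not in PROHIBITED_KEYS and k.lower() != "pan"}
    if "pan" in auth_request:
        record["pan_masked"] = mask_pan(auth_request["pan"])
    return record


# Constructed sample log lines using the well-known Visa test PAN
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z INFO auth request id=77 amount=19.99",
    "2024-05-01T12:00:01Z DEBUG raw swipe=;4111111111111111=25121011234567890?",
    "2024-05-01T12:00:02Z DEBUG form pan=4111111111111111 cvv2=123 exp=2512",
    "2024-05-01T12:00:03Z INFO auth approved code=A1B2C3",
]

if __name__ == "__main__":
    for n, kinds in scan_lines(SAMPLE_LOG):
        print(f"line {n}: prohibited data {kinds}")
    request = {"pan": "4111111111111111", "exp": "2512", "cvv2": "123",
               "track2": SAMPLE_LOG[1].split("swipe=")[1], "amount": "19.99"}
    print(scrub_for_storage(request))
```

Run the scanner over debug logs, crash dumps and database exports from anything in the cardholder data environment; a single hit on a DEBUG line, as in the sample above, is enough to put an agency in violation, which is why logging of raw request bodies should be disabled before data ever reaches the scrubber. The scanner is a quick self-check and does not replace the Self-Assessment Questionnaire or the ASV scan described below.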

You must validate your compliance

Agencies must continually evaluate their systems and processes to ensure that their business is fully protected and in compliance with the PCI DSS.

The required validation depends, in part, on how many credit and debit card transactions your agency processes in a year.

The card associations place all organizations that accept credit or debit card payments into one of the four levels in the following table.

Level   Description
1       Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year in one card brand
        Any merchant that has suffered a hack or an attack that resulted in an account data compromise
        Any merchant that any card association determines to be a Level 1
2       Any merchant, regardless of acceptance channel, processing 1 to 6 million transactions per year in one card brand
3       Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year
4       Any other merchants, regardless of acceptance channel

All agencies should consider themselves Level 4, unless the Bureau of the Fiscal Service and Vantiv notify them that they are at a different level. If your agency moves to Level 3, 2, or 1, you will receive specific guidance from the Bureau of the Fiscal Service and Vantiv on what you must do.

To comply with the PCI DSS, Level 4 agencies must do these two tasks:

  1. Complete an annual PCI Self-Assessment Questionnaire (SAQ).

    The questionnaires are at this site external to the Bureau of the Fiscal Service: https://www.pcisecuritystandards.org/saq/instructions_dss.shtml.

    You must complete the appropriate questionnaire for your agency.

  2. Have an Approved Scanning Vendor (ASV) conduct a quarterly external network vulnerability scan.

    A list of Approved Scanning Vendors who are authorized to perform the network vulnerability scans on your behalf is available at this site external to the Bureau of the Fiscal Service:
    http://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

    Network vulnerability scans are required for all agencies with external-facing Internet Protocol (IP) addresses in contact with the cardholder data environment.

You can get help with these two tasks

Vantiv, in conjunction with Fiscal Service Card Acquiring Service, has partnered with Trustwave®, an industry leader in information security and compliance, to help agencies simplify the PCI DSS validation process. Trustwave provides a set of online data security tools called PCI Assist.

The PCI Assist tools are specifically designed to guide Level 4 merchants through the PCI DSS validation process.

PCI Assist includes an online "wizard" that will direct you to the Self-Assessment Questionnaire for your agency's specific card data environment. The questionnaire will help determine where your agency is compliant and where it is not compliant with PCI DSS requirements.

PCI Assist also includes a network vulnerability-scanning tool to help identify weaknesses in your external network, if scanning is required for your compliance validation.

Fiscal Service is offering PCI Assist to agencies at no charge. We strongly encourage you to use PCI Assist to evaluate your systems and processes to ensure card data is fully protected.

Although PCI Assist is designed to facilitate an agency’s compliance efforts, Treasury does not guarantee that using PCI Assist will ensure compliance with the PCI DSS. Agencies are under no obligation to use PCI Assist and may choose to get PCI compliance tools or services from other providers at their own expense.

You may log in to PCI Assist at this site external to the Bureau of the Fiscal Service: https://pci.trustwave.com/fms.

For training on PCI Assist, see the options at this site external to the Bureau of the Fiscal Service: https://www3.trustwave.com/webinars/vantiv/

If you need help setting up or using PCI Assist, contact us at CardAcquiringService@fiscal.treasury.gov

For more information on PCI DSS


