To:           Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, and Department Heads, 
               Chief Information Officers, Chief Fiscal Officers, and General Counsels

From:       Martin J. Benison, Comptroller
               John Letchford, Assistant Secretary for Information Technology & Chief Information Officer

Date:        June 6, 2013

Subject:    Payment Collection Data Security Policy


Comptroller Memo FY#2013-24


This Fiscal Year Update is issued jointly by the Office of the Comptroller (CTR) and the Information Technology Division (ITD) to notify Departments of compliance with Data Security Standards for the collection of revenue.


Fiscal responsibility under state finance law requires that any Department collecting revenue ensure that sufficient funds are maintained and set aside for initial and ongoing data security compliance to protect PII collected or transmitted to support the collection of revenue, including electronic payments.

Acceptance of electronic payments provides administrative efficiencies by reducing the amount of cash and checks handled by Departments, but also increases data security risks because personally identifiable information (PII) such as bank account numbers, credit and debit card numbers, individual’s names and other data are handled by individuals and systems and transmitted through electronic channels to complete the electronic transaction, increasing the risk of a data breach or other unauthorized access, theft, loss or misuse of PII.

The Office of the Comptroller (CTR) and the Information Technology Division (ITD) have jointly issued the Payment Collection Data Security Policy to identify Department responsibilities for compliance with Data Security Standards for the collection of revenue. Departments are required under this policy to certify as part of the annual Internal Control Questionnaire (ICQ) submission, data security compliance of any PII collected or transmitted to support fiscal transactions, including the collection of revenue through electronic payments. 

Annual budgets should ensure sufficient funding to maintain continued compliance: reduction in budgeted funds does not support any failure to maintain continued compliance.  A Department merchant must halt acceptance of credit or debit cards for payments if Payment Card Industry Council compliance standards cannot be met due to budgetary constraints.

The Office of the Comptroller (CTR) has also issued a Statewide Contract for Data Security audits under PRF56DesignatedOSC to assist with data security compliance which must be used by all departments in any branch of state government collecting or storing PII and any department accepting revenue through electronic payments, irrespective of whether the Commonwealth department is recording that revenue in the state accounting system (MMARS) or in a fiduciary capacity. 

Questions related to the Policy or the Statewide Data Security Contract may be submitted to