|To:||Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, and Department Heads, Chief Information Officers, Chief Fiscal Officers, and General Counsels|
|From:||Martin J. Benison, Comptroller|
Anne Margulies, Assistant Secretary for Information Technology & Chief Information Officer
|Date:||September 24, 2008|
|Subject:||PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD COMPLIANCE POLICY FOR ALL COMMONWEALTH ENTITIES ACCEPTING CREDIT CARD PAYMENTS|
|Comptroller Memo FY#2009-08|
This memorandum is issued jointly by the Office of the Comptroller (CTR) and the Information Technology Division (ITD) to notify Departments of deadlines for compliance with Payment Card Industry (PCI) Data Security Standards required by the major credit card associations. Given the high costs related to data breaches and identity theft, the credit card associations have created common industry security requirements for any entity that accepts credit card payments.
ALL DEPARTMENTS THAT ACCEPT CREDIT CARD PAYMENTS MUST VALIDATE
PCI DATA SECURITY STANDARD COMPLIANCE
NO LATER THAN THURSDAY APRIL 30, 2009.
Departments must validate PCI compliance for current payment applications accepting credit card payments no later than Thursday April 30, 2009 . PCI compliance must also be confirmed prior to implementing any new application or program that will accept credit card payments or that processes, stores or transfers credit cardholder data, and any applications connected to networks that process or transmit credit cardholder data. The Office of the Comptroller (CTR) has engaged two nationally certified PCI compliance contractors to assist Departments with meeting initial and ongoing PCI compliance validation.
Background - Security of Personal Information - Credit Card Holder Data
In addition to current statutes outlining the management of public records G.L. c. 66 and the protection of personal data G.L. c. 66A, the increase of identify theft has prompted additional requirements to prevent the unauthorized release or misuse of personal information, such as Executive Order 504.
The Information Technology Division has also issued ITD Security Policies that provide mandatory standards for Executive Departments to ensure the protection of Commonwealth data and systems from attacks, compromise, or misuse.
In response to large scale data breaches, the Legislature recently passed Chapter 82 of the Acts of 2007 (An Act Relative to Security Freezes and Notification of Data Breaches) codified in G.L. c. 93H and 93I (in addition to other data security statutes) to provide consumers with notice in the event their personal information was improperly released or stolen. See also: Train the trainer - ITD.
As a result of the significant costs to credit card companies related to credit card fraud and identify theft, the major credit card associations have created common industry security requirements for any entity that accepts credit card payments. The PCI Security Standards Council has issued Payment Card Industry (PCI) Data Security Standards that require any entity that accepts credit card payments ("merchants") to annually validate PCI compliance. Merchants who are not PCI compliant that suffer a security breach that results in the compromise of card holder data face severe contractual penalties from the credit card associations, in addition to any penalties and loss of the public trust from customers.
|All Commonwealth Departments that process, transmit, or store credit card payment data (internally or through a 3 rd party processor) through ANY means (lockbox, mail, cashier window, point-of-sale (POS) device, telephone, interactive voice response(IVR) systems, or web application) MUST CERTIFY TO THE COMPTROLLER THAT THE DEPARTMENT IS PCI COMPLIANT NO LATER THAN APRIL 30, 2009, AND ANNUALLY THEREAFTER.|
PCI compliance standards have created a multifaceted security protocol that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI standards are designed to improve the safekeeping of payment information by tightening overall security. This overall review reduces the chances of experiencing security breaches, fraud, and potential catastrophic financial losses, penalties, and loss of trust in Commonwealth public facing applications.
Departments should not limit their review solely to the collection of credit card payment data. All information that departments collect, manipulate, transmit, and/or store should be cataloged and classified with resulting data security control based upon documented risk-assessment driven exposure and loss-impact analyses. Through this approach, similar to PCI compliance standards, expected to extend to banking information and other confidential data will be more easily addressed.
Departments that accept revenue from credit cards have either signed credit card agreements with VISA, MasterCard, American Express and Discover, or have accepted the credit card agreement terms when using the E-PAY Statewide Contract. PCI compliance is now a requirement for merchants accepting credit card payments.
PCI Data Security Standards (PCI DSS)
The core of the PCI Data Security Standards is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized.
PCI Data Security Standard
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Departments accepting credit card payments should review the following links for additional information:
Departments are Responsible for PCI Compliance and Costs of Breach
Given the serious consequences of a Commonwealth security breach and the significant cost to taxpayers for associated fines and penalties, security of personal data such as credit card holder information is essential. In addition, changes in government audit and federal grant receipt requirements will soon require PCI compliance for government audits and receipt of federal grants.
Therefore, the Comptroller is notifying all Commonwealth departments (in all branches of government) of their mandated obligation to take immediate steps to ensure PCI compliance if the department accepts credit card payments for Commonwealth fees, fines or other revenues recorded on the state accounting system (MMARS). In addition, PCI compliance governs all types of revenue, even if these revenues are not recorded as state revenue on MMARS, such as non-Commonwealth trust funds at Universities and other higher ed institutions, or any entity affiliated with a state agency, college or university that might subject the Commonwealth to defend a customer suit or result in the use of taxpayer or trust funds for damages in the event of a security breach.
Public authorities and municipalities must also be PCI compliant, but do not fall under state finance law for state agencies and are therefore outside the scope of this Fiscal Year Update. Municipalities may use the pre-qualified vendors listed in this Fiscal Year Update.
|Due to the mandatory requirement that any merchant Department maintain PCI compliance if accepting credit cards for payments, Departments are required to ensure that sufficient funds are budgeted in annual spending plans and set aside for initial and annual PCI compliance, including any remediation.|
Departments are also responsible for the costs of any security breach, including but not limited to penalties assessed by the credit card associations, legal costs, consumer lawsuits, and the costs of remediation for consumers harmed by the security breach. Therefore, Departments must take immediate action to identify staff and other resources to ensure PCI compliance as soon as possible and annually thereafter.
PCI Compliance Procurement
CTR conducted a Multiple Department Procurement/Multiple Department User Request for Response (RFR) with ITD and other departments that accept credit card payments to select PCI Compliance contractors certified by the national PCI Council as Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). Both Contractors are qualified to provide the consulting, validation, and network scanning services for Commonwealth entities.
|DIGITAL RESOURCES GROUP, LLC (DRG)||LGHTHOUSE COMPUTER SERVICES, INC. (LCS)|
PO Box 55071, Boston, MA 02205
Contact: David Fosdick
Email Address: email@example.com
6 Blackstone Valley Place, Suite 205 Lincoln RI 02865
Contact: Timothy Bernard
Email Address: firstname.lastname@example.org
Fax: (401) 334-0719
James Cowing (Managing Director)
David Fosdick (Vice President)
Anthony N. Fiore, Jr. (CFO)
Ernie Yenke (Chief Operating Officer)
Thomas Mrva (President)
|Prompt Payment Discount:|
1% if paid within 15 days
|Prompt Payment Discount:|
1% paid in 10 days
Information for each of the Contractors is posted on www.comm-pass.com (search under "contracts" under search term "CTRPCI2007"). Documents will be posted under "Forms and Terms" and "Vendors" for additional information for each vendor and the forms to be used for engaging a Contractor. In addition, the documents will also be posted under the Office of the Comptroller Accounts Receivable Business Function, on the E-Commerce page.
CTR has worked with both contractors and recommends both vendors highly. CTR, the Executive Office of Administration and Finance (ANF) and ITD have collaborated to assist Departments that are using the Statewide E-Payments contract with the initial assessment process to validate PCI compliance.
As part of the first phase of PCI compliance, CTR has negotiated an initial assessment process with each of the PCI Contractors to provide consulting and network scans. The PCI contractor will review required materials and identify the level of a Department's PCI compliance and potential remediation that will be needed to reach PCI compliance or mitigate risks. In addition, the Contractors will perform network scans to identify any potential vulnerability. At the completion of the initial assessment and any remediation to achieve PCI compliance, the Department will be responsible for filing the SAQ with its merchant bank and certify to the Comptroller that the Department is PCI complaint.
Deadlines for Engaging PCI Contractor and Completion of PCI Compliance
Due to the critical need to ensure PCI compliance as soon as possible, Departments must adhere to the following deadlines for PCI compliance:
DECEMBER 1, 2008
Complete quote process and engage PCI Compliance Contractor for initial assessment and scans.
APRIL 30, 2009
Certify PCI compliance (submission of SAQ to merchant bank after scans and remediation) OR certify remediation underway with deadline for completion and PCI compliance.
Preparation for PCI Compliance Validation - What you need to get started.
Given the importance of ensuring PCI compliance as soon as possible, we are asking that all Departments currently accepting credit card payments (and not already undergoing PCI review) immediately begin collecting the necessary data and resources identified below and complete the Initial Assessment for PCI compliance, as follows:
- Identify Funding for PCI Compliance and Scans - pricing for the initial PCI compliance validation and scans will depend primarily on the methods used to accept credit card payments, the size of your operation and the number of outward facing IP addresses connected to any network or system that transmits credit card data. Once you have compiled the information below, you will be able to submit a PCI Quote Form to each vendor to identify the potential cost for the initial validation and scanning engagement.
- Identify PCI Team and Primary Contacts - Once you have identified potential fiscal resources to fund the PCI validation process and scans (in cooperation with your CFO) the department should identify the key resources and contacts that will lead the PCI compliance initiative in your Department. It is our experience that the PCI security validation process works best when the Department assembles a cross functional team made up of the appropriate program, fiscal, IT, security, and legal resources in your organization. A broad level of expertise is critical to ensuring that security risks are identified and remediated and that staff are properly trained to ensure data security. In order to submit the final validation to the merchant banks that process your credit card payments, you will also need to identify an individual with Department Head Signature Authorization to approve submission of the validation certification from the PCI contractor to your merchant bank.
- Payment Data Flow - Document your payment data flow which identifies how credit card payment data passes through your Department and/or 3rd party processor. Number of facilities and how many process credit card payments. Number of POS (Point of Sale) devices. What credit card brands do you accept? How is payment data handled? What and who handles payment data? What networks, operating systems and applications collect, store, handle or pass through payment data and what networks, systems or applications are connected to these? Do you store credit card numbers and where and how are these stored? Do you have offsite or recovery facilities that store cardholder data? Provide the type of merchants and names of card transaction processors you have a business relationship with. The goal here is to identify potential vulnerabilities at any point in the flow of credit card payment data (accepting, storing, processing, or transmitting) that might enable inappropriate access or theft of credit card payment data.
- Network Diagram - Develop or update a current network diagram that illustrates ALL networks, appliances, systems, or applications that collect, store, process, or transmit credit card and other payment data, including any networks, systems, appliances, or applications that are connected or associated with these networks, systems or applications. It is critical that the network diagram is accurate and include ALL networks and connections, since the PCI contractor will be able to validate only the information actually presented.
- Outward Facing IP Addresses and Wireless networks- Identify any externally accessible (outward facing) and active IP addresses or ranges that are associated with the network(s) in which payment data is stored, processed, or transmitted. All IP addresses that connect to any network through which payment data flows/travels, even if not stored by the department, must be scanned for PCI compliance. Please note that the price for scans is based upon the number of outward facing IP Addresses, so this information will determine the current and continued costs of scans. If you are unsure of how may IP addresses may be covered you can request IP address mapping to identify IP addresses and other risk areas. Departments should also identify any wireless networks implemented in the Department or at any other location. It is recommended that the Department verify that there are no unauthorized wireless networks operating at any Department location.
- Identify if the Department is using its own Payment Application or using the Pay Button pages under the Statewide Contract - Departments with their own payment applications will have additional PCI compliance requirements, such as undergoing a full code review or verifying that the payment software being used is a PCI compliant software. Departments using the Statewide Contract Pay Button pages hosted by EDS do not have to complete application or code review.
- Self-Assessment Questionnaire - Complete the Self-Assessment Questionnaire (SAQ) that can be found at https://www.pcisecuritystandards.org/saq/index.shtml. The Department will need the cross-functional PCI team in order to answer the questions and gather the necessary validation information. The PCI contractors will review the questionnaire provide a risk assessment as part of the initial engagement to identify potential problems or remediation. Ultimately, the SAQ will need to be filed with the merchant bank that processes the Department's credit card payment so PCI compliance must be achieved prior to submission.
- Identify Policies for maintaining information security and PCI compliance.
- Obtain Quotes for Initial Assessment from PCI Contractors. Any Commonwealth Department (in any branch of government including Higher Education institutions using trust funds) that chooses to use the CTR PCI contract (RFR#: CTRPCI2007) must have an initial assessment completed. Departments may not contract solely for security scans unless an initial assessment has been completed. Non-Commonwealth departments (Authorities, municipalities, etc.) are not required to complete this step, although this step is highly encouraged. To get started, each Department will identify which contractor they will engage for the initial assessment. Departments are required to obtain a quote from each contractor for the assessment using the PCI Quote Form (posted on Comm-PASS or the CTR E-Commerce page under Accounts Receivable Business Functions). Departments are free to interview the Contractors to assist in selection.
- Engage PCI Contractor (DEADLINE NO LATER THAN DECEMBER 1, 2008 )
- Once the Department has selected a contractor, they will execute a Standard Contract Form with the vendor to establish the contract and set aside funds for payment. To expedite contract execution, pre-populated Standard Contract Forms for each Contractor have been posted on Comm-PASS and on the CTR E-Commerce page under Accounts Receivable Business Functions. The Department has the choice of whether to use a rate contract with no maximum obligation or to establish a maximum obligation contract for each phase of PCI compliance.
- The Department has the choice of whether to use a rate contract option with no maximum obligation and identify the details of performance in the PCI Quote Form/SOW, or to establish a maximum obligation contract for each phase of PCI compliance, also using the PCI Quote Form/SOW as the scope and budget..
- The Department is encouraged to execute a multi-fiscal year contract and update the contract documents as needed.
- The PCI Quote Form and Statement of Work will serve as the scope and budget and must contain the total cost of the work to be performed. The PCI Quote Form must be amended if there are any changes prior to any changed performance being made. If the Department chooses to use a Maximum Obligation as part of the Standard Contract Form, the contract must also be amended and re-executed if the Maximum Obligation changes, or there are any material changes in performance.
- Attachments to the Standard Contract Form may not include additional terms and conditions not negotiated as part of the CTR Contract or require "click through acceptance" of any additional terms not approved in writing by CTR. Any such additional terms shall be considered void.
- If the Department chooses to use a Maximum Obligation option in the Standard Contract Form, the contract and the PCI Quote Form/SOW must be amended and re-executed if the Maximum Obligation changes, or there are any material changes in performance.
- If the Department chooses to use a Rate Contract option only the PCI Quote Form/SOW will have to be updated as changes occur in the engagement within the dates of performance of the Standard Contract Form.
- Certification of PCI Compliance (DEADLINE NO LATER THAN APRIL 30, 2009). The initial assessment process will be used to identify any PCI related vulnerabilities discovered as a result of completing and reviewing the Self-Assessment Questionnaire (SAQ) and completing the scans of outward facing IP addresses, as well as any other reviews included as part of the PCI Compliance review. Each Department accepting credit card payments will be required to certify to the Comptroller that the Department is PCI compliant and has submitted the SAQ to its merchant bank and completed the necessary scans, OR certify that remediation is underway and identify when the Department will be PCI compliant.
- Ongoing PCI Compliance - If a Department has completed the initial assessment, the Department is responsible for continuing to engage one or both of the PCI Contractors for ongoing PCI compliance. (Some Departments may use a combination of services from each of the contractors or use one contractor for assessments and the other for remediation services.) Departments are free to engage any of the vendors once the initial quote process has been completed.
- The CTR PCI team will be available to assist Departments during the quote and contracting process, and as needed through the validation and scanning process.
Annual Data Security Validation Maintenance Responsibility
The cost of data breaches has been estimated at 20 times the cost of ensuring PCI compliance. Therefore, effective data security practices and processes, many of which underlie PCI compliance is a mandatory and critical on-going maintenance responsibility to protect taxpayer funds and maintain the public trust in the Commonwealth.
As long as a Department accepts credit card payments the Department is responsible for annual completion of the Self Assessment Questionnaire (SAQ) and quarterly network scans (if network scans are required). In addition, PCI standards require additional security reviews such as internal and external penetration tests. As Departments move from accepting paper checks to electronic payment options, security of personal data requirements change and require continued review and updates as hackers and identity thieves become more creative.
We urge you to immediately identify funding, resources and personnel to complete the initial PCI assessment and network scans. Please do not hesitate to contact Patricia Davis at 617-973-2332 with any questions, concerns, or funding hardships.
|Kenneth Marchurs, SAO|
Attachments: Information for each of the Contractors is posted on www.comm-pass.com (search under "contracts" under search term "CTRPCI2007"). Documents will be posted under "Forms and Terms" and "Vendors" for additional information for each vendor and the forms to be used for engaging a Contractor. In addition, the documents will also be posted under the Office of the Comptroller, Accounts Receivable Bureau Function, on the E-Commercepage.
PCI Request for Response (RFR)
PCI Quote Form/Statement of Work
StandardContract Form template (DRG)
Standard Contract Form template (LCS)
PCI RFR Response (DRG)
PCI RFR Response (LCS)
Digital Resources Group Contract Amendments file size 2MB
Affirmative Market Program Attachment (DRG)
Consultant Contractor Mandatory Submission Form (DRG)
Contractor Authorized Signatory Listing (DRG)
Prompt Payment Discount Form (DRG)
Lighthouse Computer Services Contract Amendments file size 2MB
Affirmative Market Program Attachment (LCS)
Consultant Contractor Mandatory Submission Form (LCS)
Contractor Authorized Signatory Listing (LCS)
Prompt Payment Discount Form (LCS)