

M E M O R A N D U M

To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats and Department Heads, Chief Information Officers, Chief Fiscal Officers, and General Counsels
From: Martin J. Benison, Comptroller
Date: November 20, 2008
Re: DEADLINE REMINDER REGARDING PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD COMPLIANCE FOR ALL COMMONWEALTH ENTITIES ACCEPTING ELECTRONIC PAYMENTS AND FREQUENTLY ASKED QUESTIONS

Comptroller Memo FY#2009-08A


Executive Summary

The purpose of this memo is to remind all departments of the deadlines for compliance with the Payment Card Industry Data Security Standard (PCI DSS), which is required by the major credit card associations, and to provide answers to some frequently asked questions regarding the PCI compliance initiative.

All Commonwealth entities that process, transmit, or store credit card payment data (internally or through a third-party processor) through ANY means (lockbox, mail, cashier window, point-of-sale (POS) device, telephone, interactive voice response (IVR) system, or web application) MUST CERTIFY TO THE COMPTROLLER THAT THE DEPARTMENT IS PCI COMPLIANT NO LATER THAN APRIL 30, 2009, AND ANNUALLY THEREAFTER. Handling cardholder data through any one of these channels brings the entity into scope. In addition, Commonwealth entities are strongly encouraged to apply the PCI DSS to the security of all payment data, including EFT and ACH transactions.

Deadlines for Engaging PCI Contractor and Completion of PCI Compliance:

DECEMBER 1, 2008: Complete the quote process and engage a PCI compliance contractor for the initial assessment and scans.
APRIL 30, 2009: Certify PCI compliance (submission of the Self-Assessment Questionnaire (SAQ) to the merchant bank after scans and remediation) OR certify that remediation is under way, with a deadline for completion and PCI compliance.

See FY2009-08 for details, vendor information, and links to the proper forms.

See the PCI Frequently Asked Questions document, PCI_FAQ_2009-08A.doc.

cc: MMARS Liaisons
Legal Counsels
Payroll Directors
Kenneth Marchurs, SAO