To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, and Department Heads, Chief Information Officers, Chief Fiscal Officers, and General Counsels
From: Martin J. Benison, Comptroller
Date: November 20, 2008
Re: DEADLINE REMINDER REGARDING PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD COMPLIANCE FOR ALL COMMONWEALTH ENTITIES ACCEPTING ELECTRONIC PAYMENTS AND FREQUENTLY ASKED QUESTIONS
Comptroller Memo Y#2009-08A
The purpose of this email is to remind all departments of deadlines for compliance with Payment Card Industry (PCI) Data Security Standards required by the major credit card associations and to provide answers to some frequently asked questions regarding the PCI Compliance initiative.
All Commonwealth entities that process, transmit, or store credit card payment data (internally or through a 3rd party processor) through ANY means (lockbox, mail, cashier window, point-of-sale (POS) device, telephone, interactive voice response (IVR) systems, or web application) MUST CERTIFY TO THE COMPTROLLER THAT THE DEPARTMENT IS PCI COMPLIANT NO LATER THAN APRIL 30, 2009, AND ANNUALLY THEREAFTER. In addition, Commonwealth entities are strongly encouraged to address security of all payments data including EFT and ACH transactions using the PCI DSS.
Deadlines for Engaging PCI Contractor and Completion of PCI Compliance:
See FY2009-08 for details, vendor information, and links to the proper forms.