To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, and Department Heads, Chief Information Officers, Chief Fiscal Officers, and General Counsels
From: Martin J. Benison, Comptroller
Date: April 8, 2009
Re: REMINDER APRIL 30, 2009 DEADLINE PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD COMPLIANCE CERTIFICATION
Comptroller Memo FY#2009-08B
The purpose of this memorandum is to remind all departments of the April 30th deadline for compliance with the Payment Card Industry (PCI) Data Security Standard required by the major credit card associations, and to provide instructions for submitting the Attestation of Compliance to the Comptroller.
All Commonwealth Departments that accept electronic payments or process, transmit, or store credit card or other bank account payment data (internally or through a third-party processor) through ANY means (lockbox, mail, cashier window, point-of-sale (POS) device, telephone, interactive voice response (IVR) systems, or web application) must be PCI compliant.
ALL COMMONWEALTH DEPARTMENTS THAT ACCEPT ELECTRONIC PAYMENTS OR TRANSMIT OR STORE CREDIT CARD PAYMENT INFORMATION MUST PROVIDE A WRITTEN CERTIFICATION OF PCI COMPLIANCE TO THE COMPTROLLER NO LATER THAN APRIL 30, 2009, AND ANNUALLY THEREAFTER.
Once the PCI Compliance Self Assessment Questionnaire (SAQ) has been completed and submitted to the Department's merchant bank, the Department must scan the Attestation of Compliance (AOC) section, including the Department Head's or authorized signatory's signature and date, and email these scanned pages to PCIAttestations@massmail.state.ma.us no later than Thursday, April 30, 2009.
PLEASE DO NOT SEND THE ENTIRE SELF ASSESSMENT QUESTIONNAIRE (SAQ); just send the scanned, signed and dated Attestation of Compliance pages. These pages generally comprise the first few pages of the SAQ.
Comptroller Memo FY#2009-08 outlined the requirements for Departments to engage one of the two authorized PCI Compliance Contractors to complete the PCI Assessment and PCI certification process.
Any remediation items identified must be remediated by the Department and validated by one of the PCI compliance vendors (DRG or LCS) prior to April 30, 2009. The Self Assessment Questionnaire (SAQ) and network scan results (if required) must be submitted to the Department's merchant bank.
The Office of the Comptroller conducted a Multiple Department Procurement/Multiple Department User Request for Response (RFR) with ITD and other departments that accept credit card payments to select PCI Compliance contractors certified by the PCI Security Standards Council as Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). Both selected contractors are qualified to provide consulting, validation, and network scanning services for Commonwealth entities completing their Self Assessment Questionnaire (SAQ).
The engagement documents are posted on the Accounts Receivable Business Function page under E-Commerce. See also FY2009-08, FY2009-08A, and the PCI Frequently Asked Questions. The PCI engagement information is also posted at www.comm-pass.com (enter the search term "CTRPCI2007" under "Contracts", then click the "Forms and Terms" tab to find the documents to be used in engaging a contractor for assessment, remediation, scans, consulting, and validation of the SAQ).
If you have any questions, please contact Patricia Davis at 617-973-2332.