M E M O R A N D U M

To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, and Department Heads, Chief Information Officers, Chief Fiscal Officers, and General Counsels
From: Martin J. Benison, Comptroller
Date: April 8, 2009
Re: REMINDER APRIL 30, 2009 DEADLINE PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD COMPLIANCE CERTIFICATION

Comptroller Memo FY#2009-08B


Executive Summary

The purpose of this memorandum is to remind all departments of the April 30th deadline for compliance with the Payment Card Industry (PCI) Data Security Standards required by the major credit card associations, and to provide instructions for submitting the Attestation of Compliance to the Comptroller.
All Commonwealth Departments that accept electronic payments or process, transmit, or store credit card or other bank account payment data (internally or through a 3rd-party processor) through ANY means (lockbox, mail, cashier window, point-of-sale (POS) device, telephone, interactive voice response (IVR) systems, or web application) must be PCI Compliant.

ALL COMMONWEALTH DEPARTMENTS THAT ACCEPT ELECTRONIC PAYMENTS OR TRANSMIT OR STORE CREDIT CARD PAYMENT INFORMATION MUST PROVIDE A WRITTEN CERTIFICATION OF PCI COMPLIANCE TO THE COMPTROLLER NO LATER THAN APRIL 30, 2009, AND ANNUALLY THEREAFTER.

Once the PCI Compliance Self Assessment Questionnaire (SAQ) has been completed and submitted to the Department's merchant bank, the Department must scan the Attestation of Compliance (AOC) section, including the Department Head's or authorized signatory's signature and date, and email these scanned pages to PCIAttestations@massmail.state.ma.us no later than Thursday, April 30, 2009.

PLEASE DO NOT SEND THE ENTIRE SELF ASSESSMENT QUESTIONNAIRE (SAQ); just send the scanned, signed and dated Attestation of Compliance pages. These pages generally comprise the first few pages of the SAQ.

Comptroller Memo FY#2009-08 outlined the requirements for Departments to engage one of the two authorized PCI Compliance Contractors to complete the PCI Assessment and PCI certification process.

Any remediation items identified must be remediated by the department and validated by the PCI compliance vendors (DRG or LCS) prior to April 30, 2009. The Self Assessment Questionnaire (SAQ), and network scan results (if required) must be submitted to the entity's merchant bank.

The Office of the Comptroller conducted a Multiple Department Procurement/Multiple Department User Request for Response (RFR) with ITD and other departments that accept credit card payments to select PCI Compliance contractors certified by the PCI Security Standards Council as Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). Both selected contractors are qualified to provide consulting, validation, and network scanning services for Commonwealth entities completing their Self Assessment Questionnaire (SAQ).



DIGITAL RESOURCES GROUP, LLC (DRG)
VC0000390523
PO Box 55071, Boston, MA 02205
Contact: David Fosdick
Telephone: 978-496-1503
Email Address: pci@drgsf.com
Fax: 775-855-5042
Web: www.drgsf.com
Authorized Signatories: James Cowing (Managing Director); David Fosdick (Vice President)
Prompt Payment Discount: 1% if paid within 15 days

LIGHTHOUSE COMPUTER SERVICES, INC. (LCS)
VC0000389868
6 Blackstone Valley Place, Suite 205, Lincoln, RI 02865
Contact: Timothy Bernard
Telephone: (508) 254-2804
Email Address: tbernard@lighthousecs.com
Fax: (401) 334-0719
Web: www.lighthouseCS.com
Authorized Signatories: Anthony N. Fiore, Jr. (CFO); Ernie Yenke (Chief Operating Officer); Thomas Mrva (President)
Prompt Payment Discount: 1% if paid within 10 days

The engagement documents are posted on the Accounts Receivable Business Function page under E-Commerce. See also FY2009-08, FY2009-08A, and the PCI Frequently Asked Questions (PCI_FAQ_2009-08A.doc). The PCI engagement information is also posted at www.comm-pass.com (enter the search term "CTRPCI2007" under "Contracts", then click on the "Forms and Terms" tab to find the documents used to engage a contractor for assessment, remediation, scans, consulting, and validation of the SAQ).

If you have any questions, please contact Patricia Davis at 617-973-2332.

cc: MMARS Liaisons
    Payroll Directors
    Kenneth Marchurs, SAO