To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, and Department Heads, Chief Information Officers, Chief Fiscal Officers, and General Counsels

From: Martin J. Benison, Comptroller

Date: May 13, 2010

Re: Payment Card Industry (PCI) Data Security Standard compliance is an annual, ongoing, mandatory process for all Commonwealth entities accepting electronic payments

Comptroller Memo FY#2010-26

Executive Summary

The purpose of this email is to remind all departments that PCI Compliance is an annual, ongoing process for all Commonwealth entities accepting electronic payments. All entities must engage a Qualified Security Assessor (QSA) to validate PCI Compliance the first year, and annually on or before the anniversary date thereafter. In addition, PCI Compliance will be included on the Statewide Single Audit this year.

All Commonwealth entities that process, transmit, or store credit card payment data (internally or through a 3rd party processor) through ANY means (lockbox, mail, cashier window, point-of-sale (POS) swipe or keypad device, telephone, interactive voice response (IVR) systems, or web application) must certify and attest annually that the department is PCI compliant (on or before their compliance anniversary date). In addition, Commonwealth entities must address security of all payments data, including EFT and ACH transactions, using the PCI DSS.

PCI compliance must be validated by a Qualified Security Assessor (QSA) prior to implementing any new application or program that will accept credit card payments or that processes, stores or transfers credit cardholder data, and any applications connected to networks that process or transmit credit cardholder data. The Office of the Comptroller (CTR) has engaged two nationally certified PCI compliance contractors that Departments must engage to validate initial and ongoing annual PCI compliance. For more information on this contract, go to Comm-PASS and search for contract number CTRPCI2007.

Some Commonwealth entities are still working on initial PCI compliance and remediation areas identified during their assessment activities. Once these identified action items are remediated, the entity must submit the Qualified Security Assessor (QSA) validated Self Assessment Questionnaire (SAQ) to their merchant bank and the signed Attestation of Compliance (AOC) to the Comptroller annually.

Other Commonwealth entities are PCI compliant and currently engaged in ongoing compliance activities for Year 2 and beyond. Please keep in mind that the QSA validation, submission of the SAQ to the merchant bank, and submission of the signed Attestation of Compliance (AOC) to the Comptroller are annual activities, to be completed on or before your anniversary date. Please note that any significant changes to your payment environment or network ecosystem require re-assessment for any impacts to PCI Compliance.

In addition, entities must execute any quarterly network scans and annual penetration tests, if required, in accordance with applicable sections of the PCI Data Security Standard (DSS).

PCI compliance was recently cited by the American Institute of Certified Public Accountants (AICPA) in an Audit Risk Alert and will be included in the Statewide Single Audit this year.

Due to the mandatory requirement that any Commonwealth merchant maintain PCI compliance if accepting electronic payments, entities must ensure that sufficient funds are budgeted in annual spending plans and set aside for initial and annual PCI compliance, including any remediation areas identified.

See FY2009-08, FY2008-08A and FY2009-08B for details, vendor information, and links to the proper forms.

See the PCI Frequently Asked Questions document (PCI_FAQ_2009-08A.doc).

cc: MMARS Liaisons
Payroll Directors
Legal Counsels
John Parsons, SAO