Government agency credit card programs and PCI compliance

Organizations that process card payments must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Learn more about PCI DSS.

The Payment Card Industry (PCI) Data Security Standard (DSS) Council is responsible for the global requirements governing the security of cardholder data. Card brands are responsible for enforcement. All merchant services providers, also known as “acquirers,” have the responsibility to report PCI DSS compliance to the data security programs of the card brands.

All organizations that accept and process card payments must comply with the PCI DSS. This includes government agencies that take credit card payments for constituent services. The cost of noncompliance can be high, so it pays to comply with the PCI DSS.

"PCI DSS applies to all entities that process, transmit and/or store cardholder data,” explains Michael Hodge, regional director of payment solutions at U.S. Bank. “If a government agency is processing card payments, then it’s clearly in scope for PCI compliance.”

Major card associations worked together to develop the PCI DSS because of escalating risks related to credit card fraud.

PCI DSS includes requirements that address:

• Security management
• Policies
• Procedures
• Network architecture
• Software design
• Other critical protective measures

Consequences of noncompliance

PCI DSS compliance requirements and validation apply to government agencies the same as they do for other businesses.

“If an organization, such as a government agency, fails to adhere to PCI DSS, they may be assessed fines for noncompliance, and/or may no longer be able to process cards for payment,” Hodge says. Fines vary by card brand and an agency’s assigned PCI level, but they can be as high as hundreds of thousands of dollars.

“Beyond fines, government agencies also need to comply with the standard to maintain constituent trust,” Hodge says. “They should consider it a best practice to protect cardholder data and information.”

“At U.S. Bank, our government agency clients consistently adhere to their PCI DSS compliance, and validate it annually,” Hodge says.

However, Hodge notes the configuration of card processing networks for government agencies — and how these networks speak to one another — can affect how agencies manage and conduct their PCI DSS audit duties. They may be subject to multiple audits and validations, or just one.

“Given that we’re reminded of security breaches daily, it’s imperative that agencies accepting cards recognize and address annual compliance,” Hodge says.

“As long as an agency is the merchant of record, it has compliance responsibility. Once it begins accepting card payments, its compliance duties begin. The agency should be diligent to discuss with its payment acquirer the steps necessary to reach compliance responsibility.”

Some government entities may find they have bureaucratic challenges with PCI DSS compliance

Government entities work across agencies and with management to understand their responsibilities, which include the need to examine, establish and maintain a strong data security posture. They also need to understand the costs of annual validation. “As a result, it’s important that they develop a best practices policy for card payment acceptance,” Hodge says.

The PCI DSS Council provides a list of approved companies that can assist you with an audit. Acquirers often recommend a PCI Approved Qualified Security Assessor, but government agencies aren’t required to follow this recommendation.

For more information about PCI DSS compliance, talk to your merchant services provider and visit www.pcisecuritystandards.org. Card brands also offer data security program help:

• Visa Cardholder Information Security Program.
  
• MasterCard Site Data Protection Program.
• Discover Data Information Security and Compliance.