The document discusses the Payment Card Industry Data Security Standard (PCI DSS), which establishes requirements for securely handling, storing, and transmitting credit card data. It requires merchants and service providers that process, store or transmit credit card data to comply with security standards covering areas like network security, data protection, access control, monitoring, and security policies. Non-compliance can result in fines, lawsuits, and loss of credit card processing privileges. The Commonwealth of Massachusetts is working to help state departments assess their PCI compliance status and achieve validation through qualified security assessors and approved scanning vendors.

1. Payment Card Industry (PCI)
Data Security Standard (DSS)
Compliance
Commonwealth of Massachusetts
Office of the State Comptroller
March 2007

2. 2
What is PCI DSS?
• Mandatory compliance program resulting
from a collaboration between the credit
card associations to create common
industry security requirements for
cardholder data.

3. 3
More about PCI compliance….
• Common set of industry tools and measurements
to ensure safe handling of sensitive information.
• Actionable framework for developing a robust
account data security process—including
preventing, detecting, and reacting to security
incidents.
• Technical requirements for secure storage,
processing, and transmission of cardholder data.
• Common auditing and scanning procedures.

4. 4
Who has to worry about it?
• If you transact credit card business, you
have to worry about it.
• Merchants and third party providers who
process, transmit, or store cardholder data
are required to adhere to certain data
security standards.
• Applies to credit card business transacted
over all payment channels (POS, mail, IVR,
and e-commerce).

5. 5
Who are the stakeholders?
• Credit card industry – Founders of the PCI
Security Standards Council are Visa,
Mastercard, Amex, Discover, and JCB
brands.
• Acquiring banks/member banks – must
require PCI compliance from merchants and
service providers doing credit card business.
• Merchants and service providers – must be
PCI compliant, regardless of channel.
• Our customers.

6. 6
PCI DSS:
Covers 6 Areas/12 Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords
and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive
information across open public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

7. 7
PCI DSS:
Covers 6 Areas/12 Requirements
(continued)
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10.Track and monitor all access to network resources and
cardholder data
11.Regularly test security systems and processes
Maintain an Information Security Policy
12.Maintain a policy that addresses information security

8. 8
Major Activity Areas
• Identify merchant level (dependent on volume).
• Subject matter expertise.
• Consulting and recommendations.
• Compliance – relates to infrastructure security
and business procedures (may be supported by
Qualified Security Assessor (QSA)).
– Annual self-assessment questionnaire
– Annual on-site security audit (depending on merchant
level)
• Validation – process performed by an Approved
Scanning Vendor (ASV) on all external-facing IP
addresses.
• Possibly, audit (depending on merchant level).

9. 9
Our Approach
• See what departments and other states are doing.
• Communicate – share information to promote
awareness of the issue, identify participating
departments, and gain support.
• Learn about PCI DSS Compliance.
• Check in with banks and service providers on their
PCI Compliance status and requirements.
• Initiate a procurement to identify Qualified Security
Assessors (QSVs) and Approved Scanning Vendors
(ASVs) to assist departments in achieving
compliance and validation.
• Identify costs and funding.

10. 10
Consequences of Non-Compliance
• Forensic investigation
• Steep monetary fines (up to $500K) levied
by the card associations plus damages
• Lawsuits
• Damage to reputation
• Bad publicity
• Revocation of credit card business
privileges

11. 11
For more information:
• See https://www.pcisecuritystandards.org/index.htm and
http://www.pcicomplianceguide.org for general information.
• Check out the self-assessment questionnaire at:
https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf
to assess level of effort and resources to remediate
problems and achieve compliance.
• See http://usa.visa.com and Visa Cardholder Information
Program (CISP) links.
• See
http://www.mastercard.com/us/sdp/assets/pdf/SDP_Present
ation.pdf for Mastercard Site Data Protection (SDP)
information
• Stay tuned for updates on RFR progress.