Card Acquiring Service

Payment Card Industry Data Security Standard

Overview

All Federal agencies accepting credit and debit cards are required to maintain full compliance with the Payment Card Industry Data Security Standard (PCI DSS).  This is in addition to the Office of Management and Budget (OMB) Personally Identifiable Information (PII) guidelines related to accidental or purposeful disclosure of cardholder information. 

With the decision to accept cards as a form of payment comes the responsibility to protect your customers’ sensitive card information.  The Payment Card Industry Security Standards Council (PCI SSC) was formed to govern the security of this sensitive cardholder data.  As such, the PCI SSC developed the PCI Data Security Standard (PCI DSS), which contains the security requirements merchants must follow in order to help protect themselves against unauthorized intrusions and account data compromises.  The PCI DSS applies to all entities, including Federal agencies, that process, store, or transmit cardholder data. 

Failure to maintain compliance with the PCI DSS puts your organization at risk of significant fines, fees, penalties or losing the ability to process card payments, as may be prescribed by the applicable card associations.  Furthermore, a suspected or known compromise of your card processing systems can result in serious damage to your organization’s reputation and/or potential litigation brought by impacted cardholders and issuing banks who suffer losses as a result of compromised information. 

Key Components

The PCI DSS is comprised of 12 general requirements designed to:

  • Build and maintain a secure network;
  • Protect cardholder data;
  • Maintain a vulnerability management program;
  • Implement strong access control measures;
  • Regularly monitor and test networks; and
  • Maintain an information security policy.

A critical aspect of the standard is the non-retention of sensitive authentication data after transaction authorization. The card brands refer to this data as Prohibited Data, which includes: the full content of any track on the back of a card's magnetic stripe; CVV2/CVC2/CAV2/CID (the three- or four-digit code printed on the card); and PINs or encrypted PIN blocks. Storing any one of these items after transaction authorization is a direct violation of the card association rules.
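One practical check on the non-retention rule above is to scan application logs and stored files for the Prohibited Data the page lists. The following scanner is an added example, not FMS or Fifth Third code; the track layouts it matches follow the common ISO 7813 magnetic-stripe format, the CVV check is a labelled-field heuristic, and the log lines and card numbers are constructed test data.

```python
import re

# Prohibited data after authorization (per the page): full track content, CVV2/CVC2/CAV2/CID,
# PIN blocks. The two track layouts below follow ISO/IEC 7813 (an assumption, not from this page):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Heuristic for verification codes written to logs as labelled fields (cvv2=123, "cvc": "456").
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid)\b\W{0,4}(\d{3,4})\b", re.IGNORECASE)

def luhn_ok(pan: str) -> bool:
    """Mod-10 check; drops random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Report only first six / last four so the finding itself is not a new copy of the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_lines(lines):
    """Return one finding per prohibited-data hit: {"line", "kind", "pan"}."""
    findings = []
    for n, line in enumerate(lines):
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append({"line": n, "kind": kind, "pan": mask_pan(m.group(1))})
        for _ in CVV_RE.finditer(line):
            findings.append({"line": n, "kind": "cvv", "pan": None})
    return findings

# Constructed sample log lines (well-known test PANs, not real accounts). Line 0 is a properly
# masked PAN and must pass; line 4 is a track-2 lookalike whose PAN fails Luhn and is not reported.
SAMPLE_LOG = [
    "2009-11-06 10:01:22 auth ok pan=411111******1111 resp=00",
    '2009-11-06 10:02:05 DEBUG raw_swipe=";4111111111111111=1212101123456789?"',
    "2009-11-06 10:03:41 DEBUG form cvv2=123 amount=42.00",
    '2009-11-06 10:04:10 DEBUG raw_swipe="%B5500000000000004^DOE/JOHN^1212101000000?"',
    '2009-11-06 10:05:00 DEBUG junk=";1234567890123=1212101?"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} pan={f['pan']}")
```

Any hit on a log or data store that persists after authorization is a finding to remediate (stop writing the field, purge the history), not merely to mask.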

Merchant Levels

All organizations currently fall into one of four merchant levels established by the card associations, based on transaction volume calculated over a 12-month period. The merchant level determines the method of compliance validation required by the card associations. Merchant levels are defined as:

Level 1
  - Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year in one card brand
  - Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  - Any merchant that any card association determines to be a Level 1

Level 2
  - Any merchant, regardless of acceptance channel, processing 1 to 6 million transactions per year in one card brand

Level 3
  - Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year

Level 4
  - Any other merchant, regardless of acceptance channel

Requirements

FMS and Fifth Third will notify agencies that meet the thresholds for Levels 1, 2 and 3, and will provide specific guidance on validation requirements and associated timeframes for compliance.  Level evaluations and notifications will occur on a quarterly basis.   All agencies should consider themselves to be a Level 4, unless otherwise notified.

The initial steps for Level 4 agencies to establish PCI compliance consist of two key tasks:

1 – Complete an annual PCI Self-Assessment Questionnaire
The current version of the Self-Assessment Questionnaire can be found on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/saq/instructions_dss.shtml.  You will need to complete the appropriate questionnaire for your agency. 

2 – Conduct quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
A listing of Approved Scanning Vendors, who are authorized to perform the network vulnerability scans on your behalf, is available at http://www.pcisecuritystandards.org/qsa_asv/find_one.shtml.
Network vulnerability scans are required for all agencies with external-facing Internet Protocol (IP) addresses that connect to the cardholder data environment.

Agency Support

Fifth Third and FMS offer a PCI 101 webinar for Treasury agencies to help get you started. 

Upcoming sessions:

Session 1: November 18, 2009 10:00 a.m. – 11:30 p.m., EST
Session 2: December 8, 2009 10:30 p.m. – 12:00 p.m., EST

To register for a session, or to receive a copy of a past presentation, please contact FTPSMerchantCompliance.Bancorp2@53.com.

For a current listing of PCI educational webinars for Fifth Third merchants, visit www.trustwave.com/53webinars.php. This link also provides information on other upcoming or past educational webinars that are available to your agency to learn more about PCI DSS. 

Fifth Third has arranged for Trustwave to offer these webinars as a service for Fifth Third customers, including Treasury agencies. Trustwave also independently offers other PCI compliance services which Treasury has not reviewed or endorsed.

For More Information

For the most up-to-date PCI DSS information and guidance, please refer to:

www.pcisecuritystandards.org
www.visa.com/cisp
www.mastercard.com/sdp

   Last Updated:  Friday November 06, 2009