Treasury Services - PCI Compliance

  PCI Compliance

Ens​uring Your Security

Our technology and policies are designed to make your online transactions private and secure. Documented steps are taken to safeguard information according to established security standards ​and procedures and we continually evaluate the newest technology for protecting information.  Sensitive information passed in online transactions such as banking information, and personal data is confidential.

The Payment Card Industry Data Security Standard (PCI DSS) is an established information security standard which applies to any organization involved in the processing, transmission, and storage of credit card information. Created and overseen by an independent agency, the PCI Security Standards Council (PCI SSC), PCI DSS is designed to improve the security of payment card transactions and to reduce credit card fraud.

The PCI SSC was founded in 2006 as a joint venture between the five largest payment card brands (Visa, MasterCard, American Express, Discover, and JCB). Its goal was to create a clear and interoperable set of standards for protecting consumer information. Although the SSC does not enforce compliance itself, the PCI DSS is now widely accepted and applies to all organizations dealing with credit, debit, or cash card information, regardless of size or industry.

PCI DSS consists of twelve requirements, organized under six major objectives delineated by the PCI SSC. Every requirement is a security step that helps businesses satisfy the relevant objective. The objectives and associated requirements are as follows:​

 

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

• ​​What is addressed for a PCI review?

1. Network Security which includes testing and monitoring requirements.
2. Protection of cardholder data via policies and training.
3. Storage of data & access controls.
4. Requirements of annual self-assessment questionnaire (SAQ) and attestation of compliance (AOC).​

 

Any agency who maintains a Merchant Identification Number (MID) for accepting credit/debit card payments must follow the PCI security standards. The key element in the compliance process is the internal control procedures established within the Wisconsin Accounting Manual section 14-04. Agencies will be responsible for ongoing training, policy development, and completion of a Self-Assessment Questionnaire (SAQ) each year.  Treasury staff from the State Controller's Office will assist Wisconsin Agency's Financial and IT Security Teams in this endeavor, in partnership with the Department of Enterprise Technology (DET).  By working together, we can proactively protect and secure our payment systems.

 

State Controller's Office Treasury Team       Department of Enterprise Technology

Contact: DOATreasury@wisconsin.gov         Contact:  ESDHelp@wisconsin.gov

​​​​​​​Resour​ces​

• PCI Security Standards Council: https://www.pcisecuritystandards.org/
• PCI Security Standards Council list of validated products and solutions
  https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement?return=%2Fassessors_and_solutions%2Fpin_transaction_devices
• PCI Compliance Manager Portal (Sysnet Portal login required): https://www.pcicompliancemanager.com/safemaker/login/portal
• PCI Share Point for Wisconsin Agencies (login​ required): Contact DOATreasury@wisconsin.gov
  
• PCI Training Video (login required)
  
• Wisconsin Accounting Manual
  
• PCI Do's and Don'ts
  
• Best Practices
  
• PCI Incident Reporting: Contact WI Enterprise Service Desk (ESD) at ESDHelp@wisconsin.gov
• PCI Accidental Discloser (example excel spreadsheet with credit card numbers that were incorrectly transferred): Contact DOATreasury@wisconsin.gov
• Technical or IT questions: Contact DOAHelpdesk@wisconsin.gov