Treasury Services - PCI Compliance

PCI Compliance

Ensuring Your Security

Our technology and policies are designed to keep your online transactions private and secure. Documented steps are taken to safeguard information according to established security standards and procedures, and we continually evaluate new technology for protecting information. Sensitive information passed in online transactions, such as banking information and personal data, is treated as confidential.


What's New in PCI DSS?

The standard is evolving to keep up with the state of e-commerce and increasingly sophisticated cyber threats. The latest version of the standard, PCI DSS v4.0, was released on March 31, 2022.

PCI DSS v4.0 replaces PCI DSS v3.2.1, which will be retired on March 31, 2024. The new version addresses ways to combat new threats and technologies. The main goal of PCI DSS 4.0 is to continue to evolve the standard to meet the changing needs of the payment card industry and the new technologies being implemented daily. A Summary of Changes from PCI DSS v3.2.1 to v4.0 is available in the PCI SSC Document Library.

Key objectives for the changes:

  • Continuing to meet the security needs of the payment industry.
  • Promoting security as a continuous process.
  • Adding flexibility and additional methods to maintain payment security.
  • Enhancing validation methods and procedures.

For additional information on what's new in PCI DSS, please visit the PCI DSS User Guide.

PCI Compliance

  • What is the PCI Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is an established information security standard that applies to any organization involved in processing, transmitting, or storing payment card information. Created and maintained by an independent body, the PCI Security Standards Council (PCI SSC), PCI DSS is designed to improve the security of payment card transactions and to reduce payment card fraud.

The PCI SSC was founded in 2006 as a joint venture of the five major payment card brands (Visa, Mastercard, American Express, Discover, and JCB). Its goal was to create a clear and interoperable set of standards for protecting cardholder information. Although the PCI SSC does not enforce compliance itself (enforcement comes from the card brands and acquiring banks through their agreements with merchants), PCI DSS is now widely accepted and applies to all organizations handling credit, debit, or prepaid card information, regardless of size or industry.


  • What are the various PCI Security Standards?

PCI DSS consists of twelve requirements, organized under six major objectives (goals) delineated by the PCI SSC. Every requirement is a security control that helps businesses satisfy the relevant objective. The objectives and associated requirements are as follows:


  • To whom does PCI apply?

PCI DSS applies to ALL organizations and merchants, regardless of size or number of transactions, that accept, transmit, or store any cardholder data. Said another way, if any customer of an organization ever pays it directly using a credit card or debit card, then the PCI DSS requirements apply.

  • What is addressed in a PCI review?
  1. Network security, including testing and monitoring requirements.
  2. Protection of cardholder data through policies and training.
  3. Storage of data and access controls.
  4. Completion of the annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC).


Agency Responsibility

Any agency that maintains a Merchant Identification Number (MID) for accepting credit/debit card payments must follow the PCI security standards. The key element in the compliance process is the set of internal control procedures established in Wisconsin Accounting Manual section 14-04. Agencies are responsible for ongoing training, policy development, and completion of a Self-Assessment Questionnaire (SAQ) each year. Treasury staff from the State Controller's Office will assist each Wisconsin agency's financial and IT security teams in this effort, in partnership with the Department of Enterprise Technology (DET). By working together, we can proactively protect and secure our payment systems.

Use the following information for incident reporting

State Controller's Office Treasury Team
Contact:

Department of Enterprise Technology
Contact:

Data Breach and Credit Monitoring Services: (view on VendorNet)