Treasury Services - PCI Compliance

​  PCI Compliance

Ens​uring Your Security

Our technology and policies are designed to make your online transactions private and secure. Documen​​​ted steps are taken to safeguard information according to established security standards ​and procedures and we contin​ually evaluate the newest technology for protecting information.  Sensitive information passed in online transactions such as banking information, and personal data is confidential.


What's New in PCI DSS?​

The Payment Card Industry (PCI) Data Security Standards (DSS) are evolving to keep up with the state of e-commerce and more sophisticated cyber threats. ​​

A new PCI DSS version 4.0 is replacing the PCI DSS version 3.2.1 on March 31, 2​022.  PCI DSS v3.2.1 will be retired as of March 31, 2024.  Below are just some of the chang​es you will see in the new PCI DSS version. ​A c​omplete summary of changes from v3.2.1 to v4.0 is available in the PCI Document ​Library​  

Definition of Change​
​Self-Assessment Questionnaire (SAQ) Reference Requirements
Addition​al encryption requirements added regarding​ PAN and SAD
Protection against removal media, Phishing protections added, Security Awareness Training Added​
​5.3.3, 5.4.1,,

​Additional Cybersecurity requirements, such as malware scans & IDS/IPS applicati​ons​
​, 10.7.2, 10.7.3​

​​Access Reviews added as a requirement.
​​7.2.4, 7.2.5 (verified using the process required in 7.2.4),
​MFA Required within CDE
​8.4.2, 8.5.1​
​Automated audit log reviews added
​PCS DSS Scope must be evaluated every 12 ​months
​12.5.2, if ​​they are a service provider it must be evaluated every 6 months,
​Targeted risk analysis preferred in all requirements rather than the overall organization-wide risk assessments

For additional information on what's new in PCI DSS v4.0, please visit the What's New in PC​​​​​I D​SS 

PCI Compliance​

  • ​​​​​​​​What is the PCI Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is an established information security standard which applies to any organization involved in the processing, transmission, and storage of credit card information. Created and overseen by an independent agency, the PCI Security Standards Counc il (PCI SSC), PCI DSS is designed to improve the security of payment card transactions and to reduce credit card fraud.

The PCI SSC​​​ was founded in 2006 as a joint venture between the five largest payment card brands (Visa, MasterCard, American Express, Discover, and JCB). Its goal was to create a clear and interoperable set of standards for protecting consumer information. Although the SSC does not enforce compliance itself, the PCI DSS is now widely accepted and applies to all organizations dealing with credit, debit, or cash card information, regardless of size or industry.


  • ​​What are the various PCI Security Standards?

PCI DSS consists of twelve requirements, organized under six major objectives delineated by the PCI SSC. Every requi​​rement is a security step that helps businesses satisfy the relevant objective. The objectives and associated requirements are as follows:


  • To whom does PCI apply?

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

  • ​​What is addressed for a PCI review?
  1. Network Security which includes testing and monitoring requirements.
  2. Protection of cardholder data via policies and training.
  3. Storage of data & access controls.
  4. Requirements of annual self-assessment questionnaire (SAQ) and attestation of compliance (AOC).


​Agency Re​sponsibility

Any agency who maintains a Merchant Identification Number (MID) for accepting credit/debit card payments must follow the PCI security standards. The key element in the compliance process is the internal control procedures established within the Wisconsin Accounting Manual section 14-04. Agencies will be responsible for ongoing training, policy development, and completion of a Self-Assessment Questionnaire (SAQ) each year.  Treasury staff from the State Controller's Office will assist Wisconsin Agency's Financial and IT Security Teams in this endeavor, in partnership with the Department of Enterprise Technology (DET).  By working together, we can proactively protect and secure our payment systems.

PCI Training

On an annual basis the payment card industry requires each merchant to attest that they are in compliance with the Data Security Standards of the PCI Council.  These standards require that all staff who handle and/or oversee credit acard receipting operations complete annual training.  In order to comply with the PCI requirements and Wisconsin statutes, the State Controller's Office is providing an annual PCI training video through Cornerstone called PCI Compliance.  There are additional training videos in Conerstone regarding ​PCI DSS and ​protection for point of sale devices that would be beneficial to various members on your team.  You can find all PCI training videos in Cornerstone by entering "PCI" in the search menu.​ 

Use the following information for incident reporting​

State Controller's Office Treasury Team       Department of Enterprise Technology

Contact:         Contact:​

Data Breach and Credit Monitoring Services:​ (view on VendorNet)​​​