DOA > Treasury Services - PCI Compliance

Treasury Services - PCI Compliance

 PCI Compliance

Ensuring Your Security

Our technology and policies are designed to make your online transactions private and secure. Documented steps are taken to safeguard information according to established security standards and procedures and we continually evaluate the newest technology for protecting information. Sensitive information passed in online transactions such as banking information, and personal data is confidential.

What's New in PCI DSS?

The standard is evolving to keep up with the state of e-commerce and more sophisticated cyber threats. The latest evolution of the standard — PCI DSS v4.0 — was released on March 31, 2022.
A new PCI DSS version 4 is replacing the PCI DSS version 3.2.1. PCI DSS v3.2.1 will be retired as of March 31, 2024. The new version addresses ways to combat new threats and technologies. The main goal of PCI DSS 4.0 is to continue to evolve the standard to meet the changing needs of the payment card industry and the new technologies being implemented daily. A summary of Changes from version 3.2.1 to v4.0 is available in the PCI SSC Document Library.
Key objectives for changes: 
Continuing to meet the needs of the payment industry.
Promoting security as a continuous process.
Adding flexibility and additional methods to maintain payment security.
Enhancing payment validation methods and procedures.

For additional information on what's new in PCI DSS, please visit the PCI DSS User Guide.

PCI Compliance

What is the PCI Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is an established information security standard which applies to any organization involved in the processing, transmission, and storage of credit card information. Created and overseen by an independent agency, the PCI Security Standards Counc il (PCI SSC), PCI DSS is designed to improve the security of payment card transactions and to reduce credit card fraud.
The PCI SSC was founded in 2006 as a joint venture between the five largest payment card brands (Visa, MasterCard, American Express, Discover, and JCB). Its goal was to create a clear and interoperable set of standards for protecting consumer information. Although the SSC does not enforce compliance itself, the PCI DSS is now widely accepted and applies to all organizations dealing with credit, debit, or cash card information, regardless of size or industry.

What are the various PCI Security Standards?

PCI DSS consists of twelve requirements, organized under six major objectives delineated by the PCI SSC. Every requirement is a security step that helps businesses satisfy the relevant objective. The objectives and associated requirements are as follows:

To whom does PCI apply?

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

What is addressed for a PCI review?

Network Security which includes testing and monitoring requirements.
Protection of cardholder data via policies and training.
Storage of data & access controls.
Requirements of annual self-assessment questionnaire (SAQ) and attestation of compliance (AOC).

Agency Responsibility

Any agency who maintains a Merchant Identification Number (MID) for accepting credit/debit card payments must follow the PCI security standards. The key element in the compliance process is the internal control procedures established within the Wisconsin Accounting Manual section 14-04. Agencies will be responsible for ongoing training, policy development, and completion of a Self-Assessment Questionnaire (SAQ) each year. Treasury staff from the State Controller's Office will assist Wisconsin Agency's Financial and IT Security Teams in this endeavor, in partnership with the Department of Enterprise Technology (DET). By working together, we can proactively protect and secure our payment systems.

Use the following information for incident reporting

State Controller's Office Treasury Team Department of Enterprise Technology
Contact: DOATreasury@wisconsin.gov Contact: ESDHelp@wisconsin.gov
Data Breach and Credit Monitoring Services: (view on VendorNet)

Resources

PCI Security Standards Council: https://www.pcisecuritystandards.org/
PCI Security Standards Council list of validated products and solutions
https://www.pcisecuritystandards.org/product-solutions-listings-overview/
PCI Compliance Manager Portal (Sysnet Portal login required): https://www.pcicompliancemanager.com/safemaker/login/portal
PCI Training Video (login required)
Wisconsin Accounting Manual
PCI Do's and Don'ts
Best Practices
PCI Compliance 12-Step Checklist https://pcidssguide.com/your-12-step-pci-dss-compliance-checklist/
PCI Incident Reporting: Contact WI Enterprise Service Desk (ESD) at ESDHelp@wisconsin.gov
Data Breach and Credit Monitoring Services: (view on VendorNet)
PCI Accidental Discloser (example excel spreadsheet with credit card numbers that were incorrectly transferred): Contact DOATreasury@wisconsin.gov
Technical or IT questions: Contact DOAHelpdesk@wisconsin.gov

State of Wisconsin

Department of Administration

Treasury Services - PCI Compliance

Quick Links