A government or utility can outsource its risks around credit and debit card processing to a third party merchant service provider. Transactions are completed on systems owned and operated by the service provider, which is responsible for securing those systems and maintaining PCI compliance.
Our civic services solutions are designed for your public sector agency and the citizens you serve, covering community development, permitting, enforcement, inspections, business licensing, compliance, maintenance and work orders, 311 requests, utility billing, and parks and recreation management.
Seamlessly connect courts, public safety, and supervision agencies to ensure safer and more efficient operations for correctional facilities. Give your justice partners access to critical and sensitive data including pre-booking information from officers in the field and inmate scheduling information for the court.
Since Tyler Technologies is compliant, is there anything that my organization needs to do to maintain its compliance?
Yes. A common misconception is that because a third-party servicer provides a PCI compliant service, the organization using it is automatically compliant with the PCI Data Security Standard. Tyler maintains PCI compliance for its payment applications, but PCI DSS applies to every entity involved in payment card processing, including the merchant. Using Tyler as a third-party service provider does, however, greatly reduce the number of PCI requirements your organization is subject to for that specific part of your business.
Are organizations using third-party processors required to be PCI DSS Compliant?
Yes. Simply using a third-party processor does not make your organization compliant. Using a third party may reduce your risk exposure, and therefore the effort needed to validate compliance against the PCI standards, but the obligation remains yours.
Who do I need to submit my compliance documentation to?
There is a lot of misleading information in regard to this question. The PCI Security Standards Council does not require you to submit documentation to the Council; enforcement of PCI DSS is left to the acquiring bank(s) and the card brands. In short, any compliance documentation your organization completes should be kept on file and submitted to your organization's acquiring bank (or merchant account manager) when requested.
My organization has multiple locations, is each location required to validate its PCI compliance?
Typically, your organization is only required to validate once annually for all business locations. Some circumstances require separate validation per location, for example when each location uses a different credit card processor.
My organization does not store credit card data so PCI compliance doesn't apply to us, right?
Accepting credit or debit cards at your business (or e-business) automatically makes you subject to PCI requirements: PCI DSS applies to storing, processing, or transmitting cardholder data, not only to storing it. If your organization does not store card data, the requirements you must validate will likely be reduced, but not eliminated.
What are the penalties for non-compliance?
The payment brands (Visa, MasterCard, American Express, etc.) levy fines on the acquiring bank at their discretion, and acquiring banks typically pass those fines down to the merchant. In addition, the acquiring bank can increase transaction fees or terminate its relationship with your organization if it is found to be non-compliant, and the payment brands can restrict your ability to accept their cards.
Can Tyler help me fill out my PCI compliance documents?
There are many moving pieces to PCI compliance. Tyler may be one of many third-party providers your organization uses to accept payments, so we cannot readily assess or answer questions about your exact PCI requirements. We can provide our own PCI Attestation of Compliance (AoC) as evidence that Tyler maintains compliance with PCI DSS. In most cases, our AoC is all you need to show a PCI assessor that your Tyler-based applications are PCI DSS compliant for the portion of the cardholder data environment that Tyler operates.
Any organization that handles credit card payments needs to understand and comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of 12 binding requirements designed to ensure that card data is handled securely and to reduce the likelihood of data breaches.
PCI DSS requires that stored primary account numbers be rendered unreadable (for example by strong encryption, truncation, or tokenization) wherever they are stored, and that sensitive authentication data, such as the card security code printed on the card (the 3-digit CVV2/CVC2, or the 4-digit CID on American Express cards), full magnetic-stripe or chip data, and PINs, never be stored once a payment has been authorized. Public sector organizations must follow these rules and meet the requirements of PCI DSS alongside their other regulations.
Each industry has its own challenges when it comes to credit card payments and theft. The public sector, which includes the military, law enforcement, and public services, is not immune to them. A strong security strategy against credit card theft must address people, technology, and processes, and PCI DSS gives organizations a baseline of requirements on which to build such a strategy.
Public sector organizations should check with their software, hardware, and service providers and ask whether they are compliant with PA-DSS (since superseded by the PCI Software Security Framework) and PTS requirements, while also confirming that those providers are not storing credit card data that is not necessary.
Professional Governmental Underwriters, Inc., is a full-service risk management company dedicated to assisting public, educational and non-profit entities in the management of their professional liability exposures including educators liability insurance. We are dedicated to providing state-of-the-art professional underwriting management and loss control advisory services on behalf of our designated carriers. For more information, call us toll-free at (800) 586-6502.
The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary is available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Yes, Amazon Web Services (AWS) is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available. The compliance assessment was conducted by Coalfire Systems Inc., an independent Qualified Security Assessor (QSA). The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Even if you are a non-PCI DSS customer, our PCI DSS compliance demonstrates our commitment to information security at every level. Because the PCI DSS standard is validated by an external independent third party, it confirms that our security management program is comprehensive and follows leading industry practices.
Customers must manage their own PCI DSS compliance validation, and additional testing will be required to verify that your environment satisfies all PCI DSS requirements. For the portion of the PCI cardholder data environment (CDE) that is deployed in AWS and falls under AWS's responsibilities, your Qualified Security Assessor (QSA) can rely on the AWS Attestation of Compliance (AOC) without further testing; the controls you operate on top of AWS (for example, the configuration of your instances, applications, and access controls) still have to be tested.
For detailed information, see the "AWS PCI DSS Responsibility Summary" in the AWS PCI DSS Compliance Package, available to customers through AWS Artifact.
The full AWS PCI Compliance Package is likewise available to customers through AWS Artifact.
Yes, AWS is listed on both the Visa Global Registry of Service Providers and the MasterCard Compliant Service Provider List. The Service Provider listings further demonstrate that AWS successfully validated PCI DSS compliance and has met all applicable Visa and MasterCard program requirements.
No. The AWS environment is a virtualized, multi-tenant environment. AWS has implemented security management processes, PCI DSS requirements, and other compensating controls that segregate each customer into its own protected environment. This architecture has been validated by an independent QSA and found to comply with all applicable PCI DSS requirements.
The PCI Security Standards Council has published PCI DSS Cloud Computing Guidelines for customers, service providers, and assessors of cloud computing services. The guidelines describe the cloud service models and how compliance roles and responsibilities are shared between providers and customers.