500.11 - Statewide Accounting Policy - Compliance with PCI Data Security Standards

Policy Area:  eCommerce
Policy Sub Area:  N/A
Authority:  G.S. 66-58.12(a); G.S. 132-6.1(c); and G.S. 147-33.82(b)
Effective Date:  10/1/2008
Last Revision Date:  N/A
Policy Owner/Division:  Statewide Accounting

Policy

Not withstanding any conflict with the “Security and Privacy of Data Policy” or with the Master Services Agreement with the merchant card vendor, the following requirements are to be adhered to: 

  • For all participants in the Merchant Card Services master agreement provided by Office of the State Controller (OSC), the OSC shall secure the services of a security services provider considered to be both a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), for the purposes of providing both remote validation services and vulnerability scanning services. Costs of the various services secured from the security services provider may be borne by either the OSC and/or the participants as may be determined appropriate by the OSC. 
  • As a prerequisite for participating in the master services agreement, each participant must enroll in the services provided by the security services provider: 
    • All participants must subscribe to the service that provides for the annual completion of the appropriate online Security Assessment Questionnaire (SAQ), as required by the PCI Data Security Standard. 
    • All participants that utilize one or more capture methods involving external facing IP addresses, and are subject to undergoing vulnerability scans as required by the PCI Data Security Standard, are to subscribe to the vulnerability scanning service. 
  • Any costs incurred by a participant to become and remain compliant with the PCI Data Security Standards, including but not limited to an annual penetration test (if applicable), shall be borne by the participant. Any costs incurred by the participant associated with an onsite security audit or a forensic investigation that may be required shall be borne by the participant. 
  • Any participant that does not enroll or remain enrolled in the validation service provided by the securities services provider shall not be allowed to participate or continue participation in the Merchant Card Services master service agreement. 
  • Each participant enrolled in the validation service provided by the security services provider shall perform all requirements of the service in a timely manner in order to reflect and attest the status of compliance with the PCI Data Security Standard. 
  • The Office of the State Controller shall periodically compile reports obtained through the validation service reflecting and attesting the status of compliance with the PCI Data Security Standard (PCI DSS). The reports shall be made available to the merchant card processor, as may be requested from time to time by the processor, or as may be requested by a card brand. The information provided shall only be to assist the participants in attesting their compliance with the PCI DSS, as may be required by the master services agreement(s).
  • In the case where the participant is subject to the oversight of a central oversight agency, the Office of the State Controller may share the compliance status reports obtained through the validation service with the appropriate central oversight agency. Appropriate management reports may be submitted as follows:
    • State Agencies – Office of Information Technology Services
    • Universities – UNC General Administration
    • Community Colleges – NC Community College System
    • Local Units of Government – Local Government Commission
  • When appropriate, and/or when requested, the management reports shall be submitted to the Office of the State Auditor.
  • The role of the Office of the State Controller shall not be to make determination if a participant is complaint with the PCI Data Security Standard or not, but to provide information that may be obtained through the validation service to the merchant card processor (vendor). The merchant card processor will use the information provided to determine the participant’s compliance status and to determine any rectifying action that the processor deems appropriate to address any non-compliance issue. The processor may address any non-compliance issue directly with the participant.
  • Pursuant to G.S. 132-6.1(c), the information obtained through the validation service regarding a participant’s PCI Data Security compliance status shall be deemed confidential, as the information would disclose security features of the participant’s electronic data processing systems, information technology systems, telecommunications networks, or electronic security systems. Accordingly, any reports shared with the central oversight agencies are to be treated as confidential information pursuant to the referenced statue.
  • Any participant receiving communications from the merchant card processor regarding a PCI Data Security non-compliance issue must respond to the processor within a reasonable time. Corrective actions must be taken that satisfies the processor’s concerns. Actions taken may include, but not be limited to:
    • Correcting the non-compliance issue within the timeframe agreed to by the processor
    • Implementing compensating measures agreed to by the processor
    • Temporarily suspending the use of a merchant card capture application until the non-compliance issue is resolved
    • Discontinuing the merchant card capture application altogether
  • In the case of a communication received from the merchant card processor regarding a PCI Data Security non-compliance issue, where the participant is subject to the purview of a central oversight agency (i.e., Office of Information Technology Services, UNC-General Administration, NC Community College System, and Local Government Commission), guidance from the central oversight agency should be sought by the participant.
  • For State agencies operating a merchant card capture system, but not participating in a master services agreement provided by the OSC, the agency may apply to enroll in the validation service offered by OSC for PCI Data Security compliance purposes. However, community colleges that are not participants in a master services agreement provided by
  • OSC are to enroll in a validation service offered by the NC Community College System, and are subject to the requirements of the college’s contracted merchant card processor.
  • The individual (or his/her successor) at the governmental entity that executed the “Participation Agreement” to allow the entity to be a participant in OSC’s merchant card services master services agreement shall be the individual responsible for ensuring that the requirements of this policy are adhered to, including but not limited to, responding to any non-compliance issues that may arise.

Procedures

N/A

Accounting Guidance

The PCI Data Security Standards are those issued by the PCI Security Standards Council, which may be viewed at the Council’s website.

Related Documents (Memos/Forms)

N/A

Revision History

  • None to date