
Federal guidelines for protecting credit cardholders' data apply to cities and towns

Some municipalities may believe they are exempt from complying with payment card industry standards because they are governmental entities.

"It's one of the common misunderstandings. And the answer is, 'No, you're not exempt,'" said Ray Hillen, director of security practices with Agio, an IT security consulting firm. In fact, compliance with the global data security standard is mandatory for local governments, just as it is for any other business that accepts payment cards and stores, processes and/or transmits cardholder data.

Payment Card Industry standards were developed to ensure customers' payment card data are kept safe and both customers and merchants are protected against data breaches. The standards apply to any business or entity that takes payment for services by credit card, including government offices that accept credit or debit card payments for water bills, recreational fees, taxes or any other service.

"Municipalities, hospitals, universities, community colleges: if they process payments, in the world of PCI, they are all merchants," Hillen said.

Using a third party for credit card processing does not absolve a local government of its responsibility for compliance. The PCI Data Security Standard still applies to the local government. Local officials should require a written agreement from their service provider verifying that the service provider will comply with the PCI requirements.

The five major credit card brands (American Express, Discover, JCB International, MasterCard and Visa Inc.) founded the Security Standards Council to help reduce fraudulent charges by creating and maintaining up-to-date data security standards. The SSC also provides education and training to help merchants ensure customers' credit card data are kept safe throughout all transactions.

The Council frequently updates and refines its guidelines. In fact, PCI-DSS Version 3.0 became the mandatory standard effective on January 1. It is important for municipalities to constantly review where they are in terms of compliance and understand any updates or changes to the requirements, Hillen said.

The standard has 12 requirements designed to build and maintain a secure network, protect cardholder data, ensure the maintenance of vulnerability management programs, implement strong access control measures, regularly monitor and test networks, and ensure the maintenance of information security policies.

While the PCI Security Standards Council encourages merchants to follow best practices, it does not enforce compliance or impose any consequences for noncompliance. Banks and credit card processors are the entities responsible for enforcing the standard and can assess penalties for noncompliance. 

The Council maintains an extensive website, www.pcisecuritystandards.org, with information about getting and staying in compliance, along with answers to common questions a municipality or other merchant may have. The Council has also defined six security milestones to help merchants incrementally protect against the highest risk factors and escalating threats while achieving PCI-DSS compliance. More information is available on the Council's website.

  1. Don't store the information if you don't need to keep it once the transaction is authorized, particularly credit card numbers and other sensitive data such as the CVV or CVC code (the additional security number on the back of credit cards). (Hillen echoed that tip, saying the easiest way for municipalities to mitigate their risk is to reduce the amount of cardholder data stored, either by outsourcing or going to a virtual payment method.)
  2. Protect systems and networks, and be prepared to respond to a system breach by determining all access points to the information. Then segment the network to limit what needs to be secured.
  3. Secure applications that accept payment cards, including application processes and servers.
  4. Monitor and control access to your computer systems.
  5. Be sure that data is protected if your local government must store sensitive card information.
  6. Finalize remaining compliance efforts, and ensure all controls are in place by completing the remaining PCI-DSS requirements, and implementing policy, procedures and processes.


The do's and don'ts of PCI compliance (provided by the Better Business Bureau)
  • Do regularly monitor and test networks/systems that have payment card data.
  • Do implement and enforce an organizational Information Security Policy.
  • Do install, and keep up-to-date, a firewall that protects cardholder data stored within company systems.
  • Do assign every employee with computer access a unique ID and use a robust password (e.g., mix of letters, numbers and symbols), which is changed frequently (every 45-60 days).
  • Do restrict physical access to company systems and records with cardholder data to only those employees with a business "need-to-know."
  • Do encrypt cardholder data if transmitting it over wireless or open, public networks.
  • Do use and regularly update antivirus software.
  • Do have secure computer systems and applications (e.g., good and frequent process to update all computers with necessary patches, process for identifying system/application vulnerabilities, etc.).
  • Do ensure any e-commerce payment solutions are tested to prevent programming vulnerabilities like SQL injection attacks.
  • Do use a Payment Application Data Security Standard compliant payment application listed on the PCI Security Standards Council website.
  • Do verify that any third-party service provider that handles cardholder data has validated PCI DSS compliance by visiting the PCI Security Standards Council website.
  • Don't store magnetic stripe cardholder data or the CVV or CVC code after authorization.
  • Don't use vendor-supplied or default system passwords or common/weak passwords.
  • Don't store cardholder data in any systems in clear text (i.e., unencrypted).
  • Don't leave remote access applications in an "always on" mode.
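Milestone 1 above and the storage don'ts in this list come down to two controls: persist nothing after authorization that PCI DSS forbids (track data, CVV/CVC, PIN), store the PAN only in masked form, and then check that full card numbers are not leaking into logs or exports. This added Python example (not from the article, the Council or the BBB) shows both; the record field names, the log format and the test card number are constructed.

```python
import re

# Fields PCI DSS forbids keeping after authorization (constructed field names):
# full magnetic-stripe track data, the CVV/CVC code and PIN data.
FORBIDDEN_AFTER_AUTH = ("track_data", "cvv", "pin")

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; screens out account and invoice numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Return the only form of an authorized transaction that may be persisted."""
    safe = {k: v for k, v in record.items() if k not in FORBIDDEN_AFTER_AUTH}
    if "pan" in safe:
        safe["pan"] = mask_pan(safe["pan"])
    return safe

def find_pans(text: str) -> list[str]:
    """Report Luhn-valid, unmasked PANs found in logs or exports (returned masked)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits

# Constructed log lines for a utility-bill payment service (not real data);
# the first PAN is the widely published Visa test number.
SAMPLE_LOG = """\
water-pay: auth ok pan=4111 1111 1111 1111 amount=84.20
water-pay: account 1234567890123456 invoice 77
water-pay: auth ok pan=411111******1111 amount=12.00
"""

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))          # ['411111******1111']
    print(sanitize_for_storage({"pan": "4111111111111111", "cvv": "123",
                                "track_data": "...", "amount": "84.20"}))
```

Running `find_pans` over real application logs, database exports and backups is the usual first step of the "reduce the data you store" milestone: every hit is a place where cardholder data lives outside the systems you intended to secure.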