
Municipalities and PCI Compliance – Do we have to?

Any entity (public, private, for profit, not-for-profit) that takes credit cards for payments must comply with PCI requirements. Knowing your merchant level is the first step to understanding what your compliance requirements entail.


Payment Card Industry (PCI) compliance is generally something we assume big box stores and your average merchants all have. If they have a credit card swipe machine, they must be doing all the right things, right?

But when it comes to our local cities, towns and school districts, our comfort level is less clear. Does my small-town Recreation Department have all the right “things in place” to be compliant with PCI? Better yet, do they even have to be? And what if a third-party processor is used? Does that get the town off the hook?  

Do towns, cities and school districts need to be PCI compliant? 

The short answer is yes. If the entity processes credit cards, it needs to be PCI compliant. The difference is in how it can become compliant. Expectations for a municipality are nowhere near those of a big box store or retailer like Walmart or Amazon. First, PCI compliance is divided into four levels, based on the number of Visa and/or Mastercard transactions that are processed per year. Level 4 (the lowest level, at less than 20,000 e-commerce transactions per year) is generally where most municipalities will fall. Based on the PCI compliance level, different requirements must be met.

So what does the town have to do now? 

Let’s start with the lower levels. Levels 2, 3 and 4 are required to complete a yearly self-assessment using the PCI self-assessment questionnaire tool (SAQ), in addition to a quarterly network scan by an approved scanning vendor (the PCI Security Standards Council lists approved scanning vendors online).

The first part of the SAQ is a series of yes or no questions pertaining to each applicable PCI Data Security Standard requirement. There are different SAQs available for different merchant environments based on how the organization or entity accepts payment cards. Part 2 of the SAQ is an “Attestation of Compliance,” or certification that you are eligible to perform and have performed the appropriate self-assessment – essentially “checking the box” that you followed the rules. 

Entities that fall into Level 1 must have yearly assessments of compliance by a Qualified Security Assessor (QSA) in addition to the above requirements for Levels 2, 3 and 4. The yearly assessment takes a closer look at the entity’s point of sale (POS) system, reviews areas of vulnerability and identifies a prioritized list of security improvements the entity can make. In response, the entity must develop appropriate security measures to monitor the payment system going forward. The town should start by identifying the appropriate SAQ for them, using the guidelines at www.pcisecuritystandards.org. 

What if a third-party processor is used?   

There are SAQs specific to these types of entities. For example, Questionnaire A is designed for organizations that accept payment cards as “card-not-present merchants” (e-commerce or mail/telephone-order) and have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises. For towns using third-party PCI-compliant companies (such as PayPal) to do their transacting for them, this may be the questionnaire for them.

So while the questionnaire may be shorter and simplified since the PCI vendor is doing the bulk of security legwork, the town still needs to go through the SAQ process. 

What if the town does nothing? 

If the entity doesn’t abide by PCI compliance requirements, Visa reserves the right to change the entity’s level standards to those of a higher (or stricter) level. So where the town may have only been expected to maintain Level 4 compliance, it now may have to abide by more. Not to mention the risks associated with a customer card data breach, both reputational and financial: data breaches lead to lost business and lawsuits. Banks can additionally charge fees, and a number of penalties can be imposed if the entity does not become PCI compliant.

Any entity (public, private, for profit, not-for-profit) that takes credit cards for payments must comply with PCI requirements. Knowing your merchant level is the first step to understanding what your compliance requirements entail. Determining the right SAQ for you is second. Utilizing third-party payment processors may help, but won’t get you completely off the hook for compliance. If you’ve been delaying getting familiar with your merchant responsibilities, the time is now. 
