PCI Compliance 101: Understanding the Data Security Standard and How to Comply

By Andrew Brooks, VP of Information Security

As a Level 1 PCI compliant payment facilitator for local governments and utilities, CityBase gets a lot of questions about PCI – like what puts an organization within PCI scope, and how to comply with the standards. If you take credit card payments, you are required to be PCI compliant. The Payment Card Industry (PCI) Standards Council is the governing body that outlines the security criteria that organizations must comply with in order to achieve and maintain PCI compliance. This standard is known as the PCI Data Security Standard (PCI DSS).

How to Determine if You Are in PCI Scope

One of the most common issues cities face is identifying their responsibilities when taking credit card payments and assessing PCI scope. An easy way to determine if you are in scope is to ask yourself three simple questions:

1. Is cardholder data stored on your network?
2. Is cardholder data transmitted over your network? 
3. Is cardholder data stored on any of your systems?  

If you answered yes to any of these questions, then you are required to be PCI compliant. Your merchant level and PCI requirements will further be determined by the amount of transactions you take each year. The levels are as follows:

• Level 1: Merchants processing more than 6 million card transactions per year
• Level 2: Merchants processing 1 to 6 million transactions per year
• Level 3: Merchants handling 20,000 to 1 million transactions per year
• Level 4: Merchants handling fewer than 20,000 transactions per year

Level 1 merchants are required to maintain an extensive PCI compliance program, complete a yearly Report on Compliance (ROC), and meet all controls outlined in the PCI DSS. Lower-level merchants, such as Level 4, are able to submit a self-assessment questionnaire to maintain PCI compliance.  

Maintaining a Secure System: Why It’s Important to be PCI Compliant

Even though Level 3 and Level 4 merchants are under less scrutiny, the amount of work for maintaining PCI compliance can be overwhelming for smaller and mid-sized cities. 

In addition to the amount of work required to get it right, there is often a looming uncertainty about getting it wrong and being the victim of a data breach, or handling cardholder data on non-compliant systems. Beyond data breaches and PCI compliance, security is increasingly important as constituents require payment systems that they can trust.

How To Reduce Your PCI Scope

One of the most effective ways to reduce or eliminate an organization’s PCI burden is to partner with a third party merchant service provider whose solution can reduce your PCI compliance overhead. 

The PCI council defines a merchant service provider as a business entity that is not a payment brand such as Visa or MasterCard, but is directly involved in the processing, storage, or transmission of cardholder data. 

A government or utility can outsource its risks around credit and debit card processing to a third party merchant service provider. Transactions are completed on systems owned and operated by the service provider, which is responsible for securing those systems and maintaining PCI compliance.

By outsourcing this work to a trusted third party, you free up time and resources that can be reinvested in serving constituents, rather than spending time worrying about the security of your payment systems and the ability to continue taking payments.

How CityBase Reduces PCI Scope for Governments and Utilities

CityBase understands the challenges that cities, counties, and utilities face when balancing myriad commitments and responsibilities. It’s specifically why our products and services are designed to remove client networks and systems from PCI scope. 

CityBase is committed to building a world-class information security program. We strive to protect our business and our clients, and the people and places they serve. CityBase is dedicated to maintaining and constantly improving a multi-faceted security program to support our platform, and the people and businesses who rely on it.