Questions and Answers PCI Compliance (Updated May 23, 2014)


Alberta Treasury Board and Finance Communications May 23, 2014


The Alberta government is working toward PCI compliance, an industry standard created by the credit card industry to improve cardholder data security. The following are prepared responses to frequently asked questions.

1. What is PCI compliance?

The payment card industry (PCI) has developed a set of security standards that applies to all merchants who accept American Express, Discover Financial Services, JCB International, MasterCard Worldwide or Visa Inc.

The Payment Card Industry Data Security Standard (PCI-DSS) is the set of requirements all major merchants like the government must adhere to if they want to continue accepting credit card payments for goods and services.

For more information about the PCI Data Security Standard, visit https://www.pcisecuritystandards.org.

2. Why is it important to Albertans that government achieve PCI compliance?

Albertans expect their government to accept credit card payments for things like permits, fines, and campsite reservations, but they also want to know their information is safe. The Alberta government is working toward PCI compliance to further reduce the chance of credit card fraud and identity theft.

3. Is PCI compliance necessary?

The province wants to continue offering Albertans a range of payment options that work for them, including credit cards. Compliance is required by the payment card industry. Failure to comply could result in the government paying fines or no longer being allowed to accept credit cards.


4. Can some government offices opt out?

All ministries that accept card payment must comply in order for the government to be certified PCI compliant. If one ministry does not achieve compliance, then the whole government will be found non-compliant.

Even if a ministry does not accept payment cards, if it has in the past, it is still subject to PCI compliance. Ministries must come up with a plan for locating and disposing of cardholder data as required by PCI.

5. I have heard the province will soon stop collecting credit card numbers. Does that mean I can’t pay for something using my credit card?

The province will continue to accept credit cards as a form of payment, but the actual processing of card payments will be performed on a TD Merchant Services point of sale (POS) terminal or pay page.

6. What is the benefit of turning over the collection of credit card numbers to a third party?

Keeping your personal information separate from your credit card information helps protect you against credit card fraud and identity theft. The province collects your personal information (what you are paying for, shipping address, name, etc.) but it never possesses your credit card number.

7. I sometimes make payments to the province using my credit card. How will PCI compliance affect me?

In many cases, the order process will be similar, except when it comes time to provide your credit card number.

Ministries will continue to process orders received by mail, phone, fax or email, although some ministries may no longer offer all of these options. During the checkout process, clients using any of these methods and paying by credit card will be:

• referred to a secure automated telephone payment system

• referred to a secure pay page powered by TD Merchant Services, or

• sent an email containing a link to a pay page.


Where available, clients can also pay in person. Card payment options may vary from Ministry to Ministry.

8. How does the Government Payment Application Service (GPAS) work?

Example: You are ordering a book by email. The business unit processes the order on its GPAS system and emails you a payment request that includes a transaction number and a link to TD Merchant Services. You click on the link to open the TD Merchant Services pay page and fill in the fields as you would on any other e-commerce pay page. After you complete your payment, GPAS emails the business unit a payment notification for the service or product you ordered. GPAS then emails you a payment receipt, and you are done. The same process can be applied to fax and phone orders.

9. How does the Telephone Interactive Payment Service (TIPS) work?

Example: You are requesting a permit. The employee on the other end of the line handles your request like before, until it is time for you to provide your credit card number. The employee will ask to either put you through to TIPS, or email you a payment request just like the book order example mentioned above. If you choose to pay by phone, the system puts you through to TIPS. You simply follow the prompts and key your credit card information right into your phone. In both cases, the system generates a transaction number that ties the payment to the transaction. The credit card information goes directly to TD Merchant Services.

10. I’m used to doing things my way and don’t really understand the internet or automated telephone payment systems. Can’t you just make an exception and take my payment like you did before?

As the Alberta government implements PCI compliance, employees will no longer be able to accept payments in the following ways:

• Accepting credit card numbers provided verbally over the phone,

• Accepting card numbers provided in an email,

• Accepting card numbers provided in a fax or mailed letter,

• Accepting card numbers provided in a voicemail,

• Accepting credit card payments manually without a proper point of sale (POS) terminal, or

• Keying a credit card number into a POS terminal for a Card Not Present (CNP) transaction.


It’s all about protecting you from identity theft and credit card fraud.

In many cases, the order process will be similar, except when it comes time to provide your credit card number.

Ministries will continue to process orders received by mail, phone, fax or email. During the checkout process, clients using any of these methods and paying by credit card will be:

• referred to a secure automated telephone payment system

• referred to a secure pay page powered by TD Merchant Services, or

• sent an email containing a link to a pay page.

Where available, clients can also pay in person.

11. When does government expect to achieve PCI compliance?

Government started phasing out the direct collection of credit card information in June 2013. Ministries are at various stages of implementation. Some business areas within a ministry may stop collecting numbers before other business units within that same ministry.

Government is aiming to achieve initial compliance by the end of 2014, although the actual certification may take place in early 2015. At that point, government as a whole will no longer be collecting credit card numbers. All ministries will have approved plans in place to locate and dispose of any credit card information that may have been collected in the past.

12. Which ministries are involved?

Any ministry that accepts credit cards as payment or has collected them in the past is subject to PCI compliance.

13. Does PCI compliance affect only government ministries?

PCI Compliance applies to any organization that uses credit cards to collect revenue. With respect to the Government of Alberta’s specific PCI Compliance Policy, any agency, board, crown corporation or commission that processes credit card payments under the government’s credit card contract must adhere to the government’s PCI Compliance policies.


14. Who is responsible for the PCI compliance standards?

The Payment Card Industry (PCI) Security Standards Council develops, maintains and manages the PCI Security Standards. The Council has five founding global payment brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

The five global payment brands also recognize the PCI Council as being qualified to validate the credentials of companies and individuals trained to validate compliance with the PCI DSS. But it is the payment card companies that enforce PCI compliance and impose penalties, not the council. The council also provides tools and guidance to help merchants as they work toward achieving compliance.

For more information about the Payment Card Industry (PCI) Security Standards Council, visit https://www.pcisecuritystandards.org.

15. Does the government do a lot of credit card transactions?

Albertans make credit card payments to the province for a variety of things, such as permits, fines, museum tickets and books. The Alberta government processes about 4.3 million credit and debit card transactions each year, with transaction volume roughly tripling in the past three years. The government has nearly 600 merchant numbers and hundreds of point-of-sale terminals.

For more information please visit http://pcicompliance.alberta.ca.
