Validation of PCI Compliance Requirements

NC Office of the State Controller
June 23, 2015

Purpose

The purpose of this document is to instruct entities that subscribe to merchant card processing services under the Master Services Agreement (MSA) between the State of North Carolina and Fiserv/First Data Merchant Services, LLC (FISERV), dated February 1, 2015 and renewed May 24, 2024, on the process for “attesting” their validation of compliance with the PCI Data Security Standard (PCI DSS).

Requirements

Master Services Agreement (MSA) Requirement - The MSA states that, “The vendor and participant shall comply with all Payment Card Industry (PCI) security standards.” There are various requirements that must be adhered to, most of which are contained in standards promulgated by the PCI Security Standards Council. The website for the Council is: https://www.pcisecuritystandards.org

Office of the State Controller (OSC) Policy - OSC’s policy entitled, “Security and Privacy of Data,” requires each participant in the MSA to: “Participate in any security assessments and security scans required by the associations and/or OSC, in order to be and to remain compliant with Payment Card Industry (PCI) Security Standards, and be responsible for any fines levied as the result of not being compliant.” The policy can be viewed at the following link:
https://www.ncosc.gov/state-agency-resources/statewide-policy-directory/50013-statewide-accounting-policy-security-and-privacy-data

Components of PCI Requirements

There are three components of requirements pertaining to PCI:

  1. Compliance
  2. Validation
  3. Attestation

Compliance is performed by the participant implementing infrastructure and procedures.

Validation of compliance is two-fold: 1) pass a vulnerability scan at least quarterly; and 2) complete a Self-Assessment Questionnaire (SAQ) annually with no exceptions. Validation of a successful scan must be performed by a “qualified scanning vendor” (QSV). Validation of the completion of the SAQ can be performed either through a “qualified security assessor” (QSA) or by the participant itself.

Attestation of validation of compliance is required to be made by the participant (merchant). The frequency and method of attestation depend upon the Level assigned to the participant (Levels 1, 2, 3, 4). The merchant card processor (Fiserv) may request attestation of validation of compliance periodically, depending on requests it receives from the card associations (i.e., Visa, MasterCard, American Express, Discover). Such requests could apply only to merchants at certain Levels, or to all merchants.

Summary of Responsibilities

  • Participant
    • Become compliant and remain compliant with the PCI Data Security Standard
    • Validate its compliance with the PCI Data Security Standard for quarterly vulnerability scans and annually for Self-Assessment Questionnaires (SAQs)
    • Attest its validation of compliance with the PCI Data Security Standard (As may be requested from time to time by Fiserv and/or the card associations)
  • Fiserv/First Data Merchant Services
    • Ensure that all merchants (participants) comply with the PCI Data Security Standard
    • Provide attestation of validation of participants’ compliance to the card associations as may be requested from time to time
    • Address any non-compliance issues with the participant
  • Office of the State Controller
    • Provide participants optional vulnerability scanning services through a Qualified Scanning Vendor (QSV).
    • Provide participants with an optional tool to validate their compliance through a Qualified Security Assessor (QSA), and to attest such validation; the Self-Assessment Questionnaire is completed annually through an online portal.

Enrollment in MegaPlanIt and VigiTrust

OSC has contracted with MegaPlanIt and VigiTrust to provide participants in the Statewide MSA the option to 1) perform quarterly vulnerability scans with MegaPlanIt; and 2) perform annual Self-Assessment Questionnaires in the VigiTrust online portal VigiOne. These services are optional; participants are free to choose PCI compliance services from other vendors.

Multiple Business Processes – Single Online SAQ

In some cases, a participant may have merchant card programs that function separately and have different business processes, including different capture methods. As a result, when considered individually, each outlet may be eligible to complete a different Self-Assessment Questionnaire (SAQ). Whenever more than one SAQ is applicable to a participant, the participant should complete the most stringent of them.

Monitoring of Validation of Compliance

The merchant card processor / acquirer (i.e., Fiserv) is the party charged by the card associations with the responsibility to periodically obtain attestation of validation of compliance from the merchant (agency). MegaPlanIt provides the ability for the entity to “attest” the validation of its scanning results on a quarterly basis. The online VigiOne portal provided by VigiTrust allows the entity to “attest” the validation of its successful completion of the appropriate Self-Assessment Questionnaire (SAQ) on an annual basis. Each participant is responsible for completing its vulnerability scans and SAQs.

Fiserv will determine any rectifying action that may be needed by an entity whose chain (its group of merchant outlets) indicates a non-compliant status. Fiserv may contact the entity directly regarding non-compliance issues. Should one of an entity’s multiple outlets cause the “chain” to reflect a non-compliant status, Fiserv may request information on the non-compliant outlet. Non-compliant outlets will be dealt with on an individual basis.

Questions

Questions regarding this process can be addressed to osc.pcicompliance@ncosc.gov.