Will That Be Credit or Debit? - Summer 2008

Written by Kymber Waltmunson



Citizens are increasingly calling for the convenience of using credit and debit cards (payment cards) to pay for local government fees and services. As more and more local governments respond to this call, they wade into the murky, shark-infested waters of the Payment Card Industry Data Security Standard, more commonly called PCI-DSS or just PCI.

Beyond security, accepting payment cards quickly becomes more complex than it appears at first glance. In this article I will discuss two areas that emerged in a recent audit of payment card processes in Snohomish County, Washington: security and costs.

SECURITY

When we initiated our audit of payment cards, most interviewees had never heard of PCI and were only vaguely aware of data security in general. I am happy to report that, by the completion of our audit, we were able to significantly raise awareness of payment card security issues and prompt quick improvements to security processes.

The Payment Card Industry Data Security Standard (PCI-DSS)

PCI is promulgated by the PCI Security Standards Council, a group founded by the credit card companies. Their website states, "The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures." The credit card companies require compliance with PCI but pass the responsibility for ensuring compliance on to banks, called "acquirers," who often, in turn, pass it on to third-party "qualified security assessors" (QSAs).

PCI compliance includes six primary areas of responsibility:

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

PCI defines four merchant levels, determined by the number of credit card transactions processed through e-commerce and/or over the counter. Depending on merchant level, compliance requires completion of a self-assessment questionnaire, quarterly network scans by an "approved scanning vendor" (ASV), and/or a self-assessment questionnaire validated by a QSA. Compliance with PCI and acceptance of the self-assessment questionnaire are ultimately determined by the acquiring bank.

In a well-received revision of PCI and the Self-Assessment Questionnaire just published in March 2008 (the previous version was 1.0, the new version is 1.1), the ways in which a merchant accepts card payments and subsequently stores the data determine the PCI requirements with which an entity must comply. There are specially tailored versions A-D of the questionnaire; which version applies to a merchant is determined by the following characteristics (see PCI DSS Self-Assessment Instructions and Guidelines, v1.1 for full details):

  • Outsourcing all cardholder data functions;
  • Using card imprint machines only with no electronic data storage;
  • Using only stand-alone, dial-out terminals with no electronic data storage;
  • Using only systems connected to the internet with no electronic data storage; or
  • Everyone else.

Failing to comply with PCI standards could result in costly fines and legal liability, restrictions on acceptance of credit/debit cards, withdrawal of authority to accept credit/debit cards, and potentially most notably, loss of public trust.

Who is responsible?

Because of the ways that most governmental entities are set up, responsibility for implementing and monitoring PCI may cross departments and systems. In our jurisdiction the department of Information Services, Finance, and the elected Treasurer each managed pieces of the security issue. It is important not to evaluate only online transactions or only over-the-counter transactions for compliance if your entity uses both payment channels. Without cross-system collaboration it would be very difficult for any one of these parties to achieve PCI compliance on its own.

COSTS

When we began our audit, some believed that there were no additional costs associated with accepting payment cards, except perhaps the rental of the card processing machines. With some investigation we were able to quantify those costs and explain ways to identify, track, and manage them, leading to additional efficiencies.

The three big areas of cost are interchange rates, card processing choices, and promoting the most beneficial payment card type for each transaction.  The following examples show data from our particular jurisdiction, our bank, and our customers and may not reflect the reality of your jurisdiction.

Interchange

The following description is excerpted from the 2006 Government Accountability Office (GAO) report, Credit Cards: Increased Complexity in Rates and Fees Heightens Need for More Effective Disclosures to Consumers.  

When a consumer makes a purchase with a credit card, the merchant selling the goods does not receive the full purchase price. When the cardholder presents the credit card to make a purchase, the merchant transmits the cardholder's account number and the amount of the transaction to the merchant's bank. The merchant's bank forwards this information to the card association, such as Visa or MasterCard, requesting authorization for the transaction. The card association forwards the authorization request to the bank that issued the card to the cardholder. The issuing bank then responds with its authorization or denial to the merchant's bank and then to the merchant. After the transaction is approved, the issuing bank will send the purchase amount, less an interchange fee, to the merchant's bank. The interchange fee is established by the card association. Before crediting the merchant's account, the merchant's bank will subtract a servicing fee. These transaction fees, called interchange fees, are commonly about 2 percent of the total purchase price.... In addition, the card association receives a transaction processing fee.

A sample of this process in our jurisdiction follows:

[Figure: a sample of the interchange process in the author's jurisdiction]

Processors

In order to accept payment cards, the government must choose a method to process the cards. For example:

  • The entity's bank can process the cards directly via card reading machines
  • There are online processors of payment cards such as PayPal, private companies, "product" options offered by banks, etc.

Our entity has four processing systems, one over-the-counter and three online. Each card processor has different charges and fees associated with it, and government entities should make informed and reasoned policy decisions regarding the route they will take. The formats for processing include:

  • The merchant pays all interchange fees;
  • The merchant pays a per transaction fee plus all interchange;
  • The merchant pays a membership fee plus all interchange;
  • The customer pays a per transaction "convenience fee" and the merchant pays all interchange; and
  • The customer pays a per transaction "convenience fee" that includes interchange and the merchant receives the full purchase amount.

The following chart shows the costs vs. revenue for the three online processors that our jurisdiction utilizes.

[Chart: costs vs. revenue for the three online processors used by the author's jurisdiction]

Card Costs

Not all credit and debit cards are the same. When processed over the counter, their cost can vary widely because of the interchange rates described above. Although some cards are solely credit cards and a few are debit only, some payment cards may be processed multiple ways. For example, my debit card can be processed as credit, signature debit, or PIN debit.

Card type comparison (reconstructed from the original table):

Credit
  What is it?  A card is swiped through a magnetic card reader; the customer signs a receipt if they are present.
  What tools do you need?  A magnetic card reader, and a credit card or credit card information.
  What does it cost?  Analysis of County charges shows a range of 1.43-2.95% plus $.10 for each transaction; the mode is 1.43% + $.10 for Visa and 2.05% + $.10 for MasterCard.
  Notes:  (none)

"Offline" Debit (AKA "Check Card", AKA "Signature Debit")
  What is it?  A card is swiped through a magnetic card reader; the customer signs a receipt if they are present.
  What tools do you need?  A magnetic card reader, and a debit card or debit card information.
  What does it cost?  Analysis of County charges shows a range of 0.8-2.21% plus $.25 for each transaction; the mode is 0.80% + $.25.
  Notes:  Lower interchange fees than credit for transactions above a certain dollar amount.

"Online" Debit (AKA "PIN Debit")
  What is it?  A card is swiped through a magnetic card reader; the customer keys in their PIN code; the transaction is electronically authorized.
  What tools do you need?  A magnetic card reader with PIN pad or a card reader with an add-on PIN pad, and an in-person customer.
  What does it cost?  PIN debit is a flat interchange fee of $.65 for each transaction.
  Notes:  Reduced chargebacks; lower interchange fees for most transactions.

With this information we determined that (to the extent customer service staff can influence transactions, and to the extent that the card presented can be processed in more than one way) if a transaction is above $32, it is cheapest to accept PIN debit. Transactions below $12 are cheapest to process as credit. Between $12 and $32 it becomes more complicated: if the customer presents a Visa card, it is cheaper to process the card as credit; if the customer presents a MasterCard, it is cheapest to process it as signature debit rather than PIN debit.
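The comparison above, carried through as an added worked example that is not from the article: each processing route is modelled as a percentage of the amount plus a fixed charge, using the modal over-the-counter rates from the card-cost table, and the code picks the cheapest route for a given amount and card brand and computes the breakeven amount between two routes. The `brand` parameter is an assumption of this example (the table gives one debit schedule for either brand), and because only the modal rates are used, the breakevens illustrate the method rather than reproduce the author's $12 and $32 thresholds.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FeeSchedule:
    """One processing route: a percentage of the amount plus a fixed charge."""
    name: str
    rate: float   # fraction of the transaction amount (0.0143 == 1.43%)
    fixed: float  # fixed charge per transaction, in dollars

    def cost(self, amount: float) -> float:
        return round(self.rate * amount + self.fixed, 4)


# Modal over-the-counter rates taken from the article's card-cost table.
VISA_CREDIT = FeeSchedule("Visa credit", 0.0143, 0.10)
MC_CREDIT = FeeSchedule("MasterCard credit", 0.0205, 0.10)
SIGNATURE_DEBIT = FeeSchedule("signature debit", 0.0080, 0.25)
PIN_DEBIT = FeeSchedule("PIN debit", 0.0, 0.65)  # flat fee, no percentage


def cheapest_route(amount: float, brand: str) -> str:
    """Cheapest way to run a card that can be processed as credit,
    signature debit or PIN debit.  `brand` ("visa" or "mastercard") is an
    assumed parameter that selects the credit schedule; the article's table
    gives a single debit schedule regardless of brand."""
    credit = VISA_CREDIT if brand.lower() == "visa" else MC_CREDIT
    routes = (credit, SIGNATURE_DEBIT, PIN_DEBIT)
    return min(routes, key=lambda r: r.cost(amount)).name


def breakeven(a: FeeSchedule, b: FeeSchedule) -> Optional[float]:
    """Transaction amount at which two routes cost the same, or None when
    the percentage rates are equal and the cost lines never cross."""
    if a.rate == b.rate:
        return None
    return round((b.fixed - a.fixed) / (a.rate - b.rate), 2)


if __name__ == "__main__":
    for amount in (5, 10, 20, 40, 100):
        print(f"${amount}: Visa -> {cheapest_route(amount, 'visa')}, "
              f"MasterCard -> {cheapest_route(amount, 'mastercard')}")
    print("MasterCard credit vs signature debit breakeven:",
          breakeven(MC_CREDIT, SIGNATURE_DEBIT))
```

Replace the four schedules with the rates your own acquirer charges to rerun the analysis for your jurisdiction.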


CONCLUSION

In summary, evaluating the complexities of payment cards is a necessary hurdle as jurisdictions react to customer demand for convenience and the efficiencies of e-government. The PCI tools available to ensure security have recently improved and mandate proper protection of customer information. When auditing compliance with PCI, consultations with your entity's bank, QSA (Qualified Security Assessor) and ASV (Approved Scanning Vendor), along with a glossary of terms and TLAs (three letter acronyms), will boost your ability to complete an audit effectively.



Copyright © 1999-2006 Association of Local Government Auditors. All rights reserved.