CAS Rules and Security Requirements

Rules for Using CAS

When processing credit and debit card transactions, you must comply with the Treasury Financial Manual (TFM), Part 5, Chapter 7000, Credit and Debit Card Collection Transactions.

Security Requirements

Any agency that accepts credit or debit cards as a form of payment is also responsible for protecting customers' sensitive card information. An overview of the security requirements is below. When an agency enrolls in CAS, they will be sent detailed security requirements.

CAS Security Posture

To conduct business through the program, there are minimum security standard elements that ensure the consistency of cardholder data protection across a given footprint. Collectively, these 4 elements are referred to as the CAS Security Posture:

1. Payment Card Industry Data Security Standard (PCI DSS)
2. Europay, MasterCard, Visa (EMV)
3. Encryption
4. Tokenization

All federal agencies that process, store, or transmit credit and debit card transactions must comply fully with the Payment Card Industry Data Security Standard (PCI DSS). This is in addition to the Office of Management and Budget (OMB) Personally Identifiable Information (PII) guidelines related to accidental or purposeful disclosure of cardholder information.

Failure to maintain compliance with the PCI DSS puts your agency at risk of significant fines, fees, penalties, or losing the ability to process card payments. Furthermore, a suspected or known compromise of your card processing systems can result in serious damage to your agency's reputation, fines imposed by the Card Networks, and potential litigation brought by impacted cardholders and issuing banks who suffer losses as a result of compromised information.

You must not keep sensitive data

A critical aspect of the standard is not storing sensitive authentication data after a transaction has been authorized. The card brands refer to this data as Prohibited Data.

You must not store:

• the full content of any track on the back of a card's magnetic stripe
• the three or four digit code from the back of the card (CVV2 / CVC2 / CAV2 / CID)
• PIN or encrypted PIN blocks

Storing any of these items after a transaction has been authorized is a direct violation of the card association rules.

You must validate your compliance

Agencies must continually evaluate their systems and processes to ensure that their business is fully protected and in compliance with the PCI DSS. The required validation depends, in part, on how many credit and debit card transactions your agency processes in a year. The card associations place all organizations that accept credit or debit card payments into one of the four levels:

All agencies should consider themselves Level 4, unless the Bureau of the Fiscal Service and Worldpay notify them that they are at a different level. If your agency moves to Level 3, 2, or 1, you will receive specific guidance from the Bureau of the Fiscal Service and Worldpay on what you must do.

1. Complete an annual PCI Self-Assessment Questionnaire.

   The questionnaires are at this site external to the Bureau of the Fiscal Service: www.pcisecuritystandards.org/saq/instructions_dss.shtml

   You must complete the appropriate questionnaire for your agency.

2. Have an Approved Scanning Vendor (ASV) conduct a quarterly network vulnerability scan.

   A list of Approved Scanning Vendors who are authorized to perform the network vulnerability scans on your behalf is available at this site external to the Bureau of the Fiscal Service: www.pcisecuritystandards.org/qsa_asv/find_one.shtml. Network vulnerability scans are required for all agencies with external-facing Internet Protocol (IP) addresses in contact with the cardholder data environment.

If you need help complying with the security requirements, please e-mail the CAS Agency Outreach Mailbox at CardAcquiringService@fiscal.treasury.gov.

For more information on PCI DSS