Photo of credit card authorization reader

Card Acquiring Service (CAS)

Card Rules & Security Requirements

When processing credit and debit card transactions, you must comply with the Treasury Financial Manual (TFM), Part 5, Chapter 7000, Credit and Debit Card Collection Transactions.

Photo of alert icon Limit for each credit card transaction

The maximum that an agency may collect in a single credit card transaction is $24,999.99.

Security Requirements

Any agency that accepts credit or debit cards as a form of payment is also responsible for protecting customers' sensitive card information.

CAS Security Posture

To conduct business through the program, there are minimum security standard elements that ensure the consistency of cardholder data protection across a given footprint. Collectively, these 4 elements are referred to as the CAS Security Posture:

  1. Payment Card Industry Data Security Standard (PCI DSS)
  2. Europay, MasterCard, Visa (EMV)
  3. Encryption
  4. Tokenization

All federal agencies that process, store or transmit credit and debit card transactions must comply fully with PCI DSS. This is in addition to the Office of Management and Budget (OMB) Personally Identifiable Information (PII) guidelines related to accidental or purposeful disclosure of cardholder information.

Failure to maintain compliance with the PCI DSS puts your agency at risk of significant fines, fees, penalties, or losing the ability to process card payments. Furthermore, a suspected or known compromise of your card processing systems can result in serious damage to your agency's reputation, fines imposed by the Card Networks, and potential litigation brought by impacted cardholders and issuing banks who suffer losses as a result of compromised information.

You must not keep sensitive data

A critical aspect of the standard is not storing sensitive authentication data after a transaction has been authorized. The card brands refer to this data as Prohibited Data.

You must not store:

  • the full content of any track on the back of a card's magnetic stripe
  • the three or four digit code from the back of the card (CVV2 / CVC2 / CAV2 / CID)
  • PIN or encrypted PIN blocks

Storing any of these items after a transaction has been authorized is a direct violation of the card association rules.

You must validate your compliance

Agencies must continually evaluate their systems and processes to ensure that their business is fully protected and in compliance with the PCI DSS.

The required validation depends, in part, on how many credit and debit card transactions your agency processes annually.

The card associations place all organizations that accept credit or debit card payments into one of the four levels in the following table.

Level Description


Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year in one card brand

Any merchant that has suffered a hack or an attack that resulted in an account data compromise

Any merchant that any card association determines to be a Level 1


Any merchant, regardless of acceptance channel, processing 1 to 6 million transactions per year in one card brand


Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year


Any other merchants, regardless of acceptance channel

All agencies should consider themselves Level 4, unless otherwise notified by the Bureau of the Fiscal Service and Worldpay. If your agency moves to Level 3, 2, or 1, you will receive specific guidance from the Bureau of the Fiscal Service and Worldpay on what you must do.

To comply with the PCI DSS, Level 4 agencies must do these two tasks:

  1. Complete an annual PCI Self-Assessment Questionnaire.
  2. Have an Approved Scanning Vendor (ASV) conduct a quarterly network vulnerability scan.
    • A list of Approved Scanning Vendors who are authorized to perform the network vulnerability scans on your behalf is available at this site external to the Bureau of the Fiscal Service:
    • Network vulnerability scans are required for all agencies with external-facing Internet Protocol (IP) addresses in contact with the cardholder data environment.

You can get help with these two tasks

Worldpay, in conjunction with Fiscal Service Card Acquiring Service, has partnered with Trustwave®, an industry leader in information security and compliance, to help agencies simplify the PCI DSS validation process. Trustwave provides a set of online data security tools called PCI Assist.

The PCI Assist tools are specifically designed to guide Level 4 merchants through the PCI DSS validation process.

Fiscal Service is offering PCI Assist to agencies at no charge. We strongly encourage you to use PCI Assist to evaluate your systems and processes to ensure card data is fully protected.

To learn more about this application, log in to PCI Assist at this site external to the Bureau of the Fiscal Service: https://pci.trustwave.com/fms.

Although PCI Assist is designed to facilitate an agency’s compliance efforts, Treasury does not guarantee that using PCI Assist will ensure compliance with the PCI DSS. Agencies are under no obligation to use PCI Assist and may choose to get PCI compliance tools or services from other providers at their own expense.

For training on PCI Assist, see the options at this site external to the Bureau of the Fiscal Service: https://www3.trustwave.com/webinars/vantiv/

If you need help setting up or using PCI Assist, contact us at CardAcquiringService@fiscal.treasury.gov.

For more information on PCI DSS

News and Updates

  • Vantiv is now Worldpay

CAS Customer Support

  • Worldpay's Federal Agency Support Line
    1 (866)-914-0558
  • Email Us

Can't find it?

Tell us what specific content you're looking for and we will get back to you.

Submit a request button

Open Gov   My Money.gov   USA.gov
Linked In   Twitter   Facebook   You Tube   RSS Feed