[Vtr-tac] Compliance with Payment Card Industry Data Security Standard Credit Card Security (PCI DSS)

Electronic Distribution of VTR Information to Texas Counties vtr-tac at extlists.dmv.state.tx.us
Thu Mar 25 13:52:42 CDT 2010

Please review and distribute as appropriate.
Action Required for Counties Participating in IVTRS
All counties participating in IVTRS are required to complete the
attached document Attestation of Compliance for Self-Assessment
Questionnaire A (SAQ-A) annually and return it to the Texas Department
of Motor Vehicles prior to April 30, 2010.  If your County Commissioners
Court approval is required, we request that you begin that process soon.
 Any county that has not submitted the SAQ-A will be removed from IVTRS
participation on June 30, 2010. 
In addition, IVTRS participating counties are required to maintain
written policies for handling IVTRS chargeback requests which include
credit card number security procedures.  This is sensitive customer
information and while in your possession must be stored in a safe place
and credit card numbers shredded when resolved.  
Background on PCI Compliance:
Texas NICUSA is a new vendor responsible for managing the TexasOnline
website.  NICUSA intends to maintain the security of TexasOnline to the
highest standards of government, commercial, and financial institutions.
Their current security standards comply with PCI DSS requirements. The
industry’s goal is to take seriously the trust cardholder’s place
with merchants that have access to their information.  The program boils
down to procedures for ensuring that cardholder information is
Cardholder information is defined as:  
-        Full contents of any track of the magnetic strip on the back
of the card
-        Card Validation Code (either on back in signature block for
most cards or on front for American Express)
-        Combination of Name, Account Number, and Expiration Date
The overall benefits of PCI DSS Compliance:
-        Customer Service “Safe”
-        Cost Containment
-        Public Image
A breach of standards may result in a fine up to $500,000 per incident
for non-compliant merchants (counties).  
TxDMV has verified with the PCI Compliance group that each merchant
(county) must complete and send back a SAQ-A.  You are being asked to
review your internal procedures where you may interact with cardholder
information.  For the most part that may only be in the event of a
request for a chargeback.  By affixing a signature to the SAQ-A, you
attest that your county is in compliance.  Failure to complete the SAQ-A
will result in your county being removed from participation in TxDMV
Additional information about PCI DSS Compliance can be found at:
Instructions for completing the SAQ-A:
1) Do NOT change any of the check boxes which have been pre-checked.
Verify that your county adheres to all policies/procedures describe by
the checked boxes.
2) Leave “Part 1” blank
3) Complete “Part 2”
4) Complete “Part 2a” : “List facilities and locations included
in PCI DSS review:”
5) Complete “Part 3b”: Either the County Tax Assessor-Collector or
another County Official should sign as the “Merchant Executive
6) Verify that your county has written policies and procedures that
support “Part 4.” This includes restricting physical access to
cardholder data and addressing information security.
7) Fax or mail the SAQ-A to the TxDMV at:
---Fax:  (512) 467-3994
---Mail:  Texas Department of Motor Vehicles 
            Attn: County Agreement Coordinator
            4000 Jackson Ave.
            Austin, TX 78731
NOTE:  The completed SAQ-A document must be returned to the TxDMV prior
to April 30, 2010, to avoid any interruption in your county’s
participation in IVTRS.
Completion of this questionnaire will be an annual requirement of the
Payment Card Industry Security Standards Council.  TxDMV will provide
instructions to the counties with sufficient advance notice.
If you have any questions or need any additional information please
contact your local Vehicle Titles and Registration Division Regional

If you have any comments or suggestions concerning this VTR
communication process, please contact your local VTR Regional Office.

If you would like to see previous postings from the "VTR Electronic
Archives," please visit
http://extlists.dot.state.tx.us/pipermail/vtr-tac/ .

More information about the VTR-TAC mailing list