back to all discussions

04/16/2021 PCI Compliant

Ross, City of Santa Cruz

Recently I have been fielding questions related to PCI compliance at the City.  The main quesitons that come up are around if the City is PCI compliant and how does the City become PCI compliant?
Does anyone have experience with ensuring their city is PCI compliant and what have you done to become PCI compliant?  
Do you use a third party for PCI compliance?  Is there a way to have a city become PCI compliant independent of a third party?
Santa Cruz is a full service City providing both water and refuse collection so we do process a lot of payments which I think is one of the main issues with why we are not PCI compliant.  
Thanks for any thoughts or suggestions.  
3 replies
Sandra

04/19/2021 01:55:33 PM

Palo Alto used a third-party consultant to establish PCI standards and reach compliance with requirements. It seemed to me that successful implementation was due to expert knowledge. Palo Alto IT department managed this project. Palo Alto outsources many payment processes but does still have some internal payment administration. 
Jena

04/19/2021 01:27:16 PM

We work the same as Mountain View and have a third party for payments. I agree with Claudia it would be difficult for a City to manage this.
Claudia

04/19/2021 01:11:31 PM

City of Mountain View uses a third party vendor - Paymentus.  Paymentus is PCI compliant and certified with annual security assessments.

Payment Card Industry Data Security Standard became effective in 2006 but I doubt government agencies were on top of this.

I believe an entity could manage this process without a 3rd party vendor but you would require a substantial Information Technology department with experience in encryption, checks and balances, fire wall strengths, periodic testing and annual security assessments and submit all policies and procedures to obtain certification.  I am not confident a City can manage all of this, however, a County may be able to manage their own PCI Compliance.