PCI Data Security Standards Compliance Review for 2023

Report Highlights

Agencies complied with County deadline, submitted forms prior to September 30th Deadline

15 of the 21County and non-county entities that were required to demonstrate their compliance with the Payment Card Industry Data Security Standards ("PCI-DSS") in 2023, did so by the September 30th deadline.

Agencies Submitted the PCI DSS forms After the September 30th County Deadline

Six of the 21 County and non-county entities that were required to demonstrate their compliance with the Payment Card Industry Data Security Standards ("PCI-DSS") in 2023, submitted the forms after the September 30th deadline.

Inconsistencies between SAQ and AOC forms by Three Agencies

We found three agencies had either inconsistencies or absence of a wet or digital signature in the submitted SAQ and AOC forms. For example, one agency's response entered on the "Summary of Assessment" portion identified one requirement as not applicable, "N/A". However, the questionnaire responses were marked as "In Place" on the SAQ Form. Another agency submitted completed SAQ and AOC forms but did not sign the "Signature of Merchant Executive Officer" line.

One County agency stopped processing payment cards

Criminal Justice Services no longer processes, stores, or receives payment card information, and therefore is not required to complete SAQ and AOC forms annually for County PCI Compliance.