LANSING – Michigan state government has again been certified as compliant with the Payment Card Industry’s strict standards for ensuring that cardholder information is protected and secure.

The PCI Data Security Standards apply to financial institutions, Internet vendors and retail merchants and detail the security measures and auditing procedures required to protect private cardholder information during payment card transactions. All major card brands require these Data Security Standards to assure the protection of cardholder data gathered during transactions.

“This is a big win for us and I am proud of the collaboration and teamwork that took place to get this done for all of state government,” said Ken Theis, Director of the Michigan Department of Information Technology (MDIT) and CIO for the State of Michigan. “We have a responsibility to meet the strict standards for safe and secure transactions when citizens share their payment card information with the state, and we take that responsibility very seriously.”

The effort to get Michigan recertified has eliminated fines the state would have had to pay for being out of compliance, and it also reduces costs for the state through lower transaction fees. Many state governments do not have centralized management of credit card processing as Michigan does, which makes Michigan one of the few states with PCI compliance across all state credit card applications.

“Compliance with the Payment Card Industry’s strict security standards is no small feat,” said State Treasurer Robert Kleine. “I am extremely proud of what we have done to get to this point, proud of our partnership with MDIT, and proud that we are living up to the trust that our citizens place in the hands of their government.”

One of the major accomplishments in achieving compliance was installing new credit card readers in all of the Secretary of State branch offices that accept credit cards, which included making programming changes to the branch office system to allow for the encryption and decryption of cardholder data. MDIT worked in close collaboration with the Department of Treasury to ensure success.

Some of the other major steps required for compliance include:

Maintaining a firewall configuration to protect cardholder data

Not using vendor-supplied defaults for system passwords

Protecting stored cardholder data

Encrypting transmission of data across open/public networks

Using and updating anti-virus software

Developing and maintaining secure systems and applications

Restricting access to cardholder data to those with a business need to know

Assigning a unique ID to each person with computer access

Restricting physical access to cardholder data

Tracking and monitoring access to network resources

Regularly testing security systems and processes

Maintaining a policy focused on information security

“Our goal is to keep citizen information safe and secure,” said Trent Carpenter, Chief Information Security Officer for MDIT. “This effort is a prime example of the importance we place on doing everything possible to meet that goal.”
