Audit Reports - Public - Payment Card Industry's Data Security Standards (PCI DSS) - Audit Follow-up - 10/5/2017

City Auditor's Office Memorandum

Date: October 5, 2017
To: Kevin R. Phelps, City Manager
From: Candace MacLeod, City Auditor
Subject: PCI DSS Audit Follow-up

In June 2016, the City Auditor's Office completed an assessment of the City's efforts to protect customers' credit card information, as required by the Payment Card Industry's Data Security Standards (PCI DSS). The audit provided management with ten recommendations to strengthen controls and ensure compliance with the PCI DSS. In March 2017, a follow-up was conducted and identified that seven of the ten audit recommendations had been addressed. An additional follow-up was performed in September 2017 and one recommendation remains open relating to establishing a contract for employee background screening services. Management expects to complete the open item by November 30, 2017.

Please contact me if you have any questions.

Attachment

cc: Michael D. Bailey, City Attorney
Jim Brown, Director of Human Resources and Risk Management
Lisette Camacho, Assistant Director of Budget and Finance
Tom Duensing, Assistant City Manager
Jack Friedline, Assistant City Manager
Chuck Murphy, Director of Innovation and Technology
Vicki Rios, Director of Budget and Finance

City Auditor's Office 1 PCI DSS Follow-up

PCI DSS Follow-up: Recommendations, Management Responses (March 2017 and September 2017) and Status

Recommendation 1.1: City Manager's Office (CMO) assign responsibility for PCI compliance and reporting to a member of management.
Management Response, March 2017: The City's CISO has been assigned complete responsibility for PCI compliance.
Management Response, September 2017: Same response as March 2017.
Status: Closed

Recommendation 1.2: CMO assign responsibility for the development of controls to ensure SAQs, AOCs and network scans are accurately completed, retained and submitted to the City's banking institution in accordance with PCI requirements.
Management Response, March 2017: The CISO coordinated activities with internal departments and the City's banking partner.
1. Completed compliance documentation - All required PCI compliance forms and supporting documentation are stored on SharePoint in the PCI Documentation dedicated folder:
• City's Compliance Certificates
• City's response to all PCI DSS requirements
• Network and data-flow diagrams
• Vendor AOCs
• SAQ compliance form
• ASV [illegible]
2. Certification Scans - IT has contracted [text cut off]
Management Response, September 2017: Same response as March 2017.
Status: Closed

Recommendation 2.1: Budget and Finance develop and maintain credit card security procedures in accordance with PCI DSS requirements.
Management Response, March 2017: The cash and credit card handling policy was updated in September 2016 and November 2016. The updated policy includes procedures on handling credit and debit card transactions and information set forth by the PCI DSS.
Management Response, September 2017: Same response as March 2017.
Status: Closed

Recommendation 2.2: Budget and Finance develop controls to ensure personnel handling credit cards receive training upon hire and annually in accordance with PCI DSS requirements and retain annual training acknowledgements.
Management Response, March 2017: Budget and Finance trained City employees who process cash and credit and debit card transactions and who have access to credit and debit card information on September 28, 2016, October 12, 2016, October 27, 2016, November 17, 2016, December 5, 2016 and December 7, 2016. The updated cash and credit card handling policy also requires employees who process cash and credit and debit card transactions and who have access to credit and debit card information to attend initial and annual training from the Budget and Finance Department.
Management Response, September 2017: Same response as March 2017.
Status: Closed

Recommendation 2.3: Innovation and Technology develop and implement policies, procedures and agreements for City managed service providers in accordance with PCI DSS requirements.
Management Response, March 2017: IT is coordinating efforts with departments to ensure that PCI compliant processes are in place at the department level to ensure compliance with the City's SAQ level. IT is developing a policy, in conjunction with other departments, which identifies responsibilities for various departments related to PCI compliance. Attorney's Office and Materials Management has PCI requirement language in respective contracts. Finance has policies in place for training and credit card device management. IT is developing a policy that identifies departmental responsibilities with respect to PCI. The estimated completion date is July 30, 2017.
Management Response, September 2017: IT developed the Payment Card Industry (PCI) Policy Book which was published on August 1, 2017.
Status: Closed

Recommendation 3.1: HR work in conjunction with City departments to ensure personnel handling credit cards receive background screenings prior to hire or being assigned this function after hire.
Management Response, March 2017: In February 2017, HR created a checklist which has been added to the temporary new hire packets. All temporary employees are required to have the GIS criminal check completed. New packets with checklists have been placed on our website.
Management Response, September 2017: Same response as March 2017.
Status: Closed

Recommendation 3.2: HR update policies and procedures to ensure PCI compliance, as applicable.
Management Response, March 2017: Changes to HR Policy 201 have been drafted and reviewed by the City Attorney's Office. This policy will be reviewed by the Personnel Board at an upcoming meeting estimated to be in May 2017.
Management Response, September 2017: HR Policy 201 has been updated effective July 1, 2017.
Status: Closed

Recommendation 3.3: HR develop controls to ensure background screening results are retained, as appropriate.
Management Response, March 2017: In November 2016, procedures were developed to ensure results are being tracked in [illegible]. A query was created to track fingerprint results and will be done monthly.
Management Response, September 2017: Same response as March 2017.
Status: Closed

Recommendation 4.1: HR work in conjunction with Materials Management to ensure background screening services comply with City procurement policies and incorporate safeguards to protect PII.
Management Response, March 2017: HR is continuing to work with GIS to get a contract in place by June 30, 2017.
Management Response, September 2017: In Process. The original contract was provided by GIS and is currently being re-written. The estimated completion date is November 30, 2017.
Status: Open

Recommendation 5.1: Innovation and Technology maintain a program to verify that vendors performing network scans are ASVs authorized to transmit scans to the City's bank and that they transmit scans to the bank in accordance with PCI requirements.
Management Response, March 2017: The City's ASV scans are currently contracted with an approved ASV scanning vendor. IT's procedure, which has been verbally approved by both City Finance and Bank of America, is to run the scan, review it, and have it reviewed by [illegible]. A copy is then sent to City Finance and [illegible]. Once [illegible] has reviewed the report, they will send a confirmation back to the City's CISO. The City is currently PCI compliant. Current PCI project: [text cut off]
Management Response, September 2017: Same response as March 2017.
Status: Closed