Treasury Management
January 4, 2008
Volume 26, Number 1
The Payment Card Industry Data Security Standard: Where to Begin
By Michael Petitti
Because payment card (credit or debit cards) acceptance has become common online, in stores, and through telephone and mail order, citizens are beginning to demand, if not expect, that their local and state governments accept payment cards.
Stories of high-profile data security breaches continue to make the news. Whether they are reports of government agencies missing laptops or criminals stealing cardholder data from a large retailer, data security breaches—or at least their disclosure—are on the rise. With automated tools that even amateurs can use to discover unprotected cardholder data over the Internet along with a burgeoning black market providing financial incentives to malicious individuals to steal that information, payment card acceptance can put government agencies at risk.
Fortunately, the card brands (American Express, Discover, JCB, MasterCard, and Visa) have come together to create a security standard for all entities that process, store, and transmit cardholder data. The standard is the Payment Card Industry Data Security Standard (PCI DSS) that guides organizations in protecting the cardholder information they process, transmit, or store.
Payment Cards – Convenient for Both Constituents and Crooks. Even if a government entity does not accept e-commerce transactions, it is still at risk. A connection to the Internet anywhere within your network can serve as the artery through which a malicious individual armed with the proper tools (many available for free on the Internet) can extract cardholder information. In fact, our company's investigations of payment card compromises show that 73 percent of compromises occur in traditional, brick-and-mortar environments as opposed to e-commerce environments.
A payment card breach does not bode well for a state or local government's reputation. Not only will accusations of incompetence fly, the breach will inconvenience constituents as they deal with the repercussions. They must examine their payment card statements for erroneous charges, cancel their card or cards, and cope with a frozen account until their card is re-issued.
Because the card brands require that every entity that processes, stores, or transmits cardholder data comply with all 12 requirements of the PCI DSS, they will issue fines if an investigation of the compromise determines that a government entity was not in compliance with the PCI DSS at the time. So in this example, not only are taxpayers the victims of a crime, they must also foot the bill for punitive fines.
Takeoff – Embarking on Your Compliance Journey. Implementing the PCI DSS requires IT and data security knowledge. To get an idea, download the standard at http://www.pcisecuritystandards.org. But do stay calm. Before you balk at the 17-page document and its 12 pages of requirements and sub-requirements, understand that organizations from corner stores to franchises to the biggest retailers and institutions in the world have validated or are working toward PCI DSS compliance.
What is most important is to get started. To do so, you must survey your environment, benchmark current security practices, limit the scope of the standard (or consolidate where payment card acceptance occurs), and have your network scanned for vulnerabilities.
Getting Started on PCI DSS Compliance
1. Survey Environment
   - Where within the organization are payment cards accepted?
   - Through what channels are they accepted (e.g., e-commerce, Point-of-Sale terminals, mail or telephone)?
2. Benchmark Security Practices
   - What information security policies and procedures or controls are currently in place?
   - Which of those policies and procedures currently meet PCI DSS requirements?
3. Limit Scope
   - What units/departments must accept payment cards and why?
   - Can technology used in the acceptance process be cordoned from the rest of the network?
4. Vulnerability Scan
   - Where and how is the network currently vulnerable?
   - What actions must be taken to address those vulnerabilities?
Step 1: Survey Environment. During this stage, it is important to develop a network diagram that clearly illustrates where payment cards are accepted within your network and through what channel. Acceptance channels include e-commerce, telephone and mail order, and face-to-face transactions through Point-of-Sale (POS) terminals. Find out what payment acceptance applications your organization uses and whether those applications are found on Visa's list of secure payment applications (applications that have been certified as adhering to Visa's Payment Application Best Practices—PABP). To view the list, visit http://www.visa.com/pabp.
During the surveying process, you also should begin to understand whether or not your organization has the resources necessary to handle the compliance process internally. The network diagram will serve as a valuable resource when you begin requesting proposals from vendors should you decide to seek outside help.
Step 2: Benchmark Security Practices. Determine whether any information security policies and procedures currently exist within your organization. Also, determine what steps have already been taken to secure your network. Does your organization currently use a firewall or any other data security technology? Is that technology properly configured?
During this phase of the process, have a qualified individual compare the PCI DSS to your current security controls to determine where your organization is lacking. This will help you understand how much time needs to be invested in the project and whether your organization will need to invest in new technology.
Step 3: Limit Scope. Using the information gathered during the survey step, determine what agencies or departments accept payment cards and whether they need to accept them. Explore whether certain departments can transition card acceptance to another department (e.g., the department of revenue) to consolidate the number of acceptance channels. In addition, begin to consider whether outsourcing payment acceptance to a third-party processor would be more efficient for your organization.
If your organization dismisses outsourcing payment acceptance, begin to develop a plan for segmenting the associated technology from the rest of the network. Also, determine which employees and departments actually need access to cardholder information.
Step 4: Vulnerability Scan. A vulnerability scan of your network consists of a company scanning your network IP addresses for vulnerabilities that could be exploited by hackers and used to gain unauthorized access to your network (and cardholder data). A non-technical analogy is hiring a consultant to walk around your government building jiggling doorknobs and windows to determine where a thief may be able to gain access to the building. A vulnerability scan performed by a scanning vendor approved by the PCI SSC will clarify where your network is lacking in terms of the security controls detailed within the PCI DSS. For a list of approved scanning vendors, visit https://www.pcisecuritystandards.org/pdfs/asv_report.html.
Examine the results of your vulnerability scan to corroborate and supplement the information gathered in the survey phase. The results will detail where your network is vulnerable, and some scanning vendors' reports will include remediation recommendations providing your organization with a clear action plan for compliance.
Michael Petitti is the Chief Marketing Officer for Trustwave.
Update from Washington
By Susan Gaffney
With the start of the new year, Congress has many pieces of developing legislation that are of interest to state and local governments. Below is the status of several issues of particular interest to Treasury Management readers.
Withholding Requirement of 3 Percent on Government Payments. Beginning in 2011, state and local governments that spend more than $100 million on goods and services annually will be required to withhold 3 percent of all payments made to vendors and remit that 3 percent to the federal government. This requirement was mandated by Section 511 of the 2005 Tax Increase Prevention and Reconciliation Act (TIPRA). Fortunately, legislation to repeal this requirement has gained a great deal of support, but the likelihood of enactment remains in question. The repeal legislation, H.R. 1023, S. 777, and S. 2394, has 225 co-sponsors in the House, and tremendous support from both the public and private sectors.
Separately, the House passed legislation (H.R. 3996) that provides for a one-year delay in the implementation of the withholding provision and calls upon the U.S. Treasury Department to write a report detailing how the provision could be implemented. H.R. 3996 contains many different components, including an important one-year patch to the alternative minimum tax (to prevent many middle-income taxpayers from having to pay higher taxes), and extends for one year many expiring tax provisions, including the deductibility of state and local sales taxes, which especially helps residents in states without an income tax. The Senate also wants to provide a one-year patch and extend expiring tax provisions, but its draft proposal does not include a one-year delay for the withholding provision. The House and Senate have yet to work out their differences on this important tax bill, but leaders have deemed it a priority that must get done before leaving for the holidays.
Federal Home Loan Bank Letters of Credit. Legislation has been introduced (S. 1963 and H.R. 2091) that would allow Federal Home Loan Banks (FHLB) to offer letters of credit for tax-exempt bonds. Letters of credit provide governments with a credit enhancement that could help lower borrowing costs. Since 1984, Congress has barred FHLBs from offering letters of credit without jeopardizing the tax-exempt status of the governmental bonds. The FHLB is arguing that the time has come for Congress to recognize the importance of allowing them to offer letters of credit in order to assist smaller and mid-sized governments to access credit enhancements, especially when bond insurers usually do not serve this population.
Credit Card Interchange Fees. In July, the House Judiciary Committee's Antitrust Task Force held a hearing on credit card interchange fees. During the hearing, the Judiciary Committee's Chairman, John Conyers (D-Michigan), spoke of his concerns about the unfair burden the fees impose upon consumers and merchants, noting that $26 billion in fees was collected in 2006, and about whether credit card companies engage in anti-competitive behavior. Witnesses from credit card companies defended their practices, despite tough questioning from the chairman. Private sector businesses have been outspoken about these practices, and some have developed a Web site to educate the public on this issue – unfaircreditcardfees.com. Although the hearing and the Judiciary Chairman's interest in this issue are seen as positive steps, it is unlikely that Congress will address this issue in the 110th Congress.
Mortgage Reform and Lending Practices. The subprime lending crisis, which has led to great disruption in the financial and the housing markets, has garnered a great deal of attention in Congress. Various legislative proposals have been introduced that would place new requirements on lending practices, and help homeowners avoid foreclosure proceedings.
The tax-exempt bond market has also felt a ripple effect from the crisis. Some bond offerings have not been able to come to fruition due to rate volatility. In addition, bond insurers who are heavily exposed to mortgage-backed securities investments could face a downgrade in their credit ratings.
Arbitrage Rebate Rules/Electronic GIC Bidding. The IRS has proposed technical changes to the Internal Revenue Code to modify the application of arbitrage rebate rules. Many believe that this is a first step in an effort to provide more significant changes to arbitrage regulations that would be helpful to issuers and the marketplace. The proposals, announced on September 24, are mostly positive for state and local governments. Specifically, the proposed regulation formally acknowledges the use of electronic bidding platforms for guaranteed investment contracts (GICs). The current regulations were approved during the era of the fax machine and thus do not accurately reflect the current market practices of using email and web sites. The regulation also provides an increase in the arbitrage rebate computation credit from $1,000 per year to $1,400 – the first increase since 1993, and clarifies the use of open market escrows when the Treasury Department stops selling State and Local Government Securities (SLGS). Finally, the proposal clarifies the rules for interest rate swaps, including a new rule to facilitate the use of LIBOR-based swaps in advance refunding transactions.
One area of concern, however, is that when an issuer overpays its arbitrage rebate to the IRS, and is owed a refund from the IRS for that overpayment, the proposed regulation states that the IRS will not include any interest on the overpayment. The GFOA is concerned with this policy and will be sending in comments later this month asking for this proposal to change and allow for interest to be paid on the arbitrage rebate overpayments. A copy of the proposed regulation is on the GFOA's Web site.
Suitable Investments. The SEC proposed changes to Regulation D this fall. Regulation D sets the framework for who may invest in private placements, limited offerings, and other investments exempt from many regulatory requirements including suitability and disclosure requirements. In the past, state and local governments have mostly been barred from being sold these investments because they were not defined as “accredited investors.” The proposed changes to Regulation D would change the definition of “accredited investors” to include state and local governments with assets greater than $5 million.
Susan Gaffney is the director of the GFOA's Federal Liaison Center in Washington, D.C.
Index of 2007 Treasury Management Newsletter Articles
For your reference, the following is a subject index of feature articles appearing in the Treasury Management newsletter during 2007.
- Cash Flow Forecasting
- Cash Handling
- Choosing an Investment Advisor
- Commercial Paper/Mortgage Crisis
- Electronic Payments
- Fraud Prevention
- Investment Management for Smaller Governments
- Investment Strategies for the Current Economy
- Lessons Learned
- Liquidity Assessments
- Lockbox Services
- Selecting a Broker
- Washington Update
Economy and Interest Rates
Panel of Economists
Interest Rate Outlook

| Rate | Feb-08 Average (Low-High) | April-08 Average (Low-High) | July-08 Average (Low-High) |
|---|---|---|---|
| Fed Funds | 3.98 (3.75 - 4.25) | 3.78 (3.50 - 4.00) | 3.75 (3.50 - 4.00) |
| 30-day prime bank (CD) | 4.14 (3.30 - 4.65) | 3.96 (3.30 - 4.65) | 3.93 (3.40 - 4.65) |
| 3-month T-bill yield | 3.49 (3.25 - 3.70) | 3.57 (3.30 - 3.80) | 3.65 (3.35 - 3.80) |
| 5-year Treasury note | 3.69 (3.25 - 4.04) | 3.86 (3.15 - 4.40) | 3.97 (3.20 - 4.60) |
| 30-year Treasury bond | 4.49 (4.35 - 4.70) | 4.52 (4.30 - 4.90) | 4.65 (4.50 - 5.10) |

The Treasury Management newsletter's panel of eminent institutional economists projects interest rates for the first day of each forecast month. Averages are the midpoints between the arithmetic mean and the median of individual projections. The low and high individual forecasts illustrate the range.
Interest rate forecast panelists
- Eugenio J. Alemán, Wells Fargo Bank
- Scott J. Brown, Raymond James & Associates
- John Lonski, Moody's Investors Service
- John Silvia, Wachovia Securities
- Neal Soss, Credit Suisse

According to Lacy Hunt of Hoisington Investment Management, the U.S. economy has entered what is likely to be an extended growth recession that could morph into zero growth or an outright recession. Hunt states that the Paulson/Bush mortgage plan does not materially change the prospects for the housing sector since it is voluntary and numerous roadblocks to implementation are likely to arise. He notes that huge numbers of second lien holders simply cannot afford to go along with modifications to their debenture agreements. In addition, most delinquencies will probably occur before the resets actually occur.
Eugenio J. Alemán of Wells Fargo Bank says that the risks for the economy have increased as the credit crunch has spread to the overall economy. However, the risks for higher inflation and interest rates have also risen due to the increase in commodity prices.
Subprime Mortgage Crisis and the Economy
This month, Treasury Management asked its panel of economists what effect the subprime mortgage crisis is having on the economy. We also asked the panel to provide their forecasts of the economy.
John Lonski of Moody's Investors Service says that the subprime mortgage crisis has greatly curtailed home lending and has contributed to a crisis of confidence that threatens the availability of credit to businesses. He predicts weak economic growth at least through the first quarter of 2008. Aggressive monetary easing by the Fed will be needed to avert a recession.
Scott Brown of Raymond James highlights the danger that home prices will continue to fall in the major metropolitan areas, which would lead to a more severe housing correction. Brown expects the economy to grow at a slower pace in early 2008, but improve as the housing market bottoms out. Brown predicts that long-term interest rates will move somewhat higher in 2008.
According to John Silvia of Wachovia Securities, the subprime mortgage crisis has resulted in reduced consumer spending and tighter credit standards, which are reducing investment and non-residential construction. For 2008, Silvia predicts GDP growth of 2.2 percent, a core deflator of 2.8 percent, a fed funds rate of 3.25 percent, and a 10-year Treasury bond rate of 4.0 percent.
Neal Soss of Credit Suisse lowered his GDP forecast from 2.5 percent to 1.5 percent for 2008. Whether or not the slowdown will satisfy the technical definition of a recession will be a close call, but Soss expects the weakness in domestic demand to parallel the 2001 experience. He expects the Federal Reserve to cut the fed funds rate to 3.5 percent by summer of 2008. Silvia predicts a slowdown in job creation that will lead to a slowdown in consumer spending. In addition, he anticipates no meaningful improvement in real residential investment in 2008 and has marked down his forecasts from an already depressed baseline.
Snapshot of Economy and Interest Rates
Economic Summary

| Indicator | Current Period | Previous Period | Year Ago |
|---|---|---|---|
| Economic Growth | | | |
| Real GDP growth (annual rate, constant dollars) | III Q '07: 4.9% | II Q '07: 3.8% | Year Ago: 1.1% |
| Retail sales ($ billions) | Nov: 385.75 | Oct: 381.09 | Year Ago: 362.96 |
| Industrial production index (change, monthly and annually) | Nov: 0.3% | Oct: -0.7% | 12 mo. chg.: 2.1% |
| Leading indicators index (change, monthly and annually) | Nov: -0.4% | Oct: -0.5% | 12 mo. chg.: -1.4% |
| New housing starts (thousands of units, annualized) | Nov: 1,187 | Oct: 1,232 | Year Ago: 1,565 |
| Purchasing Management Index (Institute for Supply Management) | Nov: 50.8 | Oct: 50.9 | Year Ago: 49.9 |
| Inflation | | | |
| Consumer price index (change, monthly and annually) | Nov: 0.8% | Oct: 0.3% | 12 mo. chg.: 4.3% |
| Producer price index (change, monthly and annually, seasonally adjusted) | Nov: 3.2% | Oct: 0.1% | 12 mo. chg.: 7.2% |
| GDP price deflator (annual rate) | III Q '07: 0.9% | II Q '07: 2.6% | Year Ago: 2.4% |
| Unemployment rate (BLS) | Nov: 4.7% | Oct: 4.7% | Year Ago: 4.5% |
| Other | | | |
| Money market fund maturities, average portfolio maturity (Money Fund Report Averages TM) | Dec 25: 40 days | Nov 13: 41 days | Dec '06: 42 days |

Investment Performance Benchmarks
The Public Investor 10-bill index

| Date | Index | Quarterly/Monthly Return, Annualized | Annualized Return Since Jan. 1, 2007 | Annualized Return Since Jan. 1, 2006 |
|---|---|---|---|---|
| Jan. 1, 2007 | 302.2210 | 5.51%(Q) | 4.81% | 3.89% |
| Jan. 1, 2008 | 317.1391 | 4.49%(Q) | 4.94% | 4.87% |
| Nov. 1, 2007 | 314.6430 | 3.76%(M) | 4.87% | 4.20% |
| Dec. 1, 2007 | 316.2865r | 6.45%(M)r | 4.94% | 4.26% |
| Jan. 1, 2008 | 317.1391 | 3.28%(M), 4.49%(Q) | 4.94% | 4.87% |

The money market fund index

| Date | Average Return | Annualized Return Since Jan. 1, 2007 | Annualized Return Since Jan. 1, 2006 |
|---|---|---|---|
| Jan. 1, 2007 | 4.85% | 4.39% | 2.78% |
| Jan. 1, 2008 | 4.21% | 4.74% | 4.16% |
| Nov. 1, 2007 | 4.70% | 4.57% | 3.32% |
| Dec. 1, 2007 | 4.42% | 4.57% | 3.35% |
| Jan. 1, 2008 | 4.21% | 4.74% | 4.16% |

S&P Rated LGIP Index

| Date | 7-day yield | 30-day yield | Maturity (Days) |
|---|---|---|---|
| Jan. 1, 2008 | 4.47% | 4.53% | 36 |

Key Rates: Cash Markets

| Rate | 12/28/07 | Year Ago |
|---|---|---|
| Fed funds | 4.17 | 5.20 |
| CDs: Three months | 5.00 | 5.33 |
| CDs: Six months | 4.80 | 5.33 |
| BAs: One month | 4.68 | 5.29 |
| T-bills: 91-day yield | 3.28 | 4.88 |
| T-bills: 52-week yield | 3.34 | 4.97 |
| Commercial paper, dealer-placed, 3 months | 4.93 | 5.30 |
| Bond Buyer 20-bond municipal index | 4.44 | 4.17 |
| Tax-exempt notes | 2.92 | 3.51 |

Relative Value Yield Chart
![](http://www.gfoa.org/newsletter/treasury/2008/chart0108.gif)
Notes
Moving Averages - The four-week moving averages are calculated as a simple average of Friday closing yield quotations for the most recently offered six-month Treasury bill (discount basis), two-year Treasury note, and 10-year Treasury note. Moving averages are used by analysts to monitor trends and trend changes. Generally, interest rates are increasing (prices falling) when the moving average yield is rising and the current rate exceeds the moving average. Conversely, current yields below a declining moving average are associated with lower interest rates (high prices on fixed-income securities). Some market timers buy (or sell) longer maturities when current market yields fall below (or penetrate above) their moving averages.
The Public Investor 10-bill index - This index consists of 10 hypothetical Treasury bill investments, with an average maturity of approximately 80 days. Every other Thursday, a T-bill matures and proceeds are reinvested alternately in the three-month and six-month T-bills. This rolling index provides a benchmark for evaluating cash management portfolios with biweekly payment and payroll requirements. The original value of the index was 97.6765 on July 1, 1984.
The money market fund index - This index is the simple average of Money Fund Report Averages ™ seven-day money market fund indexes, as reported for the two weeks closest to the end of each month. The annualized return is calculated using these rates for a four-week period centering on the first of each month. The results should simulate returns from passive investment in an average money market fund.
S&P Rated LGIP Index - This index is comprised of local government investment pools that are rated AAAm or AAm by Standard & Poor's and represents pools that strive to maintain a stable net asset value.
Executive Director/CEO: Jeffrey Esser
Editor: R. Gregory Michel
The Treasury Management newsletter is published monthly by the Government Finance Officers Association (GFOA), 203 N. LaSalle Street, Suite 2700, Chicago, IL 60601. (312/977-9700; e-mail: PublicInvestor@gfoa.org) Annual subscription rates are $55 for active GFOA members, $70 for associate GFOA members, and $85 for nonmembers. For reprint permission contact GFOA.
The information and opinions printed herein are from sources believed to be reliable, but GFOA makes no guarantee of accuracy. Opinions, forecasts and recommendations are offered by individuals and do not represent official GFOA policy positions. Nothing herein should be construed as a specific recommendation to buy or sell a financial security.
Government Finance Officers Association of the United States and Canada