Tillamook County has gone through the steps to obtain PCI compliance. We have several departments that accept credit cards, and their operations would be severely curtailed if we did not accept the responsibility of PCI compliance. However, we do not retain credit card data on our system, but simply pass-thru the CC data to the processor.

We already have CJIS and HIPAA standards to meet, and network/computer security is a big topic here, so meeting the requirement for PCI/DSS gives us another level of "certification" to show we are serious about data security. The PCI requirements complement our other security efforts by requiring periodic scans, reviews, computer user training, and policies which are not covered by other standards.

Yes, the PCI requirements apply even with hosted solutions, but in that case the certification is more or less only to certify that someone else has the data. The PCI requirements apply with an analog swipe machine also. We found ourselves being charged a "PCI Compliance fee" for each swipe machine.

The control measures and security requirements are not so onerous as to be frightening, but should be looked at as "best practices", with a bit of reporting.

Michael Soots
Tillamook County I.S. Director
503-842-3406 x3478
Visit Tillamook County on the web at http://www.co.tillamook.or.us

From: oagitm-bounce@xxxxxxxxxxxxx [mailto:oagitm-bounce@xxxxxxxxxxxxx] On Behalf Of WELCH Brad
Sent: Friday, February 14, 2014 5:05 PM
To: oagitm@xxxxxxxxxxxxx
Subject: [oagitm] PCI Compliance

I would like to hear from you on how your jurisdiction has approached PCI compliance for any computer-based processing of credit cards by staff, i.e. accepting public payments from your desk or front counter.

Lane County's mission is to be fully PCI compliant in all our processing of credit cards. Our research and consulting advice have all indicated that any card processing from a PC on our network places significant security requirements and control measures on our IT infrastructure. These requirements appear to apply even in the case of web-hosted solutions such as virtual terminals or web-based point-of-sale systems.

Please tell me of any computer-based or hosted card solutions your staff use and how you interpreted and approached PCI compliance for your computers and infrastructure.

Thanks for your time and input.

Brad Welch
Business Applications Manager
Lane County Information Services
541-682-4117
brad.welch@xxxxxxxxxxxxx