How CAS Works
Existing Card Acquiring Service Operations are Extensive and Complex. Processing payment card transactions typically involves two primary stages:
- Transaction authorization, where a payment request initiated with a card account is sent electronically through various parties in the payment card ecosystem (i.e., from the accepting merchant/agency to the acquirer/processor, and routed through the card network to the issuing bank), with an approval or decline message returned back to the acceptance point; and,
- Clearing and settlement, where card transactions are reconciled with the acquirer/ processor, routed via the card networks and settled against issuing and acquiring accounts. CAS card transactions are accepted throughout the day, with next day funds availability. Transactions settle to the Treasury’s account at the Federal Reserve prior to 2:00 pm ET for the prior day’s transactions.
The diagram below demonstrates the payment card processing from authorization (red) through clearing and settlement (blue and green, respectively).
CAS Rules and Security Requirements
Rules for Using CAS
When processing credit and debit card transactions, you must comply with the Treasury Financial Manual (TFM), Part 5, Chapter 7000, Credit and Debit Card Collection Transactions. Go to Chapter 7000 of the Treasury Financial Manual.Download TFM Chapter 7000
Limit for Credit Card Transaction: $24,999.99
The maximum that an agency may collect in a single credit card transaction has been reduced to $24,999.99.
Any agency that accepts credit or debit cards as a form of payment is also responsible for protecting customers' sensitive card information.
CAS Security Posture
To conduct business through the program, there are minimum security standard elements that ensure the consistency of cardholder data protection across a given footprint. Collectively, these 4 elements are referred to as the CAS Security Posture:
- Payment Card Industry Data Security Standard (PCI DSS)
- Europay, MasterCard, Visa (EMV)
All federal agencies that process, store or transmit credit and debit card transactions must comply fully with the Payment Card Industry Data Security Standard (PCI DSS). This is in addition to the Office of Management and Budget (OMB) Personally Identifiable Information (PII) guidelines related to accidental or purposeful disclosure of cardholder information.
Failure to maintain compliance with the PCI DSS puts your agency at risk of significant fines, fees, penalties, or losing the ability to process card payments. Furthermore, a suspected or known compromise of your card processing systems can result in serious damage to your agency's reputation, fines imposed by the Card Networks, and potential litigation brought by impacted cardholders and issuing banks who suffer losses as a result of compromised information.
You must not keep sensitive data
A critical aspect of the standard is not storing sensitive authentication data after a transaction has been authorized. The card brands refer to this data as Prohibited Data.
You must not store:
- the full content of any track on the back of a card's magnetic stripe
- the three or four digit code from the back of the card (CVV2 / CVC2 / CAV2 / CID)
- PIN or encrypted PIN blocks
Storing any of these items after a transaction has been authorized is a direct violation of the card association rules.
You must validate your compliance
Agencies must continually evaluate their systems and processes to ensure that their business is fully protected and in compliance with the PCI DSS. The required validation depends, in part, on how many credit and debit card transactions your agency processes in a year. The card associations place all organizations that accept credit or debit card payments into one of the four levels:
- Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year in one card brand.
- Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
- Any merchant that any card association determines to be a Level 1.
- Any merchant, regardless of acceptance channel, processing 1 to 6 million transactions per year in one card brand.
- Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year.
- Any other merchants, regardless of acceptance channel.
All agencies should consider themselves Level 4, unless the Bureau of the Fiscal Service and Worldpay notify them that they are at a different level. If your agency moves to Level 3, 2, or 1, you will receive specific guidance from the Bureau of the Fiscal Service and Worldpay on what you must do.
Complete an annual PCI Self-Assessment Questionnaire.
The questionnaires are at this site external to the Bureau of the Fiscal Service: www.pcisecuritystandards.org/saq/instructions_dss.shtml
You must complete the appropriate questionnaire for your agency.
Have an Approved Scanning Vendor (ASV) conduct a quarterly network vulnerability scan.
A list of Approved Scanning Vendors who are authorized to perform the network vulnerability scans on your behalf is available at this site external to the Bureau of the Fiscal Service: www.pcisecuritystandards.org/qsa_asv/find_one.shtml
Network vulnerability scans are required for all agencies with external-facing Internet Protocol (IP) addresses in contact with the cardholder data environment.
You can get help with these two tasks
Worldpay, in conjunction with Fiscal Service Card Acquiring Service, has partnered with Trustwave®, an industry leader in information security and compliance, to help agencies simplify the PCI DSS validation process. Trustwave provides a set of online data security tools called PCI Assist.
The PCI Assist tools are specifically designed to guide Level 4 merchants through the PCI DSS validation process.
PCI Assist includes an online "wizard" that will direct you to the Self-Assessment Questionnaire for your agency's specific card data environment. The questionnaire will help determine where your agency is compliant and where it is not compliant with PCI DSS requirements.
PCI Assist also includes a network vulnerability-scanning tool to help identify weaknesses in your external network, if scanning is required for your compliance validation.
Fiscal Service is offering PCI Assist to agencies at no charge. We strongly encourage you to use PCI Assist to evaluate your systems and processes to ensure card data is fully protected.
Although PCI Assist is designed to facilitate an agency’s compliance efforts, Treasury does not guarantee that using PCI Assist will ensure compliance with the PCI DSS. Agencies are under no obligation to use PCI Assist and may choose to get PCI compliance tools or services from other providers at their own expense.
You may log in to PCI Assist at this site external to the Bureau of the Fiscal Service: pci.trustwave.com/fms
If you need help setting up or using PCI Assist, e-mail us at CardAcquiringService@fiscal.treasury.gov
For more information on PCIA DSSwww.pcisecuritystandards.org