A County Treasurer’s Guide to PCI Compliance in 2025

What You Need to Know Right Now

County treasurers face a simple reality: if you accept credit cards, you must follow PCI compliance rules. This isn’t optional, and it’s not just for stores. Every county that takes card payments for taxes, permits, court fees, or any service is a merchant under federal payment card rules.

The stakes are high. A data breach won’t just cost money—it can destroy public trust, damage your reputation, and end careers. Citizens expect government to protect their information better than private companies do.

But here’s the good news: you don’t need to become a cybersecurity expert. The smartest approach is simple—never touch card data at all. Let secure processors handle everything while you focus on serving your community.

Why Counties Can’t Ignore PCI Compliance

You’re a Merchant Whether You Like It or Not

Many county offices think PCI rules don’t apply because they’re “government, not retail.” This thinking is dangerous and wrong. Card companies like Visa and Mastercard don’t care if you’re a grocery store or a courthouse. If you process card payments, you follow the same security rules.

Political Damage Hurts More Than Fines

Private companies worry about penalty costs when they have security problems. County officials face something worse—permanent damage to public trust. When citizens lose faith in your ability to protect their payment information, they lose faith in government itself.

This affects everything: voter turnout drops, citizens stop cooperating with county programs, and your credibility never fully recovers. The real cost isn’t measured in dollars—it’s measured in lost trust that takes decades to rebuild.

Old Systems Create New Problems

Many counties still rely heavily on paper checks and cash, using systems that haven’t changed in decades. While these feel familiar, they create their own risks: check fraud, mail theft, and processing delays that frustrate citizens trying to pay what they owe.

These old systems also make it harder to upgrade to secure digital payments because staff resist change and existing processes seem “good enough.” But true security means protecting every step of the payment process, from your mailroom to your data systems.

The Smart Strategy: Never Touch Card Data

The easiest path to PCI compliance is surprisingly simple—never handle payment card data in the first place. Here’s how this works:

A secure, PCI-compliant processor manages all card payments whether they happen online, in person at your counter, or over the phone with your staff. Your county systems never see actual card numbers. Instead, you receive only a harmless “token”—random characters that represent the transaction for your records but have no value to criminals.

Real Example: A citizen pays $2,847 in property taxes online. They enter their card information directly into your processor’s secure system (hosted on their servers, not yours). Your county system receives “Token ABC123 paid $2,847 for parcel 456-789-012” without ever seeing the actual card number.

This approach keeps sensitive data completely out of your network, dramatically reduces your compliance requirements, and lets your IT team focus on community services instead of managing card security.
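As an added illustration (not code from the guide or from IntelliPay), here is a small Python gate a county system could run on each record the processor sends back, before anything is written to county storage: it accepts records that carry only the token, amount, parcel and last four digits, and rejects any field into which a full card number was typed. The record layout and the Luhn-based detector are assumptions; the token and parcel values are the guide's own example.

```python
import re
from dataclasses import dataclass


@dataclass
class PaymentRecord:
    """Hypothetical county-side record built from a processor callback."""
    token: str        # processor-issued reference such as "ABC123"; worthless to a thief
    amount_cents: int
    parcel: str
    last4: str = ""   # the only card digits the county keeps (last four is permitted)
    note: str = ""    # free text typed by staff; the usual place a full card number leaks in


def luhn_valid(digits: str) -> bool:
    """Check-digit test that every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens (how cards get typed in)
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return digit strings in text that are card-number length and pass Luhn."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):     # Luhn filters out parcel ids, phone numbers and most typos
            found.append(digits)
    return found


def accept_record(rec: PaymentRecord) -> bool:
    """True only if no field carries a full card number and last4 is at most four digits."""
    for field in (rec.token, rec.parcel, rec.last4, rec.note):
        if find_pans(field):
            return False
    return len(rec.last4) <= 4


if __name__ == "__main__":
    # Constructed sample matching the guide's example: token ABC123, $2,847, parcel 456-789-012
    ok = PaymentRecord("ABC123", 284700, "456-789-012", last4="1111")
    bad = PaymentRecord("ABC124", 50000, "456-789-013", note="caller read card 4111 1111 1111 1111")
    print(accept_record(ok), accept_record(bad))   # True False
```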

What PCI Compliance Actually Costs Counties

Understanding these costs helps justify budgets and plan properly:

Small Counties (Under 50,000 people): $15,000-$25,000 yearly

  • Security assessment: $3,000-$5,000
  • Secure payment processing: $8,000-$12,000
  • Staff training: $2,000-$3,000
  • Monitoring systems: $2,000-$5,000

Medium Counties (50,000-200,000 people): $25,000-$50,000 yearly

  • Security assessment: $5,000-$8,000
  • Payment processing: $15,000-$30,000
  • Additional staff/consultant time: $3,000-$7,000
  • Advanced monitoring: $2,000-$5,000

Large Counties (200,000+ people): $50,000-$75,000+ yearly

  • Comprehensive security assessment: $8,000-$15,000
  • Enterprise payment solutions: $30,000-$45,000
  • Dedicated security staff/consultants: $10,000-$15,000
  • Complete monitoring systems: $2,000-$5,000

Understanding the New PCI DSS 4.0 Rules

The latest payment security standards became required in March 2025. They’re more flexible than before but require more documentation.

More Choices, More Paperwork

Counties can now choose different ways to meet security requirements, but you must document and defend every choice. This “customized approach” sounds easier but actually creates more work—you have to prove your alternative method provides equal security.

For most counties, sticking with standard security requirements is simpler and easier to defend during audits.

Every New Payment Method Needs Review

Any new way citizens can pay—mobile parking apps, online permit portals, phone payment systems—requires a formal risk assessment before you launch it. This makes planning mandatory, not optional.

Create a simple review process form: before any department adds new payment options, they complete a risk assessment that gets approved by your IT department and treasurer’s office.

Modern Threats: AI and Cybercriminals

Criminal organizations now use artificial intelligence to target government systems, which often have outdated security.

AI-Powered Attacks Target Counties

Smart Phishing: Criminals use AI to create incredibly convincing emails that appear to come from your IT department, state agencies, or other trusted sources. These emails reference recent county news and mimic official communication styles to trick staff into sharing login information.

Fake Official Calls: Advanced technology can now create fake audio and video calls that sound and look like county officials, state representatives, or vendor contacts. These can fool staff into making unauthorized system changes or sharing sensitive information.

Protecting Your County

Vendor Oversight: Criminal hackers often target third-party companies like billing platforms, software vendors, or service providers to access your data indirectly. The new PCI rules require much closer monitoring of anyone who might access your payment systems.

AI for Defense: When used properly, AI can significantly strengthen your security by spotting fraud patterns instantly, monitoring systems 24/7, and alerting your team to suspicious activity even during nights and weekends.

Human Oversight Required: AI security tools should alert and recommend actions, but humans must make final decisions that could affect citizen services.

Who Pays for Credit Card Processing: County vs Citizens

A PCI DSS Level 1 certified payment processor that focuses on local government understands that, beyond security and PCI compliance, one of the biggest decisions counties face is who pays credit card processing fees. This choice has significant budget and fairness implications.

When Counties Pay Processing Costs

How it works: County absorbs all processing fees (typically 2.5-3% of each payment)

Example: Citizen pays $500 property tax bill

  • Processing fees: $14.00
  • County receives: $486.00
  • Citizen pays: $500.00

Annual impact: A county with 25,000 card payments loses $350,000 a year to processing fees.

When Citizens Pay Service Fees

How it works: Citizens pay actual processing costs when they choose to use cards

Example: Citizen pays $500 property tax bill

  • Processing fees: $14.00 (citizen pays this)
  • County receives: $500.00
  • Citizen pays: $514.00

Annual impact: County receives full payment amounts

Why Service Fees Make Sense

When counties absorb processing costs, they create an unfair situation where all taxpayers subsidize credit card users’ convenience through reduced services or higher taxes. Citizens who pay by check, cash, or bank transfer effectively pay extra to cover processing costs for credit card users.

Service fees restore fairness by ensuring only those choosing credit card convenience pay for it. This isn’t about charging citizens more—it’s about fair allocation of costs.

The bottom line: $350,000 in annual processing costs could fund two full-time employees, maintain dozens of miles of roads, or purchase essential equipment. Service fees keep that money available for actual public services.

Planning for the Future

Technology and security threats evolve rapidly, but government budgets and procurement processes move slowly. Build flexibility into your approach.

New Payment Technologies Citizens Expect

Contactless Payments: More people expect to pay with smartphones, smartwatches, or tap-to-pay cards. Make sure your systems can handle these methods securely.

Digital Wallets: Services like Apple Pay, Google Pay, and Samsung Pay actually increase security by using advanced tokenization, but your staff need training to understand and support these payment methods.

Building Long-Term Security Success

PCI compliance isn’t about buying the newest security tools or passing audits. It’s about creating a lasting security culture that protects citizen data and maintains the public trust that’s essential for effective government.

Real success requires ongoing commitment from county leadership, proper staff training, realistic budgeting, and clear communication with everyone involved. The money invested in proper PCI compliance pays dividends through reduced risk, improved citizen services, and preserved public trust.

Citizens trust you with more than their tax payments—they trust you with their financial security and personal information. Honor that trust by taking PCI compliance seriously and implementing it thoughtfully, not just checking boxes.

Getting Started: Your 90-Day Plan

Days 1-30: Assessment

  • List every way citizens currently pay (online, in-person, by phone, mail)
  • Document who in your office handles payments and how
  • Research PCI-compliant payment processors with government experience
  • Begin preparing budget requests for next fiscal year

Days 31-60: Building Support

  • Present your findings to county commissioners with focus on risk and public trust
  • Meet with all department heads who accept payments
  • Have your attorney review existing payment processing contracts
  • Start the vendor selection process following procurement rules

Days 61-90: Implementation Planning

  • Select your payment processor based on government experience and transparent pricing
  • Schedule comprehensive staff training sessions
  • Develop incident response procedures specific to your county
  • Create an ongoing compliance management calendar

Communicating Changes to Key People

Presenting to County Commissioners

Focus on protecting citizens and reducing county risk, not technical details:

  • “Ensuring taxpayer financial information stays secure”
  • “Preventing costly data breaches that damage our county’s reputation”
  • “Meeting the same security standards citizens expect from their banks”
  • “Reducing legal liability and potential lawsuit exposure”

Explaining Changes to Citizens

When you implement new security measures or service fees, communicate benefits clearly:

  • “We’re upgrading our payment systems to better protect your financial information”
  • “New security measures ensure your card details are as safe as when you shop with major retailers”
  • “These improvements help prevent identity theft and fraud”

Training Your Staff

Non-technical county employees need simple, clear guidance they can actually follow:

  • Never write down credit card numbers for any reason
  • Always log out of payment systems when you’re done
  • Report anything suspicious immediately to your supervisor
  • Understand that these procedures protect citizens who trust us with their information

Staying Compliant Year-Round

PCI compliance isn’t a one-time checklist. It requires consistent attention throughout the year.

Your Annual Compliance Calendar

  • January: Review and update incident response procedures
  • March: Complete required annual security assessment (due March 31)
  • June: Review all vendor compliance documentation
  • September: Conduct staff training refreshers
  • November: Plan next year’s compliance budget
  • Monthly: Basic security reviews
  • Quarterly: Vulnerability scans of payment systems

Track What Matters

Monitor metrics that matter for county operations:

  • How quickly you detect security problems (goal: under 24 hours)
  • Staff training completion rates (goal: 100%)
  • Vendor security review completion (goal: 100% annually)
  • Payment system uptime (goal: 99.5% or better)

Required Documentation

Government operations need thorough records that satisfy both security requirements and public records laws:

  • Security policies and procedures (updated annually)
  • Staff training records (keep for 3 years)
  • Security incident logs (permanent records)
  • Current vendor compliance certificates
  • Risk assessment reports (updated whenever systems change)

Frequently Asked Questions

Does PCI compliance really apply to counties? Yes. If you accept cards for any government service—taxes, permits, court fees, utilities—you’re a merchant under PCI rules, just like any business.

What’s the biggest risk if we don’t comply? Beyond financial penalties, the real danger is permanent damage to public trust, credibility, and community confidence. Citizens expect government to protect their information better than private companies.

How can we reduce our compliance burden? Never handle card data directly. Use PCI-compliant processors that manage all payment processing and return only harmless transaction tokens to your systems.

What’s new in PCI DSS 4.0? You have more flexibility in meeting security requirements, but every choice must be thoroughly documented and defended. New payment methods require upfront risk assessments.

How do we handle compliance with limited IT staff? Outsource payment processing entirely to qualified providers rather than trying to manage compliance internally. This requires less technical expertise and costs less.

What should we budget annually? Small counties: $15,000-$25,000; Medium counties: $25,000-$50,000; Large counties: $50,000-$75,000 or more.

How do we explain changes to citizens? Focus on benefits they care about: “protecting your financial information better,” “faster processing means quicker service,” “same security standards as your bank.”

What happens if we have a breach despite being compliant? PCI compliance significantly reduces breach likelihood and can limit your liability, but it doesn’t prevent all incidents. Having proper incident response procedures, insurance coverage, and communication plans is essential.


About IntelliPay

We help County Treasurers and Finance Directors optimize their payment processing through transparent interchange-plus pricing, compliant service fees, no hidden charges, expert guidance, and reliable technology solutions. Our team combines deep industry knowledge with personalized service to ensure every client gets the best possible payment processing solution for their operations.


The information provided here is for educational purposes only. We make no warranties regarding completeness or accuracy, and all advice is provided “as is.” This content doesn’t constitute legal, financial, or professional advice. No security measures can be guaranteed 100% effective. We disclaim liability for damages resulting from use of this information. For personalized guidance, consult qualified professionals.

Dale Erling

Dale Erling is a payment processing professional with over 15 years in banking, financial technology, and payments. He helps small businesses navigate costs and compliance, and frequently writes on trends, card cost reduction, and small business payment strategies. Dale is passionate about demystifying payment processing and leveraging his expertise to drive value for clients.