Ensuring customer data security
By Mukesh Patel
Every municipal agency that accepts mobile credit card payments must adhere to the Payment Card Industry Security Standards Council’s PCI Data Security Standard (PCI DSS) version 2.0, released in October 2010. However, because it is easy for day-to-day demands to shift agencies’ focus to the issue of the moment, customer data security sometimes gets scant attention.
PCI compliance is critical to performing transactions securely. Credit card brands can impose fines, penalties and other costs if non-compliant agencies experience a data breach. Fines vary by card brand, but Visa and MasterCard are permitted to impose fines of $500,000 or more per event for any service provider that is not compliant at the time of a compromise.
Hackers’ targets aren’t limited to big banks or major online retailers. City and county governments – even smaller ones – are equally vulnerable. There are people who earn a living trolling for systems that have poor architecture or haven’t been sufficiently hardened. Their goal is to find vulnerable sites where they can slip in and steal private data, regardless of the organization’s size.
Local and municipal governments can take five key steps to minimize the risk of a security breach:
Encrypting Is Key. Some payment processing systems authorize transactions and then “batch” them on a server until day’s end, when the batch is transmitted to the merchant service provider for settlement. Ideally, government agencies should submit transactions for settlement in real time and never store card information anywhere on the system or network. At a minimum, batched transactions should be encrypted at rest, with the encryption keys kept separate from the data, and the batch server should be segmented from the rest of the network so the stored records are not open to unauthorized disclosure. Note that PCI DSS never permits storing sensitive authentication data (the card verification code or full magnetic-stripe data) after authorization, even in encrypted form, so a batch should hold only what settlement requires.
Take an Enterprise Approach. Governments often leave individual agencies the flexibility to contract with payment providers, risking that some will choose providers that aren’t appropriately secure. To avoid a fragmented, agency-by-agency approach to security, governments should take an enterprise approach. A single provider can implement security best practices across all departments.
Clean Out the Log. During development and testing, developers often add logging code that captures full credit card data so they can debug transactions. Before the system or application moves from test into production, that logging code or configuration must be removed so the application does not continue writing card numbers to log files, where they would sit unprotected. To adhere to PCI standards, conduct proper quality assurance and documented tests that a) specifically examine logging levels and content before moving to production and b) validate, after the code is in production, that the logs still contain no card data.
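The checks in this step are mechanical enough to automate. The following Python is an added example, not code from the article or from NIC: a Luhn-based card-number detector used two ways, as a logging filter that masks any card number before it is written (the pre-production control) and as a scanner over existing log lines (the post-production validation). The log lines are constructed for the example and use the public Visa and MasterCard test numbers; masking to the first six and last four digits follows the PCI DSS truncation allowance.

```python
import logging
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Luhn filters most false hits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """True if `digits` is a 13-19 digit string with a valid Luhn check digit."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (the most PCI DSS allows to display)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card number in `text`, separators removed."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _SEPARATORS.sub("", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in `text` with its masked form."""
    def _mask(m: "re.Match") -> str:
        digits = _SEPARATORS.sub("", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_mask, text)


class PanRedactingFilter(logging.Filter):
    """Mask card numbers in the message and its string args before any
    handler writes the record. Non-string args are left alone so %d etc.
    keep working."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def masked_log_message(msg: str, *args) -> str:
    """Run one log call through PanRedactingFilter and return the text that
    would reach a handler; handy in a QA test that asserts nothing leaks."""
    record = logging.LogRecord("payments", logging.DEBUG, "", 0, msg, args, None)
    PanRedactingFilter().filter(record)
    return record.getMessage()


def scan_log_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Post-deployment check: (line number, masked PANs) for every line that
    still carries a card number. Only masked values are returned so the report
    does not become another copy of the data."""
    hits = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits.append((n, [mask_pan(p) for p in pans]))
    return hits


# Constructed sample log lines: the card numbers are the public Visa and
# MasterCard test numbers; the order ID is a 16-digit value that fails Luhn.
SAMPLE_LOG = [
    "2011-03-01 09:12:07 INFO checkout start order=1234567890123456",
    "2011-03-01 09:12:08 DEBUG auth request pan=4111111111111111 exp=12/14",
    "2011-03-01 09:12:08 DEBUG gateway echo: 5555 5555 5555 4444 approved",
    "2011-03-01 09:12:09 INFO settlement batch queued, 3 items",
]


if __name__ == "__main__":
    for lineno, masked in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: card data present {masked}")
    log = logging.getLogger("payments")
    log.addFilter(PanRedactingFilter())
    logging.basicConfig(level=logging.DEBUG)
    log.debug("auth request pan=%s", "4111111111111111")  # written masked
```

Luhn removes most false positives (order IDs, timestamps, phone numbers) but not all, so treat scanner hits as items to inspect rather than as proof. The filter is a backstop, not a substitute for removing the debug logging: a filter attached to a logger does not apply to records propagated up from other loggers, so attach it to the handler if it has to cover every path to the file.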
Control for Safety. Beyond log files, placing adequate controls around e-commerce applications can limit your exposure to cyber crimes. For example, consider creating a common checkout module that has been tested and scanned. All developers then should use this standard set of checkout pages. This step restricts developers from making code modifications that would introduce non-PCI-compliant checkout screens into the online transaction process.
Yes, This Applies to You. A surprising number of local governments don’t realize that they have to complete PCI Self-Assessment Questionnaires, which help demonstrate their PCI compliance. In general, if you store, process, or transmit cardholder data, you must meet PCI requirements; the validation required depends on your merchant level, which each card brand sets by annual transaction volume. Local governments with more than 6 million annual Visa transactions, for example, are required to have an annual on-site assessment. A government with fewer than 6 million annual Visa transactions must complete a Self-Assessment Questionnaire and have a quarterly network scan performed by an Approved Scanning Vendor.
Your merchant services provider should be your partner in making sure your e-commerce system is PCI compliant. If your processor hasn’t raised questions about how you’re securing data or whether you’re adhering to the PCI requirements, consider it a red flag.
As President of NIC Services, a wholly-owned subsidiary of NIC, Mukesh Patel is responsible for NIC’s payment processing and financial management platforms. He speaks on payment processing best practices and trends in eGovernment services.