Security first

Automated payments are becoming increasingly prevalent within the public sector and, as with the private sector, measures have to be taken to ensure the security of both the public who make these payments and the organisations receiving them.
Public sector organisations that receive payments from citizens increasingly recognise that securing timely payments is considerably aided when there is a choice of convenient and easy-to-use payment channels. These include self-service payments via the internet, automated telephone or even SMS text. Those making payments want to be confident that payments made by credit or debit card take place in an environment that provides the highest level of security with regard to cardholder data. In recent years, additional fraud protection measures have been put in place: Chip & PIN for cardholder-present payments, the Card Security Code for payments made over the telephone or internet and, more recently, cardholder authentication for internet payments through the card schemes' 3-D Secure programmes (Verified by Visa and MasterCard SecureCode).
Setting the standard
Over the last couple of years, all organisations that accept card payments have also been moving towards compliance with the Payment Card Industry Data Security Standard (PCI DSS). The standard sets out to ensure that the whole environment in which card payments are taken (including processes, software, hardware and infrastructure) complies with the well-documented and rigorous requirements of this standard.
Many organisations still confuse information security with ICT service provision, when the two should be treated as independent (albeit overlapping) business functions. This can leave ICT departments weighed down with complex security compliance obligations that they do not fully understand. For instance, a typical IT manager may well encrypt a database holding cardholder data, but will often miss the importance of the key management processes around that encryption: split knowledge and dual control, so that no single key custodian holds a complete key-encrypting key and a separation of duties is enforced, and scheduled key changes, so that stored data is re-encrypted under a new key at the end of each key's defined period. Areas like these are the key considerations when trying to achieve and maintain PCI DSS compliance and can be the difference between suffering a card data breach or not.
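The two key-management controls mentioned above, as an added example that is not code from the article or its vendor: a key-encrypting key (KEK) assembled by XOR from per-custodian components, so no one holder can reconstruct it alone; a key check value so the custodians can confirm the assembled key without revealing it; and a vault that keeps card data under a data-encrypting key (DEK) wrapped by the KEK, with a scheduled rotation that issues a new DEK and re-encrypts every record. The article names no cipher, and to keep this runnable with only the Python standard library an HMAC-SHA256 counter-mode keystream with a separate HMAC tag stands in for AES-GCM (an assumption; in a real PCI DSS environment the KEK would live in an HSM and a standard AEAD or key-wrap algorithm would be used). The sample card number is a constructed test value.

```python
import hmac
import hashlib
import secrets
import datetime as dt

KEY_LEN = 32  # 256-bit keys throughout

# --- split knowledge / dual control over the KEK ---------------------------
def make_key_components(holders):
    """One full-length random component per custodian. Each component on its
    own is uniformly random, so it leaks nothing about the assembled KEK."""
    if holders < 2:
        raise ValueError("dual control needs at least two custodians")
    return [secrets.token_bytes(KEY_LEN) for _ in range(holders)]

def combine_components(components):
    """KEK = XOR of all components; done in the key-loading ceremony only."""
    kek = bytes(KEY_LEN)
    for comp in components:
        if len(comp) != KEY_LEN:
            raise ValueError("component has wrong length")
        kek = bytes(a ^ b for a, b in zip(kek, comp))
    return kek

def key_check_value(key):
    """KCV: a short value custodians compare to confirm the right key was
    assembled, without the key itself appearing anywhere."""
    return hmac.new(key, bytes(16), hashlib.sha256).hexdigest()[:6]

# --- authenticated encryption helper (stand-in for AES-GCM, assumption) ----
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC with separate subkeys; output = nonce || ct || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong key or tampered record
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- envelope encryption with scheduled key rotation -----------------------
class CardVault:
    """Records are encrypted under a DEK; only the KEK-wrapped DEK is stored."""
    def __init__(self, kek, today, rotation_days=365):
        self.rotation_days = rotation_days
        self.records = {}          # record id -> (dek version, ciphertext blob)
        self.version = 0
        self._issue_dek(kek, today)

    def _issue_dek(self, kek, today):
        self.version += 1
        dek = secrets.token_bytes(KEY_LEN)
        # the version is bound into the wrap so a stale wrapped DEK cannot be swapped in
        self.wrapped_dek = encrypt(kek, dek, aad=b"DEK-v%d" % self.version)
        self.dek_issued = today

    def _dek(self, kek):
        return decrypt(kek, self.wrapped_dek, aad=b"DEK-v%d" % self.version)

    def store(self, kek, rec_id, pan):
        blob = encrypt(self._dek(kek), pan.encode(), aad=rec_id.encode())
        self.records[rec_id] = (self.version, blob)

    def fetch(self, kek, rec_id):
        version, blob = self.records[rec_id]
        if version != self.version:
            raise ValueError("record still under a retired key")
        return decrypt(self._dek(kek), blob, aad=rec_id.encode()).decode()

    def rotation_due(self, today):
        """The scheduled check: has the current DEK exceeded its cryptoperiod?"""
        return (today - self.dek_issued).days >= self.rotation_days

    def rotate(self, kek, today):
        """Key change: decrypt every record under the old DEK, issue a new DEK,
        re-encrypt, and drop the old wrapped DEK so it cannot be reused."""
        old_dek = self._dek(kek)
        plaintexts = {rid: decrypt(old_dek, blob, aad=rid.encode())
                      for rid, (_, blob) in self.records.items()}
        self._issue_dek(kek, today)
        new_dek = self._dek(kek)
        for rid, pt in plaintexts.items():
            self.records[rid] = (self.version, encrypt(new_dek, pt, aad=rid.encode()))

def rejects_wrong_kek(vault, rec_id):
    """True if a record cannot be read with a KEK other than the real one."""
    try:
        vault.fetch(secrets.token_bytes(KEY_LEN), rec_id)
    except ValueError:
        return True
    return False
```

In practice the components would be generated and entered by separate custodians at the HSM or key-loading device, the KCV is what each custodian records and compares, and `rotation_due` would be driven by the cryptoperiod written into the key-management policy rather than a constant.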
Any organisation that accepts card payments will see the clear benefit of compliance with PCI DSS. Having invested heavily in services that take payment by card, an organisation can suffer a severe impact from a card data breach: penalties imposed by the banks or card schemes, loss of customer confidence, delays in payment that disrupt revenue flow and a possible channel shift back to less favourable and more resource-intensive payment methods such as cash or cheque.
A number of organisations are now choosing to call upon the services of expert partners who can take on much of the responsibility for compliance with PCI DSS. In doing so, they are looking at working with a “payment service provider” who can offer:

  • An established and proven managed service
  • A PCI DSS compliant service
  • Payment Application Data Security Standard (PA-DSS) certified applications
  • Payment Card Industry PIN Transaction Security (PCI PTS) compliant Chip & PIN devices
  • A wide range of payment channels
  • PCI DSS advice and consultancy
  • PCI DSS network scanning from an Approved Scanning Vendor (ASV)
  • Competitive card processing rates
  • The latest in card security measures

Where security controls are in place, compliance follows, and customers take assurance from recognised industry standards. Our own managed service was certified to the Payment Card Industry Data Security Standard (PCI DSS) at Level 1 in 2007, making us the first of the leading local government providers to achieve this standard.
It can be a daunting process to hand over responsibility for security to an external organisation, but it can also be very rewarding, especially when a strong long-term partnership is built. We work with over 200 customers to provide payment services as a managed service. These customers are largely drawn from the public sector, including local government, further and higher education, social housing and health. The volume of payments taken continues to grow and, as at May 2010, stood at around 1.6 million card payments worth over £130 million each month.
Automating payment systems is undoubtedly an increasingly popular method of generating efficiencies within public sector organisations, but with so much continued focus on card fraud and the protection of citizens' data, convenience should not take precedence over safety and security.
