Lack of Card Payment Security Leaves UK Councils Exposed

By   ISBuzz Team
Writer , Information Security Buzz | Nov 17, 2014 05:02 pm PST

It is easy to underestimate the number and range of payment transactions processed by the public sector every single day. From council tax and passport applications to driving license fees, parking, museums, clubs, libraries, colleges, sports and leisure venues, fixed penalties, pest control, garden waste management, housing rent or insurance, business rates, child care, and more, many of these involve a council employee taking a card payment over the phone.

When it comes to card payments, the public sector faces the same security risks as other sectors, not to mention the same obligations to protect that data by complying with PCI DSS.

Featured Download: Social media access at work. Do your employees know the rules?

However, public service organisations such as local councils face considerable challenges in meeting the requirements of PCI DSS. Evidence outlined below suggests that as a result of this, many councils fail to meet the grade when it comes to card payment security.

A recent FOIA request asked 280 councils about their PCI compliance. 44 responded. Of these, 26 admitted they did not comply, and seven said they are compliant or working towards compliance but have no certification. Just 11 said they are both compliant and certified.

Validated PCI compliance is not just an administrative process. It confirms that proper safeguards have been put in place to protect payment card data during transactions, in person, online, by post, and over the phone.

Commercial sectors such as retail often have designated contact centres with trained employees to process payments by phone. Local councils, on the other hand, often have no choice but to leave phone payment in the hands of people who are untrained and lack appropriate equipment and infrastructure. This means that key security requirements, such as limiting access to and not retaining or sharing card data, can be difficult to meet.

Achieving PCI compliance can be costly, cumbersome, and complex, placing extra demands on already over-stretched budgets. On-premise and legacy telephone systems can be difficult to adapt to accommodate more secure ways of handling card payments.

Fortunately, there is an alternative. The government’s growing adoption of cloud-based services provides a perfect opportunity for local councils to consider a PCI-compliant cloud-based phone payment processing solution. These solutions are cost-effective, easy to install, and quick to scale.

The latest products allow customers to key in their card details using the phone’s push buttons and then mask the numbers so the person taking the payment never has access to the card details. This effectively removes up to 90 percent of payment processing from the scope of compliance, significantly reducing risk with minimal effort.

The public sector strives to achieve the same standards as its commercial counterparts. Looking to the cloud will help them meet this for payment processing. No council needs reminding of the reputation and financial damage a data breach can do.

By Tom Evans, CSO, Cognia

About Cognia

cognia_logoCognia is a leader in the provision of cloud-based communications and interaction intelligence solutions for enterprises and service providers. A single platform provides secure capture, storage and analytics solutions for multi-channel communications, including fixed-line and mobile, as well as all IP communications.

Cognia’s solutions include cloud based call recording, the world’s first QSA-validated, PCI DSS Level 1 service on a secure global cloud platform and interaction analytics that form part of its communications intelligence suite. This replaces the high upfront capital and support costs of on-premise systems, with the flexibility to lower TCO to a level never before possible with traditional solutions.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x