August 19, 2016
The Public Trust
Municipalities Large and Small are Grappling with New Requirements, Challenges for Information Security
By Carl Brown, CardNotPresent.com
The popularity of making municipal payments online is like a wave that’s slowly building. Just like in the retail world, more and more people are being drawn to the ease and convenience that municipal online payments provide.
But lurking in the depths of that wave are sharks in search of prey – cyber thieves looking for personal, sensitive information that they can latch onto and turn to their criminal advantage. Keeping these predators at bay is an ongoing battle that any entity that accepts online payments faces, including—perhaps especially—cities and towns.
Whether online payments are processed in-house or handled by a vendor, municipalities are ultimately responsible for the security of the information tied to those payments. That's clearly spelled out in the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS 3.0, released in November 2013 as the first major revision to the standard in three years, stresses the importance of third-party service provider compliance, and focuses on other matters such as password requirements and how to integrate compliance best practices into daily process routines.
Some municipalities are more cognizant of their security responsibilities than others, so there’s an ongoing need to educate them, according to Jim Mitchell, sales manager at QS/1 Governmental Solutions. A division of the J M Smith Corporation in Spartanburg, S.C., QS/1 Governmental Solutions provides billing and financial software and services for state and local governments, municipal utilities and other entities, such as law enforcement departments and judicial offices.
Mitchell said his company holds annual conferences for municipal officials and others to update them on a variety of topics, including security issues surrounding online payments.
"We also end up spending a lot of time educating our customers and prospects about the aspects of security," he said.
QS/1 Governmental Solutions provides billing software and other related services to approximately 200 municipalities in the southeastern portion of the nation.
“We serve an 11-state area right now,” he said, adding that almost all the municipalities have 20,000 residents or less.
Small Towns, Big Worries
In many ways, small municipalities are like small businesses. Town governments exist to provide services to their residents: education, sanitation, recreation, emergency services, etc. That's where their focus and their expertise lie, much like a small business laser-focused on selling its product. Taking payments, and the security issues that go along with that, may not be their forte. In the current environment, however, their responsibility for ensuring the security of payment and other personal data is becoming more complicated and their liability more onerous.
Of those served by QS/1, about 50 to 60 percent use both the company’s online bill payment software and its internet payment portal, Mitchell said. He noted that the percentage is increasing every day because of pressure on municipalities from customers to provide the service. It’s simpler for them to hand off the responsibility to a third party.
Municipalities using the payment portal do not collect any sensitive information, Mitchell said. Instead, customers are directed to the portal, where they provide such information. As a result, municipalities are shielded from information breaches because they don’t have anything on file, he said.
The remaining municipalities handle online bill payments internally, according to Mitchell. They prefer to keep the processing in-house because they like to keep close tabs on payments, he explained. These customers are usually much smaller in size and typically have one employee handling multiple responsibilities, such as a police chief who also serves as the IT manager and processes bill payments, he said.
Columbia, Mo., has gone the third-party provider route for its payments, according to Lynn Cannon, the city's assistant director of finance. Her department has arranged to accept a variety of payments.
“We accept utility bill payments, parking ticket and permits, license fees, miscellaneous receivables, bus passes, and registration for certain events, training and activities,” she said.
Different vendors handle each of the payment categories, she said.
Security protection was an extremely important element of the contracts with these providers, Cannon noted, and it did not end with an annual PCI audit. PCI compliance, encryption, the ability to comply with the city's Red Flags Rule identity theft prevention program and adequate insurance protection in the event of a breach were all part of contract negotiations, she said.
Cannon pointed out that the city is taking additional steps to ensure that the outside vendors are maintaining appropriate levels of security. And that’s vital, because according to the PCI Security Standards Council, “ultimate responsibility for compliance resides with the entity, regardless of how specific responsibilities may be allocated between an entity and its [third-party provider].”
Even if a small town (or small city, like Columbia) decides to hand off the payment process entirely to a third-party payment provider, its leadership must be aware of the PCI DSS 3.0 requirements for managing service providers (Requirement 12.8). These include careful due diligence before signing a contract, understanding which PCI DSS requirements the third party's services cover and which remain the municipality's own, a specific and detailed written agreement between the municipality and the payment provider that spells out all responsibilities, and ongoing monitoring of the third party's compliance status.
Big Cities, Still Big Worries
Tight security protocols are just as important to a city of nearly a million like Charlotte, N.C., according to Randy Moulton, its chief security officer.
Charlotte uses a hybrid of in-house resources and third-party vendors to process online bill payments, Moulton said. Internally, the city follows PCI DSS 3.0 requirements, and expects the same from its vendors, he noted. PCI standards require an annual assessment of security controls both in-house and at the vendors, Moulton added.
“The City takes the protection of credit card information very seriously and it has always been a priority to ensure that information is secure,” Moulton said.
Mitchell said QS/1 Governmental Solutions also adheres to the yearly PCI audit schedule for the municipalities it serves.
“We have a group of people who are dedicated to staying on top of changes in security protocols so they are capable of meeting the needs of customers,” he said. “We have to always be cognizant of changes so we are providing our customers with the best services possible.”