Most local governments aren’t yet compliant with Payment Card Industry security standards, industry consultant says.
Cash and check payments slowly are falling out of favor with the general public — replaced by credit cards and debit cards, paid via the Internet or on mobile devices. State and local governments are becoming increasingly aware that the onus is on them to keep up to date on the newest cyber-security standards. The requirements, from the Payment Card Industry (PCI), have been developed by a coalition of payment card companies and are enforced through a PCI council. Noncompliance can result in fines — or worse, can make a government vulnerable to a data breach.
Government Technology spoke with Joe Oleksak, who heads Plante and Moran’s security assurance and consulting practice in Chicago. The consultancy has worked with several local governments on PCI compliance. Oleksak shared the challenges he sees for state and local governments to become fully compliant and what smartphones and other mobile devices could mean for the future of the e-payment industry.
We have a fairly large group of local governments that we have helped with PCI. Honestly, many of them are not where they need to be. I would say most. That’s not necessarily the truth for everyone, but the issue really comes into play because PCI is so specific on what they require. Local governments and smaller governments are starting to move into this more technology-based receipt of payments, but they haven’t had the time for maturity to slowly, over time, implement controls that the PCI requires. So they implement new technology, and all of a sudden — bang — they have to re-architect their network and implement new policy and procedures that they never had to before because they are doing new forms of payment.
It just depends on the maturity of the organization. How long have they been doing this? Do they have the right focus? There are a lot of companies, government organizations, schools and hospitals that haven’t necessarily taken security as seriously in the past as they need to now. They haven’t put in the dollars and the elbow grease necessary to be where they need to be today. So those organizations are going to struggle to meet the compliance guidelines of PCI.
There is some good news for the smaller organization or smaller government. PCI is specific, but it does provide for levels. Level One is for merchants who have more than 6 million transactions a year. Most smaller governments are not going to have that many. The Level Ones have to go through a very stringent certification process. So that’s the first thing, and most of your governments are not going to be there. Levels Two, Three and Four go down in the number of transactions. Level Two is 1 million to 6 million transactions in a year, Level Three is 20,000 to 1 million, and Level Four is less than 20,000 transactions a year. This is an assumption, but most local and county governments are going to be more at a Level Three or Four. Now there is further good news for those who are smaller. For the Level Four category, it depends on who the [government’s] credit card company is, which has the option under PCI to say what they require from their customers. [Some of them] recommend [the most stringent PCI standards] but don’t require them. At Level Three, you pretty much have to follow the guidance of PCI compliance.
PCI has been around for a while, but it’s really starting to gain traction outside of those Level One merchants. And what I see in state and local government is a renewed interest, based on the current environment and economy, in identifying ways to save constituents money and to drive more revenue to their organization. So PCI is becoming much more relevant in 2010 than it ever was in 2005. In addition, because of the economy you’re seeing a sharp trend in [cyber-attacks]. Hackers are hurting and they want to make their money too. They’re finding new ways to make money through identity, credit card and health information theft — anything they can do.
Why is this relevant? Originally they would go after the banks. What’s going on is financial institutions have been regulated so severely over the years that they’re becoming a much harder target. They’re still not impervious, but they’re a much harder target. So now hackers are saying, “What are some other industries that are easier to get into because they haven’t been held to stringent standards, because they aren’t required to go through annual security audits from independent professionals?” Government is one of those industries. You have a sharp rise in the number of attacks, and new technologies being implemented which will enable organizations to receive credit card information. It’s a slam dunk for a hacker now.
If you’re a merchant who requires many transactions during a year, you have to use what we call a qualified security assessor (QSA). And the QSA has to come and validate that. If you are Level Two, Three or Four, you don’t have to use a QSA; you can use what we call a SAQ — a self-assessment questionnaire. We’ve found that the self-assessment questionnaire is still very technical and rather stringent. So most organizations are going to need the help of someone who is well versed in PCI and the data security standard to help them through the first year. But once they get help through the first year, then it’s just a matter of keeping it up to date.
If you’re Level One, you really have no choice. Again, we’re dealing with smaller organizations that aren’t Level One. So right now, PCI is more about insurance for these smaller organizations. I say that because there is nobody proactively going after a government organization, company or hospital that’s a Level Three. There is no government body that is coming out and auditing you, and they’re going to fine you. Let’s say you are a county government, and you have a breach of customer credit card data. What ends up happening is based on the severity of the breach. The PCI council will fine you for being noncompliant with PCI. The way they will retrieve that money is basically taking a certain dollar amount out of your transactions and billing you over a period of time. They anticipate that the average breach is going to cost organizations — including fines, legal costs, forensic costs, the investigation, etc. — around $500,000. They’re not talking about government organizations versus retailers; they’re just saying in general that’s what to expect.
It’s a mixture of the three. I think where you have the biggest challenge in a governmental organization is a cultural challenge. It’s a change in thinking; it’s a change in the way you’re doing business because in a governmental organization, you want to be open, free and enable your constituents to get the information they want. PCI is more about containing information and keeping it under control. What ends up happening is you’re coming from an environment where you want to help people, you want to be as open and honest with folks as you can be, to where now PCI is saying, “You need to segregate your data. You need to make sure only people who need access to data can access the data.” All of a sudden you have to take off your “I like people” hat and put on your security hat and say, “I’m cautious of everyone. You say you’re constituent A, B or C, but I need to see D.” You have to do verification; it’s much more stringent. You have to implement policies and procedures for protecting data, and everyone in the organization needs to be trained on that. So it’s a shift in thinking — a new way to think about customer service.
The challenge right now is the mobile market is different from the Internet. Most people say there’s the mobile Web and the Internet, and they’re the same thing — but they’re not. Mobile Web is distinct and different from the Internet. The Internet is more mature — it’s still young and has issues — but a lot of the risks are starting to be understood, whereas in the mobile world there hasn’t been enough time and research from the security industry to really understand all the threats and attack vectors in the mobile world. In addition, mobile devices are smaller and are with a person 24/7. They’re with somebody on the bus or train. Those devices can be easily lost, so physical security becomes a bigger issue too. It’s not just about training your own people and your own staff; it’s about training your users how to secure and perform transactions over the mobile Web.