Accounting for Online Payment Security as a Practice
By Vennard Wright, CIO, WSSC (Washington Suburban Sanitary Commission)
As consumers and recipients of utility services, one of our least favorite things about receiving those services is paying the bills. As service providers, one of our most obvious concerns is securing the information and data related to those payments: customer details and credit card information.
Both concerns converge forcefully in a number of ways, ranging from fair and equitable pricing to measured transparency around operations when rate and price increases are in order, but perhaps the most vexing challenge is security and compliance for online payments.
The Payment Card Industry Data Security Standard (PCI DSS), launched in 2006, governs how companies and entities of any size must accept credit card payments. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express and Discover). This means that any entity that intends to accept card payments, or to store, process, or transmit cardholder data, must either host that data with a PCI compliant hosting provider or take proper steps of its own to ensure that cardholder data is secure, or face financial penalties of $5,000 to $100,000 per month for PCI compliance violations.
In spite of well-known PCI compliance standards, ten very notable payment data breaches involving the public loss of credit card information still occurred in recent years:
1. Chipotle – Point of sales data breach in 2017
2. Home Depot – Agreed to pay banks $25 million as part of a settlement for breach in 2014
3. eBay – Massive data breach of sensitive data on 148 million customers
4. Target – Paid $18.5 million for data breach that affected 41 million customers
5. Citibank – Multiple breaches by hackers of credit card information of over 200,000 customers
6. Sony – $8 million settlement paid for PlayStation breach in 2014
7. Brooks Brothers – Customer payment information breached in year-long attack in 2016-2017
8. Kmart – For the second time in less than three (3) years, battled a malware-based security breach
9. Sonic – In 2017, a payment system breach resulted in up to 5 million stolen credit and debit card accounts
10. Hyatt – Two (2) breaches in two (2) years exposing credit card data from 41 hotels in 11 countries
This is only a partial list of data breaches that affected millions of consumers, but it is tangible evidence that securing payment data is no small task, even when you have the luxury of a significant operational budget for cybersecurity and compliance.
Accounting for PCI requirements requires significant planning up front to develop and implement payment processing methods for customers and other entities that are expected to make payments online. This planning supports a holistic approach to selecting a qualified vendor, well-versed in PCI compliance, who will implement a secure online payment solution.
The selected vendor will then provide more convenient, secure payment methods and types, allowing the service provider to receive online payments securely via electronic check, credit card, and debit card transactions. Payment channels could include the internet, phone, customer service centers and payment kiosks. It is also imperative that the service provider or business selects a payment provider with a proven solution that offers real-time system monitoring and reporting, and the ability to integrate with the existing accounting systems and infrastructure.
In our modern era, many businesses, utilities and other service providers receive most of their payments for services from customers and other entities online. As such, these payment collection methods have become a major target for cyber-criminals, which makes it all the more important that online payments are made securely without making the process more cumbersome and time consuming.
One proven way to validate that a payment system is secure is to periodically conduct vulnerability scans, using an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool conducts a non-intrusive scan that remotely reviews networks and web applications, based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that cyber-criminals could use to target the company's private network. The scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are performed.
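Because the external scan is only as good as the address list the merchant hands over, a practical first step is to sanity-check that list before it reaches the scanner. The following is an added example, not code from the article or from any scanning vendor; it assumes the merchant supplies a free-form list of addresses and CIDR ranges, and uses RFC 5737 documentation ranges as constructed stand-ins for real public addresses.

```python
import ipaddress

# Constructed sample intake list: what a merchant might hand a scanning vendor
# as its "external-facing IP addresses". The documentation ranges (RFC 5737)
# stand in for the merchant's real public addresses.
MERCHANT_SUPPLIED_TARGETS = [
    "203.0.113.10",      # public-looking single host
    "203.0.113.10 ",     # same host, pasted twice with a trailing space
    "198.51.100.0/30",   # small public-looking range
    "192.168.1.25",      # RFC 1918: unreachable from the Internet, wrong list
    "10.0.0.0/8",        # RFC 1918 block
    "127.0.0.1",         # loopback
    "not-an-address",    # typo in the intake form
]

# Address space an external scanner can never reach; anything here signals
# that internal inventory was mixed into the external scope (assumed list).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def _is_routable(net):
    """True unless the network falls inside a known non-routable block."""
    return not any(blk.version == net.version and net.subnet_of(blk)
                   for blk in NON_ROUTABLE)


def classify_scan_targets(entries):
    """Split a free-form target list into a deduplicated external scope,
    non-routable entries to query with the merchant, and unparsable entries."""
    in_scope, out_of_scope, invalid = set(), [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            invalid.append(raw)
            continue
        if not _is_routable(net):
            out_of_scope.append(str(net))
            continue
        in_scope.add(net)
    # Collapse overlapping or adjacent networks, per address family, so the
    # scope handed to the scanner is minimal and free of duplicates.
    scope = []
    for version in (4, 6):
        nets = sorted(n for n in in_scope if n.version == version)
        scope += [str(n) for n in ipaddress.collapse_addresses(nets)]
    return {"scope": scope, "out_of_scope": out_of_scope, "invalid": invalid}


if __name__ == "__main__":
    for key, value in classify_scan_targets(MERCHANT_SUPPLIED_TARGETS).items():
        print(f"{key}: {value}")
```

Entries reported as out of scope or invalid go back to the merchant for correction before scanning; a private address on the external list usually means an internal inventory was pasted in by mistake.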
In addition, mitigation strategies should be developed in case of a breach, and periodic training and testing should be performed to ensure that the technical personnel responsible for supporting payment systems are aware of the expectations around maintaining a secure payment system.
In the end, this doesn't make the prospect of paying bills any more palatable for consumers, but it certainly ensures that customer data is not compromised and that companies are not subjected to hefty fines and negative press that could lead to deeper financial losses. As technical professionals, we can and should each take steps to ensure that online payments are more secure.