Government Gets Swept Up in Payment Security Compliance

The payments industry has taken it upon itself to police any entity that accepts credit or debit cards — even when that entity is the police.

Police departments accepting payments for traffic tickets, treasurers accepting tax payments or a public health department taking payments for inspection fees have to fully embrace compliance with the Payment Card Industry data security standard, says Jayne Holland, associate general counsel and chief security officer for NIC Inc., an Olathe, Kan.-based government online portal provider and payment processor.

Holland provided an overview of PCI compliance issues during a Sept. 20 secure payment processing webinar for government agencies. Any government entity accepting card payments will be considered a merchant in the eyes of the payments industry because it generally holds the merchant account with the acquiring bank, Holland says.

Richard Petrecca Jr., manager of systems integration and deployment strategies for the city of Indianapolis and Marion County's information services agency, also presented during the webinar hosted by NIC and the Center for Digital Government.

The city of Indianapolis and Marion County handle 45,563 payment transactions each month, Petrecca says. The advent of online payment options has increased transaction volume and the need for stringent data security, he says.

NIC, as the payment processor, helps the city establish compliance with PCI's core requirements, which could include more than 200 security controls, Petrecca says.

"The time, effort and money required for compliance is substantial," he says.

A government considered a Level 1 to Level 3 merchant, based on its number of transactions, could spend between $44,000 and $125,000 for scoping and assessment of payments systems and between $81,000 and $568,000 for system upgrades to reach compliance.

Government agencies will eventually upgrade to point of sale technology needed for chip-and-PIN transactions and even mobile payment acceptance, Holland says.

"As for mobile, that's undoubtedly where we are headed," Holland says.

Petrecca says police wouldn't be taking credit card payments for speeding tickets on a card-reader device attached to their mobile phones any time soon.

"But if someone is traveling through Indianapolis, on their way to St. Louis, and they get a speeding ticket, they may be able to pay for that from their mobile phone," Petrecca says.

The government carries the responsibility of ensuring its payment acceptance systems are PCI compliant by adhering to the standard's key security requirements. But a service provider, processing payments on behalf of the government, would in turn accept the liability of PCI compliance, Holland says.

One of the main challenges for government agencies when dealing with PCI compliance is realizing compliance becomes an "ongoing, everyday task," Holland says.

"The PCI council always says if you are compliant today, it doesn't mean you will be compliant a day, a week or a month from now," Holland says. "Many things [technology shifts or new cyber attacks] can happen and evolve in a short period of time to change things."

