This past December, Russian hackers managed to infiltrate a North Carolina county website and demand a ransom of $26,000. Sounds like the storyline from a Hollywood movie, right? This disturbing trend is becoming an everyday part of reality for municipalities and county governments across the country, as these hackers expose the vulnerabilities in antiquated government computing systems.
The term PCI compliance has become a household name over the past few years, as the need for a standard approach to protecting against data breaches and fraud has become synonymous with the ability to accept digital payments. Major corporations spend hundreds of thousands of dollars annually to maintain the strict protocols recommended by the security council, and it’s something the public sector can no longer treat as a low-level priority. PCI compliance takes into consideration multiple factors, including hardware compliance, software compliance and the general rules and practices followed by merchants who handle sensitive data. How you store receipts, how long you hold on to credit card data and how you enter credit card information are just a few of the hundreds of questions that determine whether compliance is maintained.
Most local government agencies, however, fall into the lowest compliance category, which requires only a simple questionnaire and an annual scan of their systems. This scan typically identifies obvious errors or issues and serves as a reminder to make certain that sensitive data is being protected. Governments that process a higher volume (1+ million in annual transactions) are often subject to more rigorous standards and more comprehensive audits. These third-party audits can take weeks, require multiple vendors to be on site and can cost thousands of dollars.
One of the biggest issues we’ve found is that private sector businesses that use a third-party vendor to collect their payments often assume they are immune to PCI compliance because the processing happens outside their walls. Businesses must still maintain protocols to manage and protect any data that is shared with those third parties, including how that information is transmitted. There are multiple PCI compliance companies that continue to simplify the process of completing annual questionnaires and quarterly and annual scans, and of providing recommendations for addressing weaknesses in your systems. Most credit card processing companies align with a vendor to help simplify the process, but will often allow customers to choose their own vendor.
Any business, whether public or private, that accepts payments digitally should strive to maintain the highest standard of compliance, not only to meet the required standards but to protect the very data that its customers and constituents trust it to maintain. Keeping data safe from an accidental breach, a lost computer or Russian hackers is something every business should make significant efforts toward. The time and energy needed to fix a breach far outweighs the investment in making sure you remain compliant.