Geoff Forsyth

If you’re responsible for PCI compliance in your organisation, you’ll probably be well aware that as part of the latest PCI DSS Version 3.2 update, it’s become clear that ongoing auditing of your practices is the only guarantee your business will remain compliant.

Gone are the days of only auditing your processes once a year when you apply for compliance verification. Now, PCI compliance must be a business as usual operation, built into the core running of the business.

Nothing has illustrated this better than the news that Islington Borough Council has been asking its residents to submit payment for suspended bay licenses via email.

Luckily, the error was exposed by a technology consultant – rather than a hacker – who quickly flagged the issues to the council, as well as telling the BBC about the huge security risk. He phoned up to ask whether he could pay the fee using a more secure method and was told the council could only process the payment if the form was returned with all his card details via email.

Details the council asked for via email included the cardholder’s name, address, card number, expiry date and security code – presumably so it could be processed via a card terminal by a contact centre operative.

But these details should never be stored if possible according to PCI DSS, let alone transmitted over an insecure network where any number of colleagues or interceptors could copy the information, send onto others, or just siphon it off and use it for fraudulent activities.

Islington Council claimed it did know the form was present on its website and said staff were told payment could only be accepted via email.

This is a clear example of what happens when payment data practices aren’t enforced properly. The council has now removed the form and will look at alternative ways of collecting payments.

What’s even more surprising is that the company actually achieved both PCI and PSN compliance in 2017. Although it’s likely the council was compliant then, a disconnected strategy has meant it’s now failed PCI DSS compliance and is under investigation for breaching basic sensitive data standards.

If Islington Council had been continuously monitoring and auditing its payment processes, this glaring security hole would have been identified and probably fixed without anyone realising the mammoth slip up.

Furthermore, if staff had been properly trained in the basics of PCI compliance, they would be well aware that sending such information via email is a big no-no and should have pushed for transformation.

This is just one example of why it’s key to continuously audit and monitor your payment processes to ensure there’s no risk of losing compliance. Implementing the right payment solution, such as Dual Tone Multi Frequency (DTMF) takes the pressure off the contact centre to manually comply because no payment data is stored.

To discuss how PCI Pal can assist you with your PCI compliance journey, get in touch with one of our experts.