Across the public sector, digital transformation is making it easier to manage and process payments. But how secure are those transactions?
As digital continues to reshape the way the public sector operates, it’s increasingly important that the systems and processes used by everybody from councils to healthcare trusts remain secure and compliant. Nowhere is this felt more keenly than the topic of payment protection.
People want to know the card information they are submitting is secure and that their finances are safe. What steps is the public sector taking to ensure this — and how could the right technology solutions help to ensure PCI compliance and improve the user experience?
What is PCI compliance?
Whether the public is using digital services to pay for hospital parking, university fees or council tax, it’s vital that the organisations in question have the technology and the processes in place to ensure those transactions are completed safely and securely.
Broadly speaking, this is what we mean by PCI compliance: the responsibility of organisations across all sectors to not only secure card information as it’s being processed or transmitted but also when it’s stored (in other words, maintained in a secure environment).
Of course, like most compliance issues, the subject quickly gets more technical than that. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements set up and administered by the PCI Security Standards Council (PCI SSC) as part of an ongoing effort to measure and enhance payment card data security across all industries.
Using this standard, organisations can assess and demonstrate that their systems (and the processes underpinning them) are PCI compliant. There are 12 requirements in total:
1. Use and maintain firewalls
2. Ensure proper password protections
3. Two-fold protection of cardholder data
4. The encryption of transmitted data
5. The use and maintenance of antivirus software
6. Good software housekeeping (including up-to-date software versions)
7. Restricted data access
8. Unique IDs for access
9. Restricted physical access to cardholder data
10. The creation and maintenance of access logs
11. Routine system tests (scanning for vulnerabilities)
12. Clear, documented policies in place
PCI DSS as we know it has been around since 2006, but the environment it is tasked with securing is changing faster than ever. Work from home trends, changing citizen expectations and digital acceleration are all impacting the systems we use — and how we use them.
What does this mean for the public sector and how can it adapt safely and securely?
It’s important that transactions handled remotely can be trusted
Remote working looks like it’s here to stay, with many councils and other government bodies already unlocking the benefits of flexible working models. However, agents taking card payments from their home environment challenges several of the PCI DSS requirements:
- Is the cardholder data protected outside of the company firewall?
- Are portable devices being properly maintained, away from the IT team’s supervision?
- Is the agent using the secure, approved systems to save cardholder data or could they be storing it elsewhere?
- Could family, friends or other individuals around the home have access to confidential payment details?
The advent of remote and hybrid work has many benefits for businesses and their employees; however, it poses a unique challenge for endpoint security. With employees working in different geolocations, they connect to the business to complete their work in different ways. Split-tunnel VPNs, for example, have been used widely since the pandemic to lighten the traffic load on the corporate firewall, but as a consequence general internet browsing may not be protected by the corporate firewall at all.
This means that if a phishing link is clicked, the firewall is unable to protect the user, and there is no visibility that this user could now be infected. If a phishing email has got through your mail filter, the only two controls left are how well you have trained your users to spot a phishing email and the endpoint protection software running on their device.
PCI compliance opens doors to new services
A successful digital transformation project considers compliance as well as technology. A council that meets the PCI SSC’s requirements can introduce a 24/7 self-service payment model, for example, safe in the knowledge that its citizens’ data is protected — and their needs are met.
Using the system, citizens could log in from anywhere, at any time, and complete a transaction, be that paying council tax, subscribing to a gym, or booking a court at the leisure centre. Such a platform scales easily to manage any council-run services requiring booking or payment, drastically reducing the volume of enquiries inbound to the contact centre team while effortlessly — and securely — handling even large spikes in transactions, for example when tickets for a new council-run event go live or a recurring payment is due.
Agents can be relied on to take payments safely and securely
These systems don’t have to come at the expense of agent availability. In fact, because the public is able to self-serve the majority of their payments, agents are more likely to be free to handle those transactions for people who need additional help, whether the transaction is especially complex or the person is unable to complete it themselves. At all times, PCI compliance means the transactions are being handled safely and securely.
“Even when going fully digital, the experience needs to be just as friendly and human. Always give the user the option to talk to an agent if they want, for example, if they are confused by the payment platform or not comfortable with what it’s asking them to do.” Pete Whitehouse, public sector expert, Opus
More cost-effective payment processes
A secure, streamlined payment process makes it easier for government bodies across the public sector to generate revenue, helping to bring in often much-needed funding.
Where existing payment processes currently leverage legacy systems, the ability to upgrade to safer, more secure platforms can have long-term cost benefits, too.
As well as future-proofing payment operations, a system update is an opportunity for organisations across the public sector to remove old or outdated hardware such as chip-and-PIN machines, which incur costs and carry compliance vulnerabilities.
When reviewing PCI compliance, information security leaders need a solution that can accurately find cardholder data, recognise when it is at risk, and deliver automated controls to protect the sensitive data before it’s exposed. What steps can you take to achieve this?
Achieving PCI compliance at the platform level
Rather than attempting to retrofit existing legacy systems with third-party integrations and complex software add-ons, the most effective way to ensure compliance across all systems is to upgrade to a new platform that fulfils the PCI DSS criteria.
The benefits of upgrading to a new system extend well beyond PCI compliance, and for those councils already embarking on digital transformation journeys, the ability to ensure safe, secure transactions will seem like the icing on the systems-management cake.
If your council is not yet one of them, PCI compliance makes a strong business case for digital transformation, evidencing to the PCI SSC — as well as the public who depend on your services — that it couldn’t be safer or more straightforward to make a payment.
And as we mentioned above, new self-service platforms don’t mean your agents aren’t still there to lend a helping hand, guiding those members of the public who would still prefer to make a payment safely over the phone or via live chat.
“With the right systems in place to manage citizen data and minimise data lakes, your agents will be in a much stronger position to deliver a better experience and help their citizens, students or patients towards a first-time resolution.” Pete Whitehouse, public sector expert, Opus
As you can imagine, this can quickly become complex. The simplest way to deliver a successful digital transformation project that achieves compliance is to utilise an IT services provider.
PCI compliance with Opus
Opus has worked with several large organisations across the public sector in recent years to deliver PCI-compliant solutions as part of ongoing digital transformation projects.
Most recently, we worked with a university to deploy a PCI payment portal hosted within the Cirrus platform, delivering a Level 1 PCI DSS compliant solution that completely de-scoped the contact centre and mitigated risk by preventing agents from being exposed to sensitive card information.
- The Cirrus configuration was based on five concurrent user licences. Because fewer PDQ machines were needed, this also gave the university the ability to extend payment services to other departments and teams. (Additional licences can be added on a per-user, per-month basis as required.)
- Our platform lets university staff take payments from a number of devices and numbers — softphone via a PC, mobile and Unify handset — with the flexibility to work from any location on or off the university campus.
- Should the university decide to extend payment services via email, Cirrus Link Pay+ can be provided to perform this additional service.
As part of our commitment to PCI compliance, we maintain strong relationships with the majority of the payment providers in operation today. This means that whichever provider(s) you use to process your payments, it’s likely that we already have processes set up with them, so you won’t have to worry about brokering new partner relationships. We can work with you whatever the range of payment partners you’re using.
Most of all, we understand the sensitivities surrounding payment compliance and why it’s so important. If you’re not sure about your compliance, the people required to make payments to you probably aren’t having the best experience, either. Our expert team is here to help you solve for your organisation and its users with a PCI-compliant solution that makes payment worries a thing of the past — for our customers and for yours.