CPRAS advise us that:
1. Cardholder data is now sacrosanct, and if it is not properly protected when we take card payments, then senior management face potential custodial sentences, as well as personal fines of up to €20m. The potential consequences for councils are: fines of up to €20m, reputation damage, suspension of payment facilities, card replacement costs of c. £107 for every card ever used to make a payment, and the seizure and forensic examination of computers and other payment processing hardware.
2. The complexity and highly specialised nature of the problem has meant that many Councils have spent large sums on buying in expertise and adapting systems to process payments securely. This is not only extremely inefficient, it also leaves councils dangerously exposed if any systems fall behind current best practice and are breached.
3. Many of the systems that are currently in use, such as those that record calls but pause the recording when a payment is being taken, are completely insufficient under the new regulations.
It is possible to solve these problems by “de-scoping” all cardholder data, i.e. by removing all the “dangerous data” from a council's area of responsibility. De-scoping is something of a buzz term and, like anything else, there is a right way and a wrong way, but done correctly it provides comprehensive protection for customers and councils… and senior managers!
With the right partners, full de-scoping is easy and cost effective. Shropshire Council engaged CPRAS to create and manage a Framework which allows access to modern, de-scoped payment ecosystems – and, in the cases that they have handled so far, the councils have achieved cost savings at the same time.
Toni Vitali, a senior partner at payment specialist law firm Addleshaw Goddard, provided the seminar with the legal timeline for when full payment data protection MUST be in place. However, he also spoke about negligence and the potential for legal actions right now. Two key issues were highlighted:
- The payment security standard PCI DSS has been around for over a decade. Those of us who do not fully comply with this standard face huge legal, reputational and financial consequences if there is a breach in our systems. These consequences are getting even greater, very soon.
- Councils who have achieved PCI DSS compliance are at risk. Martin Morris from GCI showed us how only 13% of councils are actually compliant despite over 40% believing that they are. He commented that, in his view, trying to maintain compliance ourselves is a high risk strategy with zero reward.
The conclusion of the seminar was simple: this is an issue that needs to be addressed, and soon. I am sure that some councils will already be addressing this, although others may not; all councils will be in a different position, I’m sure. However, one option is to liaise with CPRAS who, as a SOLACE business partner, have promised to provide a full cost / savings analysis and project plan within five working days.
We will make the slides from the various presentations available in the next few days. In the meantime, the person to contact is Andy Flavell, the Framework Director at CPRAS, at firstname.lastname@example.org