Public sector opportunity in payments compliance

FOIA investigation suggests low compliance among councils when it comes to payments data

A merchant account services firm has discovered a lack of PCI DSS compliance among councils - suggesting an untapped opportunity for technology providers.

Graham Hallewell, managing director of the Card Processing Advisory Service (CPRAS), a company which aims to help its customers investigate card payment costs and reduce them if they are too high, said his organisation had asked 280 councils about their PCI compliance.

"We received responses from just 44 councils - which I think is a story in itself," he confirmed. "Of these, 26 admitted non-compliance; 11 said they are compliant and have the appropriate certification; seven said they are compliant or working towards compliance but have no certification."

CPRAS used Freedom of Information Act (FOIA) requests in its investigation, which require responses to be made within a specific time frame if certain criteria are met - such as the enquiry being of sufficient public interest, not being too costly to respond to, and not affecting issues of national security.

Its results suggest that IT channel companies could be missing a trick when supplying to the public sector - whether by offering assistance in terms of services or appropriate products that can help bodies become compliant, thereby better protecting the data of citizen customers, partners, and suppliers.

Hallewell noted that the consequences of a data breach can be catastrophic.

"Not only would individuals be exposed to cyber theft, but the councils' ability to function at all could be jeopardised, as they could lose the ability to accept card payments and would have to pay potentially massive fines," he explained.

"The PCI DSS regulations have been in place for a long time now and it is actually easy and inexpensive to make sure that all their customers' data is properly protected."

CPRAS' investigation followed up on one conducted two years ago, in which 80 per cent of respondents to that FOIA request indicated that councils were being overcharged by the banks for processing card transactions. "Of course that's a different story altogether," said Hallewell.

Information Commissioner's Office (ICO) figures on UK data breaches between April 2013 and March 2014 show that local government notified 234 incidents, and central government 45.