Ensuring the security and compliance of payment systems is paramount, not only to protect cardholder and personal data but also to maintain the trust and confidence of the local community. The higher volume of transactions processed by unitaries, compared with smaller local authorities, means a larger attack surface, more systems in scope for compliance and a higher risk of fraudulent activity.
Make sure to follow these expert tips if you’re looking to bolster the security of your payment processing system.
Tip #1: Consolidate your systems to simplify compliance
If you’re inheriting a number of separate finance systems from a set of legacy councils, each system that stores, processes or transmits card or personal data will need to be scrutinised from a compliance perspective to ensure the current requirements of PCI DSS, UK GDPR and other regulatory guidelines are being met.
Consolidating into a single payment system makes it easier to control, implement and report on security measures. Even so, unitary authorities should still commit to conducting regular audits and comprehensive compliance checks to protect sensitive information and maintain public trust.
Tip #2: Implement multiple levels of safeguarding
Different types of payments require their own unique security measures. We’d recommend splitting your payments into three categories – online, telephone and face to face – before analysing each from a security perspective.
Online card payments should be protected by CV2 (the three-digit security code on the back of the card, four digits on American Express) and AVS (address verification system) checks as a minimum. Note that the acquirer may still approve a transaction when the CV2 or address does not match; it is the authority’s own payment system that must act on the mismatch result. CV2 and AVS are card-only checks, so bank transfers and Direct Debits need their own account validation instead. Many local authorities are now also using 3-D Secure cardholder authentication (a one-time passcode or approval in the cardholder’s banking app) to further boost fraud protection; an authenticated 3-D Secure transaction also shifts liability for fraud chargebacks to the card issuer.
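To make the point concrete, the following is an added example of the authorisation decision a payment system might apply for card-not-present (online or telephone) payments; it is not code from the original article or from any particular payment provider. The result codes (CV2 M/N/U, AVS Y/A/Z/N/U, 3-D Secure Y/A/N/U) and the amount threshold above which 3-D Secure is required are assumptions loosely modelled on common gateway conventions; real acquirers each publish their own codes and you should map to those.

```python
"""Layered accept/review/decline policy for a card-not-present authorisation.

Added illustrative example. The result-code values and the AuthResponse
shape are assumptions, not any real acquirer's API.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"
    REVIEW = "review"    # hold for a manual check before the payment is applied
    DECLINE = "decline"


@dataclass(frozen=True)
class AuthResponse:
    acquirer_approved: bool  # issuer approved the amount (NOT a fraud verdict)
    cv2_result: str          # 'M' match, 'N' no match, 'U' not checked (assumed codes)
    avs_result: str          # 'Y' full match, 'A' street only, 'Z' postcode only,
                             # 'N' no match, 'U' not checked (assumed codes)
    threeds_status: str      # 'Y' authenticated, 'A' attempted, 'N' failed,
                             # 'U' unavailable, '' not used (assumed codes)
    amount_gbp: float


def decide(resp: AuthResponse, threeds_required_above: float = 250.0) -> Decision:
    """Return the merchant-side decision for one authorisation response.

    threeds_required_above is an assumed local policy threshold: above it a
    payment is held for review unless 3-D Secure succeeded.
    """
    # 1. An issuer decline is final; nothing below overrides it.
    if not resp.acquirer_approved:
        return Decision.DECLINE

    # 2. A failed 3-D Secure challenge means the payer could not prove control
    #    of the card, so decline even though the issuer approved the amount.
    if resp.threeds_status == "N":
        return Decision.DECLINE

    # 3. CV2 mismatch: the payer does not have the physical card details.
    #    The issuer approval does not protect you here; act on the result.
    if resp.cv2_result == "N":
        return Decision.DECLINE

    # 4. AVS full mismatch: billing address does not match issuer records.
    if resp.avs_result == "N":
        return Decision.DECLINE

    # 5. Anything short of a clean result goes to review: CV2 not checked,
    #    partial or unchecked AVS, or 3-D Secure unavailable.
    if resp.cv2_result == "U" or resp.avs_result in ("A", "Z", "U"):
        return Decision.REVIEW
    if resp.threeds_status == "U":
        return Decision.REVIEW

    # 6. Full CV2 and AVS match without 3-D Secure is the article's stated
    #    minimum; accept it for low-value payments, review higher ones.
    if resp.threeds_status == "" and resp.amount_gbp > threeds_required_above:
        return Decision.REVIEW

    return Decision.ACCEPT


if __name__ == "__main__":
    # Constructed sample responses, not captured gateway traffic.
    samples = [
        AuthResponse(True, "M", "Y", "Y", 45.00),   # clean, authenticated
        AuthResponse(True, "N", "Y", "Y", 45.00),   # approved but CV2 mismatch
        AuthResponse(True, "M", "Z", "", 45.00),    # postcode-only match, no 3DS
        AuthResponse(True, "M", "Y", "", 1200.00),  # clean but high value, no 3DS
    ]
    for s in samples:
        print(s, "->", decide(s).value)
```

The ordering matters: the issuer's approval is checked first only so that a decline is never turned into a review, and every subsequent rule is the authority's own policy, which is exactly the part that CV2 and AVS "protection" depends on and that is often left unimplemented.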
Telephone payments should be protected by call securing and account validation. Call securing (masking the keypad tones, or pausing the call recording while card details are taken) lets residents enter card details on their telephone keypad, or pay through a secure payment link sent to their email or mobile, so the card number never reaches the call handler, the agent desktop or the call recording. This is what keeps the contact centre out of PCI DSS scope; the card data should be captured directly by the payment provider, not by council systems.
Face-to-face card payments should be protected by integrated Chip & PIN on PIN entry devices that are PCI PTS approved and deployed as part of a PCI-listed point-to-point encryption (P2PE) solution validated by a PCI-qualified P2PE assessor. It is the whole solution (devices, key management and the decryption environment) that is validated, not the terminal on its own, so check the solution is on the PCI SSC’s listing rather than relying on the supplier’s description. Cash payments can also be taken at a Post Office or PayPoint outlet using barcoded bills or payment cards generated by the payment system.
Tip #3: Don’t skimp on PCI DSS requirements
The recent update to the Payment Card Industry Data Security Standard, PCI DSS v4.0, has major implications for unitary authorities and other local bodies responsible for handling card transactions.
PCI DSS v3.2.1 was retired on 31 March 2024, so from 1 April 2024 v4.0 is the only version against which compliance can be assessed; a further set of future-dated requirements becomes mandatory on 31 March 2025. The new version introduces more rigorous controls to protect cardholder data, including multi-factor authentication for all access into the cardholder data environment, a 12-character minimum password length, and formal security awareness training requirements.
Unitaries must be able to demonstrate compliance with all applicable PCI DSS requirements, normally through the appropriate Self-Assessment Questionnaire (SAQ) or a Report on Compliance, and show the preventative measures taken to protect local residents from fraud. PCI DSS is enforced contractually through the acquiring bank rather than by statute, so non-compliance risks non-compliance fees and fines passed on by the acquirer, liability for fraud losses, and reputational damage.
We can support you from the provision of appropriate process documentation through to completion and submission of the appropriate PCI DSS forms, and in selecting and deploying the right technology, demonstrating compliance and realising the business benefits.
Tip #4: Provide regular security training
Cyber threats are constantly evolving, with attackers developing new methods to exploit vulnerabilities within local authority payment systems, and phishing and social engineering of payments staff remain among the most common routes in.
Regular training helps staff stay informed on the latest threats and ensures they can recognise and report potential security breaches as and when they happen. It also ensures that all staff understand why cardholder and personal data must be protected and how to handle it correctly. PCI DSS v4.0 requires security awareness training on joining and at least once every 12 months thereafter, and this is especially important for unitary authorities given the sheer amount of sensitive data they are responsible for protecting.