22 Jun
How payments and Co can help Councils take card payments securely via email
Islington Council recently came under fire for taking payments over email; the allegation was that this practice was an insecure means of taking card payments.
This article explores how Paymentsandco.com’s innovative payment solutions have helped many retailers and councils take PCI DSS compliant email payments effortlessly.
A London council’s data protection efforts are under review after it told residents to email in their payment card details for parking bay suspensions via a Word document.
Islington Council had required residents to share the security code from the rear of their cards, as well as their address, among other details.
One security expert said this appeared to be a breach of the payment card industry’s security rules.
The system has now been suspended.
“We have begun an internal investigation into the process of applying for and paying for parking bay suspensions,” a spokeswoman for the local authority told the BBC.
“In the short term, we have removed that form from our website.”
The Local Government Association said it was not currently aware of any other incidents like this.
The matter came to light after one resident contacted the council in order to secure a spot outside his home for a furniture-moving service.
“I was really surprised that they were collecting credit card details over email, because email isn’t secure,” said Dafydd Vaughan, who works for a technology consultancy.
“If something happened and the details were leaked, they could be used by other people, and the bank would hold me responsible for sending my details in an insecure way.
“I asked the council if I could pay online or over the phone, but was told that email was the only option.”
One cyber-security expert said that Islington Council appeared to have violated a requirement that payment cards’ security codes never be stored by third-parties.
Scott Helme added that there were also several other ways to transmit the other payment information more securely.
“I hope the council will take steps to ensure they properly erase any historic data they have collected in this fashion and notify those involved of any risk they may face,” he said.
“We need to know how many staff had access to these emails, could copies have been made, were they properly erased after use, or are they still stored.
“It will be interesting to see what steps will be taken to prevent incidents like this in the future given this seems to be the only way that constituents had to access and pay for this service.”
How paymentsandco.com could have assisted Islington Council
An email payment request as described above clearly brings Islington Council’s email desktop and email server, as well as all the connected services, into scope for PCI compliance. As it stands, this is going to be very expensive to fix. If paymentsandco.com were engaged, we could easily fix this issue for Islington Council and allow it to take more email payments, but in a PCI compliant manner.
paymentsandco.com has a mature email payment solution
The link on the left describes the process that is followed to:
- allow the admin to raise an invoice
- send a link to the customer
- the customer clicks on the link and is redirected to the bank
- the customer enters their card data and their security code; all the data is entered directly on the bank’s system, and the bank has a mature security team to manage the risk
- the customer makes the payment and the confirmation is sent to the customer
- the admin dashboard manages every single outstanding payment and tracks any issue
The diagram to the left shows the process and the forms that are completed and the resulting dashboard that would have allowed Islington.
The payment logs from email payments
The form to make email payment permissible is shown below
For more information, please contact firstname.lastname@example.org