InforME Board Presentation on Payment Card DSS, Best Practices & Security
By Lisa Leahy, Office of eGov Services
At the June monthly InforME Board meeting, Jayne Holland, legal counsel and security officer for NIC, Inc. presented information to the Board about payment card industry data security standards (DSS), best practices and security. NIC is the parent company to the contractor which administers Maine’s web portal as well as eighteen other states, including Rhode Island. Rhode Island’s widely publicized credit card security breach in December of 2005 had led other states to further examine their processes for dealing with citizen information gathered via the web.
The Payment Card Industry (PCI) data security standards were published in 2005 and have been endorsed and adopted by all the major credit card brands; Visa, Diners Club, Amex, MasterCard, Discover, and JCB. All members, merchants and service providers that store, process or transmit cardholder data must comply. In addition, all parties with access to cardholder data are contractually required to comply. The PCI standards for Visa and MasterCard are rich in detail and consist of several types of assessments and scans.
Jayne also presented information on NICs security practices among their eighteen client states. NIC has a security council is in place that is composed of corporate IT staff, including their network security engineer, portal staff, security compliance officer and executive leadership. This council offers support to all state portals, by keeping them abreast of significant security vulnerabilities, facilitating a proactive security posture, continuously evaluating ways to enhance the security of systems and protect the data they process, store, and transmit.
NIC has purchased APPSCAN, a Watchfire product, to scan each state’s portal applications to review, identify and remediate vulnerabilities. Additionally, NIC has entered into an enterprise-wide partnership with Cybertrust one of the world’s largest providers of information security, forensic services, and PCI certification. Cybertrust’s certification program will allow for state portal certification based on essential security practices and result with a seal of approval being displayed on the portal. NIC’s goal is to be proactive versus reactive to security matters by centralizing management of key security standards and protocols.