State of Maine Electronic Commerce
By Lisa Leahy, eGov Services, OIT
What do these recent headlines have to do with technological responsibility within the State of Maine infrastructure? Hopefully nothing. A recent survey finds that 66% of internet users visit local, state, or federal government web sites, and 71% of internet users buy products online (see the chart below). The State of Maine offers many online and remote point-of-sale purchasing opportunities: hunting/fishing licenses, IF&W shirts, car registrations, and professional license renewals are just a few. How do we assure our customers a safe and secure interface with the State?
The Payment Card Industry Data Security Standard (PCI-DSS), published in 2005, establishes a common industry approach to the handling of payment cards. Industry leaders (Visa, Diners Club, Discover, Amex, and MasterCard) set the security requirements, which apply to all "system components" in the cardholder data environment. System components include network devices, servers and applications; the servers include web, database, authentication, mail, proxy, network time protocol (NTP) and domain name server (DNS) hosts. Applications include all purchased and custom applications, both internal and external (internet-facing).
Who must comply?
- All members, merchants, and service providers that store, process or transmit cardholder data
- All parties with access to cardholder data
- All such parties must be contractually required to adhere to payment card industry security requirements
The majority of the State of Maine electronic commerce transactions occur through maine.gov using the InforME PCI-DSS merchant account, while some agencies use their own PCI-DSS merchant account (from Treasury). Additionally, agencies use Point of Sale terminals in remote locations that are PCI-DSS compliant. Lastly, a few agencies contract with a trusted third party that is PCI DSS compliant.
In addition to PCI-DSS compliance, the State Treasurer's Office is pursuing a state policy for payment card use. The State Treasurer and CIO realize the importance of codifying the process and educating state employees. While we can be assured that most of our electronic transactions are secure, there have been a few instances over the past year of payment card information being transacted, collected and saved in high-risk ways. Examples of high-risk procedures include:
- entering payment card information such as the cardholder name, expiration date, payment card number, and three-digit security code into a spreadsheet for future use or record keeping
- use of old payment card software applications (pre-2005, i.e. predating the PCI-DSS requirements)
- filing payment card information in hard-copy file cabinets
- e-mailing payment card information
Under no circumstances should a state employee record and/or store payment card information. The technology exists to address most payment card scenarios in a secure fashion, and the Treasurer's Office is available to assist with agency-specific needs. The purpose of this article is to reach out to IT staff and raise their awareness of PCI-DSS compliance. If you become aware of any situation in which an agency may be collecting or storing payment card information in a non-compliant manner, please bring this to the attention of your Agency Information Technology Director (AITD). They, in turn, can work with agency management and the Treasurer's Office to create a secure environment.
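Finding card numbers that have already leaked into spreadsheets, exported CSV files or mailbox archives is the first step in cleaning them up. The following scanner is an added example, not part of the original article or of any State of Maine tooling: it looks for 13- to 19-digit runs (allowing the spaces and dashes people type between card groups), keeps only those that pass the Luhn check digit and carry a prefix of one of the card brands named above, and reports them with all but the last four digits masked so the report itself does not become another copy of cardholder data. The sample text is constructed here and uses the card brands' published test numbers, not real accounts; the issuer prefix ranges are the ones in common use and are an assumption of this example.

```python
"""Scan text for stored payment card numbers (PANs) and report them masked.

Added example: candidate digit runs -> Luhn check -> brand prefix check -> masked finding.
"""
import re

# 13-19 digits, each optionally followed by one space or dash (e.g. "4111 1111 1111 1111").
# Lookarounds stop the match from starting or ending inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Map a digit string to a card brand by length and issuer prefix; None if no brand matches.
    Prefix ranges are an assumption of this example, not taken from the article."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "MasterCard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65") or 644 <= int(digits[:3]) <= 649):
        return "Discover"
    if n == 14 and (digits[:2] in ("36", "38") or 300 <= int(digits[:3]) <= 305):
        return "Diners Club"
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits; PCI-DSS allows at most first six/last four to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str):
    """Return (line_number, brand, masked_pan) for every likely card number in text."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue                      # invoice/reference numbers rarely pass Luhn
        brand = card_brand(digits)
        if brand is None:
            continue                      # Luhn-valid but not a known issuer prefix
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append((line_no, brand, mask(digits)))
    return findings


# Constructed sample: a spreadsheet export of the kind the article warns about, mixed with
# non-card numbers. The card numbers are the brands' public test numbers, not real accounts.
SAMPLE = """Name,Card,Exp,CVV
Jane Doe,4111 1111 1111 1111,12/09,123
John Roe,5555-5555-5555-4444,03/10,456
Invoice 2007-0456 total 1234567890123456 (reference number, not a card)
Amex on file: 378282246310005 exp 07/08
Order #6011111111111117 paid; phone 207-555-0100
Diners 30569309025904
Typo'd card 4111 1111 1111 1112
"""

if __name__ == "__main__":
    for line_no, brand, masked in find_pans(SAMPLE):
        print(f"line {line_no}: {brand} {masked}")
```

Run against a directory of exported spreadsheets or mail archives, the script gives an AITD a list of files and line numbers to act on without copying the card numbers anywhere. Note that it deliberately reports nothing for the reference number on line 4 (fails Luhn) and the mistyped card on the last line (fails Luhn), so every finding is worth a follow-up; a real sweep would also need to read the binary spreadsheet and mailbox formats, which this example leaves to the caller.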
According to the Pew Internet & American Life Project's December 2006 survey, 70% of American adults use the internet, currently about 141 million people. Here are some of the things they do online:

| Activity | Percent of internet users who report this activity | Most recent survey date |
| --- | --- | --- |
| Send or read e-mail | 91 | December 2006 |
| Use a search engine to find information | 91 | December 2006 |
| Search for a map or driving directions | 84 | February 2004 |
| Research a product or service before buying it | 78 | February-March 2005 |
| Get travel info | 73 | May-June 2004 |
| Buy a product | 71 | August 2006 |
| Get news | 67 | December 2006 |
| Visit a local, state or federal government website | 66 | August 2006 |
| Buy or make a reservation for travel | 63 | August 2006 |
| Surf the Web for fun | 62 | February-April 2006 |