In a serious breach of PCI security rules, Islington Council required residents to share their credit card details, including security codes, via email in plain text to pay for parking bay suspensions, a resident has alleged.
According to Dafydd Vaughan, who spoke to the BBC, Islington Council advised him to share his credit card details, including the security code, and his address only via email, even when he offered to provide his card details through more secure channels.
"I was really surprised that they were collecting credit card details over email, because email isn't secure. If something happened and the details were leaked, they could be used by other people, and the bank would hold me responsible for sending my details in an insecure way.
"I asked the council if I could pay online or over the phone, but was told that email was the only option," he said.
Following Mr. Vaughan's allegations, Islington Council admitted that it had indeed asked residents to share payment card details via email, but said the practice had been stopped and an investigation into the payment process had been initiated.
"We have begun an internal investigation into the process of applying for and paying for parking bay suspensions. In the short term, we have removed that form from our website," a spokesperson for Islington Council told the BBC.
Lack of compliance with PCI security standards
Islington Council isn't alone when it comes to organisations requesting and storing payment card information in violation of PCI security standards. According to the Verizon 2017 Payment Security Report, as many as 44.6% of organisations failed to comply with the security standards laid out by the Payment Card Industry in 2016.
Verizon added that of all the payment card data breaches it investigated between 2010 and 2016, none involved an organisation that was fully PCI DSS compliant at the time. However, full compliance with PCI DSS has improved over the years, with the percentage of compliant firms rising from 11.1% in 2012 to 55.4% in 2016.
How non-compliance with PCI security standards can compromise the sensitive financial information of millions was demonstrated in November last year, when fashion retailer Forever 21 announced that, between March and October of that year, hackers had gained unauthorised access to several of its unencrypted payment card systems and may have stolen customers' payment card information during that six-month period.
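The PCI DSS point the article turns on is that card data, and above all the security code, must never be accepted or stored in plain text. As an added example (not from the article, the council's system, or Verizon), here is a Python check that a web form handler or outbound mail gateway could run on a submission before it is stored or sent: it finds candidate card numbers, confirms them with the Luhn mod-10 check that real primary account numbers satisfy (which filters out reference numbers and typos), flags any labelled security code, and produces a redacted copy that is safe to log. The sample messages are constructed; the card numbers are the standard Luhn-valid test values used in payment documentation, not real cards; the function names are the example's own.

```python
import re

# Constructed sample form/email submissions for the demo. The card numbers
# are standard Luhn-valid test values, not real cards.
SAMPLE_MESSAGES = [
    "Please suspend bay 12. Card: 4111 1111 1111 1111, exp 12/26, CVV 123",
    "Reference number 1234567890123 for my application",
    "Card 4111-1111-1111-1112 exp 01/27",   # fails Luhn: a typo, not a PAN
]

# 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")
# A labelled 3- or 4-digit security code (CVV/CVC).
CVV_FIELD = re.compile(r"\b(cvv|cvc|security code)\b(\s*:?\s*)(\d{3,4})\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    digits above 9 have 9 subtracted, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators so a PAN compares as a plain digit string."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the digit-only card numbers found in text. A candidate counts
    only if it is 13-19 digits long and passes Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask card data so the message can be logged or forwarded: PANs keep
    only the last four digits and security codes are removed outright
    (PCI DSS forbids storing the CVV at all, even encrypted)."""
    def mask_pan(m):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "****" + digits[-4:]
        return m.group(0)   # not a card number; leave it alone
    text = PAN_CANDIDATE.sub(mask_pan, text)
    return CVV_FIELD.sub(lambda m: m.group(1) + m.group(2) + "***", text)


def assess(text: str) -> dict:
    """Decide whether a submission must be rejected before it is stored or
    emailed, and return a redacted copy for the audit log."""
    pans = find_pans(text)
    has_cvv = CVV_FIELD.search(text) is not None
    return {
        "has_pan": bool(pans),
        "has_cvv": has_cvv,
        "reject": bool(pans) or has_cvv,
        "pans": pans,
        "redacted": redact(text),
    }


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = assess(msg)
        print(("REJECT  " if result["reject"] else "ok      ") + result["redacted"])
```

Only the redacted copy should ever reach a log or a ticketing system; the rejection itself is the control, because once the card data has arrived in a mailbox it is already stored in plain text in violation of the standard.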
Commenting on the news that Islington Council had asked residents to share their credit card details in plain text via email, Rashmi Knowles, Field CTO for RSA Security, said that asking for financial information in a plain-text Word document is frankly shocking, is a serious breach of PCI security rules, and could potentially fall foul of GDPR as well.
"Not only has Islington Council asked for card numbers, but also the holder's name, start and expiry dates and even the security code on the back of the card. In short, all the information a hacker would dream of having, all packaged up in one relatively easy to access place. This type of information should always be encrypted, otherwise it is very easy for a hacker to obtain.
"People will often put a lot of trust in councils and assume they know best, but this is a good example of the need for us all to be vigilant. If you are ever asked to provide this kind of information, always stop to ask questions and never share such information if it is not encrypted, even if it is a trusted partner that is asking you to," she added.