The Canada Revenue Agency, the RCMP, Statistics Canada and more than a dozen other federal departments and agencies have failed an international test of the security of their credit card payment systems.
Altogether, half of the 34 federal institutions authorized by the banking system to accept credit-card payments from citizens and others have flunked the test — risking fines and even the revocation of their ability to accept credit and debit payments.
Those 17 departments and agencies continue to process payments on Visa, MasterCard, Amex, the Tokyo-based JCB and China UnionPay cards, and federal officials say there have been no known breaches to date.
These institutions all fell short of a global data-security standard launched in 2006 that’s meant to foil fraud artists and criminal hackers bent on stealing names, numbers and codes for credit and debit cards.
“A security violation on a department’s databases would have a terrible effect on the government’s reputation and public trust which will have a long-term effect on the stewardship functions of government,” says a June 7 briefing note.
“Departments may be subject to fines, card replacement costs or incur costly forensic audits. Moreover, a payment processor may suspend and revoke the privilege to accept payment cards, or increase transaction processing fees.”
Eleven of the 13 Shared Services Canada (SSC) clients that fell short of the credit card security standard say the agency itself has not fixed the security problems.
“Based on the latest information, all 13 departments which are supported by SSC are considered to be non-compliant, of which 11 have indicated SSC IT systems related problems as the largest contributing factor,” says a Public Services letter to the head of cyber and IT security at Shared Services.
“As such, we need to understand how SSC intends to support these non-compliant departments.”
The institutions that failed the credit card security checks are: Health Canada, RCMP, Industry Canada, Transport Canada, National Research Council, Canada Border Services Agency, Natural Resources Canada, Immigration, Refugees and Citizenship, Statistics Canada, Fisheries and Oceans, Canada Revenue Agency, Canada Food Inspection Agency and Library and Archives Canada, all of which depend on SSC for their IT.
“I think the [data security] standard that government departments should be held to is higher than this.” – David Skillicorn, professor in the School of Computing, Queen’s University, Kingston, Ont.
A spokesperson for Shared Services laid some of the blame on the more than 700 small data centres it inherited in 2011, when the agency was created to assume IT responsibilities across government. Reports CBC