Smart Service Queensland (SSQ), a business unit of the Queensland Department of Science, Information Technology, Innovation and the Arts (DSITIA), has been recording and storing Australians' credit card numbers without being compliant with the security standards that card issuers demand.
SSQ is responsible for the security of several of the Queensland government's services, including its www.qld.gov.au website and the 13QGOV hotline. It was recently the subject of an audit by the Queensland Audit Office, which examined how effective its online service delivery is. Aside from its general findings on Queensland's online service delivery, the report from the audit found that SSQ does not conduct any form of penetration testing. SSQ's online services, however, were found to comply with the payment card industry data security standard (PCI-DSS). This standard sets the bare minimum level of security that organisations must achieve.
As online services do not include phone services, hotlines like the 13QGOV call centre were excluded from the most recent audit.
A departmental spokesperson told ZDNet that all calls to 13QGOV are recorded unless the customer specifically requests that it not be recorded, and that some recordings include personal and credit card details.
"Some of those calls involve transactions, and a lesser proportion involves a financial transaction," the spokesperson told ZDNet in a statement.
"Our current process is ... not fully PCI compliant, as we hold the call recordings; however, we have mitigating controls in place which have been confirmed through audit processes."
In addition to the reputational damage that a data breach could bring, the PCI Security Standards Council lists lawsuits, insurance claims, cancelled accounts, payment card issuer fines, and government fines as other possible negative consequences of experiencing a breach while not PCI-DSS compliant.
However, DSITIA is in a particularly difficult position, as, according to it, calls to the 13QGOV hotline are considered public records under the Queensland Public Records Act. The Act states that public records must not be disposed of unless authorised by the state archivist or another "legal authority, justification, or cause". DSITIA's agreement with the state archivist means that these records are retained for five years.
Although named as a public record, access to such records can be restricted. In the case where a record contains "information about the personal affairs of an individual", the Public Records Act requires that the record be restricted from access for at least 100 years.
According to DSITIA, the recordings are "held securely onsite with restricted and audited access".
"These arrangements are in place while we review our options for automated practices to appropriately mask recording components."
Regardless, the intent of the PCI-DSS is not to restrict access to credit card numbers or primary account numbers (PANs), but to ensure that they are either not needlessly stored, or, if they are absolutely required, that they are stored in a manner that is unreadable or non-trivial to recover. This ensures that even in the event of a breach, the risk to cardholders is minimised, as no usable card data is exposed.
"PCI looks to minimise the amount of data you're storing, but it particularly doesn't want you to store sensitive authentication data, which includes the CVV — the three-digit number on the back of your card," Verizon principal security consultant Darren Firman told ZDNet.
"If that's recorded, that would probably be a bigger problem for them than just storing the credit card numbers, and then they would need to look at ways of either clearing that out of recordings or making sure that you couldn't do online queries of that information."
While it isn't clear whether CVV numbers are recorded in calls, PCI DSS v2.0 requirement 3.4 further states that a PAN must be rendered unreadable anywhere it is stored, "including on portable digital media, backup media, and in logs".
Firman said that creating a PCI-compliant system could be a straightforward matter for simple organisations, but also a laborious one that could take some time to go through for larger ones.
"One of the first exercises that we take customers through is working out the scope — how many systems are involved, how many people are involved, the number of different types of processes involved — so it can be quite a costly exercise to go through."
SSQ handles about 11 percent of all of its service interactions via the 13QGOV service. Last year, that represented 3.45 million calls, which covered over 260 service types. Such calls include enquiries on seniors cards, camping permits, consumer rights, and public housing maintenance.
From here, Firman said that the next steps for DSITIA would be getting advice from its bank and the PCI Council on what to prioritise — mainly reducing and removing card data.
That would include activating any function to stop recording, or to delete from a recording any cardholder information, if applicable.
"If their system is unable to do that, then it would be a big, potentially costly exercise either to replace it or find another way of stripping out the information or storing it offline somewhere," Firman said.
DSITIA told ZDNet that many of the payments taken via its call centre use an interactive voice-response touch-tone system, but that this is often an option offered to customers rather than a requirement. It did state that with some other services, a customer service advisor would be required, meaning the call would be recorded unless the customer had the foresight to request that it not be.
Despite SSQ not being PCI compliant, Firman said 13QGOV callers should not panic or be overly alarmed about the security of their details.
"I would be conscious [that] I'm using a service that isn't PCI compliant, but there's a lot of them out there, and people use the internet for making purchases and paying for things.
"If you're using a service that you must pay things to the government through and in some way that was compromised and your credit card was gone ... you're not at fault, and usually have some way of getting your money back."