Portland out of compliance for data security

Published 12:00 am Tuesday, November 18, 2014

The City of Portland has been out of compliance with the industry standard on data security for payments, an audit released Tuesday shows.

The debit and credit card payments made to the city for, among other things, taxes, license fees, permit fees, inspections, parks and rec programs, water and sewer bills, parking garages and parking meters, are covered in this report from city auditor LaVonne Griffin-Valade.

The risk to consumers is that data could be compromised by fraud or breach. The international security standard is meant to reduce those risks.

“Some of them are technological, specifically protecting cardholder data,” said Drummond Kahn, the director of audit services. “Some of them are organizational.”

The city’s own policy and its banks require the city to follow the international standards, and there can be penalties for not following them. The fines can be as much as $500,000 a year for non-compliance.

Ben Berry with the Bureau of Technology Services said there are 275 initiatives under the data security standard.

“Each year since 2009 we’ve had remediation plans, be it changing the architecture, updating policies and procedures,” Berry told KOIN 6 News. “Resourcing has been a consideration for getting through all of those through each of those years, and the standards tend to change.”

But Berry added there is one clear goal.

“We will get this city into payment card industry standard compliance,” he said.

Below is Ben Berry’s full statement about the non-compliance report by the City Auditor:

We take the City’s responsibility of securing your information very seriously. PCI compliance does not guarantee your information will be safe, but it is a security measure we will meet.

There have always been measures in place to keep your personal information secure. We encrypt our data at rest and in transit, and we use access control measures and network segmentation on a need-to-know basis.

This issue is about compliance with Payment Card Industry Data Security Standards, NOT a security breach. The report is saying that we do not meet this industry standard, NOT that your information was compromised.

Compliance with this standard is not a guarantee that your data is safe; just the same as non-compliance does not mean your information is at high risk.

The City has a plan to meet PCI compliance requirements. As the plan is implemented, the City will continue to maintain and improve the security features that have always been in place at the City of Portland.