Regulatory agencies must ensure that the software systems they use meet strict security standards set by state IT departments. In order to keep users’ data safe, however, they need to do even more. They also must ensure that third-party vendors comply with security standards. That can be difficult, but the consequences of third-party data breaches can be severe, both for the public and for agency reputation.
A security breach of the computer system Arkansas uses to process unemployment compensation benefits compromised the personal information, including banking information, of many applicants. On July 16, the Arkansas Democrat-Gazette reports, the vendor that developed the system was sued on behalf of thousands of applicants. Though the state is not a defendant in the suit, the incident harmed the reputation of the agencies involved. The breach also hurt the people the agency serves.
As dramatic as unemployment system failures may be, payment processors are the third-party vendors most frequently scrutinized for compliance with state security standards. It’s easy to understand why. A typical regulatory agency processes thousands of payments every year for licenses, renewals, permits and other fees. These tend to involve credit card companies and other payment processors, and many occur through agency websites and do not involve agency staff at all.
An agency’s payment processing interface plays an important role in keeping data safe. GL Solutions has configured the GL Suite application to work with many credit card vendors, and the application programming interface (API) can integrate with any type of payment vendor, including PayPal. This flexibility allows agencies to switch easily from vendors that do not meet security standards to those that do.
Many GL Solutions clients use GL Suite’s payment processing capability, including:
- The Minnesota Board of Cosmetology, which contracts with a third-party vendor to process renewal fees online.
- The Virginia Department of Criminal Justice Services, which contracts with a third-party vendor to process online payments.
GL Suite itself meets PCI DSS standards, and GL Solutions accommodates client requests for information about compliance with common security standards for software and hardware.
Additional components of payment processing in GL Suite include:
- Credit card processing is a standard component of GL Suite’s online functionality.
- GL Suite’s API can integrate with many credit card vendors.
- GL Suite’s API can integrate with any payment vendor.
- Upon payment submission, GL Suite generates a unique receipt number for each payment and applies it to the correct license record.
- GL Suite meets PCI DSS standards.
- GL Suite does not retain credit card numbers. It retains only the credit card confirmation number response from the payment processor.