Politics

More than a dozen federal departments flunked a credit card security test

There are 34 federal departments and agencies that allow citizens and others to pay for services with credit and debit cards. An internal briefing note, obtained by CBC News, shows that half of those institutions have flunked a global test designed to help ensure that personal information is not breached by hackers.

Canada Revenue Agency, RCMP among 17 federal agencies that failed to meet security standard

Seventeen federal departments and agencies have flunked a basic test of their credit card data security. (Ryan Remiorz/The Canadian Press)

The Canada Revenue Agency, the RCMP, Statistics Canada and more than a dozen other federal departments and agencies have failed an international test of the security of their credit card payment systems.

Altogether, half of the 34 federal institutions authorized by the banking system to accept credit-card payments from citizens and others have flunked the test — risking fines and even the revocation of their ability to accept credit and debit payments.

Those 17 departments and agencies continue to process payments on Visa, MasterCard, Amex, the Tokyo-based JCB and China UnionPay cards, and federal officials say there have been no known breaches to date.

Shared Services Canada blames the aging and inefficient data centres it inherited in 2011 for the poor performance of 11 departments on a basic credit card security test. (Shared Services Canada)

These institutions all fell short of a global data-security standard launched in 2006 that's meant to foil fraud artists and criminal hackers bent on stealing names, numbers and codes for credit and debit cards.

"A security violation on a department's databases would have a terrible effect on the government's reputation and public trust which will have a long-term effect on the stewardship functions of government," says a June 7 briefing note.

"Departments may be subject to fines, card replacement costs or incur costly forensic audits. Moreover, a payment processor may suspend and revoke the privilege to accept payment cards, or increase transaction processing fees."

Main culprit?

CBC News obtained the briefing note, to the deputy minister of Public Services and Procurement Canada (PSPC), under the Access to Information Act.

The document suggests the main culprit is Shared Services Canada (SSC), the federal IT agency created in 2011 that operates and maintains data systems for 13 of the 17 non-compliant institutions.

Eleven of the 13 SSC clients who fell short of the credit card security standard say the agency itself has not fixed the security problems.

"Based on the latest information, all 13 departments which are supported by SSC are considered to be non-compliant, of which 11 have indicated SSC IT systems related problems as the largest contributing factor," says a Public Services letter to the head of cyber and IT security at Shared Services.

"As such, we need to understand how SSC intends to support these non-compliant departments."

The institutions that failed the credit card security checks are: Health Canada, RCMP, Industry Canada, Transport Canada, National Research Council, Canada Border Services Agency, Natural Resources Canada, Immigration Refugees and Citizenship, Statistics Canada, Fisheries and Oceans, Canada Revenue Agency, Canada Food Inspection Agency and Library and Archives Canada, all of which depend on SSC for their IT.

I think the [data security] standard that government departments should be held to is higher than this.- David Skillicorn, professor in the School of Computing, Queen's University, Kingston, Ont.

The Library of Parliament, National Defence, the National Film Board of Canada and the Canadian Centre for Occupational Health and Safety are also non-compliant, but are responsible for the security of their own IT systems.

The global standard is known as PCI DSS, for "Payment Card Industry Data Security Standards." It was established by five of the big credit-card firms. Federal departments must self-assess against the standard annually.

The Receiver General for Canada, a unit of PSPC responsible for, among other things, ensuring departments are compliant, inspects the self-assessment reports for problems. The Receiver General also hired the accounting firm Deloitte to review results and recommend fixes, and hired TELUS to validate the self-assessment questionnaires.

"To our knowledge there have not been any issues and no departments have had their privilege revoked as a result of non-compliance," said PSPC spokesperson Rania Haddad.

"If the independent security assessor [TELUS] were to flag any concerns of medium or high risk of a breach of privacy, PSPC would consider revoking payment card privileges. No such signal has been given to date and no department has had their privilege revoked."

The Receiver General has been pushing Shared Services Canada to "take a more leading role" in meeting the global standards for its clients, says the briefing material.

David Skillicorn, professor in the School of Computing, Queen's University, Kingston, Ont., says the security standard set by credit card companies is a "blunt tool." (The Queen's Journal)

A spokesperson for Shared Services laid some of the blame on the more than 700 small data centres it inherited in 2011, when the agency was created to assume IT responsibilities across government.

SSC has closed 155 of those centres and established three modern data centres, but still struggles with legacy data-processing systems that are aging and inefficient, said Monika Mazur.

"We have identified approximately 12 to 15 per cent of applications that are non-compliant with the [security] standard, which we are working to address with our customers," she said.

"Shared Services Canada is also coordinating vulnerability scans and penetration tests to further improve compliance and security of card holder data."

Months to discover

A 2018 global report by the telecommunications firm Verizon said 68 per cent of data breaches took months to discover, and were often first reported by a third party.

A data expert at Queen's University in Kingston, Ont., calls the PCI DSS standard a "limited instrument" and "blunt tool."

"It's one of those standards that hovers between something useful and security theatre," said David Skillicorn, a professor in the school of computing.

"There's no reason why you shouldn't meet the standard. I think the standard that government departments should be held to is a lot higher than this."

Follow @DeanBeeby on Twitter

ABOUT THE AUTHOR

Dean Beeby

Senior reporter, Parliamentary Bureau

Dean Beeby is a CBC journalist, author and specialist in freedom-of-information laws. Follow him on Twitter: @DeanBeeby