Legislative Council: Wednesday, June 06, 2018

Online Payment Security

In reply to the Hon. M.C. PARNELL (6 June 2018).

The Hon. R.I. LUCAS (Treasurer): I have been advised:

Individual government agencies are responsible for ensuring that their ICT infrastructure, systems (including payment related websites) and information are secure.

The Department of the Premier and Cabinet maintains a number of policies for website security that all government agencies are required to comply with. These policies are consistent with international standards for information security management and include those requirements specified in the Payment Card Industry Data Security Standards for any websites that store, process or transmit payment card data.

As part of these policies agencies are required to conduct regular security testing and undergo an audit before a new website is commissioned.

I am advised that, based on a high level review undertaken across agencies where Shared Services SA provides an accounts receivable service, none of the associated government websites actually store, process or transmit payment data. In all cases where a customer seeks to make a payment, these websites open a secure interface to the Commonwealth Bank's BPOINT system (which would typically display to a user as HTTPS).

BPOINT is owned and managed by the Commonwealth Bank and is the preferred solution under the whole of government banking contract. Proper use of BPOINT ensures that sensitive payment data is being managed within the bank's systems without reliance on the security arrangements applying to the government website.

Specifically in relation to SA Pathology, I am advised that the transaction performed by your constituent was indeed secure. This website opened a secure connection into BPOINT, in the same way as described above.

I understand that, based on previous feedback from a member of the public, SA Pathology updated their website on 7 May 2018 to use a different technical method for connecting with BPOINT, which now clearly highlights that the user is accessing a secure site.

In terms of other payment methods offered by government agencies, such as over-the-phone services or provision of card details via a form, the Payment Card Industry Data Security Standards also apply to the associated processes and systems. In particular, there is a clear requirement not to store any sensitive cardholder data on computer systems or in paper form. I am advised that this is typically achieved through fully or partly redacting card numbers from documents after the applicable payment has been processed.

Should there be any further queries regarding specific agency payment websites, I would encourage that these be referred to the responsible minister.