Water utility reduces PCI DSS exposure through outsourcing
Written by: Martin J Williams
This water-only utility supplies drinking water to nearly 700,000 consumers in circa 300,000 properties across a supply area of over 300 sq. miles, much of which is rural.
The business is diverse and it makes maximum use of its assets. This includes utilising its garage facilities to provide public vehicle servicing and MOT testing, and providing a retail counter selling specialist plumbing supplies not readily available elsewhere to trades and the general public.
Due to growth in the business and the range of services offered, the water utility is handling an increasing number of debit and credit card payments. With such a large number of customers, the water utility takes the security of its customer data very seriously. It is keen to ensure that it takes the necessary steps not only to ensure compliance, but also to follow best practice guidance. Furthermore, the water utility recognises that compliance is not a one-time event, but an area that requires continuous monitoring, assessment and improvement in response to new and emerging threats.
All businesses that process card payments are subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS). Depending upon the volume of card transactions and the risk profile of the organisation, there are differing levels of reporting required to demonstrate compliance.
With the volume of transactions rising, the water utility had reached a threshold with its merchant card services provider – the financial organisation required to process card transactions on the water utility’s behalf. This meant that the level of reporting required was being increased.
Any organisation failing to adequately protect sensitive card data risks being subject to:
- A card data breach and the subsequent large fines that can be levied by the card issuer – a fee per card put at risk
- Increased on-going transaction fees from the merchant card service provider
- Very public loss of credibility
With this renewed focus the water utility recognised the opportunity to benefit from outsourced solutions and services from a reputable provider, whilst ensuring that it maintained ownership of PCI DSS compliance.
Camford Management Consultants (Camford) engaged with the water utility and determined the following approach:
- Identify the water utility business activities, both current and future, that would benefit from taking payment by card
- Understand the PCI DSS standard and its implications upon the water utility
- Detail the business processes in use, identifying where technology was involved, and pinpointing compliance weaknesses
- Research the marketplace to identify technology solutions and providers that could meet the water utility’s needs
- Run a competitive procurement exercise across a shortlist of vendors
- Provide an independent recommendation as to the most appropriate vendors and solutions
- Work with the chosen vendor and the client to determine a transition roadmap
Through the competitive procurement exercise Camford identified a single vendor who could provide a suite of technology solutions to meet the client’s needs.
The Retail Services Manager said,
“A key aim of this initiative was to reduce the complexity and number of providers involved in the processing of card transactions. We were uncertain if it would be possible to collate all services under a single vendor, and we are delighted that Camford has achieved this aim for us. In recognising that best practice requires independent regular compliance reviews, Camford also identified and engaged a specialist PCI DSS auditor on our behalf.”
The IT Manager said,
“With a focused and efficient IT team, ensuring on-going security and compliance with PCI DSS has a time and cost impact upon the team. In addition to identifying the solutions provider and developing the Business Case, Camford worked with the shortlisted vendor to determine a Transition Roadmap. Camford’s diligence in approach has ensured we can be confident that the suite of solutions and partners identified will not only ensure we meet and indeed exceed our compliance requirements, but will also provide us with the technology platform to enable continued business growth.”
Camford was subsequently engaged to provide programme management to oversee the vendor implementation and to ensure the needs of the water utility business are being delivered.