
Summary

Report Number: 2010-005
Report Title: Department of Financial Services and Selected Participating State Agencies - Payment Card Programs - Information Technology Audit
Report Period: 10/2008 - 01/2009
Release Date: 07/24/2009

Section 215.322(1), Florida Statutes, provides that it is the intent of the Legislature to encourage State agencies, the judicial branch, and units of local government to make their goods, services, and information more convenient to the public through the acceptance of payments by credit cards, charge cards, and debit cards (collectively referred to in this report as payment cards) to the maximum extent practicable when the benefits to the participating agency and the public substantiate the cost of accepting these types of payments.  State agencies and the judicial branch may, pursuant to Section 215.322(2), Florida Statutes, accept payment cards in payment for goods and services with the prior approval of the Chief Financial Officer (CFO).  The major payment card brands (i.e., Visa, MasterCard, etc.) require entities that accept payment cards in payment for goods and services to comply with Payment Card Industry (PCI) security standards set by the PCI Security Standards Council (Council) to protect cardholder data.

Our audit, for the period October 2008 through January 2009, and selected actions through March 2, 2009, focused on evaluating selected internal controls at the Agency for Enterprise Information Technology (AEIT), Department of Community Affairs (DCA), Department of Environmental Protection (DEP), Department of Financial Services (DFS), Department of Military Affairs (DMA), Department of State (DOS), and Department of Transportation (DOT) relating to compliance with the provisions of Section 215.322, Florida Statutes, pertaining to the acceptance of payment cards by State agencies and other relevant State laws.  (See Exhibit A.)  Our audit also focused on evaluating selected information technology (IT) controls relating to compliance with the PCI Data Security Standard at DCA, DEP, DMA, and DOS.  In addition, we determined the status of corrective actions regarding selected deficiencies disclosed in our report No. 2004-053 that were applicable to the scope of this audit.  Our audit was not a PCI Data Security Standard compliance validation assessment pursuant to the requirements of the Council, and we did not validate agencies' compliance with the PCI Data Security Standard.

The results of our audit are summarized below:

Finding No. 1:    State agencies need improved guidance for ensuring an appropriate level of security of cardholder data and complying with the PCI Data Security Standard.  In addition, DFS and AEIT should seek clarification in State law regarding their responsibilities in providing guidance for securing cardholder data.

Finding No. 2:    Guidance and information within DFS rules and the DFS Web site relating to the acceptance of payment cards were out of date.

Finding No. 3:    DCA, DEP, DMA, and DOS did not complete the appropriate Self-Assessment Questionnaire to self-evaluate their compliance with the PCI Data Security Standard.

Finding No. 4:    DEP and DMA had not engaged an approved scanning vendor to perform external network scans for applicable payment card applications.  In addition, DCA had not successfully passed network scans performed by an approved scanning vendor prior to audit inquiry.

Finding No. 5:    Because DOT had engaged a qualified security assessor to perform PCI Data Security Standard assessments of SunPass, we did not similarly evaluate applicable SunPass IT controls.  However, the qualified security assessor's initial assessment of SunPass identified 98 instances where security controls required by the PCI Data Security Standard were not in place.  Under these conditions, the risk was increased that cardholder data could be breached and that sanctions could be applied by the major payment card brands.

Finding No. 6:    DCA, DEP, and DMA lacked certain written information security policies and procedures required by the PCI Data Security Standard.

Finding No. 7:    DEP and DMA point-of-sale systems did not comply with some requirements included in the PCI Data Security Standard.

Finding No. 8:    Certain user identifications (IDs) and passwords to the Sunbiz database were being shared by DOS employees.

Finding No. 9:    DMA and DOS did not follow certain approval and reporting requirements set forth in Section 215.322, Florida Statutes, and the related DFS rules.

Finding No. 10:    The DOS Letter of Understanding for payment card services lacked certain provisions required by Sections 287.058(1) and (2), Florida Statutes, and contained outdated provisions.

Finding No. 11:    DCA lacked appropriate procedures for the reconciliation of income and expenses related to the acceptance of payment cards.

Managements' responses are included in the report as Exhibit C.