https://governmentasaplatform.blog.gov.uk/2016/07/29/pay-pci-accreditation/

GOV.UK Pay gets Payment Card Industry (PCI) accreditation

[Image: 'PCI DSS Compliance' with 'Done' stamped through the middle]

Keeping the credit and debit card details of our users safe and secure is as important to us as making payments more convenient and efficient. It’s one of the most important user needs we’re meeting with GOV.UK Pay.

GOV.UK Pay meets the Payment Card Industry (PCI) Data Security Standard

As we’ve been building GOV.UK Pay we’ve undergone two extensive security assessments, from both government and industry accreditors. As well as passing our government security assessment, we’re delighted to announce that we’re now officially compliant with the Payment Card Industry (PCI) Data Security Standard as a Service Provider Level 1.

This means we are now approved to process credit and debit card payments on behalf of other government departments and wider public sector organisations. There’s no upper limit on the number of payments we can process.

This is great news.

We wanted to take this opportunity to explain that security isn’t just something we think about once a year when we do our annual security assessments. It’s part of what we do each day. Everyone in the team, whether they’re a security specialist or not, is always focused on making sure we do everything possible to protect our users’ personal information.

Security is central to everything we do

Many of the processes required by the PCI are already part of the way we work at GDS. For example, every line of code that’s written by a developer needs to be reviewed by another developer before it’s deployed to our live environment. In some cases we’ve gone further than PCI requirements. For example, we’ve encrypted all data within our networks and environments, not just data we send or receive from other parties.

We also make sure we log everything that happens on GOV.UK Pay, so we get alerts for any unexpected events. This allows us to detect possible attacks, but it’s also really helpful when we’re developing new features in our test environments. The alerts allow us to focus on anything that isn’t working properly.

The most important thing we’ve learned is that more process doesn’t necessarily lead to a more secure system. If team members have too many processes to follow and too many security documents to read, they’re more likely to make a mistake. So we make sure we have ‘just enough process’ to put security at the heart of everything we do. We’re very proud to say that this is a natural part of our day-to-day work.

Agile software development underpins better security

One of the enablers of robust security is our agile software development and continuous delivery approach here at GDS.

Many legacy payment systems release changes and new features only a few times a year. Releases are often large bundles of changes, and it can be challenging to assess their security implications.

At GOV.UK Pay, we deploy new code to our live environment a couple of times each day. Each new code release is small and focused so it’s easy for the team to understand the impact and security implications. Making frequent changes also means we have the experience and tools available to fix any newly identified security vulnerabilities quickly.

We’re confident that if people have a thorough understanding of agile delivery methodology, they’ll have a better appreciation of the security benefits. That’s certainly been our experience of working with security colleagues in government and the Qualified Security Assessor who confirmed our PCI Data Security Standard compliance.

Testing our security

One of the key PCI requirements is that an Approved Scanning Vendor conducts quarterly external penetration testing. We also hire independent testers to do a more thorough review of our external defences and our internal networks. Additionally, we automate security testing to scan every code release for vulnerabilities.

Again, we’ve gone beyond the standard requirement by working with colleagues from across government, such as CESG (the information security arm of GCHQ) and an ethical hacker, to get our security right.

What this means for our users

At GDS, we’ve always been clear that security and usability are two sides of the same coin. So while we’re building GOV.UK Pay to keep users’ data safe, we’re also building it to make paying government easier and more efficient.

And we’re making it as easy as possible for government service teams to use GOV.UK Pay to process payments.

If you work in government and would like to use GOV.UK Pay or would like more detailed information on the assessment by the Cabinet Office’s Senior Information Risk Officer (SIRO) and our privacy impact assessments, please get in touch.

We’re doing the hard work once for the rest of government by creating a secure and user-friendly way of taking payments for your services.

Follow Till Wirth and Rory Smith on Twitter and don't forget to sign up for email alerts.

GDS is expanding, and we have a number of positions that need to be filled - especially on the Government as a Platform team. So we’re always on the lookout for talented people. Have a look at our videos describing how we work, our vacancies page, or drop us a line.