Government Digital Service says online platform has passed test for processing credit and debit card payments
GOV.UK Pay has taken a step closer to its launch by passing the relevant industry security accreditation process.
The government-wide platform for online payments has been declared compliant with the Payment Card Industry (PCI) Data Security Standard as a level 1 service provider, effectively approving it for processing credit and debit card payments on behalf of public sector organisations.
This follows a government accreditation for Pay, which is currently under development by the Government Digital Service (GDS).
A blogpost by Till Wirth, senior product manager for the platform, and Rory Smith, a product manager within GDS, says that a series of steps have been taken to ensure compliance.
These include subjecting every line of code to review by a developer other than the one who wrote it before it is deployed, and logging everything that happens on Pay, which allows alerts on unexpected events and helps to identify possible attacks.
It also involves quarterly external penetration testing by an approved scanning vendor, and making each new code release small and focused so that its impact and security implications are easy to understand.
Wirth and Smith say that in some cases they have gone further than the PCI requirements, such as in encrypting all the data within the platform’s networks and environments, rather than just that it receives from other parties. The team has also worked with the Government’s information security body CESG in developing Pay.
The PCI Security Standards Council, which provides the standards for all of the major payment card providers, defines a service provider as any organisation that handles sensitive data around payments. Compliance with its Data Security Standard can be seen as a step towards providing Pay with the public credibility enjoyed by major card providers such as Mastercard, Visa and American Express.
Pay is currently one of the key projects in GDS’s Government as a Platform programme, in which it is building online services that can be taken up by public authorities for their own use. In recent months it has launched GOV.UK Verify for identity assurance and GOV.UK Notify for notifications on services.
Efforts to lay the ground for public take-up of Pay have involved testing the card payment process with user groups who might feel uncomfortable paying for anything online.
Among the steps to overcome their reluctance, previously outlined by GDS, are ensuring the payment description involves a period of time and that the amount to be paid is always clearly viewable.
In addition, confirmation pages should include a short reference number, a clear payment summary, a statement of what will happen next, and if applicable an indication that a receipt email will be sent.
Although the launch date of the service has not yet been specified, GDS is now encouraging public authorities that might use it to get in touch with the team.