Federal Government Departments Fail Credit Card Payment Security Test

More than a dozen federal government departments and agencies, including the Canada Revenue Agency (CRA) and the RCMP, have failed an international test of credit card payment security systems.

In total, 17 of 34 federal institutions (50%) that are authorized by Canada’s banking system to accept credit-card payments from citizens and institutions failed the security test, meaning their payment systems are vulnerable to being hacked or defrauded and that the government payment systems could have their ability to accept credit and debit payments revoked.

Those 17 departments and agencies continue to process payments on Visa, MasterCard and Amex, and federal officials in Ottawa say there have been no known breaches to date. However, security experts say it is only a matter of time before Canadians' credit card information is compromised.

The Canadian federal institutions failed a global data-security standard launched in 2006 that's used by developed countries around the world to foil fraud artists and criminal hackers bent on stealing names, numbers and codes for credit and debit cards.

CBC News obtained a briefing note written for the Deputy Minister of Public Services and Procurement Canada (PSPC) earlier this year that outlines the credit card vulnerabilities. The institutions that failed the credit card security checks are Health Canada, RCMP, Industry Canada, Transport Canada, National Research Council, Canada Border Services Agency, Natural Resources Canada, Immigration, Refugees and Citizenship, Statistics Canada, Fisheries and Oceans, Canada Revenue Agency, Canadian Food Inspection Agency and Library and Archives Canada.

The document suggests the main problem is Shared Services Canada (SSC), the federal IT agency created in 2011 that operates and maintains data systems for the non-compliant institutions. The global standard is known as PCI DSS, for "Payment Card Industry Data Security Standard." It was established by five of the big credit-card firms. Federal departments must self-assess against the standard annually.

The Receiver General for Canada is responsible for ensuring departments are compliant with global security measures for credit cards and has hired the accounting firm Deloitte to review results and recommend fixes.