From the Washington Post article by Brian Krebs:
The Internal Revenue Service has awarded a contract to process tax return payments for the coming filing season to RBS Worldpay, a company that recently disclosed that a hacker break-in jeopardized financial data on 1.5 million payroll card holders and at least 1.1 million Social Security numbers.

It would seem to me that this is rubbing salt in our wounds. The article goes on to show how even the government is resting on the laurels of PCI compliance as its way of comprehending (or at least pretending to comprehend) the complexities of securing private information in the banking/card services sector.
IRS spokesman Anthony Burke said RBS will not be allowed to process credit card payments for taxpayers owing money to Uncle Sam until Jan. 20, 2010. Before that date, he said, RBS will not only have to show that it is once again PCI compliant, but that it also has passed the IRS's own payment security audit.
All I can really say is... yikes. So are we once again equating passing a "point in time" audit with demonstrating good ongoing security? I know this could spark a disagreement between the two sides of the compliance-based security debate, so I'm going to leave that alone for now. My bigger concern is that the US Government (the same government which has now spent our great-great-grandchildren's money) is making some very poor decisions. There is also the mention of the IRS's "own payment security audit"... but a browse and search through the IRS.gov website, including their FOIA (Freedom of Information Act) reading room, turns up zero documents or disclosures relating to this audit process. In a government which is reinventing itself as more transparent, this type of information would be nice to have.
This quote caught my attention immediately, as it hints at a third-party "verifier" of security running a "series of tests". I can only guess that this is a functional testing cycle rather than a security "vulnerability test".
"All service providers must undergo system acceptability testing," Burke said. "We have a third-party who runs a series of tests on all of our providers to make sure their systems are secure before they accept credit card payments" on behalf of taxpayers, he said.
In the end, I suspect we the taxpayers will be the ones who pay (literally and figuratively) for the failures of the IRS in managing their processing and payment partners...