QUESTION: Security of online payments on government websites

During Question Time Mark asked the Treasurer about the security of government online payment websites.

The Hon. M.C. PARNELL: Recently, I received a query from a constituent who was concerned about the security of online payment gateways to state government agencies. In particular, we believe there is an issue with SA Pathology, although it may be that there are other government agencies or departments that face similar issues. The issue is that when you go to pay an invoice you see that the payment page, which is part of the domain, is not secure, that is, it is a non-SSL website. I am sure the Treasurer knows that SSL stands for 'secure sockets layer' and that it is the standard security technology for establishing an encrypted link between a web server and a browser. The thing that we look for on web pages is the prefix 'https' rather than just 'http'.

The most significant risk of collecting payments through a non-secure website is that malicious third parties can potentially intercept and steal login information, passwords, credit card details and the like which are transmitted without encryption. My questions are:

1. How many government departments or agencies provide non-secure websites for the payment of invoices, accounts, fines or other payments?

2. What is the government doing to ensure that all online payments to government agencies are secure?

The Hon. R.I. LUCAS (Treasurer) : That sounds like a very sensible and reasonable question from the honourable member. I will certainly take advice and bring back a reply as soon as I can.

The following reply was provided on 6th June 2018

The Hon. R.I. LUCAS

I have been advised that:

Individual government agencies are responsible for ensuring that their ICT infrastructure, systems (including payment related websites) and information are secure.

The Department of the Premier and Cabinet maintains a number of polices for website security that all government agencies are required to comply with. These policies are consistent with international standards for information security management and include those requirements specified in the Payment Card Industry Data Security Standards for any websites that store, process or transmit payment card data.

As part of these policies agencies are required to conduct regular security testing and undergo an audit before a new website is commissioned.

I am advised that, based on a high level review undertaken across agencies where Shared Services SA provides an accounts receivable service, none of the associated government websites actually store, process or transmit payment data. In all cases where a customer seeks to make a payment, these websites open a secure interface to the Commonwealth Banks's BPOINT system (which would typically display to a user as HTTPS).

BPOINT is owned and managed by the Commonwealth Bank and is the preferred solution under the whole of government banking contract. Proper use of BPOINT ensures that sensitive payment data is being managed within the Bank's systems without reliance on the security arrangements applying to the government website.

Specifically in relation to the SA Pathology, I am advised that the transaction performed by your constituent was indeed secure. This website opened a secure connection into BPOINT, in the same way as described above.

I understand that based on previous feedback from member of the public, SA Pathology updated their website on 7 May 2018 to use a different technical method for connecting with BPOINT, which now clearly highlights that the user is accessing a secure site.

In terms of other payment methods offered by government agencies such as, over the phone services or provision of card details via a form, the Payment Card Industry Data Security Standards also apply to the associated processes and systems. In particular there is a clear requirement not to store any sensitive cardholder data on computer systems or in paper form. I am advised that this is typically achieved through fully or partly redacting card numbers from documents after the applicable payment has been processed.

Should there be any further queries regarding specific agency payment websites, I would encourage that these be referred to the responsible Minister.