Is The City of Port Orange Computer Network Secure?

Mr. James Hicks,
Thank you for putting in the time to respond to my questions.  Nothing against you personally, but it is like pulling teeth to get straight answers about PCI compliance for the City of Port Orange.
In my previous email, I included some very specific information about the SSL certificate (TLS 1.0, RC4 with 128 bit encryption (High); RSA with 2048 bit exchange (TLS_RSA_WITH_RC4_128_SHA)) that I determined from looking at the web page and SSL certificate.  With your comments below, which basically confirmed the accuracy of my determination, I think City Council and the City Manager can rely on the fact that I have a certain level of expertise.  City Council and City Manager should also be able to rely on my comments when I say there is a serious problem here.
The web page, egov.port-orange.org, is not secure.  Simple checking will reveal that without even an in-depth security scan.
PCI Compliance would require that Port Orange at a minimum has two documents: 1) a questionnaire from an Authorized PCI compliance vendor that has been completed and passed, and 2) a recent scan report from an Authorized PCI compliance vendor that has been completed and passed.  If Port Orange does not have those two documents, there is no PCI Compliance.  I will ask again.  Does Port Orange have those two documents?  There is no provision for “shifting the responsibility of PCI compliance”.
PCI Compliance will take some time and effort by a team of Staff.  There are a lot of inexpensive options available.  First Data, which you mentioned below, has available solutions.  Another is https://www.trustwave.com, which we use; it costs $299.00 per year, and there are many more.  It looks like the taxpayers are again spending tens of thousands on a process that should be handled by staff.  If the current web page is an example of what these vendors are providing, we should ask for our money back.
Please answer the question on whether or not Port Orange has the two documents that will show PCI compliance.
 
Thanks,
Mark Schaefer
3606 Donna Street
Port Orange, Florida 32129
386-316-1206
 
Life isn’t about waiting for the storms to pass, it’s about learning to dance in the rain.


 

From: Hicks, James [mailto:jhicks@port-orange.org]
Sent: 08/08/2013 12:43 PM
To: ‘mark@mark-schaefer.com’
Cc: Fenwick, Robin; Marino, Tony; Kisela, Greg; Lewis, Shannon
Subject: RE: Public Information request

Mr. Schaefer,

My name is James Hicks and I am the Network Administrator for the City of Port Orange. I am responsible for managing and maintaining our network and server infrastructure including security of our municipal data network. I can answer some of your questions and give you some background regarding our PCI compliance endeavor.
In August of 2010 we contacted Security Metrics on recommendation from our software vendor Sungard HTE. Security Metrics was hired to guide us on PCI compliance as well as perform the initial security testing. During our initial meetings with Security Metrics, we realized that we had multiple options as far as PCI compliance goes. Since, at the time, we were housing and processing credit card information on site, we would have been required to bring our entire municipal network up to PCI security standards. This would have been a massive undertaking considering the size of our network and our staff on hand as well as come at a very expensive cost since they were recommending we purchase more equipment to further secure our network. As you may know, PCI compliance security standards specify that not only do the servers that handle the credit card information meet their standards, but also any device that is accessible on that network, including all workstations, mobile devices, etc. While our server infrastructure was highly secure, and the majority of our servers and network devices passed PCI compliance testing, we were concerned that any one of our more than 400 workstations and laptops could cause an issue down the road.
Our other option was to stop storing and processing credit cards on our network. At the time, our software vendor Sungard had a new product called OnePoint, which several municipalities were moving to for online payments. The OnePoint system effectively shifted the responsibility of PCI compliance from us to our software vendor. With this system in place, we no longer housed any credit card information on site. Our server only acts as a portal to the payment gateway. All communication between the server and payment gateway is encrypted. This server is segmented from the rest of our network.
The new system went live in September of 2012. We then had Sungard HTE run a program on our financial system which scrubbed any remaining credit card information off of it.
The following link will take you to the PCI Compliance Validated Payment Providers search. If you type in ‘Sungard Public Sector’ you will see that the OnePoint Payment Service is validated PCI Compliant by Security Metrics.
https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
The security certificate we purchased for use on the OnePoint server is the one recommended by Sungard to use with their software. Before we renew it in October, we plan on exploring the option of using a 256-bit certificate instead of 128-bit.  As for RC4, it is still the most commonly used cipher in SSL certificates. In fact, Chase Bank and Suntrust Online Banking both use an RC4 cipher for their SSL connection.
 
We were also advised that since we took credit card payments in person, all of our POS terminals would also need to meet PCI compliance. We worked closely with the finance department to order and replace all of our credit card terminals with what I believe are First Data FD200 IP based units. All of these units are connected to the internet via a segregated, firewalled network which is not accessible via the rest of our municipal network. These units establish a 128-bit encrypted secure connection with the payment processor. They do not integrate with the OnePoint server.
As far as penetration testing goes, we currently have an RFP out right now for outside security and penetration testing on our network. We are hoping to get that bid out and completed within the next 90 days.
I hope that answers some of your questions regarding PCI. Please feel free to contact me directly if you have any further questions; I would be glad to answer them for you.
 
Regards,
 
James Hicks
Network Administrator | City of Port Orange
Ph: 386-506-5545 | jhicks@port-orange.org
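An added example (not code from the original thread) that parses an IANA-style cipher-suite name such as the TLS_RSA_WITH_RC4_128_SHA quoted in the correspondence and lists why a defender would flag it. The weakness thresholds are assumptions taken from guidance published after this 2013 exchange (RFC 7465 prohibiting RC4, PCI DSS 3.1 deprecating SSL and early TLS, the Sweet32 result on 64-bit block ciphers), and the 128- or 256-bit figure it extracts is the symmetric cipher strength named in the suite, which is separate from the certificate's 2048-bit RSA key.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the original thread. Parses IANA-style cipher-suite
# names (TLS_<kx>_WITH_<cipher>_<mac>) and reports why a defender would flag them.
# Thresholds are assumptions from later guidance: RFC 7465 (RC4 prohibited),
# PCI DSS 3.1 (SSL and early TLS deprecated), Sweet32 (64-bit block ciphers).
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+?)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)
EARLY_TLS = ("SSLv2", "SSLv3", "TLSv1.0")


@dataclass
class Finding:
    suite: str
    protocol: str
    key_exchange: str = ""
    cipher: str = ""
    mac: str = ""
    symmetric_bits: int = 0
    issues: list = field(default_factory=list)


def assess(suite: str, protocol: str) -> Finding:
    """Split a cipher-suite name into its parts and collect weaknesses."""
    f = Finding(suite=suite, protocol=protocol)
    m = SUITE_RE.match(suite)
    if not m:
        f.issues.append("unrecognised cipher-suite name")
        return f
    f.key_exchange, f.cipher, f.mac = m.group("kx"), m.group("cipher"), m.group("mac")
    # The "128-bit" a browser reports is the symmetric key length in the suite name,
    # not a property of the certificate (whose RSA key is 2048 bits in the thread).
    digits = [int(t) for t in f.cipher.split("_") if t.isdigit()]
    f.symmetric_bits = digits[0] if digits else (112 if "3DES" in f.cipher else 0)
    if protocol in EARLY_TLS:
        f.issues.append(f"{protocol}: SSL/early TLS deprecated by PCI DSS 3.1")
    if "RC4" in f.cipher:
        f.issues.append("RC4: keystream biases, prohibited by RFC 7465")
    if "3DES" in f.cipher:
        f.issues.append("3DES: 64-bit block cipher (Sweet32)")
    if not f.key_exchange.startswith(("ECDHE", "DHE")):
        f.issues.append(f"{f.key_exchange} key exchange: no forward secrecy")
    if f.mac == "MD5":
        f.issues.append("MD5-based MAC")
    return f


def acceptable(suite: str, protocol: str) -> bool:
    """True when the suite/protocol pair raises no finding under the assumed policy."""
    return not assess(suite, protocol).issues
```

Running `assess("TLS_RSA_WITH_RC4_128_SHA", "TLSv1.0")` yields three findings (early TLS, RC4, no forward secrecy) and a symmetric strength of 128 bits, whereas an ECDHE AES-GCM suite on TLS 1.2 yields none.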


 
 

One thought on “Is The City of Port Orange Computer Network Secure?”

  • August 13, 2013 at 11:43 am

    Mark,
    The City of Port Orange IT Department does have the records you are requesting; however, they are exempt and confidential and cannot be released.
    Please see excerpt below of the specific exemption:
    Security issues relating to electronic records
    Risk analysis information relative to security threats to data, information, and information technology resources of an agency is confidential and exempt. Section 282.318(4)(c), F.S. And see s. 282.0041(1), F.S., defining “agency” for purposes of Ch. 282, F.S., as having the same meaning as in s. 216.011(1)(qq), F.S.
    Internal policies and procedures to assure the security of the data and information technology resources which, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data, information, or information technology resources are confidential and exempt. Section 282.318(4)(d), F.S. Results of periodic audits and evaluations of a security program for an agency’s data and information technology resources are confidential and exempt. Section 282.318(4)(f), F.S.
    Should you have any further questions, please do not hesitate to contact us.
    Thank you,
    ROBIN FENWICK

