Portland misses its own payment security deadline

City now says outside auditor's report won't be available until March or April

Signs for MasterCard and Visa credit cards are shown at the entrance to a coffee shop. (AP Photo/Mark Lennihan, File)

PORTLAND, Ore. (KOIN) — Payment security has been an ongoing issue in Portland for more than 6 years, and the city still can’t prove it meets security standards required by Visa, Mastercard and the rest of the industry.

People use their credit cards to feed parking meters, take care of utility bills and pay for things like the Arts Tax more than 9 million times every year.

But the city recently missed its own deadline to prove it keeps credit card information secure from hackers or thieves.

“We’re waiting just like you are,” Director of Audit Services Drummond Kahn said.

Payment security has been an ongoing issue in Portland for more than 6 years. (MGN Online)

Kahn and the city auditor’s office expected to see reports from an outside security auditor by now. The findings will shed light on whether the city meets basic credit card security standards, known as PCI compliance.

City documents show it gave itself a December 31 deadline to become PCI compliant, and “work must be completed 3 months before the deadline so auditors will have time to audit the system.”

That would have been last September.

The city auditor released a report in November 2014 showing the city was failing in all 3 credit payment security standard categories.

Kahn says it’s now fair to ask where these reports are.

“At the same time, the folks we’ve spoken to who are experts in the payment card industry are telling us it sometimes takes merchants time to comply,” Kahn said. “But we know that for the last 6 years the city didn’t… we understand big steps have been taken, the question is what will that report show once it’s available?”

Mayor Charlie Hales says, as far as he knows, the city is “fine” when it comes to payment security.

Christopher Paidhrin was brought in 9 months ago to guide Portland’s quest for PCI compliance.

Since his arrival, the city transferred the system that processes credit cards to an outside company. That means the city no longer stores customers’ credit card information, making it less vulnerable to hacking attempts.

Despite the missed deadline, Paidhrin insists the city is PCI compliant. He says the deadline was simply a technicality.

“The bank is aware of it, the city leadership is aware of it and our city auditors are aware of it,” he said. “We don’t have the paperwork that says ‘yes we are’ but we have the workflow that demonstrates we’ve done all the work.”

When asked where Portland stands on payment security now, he said, “in an excellent position.”

The city now says the outside auditor’s report won’t be available until March or April.

It will then be given to the city auditor to determine whether or not it is safe to use credit cards when doing business with the city.

If Portland passes, it will finally join the 97% of similar merchants that already comply with PCI standards.
