One of the many facets of my day job is making sure my company's public facing web servers are PCI compliant because we do a lot of business with Banks and financial institutions and they require it. The funny thing is, we don't really store any personally identifiable information that really requires it.
Now, if you've ever had to make sure your systems are compliant, you know what a pain in the butt it can be sometimes. That's why I get really ticked off when I see a government website that is accepting credit card information, and should be PCI compliant, isn't. I get particularly ticked off when I have to enter my credit card information in on their site to pay my bills!
Well, that is exactly the case with the city of Escondido in California. I decided to check how well they implemented their SSL on their water utility bill pay site using SSL Labs test tool. The good news is that it's not terrible. The bad news is that it wouldn't pass a PCI compliant security scan, which it should be able to do since they are accepting credit cards!
Jul 10, 2013
My Local City's Website For Paying The Water Bill Is Not PCI Compliant
10:00 AM
Paul B
This isn't the first time I've seen poor SSL implementation from a government agency. Last year I found out that my company's help desk ticketing system had better SSL implementation than the friggin' CIA!
Anyway, the main point here is that if the website belongs to the government, whether it's federal, state, city or county, they need to implement their security the right way.
Do you agree? Disagree? Why or why not? Let us know in the comments.