Kildare County Council has denied suggestions that parking text technology used by its contractors is not safe and did not comply with recognized certification.
Cllr Sorcha O’Neill asked the Council, at last Monday’s Kildare County Council meeting, to request their pay parking providers APCOA address the unsecured and unencrypted method of payment that they offer, namely text message (SMS), and that they provide proof of an up-to-date Payment Card Industry (PCI) compliance licence certificate.
The meeting was told that the system was PCI compliant.
Cllr O’Neill told the Council’s monthly meeting on July 30 that people paying by card on the APCOA app could put in their three digit CVV.
She believed this was not safe to give over texts. “You don’t send pin numbers,” she said, after reading the written report on the motion from officials.
Cllr O’Neill said they did not know how APCOA were using the data.
Cllr Rob Power said the issue could backfire on the Council.
In a written reply, Evelyn Wright, Senior Executive Officer, said: “APCOA Parking Ireland have confirmed that the parking payment process is operated via APCOA Connect.”
APCOA’s payment services provider, Datacash/Mastercard, holds a PCI licence certificate which is issued annually and is valid until October 2018.
It said details of charges, registration costs, SMS charges and security are available on www.apcoaconnect.ie/faq.
Ms Wright outlined the payment process. She said firstly, the system does not accept payment card details via SMS (text message); the customer needs to be registered with the system in order to buy via SMS.
She said when the customer registers a payment card via APCOA Connect, either the app or the website, their card details are registered with and stored securely by the Payment Services Provider (PSP) - Datacash/Mastercard.
She said APCOA does not retain card details at any point.
Next, when the payment card has been registered, the PSP sends APCOA a “token” which links the customer’s APCOA Connect account with the card number stored securely on the PSP system.
The report said that if the customer wants to pay via SMS, they transmit their Card Verification Value (CVV) number only.
She said that the CVV number is used to confirm the payment request, following which the APCOA Connect system talks to the PSP to process payment against the securely stored payment card.
She stressed that the CVV is not stored within the system.
Ms Wright pointed to a statement from the Visa/Mastercard payment system concerning the CVV and its use (which covers the SMS). It said that the CVV must always be protected but Visa’s position is that CVV alone, without the presence of PAN (the primary account number) doesn't need to be protected according to the full suite of PCI DSS (Payment Card Industry Data Security Standard) requirements.
It said the CVV is never stored after authorisation.
Ms Wright told the meeting that with the exception of Naas and Athy, pay phone and cash payment options remain.
She repeated that APCOA’s providers held a PCI compliance licence certificate.