The Top 3 Security Mistakes Government Tech Companies Make with Online Bill Pay

It goes without saying that customer information security is paramount, particularly when it comes to public sector payments. 

As local governments continue to move systems online, hackers are also riding this momentum in search of system vulnerabilities. In the past year alone, we’ve detected (and blocked) a 43% increase in malicious web traffic to our local government and utility clients’ websites and payment portals.

But don’t freak out! Here are three of the most common mistakes governments (or more likely, govtech vendors) are making when it comes to web payments. 

Perilous govtech trends to avoid

1. Don’t let third parties kick your customers off your web domain

Customers should trust that they are paying their local government when they’re using online billing. But some vendors that process government payments require customers to pay on their company web domain instead of your official .gov website. 

The problem with this? By familiarizing your customers with paying on third-party websites, they are more vulnerable to common scams that set up fake sites to mirror your branding but steal customer payment information. 

2. iFrames look like your website, but you’re still on the hook for PCI compliance and security monitoring

Some municipal payment solutions will embed their checkout page on your website using iFrames. While this avoids the issue above, it introduces a new set of problems. For one, since you host the system which embeds the iFrame, you are still on the hook for PCI compliance — the set of rules set forth by the Payment Card Industry (PCI) Standards Council for merchants that process credit cards. 

Additionally, iFrames can be compromised by a determined attacker. Hacking payment pages and tampering with the embedded iFrame is an extremely popular attack. And you are responsible for securing and monitoring the void between the official website and the embedded website.

3. It’s tempting fate to require too much personal identifying information (PII)

Make sure you’re only displaying what’s needed for a transaction, since displaying too much PII can put a target on your back for hackers. If someone is paying their water bill on your website, for example, you only need to show the last four digits of the validated account number and the amount due — there’s no need to list the names of tenants in the building. 

Maintaining secure government technology 

Only you can prevent dumpster fires to your tech stack. If you outsource your government payment technology, talk with your govtech vendors to make sure they have a clear plan for detecting threats and mitigating risk. Take a proactive approach to security, and make sure you understand when you’re in scope for security compliance and monitoring (vs. your vendors).