D

Policy Group – 19 June 2013

Cash Receipting System – upgrade to comply with latest security standards

1. Purpose of report

To obtain Policy Group support for an upgrade to the Council’s existing cash receipting system to achieve compliance with the latest mandatory security standards for processing of debit and credit card payments.

2. Main report

2.1 Any business which accepts debit and credit card payments is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is designed to ensure that customers’ payment card details are kept secure at all times. Failure to comply with PCI DSS will result ultimately in withdrawal of the ability to take debit and credit card payments. The Council’s cash receipting system uses a Payment Application that enables debit and credit card payments made over the internet, by telephone and at the counter to be processed. Unfortunately this does not meet the requirements of the latest version of PCI DSS and the Council needs to either upgrade the existing system or replace it with a compliant system if it is to continue offering debit and credit card payment facilities.

2.2 A financial appraisal has been undertaken comparing the cost over 3 and 5 years of an upgrade to the existing system with the likely cost of a completely new system. This approach allows for a fairer comparison to be made where the initial capital cost is lower but the annual support and maintenance cost is higher, as is the case of the existing system when compared to some other systems. The financial appraisal shows an upgrade to the existing system will be less expensive than purchasing a new system over these timescales. Other factors, such as the risks associated with a new unfamiliar system together with the staff time and effort that would be spent on implementation tasks, also need to be taken into account.

2.3 The Cashier and other users are satisfied with the existing cash receipting system, which has a number of bespoke features. In response to support service issues raised by Council staff, the Supplier has also given a commitment to improving the helpdesk and technical support service.

2.4 A provision of £40,000 is included in the 2013/14 unapproved capital programme in respect of the upgrade/replacement of the cash receipting system. The quoted cost of the upgrade is £13,140 plus expenses, which are estimated to be no more than £1,000. In addition, by entering into a 3 year contract, the annual support and maintenance charge will be reduced by £1,100 from the current level.

3. Recommendation

A report be submitted to Council recommending the Council’s existing cash receipting system is upgraded to comply with the latest version of the Payment Card Industry Data Security Standard (PCI DSS) at an estimated one-off cost of £14,140.

(PJM)(im) PG 190603 Cash Receipting System - upgrade to comply with latest security standards.docx

4. Policy issues

4.1 How will this affect the environment, social issues and the local economy?

The provision of internet and telephone payment facilities directly contributes to the corporate priority ‘being an efficient and effective council’. Payments by debit and credit card can be made from home and other locations that are more convenient than visiting a post office, bank or Westport House or by postal remittance. It can save time and may reduce the number of journeys made.

4.2 Implications

4.2.1 Resources

A provision of £40,000 is included in the 2013/14 unapproved capital programme in respect of the upgrade/replacement of the cash receipting system. A quote has been obtained for the upgrade to the existing cash receipting system at a cost of £13,140 plus expenses, which are estimated to be no more than £1,000.

The 2013/14 revenue budget includes £7,362 in respect of the annual support and maintenance charges for the existing system. The supplier has indicated that it would be prepared to reduce these annual charges by £1,100 to £6,262 for a 3 year contract.

On a like for like basis, a financial appraisal of an upgrade of the existing system compared to the estimated cost of purchasing a new system indicates the upgrade will be at least £16,700 less expensive over 3 years and £9,300 less expensive over 5 years. The saving would be higher if the staff time spent on implementing a new system is also taken into account.

4.2.2 Equalities

There are no new equality issues arising from this report.

5. Further information

5.1 PCI DSS sets the requirements for security management, policies, procedures, network architecture, software design and other critical protective measures for the processing of debit and credit cards. In operational terms, it means that the Council (as a Merchant) plays its part to make sure its customers' payment card details are kept safe throughout every transaction, and that they – and the Council – can have confidence that they're protected against the pain and cost of security breaches.

5.2 In the last financial year 2012/13 the Council processed over 13,000 debit and credit card transactions with a total value in excess of £2 million.

5.3 The existing system is supplied by Northgate Information Solutions and was purchased by the Council in 2003.

5.4 Indicative costs for a new system have been obtained from 3 suppliers with substantial local government customer bases. The estimated total cost (capital plus revenue) of upgrading the existing system compared to purchasing a new system over 3 and 5 year periods using a 2.5% discount factor is given below.

Supplier              3 year cost £    5 year cost £
Existing - upgrade         34,042           47,572
New 1                     123,420          143,950
New 2                      55,346           70,772
New 3                      50,776           56,887

5.5 Included in the above figures is the estimated annual cost of processing card payments and this will be affected by the number and value of payments processed. It is expected the volumes of card payments will increase year on year and a sensitivity analysis has been undertaken using 5% and 10% year on year increases. At 5% the cost increases to £34,170 and £48,000 for an upgrade of the existing system and to £50,905 and £57,315 for the closest new system. At 10% the respective figures are £34,303 and £48,472 (upgrade), and £51,037 and £57,787 (closest new system).

Background papers: General Manager – Central Services, Cash receipting system files.

For further information contact: Phil McStraw, General Manager – Central Services