RBS WorldPay will handle tax-return payments starting next year

Apr 27, 2009 09:03 GMT
Previously compromised payment processor gets awarded government contract by the IRS

The Internal Revenue Service (IRS) has announced that three companies have been awarded contracts to process tax-return payments beginning in 2010. Amongst them is RBS WorldPay, a payment processor involved in a major security breach last November, which resulted in the company being declared no longer compliant with the Payment Card Industry's Data Security Standard (PCI-DSS).

RBS WorldPay is a subsidiary of the Royal Bank of Scotland Group, once the fifth largest banking group in the world. In December, two days before Christmas, the company publicly announced a data-breach incident, which occurred two months earlier, in November. Security professionals criticized the move at that time, arguing that announcing it just before a major holiday was aimed at limiting public exposure.

Hackers who successfully intercepted communications on the RBS WorldPay network compromised the personal details of 1.5 million customers, along with 1.1 million Social Security numbers. The company noted that around 100 payroll cards had been disabled because of misuse. However, it was later revealed that things had been a lot more serious.

Those 100 cards had had their limits artificially raised, which allowed fraudsters to withdraw a stunning $9 million from over 130 different ATMs in 49 cities worldwide during a 30-minute period. The FBI officials investigating the case described it as one of the most widespread and complex credit card fraud operations in history.

As a result, last month Visa removed RBS WorldPay and Heartland Payment Systems, another company that was the subject of a large data breach, from its list of processors compliant with the PCI-DSS. This move left hundreds of RBS business customers susceptible to fines for using a non-compliant processor.

The 4-year-long IRS contract, awarded to RBS on April 2, will earn the company 1.95% from every tax return processed during the first year, as a convenience fee. An IRS spokesperson confirmed to Security Fix that RBS would start processing tax-return payments on January 20, 2010, but pointed out that before that happened, it had to be re-certified by the PCI and pass the IRS's own security audit.

An RBS representative noted that the company expected to be awarded the PCI-DSS certification again during the upcoming weeks, although according to previous statements it had hoped to get it by April. Opinions about this contract seem to vary: some think that the IRS procedures for selecting its contractors are flawed, while others believe that choosing a company that has already dealt with a security incident and taken preemptive actions could prove to be a smart decision.