AUSTIN (KXAN) — After days of hearing management at the Texas Department of Transportation discuss potential concerns with the security of millions of tollway customers’ private information, one employee said he’s not pleased with how the state is handling it.

The whistleblower said he felt compelled to reach out to KXAN after seeing our reports of nearly $1 billion in late fees added to 2.2 million driver accounts as well as concerns with improper billing at TxTag, a system used by millions of drivers across the state.

“TxDOT’s toll contractor Conduent has lost PCI [payment card industry] compliance certification,” said the tipster, whose employment KXAN verified using state records. “This is required to take credit card payments. Yet they continue to process credit card payments and the agency is not holding them accountable for this contract breach.”

PCI compliance is the standard used by the five major credit card companies – Visa, Mastercard, Discover, American Express and JCB – to process and store customers card information and ensure transactions are secure and safe from hacking or data breaches.

There have been no breaches or hacking of customer data at TxTag that we know of. However, TxDOT contracts with Conduent State & Local Solutions to handle all TxTag operations and after researching the vendor’s PCI status, we learned it lost compliance with Visa this past summer, and did not have compliance with Mastercard, according to those two companies’ websites. Conduent is contractually obligated to have PCI compliance to handle TxTag customer information.

That compliance is the minimum set of standards used to protect cardholder data, such as a customer’s name, card number, expiration date, magnetic stripe and chip or any other information stored on the card, said Lance Hayden, an adjunct assistant professor at the University of Texas School of Information and the UT Center for Identity, who teaches courses on information security and privacy.

“If you’re processing credit card information, there is no alternative to PCI compliance, because it’s mandated on you by the companies that are allowing you the privilege of using their payment card,” Hayden said.

TxDOT processes tens of millions of toll transactions annually and, Hayden said, PCI compliance is especially important for companies that process millions of payments.

Conduent referred KXAN’s questions to TxDOT.

“Most important is that, as we have previously stated, there is no impact to our customers,” TxDOT said in a statement to KXAN.

Instead, the state agency said there was a delay in its vendor’s renewal of certification, meaning the certification expired but it’s possible paperwork hasn’t been completed to renew it.

“Conduent informed TxDOT that a data center transition delayed the timeline for completing the required assessments to renew PCI compliance certification,” TxDOT told KXAN. “These assessments are underway and an additional security assessment is being conducted by a third-party consultant hired by TxDOT while the PCI certification process is being completed.”

The company TxDOT hired to conduct its security risk assessment is Deloitte, which provides audits, consulting and financial advisory in over 100 countries around the world and has an office in Austin, according to its website.

Deloitte is responsible for conducting a vulnerability assessment of about 100 webpages associated with TxTag and its payment system, according a work authorization contract signed by TxDOT on August 29. The company will hold multiple workshops with “system stakeholders” to review the implementation of PCI standards and safeguards in place to protect cardholder data. They’ll also be responsible for providing TxDOT with weekly progress reports throughout the assessment.

Boost in TxTag users

Drivers in Texas can choose to get a TxTag sticker, which is placed on their windshield and allows customers to link their credit or debit card to their TxTag account so funds can automatically be withdrawn every time they drive through a toll.

Toll users without a sticker are billed via postal mail based on the address linked to their license plate. They can either pay their bills by mail or go to TxTag.org to submit a payment.

TxTag – which advertises “Small sticker. Big savings.” – offers a 25 percent discount to anyone who signs up for an account and puts a TxTag sticker on their car. There are currently about 2.2 million active TxTag accounts. Since it started ramping up the campaign amid financial concerns KXAN first reported, more than 66,000 people signed up for a TxTag over the last six months.

Hayden said an extra layer of protection is typically required in cases where a customer’s card information is saved and stored on a website – like a TxTag account – to make future payments versus someone entering their information to make a one-time payment.

If I’m giving you that information and I’m trusting you to take that money out of my account, then I’m hoping you’re using every safeguard you’ve got to make sure nobody else has access to that information”

Hayden said compliance isn’t “one size fits all,” and can be lost for something as simple as misfiled paperwork to serious problems that put consumers’ information at risk.

“You’re essentially trusting that that organization is going to store your credit card information so that you don’t have to go back every month,” said Hayden, who is also chief privacy and security officer for the Austin healthcare startup, Elligo Health Research. “If you’re processing, you know, millions and millions of transactions every year, then you’re going to have more sort of serious requirements that you [have to] meet.”

Tiffinie Edge, of Del Valle, is among hundreds of customers who reached out to KXAN last fall about billing issues and inflated fees after a KXAN investigation into TxTag’s collection practices. She said months would go by before she finally got a bill. And, because of the delay, last October she was hit with $825 in administrative fees for only $71.23 in toll usage.

After we told her about Conduent’s current security status, Edge, whose Visa card has been linked to her TxTag account for years, said she is “leery” of making another payment.

None of the customers KXAN reached out to say they’ve heard from TxDOT regarding any security concerns with their TxTag accounts, or, specifically, PCI compliance.

Edge said she expects all customers to be notified if there’s a problem, especially since people from all over the U.S. can use the toll roads and out-of-state users likely wouldn’t know to question the security of the site.

“If I’m giving you that information and I’m trusting you to take that money out of my account, then I’m hoping you’re using every safeguard you’ve got to make sure nobody else has access to that information,” Edge said.

However, Hayden said it’s not always possible, or needed, to inform the public since the reason could be minor. For example, he said a company could lose compliance if an employee simply doesn’t know to check a certain box or close a certain door – a compliance issue that can be easily rectified.

“It’s case by case and it’s situational and that can be problematic because it can open up a lot of room for companies and organizations to make the argument that, ‘Well we don’t have to tell anybody anything,’” Hayden said.

Details of Conduent’s contract with TxTag

Both Visa and Mastercard publish a list of companies that meet their security standards. Online records for Visa show Conduent State & Local Solutions lost its PCI compliance on June 30 – just nine days after renewing its contract with TxDOT for an additional two years.

The initial contract, nearly $100 million in value, was set to expire after a five-year term when TxDOT signed the new agreement, which became effective July 1, 2018, through June 30, 2020. Even after facing scrutiny and other concerns with the company, TxDOT said it had to renew its contract because the agency is “in the process of purchasing software that will be specifically tailored to run our TxTag system.”

Conduent State & Local Solutions is not listed on Mastercard’s list of compliant users, however “Conduent Inc.” was added to the list of compliant users within the last month. Visa and Mastercard did not provide additional information regarding Conduent’s compliance status.

Similar information is not available on American Express, Discover and JCB’s websites. Those companies say they do not typically provide the status of PCI compliance, even though vendors that process payments using their cards are required to be compliant.

As part of its contract with TxDOT, Conduent is required to secure customer information using PCI compliance, in addition to submitting quarterly network scans and annual on-site assessments.

“All of these factors will be taken into consideration when determining any potential contractual fees as allowed under TxDOT’s contract with Conduent,” the state agency said in a statement to KXAN.

KXAN requested a copy of contractually-obligated reports as well as emails from TxDOT leadership about recent concerns regarding Conduent’s PCI compliance. On Friday, TxDOT sent a letter to the Texas Attorney General, asking if they can withhold the information since it involves internal conversations about decisions they could make as well as other confidential information.

Before Conduent was contracted with the state, TxDOT executed a $97 million contract with Xerox State & Local Solutions in 2013. Xerox told KXAN it handed off contractual obligations to its spinoff company, Conduent. In January 2017, Xerox no longer owned Conduent, and Conduent is now responsible for all TxTag-related operations.

TxDOT told KXAN it has “repeatedly held Conduent responsible for not meeting metrics” of the contract. The vendors were fined more than $2.4 million between November 2014 and July 2018.

The whistleblower KXAN spoke with said TxDOT is not holding Conduent accountable because it isn’t administering fines.

New problems arise

Issues with the system run deeper than just online security, amid allegations against Conduent of improper billing and inaccurate toll charges, late fees and penalties across the U.S.

The Florida Department of Transportation, FDOT, also relies on the company to operate its toll system.

FDOT responded to reports of a security breach, saying a Conduent error allowed 38 of its new customers to have access to other customer accounts during a 7-hour period, according to a news release.

FDOT said only 15 of those 38 accounts were accessed by another user, the issue was “immediately resolved,” and affected customers were notified.

Texas State Rep. Tony Dale, R-Cedar Park, told KXAN he’s not surprised by the issues given such recent concerns.

In July, KXAN reported about two U.S. senators who called for the Federal Trade Commission to investigate Conduent for tollway billing problems in Texas, Florida, Michigan, California, New York, New Hampshire and Maryland.

Dale, who says Conduent has not been “responsible with the way they’ve managed the toll roads in terms of billing accuracy,” said he’s considering possible solutions moving forward.

“On multiple occasions, the state has assessed pretty large fines against the contractors involved,” said Dale, who also sits on the House Select Committee on Cybersecurity. “I can guarantee you I’ll be filing several bills during the next session related to toll roads and how they work, and I know that there’s a number of my colleagues that’ll be doing the same.”

Ultimately, Dale said the loss of compliance means there is a problem at TxTag that needs to be fixed.

“You have to be aware of what’s happening with your accounts,” said Dale, who has two toll roads in his district. “You have to check them frequently and you have an expectation … certainly when you’re dealing with an entity like TxTag, that your data is going to be secured.”