
IRS Awards Tax Payment Contract to RBS Worldpay

The Internal Revenue Service has awarded a contract to process tax return payments for the coming filing season to RBS Worldpay, a company that recently disclosed that a hacker break-in jeopardized financial data on 1.5 million payroll card holders and at least 1.1 million Social Security numbers.

The contract award comes a month after credit card giant Visa said RBS was no longer in compliance with the Payment Card Industry (PCI) security standards, a set of guidelines designed to protect cardholder data.

RBS spokesman Josh Passman said the company expects to be re-certified as PCI compliant "within the next few weeks."

The contract awarded to RBS is what's known as a "zero dollar" contract, meaning the government doesn't award a specific dollar amount. Rather, the approved vendor takes a convenience fee for each transaction it processes. According to a copy of the contract listed at, RBS's base convenience fee will be 1.95 percent of the amount the taxpayer owes the federal government.

IRS spokesman Anthony Burke said RBS will not be allowed to process credit card payments for taxpayers owing money to Uncle Sam until Jan. 20, 2010. Before that date, he said, RBS will not only have to show that it is once again PCI compliant, but that it also has passed the IRS's own payment security audit.

"All service providers must undergo system acceptability testing," Burke said. "We have a third party who runs a series of tests on all of our providers to make sure their systems are secure before they accept credit card payments" on behalf of taxpayers, he said.

The company will join two established payment processors approved by the IRS to process tax payments on behalf of the government: Nashville-based Link2Gov Corporation and Official Payments, out of San Ramon, Calif.

RBS Worldpay, based in Atlanta, is the U.S. payment-processing division of The Royal Bank of Scotland Group, the fifth biggest banking group in the world, according to the company's Web site.

By Brian Krebs  |  April 23, 2009; 9:55 AM ET
Categories:  From the Bunker , U.S. Government  | Tags: irs, rbs worldpay  


Why does this administration continue to ignore history? This company has a known history of security problems. We are going to allow them to process tax payments? Talk about ignorance.

Great idea. Let's give our SSN AND credit card information to somebody who has had recent problems keeping information secure.

Posted by: blasher | April 23, 2009 12:09 PM | Report abuse

I agree with blasher's comment above to a point. But I do wonder what financial institution *has not* been infiltrated and subsequently lost data to theft.

In my humble opinion, it is better to have an organization who knows that it has a problem and admits it.

And I would be more worried by an organization that claims to have never been breached or to have never suffered data loss. More than likely they are either not telling the truth or are too inept to recognize their infrastructure or procedural weaknesses.

The true test is what RBS Worldpay does to clean up their act AND the rigor by which they are tested by both the IRS as well as the PCI review process.

I suggest that the IRS not only perform their own audit, but engage a third party to verify that audit's methodology and results. Costly? Yep. Is it worth it to provide a measure of assurance to the taxpayers? You bet.

Posted by: CB12 | April 23, 2009 12:25 PM | Report abuse

See my comment at the Federal Eye about this pending National debacle. It is a stunning acknowledgement of how the IRS leadership KNOWS ABSOLUTELY NOTHING about what is happening in their own contracting function. Where's TIGTA, where's the Taxpayer Ombudsman, where's the outrage from the people who were upset about AIG awards? This situation has all the possibilities/security breaches of another BLACKWATER event.

Posted by: kidvid | April 24, 2009 3:25 PM | Report abuse

additionally, they just lost their PCI certification. what a joke. they need to cancel this contract and rebid with the appropriate requirements. contact your congressman.

Posted by: veryconcernedcitizen | April 29, 2009 10:07 AM | Report abuse

I've received a lot of interesting responses to this blog post via e-mail. Either here in the blog comments, or via e-mail, please keep them coming! Thanks.

Posted by: BTKrebs | April 29, 2009 12:24 PM | Report abuse


© 2010 The Washington Post Company