Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data
Transcript of Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data
This presentation is the property of Global Payments Inc. or its subsidiaries and affiliates, is for sole use of the intended recipient(s) and may contain confidential or privileged
information. Any unauthorized review, use, disclosure or distribution is prohibited. 1
Super-Boring, Crazy-Important: PCI and Protecting Your Donors’ Data
@greatergiving
#16NTCpci
Your Presenters
• Tracey Lorts, Community Marketing Manager, Greater Giving
• Jessica Creager, Director of Finance and Special Events, Family House
• Joshua Allen, Solutions Engineer, Greater Giving
Disclaimer
• I talk fast (we have a lot to cover!)
• I am not on the PCI council or certified in PCI
• I have consulted with individuals who are experts
• Some information shared is anecdotal in nature
• We will do our best to answer questions, but some may need to be answered by an expert. We will make note and do our best to get you an answer.
• I was a classroom teacher (sorry!)
Questions
Share your first name, where you’re from, and your organization (optional):
• What kind of power do you hold in your nonprofit?
• What are you responsible for?
• Do your responsibilities give you power?
• What would happen if your organization had a breach?
• What is one question you have about this content that you hope I answer today?
Donor Data
Food for Thought
• Does your nonprofit collect online donations?
• How do you handle credit card transactions?
• Who in your organization has access to donor PII?
• Do any members of your team (volunteers or staff) REALLY need to see credit card information? Are you sure?
PCI: Removing the Myths
What We’re Covering
• What is PCI Compliance?
• The 12 PCI-DSS Requirements
• PCI Self-Assessment Questionnaire
• The new world of EMV & NFC
• Do’s and Don’ts of data compliance
• Family House Case Study
• Q and A
Terms & Acronyms Cheat Sheet
• Handout when you came in
• Includes all the acronyms most common in this presentation
• Hopefully, can be a tool you use in the future
PCI Compliance
Crazy-Boring, Super-Important
Section Discussion and Report Back
• THINK – PAIR – SHARE
• After the discussion on this section, divide into groups of 8-10
• Assign a recorder and a reporter
• Discussion questions:
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
What is PCI?
• PCI = Payment Card Industry
• Developed to encourage and enhance cardholder data security
• Levels of Compliance 1-4
• PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa)
What is PCI?
• The members of the PCI Security Standards Council monitor occurrences of account data compromise
• Compromises happen at all levels of organizations
• A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations
What is PCI-DSS?
• PCI-DSS = Payment Card Industry Data Security Standard
• Facilitates adoption of consistent data security measures globally
• Baseline of technical and operational requirements
Who PCI-DSS Applies To
• Merchants: selling goods or services to individual consumers or businesses. You, a coffee shop, Amazon.
• Processors: companies appointed by the merchant to handle transactions. They provide a merchant ID to both merchants and acquirers.
• Acquirers: a bank or financial institution that processes on behalf of a merchant. Banks.
• Issuers: a bank or financial institution providing payment cards to consumers. AMEX, Visa, MasterCard, Discover. Also Chase and other banks.
• Service Providers: any entity providing a product or service that could influence processing. Data centers, cloud providers, building security.
Who PCI-DSS Applies To
• ALL entities that store, process or transmit cardholder data
• And/or sensitive authentication data (SAD):
– Card validation codes/values (CVV)
– Full track data (magnetic stripe or chip)
– PINs
– PIN blocks
Sensitive Authentication Data (SAD)
Image from: https://www.pcisecuritystandards.org/pci_security/why_security_matters
12 Requirements of PCI-DSS
The 12 PCI-DSS Requirements
• High-level security concepts
• Each requirement has additional sub-categories and testing procedures for what to do to demonstrate meeting each requirement
• Expected to implement and review on an annual basis
The 12 PCI-DSS Requirements
• Baseline, starting point to raise the conversation of credit card security in your organization
• Easily implemented at all organizations: yearly self-assessment questionnaire
• A minimum set of standards recommended for use by any business or organization that handles credit card transactions
The 12 PCI-DSS Requirements: Build and Maintain a Secure Network and Systems
• 1. Install and maintain a firewall
• 2. Do not use vendor-supplied defaults for system passwords
Top 25 Passwords in 2015
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. passw0rd
25. starwars
The 12 PCI-DSS Requirements: Protect Cardholder Data
• 3. Protect stored cardholder data
• 4. Encrypt transmission of cardholder data across open, public networks
The 12 PCI-DSS Requirements: Maintain a Vulnerability Management Program
• 5. Protect all systems against malware and regularly update anti-virus software or programs
• 6. Develop and maintain secure systems and applications
The 12 PCI-DSS Requirements: Implement Strong Access Control Measures
• 7. Restrict access to cardholder data by business need to know
• 8. Identify and authenticate access to system components
• 9. Restrict physical access to cardholder data
The 12 PCI-DSS Requirements: Regularly Monitor and Test Networks
• 10. Track and monitor all access to network resources and cardholder data
• 11. Regularly test security systems and processes
The 12 PCI-DSS Requirements: Maintain an Information Security Policy
• 12. Maintain a policy that addresses information security for all personnel
The 12 PCI-DSS Requirements
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for system passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
Common PCI-DSS Control Failures
• PCI-DSS addresses common security weaknesses
• These are often exploited because controls either were not in place or were poorly implemented
Common PCI-DSS Failures
• Examples of common control failures:
– Storage of SAD after authorization
– Inadequate access controls due to improperly installed POS systems
– Default system settings and passwords not changed
– Unnecessary and insecure services not removed or secured when they were installed
– Missing and outdated security patches
– Lack of monitoring
What needs to be secure?
• You MUST secure cardholder data where it is captured at the point of sale and as it flows into the payment system. The best step you can take is to not store any cardholder data after processing.
What needs to be secure?
This includes protecting:
• Card readers
• Point of sale systems
• Store networks & wireless access routers
• Payment card data storage and transmission
• Payment card data stored in paper-based records
• Online payment applications and shopping carts
Questions
Merchant Tiers
Merchant Tiers
• Apply to those processing transactions
• Each card brand defines its own set of tiers
• Tiers are based on the number of transactions per year, not on the dollar amount processed
Merchant Tiers
Level/Tier 1
Merchant criteria:
• Processing over 6 million transactions annually
• If you are a service provider
• If your acquirer deems you a tier 1
• If at any point you have a breach of cardholder data
Validation requirements:
• Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
• Quarterly network scan by an Approved Scan Vendor (ASV)
• Attestation of Compliance Form (AOC)
Merchant Tiers
Level/Tier 2
Merchant criteria: merchants processing 1 million to 6 million transactions annually
Validation requirements:
• Annual SAQ
• Quarterly network scan by ASV
• AOC Form
Merchant Tiers
Level/Tier 3
Merchant criteria: merchants processing 20,000 to 1 million transactions annually
Validation requirements:
• Annual SAQ
• Quarterly network scan by ASV
• AOC Form
Merchant Tiers
Level/Tier 4
Merchant criteria: merchants processing less than 20,000 transactions annually
Validation requirements:
• Annual SAQ
• Quarterly network scan by ASV, if applicable
• Compliance validation requirements set by acquirer
Questions?
PCI-DSS SAQ
How it fits
• PCI-DSS: a common set of industry tools to ensure safe handling of cardholder data
• The 12 standards provide an actionable framework for a security process:
– Preventing
– Detecting
– Reacting to security incidents
What is the Self-Assessment?
• SAQ = Self-Assessment Questionnaire
• Validation tools intended to assist in reporting the results of an organization’s PCI-DSS self-assessment
• Multiple versions to fit different scenarios (e.g., e-commerce-only merchants)
PCI-DSS SAQ
• Each SAQ contains:
– Questions related to the PCI-DSS requirements (slightly different depending on your CC processing)
– Attestation of Compliance
• Declaration of eligibility for completing the SAQ and results of a PCI-DSS self-assessment
Completing the PCI-DSS SAQ
• www.pcisecuritystandards.org
• Document library
• SAQ Documents
PCI-DSS Discussion
Section Discussion and Reporting
• THINK – GROUP – SHARE
• Divide into groups of 8-10
• Assign a recorder and a reporter
• Discussion questions:
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
THINK
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
GROUP
• Groups of 8-10
• Assign a Recorder and Reporter
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
SHARE
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
Do’s and Don’ts
PCI-DSS
• DON’T…Store sensitive authentication data after authorization (mag stripe, PINs)
• DON’T…Store CVV codes, EVER, whether in print or electronically
• DON’T…Hire a point-of-sale vendor without discussing their PCI compliance
• DO…Use a POS vendor that uses a PCI Validated Payment Application
PCI-DSS
• DO…follow PCI-DSS guidelines
• DON’T…consider them the end-all of your organization’s security
• DON’T…reinterpret or creatively decide which of the 12 standards you will follow
• DO…conduct a PCI-DSS self-assessment questionnaire on an annual basis
Personally Identifiable Information
• DO…Only store transaction data that is absolutely necessary (it’s most likely that you don’t need any transaction data!)
• DO…Use partners to secure information (cloud-based Donor Management System)
• DO…Make sure the information you are storing, even in a secure location (hard copy or in the cloud), is only something you really need
Cardholder Data
• DON’T…store it if you don’t need it.
• DO…shred or burn it, if you have it and don’t need it anymore.
• DON’T…print it if you don’t need it.
• DO…consolidate and isolate it, if you do need it.
Passwords
• DO…Change your password to key systems frequently (30-60 days)
• DON’T…Use the same password for multiple systems, both online and physical systems
• DON’T…Share passwords with anyone, including coworkers
Passwords
• DO…create an organization-wide password policy that specifies how often passwords must be changed, the minimum number of characters, the number of special characters, and the number of digits
• DON’T…use your username or ID in the password
• DON’T…use a dictionary word in any language, even in reverse
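One way to turn the password rules on these two slides into an automated check, as an added example that is not part of the presentation: it reuses the Top 25 list quoted earlier, while the policy numbers, the small multi-language word list, the rotation window and the sample passwords are constructed assumptions.

```python
"""Checks for the password rules on the slides: policy values, no username in
the password, no commonly used password, and no dictionary word in any
language, even reversed (leetspeak spellings such as passw0rd are undone first)."""
from dataclasses import dataclass, field
from datetime import date
import re

# The "Top 25 Passwords in 2015" list quoted earlier in this presentation.
TOP_25_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
}

# Constructed stand-in for a real multi-language word list ("any language");
# a deployment would load a full dictionary here instead.
SMALL_DICTIONARY = {
    "donor", "family", "house", "charity", "gift", "summer", "auction",
    "contraseña", "passwort", "donateur",
}

# Common digit/symbol-for-letter swaps, undone before word-list lookups so that
# "passw0rd" or "d0n0r" are still recognised as the words they spell.
_LEET = str.maketrans("0134@$5", "oleaass")


@dataclass
class PasswordPolicy:
    """Organization-wide policy values. The numbers are assumed examples; the
    slides only say the policy must define them."""
    min_length: int = 12
    min_special: int = 1
    min_digits: int = 1
    max_age_days: int = 60        # slides recommend changing every 30-60 days
    min_word_len: int = 3         # ignore letter runs shorter than this
    banned: set = field(default_factory=lambda: set(TOP_25_2015))
    dictionary: set = field(default_factory=lambda: set(SMALL_DICTIONARY))


def _candidates(password: str, policy: PasswordPolicy) -> set:
    """Forms of a password compared against the word lists: the password itself,
    its de-leeted form, and each alphabetic run of the de-leeted form (so
    'Fam1ly!House' also yields 'house')."""
    lowered = password.lower()
    normalized = lowered.translate(_LEET)
    runs = {r for r in re.findall(r"[^\W\d_]+", normalized)
            if len(r) >= policy.min_word_len}
    return {lowered, normalized, *runs}


def check_password(password: str, username: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(not c.isalnum() for c in password) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    # DON'T use your username or ID in the password (case-insensitive).
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    candidates = _candidates(password, policy)
    # Block anything on the commonly used list, including leetspeak spellings.
    if candidates & policy.banned:
        problems.append("is or contains a commonly used password")
    # DON'T use a dictionary word in any language, even in reverse.
    reversed_hits = {c[::-1] for c in candidates} & policy.dictionary
    hits = (candidates & policy.dictionary) | reversed_hits
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(sorted(hits)))
    return problems


def password_expired(last_changed_iso: str, today_iso: str,
                     policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True once a password (dates as YYYY-MM-DD) is older than the policy's
    maximum age; exactly max_age_days old is still allowed."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > policy.max_age_days


if __name__ == "__main__":
    # Constructed sample passwords for a user whose login is 'jcreager'.
    for pw in ["Passw0rd!123", "Fam1ly!House", "jcreager2016!",
               "r0n0D-kcab!77", "Tq7#mWz!p2Ld"]:
        print(f"{pw!r}: {check_password(pw, 'jcreager') or 'OK'}")
```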
Compliance and Security
• DO…Understand the difference between being compliant and being secure
• DON’T…Think that just because you are compliant at one point in time, your environment won’t change
• DO…Ensure that controls continue to be implemented as a part of your overall security strategy
Organization Security
• DO…Have a security policy!
• DO…Be sure that everyone on staff is aware of the policy
• DO…Require an annual review and sign-off of the security plan by each member of the staff
• DON’T…Wait to complete staff background checks until after hire
• DO…Test your security...if you don’t test it you don’t have it
Organization Security
• DO…Have a company technology usage policy that is revisited annually
• DO…Hold an annual security awareness training for all staff members
• DO…Provide long-term volunteers with training on your security and usage policy
#16NTCpci
This presentation is the property of Global Payments Inc. or its subsidiaries and affiliates, is for sole use of the intended recipient(s) and may contain confidential or privileged
information. Any unauthorized review, use, disclosure or distribution is prohibited. 69
Case Study
Who is Family House?
• Mission: Family House serves as a home away from home for families of children with cancer and other life-threatening illnesses, providing physical comfort and emotional support, free from financial concerns.
Family House
Online Donations
Event Fundraising
Emerging Card Technology
• Card payment and processing technology coming soon
• EMV: a gradual shift that has already begun
• EMV will become the industry standard, but getting there is a process
• NFC is still emerging, with slow adoption, but is likely the future
EMV & NFC
EMV
• https://www.youtube.com/watch?v=0jp7s-I0PJ8
• EMV = card-present transactions
– In person
EMV & PCI
• The chip evaluates the purchase situation; it has logic on the chip to request additional information
• The chip decides whether you need…
– Chip and PIN
– Chip and Signature
• Magnetic stripes phased out 2020
EMV Chip
• Fact or Fiction Game
• Myths about EMV
EMV Fact or Fiction
EMV is named for the three organizations that created it: Europay, MasterCard, and Visa
EMV Fact or Fiction?
Fact!
EMV cards have a small computer chip that makes them more difficult to counterfeit. These cards are designed to help reduce counterfeit card fraud for card-present transactions.
One major milestone for EMV that took place in October 2015 was that magnetic stripe credit cards are no longer accepted
EMV Fact or Fiction?
Fiction!
A major milestone of implementing EMV chip cards in the US does not include discontinuing support for traditional magnetic stripe credit cards. It also does not impact PCI compliance regulations.
In general, nonprofits experience very low rates of fraud; typically less than 0.05% of charges are disputed as chargebacks
EMV Fact or Fiction?
Fact!
Most chargebacks occur because a donor forgot they bought something at an auction, or another authorized cardholder made the purchase or in-person donation and forgot to tell them.
EMV can reduce fraudulent online transactions.
EMV Fact or Fiction?
Fiction!
Online transactions are not impacted by EMV changes. These transactions are called card-not-present transactions and are not impacted by EMV.
Use of an EMV-compliant point-of-sale system is not required today by the PCI-DSS requirements.
EMV Fact or Fiction?
Fact!
EMV is intended to help reduce card-present fraud, and PCI compliance is intended to provide security around credit card data. Today, use (or nonuse) of EMV-enabled equipment does not impact an organization’s PCI compliance.
• In general, nonprofits have VERY low risk of processing fraudulent charges
• The chance of fraudulent charges increases with the number of completed transactions
EMV & Nonprofits
• NFC card emulation: enables NFC-enabled devices such as smartphones to act like smart cards, allowing users to perform transactions such as payment or ticketing.
• Not mandated or overseen by PCI, at this time
• PayPass technology
NFC: Near Field Communication
Questions?
Who is Greater Giving?
• 14 years’ experience providing technology and credit card processing solutions for nonprofits and schools
• Over 8,000 clients across the country
• Products used in over 50,000 fundraising campaigns and auctions
• PCI Level 1 Compliant
Who is Greater Giving?
Greater Giving Products and Services
Greater Giving Event with Online Bidding:
Greater Giving Event:
• AUCTIONPAY: Accept payments at events while improving checkout
• EVENT SOFTWARE: Manage all auction details with easy-to-use software
• ONLINE PAYMENTS: Recurring donations, registrations, tuition and event sites
• ONLINE BIDDING: Paperless way to manage bidding at your next event
Add-ons: Join Me, Auction Booster, Event Services
Finally…
• Materials & Collaboration Notes: http://po.st/pci-16NTC
• Slide Share
• Evaluation Link: http://po.st/QUUmAt
Collaborative Notes, Slide Share, Session Evaluation
Presenters’ Contact
Tracey Lorts, Community Marketing Manager, Greater Giving
@traceypdx
Jessica Creager, Director of Finance and Special Events, Family House
@familyhousesf
Joshua Allen, Solutions Engineer, Greater Giving
@joshallen13