Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data

This presentation is the property of Global Payments Inc. or its subsidiaries and affiliates, is for sole use of the intended recipient(s) and may contain confidential or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.

Transcript of Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data

Super-Boring, Crazy-Important: PCI and Protecting Your Donors’ Data


@greatergiving

#16NTCpci

Your Presenters

• Tracey Lorts, Community Marketing Manager, Greater Giving
• Jessica Creager, Director of Finance and Special Events, Family House
• Joshua Allen, Solutions Engineer, Greater Giving

Disclaimer

• I talk fast (we have a lot to cover!)
• I am not on the PCI council or certified in PCI
• I have consulted with individuals who are experts
• Some information shared is anecdotal in nature
• We will do our best to answer questions, but some may need to be answered by an expert. We will make note and do our best to get you an answer.
• I was a classroom teacher (sorry!)

Question?

Share first name, where you’re from, organization (optional)

• What kind of power do you hold in your nonprofit?
• What are you responsible for?
• Do your responsibilities give you power?
• What would happen if your organization had a breach?
• What is one question you have about this content that you hope I answer today?


Donor Data

Food for Thought

• Does your nonprofit collect online donations?
• How do you handle credit card transactions?
• Who in your organization has access to donor PII?
• Do any members of your team (volunteers or staff) REALLY need to see credit card information? Are you sure?

PCI: Removing the Myths

What We’re Covering

• What is PCI Compliance?
• The 12 PCI-DSS Requirements
• PCI Self-Assessment Questionnaire
• The new world of EMV & NFC
• Do’s and Don’ts of data compliance
• Family House Case Study
• Q and A

Terms & Acronyms Cheat Sheet

• Handout when you came in
• Includes all the acronyms most common in this presentation
• Hopefully, can be a tool you use in the future

PCI Compliance

Crazy-Boring, Super-Important

Section Discussion and Report Back

• THINK – PAIR – SHARE
• After the discussion on this section, divide into groups of 8-10
• Assign a recorder and a reporter
• Discussion questions:
  – Where are your organization’s strengths with PCI compliance?
  – What are your organization’s largest challenges with PCI compliance?

What is PCI?

• PCI = Payment Card Industry
• Developed to encourage and enhance cardholder data security
• Levels of Compliance 1-4
• PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa)

What is PCI?

• The members of the PCI Security Standards Council monitor occurrences of account data compromise
• Compromises happen at all levels of organizations
• A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations

What is PCI-DSS?

• PCI-DSS = Payment Card Industry Data Security Standard
• Facilitates adoption of consistent data security measures globally
• Baseline of technical and operational requirements

Who Does PCI-DSS Apply To?

• Merchants: selling goods or services to individual consumers or businesses. (You, a coffee shop, Amazon.)
• Processors: companies appointed by the merchant to handle transactions; they provide merchant IDs to both merchants and acquirers.
• Acquirers: a bank or financial institution that processes on behalf of a merchant. (Banks.)
• Issuers: a bank or financial institution providing payment cards to consumers. (AMEX, Visa, MasterCard, Discover. Also Chase and other banks.)
• Service Providers: any entity providing a product or service that could influence processing. (Data centers, cloud providers, building security.)

Who Does PCI-DSS Apply To?

• ALL entities that store, process or transmit cardholder data
• And/or sensitive authentication data (SAD):
  – Card validation codes/values (CVV)
  – Full track data (magnetic stripe or chip)
  – PINs
  – PIN blocks

Sensitive Authentication Data (SAD)

Image from: https://www.pcisecuritystandards.org/pci_security/why_security_matters

12 Requirements of PCI-DSS

• High level security concepts

• Each requirement has additional sub-categories

and testing procedures of what to do to

demonstrate meeting each requirement

• Expected to implement and review on an annual

basis

The 12 PCI-DSS Requirements

#16NTCpci

The 12 PCI-DSS Requirements

• Baseline, starting point to raise the conversation of credit card security in your organization
• Easily implemented at all organizations: yearly self-assessment questionnaire
• A minimum set of standards recommended for use by any business or organization that handles credit card transactions

The 12 PCI-DSS Requirements: Build and Maintain a Secure Network and Systems

• 1. Install and maintain a firewall
• 2. Do not use vendor supplied defaults for system passwords

Top 25 Passwords in 2015

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. passw0rd
25. starwars

The 12 PCI-DSS Requirements: Protect Cardholder Data

• 3. Protect stored cardholder data
• 4. Encrypt transmission of cardholder data across open, public networks


The 12 PCI-DSS Requirements: Maintain a Vulnerability Management Program

• 5. Protect all systems against malware and regularly update anti-virus software or programs
• 6. Develop and maintain secure systems and applications

The 12 PCI-DSS Requirements: Implement Strong Access Control Measures

• 7. Restrict access to cardholder data by business need to know
• 8. Identify and authenticate access to system components
• 9. Restrict physical access to cardholder data


The 12 PCI-DSS Requirements: Regularly Monitor and Test Networks

• 10. Track and monitor all access to network resources and cardholder data
• 11. Regularly test security systems and processes

The 12 PCI-DSS Requirements: Maintain an Information Security Policy

• 12. Maintain a policy that addresses information security for all personnel

The 12 PCI-DSS Requirements

1. Install and maintain a firewall
2. Do not use vendor supplied defaults for system passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Common PCI-DSS Control Failures

• PCI-DSS addresses common security weaknesses
• Often exploited because controls either were not in place or were poorly implemented

Common PCI-DSS Failures

• Examples of common control failures:
  – Storage of SAD after authorization
  – Inadequate access controls due to improperly installed POS systems
  – Default system settings and passwords not changed
  – Unnecessary and insecure services not removed or secured when services were installed
  – Missing and outdated security patches
  – Lack of monitoring


What needs to be secure?

• You MUST secure cardholder data where it is captured at the point of sale and as it flows into the payment system. The best step you can take is to not store any cardholder data after processing.

What needs to be secure?

This includes protecting:

• Card readers
• Point of sale systems
• Store networks & wireless access routers
• Payment card data storage and transmission
• Payment card data stored in paper-based records
• Online payment applications and shopping carts

Questions

Merchant Tiers

• Apply to those processing transactions

• Each card brand has a different set of tiers,

they set them up themselves

• The tiers are based on number of transactions

per year not processing amount

Merchant Tiers

#16NTCpci

Merchant Tiers

Level/Tier 1
  Merchant Criteria:
  • Processing over 6 million transactions annually
  • If you are a service provider
  • If your acquirer deems you a tier 1
  • If at any point you have a breach of cardholder data
  Validation Requirements:
  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form (AOC)

Level/Tier 2
  Merchant Criteria:
  • Merchants processing 1 million to 6 million transactions annually
  Validation Requirements:
  • Annual SAQ
  • Quarterly network scan by ASV
  • AOC Form

Level/Tier 3
  Merchant Criteria:
  • Merchants processing 20,000 to 1 million transactions annually
  Validation Requirements:
  • Annual SAQ
  • Quarterly network scan by ASV
  • AOC Form

Level/Tier 4
  Merchant Criteria:
  • Merchants processing less than 20,000 transactions annually
  Validation Requirements:
  • Annual SAQ
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

Questions?

PCI-DSS SAQ

• PCI-DSS common set of industry tools to ensure

safe handling of cardholder data

• The 12 standards provide an actionable

framework for a security process

– Preventing

– Detecting

– Reacting to security incidents

How it fits

#16NTCpci

What is the Self-Assessment?

• SAQ = Self-Assessment Questionnaire
• Validation tools intended to assist in the reporting of results of an organization’s PCI-DSS self-assessment
• Multiple versions to meet various scenarios (e.g. e-commerce merchants only)

PCI-DSS SAQ

• Each SAQ contains:
  – Questions related to the PCI-DSS requirements (slightly different depending on your CC processing)
  – Attestation of Compliance
    • Declaration of eligibility for completing the SAQ and results of a PCI-DSS Self-Assessment

Completing the PCI-DSS SAQ

• www.pcisecuritystandards.org
• Document library
• SAQ Documents

PCI-DSS Discussion

• THINK – GROUP – SHARE

• Divide into groups of 8-10

• Assign a recorder and a reporter

• Discussion questions: – Where are your organization’s strengths with PCI

compliance?

– What are your organization’s largest challenges with PCI compliance?

Section Discussion and Reporting

#16NTCpci

THINK

– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?

GROUP

• Groups of 8-10
• Assign a Recorder and Reporter
• Discuss the same two questions

SHARE

• Report back on the same two questions

Do’s and Don’ts

• DON’T…Store sensitive authentication data after authorization (mag strip, PINS)

• DON’T…store CVV codes, EVER, both print and electronic

• DON’T…Hire a point-of-sale vendor without discussing their PCI compliance

• DO…Use a POS vendor that uses a PCI Validated Payment Application

PCI-DSS

#16NTCpci

PCI-DSS

• DO…Follow PCI-DSS guidelines
• DON’T…Consider them the end-all of your organization’s security
• DON’T…Reinterpret or creatively decide which of the 12 standards you will follow
• DO…Conduct a PCI-DSS self-assessment questionnaire on an annual basis

Personally Identifiable Information

• DO…Only store transaction data that is absolutely necessary (it’s most likely that you don’t need any transaction data!)
• DO…Use partners to secure information (cloud-based Donor Management System)
• DO…Make sure the information you are storing, even in a secure location (hard copy or in the cloud), is only something you really need

Cardholder Data

• DON’T…Store it if you don’t need it.
• DO…Shred or burn it, if you have it and don’t need it anymore.
• DON’T…Print it if you don’t need it.
• DO…Consolidate and isolate it, if you do need it.
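The rules above for sensitive authentication data and cardholder data, applied to a captured authorization record. This is an added example, not from the presentation: it assumes a flat record with the field names shown, truncates the card number (PAN) to its last four digits (a common practice the slides do not spell out), and adds an audit helper for finding SAD that survived into stored records.

```python
from copy import deepcopy

# Fields the slides classify as Sensitive Authentication Data (SAD): never
# to be stored after authorization, in print or electronically.
SAD_FIELDS = frozenset({"cvv", "track1", "track2", "pin", "pin_block"})

# The card number is cardholder data we may keep, but only truncated.
# Assumption: last four digits are retained, everything else is dropped.
PAN_FIELD = "pan"


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of a card number, masking the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(auth_record: dict) -> dict:
    """Return a copy of an authorization record that is safe to persist:
    SAD fields removed, PAN truncated, all other fields left untouched."""
    safe = {k: deepcopy(v) for k, v in auth_record.items() if k not in SAD_FIELDS}
    if PAN_FIELD in safe:
        safe[PAN_FIELD] = truncate_pan(str(safe[PAN_FIELD]))
    return safe


def find_sad(stored_records) -> list:
    """Audit helper: list (record index, field) pairs where SAD, or a full
    untruncated PAN, is still present in records that were supposed to be
    storage-safe. The 'storage of SAD after authorization' control failure
    named on the slides is exactly what this looks for."""
    findings = []
    for i, rec in enumerate(stored_records):
        for field in sorted(SAD_FIELDS.intersection(rec)):
            if rec[field] not in (None, ""):
                findings.append((i, field))
        pan = rec.get(PAN_FIELD)
        # A truncated PAN has at most four digits left; more means a full PAN.
        if pan and sum(ch.isdigit() for ch in str(pan)) > 4:
            findings.append((i, PAN_FIELD))
    return findings


# Constructed sample of what a card reader or gateway might return at
# authorization time. The PAN is a well-known test number, not a real account.
SAMPLE_AUTH = {
    "donor_id": "D-1042",
    "amount_usd": "250.00",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "track2": "<constructed track data>",
    "pin_block": "<constructed pin block>",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    safe_record = sanitize_for_storage(SAMPLE_AUTH)
    print("safe to store:", safe_record)
    print("SAD found in raw record:", find_sad([SAMPLE_AUTH]))
    print("SAD found in sanitized record:", find_sad([safe_record]))
```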

Passwords

• DO…Change your password to key systems frequently (30-60 days)
• DON’T…Use the same password for multiple systems, both online and physical systems
• DON’T…Share passwords with anyone, including coworkers

Passwords

• DO…Create an organization-wide password policy including the frequency it must be changed, number of characters, number of special characters, and number of numbers
• DON’T…Use your username or ID in the password
• DON’T…Use a dictionary word in any language, even in reverse
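The password do’s and don’ts above turned into a policy check, using the "Top 25 Passwords in 2015" list from the earlier slide. This is an added example, not from the presentation: the length and character-count thresholds and the small word list are assumptions stated in the code, standing in for an organization’s own policy and a real dictionary.

```python
import re

# The "Top 25 Passwords in 2015" list as reproduced on the slides.
TOP_25_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "football",
    "1234", "1234567", "baseball", "welcome", "1234567890", "abc123", "111111",
    "1qaz2wsx", "dragon", "master", "monkey", "letmein", "login", "princess",
    "qwertyuiop", "solo", "passw0rd", "starwars",
}

# Constructed stand-in for a dictionary; in practice load a real word list
# (the slides say: any language).
DICTIONARY = {"summer", "donate", "charity", "welcome", "secret", "family"}

# Policy thresholds assumed for illustration; the slides leave the numbers
# to each organization's written policy.
MIN_LENGTH = 12
MIN_DIGITS = 2
MIN_SPECIAL = 1


def check_password(password: str, username: str) -> list:
    """Return the list of policy rules a candidate password violates.
    An empty list means the password is acceptable under this policy."""
    violations = []
    lowered = password.lower()

    # Written-policy rules: length, digits, special characters.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        violations.append(f"fewer than {MIN_DIGITS} digits")
    if len(re.findall(r"[^A-Za-z0-9]", password)) < MIN_SPECIAL:
        violations.append(f"fewer than {MIN_SPECIAL} special characters")

    # Well-known weak choices from the 2015 list (compared case-insensitively).
    if lowered in TOP_25_2015:
        violations.append("appears in the 2015 top-25 list")

    # DON'T use your username or ID in the password.
    if username and username.lower() in lowered:
        violations.append("contains the username")

    # DON'T use a dictionary word, even in reverse. Checked against the
    # alphabetic runs inside the password so that "Summer2016!!" is caught.
    for run in re.findall(r"[a-z]{3,}", lowered):
        if run in DICTIONARY:
            violations.append(f"contains dictionary word '{run}'")
            break
        if run[::-1] in DICTIONARY:
            violations.append(f"contains reversed dictionary word '{run[::-1]}'")
            break
    return violations


if __name__ == "__main__":
    for candidate in ["password", "Summer2016!!", "remmuS2016!!", "Xk7#pq92Lm!vR"]:
        print(candidate, "->", check_password(candidate, "tracey") or "OK")
```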

Compliance and Security

• DO…Understand the difference between being compliant and being secure
• DON’T…Think that just because you are compliant at one point in time, your environment won’t change
• DO…Ensure that controls continue to be implemented as a part of your overall security strategy

This presentation is the property of Global Payments Inc. or its subsidiaries and affiliates, is for sole use of the intended recipient(s) and may contain confidential or privileged

information. Any unauthorized review, use, disclosure or distribution is prohibited. 66

Organization Security

• DO…Have a security policy!

• DO…Be sure that everyone on staff is aware of the policy

• DO…Require an annual review and sign-off of the security plan by each member of the staff

• DON’T…Wait until after hire to complete staff background checks

• DO…Test your security…if you don’t test it, you don’t have it


Organization Security

• DO…Have a company technology usage policy that is revisited annually

• DO…Hold annual security awareness training for all staff members

• DO…Provide long-term volunteers with training on your security and usage policy



Case Study


Who is Family House?

• Mission: Family House serves as a home away from home for families of children with cancer and other life-threatening illnesses, providing physical comfort and emotional support, free from financial concerns.


Family House


Online Donations


Event Fundraising


Emerging Card Technology


EMV & NFC

• Card payment and processing technology coming soon

• EMV: a gradual shift that has already begun

• EMV will become the industry standard, but it is a process to get there

• NFC is still emerging, with slow adoption, but is likely the future


EMV


• https://www.youtube.com/watch?v=0jp7s-I0PJ8


EMV & PCI

• EMV = card-present transactions

– In person


EMV Chip

• The chip evaluates the purchase situation; it has logic on the chip to request additional information

• The chip decides whether you need…

– Chip and PIN

– Chip and Signature

• Magnetic stripes phased out 2020


EMV Fact or Fiction

• Fact or Fiction Game

• Myths about EMV


EMV Fact or Fiction?

EMV is named for the three organizations that created it: Europay, MasterCard, and Visa

Fact!

EMV cards have a small computer chip that makes them more difficult to counterfeit. These cards are designed to help reduce counterfeit card fraud for card-present transactions.


EMV Fact or Fiction?

One major milestone for EMV that took place in October 2015 was that magnetic stripe credit cards are no longer accepted

Fiction!

A major milestone of implementing EMV chip cards in the US does not include discontinuing support for traditional magnetic stripe credit cards. It also does not impact PCI compliance regulations.


EMV Fact or Fiction?

In general, nonprofits experience very low rates of fraud; typically less than 0.05% of charges are disputed as chargebacks

Fact!

Most chargebacks occur because a donor forgot they bought something at an auction, or another authorized cardholder made the purchase or in-person donation and forgot to tell them.


EMV Fact or Fiction?

EMV can reduce fraudulent online transactions.

Fiction!

Online transactions are not impacted by EMV changes. These transactions are called card-not-present transactions and are not impacted by EMV.


EMV Fact or Fiction?

Use of an EMV-compliant point-of-sale system is not required today by the PCI-DSS requirements.

Fact!

EMV is intended to help reduce card-present fraud, and PCI compliance is intended to provide security around credit card data. Today, use (or nonuse) of EMV-enabled equipment does not impact an organization’s PCI compliance.


EMV & Nonprofits

• In general, nonprofits have VERY low risk of processing fraudulent charges

• The chance of fraudulent charges increases with the number of completed transactions


NFC: Near Field Communication

• NFC card emulation enables NFC-enabled devices such as smartphones to act like smart cards, allowing users to perform transactions such as payment or ticketing.

• Not mandated/overseen by PCI, at this time

• PayPass technology


Questions?


Who is Greater Giving?


Who is Greater Giving?

• 14 years of experience providing technology and credit card processing solutions for nonprofits and schools

• Over 8,000 clients across the country

• Products used in over 50,000 fundraising campaigns and auctions

• PCI Level 1 Compliant


Greater Giving Products and Services

Packages: Greater Giving Event; Greater Giving Event with Online Bidding

• AUCTIONPAY: Accept payments at events while improving checkout

• EVENT SOFTWARE: Manage all auction details with easy-to-use software

• ONLINE PAYMENTS: Recurring donations, registrations, tuition and event sites

• ONLINE BIDDING: Paperless way to manage bidding at your next event

Add-ons: Join Me, Auction Booster, Event Services


Finally…


Collaborative Notes, Slide Share, Session Evaluation

• Materials & Collaboration Notes: http://po.st/pci-16NTC

• Slide Share

• Evaluation Link: http://po.st/QUUmAt


Presenters Contact

Tracey Lorts, Community Marketing Manager, Greater Giving
[email protected]
@traceypdx

Jessica Creager, Director of Finance and Special Events, Family House
[email protected]
@familyhousesf

Joshua Allen, Solutions Engineer, Greater Giving
[email protected]
@joshallen13