Don't Get Hacked! Know the Risks of Accepting Credit Cards

Fundraising is the lifeblood of any not-for-profit organization. Advances in technology have made collecting contributions via credit card easier than ever for NPOs. Tools like Square offer simple solutions to help organizations of all sizes collect funds. But are you compromising security for convenience?

This presentation addresses how NPOs can prepare a secure environment for accepting donations before the gala and special events season starts.

    Presentation Transcript

    • Don’t Get Hacked! Know the Risks Associated with Accepting Credit Cards
      Maaria Seider, CISA, QSA, 314.983.1384, mseider@bswllc.com
      Michael Springer, GPEN, 314.983.1374, mspringer@bswllc.com
      Janet Ramey, CPA, 636.754.0231, jramey@bswllc.com
      February 20, 2014
    • Welcome to our quarterly Non Profit Organization Speaker Series Event!
      Today’s topic: Understanding the Risks Associated with Accepting Credit Cards
    • CPE Credit
      In order to receive CPE credit for this session, please:
      • Ensure you signed the sign-in sheet.
      • Complete an event evaluation form.
        – You may fill out a hard copy and turn it in before you leave.
        – Complete the e-version via email.
      © 2014 All Rights Reserved Brown Smith Wallace LLC
    • Today’s Guest Speakers: Maaria Seider, CISA, QSA
      • Maaria is a Manager in the Brown Smith Wallace Advisory Services practice.
      • She provides consulting and compliance services related to client requirements to comply with payment card industry (PCI) standards.
      • Maaria serves as the awards chair for the Institute of Internal Auditors (IIA).
    • Today’s Guest Speakers: Michael Springer, CEH, GPEN
      • Michael is a Senior in the Brown Smith Wallace Information Security & Privacy practice.
      • He provides security consulting and assessment services related to technical reviews and ethical hacking, as required by PCI.
      • He holds the industry certifications CEH (Certified Ethical Hacker) and GPEN (GIAC Certified Penetration Tester).
    • Trends in NPO Fundraising
    • Trends in NPO Fundraising
      Since 2008, less than 50% of charitable organizations saw an increase in any form of fundraising/giving, aside from online.
      Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/
    • Trends in NPO Fundraising (chart)
      Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/
    • Trends in NPO Fundraising: Where is the money coming from?
      • Online donations
      • Events
        – Galas
        – Trivia Nights
      • Contributions & Services Fee Payments
        – Cash
        – Check
        – Credit Card
    • Trends in NPO Fundraising: How is the money being collected? Know the risks!
      • Hard copy of credit card data
        – Who is handling it?
        – Where is it being stored? (paper copy, Excel sheet, etc.)
        – Is it secured?
        – How is it disposed of?
      • Organizations should have a clear understanding of who is handling credit card data, who has access to it, and how it is secured.
      • Credit card data should be disposed of once it is no longer needed, either by purging the file or by using a crosscut shredder.
      Image source: http://www.digitaltrends.com/wp-content/uploads/2011/05/Square-iPhone-Credit-Card-Reader.jpg
    • Trends in NPO Fundraising: How is the money being collected? Know the risks!
      • Third party processing
        – Are you using a secure website to collect donations?
        – Are they PCI compliant?
      Image source: http://www.digitaltrends.com/wp-content/uploads/2011/05/Square-iPhone-Credit-Card-Reader.jpg
    • Trends in NPO Fundraising: How is the money being collected? Know the risks!
      • Portable terminals
        – Encryption?
        – Secure networks?
        – Are you storing credit card information in spreadsheets?
      Image source: http://www.digitaltrends.com/wp-content/uploads/2011/05/Square-iPhone-Credit-Card-Reader.jpg
    • Trends in NPO Fundraising: How is the money being collected?
      • Mobile
        – Square
        – Text message donations
      Image source: http://creditcardforum.com/blog/warning-credit-card-numbers-are-being-stolen-via-text-message/
    • Trends in NPO Fundraising: How is the money being collected?
      • To consider when thinking of mobile:
        – Does it prevent data from being intercepted while being swiped, processed or stored, and transmitted?
        – What kind of device is being used?
          • Is it jailbroken? Is everything unneeded disabled? Is there device tracking if it is stolen?
          • Use the PCI Council website to see if your device is listed as a validated Point-to-Point Encryption (P2PE) solution.
          • These solutions have been validated to encrypt data before it enters the mobile device.
          • Solution providers will typically provide a card reader that works with the mobile device.
    • If they can be hacked… …so can you!
      Image sources: http://cdn.iphonehacks.com/wp-content/uploads/2013/11/Target-logo.gif, http://www.theshelbyreport.com/wp-content/uploads/2013/05/schnucks.jpg, http://www.livefreecoupons.com/uploadfile/logo/neimanmarcus.jpg
    • Global Card Fraud Losses ($Billions) (chart)
    • Compliance Snapshot (chart)
    • What are Payment Card Industry (PCI) Data Security Standards?
    • PCI DSS Definition
      The PCI Data Security Standard provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.
      From the PCI Security Standards Council
    • Who does PCI apply to?
      • All entities involved in payment card processing:
        – Merchants
        – Processors
        – Financial institutions
        – Basically anyone who handles credit card information (store, process, or transmit)
    • What are the PCI Data Security Standards?
      There are 6 categories of requirements that provide a baseline of technical and operational requirements to protect cardholder data:
      1. Build and Maintain a Secure Network and Systems
      2. Protect Cardholder Data
      3. Maintain a Vulnerability Management Program
      4. Implement Strong Access Control Measures
      5. Regularly Monitor and Test Networks
      6. Maintain an Information Security Policy
    • What are the PCI Data Security Standards? Account Data: Cardholder Data v. Sensitive Authentication Data
      • Cardholder Data includes:
        – Primary Account Number (PAN)
        – Cardholder Name
        – Expiration Date
        – Service Code
      • Sensitive Authentication Data includes:
        – Full track data (magnetic-stripe data or equivalent on a chip)
        – CAV2/CVC2/CVV2/CID
        – PINs/PIN blocks
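    As an added illustration that is not part of the presentation: the slides warn about PANs ending up in spreadsheets and other files, and a defender's first step is to find them. The Python check below scans text for 13 to 19 digit sequences, keeps only those that pass the Luhn mod-10 check used by card numbers, and masks them to the first six and last four digits (the PCI DSS display rule for PAN). The CSV sample and the card numbers in it are constructed test values, not real accounts.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (avoids matching inside long IDs).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 collapse to 1..9 (digit sum)
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str):
    """Return unmasked PANs found in free text (spreadsheet export, e-mail, log)."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):      # drops phone numbers, invoice ids, typos
            found.append(digits)
    return found

def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave the rest alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)

# Constructed sample: what a donor spreadsheet exported to CSV might look like.
# The card numbers are the well-known industry test numbers, not real accounts.
SAMPLE = (
    "Donor,Amount,Card,Phone\n"
    "Jane Doe,250,4111 1111 1111 1111,314-555-0100\n"
    "John Roe,100,5555-5555-5555-4444,636-555-0199\n"
    "Mis-typed,75,4111111111111112,\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Running it over a real export tells you which files hold unmasked PANs and therefore sit inside your cardholder data environment; the same logic can be dropped into a mailbox or log search.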
    • What are the PCI Data Security Standards? 4 Levels of Merchant Compliance
      1. Any merchant -- regardless of acceptance channel -- processing over 6M transactions per year.
      2. Any merchant -- regardless of acceptance channel -- processing 1M to 6M transactions per year.
      3. Any merchant processing 20,000 to 1M e-commerce transactions per year.
    • What are the PCI Data Security Standards? 4 Levels of Merchant Compliance (continued)
      4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.
      Most of you in this room will fall into this category.
    • Myths About PCI Compliance
    • Level 4 Merchant Guidelines
      • An annual self-assessment questionnaire (SAQ) is recommended.
      • ASV (approved scanning vendor) quarterly scans, if applicable.
        – ASVs are organizations approved by the PCI Council to perform the quarterly vulnerability scans that relate to PCI DSS.
      • Compliance requirements are set by your merchant bank.
        – Your bank decides whether it requires a completed SAQ and scans.
    • PCI Risks for NPOs
    • Top 5 PCI Risks
      1. Credit Card Breach
         – This can cause an array of problems for an organization: bad press, expensive fines, remediation, loss of donors.
         – Knowing your credit card environment, where your data is kept, and your vendors are steps in preventing this.
         – Filling out a SAQ helps keep organizations aware of where this data is kept and the guidelines to secure it.
      Image source: http://www.safetynet-inc.com/wp-content/uploads/credit-card-breach.jpg
    • Top 5 PCI Risks
      2. Reputation/Brand Damage
         – No one wants bad press, especially related to a credit card breach.
         – With the recent breaches, consumers are more aware and more wary of sharing their credit card information.
         – By ensuring your employees/volunteers are trained to securely handle credit card data, and by adhering to PCI, you can help protect your organization.
      Image source: http://www.indianasnewscenter.com/news/top-news/239627491.html
    • Top 5 PCI Risks
      3. Donor Loss
         – If donors do not feel secure about the collection method, they are less likely to donate.
         – Bad press/breaches
    • Top 5 PCI Risks
      4. Litigation Expenses/Recovery
         – Recovering from a data breach is expensive! Costs can come from:
           • Consumers
           • Payment Brands
           • Legal/Consulting fees
           • Governmental
      Image source: http://www.stoelrivesworldofemployment.com/amy-joseph-pedersen.html
    • Top 5 PCI Risks
      5. Vendor Management
         – Know your vendors!
         – Give access only when/as needed.
         – Have an understanding of what they have access to on your systems.
         – If they handle credit cards, make sure they are PCI Compliant.
    • PCI in the Future: Chip and PIN
      • Credit and debit cards will be embedded with a “chip” that stores card information (name, number, expiration).
      • Point-of-sale machines read the chip instead of swiping and signing using the magnetic stripe.
      • Currently in use in Europe and Canada.
      • October 2015: MasterCard and Visa have set a deadline after which they will no longer accept liability for fraudulent activity using the magnetic stripe, which means…
    • YOU ARE RESPONSIBLE!
    • Chip and PIN Readiness
      • Invest in upgrading point-of-sale terminals to accept chip and PIN ($200-$2,000).
      • Make sure third-party processors are compliant.
    • Questions?
    • If you enjoyed today…
      Keep an eye on your email for information on our next NPO Speaker Series. The event will be held in the next few months.
    • Connect
      Visit our website, follow Brown Smith Wallace on LinkedIn and Twitter or Like us on Facebook!
      6 CityPlace Drive, Suite 900 │ St. Louis, Missouri 63141 │ 314.983.1200
      1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
      2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.659.7231
      1.888.279.2792 │ www.bswllc.com