Don't Get Hacked! Know the Risks of Accepting Credit Cards

Fundraising is the lifeblood of any not-for-profit organization. Advances in technology have made collecting contributions via credit card easier than ever for NPOs. Tools like Square offer simple solutions to help organizations of all sizes collect funds. But are you compromising security for convenience?

This presentation addresses how NPOs can prepare a secure environment for accepting donations before the gala and special events season starts.


Don't Get Hacked! Know the Risks of Accepting Credit Cards

  1. Don’t Get Hacked! Know the Risks Associated with Accepting Credit Cards
     Maaria Seider, CISA, QSA, 314.983.1384, mseider@bswllc.com
     Michael Springer, GPEN, 314.983.1374, mspringer@bswllc.com
     Janet Ramey, CPA, 636.754.0231, jramey@bswllc.com
     February 20, 2014
  2. Welcome to our quarterly Non Profit Organization Speaker Series Event! Today’s topic: Understanding the Risks Associated with Accepting Credit Cards
  3. CPE Credit. In order to receive CPE credit for this session, please:
     • Ensure you signed the sign-in sheet.
     • Complete an event evaluation form.
       – You may fill out a hard copy and turn it in before you leave.
       – Complete the e-version via email.
     © 2014 All Rights Reserved Brown Smith Wallace LLC
  4. Today’s Guest Speakers: Maaria Seider, CISA, QSA
     • Maaria is a Manager in the Brown Smith Wallace Advisory Services practice.
     • She provides consulting and compliance services related to client requirements to comply with payment card industry (PCI) standards.
     • Maaria serves as the awards chair for the Institute of Internal Auditors (IIA).
  5. Today’s Guest Speakers: Michael Springer, CEH, GPEN
     • Michael is a Senior in the Brown Smith Wallace Information Security & Privacy practice.
     • He provides consulting and assessment security services related to technical reviews and ethical hacking, as required by PCI.
     • He holds the industry certifications CEH (Certified Ethical Hacker) and GPEN (GIAC Certified Penetration Tester).
  6. Trends in NPO Fundraising
  7. Trends in NPO Fundraising. Since 2008, less than 50% of charitable organizations saw an increase in any form of fundraising/giving, aside from online.
     Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/
  8. Trends in NPO Fundraising (chart). Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/
  9. Trends in NPO Fundraising. Where is the money coming from?
     • Online donations
     • Events
       – Galas
       – Trivia Nights
     • Contributions & Services Fee Payments
       – Cash
       – Check
       – Credit Card
  10. Trends in NPO Fundraising. How is the money being collected? Know the risks!
      • Hard copy of credit card data
        – Who is handling it?
        – Where is it being stored? (paper copy, Excel sheet, etc.)
        – Is it secured?
        – How is it disposed of?
      • Organizations should have a clear understanding of who is handling credit card data, who has access to the data, and how it is secured.
      • Credit card data should be disposed of once it is no longer needed, either by purging the file or by using a cross-cut shredder.
      Image source: http://www.digitaltrends.com/wp-content/uploads/2011/05/Square-iPhone-Credit-Card-Reader.jpg
  11. Trends in NPO Fundraising. How is the money being collected? Know the risks!
      • Third-party processing
        – Are you using a secure website to collect donations?
        – Are they PCI compliant?
  12. Trends in NPO Fundraising. How is the money being collected? Know the risks!
      • Portable terminals
        – Encryption?
        – Secure networks?
        – Are you storing credit card information in spreadsheets?
  13. Trends in NPO Fundraising. How is the money being collected?
      • Mobile
        – Square
        – Text message donations
      Image source: http://creditcardforum.com/blog/warning-credit-card-numbers-are-being-stolen-via-text-message/
  14. Trends in NPO Fundraising. How is the money being collected?
      • To consider when thinking of mobile:
        – Does it prevent data from being intercepted while it is swiped, processed, stored, or transmitted?
        – What kind of device is being used? Is it jailbroken? Is everything unneeded disabled? Can the device be tracked if stolen?
        – Use the PCI Council website to see if your device is listed as a validated Point-to-Point Encryption (P2PE) solution.
          • These solutions have been validated to encrypt data before it enters the mobile device.
          • Solution providers will typically provide a card reader that works with the mobile device.
  15. If they can be hacked… …so can you!
      Image sources: http://cdn.iphonehacks.com/wp-content/uploads/2013/11/Target-logo.gif, http://www.theshelbyreport.com/wp-content/uploads/2013/05/schnucks.jpg, http://www.livefreecoupons.com/uploadfile/logo/neimanmarcus.jpg
  16. Global Card Fraud Losses ($Billions) (chart)
  17. Compliance Snapshot (chart)
  18. What are Payment Card Industry (PCI) Data Security Standards?
  19. PCI DSS Definition. The PCI Data Security Standard provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. (From the PCI Security Standards Council)
  20. Who does PCI apply to?
      • All entities involved in payment card processing:
        – Merchants
        – Processors
        – Financial institutions
        – Basically anyone who handles credit card information (store, process, or transmit)
  21. What are the PCI Data Security Standards? There are 6 categories of requirements that provide a baseline of technical and operational requirements to protect cardholder data:
      1. Build and Maintain a Secure Network and Systems
      2. Protect Cardholder Data
      3. Maintain a Vulnerability Management Program
      4. Implement Strong Access Control Measures
      5. Regularly Monitor and Test Networks
      6. Maintain an Information Security Policy
  22. What are the PCI Data Security Standards? Account Data: Cardholder Data v. Sensitive Authentication Data
      • Cardholder Data includes:
        – Primary Account Number (PAN)
        – Cardholder Name
        – Expiration Date
        – Service Code
      • Sensitive Authentication Data includes:
        – Full track data (magnetic-stripe data or equivalent on a chip)
        – CAV2/CVC2/CVV2/CID
        – PINs/PIN blocks
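The handling questions on slides 10 and 12 (where is card data stored, is it sitting in a spreadsheet?) and the cardholder data versus sensitive authentication data split on slide 22 can be turned into a check an NPO can run over its own exports before an event. The Python script below is an added example and is not part of the presentation or Brown Smith Wallace's material: it classifies spreadsheet columns as cardholder data (may be stored, must be protected) or sensitive authentication data (must never be stored after authorization), finds Luhn-valid PAN candidates in any cell, and reports them masked to the first six and last four digits. The column names it recognises and the CSV sample are assumptions constructed for this example; the card numbers in the sample are well-known test numbers, not real accounts.

```python
"""Scan a CSV export (e.g. a donor spreadsheet) for PCI DSS account data.

Sensitive authentication data columns are flagged as must-not-store, cardholder
data columns as must-protect, and any cell containing a Luhn-valid card number is
reported in masked form.  All sample input is constructed for this example.
"""
import csv
import io
import re

# Column headings, normalised to lower-case with underscores.  These names are
# assumptions about how a volunteer might label a spreadsheet.
CARDHOLDER_DATA = {"pan", "card_number", "cardholder_name", "expiration_date",
                   "exp", "service_code"}
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block",
                       "track", "track1", "track2"}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def normalise(column: str) -> str:
    return re.sub(r"[\s\-]+", "_", column.strip().lower())


def classify_column(column: str) -> str:
    """Return 'sad', 'chd' or 'other' for a column heading."""
    key = normalise(column)
    if key in SENSITIVE_AUTH_DATA:
        return "sad"
    if key in CARDHOLDER_DATA:
        return "chd"
    return "other"


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: real PANs pass it, most other long numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in free text; digit runs that fail Luhn are ignored."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_csv(csv_text: str) -> dict:
    """Report SAD columns, CHD columns, and masked PANs found in any cell."""
    reader = csv.DictReader(io.StringIO(csv_text))
    report = {"sad_columns": [], "chd_columns": [], "pans": []}
    for col in reader.fieldnames or []:
        kind = classify_column(col)
        if kind == "sad":
            report["sad_columns"].append(col)
        elif kind == "chd":
            report["chd_columns"].append(col)
    for row in reader:
        for col, value in row.items():
            for masked in find_pans(value or ""):
                report["pans"].append((col, masked))
    return report


# Constructed sample export: two well-known test PANs, one mistyped number that
# fails the Luhn check, and a CVV2 column that should not exist in a stored file.
SAMPLE_CSV = """Donor,Card Number,Exp,CVV2,Amount
Alice Example,4111 1111 1111 1111,12/15,123,100.00
Bob Example,5555555555554444,01/16,456,250.00
Carol Example,4111111111111112,03/16,789,50.00
"""

if __name__ == "__main__":
    result = scan_csv(SAMPLE_CSV)
    for col in result["sad_columns"]:
        print(f"MUST NOT STORE: column '{col}' holds sensitive authentication data")
    for col in result["chd_columns"]:
        print(f"PROTECT: column '{col}' holds cardholder data")
    for col, masked in result["pans"]:
        print(f"PAN found in column '{col}': {masked}")
```

The Luhn filter is what keeps the report useful: a 16-digit donor or invoice number that fails the check is skipped rather than reported, and the third sample row shows a mistyped card number being dropped for the same reason. The report itself only ever contains masked values, so running the scan does not create a new copy of the card data it was meant to find.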
  23. What are the PCI Data Security Standards? 4 Levels of Merchant Compliance
      1. Any merchant, regardless of acceptance channel, processing over 6M transactions per year.
      2. Any merchant, regardless of acceptance channel, processing 1M to 6M transactions per year.
      3. Any merchant processing 20,000 to 1M e-commerce transactions per year.
  24. What are the PCI Data Security Standards?
      4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.
      Most of you in this room will fall into this category.
  25. Myths About PCI Compliance
  26. Level 4 Merchant Guidelines
      • An annual self-assessment questionnaire (SAQ) is recommended.
      • ASV (approved scanning vendor) quarterly scans, if applicable.
        – ASVs are organizations approved by the PCI Council to perform the quarterly vulnerability scans required by PCI DSS.
      • Compliance requirements are set by your merchant bank.
        – Your bank decides whether it wants an SAQ filled out and scans performed.
  27. PCI Risks for NPOs
  28. Top 5 PCI Risks
      1. Credit Card Breach
         • This can cause an array of problems for an organization: bad press, expensive fines, remediation, loss of donors.
         • Knowing your credit card environment, where your data is kept, and your vendors are steps in preventing this.
         • Filling out an SAQ helps keep organizations aware of where this data is kept and the guidelines to secure it.
      Image source: http://www.safetynet-inc.com/wp-content/uploads/credit-card-breach.jpg
  29. Top 5 PCI Risks
      2. Reputation/Brand Damage
         – No one wants bad press, especially related to a credit card breach.
         – With the recent breaches, consumers are more aware and more wary of sharing their credit card information.
         – By ensuring your employees/volunteers are trained to securely handle credit card data and by adhering to PCI, you can help protect your organization.
      Image source: http://www.indianasnewscenter.com/news/top-news/239627491.html
  30. Top 5 PCI Risks
      3. Donor Loss
         – If donors do not feel secure about the collection method, they are less likely to donate.
         – Bad press/breaches
  31. Top 5 PCI Risks
      4. Litigation Expenses/Recovery
         – Recovering from a data breach is expensive!
           • Consumers
           • Payment Brands
           • Legal/Consulting fees
           • Governmental
      Image source: http://www.stoelrivesworldofemployment.com/amy-joseph-pedersen.html
  32. Top 5 PCI Risks
      5. Vendor Management
         – Know your vendors!
         – Give access only when/as needed.
         – Have an understanding of what they have access to on your systems.
         – If they handle credit cards, make sure they are PCI compliant.
  33. PCI in the Future: Chip and PIN
      • Credit and debit cards will be embedded with a “chip” that stores card information (name, number, expiration).
      • Point-of-sale machines read the chip instead of swiping the magnetic stripe and signing.
      • Currently in use in Europe and Canada.
      • October 2015: MasterCard and Visa set a deadline after which they will no longer accept liability for fraudulent activity using the magnetic stripe, which means…
  34. YOU ARE RESPONSIBLE!
  35. Chip and PIN Readiness
      • Investing in upgrading point-of-sale terminals to accept chip and PIN ($200-$2,000)
      • Make sure third-party processors are compliant.
  36. Questions?
  37. If you enjoyed today… Keep an eye on your email for information on our next NPO Speaker Series. The event will be held in the next few months.
  38. Connect. Visit our website, follow Brown Smith Wallace on LinkedIn and Twitter, or Like us on Facebook!
      6 CityPlace Drive, Suite 900 │ St. Louis, Missouri 63141 │ 314.983.1200
      1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
      2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.659.7231
      1.888.279.2792 │ www.bswllc.com
