“With great power, comes great responsibility.” —Spider-Man
We at Greater Giving understand how yawn-worthy data storage and compliance can seem. We also know it’s one of the single most important aspects of protecting your organization’s reputation and donors’ data. As an organization, protecting donor confidentiality is crucial to building trust and confidence. In this session, we will focus on providing you with the tools and education to ensure your donors’ information doesn’t end up in the wrong hands.
In this session we will cover:
PCI compliance and protecting donor data
The new world of EMV and NFC
Dos and don’ts of data compliance
Presented by: Tracey Lorts (Greater Giving), Jessica Creager (Family House), and Joshua Allen (Greater Giving)
Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data
1. This presentation is the property of Global Payments Inc. or its subsidiaries and affiliates, is for sole use of the intended recipient(s) and may contain confidential or privileged
information. Any unauthorized review, use, disclosure or distribution is prohibited. 1
Super-Boring, Crazy-Important: PCI and Protecting Your Donors’ Data
@greatergiving
#16NTCpci
Your Presenters
Tracey Lorts
Community Marketing Manager
Greater Giving
Jessica Creager
Director of Finance and Special Events
Family House
Joshua Allen
Solutions Engineer
Greater Giving
Disclaimer
• I talk fast (we have a lot to cover!)
• I am not on the PCI council or certified in PCI
• I have consulted with individuals who are experts
• Some information shared is anecdotal in nature
• We will do our best to answer questions, but some may need to be answered by an expert. We will make note and do our best to get you an answer.
• I was a classroom teacher (sorry!)
Question?
• What kind of power do you hold in your nonprofit?
• What are you responsible for?
• Do your responsibilities give you power?
• What would happen if your organization had a breach?
• What is one question you have about this content that you hope I answer today?
Share first name, where you’re from, organization (optional)
Donor Data
Food for Thought
• Does your nonprofit collect online donations?
• How do you handle credit card transactions?
• Who in your organization has access to donor PII?
• Do any members of your team (volunteers or staff) REALLY need to see credit card information? Are you sure?
PCI-Removing the Myths
What We’re Covering
• What is PCI Compliance?
• The 12 PCI-DSS Requirements
• PCI Self-Assessment Questionnaire
• The new world of EMV & NFC
• Do’s and Don’ts of data compliance
• Family House Case Study
• Q and A
Terms & Acronyms Cheat Sheet
• Handout when you came in
• Includes all the acronyms most common in this presentation
• Hopefully, can be a tool you use in the future
PCI Compliance
Crazy-Boring, Super-Important
Section Discussion and Report Back
• THINK – PAIR – SHARE
• After the discussion on this section, divide into groups of 8-10
• Assign a recorder and a reporter
• Discussion questions:
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
What is PCI?
• PCI = Payment Card Industry
• Developed to encourage and enhance cardholder data security
• Levels of compliance 1-4 (the merchant levels, covered under Merchant Tiers below)
• PCI Security Standards Council (founded by American Express, Discover, JCB, MasterCard, and Visa)
What is PCI?
• The members of the PCI Security Standards Council monitor occurrences of account data compromise
• Compromises happen at all levels of organizations
• A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations
What is PCI-DSS?
• PCI-DSS = Payment Card Industry Data Security Standard
• Facilitates adoption of consistent data security measures globally
• Baseline of technical and operational requirements
Who – PCI-DSS
• Merchants: selling goods or services to individual consumers or businesses. Examples: you, a coffee shop, Amazon.
• Processors: companies appointed by the merchant to handle transactions. They provide a merchant ID to both merchants and acquirers.
• Acquirers: a bank or financial institution that processes on behalf of a merchant. Examples: banks.
• Issuers: a bank or financial institution providing payment cards to consumers. Examples: Chase and other banks; American Express and Discover also issue their own cards. (Visa and MasterCard are card networks rather than issuers; the bank whose name is on the card is the issuer.)
• Service Providers: any entity providing a product or service that could influence processing. Examples: data center, cloud providers, building security.
Who – PCI-DSS
• ALL entities that store, process or transmit cardholder data
• And/or sensitive authentication data (SAD):
– Card validation codes/values (CVV)
– Full track data (magnetic stripe or chip)
– PINs
– PIN blocks
Sensitive Authentication Data (SAD)
Image from: https://www.pcisecuritystandards.org/pci_security/why_security_matters
12 Requirements of PCI-DSS
The 12 PCI-DSS Requirements
• High-level security concepts
• Each requirement has additional sub-categories and testing procedures describing what to do to demonstrate meeting each requirement
• Expected to implement and review on an annual basis
The 12 PCI-DSS Requirements
• Baseline, starting point to raise the conversation of credit card security in your organization
• Validated at most organizations through a yearly self-assessment questionnaire (SAQ), which any organization can complete
• A minimum set of standards that applies to any business or organization that handles credit card transactions
The 12 PCI-DSS Requirements: Build and Maintain a Secure Network and Systems
• 1 – Install and maintain a firewall
• 2 – Do not use vendor supplied defaults for system passwords
Top 25 Passwords in 2015
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. passw0rd
25. starwars
The 12 PCI-DSS Requirements: Protect Cardholder Data
• 3 – Protect stored cardholder data
• 4 – Encrypt transmission of cardholder data across open, public networks
The 12 PCI-DSS Requirements: Maintain a Vulnerability Management Program
• 5 – Protect all systems against malware and regularly update anti-virus software or programs
• 6 – Develop and maintain secure systems and applications
The 12 PCI-DSS Requirements: Implement Strong Access Control Measures
• 7 – Restrict access to cardholder data by business need to know
• 8 – Identify and authenticate access to system components
• 9 – Restrict physical access to cardholder data
The 12 PCI-DSS Requirements: Regularly Monitor and Test Networks
• 10 – Track and monitor all access to network resources and cardholder data
• 11 – Regularly test security systems and processes
The 12 PCI-DSS Requirements: Maintain an Information Security Policy
• 12 – Maintain a policy that addresses information security for all personnel
The 12 PCI-DSS Requirements
1. Install and maintain a firewall
2. Do not use vendor supplied defaults for system passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
Common PCI-DSS Control Failures
• PCI-DSS addresses common security weaknesses
• Often exploited because controls either were not in place or were poorly implemented
Common PCI-DSS Failures
• Examples of common control failures:
– Storage of SAD after authorization
– Inadequate access controls due to improperly installed POS systems
– Default system settings and passwords not changed
– Unnecessary and insecure services not removed or secured when services were installed
– Missing and outdated security patches
– Lack of monitoring
What needs to be secure?
• You MUST secure cardholder data where it is captured at the point of sale and as it flows into the payment system. The best step you can take is to not store any cardholder data after processing.
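The control failure listed above (SAD kept after authorization) and the advice here (store nothing after processing) both come down to knowing where card data is sitting in your files. The script below is an added example, not code from the deck or from Greater Giving: it scans lines of text (a gala export, a terminal log, a scanned pledge form) for Luhn-valid PANs, full Track 1/2 data and labelled CVV values, and it reports PANs only in the truncated first-six/last-four form PCI DSS allows for display, so the scanner's own output does not become another copy of cardholder data. The sample lines are constructed for the example, and the regular expressions are this example's own choices rather than anything the standard prescribes.

```python
"""Cardholder-data discovery check. Added example, not code from the deck or from Greater Giving.

Scans text for sensitive authentication data that PCI DSS forbids storing after
authorization (full track data, card verification codes) and for full PANs, which may be
stored only when truly needed and protected (Requirement 3). PANs are reported truncated
to first six / last four digits. The sample lines at the bottom are constructed."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Full magnetic-stripe contents: Track 1 is %B<PAN>^NAME^YYMM..., Track 2 is ;<PAN>=YYMM...
TRACK_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^\d{4}|;(\d{13,19})=\d{4}")
# A 3- or 4-digit code written next to a CVV/CVC/CID label, e.g. on a scanned pledge card.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\b\s*[:=]?\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; rejects most look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled (and 10..18 become 1..9)
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated display form PCI DSS permits: at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return (kind, value) findings for one line; PAN values are already masked."""
    findings = []
    for m in TRACK_RE.finditer(line):
        pan = m.group(1) or m.group(2)
        findings.append(("track_data", mask_pan(pan)))  # never echo the full track
    for _ in CVV_RE.finditer(line):
        findings.append(("cvv", "redacted"))  # never echo the code either
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan_lines(lines) -> list:
    """Findings across a whole file: (line number, kind, masked value)."""
    return [(n, kind, val) for n, line in enumerate(lines, 1) for kind, val in scan_line(line)]


# Constructed sample of what turns up in a nonprofit's files after an event.
SAMPLE_LINES = [
    "2016-03-12 donor=J. Smith card=4111 1111 1111 1111 amount=250.00",  # full PAN in an export
    "pledge card: 5500 0000 0000 0004 exp 09/18 CVV: 123",               # scanned form with the code
    "swipe ;4111111111111111=18091011234?",                              # Track 2 left in a terminal log
    "call 415-555-0100 re: order 1234567890123",                         # numeric, but fails Luhn
    "pan stored masked as 411111******1111 per policy",                  # already truncated: fine
]

if __name__ == "__main__":
    for n, kind, val in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {kind} {val}")
```

Run it against any text export before the file leaves the finance laptop; a hit on `track_data` or `cvv` is a stop-everything finding (that data must be destroyed, not moved), while a `pan` hit is the trigger for the "do you really need it?" question on the slides that follow.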
What needs to be secure?
This includes protecting:
• Card readers
• Point of sale systems
• Store networks & wireless access routers
• Payment card data storage and transmission
• Payment card data stored in paper-based records
• Online payment applications and shopping carts
Questions
Merchant Tiers
Merchant Tiers
• Apply to those processing transactions
• Each card brand defines its own set of tiers
• The tiers are based on number of transactions per year, not the dollar amount processed
Merchant Tiers
Level/Tier 1
• Merchant criteria: processing over 6 million transactions annually; or you are a service provider; or your acquirer deems you a tier 1; or at any point you have a breach of cardholder data
• Validation requirements: annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form (AOC)
Level/Tier 2
• Merchant criteria: merchants processing 1 million to 6 million transactions annually
• Validation requirements: annual SAQ; quarterly network scan by ASV; AOC form
Level/Tier 3
• Merchant criteria: merchants processing 20,000 to 1 million transactions annually
• Validation requirements: annual SAQ; quarterly network scan by ASV; AOC form
Level/Tier 4
• Merchant criteria: merchants processing less than 20,000 transactions annually
• Validation requirements: annual SAQ; quarterly network scan by ASV if applicable; compliance validation requirements set by acquirer
Note: the counts above follow Visa's published levels, where the Level 3 and Level 4 thresholds count e-commerce transactions (Level 4 also covers all other merchants up to 1 million transactions); other brands draw the lines differently, so confirm your level with your acquirer.
Questions?
PCI-DSS SAQ
How it fits
• PCI-DSS is a common set of industry tools to ensure safe handling of cardholder data
• The 12 requirements provide an actionable framework for a security process:
– Preventing
– Detecting
– Reacting to security incidents
What is the Self-Assessment?
• SAQ = Self-Assessment Questionnaire
• Validation tools intended to assist in the reporting of results of an organization’s PCI-DSS self-assessment
• Multiple versions to meet various scenarios (for example, SAQ A is a short form for e-commerce merchants that fully outsource all cardholder data handling to a validated third party, while SAQ D is the full questionnaire for merchants that store, process or transmit cardholder data themselves)
PCI-DSS SAQ
• Each SAQ contains:
– Questions related to the PCI-DSS requirements (slightly different depending on your credit card processing)
– Attestation of Compliance
• Declaration of eligibility for completing the SAQ and results of a PCI-DSS self-assessment
Completing the PCI-DSS SAQ
• www.pcisecuritystandards.org
• Document library
• SAQ documents
PCI-DSS Discussion
Section Discussion and Reporting
• THINK – GROUP – SHARE
• Divide into groups of 8-10
• Assign a recorder and a reporter
• Discussion questions:
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
THINK
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
GROUP
• Groups of 8-10
• Assign a recorder and reporter
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
SHARE
– Where are your organization’s strengths with PCI compliance?
– What are your organization’s largest challenges with PCI compliance?
Do’s and Don’ts
PCI-DSS
• DON’T…Store sensitive authentication data after authorization (full magnetic-stripe/track data, PINs)
• DON’T…store CVV codes, EVER, both print and electronic
• DON’T…Hire a point-of-sale vendor without discussing their PCI compliance
• DO…Use a POS vendor that uses a PCI validated payment application (a PA-DSS validated application listed on the PCI SSC website)
PCI-DSS
• DO…follow PCI-DSS guidelines
• DON’T…consider them the be-all and end-all of your organization’s security
• DON’T…reinterpret or creatively decide which of the 12 requirements you will follow
• DO…conduct a PCI-DSS self-assessment questionnaire on an annual basis
Personally Identifiable Information
• DO…Only store transaction data that is absolutely necessary (it’s most likely that you don’t need any transaction data!)
• DO…Use partners to secure information (cloud-based Donor Management System)
• DO…Make sure the information you are storing, even in a secure location (hard copy or in the cloud), is only something you really need
Cardholder Data
• DON’T…store it if you don’t need it.
• DO…shred or burn it, if you have it and don’t need it anymore.
• DON’T…print it if you don’t need it.
• DO…consolidate and isolate it, if you do need it.
Passwords
• DO…Change your password to key systems frequently (30-60 days; PCI DSS itself requires a change at least every 90 days, Req. 8.2.4)
• DON’T…Use the same password for multiple systems, both online and physical systems
• DON’T...Share passwords with anyone, including coworkers
Passwords
• DO…create an organization-wide password policy including how often it must be changed, number of characters, number of special characters, and number of digits (PCI DSS sets the floor at 7 characters containing both letters and digits, Req. 8.2.3)
• DON’T…use your username or ID in the password
• DON’T...Use a dictionary word in any language, even in reverse
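A checker for the rules on the two Passwords slides and the Top 25 list from the Requirement 2 slide, added here as an example (it is not code from the deck or from Greater Giving). It rejects the 2015 top-25 list after undoing the usual letter-for-digit substitutions (so passw0rd and Dr4g0n are both caught), rejects dictionary words forwards or reversed, rejects any part of the user's own name, and enforces length, digit and special-character minimums plus a maximum password age. The 12-character minimum, the 60-day rotation period and the small word list are this example's assumptions: the deck leaves those numbers to your own policy, and PCI DSS 3.x itself only requires 7 characters with letters and digits (Req. 8.2.3) and a change every 90 days (Req. 8.2.4).

```python
"""Password-policy checker for the rules on the Passwords slides. Added example, not code
from the deck or from Greater Giving. The numeric limits below are this example's assumptions."""
import re
from dataclasses import dataclass
from datetime import date

# The "Top 25 Passwords in 2015" list from the Requirement 2 slide.
TOP_25_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "football",
    "1234", "1234567", "baseball", "welcome", "1234567890", "abc123", "111111",
    "1qaz2wsx", "dragon", "master", "monkey", "letmein", "login", "princess",
    "qwertyuiop", "solo", "passw0rd", "starwars",
}
# Constructed stand-in for a real multi-language word list (load one from a file in practice).
DICTIONARY = {"dragon", "welcome", "giving", "donor", "gala", "auction", "casa", "familia", "maison"}
# Undo common letter-for-digit substitutions before comparing, so "passw0rd" and "Dr4g0n" are caught.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


@dataclass(frozen=True)
class Policy:
    # Assumed values. PCI DSS 3.x floor: 7 characters with letters and digits (Req. 8.2.3),
    # change at least every 90 days (Req. 8.2.4); the deck suggests 30-60 days.
    min_length: int = 12
    min_digits: int = 1
    min_special: int = 1
    max_age_days: int = 60


DEFAULT_POLICY = Policy()


def normalize(text: str) -> str:
    """Lower-case and map digits/symbols back to the letters they usually stand in for."""
    return text.lower().translate(LEET)


def check_password(password: str, username: str, policy: Policy = DEFAULT_POLICY) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append("too_few_digits")
    if sum(not c.isalnum() for c in password) < policy.min_special:
        problems.append("too_few_special")
    lowered, norm = password.lower(), normalize(password)
    # "DON'T use your username or ID in the password": check each part of e.g. jessica.creager
    for part in re.split(r"[^a-z0-9]+", username.lower()):
        if len(part) >= 3 and (part in lowered or part in norm):
            problems.append("contains_username")
            break
    if lowered in TOP_25_2015 or norm in TOP_25_2015:
        problems.append("common_password")
    # "DON'T use a dictionary word in any language, even in reverse"
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and (word in norm or word[::-1] in norm):
            problems.append("dictionary_word:" + word)
    return problems


def rotation_due(last_changed: str, today: str, policy: Policy = DEFAULT_POLICY) -> bool:
    """True when a password set on last_changed (ISO date) is past the policy's maximum age."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days >= policy.max_age_days


if __name__ == "__main__":
    for pw, user in [("passw0rd", "tracey"), ("Dr4g0n!Giv1ng", "jallen"), ("T9v!q2Lm#8rZx4", "jallen")]:
        print(pw, check_password(pw, user) or "ok")
    print("rotation due:", rotation_due("2016-01-01", "2016-03-01"))
```

The normalization step is the part worth copying: a rule that says "no dictionary words" is trivially bypassed by swapping a 0 for an o unless the check undoes the swap first, and the reversed-word test is what the slide's "even in reverse" actually requires.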
Compliance and Security
• DO…Understand the difference between being compliant and being secure
• DON’T…Think that just because you are compliant at one point in time, your environment won’t change
• DO…Ensure that controls continue to be implemented as a part of your overall security strategy
• DO…Have a security policy!
• DO…Be sure that everyone on staff is aware of the
policy
• DO…Require an annual review and sign-off of the
security plan by each member of the staff
• DON’T…Wait to complete staff background checks
until after hire
• DO…Test your security...if you don’t test it you don’t
have it
Organization Security
#16NTCpci
67. Organization Security
• DO…Have a company technology usage policy that is revisited annually
• DO…Hold annual security awareness training for all staff members
• DO…Provide long-term volunteers with training on your security and usage policies
69. Case Study
70. Who is Family House?
• Mission: Family House serves as a home away from home for families of children with cancer and other life-threatening illnesses, providing physical comfort and emotional support, free from financial concerns.
71. Family House
72. Online Donations
73. Event Fundraising
74. Emerging Card Technology
75. EMV & NFC
• Card payment and processing technology coming soon
• EMV: a gradual shift that has already begun
• EMV will become the industry standard, but getting there is a process
• NFC is still emerging, with slow adoption, but is likely the future
76. EMV
• https://www.youtube.com/watch?v=0jp7s-I0PJ8
77. EMV & PCI
• EMV = card-present transactions
  – In person
78. EMV Chip
• The chip decides the purchase situation; it has logic on the chip to request additional information
• The chip decides whether you need… (the card carries a prioritized CVM List that the terminal evaluates for each transaction)
  – Chip and PIN
  – Chip and Signature
• Magnetic stripes expected to be phased out by 2020
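The "chip decides" bullet refers to the CVM List (EMV tag 8E) that the card presents: a prioritized list of cardholder verification rules, each with a method and a condition, which the terminal walks in order against the transaction and its own capabilities. The following is an added example, not code from the session or from Greater Giving, showing how that list is parsed and how the outcome becomes chip-and-PIN, signature, or no verification at all. The sample list, the amount threshold and the two terminal capability sets are constructed for illustration; the terminal logic is a simplification of the cardholder verification processing in EMV Book 3 (a supported method is assumed to succeed, and the "under/over X" conditions are treated as strict comparisons).

```python
from dataclasses import dataclass

# CVM codes from EMV Book 3 (low six bits of the first byte of each rule).
CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}


@dataclass
class CvmRule:
    code: int               # which verification method
    continue_on_fail: bool  # bit 7 of byte 1: try the next rule if this one fails
    condition: int          # byte 2: when this rule applies


@dataclass
class Txn:
    amount: int                   # minor units of the application currency
    in_app_currency: bool = True
    unattended_cash: bool = False
    manual_cash: bool = False
    cashback: bool = False


def parse_cvm_list(data: bytes):
    """Parse tag 8E: 4-byte amount X, 4-byte amount Y, then 2-byte rules."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [CvmRule(code=b1 & 0x3F, continue_on_fail=bool(b1 & 0x40), condition=b2)
             for b1, b2 in zip(data[8::2], data[9::2])]
    return x, y, rules


def condition_met(rule, txn, x, y, supported):
    """Condition codes from EMV Book 3; 'under'/'over' taken as strict here."""
    c = rule.condition
    if c == 0x00: return True
    if c == 0x01: return txn.unattended_cash
    if c == 0x02: return not (txn.unattended_cash or txn.manual_cash or txn.cashback)
    if c == 0x03: return rule.code in supported
    if c == 0x04: return txn.manual_cash
    if c == 0x05: return txn.cashback
    if c == 0x06: return txn.in_app_currency and txn.amount < x
    if c == 0x07: return txn.in_app_currency and txn.amount > x
    if c == 0x08: return txn.in_app_currency and txn.amount < y
    if c == 0x09: return txn.in_app_currency and txn.amount > y
    return False  # RFU or proprietary condition: treat as not met


def select_cvm(cvm_list: bytes, txn: Txn, supported: set) -> str:
    """Walk the card's rules in order the way a terminal does (simplified:
    a supported method is assumed to succeed, i.e. the correct PIN is entered)."""
    x, y, rules = parse_cvm_list(cvm_list)
    for rule in rules:
        if not condition_met(rule, txn, x, y, supported):
            continue                      # rule does not apply, try the next
        if rule.code == 0x00:
            return "FAIL"                 # card says: fail verification here
        if rule.code in supported:
            return CVM_CODES[rule.code]   # method chosen for this transaction
        if not rule.continue_on_fail:
            return "FAIL"                 # unsupported, and the card forbids fallback
    return "FAIL"                         # list exhausted without a usable CVM


# Constructed sample CVM List (not from a real card): X = 2000 minor units,
# Y unused; rules: no CVM under X; enciphered PIN by ICC if the terminal
# supports it (else continue); signature if supported (else continue); fail.
SAMPLE_CVM_LIST = bytes.fromhex("000007D0" "00000000" "1F06" "4403" "5E03" "0000")

PIN_PAD_TERMINAL = {0x04, 0x1E, 0x1F}   # chip-and-PIN capable
SIGNATURE_TERMINAL = {0x1E, 0x1F}       # signature only, no PIN pad

if __name__ == "__main__":
    for amount in (1500, 15000):
        for name, caps in (("PIN pad", PIN_PAD_TERMINAL), ("signature", SIGNATURE_TERMINAL)):
            print(amount, name, "->", select_cvm(SAMPLE_CVM_LIST, Txn(amount), caps))
```

With this sample list a small donation goes through with no verification, a larger one asks for a PIN at a PIN-capable terminal and for a signature at a signature-only terminal, and a terminal that supports neither is told by the card to fail verification. That is the whole of "chip and PIN versus chip and signature": the card's list plus the terminal's capabilities, not a setting the merchant chooses per transaction.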
79. EMV Fact or Fiction
• Fact or Fiction game
• Myths about EMV
80. EMV Fact or Fiction?
EMV is named for the three organizations that created it: Europay, MasterCard, and Visa.
Fact!
EMV cards have a small computer chip that makes them more difficult to counterfeit. These cards are designed to help reduce counterfeit card fraud for card-present transactions.
81. EMV Fact or Fiction?
One major milestone for EMV that took place in October 2015 was that magnetic stripe credit cards are no longer accepted.
Fiction!
The October 2015 milestone in the US was the EMV liability shift: liability for counterfeit card-present fraud moved to whichever party, merchant or issuer, had not adopted chip technology. It did not discontinue support for traditional magnetic stripe credit cards, and it does not change PCI compliance requirements.
82. EMV Fact or Fiction?
In general, nonprofits experience very low rates of fraud; typically less than 0.05% of charges are disputed as chargebacks.
Fact!
Most chargebacks occur because a donor forgot they bought something at an auction, or another authorized cardholder made the purchase or in-person donation and forgot to tell them.
83. EMV Fact or Fiction?
EMV can reduce fraudulent online transactions.
Fiction!
Online transactions are not impacted by EMV. These are card-not-present transactions: the chip is never read, so EMV's counterfeit-card protection does not apply. Historically, fraud has migrated from card-present to card-not-present channels after EMV rollouts, so online donation forms need their own controls.
84. EMV Fact or Fiction?
Use of an EMV-compliant point-of-sale system is not required today by the PCI DSS requirements.
Fact!
EMV is intended to help reduce card-present fraud, and PCI compliance is intended to provide security around credit card data. Today, use (or non-use) of EMV-enabled equipment does not affect an organization's PCI compliance.
85. EMV & Nonprofits
• In general, nonprofits have VERY low risk of processing fraudulent charges
• The chance of fraudulent charges increases with the number of completed transactions
86. NFC: Near Field Communication
• NFC card emulation enables NFC-enabled devices such as smartphones to act like smart cards, allowing users to perform transactions such as payment or ticketing
• Not mandated by PCI at this time (PCI DSS does not require contactless acceptance; the contactless reader itself is still a PCI-approved point-of-interaction device, and any cardholder data it handles remains in scope)
• PayPass technology (Mastercard's contactless brand)
87. Questions?
88. Who is Greater Giving?
89. Who is Greater Giving?
• 14 years' experience providing technology and credit card processing solutions for nonprofits and schools
• Over 8,000 clients across the country
• Products used in over 50,000 fundraising campaigns and auctions
• PCI Level 1 compliant
90. Greater Giving Products and Services
Bundles: Greater Giving Event with Online Bidding; Greater Giving Event
• AUCTIONPAY: accept payments at events while improving checkout
• EVENT SOFTWARE: manage all auction details with easy-to-use software
• ONLINE PAYMENTS: recurring donations, registrations, tuition and event sites
• ONLINE BIDDING: paperless way to manage bidding at your next event
Add-ons: Join Me, Auction Booster, Event Services
91. Finally…
92. Collaborative Notes, Slide Share, Session Evaluation
• Materials & Collaboration Notes: http://po.st/pci-16NTC
• Slide Share
• Evaluation Link: http://po.st/QUUmAt
93. Presenters Contact
Tracey Lorts, Community Marketing Manager, Greater Giving: tlorts@greatergiving.com, @traceypdx
Jessica Creager, Director of Finance and Special Events, Family House: jcreager@familyhouseinc.org, @familyhousesf
Joshua Allen, Solutions Engineer, Greater Giving: jallen@greatergiving.com, @joshallen13