Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data

This presentation is the property of Global Payments Inc. or its subsidiaries and affiliates, is for sole use of the intended recipient(s) and may contain confidential or privileged
information. Any unauthorized review, use, disclosure or distribution is prohibited. 1
PCI and Protecting Your
Donors’ Data
Super-Boring, Crazy-
Important:

@greatergiving
#16NTCpci

Your Presenters
Tracey Lorts
Community Marketing Manager
Greater Giving
Jessica Creager
Director of Finance and Special Events
Family House
Joshua Allen
Solutions Engineer
Greater Giving #16NTCpci

• I talk fast (we have a lot to cover!)
• I am not on the PCI council or certified in PCI
• I have consulted with individuals who are experts
• Some information shared is anecdotal in nature
• We will do our best to answer questions, but some
may need to be answered by an expert. We will
make note and do our best to get you an answer.
• I was a classroom teacher (sorry!)
Disclaimer
#16NTCpci

• What kind of power do you hold in your nonprofit?
• What are you responsible for?
• Do your responsibilities give you power?
• What would happen in your organization had a breach?
• What is one question you have about this content that you
hope I answer today?
Share first name, where you’re from, organization (optional)
Question?
#16NTCpci

#16NTCpci

Donor Data
#16NTCpci

• Does your nonprofit collect online donations?
• How do you handle credit card transactions?
• Who in your organization has access to donor
PII?
• Do any members of your team (volunteers or
staff) REALLY need to see credit card
information? Are you sure?
Food for Thought
#16NTCpci

PCI-Removing the Myths
#16NTCpci

• What is PCI Compliance?
• The 12 PCI-DSS Requirements
• PCI Self-Assessment Questionnaire
• The new world of EMV & NFC
• Do’s and Don’ts of data compliance
• Family House Case Study
• Q and A
What We’re Covering
#16NTCpci

• Handout when you came in
• Includes all the acronyms most common in this
presentation
• Hopefully, can be a tool you use in the future
Terms & Acronyms Cheat Sheet
#16NTCpci

PCI
Compliance

Crazy-Boring, Super-Important
#16NTCpci

• THINK – PAIR - SHARE
• After the discussion on this section, divide into
groups of 8-10
• Assign a recorder and a reporter
• Discussion questions:
– Where are your organization’s strengths with PCI
compliance?
– What are your organization’s largest challenges with
PCI compliance?
Section Discussion and Report Back
#16NTCpci

• PCI=Payment Card Industry
• Developed to encourage and enhance
cardholder data security
• Levels of Compliance 1-4
• PCI Security Standards Council (American
Express, Discover, JCB, Master Card, and Visa)
What is PCI?
#16NTCpci

• The members of the PCI Security Standards
Council monitor occurrences of account data
compromise
• Compromises happen at all levels of
organizations
• A security breach and subsequent compromise
of payment card data has far-reaching
consequences for affected organizations
What is PCI?
#16NTCpci

• PCI-DSS=Payment Card Industry Data Security
Standard
• Facilitates adoption of consistent data security
measures globally
• Baseline of technical and operational
requirements
What is PCI-DSS?
#16NTCpci

Who-PCI-DSS
• Selling goods or services to individual consumers or businesses.
• You, coffee shop, Amazon.Merchants
• Companies appointed by the merchant to handle transactions.
• Provide merchant ID to both Merchants and Acquirers.Processors
• A bank or financial institution that processes on behalf of a merchant.
• Banks.Acquirers
• A bank or financial institution providing payment cards to consumers.
• AMEX, Visa, MasterCard, Discover. Also, Chase and other banks.Issuers
• Any entity providing a product or service that could influence
processing.
• Data center, cloud providers, building security.
Service Providers
#16NTCpci

• ALL entities that store, process or transmit
cardholder data
• And/or sensitive authentication data (SAD)
– Card validation codes/values (CVV)
– Full track data (magnetic stripe or chip)
– PINs
– PIN blocks
Who-PCI-DSS
#16NTCpci

Sensitive Authentication Data (SAD)
Image from: https://www.pcisecuritystandards.org/pci_security/why_security_matters
#16NTCpci

12 Requirements
of PCI-DSS

• High level security concepts
• Each requirement has additional sub-categories
and testing procedures of what to do to
demonstrate meeting each requirement
• Expected to implement and review on an annual
basis
The 12 PCI-DSS Requirements
#16NTCpci

• Baseline, starting point to raise the conversation
of credit card security in your organization
• Easily implemented at all organizations-yearly
self-assessment questionnaire
• A minimum set of standards recommended for
use by any business or organization that
handles credit card transactions
#16NTCpci

• 1- Install and maintain a
firewall
• 2-Do not use vendor supplied
defaults for system passwords
Build and
Maintain a
Secure Network
and Systems
#16NTCpci

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. passw0rd
25. starwars
Top 25 Passwords in 2015
#16NTCpci

• 3-Protect stored cardholder
data
• 4-Encrypt transmission of
cardholder data across open,
public networks
Protect
Cardholder
Data
#16NTCpci

#16NTCpci

• 5-Protect all systems against
malware and regularly update
anti-virus software or programs
• 6-Develop and maintain secure
systems and applications
Maintain a
Vulnerability
Management
Program
#16NTCpci

• 7-Restrict access to cardholder
data by business need to know
• 8-Identify and authenticate
access to system components
• 9-Restrict physical access to
cardholder data
Implement
Strong Access
Control
Measures
#16NTCpci

#16NTCpci

• 10- Track and monitor all
access to network resources
and cardholder data
• 11-Regularly test security
systems and processes
Regularly
Monitor and
Test Networks
#16NTCpci

• 12- Maintain a policy that
addresses information security
for all personnel
Maintain an
Information
Security
Policy
#16NTCpci

1. Install and maintain a firewall
2. Do not use vendor supplied defaults
for system passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder
data across open, public networks
5. Protect all systems against malware
and regularly update anti-virus
software or programs
6. Develop and maintain secure systems
and applications
7. Restrict access to cardholder data by
business need to know
8. Identify and authenticate access to
system components
9. Restrict physical access to cardholder
data
10.Track and monitor all access to
network resources and cardholder
data
11.Regularly test security systems and
processes
12.Maintain a policy that addresses
information security for all personnel
The 12- PCI-DSS
#16NTCpci

• PCI-DSS addresses common security
weaknesses
• Often exploited because controls either were not
in place or were poorly implemented
Common PCI-DSS Control Failures
#16NTCpci

• Examples common control failures:
– Storage of SAD after authorization
– Inadequate access controls due to improperly installed
POS systems
– Default system settings and passwords not changed
– Unnecessary and insecure services not removed or
secured when services were installed
– Missing and outdated security patches
– Lack of monitoring
Common PCI-DSS Failures
#16NTCpci

#16NTCpci

• You MUST secure cardholder data where it is
captured at the point of sale and as it flows into
the payment system. The best step you can take
is to not store any cardholder data after
processing.
What needs to be secure?
#16NTCpci

This includes protecting:
• Card readers
• Point of sale systems
• Store networks & wireless access routers
• Payment card data storage and transmission
• Payment card data stored in paper-based records
• Online payment applications and shopping carts
What needs to be secure?
#16NTCpci

Questions
#16NTCpci

Merchant Tiers

• Apply to those processing transactions
• Each card brand has a different set of tiers,
they set them up themselves
• The tiers are based on number of transactions
per year not processing amount
Merchant Tiers
#16NTCpci

Level/
Tier
Merchant Criteria Validation Requirements
1 • Processing over 6 million
transactions annually
• If you are a service provider
• If your acquirer deems you a tier 1
• If at any point you have a breach of
cardholder data
• Annual Report on
Compliance (ROC) by
Qualified Security
Assessor (QSA)
• Quarterly network scan by
Approved Scan Vendor
(ASV)
• Attestation of Compliance
Form (AOC)
Merchant Tiers
#16NTCpci

Level/
Tier
2 Merchants processing 1 million to 6
million transactions annually
• Annual SAQ
ASV
• AOC Form
Merchant Tiers
#16NTCpci

Level/
Tier
3 Merchants processing 20,000 to 1
million transactions annually
• Annual SAQ
ASV
• AOC Form
Merchant Tiers
#16NTCpci

Level/
Tier
4 Merchants processing less than 20,000
transactions annually
• Annual SAQ
ASV if applicable
• Compliance validation
requirements set by
acquirer
Merchant Tiers
#16NTCpci

Questions?
#16NTCpci

PCI-DSS SAQ

#16NTCpci

• PCI-DSS common set of industry tools to ensure
safe handling of cardholder data
• The 12 standards provide an actionable
framework for a security process
– Preventing
– Detecting
– Reacting to security incidents
How it fits
#16NTCpci

• SAQ= Self-Assessment Questionnaire
• Validation tools intended to assist in the
reporting of results of an organization’s PCI-DSS
self-assessment
• Multiple versions to meet various scenarios (e-
commerce merchants only)
What is the Self-Assessment?
#16NTCpci

• Each SAQ Contains:
– Questions related to the PCI-DSS requirements
(slightly different depending on your CC processing)
– Attestation of Compliance
• Declaration of eligibility for completing the SAQ and results
of a PCI-DSS Self-Assessment
PCI-DSS SAQ
#16NTCpci

• www.pcisecuritystandards.org
• Document library
• SAQ Documents
Completing the PCI-DSS SAQ
#16NTCpci

PCI-DSS
Discussion

• THINK – GROUP – SHARE
• Divide into groups of 8-10
• Assign a recorder and a reporter
• Discussion questions:
compliance?
PCI compliance?
Section Discussion and Reporting
#16NTCpci

compliance?
PCI compliance?
THINK
#16NTCpci

• Groups 8-10
• Assign a Recorder and Reporter
compliance?
PCI compliance?
GROUP
#16NTCpci

compliance?
PCI compliance?
SHARE
#16NTCpci

Do’s and Dont’s

• DON’T…Store sensitive authentication data after
authorization (mag strip, PINS)
• DON’T…store CVV codes, EVER, both print and
electronic
• DON’T…Hire a point-of-sale vendor without
discussing their PCI compliance
• DO…Use a POS vendor that uses a PCI Validated
Payment Application
PCI-DSS
#16NTCpci

• DO…follow PCI-DSS guidelines
• DON’T…consider them the end all of your
organization’s security
• DON’T…reinterpret or creatively decide on
which of the 12 standards you will follow
• DO…conduct a PCI-DSS self-assessment
questionnaire on an annual basis
PCI-DSS
#16NTCpci

• DO…Only store transaction data that is
absolutely necessary (it’s most likely that you
don’t need any transaction data!)
• DO…Use partners to secure information (cloud
based Donor Management System)
• DO…Make sure the information you are storing,
even in a secure location (hard copy or in the
cloud), is only something you really need
Personally Identifiable Information
#16NTCpci

• DON’T…store it if you don’t need it.
• DO…shred or burn it, if you have it and
don’t need it anymore.
• DON’T…need it, don’t print it.
• DO…consolidate and isolate it, if you do
need it.
Cardholder Data
#16NTCpci

• DO…Change your password to key systems
frequently (30-60 days)
• DON’T…Use the same password for multiple
systems, both online and physical systems
• DON’T...Share passwords with anyone, including
coworkers
Passwords
#16NTCpci

• DO…create an organization wide password
policy including frequency it must be changed,
number of characters, number of special
characters, and number of numbers
• DON’T…use your username or ID in the
password
• DON’T...Use a dictionary word in any language,
even in reverse
Passwords
#16NTCpci

• DO…Understand the difference between being
compliant and being secure
• DON’T…Think that just because you are
compliant at one point in time, your environment
won’t change
• DO…Ensure that controls continue to be
implemented as a part of your overall security
strategy
Compliance and Security
#16NTCpci

• DO…Have a security policy!
• DO…Be sure that everyone on staff is aware of the
policy
• DO…Require an annual review and sign-off of the
security plan by each member of the staff
• DON’T…Wait to complete staff background checks
until after hire
• DO…Test your security...if you don’t test it you don’t
have it
Organization Security
#16NTCpci

• DO…Have a company technology usage policy
that is revisited annually
• DO… An annual security awareness training for
all staff members
• DO… provide long-term volunteers with training
on your security and usage policy
Organization Security
#16NTCpci

#16NTCpci

Case Study
#16NTCpci

Who is Family House?
• Mission: Family House serves as a home away from
home for families of children with cancer and other
life-threatening illnesses providing physical comfort
and emotional support, free from financial concerns.
#16NTCpci

Family House
#16NTCpci

Online Donations
#16NTCpci

Event Fundraising
#16NTCpci

Emerging Card
Technology

• Card payment & processing technology coming
soon
• EMV-gradual shift that has already begun
• EMV will become the industry standard, but it is
a process to get there
• NFC is still emerging, slow adoption, but likely
the future
EMV & NFC
#16NTCpci

EMV
#16NTCpci
• https://www.youtube.com/watch?v=0jp7s-I0PJ8

• EMV= card-present transactions
– In person
EMV & PCI
#16NTCpci

• Chip decides the purchase situation, has logic in
chip to request additional information
• Chip decides if you need…
– Chip and PIN
– Chip and Signature
• Magnetic strips phased out 2020
EMV Chip
#16NTCpci

• Fact or Fiction Game
• Myths about EMV
EMV Fact or Fiction
#16NTCpci

EMV is named for the three organizations that created it:
Europay, MasterCard, and Visa
EMV Fact or Fiction?
Fact!
EMV cards have a small computer chip that makes
them more difficult to counterfeit. These cards are
designed to help reduce counterfeit card fraud for
card-present transactions. #16NTCpci

One major milestone for EMV that took place in
October 2015 was that magnetic stripe credit cards
are no longer accepted
EMV-Fact or Fiction?
Fiction!
A major milestone of implementing EMV chip cards in the US
does not include discontinuing support for traditional
magnetic stripe credit cards. It also does not impact PCI
compliance regulations. #16NTCpci

In general nonprofits experience very low rates of
fraud; typically less than 0.05 % of charges are
disputed as chargebacks
Fact!
Most chargebacks occur because a donor forgot they bought
something at an auction or another authorized cardholder
made the purchase or in-person donation and forgot to tell
them. #16NTCpci

EMV can reduce fraudulent online transactions.
Fiction!
Online transactions are not impacted by EMV changes.
These transactions are called card-not-present transactions
and are not impacted by EMV.
#16NTCpci

Use of an EMV-compliant point-of-sale system is
not required today by the PCI-DSS requirements.
Fact!
EMV is intended to help reduce card-present fraud, and PCI
compliance is intended to provide security around credit card
data. Today, use (or nonuse) of EMV-enabled equipment
does not impact an organization’s PCI compliance. #16NTCpci

• In general, nonprofits have VERY low risk of
processing fraudulent charges
• Chance of fraudulent charges increases with the
number of completed transactions
EMV & Nonprofits
#16NTCpci

• NFC card emulation—enables NFC-enabled devices
such as smartphones to act like smart cards, allowing
users to perform transactions such as payment or
ticketing.
• Not mandated/overseen by PCI, at this time
• Pay Pass technology
NFC-Near Field Communications
#16NTCpci

Questions?
#16NTCpci

Who is Greater
Giving?

• 14 years experience providing
technology and credit card
processing solutions for nonprofits
and schools
• Over 8,000 clients across the country
• Products used in over 50,000
fundraising campaigns and auctions
• PCI Level 1 Compliant
Who is Greater Giving?
#16NTCpci

Greater Giving Products and Services
Greater Giving Event with Online Bidding:
Greater Giving Event:
AUCTIONPAY
Accept payments at events
while improving checkout
EVENT SOFTWARE
Manage all auction details
with easy-to-use software
ONLINE PAYMENTS
Recurring donations,
registrations, tuition and event sites
ONLINE BIDDING
Paperless way to manage
bidding at your next event
Add-ons:
Join Me Auction Booster Event Services

Finally…

• Materials & Collaboration Notes
http://po.st/pci-16NTC
• Slide Share
• Evaluation Link
http://po.st/QUUmAt
Collaborative Notes, Side Share, Session Evaluation

Presenters Contact
Tracey Lorts
Community Marketing Manager
Greater Giving
tlorts@greatergiving.com
@traceypdx
Jessica Creager
Director of Finance and Special
Events
Family House
jcreager@familyhouseinc.org
@familyhousesf
Joshua Allen
Solutions Engineer
Greater Giving
jallen@greatergiving.com
@joshallen13

Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data

Recommended

Recommended

More Related Content

Similar to Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data

Similar to Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data (20)

Recently uploaded

Recently uploaded (20)

Super-Boring, Crazy-Important: PCI and Protecting Your Donors' Data