PCI compliance and fraud prevention for non profits

Are you trying to wrap your head around PCI security requirements, how to securely manage payment card data and what types of credit card fraud to watch out for? This session is for you!

Learn more about the implications of PCI-DSS requirements, best practices around securely storing credit card data and how to put tools in place to prevent costly (and frustrating) credit card fraud at your organization. Be prepared, get informed and don’t let the bad guys win!

PRESENTER

Patricia O'Connor – Partner Account Manager

iATS Payments (@iATSPayments) provides payment processing products and services to over 10,000 nonprofit organizations around the world. It's not one of the things we do; it's the only thing we do.

Published in: Government & Nonprofit

1. PCI Compliance & Fraud Prevention for Nonprofits: Don't let the bad guys win!
   Patricia O'Connor, Partner Account Manager, patricia.oconnor@iatspayments.com

2. Agenda
   • The Harsh Reality: Fraudsters
   • First Step: PCI Compliance
   • Tools for Fraud Prevention
   • Resources

3. Who are they?

4. The Harsh Reality: Fraudsters
   • Fraudsters are smart and dedicated
   • Data breach vs. payment fraud
   • They attack vulnerable websites
   • Nonprofits have weaker security
   • Nonprofits can lose both money and reputation as a result of fraud

5. What do they do?
   • Testing stolen card numbers
     – $1.00 donations
   • Card number tumbling
   • Name tumbling
   • Refund scam
   • Creation of clone charities

6. Ways to STOP them
   • Velocity checking
   • Address verification (AVS)
   • CVV2 checking
   • IP blocking (high-risk countries)
   • Minimum transaction limit
   • Payment form
     – iFrame hosted by the processor (least risk: card data never touches your page)
     – Direct Post (medium risk: your page serves the form that collects the card data)
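The checks on the two slides above, as an added example rather than code from the slides or from iATS: a screening routine that runs velocity checks, AVS and CVV2 result checks, a minimum transaction amount and a country block over a constructed batch of donation attempts, and flags the card-testing, card-number-tumbling and name-tumbling patterns from slide 5. The thresholds, the AVS and CVV2 response codes, the placeholder country code "ZZ" and the sample data are assumptions for illustration, not values from the presentation.

```python
"""Fraud screening for a donation form: velocity checks plus AVS, CVV2,
minimum-amount and country checks, run over a constructed batch of attempts.
Added example; not iATS code. Thresholds, response codes and the blocked
country list are assumptions, not values from the slides."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    country: str      # country code derived from the IP (geolocation assumed)
    card_token: str   # processor token for the card; the PAN itself is never stored
    name: str
    amount: float
    avs: str          # AVS result: "Y" address+ZIP match, "A" address only, "Z" ZIP only, "N" no match (assumed codes)
    cvv2: str         # CVV2 result: "M" match, "N" no match (assumed codes)


@dataclass(frozen=True)
class Policy:
    min_amount: float = 5.00                            # minimum transaction limit
    window: timedelta = timedelta(minutes=10)           # velocity window
    max_attempts_per_ip: int = 5                        # attempts from one IP in the window
    max_cards_per_ip: int = 3                           # distinct cards from one IP (card number tumbling)
    max_names_per_card: int = 2                         # distinct names on one card (name tumbling)
    blocked_countries: frozenset = frozenset({"ZZ"})    # "ZZ" is a placeholder for the org's high-risk list
    accepted_avs: frozenset = frozenset({"Y", "A", "Z"})
    accepted_cvv2: frozenset = frozenset({"M"})


def screen(attempts, policy: Optional[Policy] = None):
    """Return {index: [reasons]} for every attempt that should be declined or held.

    Velocity checks look back over the policy window relative to each attempt,
    so the first few probes from a card tester pass and the rest are caught."""
    policy = policy or Policy()
    flags = defaultdict(list)
    ordered = sorted(enumerate(attempts), key=lambda pair: pair[1].ts)
    for i, a in ordered:
        # Per-transaction attribute checks
        if a.country in policy.blocked_countries:
            flags[i].append("blocked_country")
        if a.amount < policy.min_amount:
            flags[i].append("below_minimum_amount")
        if a.avs not in policy.accepted_avs:
            flags[i].append("avs_mismatch")
        if a.cvv2 not in policy.accepted_cvv2:
            flags[i].append("cvv2_mismatch")
        # Velocity checks over the window ending at this attempt
        recent = [b for _, b in ordered if a.ts - policy.window <= b.ts <= a.ts]
        same_ip = [b for b in recent if b.ip == a.ip]
        if len(same_ip) > policy.max_attempts_per_ip:
            flags[i].append("ip_velocity")
        if len({b.card_token for b in same_ip}) > policy.max_cards_per_ip:
            flags[i].append("card_tumbling")
        same_card = [b for b in recent if b.card_token == a.card_token]
        if len({b.name.lower() for b in same_card}) > policy.max_names_per_card:
            flags[i].append("name_tumbling")
    return dict(flags)


# Constructed sample batch (not real donor data)
T0 = datetime(2015, 3, 1, 12, 0, 0)
SAMPLE = [
    Attempt(T0, "203.0.113.7", "US", "tok_1001", "Jane Donor", 50.00, "Y", "M"),   # legitimate gift
    # Card testing: six $1.00 gifts in six minutes from one IP, each on a different stolen card
    *[Attempt(T0 + timedelta(minutes=k), "198.51.100.9", "US", f"tok_2{k:03d}", f"Test {k}", 1.00, "N", "N")
      for k in range(6)],
    # Name tumbling: one card, three donor names in three minutes
    Attempt(T0 + timedelta(minutes=20), "192.0.2.5", "CA", "tok_3001", "A Smith", 25.00, "Y", "M"),
    Attempt(T0 + timedelta(minutes=21), "192.0.2.5", "CA", "tok_3001", "B Jones", 25.00, "Y", "M"),
    Attempt(T0 + timedelta(minutes=22), "192.0.2.5", "CA", "tok_3001", "C Lee", 25.00, "Y", "M"),
    # Otherwise clean gift from a country on the block list
    Attempt(T0 + timedelta(minutes=40), "203.0.113.99", "ZZ", "tok_4001", "D Kim", 100.00, "Y", "M"),
]

if __name__ == "__main__":
    for idx, reasons in sorted(screen(SAMPLE).items()):
        a = SAMPLE[idx]
        print(f"{a.ts:%H:%M} {a.ip:>14} {a.name:<10} ${a.amount:>6.2f}  {', '.join(reasons)}")
```

Two caveats when putting checks like these in front of a real donation form. AVS is only supported for cards issued in a handful of countries (chiefly the US, Canada and the UK), so an "unavailable" AVS result from an international donor should be routed to review rather than treated as a mismatch, or you will decline legitimate overseas gifts. And the routine keys on the processor's card token rather than the card number, so the PAN never has to be stored or compared on your own systems, which is exactly what keeps the form in the lower-risk SAQ categories discussed later in the deck.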
7. Fraud Tools

8. Quick Case Study

9. What is PCI?
   • Payment Card Industry Data Security Standard (PCI DSS)
   • All merchants, regardless of size, must meet established standards of security for how credit card data is stored, processed, and transmitted

10. How PCI Helps
    • Creates an actionable framework to protect both nonprofits and donors
    • Enables prevention, detection, and mitigation of incidents
    • Maintaining PCI compliance helps build donors' trust

11. Becoming Compliant
    • Identify the level of compliance you need
    • Complete either:
      – Self-Assessment Questionnaire (SAQ)
      – Report on Compliance (ROC)
    • Different SAQ types apply depending on your systems and processes
    • Hire a security assessor where a ROC is required

12. Compliance Levels (Visa merchant levels)
    Level 1: Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year; also any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa network.
    Level 2: Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
    Level 3: Any merchant processing 20K to 1M Visa e-commerce transactions per year.
    Level 4: Any merchant processing fewer than 20K Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

13. SAQ Types
    SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced. Never applies to face-to-face merchants.
    SAQ A-EP*: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and whose website does not directly receive cardholder data but can impact the security of the transaction.
    SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage.
    SAQ B-IP*: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic cardholder data storage.
    SAQ C-VT: Merchants using only web-based virtual terminals, with no electronic cardholder data storage.
    SAQ C*: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
    SAQ P2PE-HW: Merchants using only hardware payment terminals included in and managed via a PCI SSC-listed P2PE solution, with no cardholder data storage.
    SAQ D*: All other merchants not covered by SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ.

14. Where Are You?

15. What to do…
    • Achieve and maintain PCI compliance
    • Talk to your merchant provider
      – What tools are available?
      – How do you implement them?
    • Train your staff so they know what to look for
      – Refund policies, account patterns, etc.

16. Basic Strategy
    • Outsource as much as possible to someone else
    • Work hard to only need to follow SAQ A or SAQ A-EP
    • Make sure you understand the questions

17. But don't totally avoid it
    • PCI encourages useful habits
      – Some of the policies are a good idea anyway.
    • Don't sacrifice user experience
      – Don't outsource to a platform your users will hate. That may cost you more than compliance.

18. What Professional Vendors Do
    • Scanning systems quarterly and annually (PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor and annual penetration testing)
    • Securing or removing direct access (physical and software) to servers and networks
    • Completely locking down direct access to all platform APIs
    • Fully logging every action taken on every server and API
    • Requiring two-factor authentication for all systems used
    • Maintaining strong internal processes and policies around password strength and maximum password age, SSL/TLS certificates, office access, and more

19. Key Takeaways
    • You must own the process
    • PCI encourages useful habits
    • Create a sustainable culture
    • You don't need to sacrifice user experience

20. Resources from iATS
    • White papers:
      – Credit Card Fraud Prevention in Nonprofits
      – Payment Processing 101
    • Infographic: Credit Card Fraud: How it impacts nonprofits
    • Infographic: Why PCI-DSS Compliance is a must have

21. General resources
    • DrupalPCICompliance.org
    • PCI Security Standards
      – https://www.pcisecuritystandards.org/security_standards/documents.php
