Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal -
Stephen Bestbier (iATS), Aaron Crosman (Message Agency), Erik Mathy (Pantheon)
Are you trying to wrap your head around PCI security requirements, how to securely manage payment card data and what types of credit card fraud to watch out for? This session is for you!
Learn more about the implications of PCI-DSS requirements, best practices around securely storing credit card data and how to put tools in place to prevent costly (and frustrating) credit card fraud at your organization. Be prepared, get informed and don’t let the bad guys win!
PRESENTER
Patricia O'Connor – Partner Account Manager
iATS Payments (@iATSPayments) provides payment processing products and services to over 10,000 nonprofit organizations around the world. It's not one of the things we do, it's the only thing we do.
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal
1. Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal
Don't let the bad guys win!
2. Agenda
• A bit of theory
• PCI compliance as a service provider
• Practical implications for nonprofits
3. Presenters
• Stephen Bestbier – VP Marketing and Business Development at iATS Payments
• Erik Mathy – Enterprise Onboarding Manager, GetPantheon
• Aaron Crosman – Software Engineer, Message Agency
4. A bit about fraudsters…
• They know to target charities
• They're SMART
• They have a big bag of tricks
• They're always changing and adapting
• They cost charities money (median loss: $85K)
5. What do they do?
• Testing stolen card numbers
– $1.00 donations
• Card number tumbling
• Name tumbling
• Refund scam
• Creation of clone charities
6. Ways to STOP them
• Velocity checking
• Address verification (AVS)
• CVV2 checking
• IP blocking (high-risk countries)
• Minimum transaction limit
• Payment form
– iFrame (least risk)
– Direct Post (medium risk)
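The following is an added example, not code from the deck or from iATS, Pantheon or Message Agency. It applies the countermeasures on slides 5 and 6 to a stream of donation attempts: a per-IP velocity check, card-number tumbling (many cards from one IP), name tumbling (many names on one card), a minimum amount that catches $1.00 card tests, and a country block. The thresholds, the field names, the placeholder country code "XX" and the sample attempts are all assumptions chosen for illustration; the card is keyed by BIN plus last four so the screen itself never holds a full card number.

```python
"""Velocity-based fraud screening for an online donation form (added example)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: float        # seconds since epoch
    ip: str
    country: str     # assumed to come from a GeoIP lookup done earlier
    name: str
    bin6: str        # first six digits of the card (issuer BIN), not the full PAN
    last4: str
    amount: float


@dataclass
class Policy:
    window: float = 600.0         # sliding window in seconds (assumed)
    max_per_ip: int = 5           # attempts per IP inside the window
    max_cards_per_ip: int = 3     # distinct cards per IP: card tumbling
    max_names_per_card: int = 2   # distinct names per card: name tumbling
    min_amount: float = 5.0       # below this, treat as a card test
    blocked_countries: frozenset = frozenset({"XX"})  # placeholder code


class VelocityScreen:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.by_ip = defaultdict(deque)    # ip -> deque of (ts, card_key, name)
        self.by_card = defaultdict(deque)  # card_key -> deque of (ts, name)

    def _trim(self, q: deque, now: float) -> None:
        # Drop entries that fell out of the sliding window.
        while q and now - q[0][0] > self.policy.window:
            q.popleft()

    def evaluate(self, a: Attempt) -> list[str]:
        """Return the rules the attempt trips; an empty list means allow."""
        p = self.policy
        card = (a.bin6, a.last4)
        reasons = []
        if a.country in p.blocked_countries:
            reasons.append("blocked_country")
        if a.amount < p.min_amount:
            reasons.append("below_minimum")
        ipq, cq = self.by_ip[a.ip], self.by_card[card]
        self._trim(ipq, a.ts)
        self._trim(cq, a.ts)
        # Rejected attempts are recorded too: fraudsters retry.
        ipq.append((a.ts, card, a.name))
        cq.append((a.ts, a.name))
        if len(ipq) > p.max_per_ip:
            reasons.append("ip_velocity")
        if len({c for _, c, _ in ipq}) > p.max_cards_per_ip:
            reasons.append("card_tumbling")
        if len({n for _, n in cq}) > p.max_names_per_card:
            reasons.append("name_tumbling")
        return reasons


def run_sample() -> dict[int, list[str]]:
    """Screen a constructed burst of attempts and return the verdicts by index."""
    screen = VelocityScreen(Policy())
    base = 1_700_000_000.0
    attempts = [
        Attempt(base + 0, "203.0.113.7", "US", "Pat Lee", "411111", "1111", 25.0),  # ordinary donor
        # card testing: six different cards, $1 each, from one IP in six seconds
        Attempt(base + 5, "198.51.100.9", "US", "A Smith", "411111", "0001", 1.0),
        Attempt(base + 6, "198.51.100.9", "US", "A Smith", "411111", "0002", 1.0),
        Attempt(base + 7, "198.51.100.9", "US", "A Smith", "411111", "0003", 1.0),
        Attempt(base + 8, "198.51.100.9", "US", "A Smith", "411111", "0004", 1.0),
        Attempt(base + 9, "198.51.100.9", "US", "A Smith", "411111", "0005", 1.0),
        Attempt(base + 10, "198.51.100.9", "US", "A Smith", "411111", "0006", 1.0),
        # name tumbling: one card, three cardholder names
        Attempt(base + 60, "192.0.2.44", "US", "B Jones", "555555", "4444", 20.0),
        Attempt(base + 61, "192.0.2.44", "US", "C Brown", "555555", "4444", 20.0),
        Attempt(base + 62, "192.0.2.44", "US", "D White", "555555", "4444", 20.0),
        # same IP as the tester, but well outside the window and a normal amount
        Attempt(base + 2000, "198.51.100.9", "US", "A Smith", "411111", "0007", 50.0),
    ]
    return {i: screen.evaluate(a) for i, a in enumerate(attempts)}


if __name__ == "__main__":
    for i, verdict in run_sample().items():
        print(i, verdict or "allow")
```

With a hosted iFrame form the card never reaches Drupal, so checks like these run at the processor (iATS offers them as the tools on slide 6); the logic is shown here so you know what to ask for and how to tune it. Counting rejected attempts toward velocity matters: a tester who is declined on the first $1.00 charge simply moves to the next card.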
7. What is PCI?
• Payment Card Industry Data Security Standard (PCI-DSS)
• All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted
8. How PCI Helps
• Creates an actionable framework to ensure safe handling of credit card data
• Enables prevention, detection and appropriate handling of incidents
• Maintaining PCI certification helps build donors' trust
9. How to become PCI Compliant?
• How
– SAQ: Self-Assessment Questionnaire, or
– RoC: Report on Compliance, using an ISA or QSA
• Identify your level of PCI compliance
• Self-Assessment Questionnaire (SAQ)
• Different SAQs depending on the merchant's systems and processes
10. PCI Compliance Levels
Level 1: Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.
11. SAQs – PCI DSS v3.0
SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ A-EP*: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website that doesn't directly receive cardholder data but can impact the security of the transaction.
SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
SAQ B-IP*: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic cardholder data storage.
SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.
SAQ C*: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a PCI SSC-listed P2PE solution. No cardholder data storage.
SAQ D*: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ.
13. What to do…
• Achieve and maintain PCI compliance
• Talk to your merchant provider
– What tools are available?
– How to implement?
• Train your staff so they know what to look for
– Refund policies, account patterns, etc.
14. PCI Compliance as a Cloud Service Provider
PCI DSS requirements for a Cloud Service Provider (CSP) offering Platform as a Service (PaaS):
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
5: Use and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need to know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security for all personnel
15. PCI Compliance as a Cloud Service Provider
What does that all mean?
• Securing/removing direct access (physical and software based) to servers and networks
• Completely locking down direct access to all platform APIs
• Fully logging every action taken on every server and API
• Requiring two-factor authentication for all systems used by Pantheon
• Creating strong internal processes and policies around password strength/maximum allowed age, SSL certificates for identification, office access, and more…
PCI compliance isn't just about the hardware, it's also about strong internal, secure business and personnel management practices.
16. Now what?
Yes, there are ways to handle all this and stay sane.
17. Basic Strategy
We have to do what?!?
Avoid
➔ Outsource as much as possible to someone else.
Minimize
➔ Work hard to only need to follow SAQ A or SAQ A-EP.
Learn
➔ Make sure you understand all the questions you're answering.
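The "Minimize" step only holds if card numbers never land on your own server: an iFrame or Direct Post form sends the card from the browser to the processor and the site gets back a token. The handler below is an added example, not code from the deck or from any of the modules it lists. It accepts a token-only donation post and refuses any submitted field that contains a Luhn-valid digit run of card length, so a broken or tampered form cannot quietly start posting card data to Drupal and pull the site into SAQ D scope. The field names, the `tok_` token shape and the sample posts are assumptions; the card numbers used are the standard 4111… and 5555… test numbers.

```python
"""Token-only donation handler with a PAN scope guard (added example)."""
import re

_DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")  # 13-19 digits, optional separators
_TOKEN = re.compile(r"^tok_[A-Za-z0-9]{16,}$")    # assumed processor token shape


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(run: str) -> bool:
    digits = re.sub(r"[ -]", "", run)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def looks_like_pan(value: str) -> bool:
    """True if value contains a card-length, Luhn-valid digit run."""
    return any(_is_pan(m.group()) for m in _DIGIT_RUN.finditer(value))


def redact_pans(value: str) -> str:
    """Mask Luhn-valid digit runs down to the last four; safe to write to logs."""
    def mask(m):
        run = m.group()
        if not _is_pan(run):
            return run
        digits = re.sub(r"[ -]", "", run)
        return "*" * (len(digits) - 4) + digits[-4:]
    return _DIGIT_RUN.sub(mask, value)


def handle_donation(post: dict) -> dict:
    """Accept a donation described by a processor token; reject anything carrying a PAN.

    `post` stands in for the decoded form submission (an assumption about the
    form's field names); the real handler would go on to charge the token.
    """
    for field, value in post.items():
        if looks_like_pan(str(value)):
            # Never persist or log the raw value: redact before it reaches a log line.
            return {
                "status": "rejected",
                "reason": f"field {field!r} contains card data",
                "log": redact_pans(f"rejected post with field {field}={value}"),
            }
    token = str(post.get("payment_token", ""))
    if not _TOKEN.match(token):
        return {"status": "rejected", "reason": "missing or malformed payment token"}
    amount = float(post.get("amount", 0))
    if amount <= 0:
        return {"status": "rejected", "reason": "invalid amount"}
    return {"status": "accepted", "token": token, "amount": amount}


if __name__ == "__main__":
    # Constructed sample posts: a clean token-only post and one that leaked a card.
    print(handle_donation({"payment_token": "tok_abc123def456ghi789", "amount": "25.00"}))
    print(handle_donation({"payment_token": "tok_abc123def456ghi789", "amount": "25.00",
                           "notes": "my card is 5555 5555 5555 4444"}))
```

Two caveats. With a true iFrame setup the card fields do not exist on your page at all, so this guard is defence in depth for Direct Post forms, where a JavaScript failure can fall back to posting the fields to the site. And Luhn passes about one in ten random digit strings, so use it to reject and redact, never as proof that a value is a card number; the same `redact_pans` belongs in front of your log writer for the same reason.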
18. But don't totally avoid it...
Some of these things are worth doing.
PCI standards encourage useful habits
➔ Some of the policies are a good idea anyway.
Don't sacrifice user experience
➔ Don't outsource to a platform your users will hate. That may cost you more than compliance.
19. Some helpful Drupal references
Some references worth reading
The main resource:
➔ DrupalPCICompliance.org
Services/Modules to look into:
➔ iATS Payments (Direct Post Method)
➔ HostedPCI
➔ BrainTree/PayPal
➔ Authorize.net (Direct Post Method)
➔ Stripe
20. Resources from iATS
• White paper: Credit Card Fraud Prevention in Nonprofits
• Infographic: Credit Card Fraud: How it impacts nonprofits
• Infographic: Why PCI-DSS Compliance is a must have
22. Q: If I only accept credit cards over the phone, does PCI still apply to me?
• Q: Do organizations using third-party processors have to be PCI compliant?
• Q: Are debit card transactions in scope for PCI?
• Q: What are the penalties for noncompliance?
• Q: What is a vulnerability scan?
• Q: What if a merchant refuses to cooperate?