Don't Get Hacked! Know the Risks of Accepting Credit Cards

Don’t Get Hacked!
Know the Risks Associated with Accepting Credit Cards
Maaria Seider, CISA, QSA
314.983.1384
mseider@bswllc.com
Michael Springer, GPEN
314.983.1374
mspringer@bswllc.com
Janet Ramey, CPA
636.754.0231
jramey@bswllc.com

February 20, 2014

Welcome to our quarterly
Non Profit Organization
Speaker Series Event!
Today’s topic:

Understanding the
Risks Associated with
Accepting Credit Cards

2

CPE Credit
In order to receive CPE credit for this session,
please:
• Ensure you signed the sign-in sheet.
• Complete an event evaluation form.
– You may fill out a hard copy and turn it in before
you leave.
– Complete the e-version via email.

© 2014 All Rights Reserved
Brown Smith Wallace LLC

3

Today’s Guest Speakers
Maaria Seider, CISA, QSA
• Maaria is a Manager in the Brown
Smith Wallace Advisory Services
practice.
• She provides consulting and
compliance services related to
client requirements to comply
with payment card industry (PCI)
standards.
• Maaria serves as the awards chair
for the Institute of Internal
Auditors (IIA).


4

Today’s Guest Speakers
Michael Springer, CEH, GPEN
• Michael is a Senior in the Brown
Smith Wallace Information Security &
Privacy practice.
• He provides consulting and
assessment security services related
to technical reviews and ethical
hacking, as required by PCI.
• He holds industry certifications of
CEH – Certified Ethical Hacker – and
GPEN – GIAC Certified Penetration
Tester.


5

Trends in NPO Fundraising
Since 2008, less than 50% of charitable organizations saw an increase in any
form of fundraising/giving, aside from online.

Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/

7


Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/


8

Where is the money coming from?
• Online donations
• Events
– Galas
– Trivia Nights
• Contributions & Services Fee Payments
– Cash
– Check
– Credit Card


9

How is the money being collected?
Know the risks!
•

Hard copy of credit card data
– Who is handling it?
– Where is it being stored? (paper copy,
excel sheet, etc.)
– Is it secured?
– How is it disposed?

•

•

Organizations should have a clear
understanding of who is handling credit
card data, access to data, and security
Credit card data should be disposed once
it’s no longer needed either by purging
the file or using a crosscut shredder

Image source: http://www.digitaltrends.com/wp-content/uploads/2011/05/Square-iPhone-Credit-Card-Reader.jpg

10

Know the risks!
•

Third party processing
– Are you using a secure website to collect donations?
– Are they PCI compliant?


11

Know the risks!
•

Portable terminals
– Encryption?
– Secure networks?
– Are you storing credit card information in
spreadsheets?


12

• Mobile
– Square
– Text message donations

Image source: http://creditcardforum.com/blog/warning-credit-card-numbers-are-being-stolen-via-text-message/


13

• To consider when thinking of mobile:
– Does it prevent data from being intercepted when being swiped,
processed or stored, and transmitted?
– What kind of device is being used?
• Jailbroken, disabled for anything unneeded, device tracking if stolen
• Use the PCI Council website to see if your device is listed as a validated Point-toPoint Encryption (P2PE) solution
• These solutions have been validated that data is encrypted before it enters a
mobile devices
• Solution providers will typically provide a card reader that works with the mobile
device


14

If they can be hacked…

…so can you!

Image source: http://cdn.iphonehacks.com/wp-content/uploads/2013/11/Target-logo.gif
http://www.theshelbyreport.com/wp-content/uploads/2013/05/schnucks.jpg
http://www.livefreecoupons.com/uploadfile/logo/neimanmarcus.jpg
15

Global Card Fraud Losses ($Billions)


16

Compliance Snapshot


17

What are Payment
Card Industry (PCI)
Data Security
Standards?

18

PCI DSS Definition

The PCI Data Security Standard provides an
actionable framework for developing a robust
payment card data security process -- including
prevention, detection and appropriate reaction
to security incidents.
From the PCI Security Standards Council


19

Who does PCI apply to?
• All entities involved in payment card processing:
–
–
–
–

Merchants
Processors
Financial institutions
Basically anyone who handles credit card information (store, process,
or transmit)

© 2014 All Rights Reserved Brown
Smith Wallace LLC

20

What are the PCI Data Security Standards?

There are 6 categories of requirements that provide a baseline of
technical and operational requirements to protect cardholder
data:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

Smith Wallace LLC

21


Cardholder v. Sensitive Authentication Data
Account Data
• Cardholder Data includes:
–
–
–
–

Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code

• Sensitive Authentication Data includes:
– Full track data (magnetic-stripe data or equivalent on a chip)
– CAV2/CVC2/CVV2/CID
– PINs/PIN blocks

22


4 Levels of Merchant Compliance
1.
2.
3.

Any merchant -- regardless of acceptance channel -- processing over
6M transactions per year.
Any merchant -- regardless of acceptance channel -- processing 1M
to 6M transactions per year.
Any merchant processing 20,000 to 1M e-commerce transactions per
year.

Smith Wallace LLC

23


4.

Any merchant processing fewer than 20,000 Visa e-commerce
transactions per year, and all other merchants -- regardless of
acceptance channel -- processing up to 1M Visa transactions per
year.
Most of you in this room will fall into this category.

Smith Wallace LLC

24

Myths About PCI Compliance

Smith Wallace LLC

25

Level 4 Merchant Guidelines
• An annual self-assessment
questionnaire (SAQ)
recommended
• ASV (approved scanning vendor)
quarterly scans if applicable
– Organizations approved by the
PCI Council to perform quarterly
vulnerability scans as it relates to
PCI DSS.

• Compliance is set by merchant
bank
– Your bank sets compliance of
whether they want a SAQ filled
out and scans.
Smith Wallace LLC

26

Top 5 PCI Risks
1. Credit Card Breach
–

•

•

This can cause an array of
problems for an organization:
bad press, expensive fines,
remediation, loss of donors

Knowing your credit card
environment, where your data is
kept, and vendors are steps in
preventing this
Filling out a SAQ helps keep
organizations aware of where this
data is kept and the guidelines to
secure it

Smith Wallace LLC

Image source: http://www.safetynet-inc.com/wp-content/uploads/credit-card-breach.jpg

28

Top 5 PCI Risks
2. Reputation/Brand Damage
–

–

–

No one wants bad press,
especially related to a credit
card breach
With the recent breaches,
consumers are more aware
and more weary of sharing
their credit card information
By ensuring your
employees/volunteers are
trained to securely handle
credit card data and by
adhering to PCI you can help
protect your organization

Smith Wallace LLC

Image source: http://www.indianasnewscenter.com/news/top-news/239627491.html

29

Top 5 PCI Risks
3. Donor Loss
–

–

If donors do not feel secure
about the collection method
they are less likely to donate
Bad press/breaches

Smith Wallace LLC

30

Top 5 PCI Risks
4. Litigation
Expenses/Recovery
–

Recovering from a data
breach is expensive!
•
•
•
•

Consumers
Payment Brands
Legal /Consulting fees
Governmental
Image source: http://www.stoelrivesworldofemployment.com/amy-joseph-pedersen.html

Smith Wallace LLC

31

Top 5 PCI Risks
5. Vendor Management
–
–
–

–

Know your vendors!
Give access only when/as
needed
Have an understanding of
what they have access too on
your systems
If they handle credit cards,
make sure they are PCI
Compliant

Smith Wallace LLC

32

PCI in the Future: Chip and Pin
• Credit and debit cards will be
embedded with a “chip” that
stores card information
(name, number, expiration)
• Point of sales machines read the chips vs. swiping and signing
using the magnetic strip
• Currently in use in Europe and Canada
• October 2015- MasterCard and Visa set deadline after which
they will no longer accept liability for fraudulent activity using
the magnetic strip, which means…

33

YOU ARE RESPONSIBLE!


34

Chip and Pin Readiness
• Investing in upgrading point of sales terminals to accept chip
and pin ($200-$2,000)
• Make sure third-party processors are compliant


35

If you enjoyed today…
Keep an eye on your email for
information on our next
NPO Speaker Series.
The event will be held in the next
few months.

37

Connect

Visit our website, follow Brown Smith Wallace on LinkedIn and
Twitter or Like us on Facebook!

6 CityPlace Drive, Suite 900│ St. Louis, Missouri 63141 │ 314.983.1200
1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.659.7231
1.888.279.2792 │ www.bswllc.com


38

Don't Get Hacked! Know the Risks of Accepting Credit Cards

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Don't Get Hacked! Know the Risks of Accepting Credit Cards

Similar to Don't Get Hacked! Know the Risks of Accepting Credit Cards (20)

More from Brown Smith Wallace

More from Brown Smith Wallace (20)

Recently uploaded

Recently uploaded (20)

Don't Get Hacked! Know the Risks of Accepting Credit Cards