Don't Get Hacked! Know the Risks of Accepting Credit Cards
DESCRIPTION
Fundraising is the lifeblood of any not-for-profit organization. Advances in technology have made collecting contributions via credit card easier than ever for NPOs. Tools like Square offer simple solutions to help organizations of all sizes collect funds. But are you compromising security for convenience? This presentation addresses how NPOs can prepare a secure environment for accepting donations before the gala and special events season starts.
TRANSCRIPT
Don’t Get Hacked! Know the Risks Associated with Accepting Credit Cards
February 20, 2014
Maaria Seider, CISA, QSA │ 314.983.1384 │ [email protected]
Michael Springer, GPEN │ 314.983.1374 │ [email protected]
Janet Ramey, CPA │ 636.754.0231 │ [email protected]
Welcome to our quarterly Non Profit Organization Speaker Series Event!
Today’s topic:
Understanding the Risks Associated with Accepting Credit Cards
© 2014 All Rights Reserved Brown Smith Wallace LLC 3
CPE Credit
In order to receive CPE credit for this session, please:
• Ensure you signed the sign-in sheet.
• Complete an event evaluation form.
–You may fill out a hard copy and turn it in before you leave.
–Complete the e-version via email.
Today’s Guest Speakers
Maaria Seider, CISA, QSA
• Maaria is a Manager in the Brown Smith Wallace Advisory Services practice.
• She provides consulting and compliance services to clients that must comply with Payment Card Industry (PCI) standards.
• Maaria serves as the awards chair for the Institute of Internal Auditors (IIA).
Today’s Guest Speakers
Michael Springer, CEH, GPEN
• Michael is a Senior in the Brown Smith Wallace Information Security & Privacy practice.
• He provides security consulting and assessment services, including the technical reviews and ethical hacking (penetration testing) that PCI requires.
• He holds industry certifications of CEH – Certified Ethical Hacker – and GPEN – GIAC Certified Penetration Tester.
Trends in NPO Fundraising
Since 2008, fewer than 50% of charitable organizations have seen an increase in any form of fundraising/giving other than online giving.
Trends in NPO Fundraising
Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/
Trends in NPO Fundraising
Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/
Where is the money coming from?
• Online donations
• Events
– Galas
– Trivia Nights
• Contributions & Service Fee Payments
– Cash
– Check
– Credit Card
Trends in NPO Fundraising
How is the money being collected?
Know the risks!
• Hard copy of credit card data
– Who is handling it?
– Where is it being stored? (paper copy, Excel sheet, etc.)
– Is it secured?
– How is it disposed of?
• Organizations should have a clear understanding of who handles credit card data, who has access to it, and how it is secured
• Credit card data should be disposed of as soon as it is no longer needed, by purging the file or cross-cut shredding the paper copy
Image source: http://www.digitaltrends.com/wp-content/uploads/2011/05/Square-iPhone-Credit-Card-Reader.jpg
Trends in NPO Fundraising
How is the money being collected?
Know the risks!
• Third party processing
– Are you using a secure (HTTPS) website to collect donations?
– Is the processor PCI DSS compliant? Ask for its current Attestation of Compliance (AOC)
Trends in NPO Fundraising
How is the money being collected?
Know the risks!
• Portable terminals
– Is the card data encrypted at the reader and in transit?
– Does the terminal connect over a secure network, not open public Wi-Fi?
– Are you storing credit card information in spreadsheets?
Trends in NPO Fundraising
How is the money being collected?
• Mobile – Square
– Text message donations
Trends in NPO Fundraising
Image source: http://creditcardforum.com/blog/warning-credit-card-numbers-are-being-stolen-via-text-message/
How is the money being collected?
• Things to consider with mobile acceptance:
– Does the solution prevent card data from being intercepted while it is swiped, processed or stored, and transmitted?
– What kind of device is being used?
• Is it jailbroken? Is everything unneeded disabled? Can the device be tracked if it is stolen?
• Use the PCI Council website to check whether your solution is listed as a validated Point-to-Point Encryption (P2PE) solution
• P2PE validation means the card data is encrypted inside the card reader before it enters the mobile device, so the phone or tablet never handles the clear card number
• Solution providers typically supply a card reader that works with the mobile device
Trends in NPO Fundraising
If they can be hacked…
…so can you!
Image sources (Target, Schnucks and Neiman Marcus logos): http://cdn.iphonehacks.com/wp-content/uploads/2013/11/Target-logo.gif http://www.theshelbyreport.com/wp-content/uploads/2013/05/schnucks.jpg http://www.livefreecoupons.com/uploadfile/logo/neimanmarcus.jpg
Global Card Fraud Losses ($Billions)
Compliance Snapshot
What are the Payment Card Industry (PCI) Data Security Standards?
PCI DSS Definition
The PCI Data Security Standard provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.
From the PCI Security Standards Council
Who does PCI apply to?
• All entities involved in payment card processing:
– Merchants
– Processors
– Financial institutions
– Basically anyone who stores, processes, or transmits cardholder data
What are the PCI Data Security Standards?
The 12 PCI DSS requirements are grouped into 6 goals that provide a baseline of technical and operational requirements to protect cardholder data:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
What are the PCI Data Security Standards?
Cardholder Data v. Sensitive Authentication Data
Account Data consists of:
• Cardholder Data:
– Primary Account Number (PAN)
– Cardholder Name
– Expiration Date
– Service Code
• Sensitive Authentication Data (SAD):
– Full track data (magnetic-stripe data or equivalent on a chip)
– CAV2/CVC2/CVV2/CID
– PINs/PIN blocks
• Cardholder data may be stored only if it is protected (the PAN rendered unreadable wherever it is kept); sensitive authentication data must never be stored after authorization, even if encrypted
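The distinction above only matters if you can find where card data is actually sitting. Here is an added example (not code from the presentation or from Brown Smith Wallace) of the kind of check that supports the "where is it being stored?" question from the earlier slides: a small Python script that scans an exported spreadsheet for stored PANs, uses the Luhn check to separate card numbers from order numbers and phone numbers, masks anything it finds to first six/last four, and flags header columns that suggest sensitive authentication data. The sample rows are constructed and use published test card numbers, not real accounts; the column names and CSV layout are assumptions.

```python
"""
PAN discovery for files an NPO might be keeping: CSV exports of gala or pledge
spreadsheets. Added example, not from the presentation. It finds stored PANs
with a Luhn check, masks them for reporting, and flags column names that point
at sensitive authentication data. The sample rows are constructed and use
well-known public test card numbers, not real accounts.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Column names that suggest sensitive authentication data (SAD), which PCI DSS
# forbids storing after authorization even if encrypted.
SAD_HEADER = re.compile(r"\b(cvv2?|cvc2?|cav2|cid|pin|track[12]?)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS display masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def brand_hint(pan: str) -> str:
    """Rough brand guess from the leading digits (heuristic, for triage only)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(pan[:2]) <= 55:
        return "Mastercard"
    return "unknown"


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    brand: str


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN candidate; never the clear PAN."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(line_no, mask_pan(digits), brand_hint(digits)))
    return findings


def sad_columns(header_line: str) -> List[str]:
    """Column names in a CSV header that look like SAD (CVV, PIN, track data)."""
    return [col.strip() for col in header_line.split(",") if SAD_HEADER.search(col)]


# Constructed sample: what a gala sign-up sheet exported from Excel might look like.
SAMPLE_GALA_EXPORT = """\
donor,pledge,card_number,exp,cvv,notes
A. Donor,250.00,4111 1111 1111 1111,12/15,123,table 4
B. Donor,500.00,5555-5555-5555-4444,03/16,456,
C. Donor,100.00,378282246310005,,,phone 314.983.1384
D. Donor,75.00,,,,order ref 1234567890123456 (fails Luhn so it is not reported)
"""

if __name__ == "__main__":
    rows = SAMPLE_GALA_EXPORT.splitlines()
    for col in sad_columns(rows[0]):
        print(f"column '{col}' looks like sensitive authentication data: must not be stored")
    for f in scan_lines(rows):
        print(f"line {f.line_no}: {f.brand} PAN {f.masked_pan}")
```

Run it over CSV exports of any spreadsheet volunteers used at events. A Luhn-valid hit means cardholder data is being stored somewhere the SAQ has to account for, and a CVV or PIN column means sensitive authentication data is being kept, which is never permitted after authorization. The Luhn check is a filter, not proof: a random 16-digit order number passes it one time in ten, so review hits by hand before acting on them.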
What are the PCI Data Security Standards?
4 Levels of Merchant Compliance
1. Any merchant -- regardless of acceptance channel -- processing over 6M transactions per year.
2. Any merchant -- regardless of acceptance channel -- processing 1M to 6M transactions per year.
3. Any merchant processing 20,000 to 1M e-commerce transactions per year.
4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.
Most of you in this room will fall into this category.
Myths About PCI Compliance
Level 4 Merchant Guidelines
• An annual Self-Assessment Questionnaire (SAQ) is recommended
• Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), if applicable
– ASVs are organizations approved by the PCI Council to perform the quarterly external vulnerability scans that PCI DSS requires (Requirement 11.2)
• Validation requirements are set by your merchant (acquiring) bank
– Your bank decides whether it wants an SAQ completed and scans performed
PCI Risks for NPOs
Top 5 PCI Risks
Image source: http://www.safetynet-inc.com/wp-content/uploads/credit-card-breach.jpg
1. Credit Card Breach – This can cause an array of problems for an organization: bad press, expensive fines, remediation costs, loss of donors
• Knowing your credit card environment, where your data is kept, and which vendors touch it are the first steps in preventing a breach
• Filling out an SAQ helps keep the organization aware of where this data is kept and of the guidelines for securing it
Top 5 PCI Risks
Image source: http://www.indianasnewscenter.com/news/top-news/239627491.html
2. Reputation/Brand Damage – No one wants bad press, especially related to a credit card breach
– With the recent breaches, consumers are more aware and more wary of sharing their credit card information
– Ensuring your employees and volunteers are trained to handle credit card data securely, and adhering to PCI DSS, helps protect your organization
Top 5 PCI Risks
3. Donor Loss – If donors do not feel secure about the collection method, they are less likely to donate
– Bad press/breaches
Top 5 PCI Risks
Image source: http://www.stoelrivesworldofemployment.com/amy-joseph-pedersen.html
4. Litigation Expenses/Recovery – Recovering from a data breach is expensive!
• Consumers
• Payment Brands
• Legal/Consulting fees
• Governmental
Top 5 PCI Risks
5. Vendor Management – Know your vendors!
– Give access only when and as needed
– Understand what they have access to on your systems
– If they handle credit cards, make sure they are PCI DSS compliant
PCI in the Future: Chip and PIN
• Credit and debit cards will be embedded with a “chip” that stores card information (name, number, expiration)
• Point of sale terminals read the chip instead of swiping the magnetic stripe and signing
• Already in use in Europe and Canada
• October 2015 - MasterCard and Visa set a deadline after which liability for fraud on a magnetic-stripe transaction shifts to the party that has not adopted chip technology (for a swiped card at a non-chip terminal, the merchant), which means…
YOU ARE RESPONSIBLE!
Chip and PIN Readiness
• Invest in upgrading point of sale terminals to accept chip cards ($200-$2,000)
• Make sure third-party processors are compliant
Questions?
If you enjoyed today… Keep an eye on your email for information on our next NPO Speaker Series.
The event will be held in the next few months.
Visit our website, follow Brown Smith Wallace on LinkedIn and Twitter or Like us on Facebook!
Connect
6 CityPlace Drive, Suite 900│ St. Louis, Missouri 63141 │ 314.983.1200
1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.659.7231
1.888.279.2792 │ www.bswllc.com