PCI compliance: protecting your donors and your organization.
Nonprofit organizations have become increasingly concerned about data security, and with cause. It was recently reported that a major public institution discovered three security breaches since late April. Credit card numbers, tax forms and Social Security numbers were among the data exposed to intruders. Prior to that, the Washington Post went so far as to call 2005 "the year of the data breach."
According to the Privacy Rights Clearinghouse, universities nationwide have accounted for nearly 50 percent of computer data theft since February 2005. Perhaps that is why the recent EDUCAUSE Current IT Issues Survey Report for 2006 determined that "Security and Identity Management" has topped the list for the first time as the number one IT-related issue of strategic importance to the participating institutions.
In addition, the report found that "Security and Identity Management" is also the number one issue expected to become even more significant next year.
With recent hacking, data theft and fraud affecting nonprofits, industry professionals have every right to be concerned. But what many nonprofit organizations don't know is that PCI (Payment Card Industry) compliance provides the necessary, and required, protection for donor credit card information captured online and/or stored by a nonprofit. In fact, organizations should insist that they or their fundraising software vendor be PCI compliant.
Understanding PCI Compliance
As consumers have become more comfortable with using credit and debit cards online, nonprofits are focusing more efforts and resources on engaging supporters via the Web and encouraging online donations.
While the growth and success of online giving has been instrumental in helping nonprofits achieve their missions, the responsibility surrounding the capture, transmittal, storage, processing and security of the credit card and personal information needed to make a contribution has increased dramatically for nonprofits. Security breaches have been rampant in both nonprofit and commercial environments, which has led to the development of industry standards for the protection of cardholder data.
The Payment Card Industry Data Security Standard (PCI DSS) is the result of a collaboration between MasterCard and Visa to create common industry security requirements. All credit card companies in the United States have endorsed the guidelines of this standard. Any entity that stores, processes, transmits or comes into contact with cardholder data has been required to attain PCI compliance as early as June 30, 2004.
The PCI Data Security Standard consists of 12 basic requirements:
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain security systems and applications
Implement strong access control measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and procedures
Maintain an information security policy
12. Maintain a policy that addresses information security
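Requirements 3 and 10 are the ones that most often catch organizations that believed they were compliant: a donation form, a debug log or a database export that holds a full primary account number (PAN) pulls that system into scope, whether or not anyone meant to store it. The following is an added example, not code from this article or from any vendor it names, of the kind of check a practitioner runs over logs or exports to find inadvertently stored PANs and mask them to the last four digits. It assumes plain-text lines in the constructed format shown (the sample lines, including the well-known published brand test numbers, are made up for the example) and uses the Luhn mod-10 check, which every major brand's card numbers satisfy, to separate card numbers from timestamps, order numbers and reference IDs.

```python
import re

# Constructed sample lines standing in for an application log or a database export
# that a donation site might keep. The card numbers are the published brand test numbers.
SAMPLE_LINES = [
    "2006-05-01 10:02:13 donation_id=18842 amount=50.00 card=4111 1111 1111 1111 exp=0908",  # Visa test PAN
    "2006-05-01 10:05:41 donation_id=18843 amount=25.00 card=378282246310005 exp=1107",      # Amex test PAN
    "2006-05-01 10:07:09 donation_id=18844 amount=10.00 card=4111111111111112",              # fails Luhn, not a PAN
    "2006-05-01 10:09:55 donation_id=18845 amount=100.00 ref=200605010009551234567890",     # 24-digit reference, too long
    "2006-05-01 10:11:00 donation_id=18846 amount=75.00 card=****1111 token=tok_8f3a",       # already masked
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, not adjacent to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every major brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most conservative display form."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _pan_digits(match_text: str):
    """Return the bare digits if the candidate looks like a PAN, else None."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def scan_lines(lines):
    """Report every Luhn-valid PAN found, by line number, without echoing the full number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = _pan_digits(m.group(0))
            if digits is not None:
                findings.append({"line": lineno, "masked": mask_pan(digits), "length": len(digits)})
    return findings


def redact(line: str) -> str:
    """Replace each Luhn-valid PAN in a line with its masked form; leave other numbers alone."""
    def repl(m):
        digits = _pan_digits(m.group(0))
        return mask_pan(digits) if digits is not None else m.group(0)
    return CANDIDATE_RE.sub(repl, line)


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['length']}-digit PAN stored, masked form {f['masked']}")
    for line in SAMPLE_LINES:
        print(redact(line))
```

Two caveats apply to a scan like this. Luhn validity is a filter, not proof, so a hit is a finding to investigate rather than a verdict, and a mistyped card number will slip past it. More importantly, finding and masking stored PANs is cleanup; the requirement is met by not writing full card numbers to logs or long-term storage in the first place, and by handing the capture and storage to a provider that is validated for it.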
The 12-point PCI data security standard also requires that organizations provide proof of compliance annually and submit network scans performed by an independent vendor on a quarterly basis. Visa and MasterCard regulations contain more than 200 sub-regulations that organizations must meet as part of the 12 categories listed above.
PCI compliance applies to software, infrastructure and networks, physical access, business processes and documentation. In addition, organizations face the possibility of severe fines and penalties of up to six figures per non-compliance incident. For example, the Visa PCI program maintains that members can be fined up to $500,000 per incident if any of their merchants or service providers that are not PCI compliant are compromised.
Four merchant validation categories have been outlined:
1. Merchants with more than 6 million transactions per year (all channels);
2. Merchants with between 1 million and 6 million transactions per year (all channels);
3. Merchants with between 20,000 and 150,000 e-commerce transactions per year;
4. Merchants with fewer than 20,000 e-commerce transactions who process fewer than 1 million transactions (all channels) per year.
All organizations that accept credit or debit cards from the top four major card industry providers--American Express, Discover, MasterCard and Visa--must meet PCI standards. Not a legal regulation, PCI compliance is a contractual obligation with the credit card companies.
Fortunately, many nonprofits rely on third-party vendors for their database, Web site, e-commerce and credit card processing needs. Delivering these services means the providers store, process, transmit or otherwise come into contact with donor credit card information. Unfortunately, however, many nonprofits have not ensured that they are working with PCI compliant vendors throughout the transaction cycle.
For example, organizations that accept online donations via their Web site assume they are meeting PCI compliance requirements by transmitting credit card data to a transaction processing vendor, such as VeriSign. This does not mean, however, that nonprofits are protected during the capture of data on their Web site or during the storage of credit card data within their Web site. Nonprofits must ensure that they are working with PCI compliant vendors throughout the transaction cycle, from the point of data capture through the long-term storage of the information, to provide optimum protection to their donors.
Chase Paymentech, a leading payment processing company that processed more than $500 billion in transactions during 2005 and provides payment processing services to more than half of all Internet retailers and service providers, has this to say to nonprofits: "Experience has proven that smaller merchants are just as much at risk of a data security breach--if not more so--than larger merchants," said Michael L. Herman, chief compliance officer at Chase Paymentech. "Compliance with the PCI Data Security Standards is required by all merchants to protect all stakeholders in the electronic payment systems."
PCI compliance can give nonprofits the peace of mind that comes from shielding contributors from identity fraud and theft, help them maintain a positive reputation for safeguarding sensitive information, minimize risk, and contribute to increased consumer confidence in donating online.
Nonprofits that do not use PCI compliant vendors can expect to have to institute the required data security standards internally or to convert to PCI compliant providers. Another option for nonprofits partnering with both compliant and non-compliant vendors is to use an existing PCI compliant provider for the entire transaction cycle. This way the vendor bears the expense of PCI compliance and amortizes it across an extensive client base, rather than the organization carrying that cost alone while working directly with a merchant processor. Nonprofits choosing to partner with a PCI compliant vendor should ask to see the vendor's compliance certificate as proof of fulfillment of requirements, and should check that its date and scope cover the specific services the nonprofit uses, since a vendor's validation applies only to the systems that were actually assessed.
In a world where security breaches, data theft and identity fraud have become more commonplace, PCI compliance protects both nonprofit organizations and donors by putting the necessary security measures in place to protect sensitive cardholder data. Partnering with one or more PCI compliant providers throughout the transaction cycle ensures that donor information is protected from the point of data capture through data storage, and gives donors the peace of mind of knowing their financial contribution is safe and secure.
Steve Klein is senior vice president of business development for Kintera in San Diego. His email is firstname.lastname@example.org