Improve Your Not-for-Profit's Credit Card and Data Security (article)
The ability to accept and protect credit cards is essential for all entities, including not-for-profit organizations. From ticket sales to donations, book and gift stores, dining halls, food sales and the bursar’s office, there is no escape from the use of payment cards.
With this convenience comes concern. Data breaches are common in today’s environment. Security Affairs’ Data Breach Quickview found that 19 percent of the data breaches in 2015 occurred in the government and not-for-profit sector and 8 percent hit the educational sector.
The costs of just one attack can be staggering. Data breaches involving credit cards may include fines levied by Visa, MasterCard or other payment brands that are usually passed along to the breached organization. There are also costs associated with the forensic investigation used to determine the source of the breach, the nature of the information stolen, the number of cards involved and the extent of the compromised servers. In addition, the organization often must cover costs associated with reissuing cards and repaying the actual losses. Finally, there are the costs of remediation work, such as rebuilding compromised servers, working with law enforcement agencies and submitting to the credit card issuer a detailed plan for fixing the security problem. These direct costs do not include damage to a not-for-profit’s reputation or donors’ trust.
What can colleges and universities, cultural institutions and other not-for-profit organizations do to protect themselves and the information of their constituents? Fortunately, they can do a lot.
Organizations Can Protect Themselves
Organizations that accept credit cards are permitted to store certain types of data, including the cardholder’s name, address, ZIP code and the card’s expiration date. Storing sensitive authentication data, meaning the CVC2/CVV2/CID security code, the full contents of the magnetic stripe (track data) and the customer’s PIN or PIN block, is prohibited.
The best way to protect consumer cardholder data is simply not to store them. However, if you absolutely need to store the data, then the Payment Card Industry Data Security Standard (PCI DSS) provides the safeguards that you need to put in place to protect that data. PCI DSS was developed as an outgrowth of data security efforts by Visa’s Cardholder Information Security Program and MasterCard’s Site Data Protection Plan and embraced by American Express, Discover Card Services and the Japan Credit Bureau.
As a result, all merchants that process, store or transmit cardholder data – including nearly all colleges and universities, cultural institutions and other not-for-profit organizations – must comply with the standard.
Not-for-Profits Should be Familiar with the Standard
The individual card brands require that many service providers and large merchants undergo an annual payment card industry (PCI) assessment conducted by a PCI Security Standards Council-approved Qualified Security Assessor (QSA) in order to demonstrate they are compliant with PCI DSS. Large service providers and merchants also must submit to quarterly network vulnerability scanning and penetration testing.
What constitutes a large merchant or service provider depends upon the number of payment card transactions the organization processes and whether the organization has ever been the victim of a data breach involving credit card information. Visa places the most stringent PCI DSS requirements on merchants that process more than 6 million Visa transactions per year and service providers that process more than 300,000 transactions per year.
Organizations that handle a smaller number of payment card transactions must still comply with the PCI DSS, but they can perform and submit the results of an annual self-assessment that demonstrates their current state of compliance. Self-assessments must meet the standard. It is important to note that the assessment is a “point in time” assessment that must be performed every year.
Credit card companies and sponsoring banks will hold organizations accountable for the information provided in the self-assessment in the event of a breach. Those that fail to meet the standards can be fined for non-compliance, may be subject to increased processing fees and can even have their ability to accept credit card payments revoked.
Organizations Can Focus on the Six Control Objectives
Whether you are subject to external reviews or conducting a self-assessment, your organization should ensure its PCI policies address the following six control objectives:
1. Build and maintain a secure network
Organizations must install and maintain an effective firewall configuration that protects internal servers against direct access from the Internet. This often involves employing separate servers for credit card transaction processing and segregating them from other servers by a firewall. In essence, network segmentation shrinks the security footprint so organizations have fewer credit card servers to protect from exposure. Implementing hardening standards for servers, such as changing default passwords and other security parameters for all systems that interface with credit cards, is also required.
Your not-for-profit should also be sure to change the vendor-supplied default passwords because hackers may know them; default system passwords may be discoverable through a Google search.
2. Protect Cardholder Data
PCI DSS will help protect stored cardholder data, but compliance does not guarantee that you will never experience a security breach. It is critical to make sure that if the worst happens, no sensitive data are compromised. There are three measures that achieve this. First, ensure that sensitive authentication data, such as the CVV, CVC and CID codes, are never stored after the transaction is authorized. Second, do not store the contents of the magnetic stripe on the back of the card, as this data could be used to create a counterfeit card. Finally, ensure that card numbers are always stored so that they are unreadable by an intruder. This can be achieved by encrypting and masking stored card numbers.
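The following is an added Python example, not code from the original article or from CBIZ, showing what the three measures look like in a payment-handling application: it refuses to persist sensitive authentication data, stores only a masked form of the card number (PCI DSS permits at most the first six and last four digits to be displayed) and replaces the full number with a keyed one-way token for record matching. The field names, the sample transaction and the HMAC key are constructed for illustration; a real deployment would keep the key in a hardware security module or key-management service and would encrypt any full card number it must retain with strong cryptography such as AES-GCM, which is not shown here.

```python
import hashlib
import hmac
import re

# Sensitive authentication data that PCI DSS prohibits storing after authorization.
# Field names are assumptions for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc2", "cid", "track1", "track2", "magstripe", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check that every payment card number must satisfy."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2 if i % 2 == 1 else d
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits readable; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to mask safely")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256) so records can be matched to a card without storing the number.
    The key must never be stored alongside the tokens."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(txn: dict, key: bytes) -> dict:
    """Return a copy of a transaction that is safe to persist:
    prohibited fields are dropped and the raw PAN is replaced by a mask plus a token."""
    digits = re.sub(r"\D", "", txn["pan"])
    if not luhn_valid(digits):
        raise ValueError("invalid card number")
    record = {k: v for k, v in txn.items() if k.lower() not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    record["pan_masked"] = mask_pan(digits)
    record["pan_token"] = tokenize_pan(digits, key)
    return record


def audit_record(record: dict) -> list:
    """Flag prohibited fields or an unmasked card number in a stored record. Empty list means clean."""
    findings = []
    for field, value in record.items():
        if field.lower() in SENSITIVE_AUTH_FIELDS:
            findings.append((field, "prohibited field"))
        if field == "pan_token" or not isinstance(value, str):
            continue            # the token is a hex digest, not card data
        for run in re.findall(r"\d{13,19}", re.sub(r"[ -]", "", value)):
            if luhn_valid(run):
                findings.append((field, "unmasked PAN"))
                break
    return findings


# Constructed sample transaction; the card number is the well-known Visa test number.
SAMPLE_TXN = {
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "track2": "4111111111111111=2712101",
    "name": "A. Donor",
    "zip": "10001",
    "expiry": "12/27",
    "amount": "25.00",
}
DEMO_KEY = b"constructed-demo-key-do-not-use"

if __name__ == "__main__":
    print("raw record findings:", audit_record(SAMPLE_TXN))
    safe = prepare_for_storage(SAMPLE_TXN, DEMO_KEY)
    print("stored record:", safe)
    print("stored record findings:", audit_record(safe))
```

Running the file shows the raw transaction tripping the audit on the CVV, the track data and the full card number, while the prepared record passes with only the masked number, the token and the permitted name, ZIP and expiry fields. `audit_record` is the kind of check worth running against database dumps and log files, since card numbers most often leak into places nobody intended to store them.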
3. Maintain a Vulnerability Management Program
Not-for-profits should use and regularly update antivirus software and vendor supplied security patches. They should also only use systems that have been rigorously tested prior to deployment.
4. Implement Strong Access Control Measures
Not-for-profits must restrict access to cardholder data and only allow persons with a business need to access the systems processing, storing or transmitting card transactions. It is necessary to assign a unique user ID to each person with access to the above systems in order to establish an audit trail for a forensic investigation in case the worst should occur.
5. Regularly Monitor and Test Networks
Access to network resources and cardholder data must be tracked by a unique user ID. Security systems and processes also must be tested regularly. This includes quarterly network vulnerability scanning and penetration testing.
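Control objectives 4 and 5 both depend on every access to a cardholder-data system being attributable to one person. The following added Python example, which is not part of the original article, reviews a constructed access log in a simple key=value format and flags the conditions an assessor looks for: events with no user ID, activity under generic or shared accounts, and repeated failed logins. The log format, host names, account names and the list of generic accounts are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Accounts not tied to a single person; the list is an assumption for this example.
GENERIC_ACCOUNTS = {"admin", "root", "shared", "cashier", "guest"}
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample log lines from two hosts inside the cardholder-data environment.
SAMPLE_LOG = """\
2016-03-01T10:15:02Z host=pay-db01 user=jsmith action=login result=success
2016-03-01T10:16:40Z host=pay-db01 user=jsmith action=query table=transactions result=success
2016-03-01T10:20:11Z host=pay-app01 user=admin action=login result=success
2016-03-01T10:21:05Z host=pay-app01 user=admin action=export table=cards result=success
2016-03-01T11:02:00Z host=pay-db01 user=mlee action=login result=failure
2016-03-01T11:02:09Z host=pay-db01 user=mlee action=login result=failure
2016-03-01T11:02:15Z host=pay-db01 user=mlee action=login result=failure
2016-03-01T11:02:20Z host=pay-db01 user=mlee action=login result=failure
2016-03-01T11:30:33Z host=pay-db01 action=query table=transactions result=success
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = ts
    return event


def review_access_log(text: str):
    """Return (findings, per_user) where findings is a list of (timestamp, message)
    and per_user maps each user ID to the set of hosts it touched."""
    findings = []
    failures = Counter()
    per_user = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user")
        if user is None:
            # No unique user ID means no audit trail for this action.
            findings.append((ev["ts"], "event with no user ID on " + ev.get("host", "?")))
            continue
        per_user[user].add(ev.get("host"))
        if user in GENERIC_ACCOUNTS:
            findings.append((ev["ts"], f"generic account '{user}' used on {ev.get('host')}"))
        if ev.get("action") == "login" and ev.get("result") == "failure":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:
                findings.append((ev["ts"], f"{FAILED_LOGIN_THRESHOLD} failed logins for '{user}'"))
    return findings, dict(per_user)


if __name__ == "__main__":
    found, users = review_access_log(SAMPLE_LOG)
    for ts, msg in found:
        print(ts, msg)
    print("hosts per user:", users)
```

Against the sample log the reviewer reports two uses of the shared `admin` account (including an export of the card table), the third consecutive failed login for `mlee` and one query on the database host that carried no user ID at all. Each of those is a gap in the audit trail that a forensic investigation would later have to explain, which is why the standard insists on unique IDs and on monitoring them.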
6. Maintain an Information Security Policy
Finally, every organization must develop and maintain a data breach response plan, use only PCI DSS compliant service providers and ensure the organization adheres to a formal policy that addresses information security.
Compliance Can Be Challenging
To assist in your compliance efforts, consultants are available to conduct PCI assessments that show an organization precisely where it is or where it is not in compliance with PCI DSS. A third party can also provide vulnerability scanning, application penetration testing and other critical services.
By understanding areas of weakness, implementing pivotal information security practices and continually monitoring the effectiveness of these efforts, not-for-profit entities can achieve compliance. For more information, please see our webinar or contact us.
Copyright © 2016, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).