Tuesday, September 9, 2014

Security is more than locking the door


This is the second article in a series. For the first article, click here.  
 
By Dave Voris, Horizon Bank

PCI compliance levels (accompanying box)
The Data Breach Investigations Report (DBIR) found that 96 percent of record breaches involved credit card numbers/data.

Nonprofits can attain a reasonable level of security against the potential risk of a breach.

In 2006, to combat these breaches, the major credit card companies launched a security standards council to manage the evolution of security standards and requirements. For more information about the standards and materials available, click here.

The credit card association has defined four levels based on volume and provides assessment tools -- a questionnaire and vulnerability scanning -- to determine potential exposure to a breach.

Level 1: Any nonprofit, regardless of how credit cards are accepted, that processes more than 6 million Visa credit card transactions annually is required to:
  • conduct an annual on-site security audit.
  • conduct a quarterly network scan.
  • conduct an independent security assessor validation.
Level 2: Any nonprofit processing 1 million to 6 million Visa or MasterCard transactions annually is required to:
  • For Visa: complete an annual PCI self-assessment questionnaire and a quarterly network scan.
  • For MasterCard: complete an annual PCI self-assessment questionnaire and a quarterly network scan validated by the nonprofit or a qualified independent scan vendor.
Level 3: Any nonprofit processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually is required to:
  • complete an annual PCI self-assessment questionnaire and a quarterly network scan of the database validated by the nonprofit or a qualified independent scan vendor.
Level 4: Any nonprofit with fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and ALL other nonprofits processing up to 1 million Visa or MasterCard transactions per year, are required to:
  • complete an annual PCI self-assessment questionnaire and a quarterly network scan validated by the merchant or a qualified independent scan vendor.

The end of the business day used to be simpler. Merchants would protect their stores and inventory against theft by simply locking the door. And while bolting the door was a safeguard, these same storeowners were well aware that thieves might still find a way to enter and steal valuable inventory. 

Today inventory is not the only consideration -- protecting consumers’ personal data from theft is equally important. As breaches at Target, P.F. Chang’s and, most recently, Home Depot rattled shoppers’ confidence in the care of their personal data, nonprofits must be concerned about the storage and protection of valuable credit card information.

But what protection services exist for nonprofits and what is mandated by law?

Today the payment card industry (PCI) offers its Data Security Standard v2.0, which includes a password policy framework. Those issuing credit cards require all merchants -- including nonprofits -- to protect not only the card data that may be stored on an organization’s computers, but also donors’ personally identifiable information. That information is worth millions and millions of dollars to thieves on the black market, and the modern-day data criminal is very smart and tech savvy.

For nonprofits, the task is to secure the data and avert the risk of theft. While computers and web connections have given us dramatic advances in productivity and communication, they have also made it necessary for organizations to change the way they protect their assets.

While storing credit card data might make future tasks easier, it is also risky. Organizations often prefer to keep credit card information on file to issue refunds, to process additional transactions, to settle outstanding balances, as a convenience to regular donors and to process recurring payments.

What organizations fail to consider is the potential effects of a data breach, which can result in brand damage, loss of client trust, unplanned costs to upgrade and maintain computer systems, fines from regulatory entities, legal costs and business disruption while attending to the breach.

So what does a nonprofit do about this mess? The PCI offers some help (see accompanying box). It has set up a list of standards that companies and nonprofits must comply with depending on the amount of business they do.


But ultimately, it is up to companies and nonprofits themselves to put their own internal safeguards in place. Industry specialists recommend that organizations use a multi-layered approach to security against both physical intrusion and computer intrusion.
Internal policies and controls
  • Establish a security policy and train employees to follow the policy.
  • Develop a system for investigating irregularities. Consider creating a security SWAT team that includes management, IT and accounting staff.
  • Create a response plan for donors who believe their credit card information was stolen after making a contribution. Include a process for talking with the credit card company and banks and for logging those conversations.

Technical internal controls
  • Monitor access: change default logins for newly installed systems, ensure that each computer user has a unique login ID and password, and review user information to ensure all current users are valid employees or volunteers.
  • Secure the network: install and maintain a firewall configuration to protect the organization's systems, and use and regularly update anti-virus software.
  • Secure personal information: TRUSTe is an independent, nonprofit organization that enables trust-based privacy for personal information on the Internet. TRUSTe or another privacy provider can help ensure that website privacy and email policies provide protection to donors, members, volunteers and employees.
  • Protect transactions: identify and install an encryption technology to protect online transactions.
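The "monitor access" control above is the one most easily turned into a routine check. The script below is an added example, not code from the article or from Horizon Bank: it takes a constructed CSV export of local accounts and a constructed roster of current staff and volunteers, and flags enabled accounts that still carry a default name, have no named owner (a shared login), or belong to someone no longer on the roster. The column names and the list of default account names are assumptions for the example; a real review would use the export format of the system being reviewed and that vendor's documented default accounts.

```python
"""User-access review: find enabled accounts that fail the article's
'monitor access' control (default logins, shared logins, departed users)."""
import csv
import io

# Constructed sample export of local accounts (not from any real system).
# Columns: username, the person the login is issued to ("" if none), enabled flag.
SAMPLE_ACCOUNT_EXPORT = """username,owner,enabled
admin,,yes
jsmith,Jane Smith,yes
bjones,Bob Jones,yes
frontdesk,,yes
oldvol,Old Volunteer,no
"""

# Constructed current roster, as it would come from HR or the volunteer coordinator.
CURRENT_ROSTER = {"Jane Smith", "Ann Lee"}

# Account names commonly shipped as defaults. This list is an assumption for the
# example; extend it with the documented defaults of the systems actually in use.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "guest", "test", "sa"}


def parse_account_export(text):
    """Parse a 'username,owner,enabled' CSV export into a list of dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "owner": row["owner"].strip(),
            "enabled": row["enabled"].strip().lower() in ("yes", "true", "1"),
        })
    return rows


def review_accounts(accounts, roster):
    """Return {username: [reasons]} for every enabled account that needs attention."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is already neutralised; nothing to flag
        reasons = []
        if acct["username"].lower() in DEFAULT_ACCOUNT_NAMES:
            reasons.append("default or vendor account is still enabled")
        if not acct["owner"]:
            reasons.append("no named owner (shared login); assign to one person or disable")
        elif acct["owner"] not in roster:
            reasons.append(f"owner '{acct['owner']}' is not on the current roster")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


def run_review(export_text=SAMPLE_ACCOUNT_EXPORT, roster=CURRENT_ROSTER):
    """Convenience wrapper: parse the export and review it against the roster."""
    return review_accounts(parse_account_export(export_text), roster)


if __name__ == "__main__":
    for username, reasons in sorted(run_review().items()):
        print(f"{username}: " + "; ".join(reasons))
```

Run quarterly (the same cadence as the PCI network scan) with a fresh export and a fresh roster, the output is a short list to hand to IT and to whoever approves access; an empty result is the evidence that the review was done and found nothing.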

At the end of the day, it’s important to remember to be safe, or to weakly paraphrase former President Clinton’s one-liner, “It’s about security, stupid.”


Dave Voris is a vice president for Horizon Bank in Indianapolis. As a senior treasury management officer, he works closely with both middle market and small business companies from a wide variety of industries.
