Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal


Transcript of Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

Page 1: Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

Don’t let the bad guys win!

Page 2: Agenda

• A bit of theory
• PCI compliance as a Service Provider
• Practical implications for Nonprofits

Page 3: Presenters

• Stephen Bestbier – VP Marketing and Business Development at iATS Payments
• Erik Mathy – Enterprise Onboarding Manager, GetPantheon
• Aaron Crosman – Software Engineer, Message Agency

Page 4: A bit about fraudsters…

• They know to target charities
• They’re SMART
• They have a big bag of tricks
• They’re always changing and adapting
• They cost charities money
– (median loss: $85K)

Page 5: What do they do?

• Testing stolen card numbers – $1.00 donations
• Card number tumbling
• Name tumbling
• Refund scam
• Creation of clone charities

Page 6: Ways to STOP them

• Velocity checking
• Address verification (AVS)
• CVV2 capability
• IP blocking (high-risk countries)
• Minimum transaction limit
• Payment Form
– iFrame (least risk): the card fields live on a page the processor hosts, so card data never passes through a page your site serves
– Direct Post (medium risk): the card fields sit on your page but the browser posts them straight to the processor; your server never receives card data, but a compromise of that page (injected script, altered form action) can still divert it, which is why this pattern generally maps to SAQ A-EP rather than SAQ A
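The first three countermeasures above (velocity checking, a minimum transaction amount, and spotting the card- and name-tumbling patterns from the previous slide) are normally configured at the processor, but the same logic can run on the donation form's server side as a first filter before an attempt is ever sent to the gateway. The following is an added example written for this transcript, not code from iATS, Pantheon, Message Agency or any Drupal module; it is in Python rather than Drupal's PHP so it runs stand-alone. The thresholds, field names and sample attempts are constructed assumptions, and a real integration would key on the token the processor returns rather than anything derived from the card number.

```python
"""Card-testing and velocity screen over a stream of donation attempts.

Illustrative example added for this transcript; not iATS, Pantheon or
Message Agency code. Thresholds and field names below are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

MIN_AMOUNT = 5.00          # assumed minimum donation; $1.00 "test" charges are rejected
WINDOW_SECONDS = 600       # assumed velocity window (10 minutes)
MAX_ATTEMPTS_PER_IP = 5    # attempts from one IP inside the window, declines included
MAX_CARDS_PER_IP = 3       # distinct cards from one IP inside the window (card tumbling)
MAX_NAMES_PER_CARD = 2     # distinct cardholder names on one card (name tumbling)


@dataclass
class Attempt:
    ts: float      # epoch seconds
    ip: str
    card: str      # processor token or keyed hash of the PAN; never the PAN itself
    amount: float
    name: str


class FraudScreen:
    """Stateful screen: feed attempts in arrival order, read back the rules tripped."""

    def __init__(self):
        self.by_ip = defaultdict(deque)   # ip -> deque of (ts, card)
        self.by_card = defaultdict(dict)  # card -> {cardholder name: last ts seen}

    def _expire(self, now):
        """Drop state older than the window so one burst does not block an IP forever."""
        for ip in list(self.by_ip):
            q = self.by_ip[ip]
            while q and now - q[0][0] > WINDOW_SECONDS:
                q.popleft()
            if not q:
                del self.by_ip[ip]
        for card in list(self.by_card):
            names = self.by_card[card]
            for n in [n for n, t in names.items() if now - t > WINDOW_SECONDS]:
                del names[n]
            if not names:
                del self.by_card[card]

    def check(self, a):
        """Return the names of the rules this attempt trips; an empty list means allow."""
        self._expire(a.ts)
        reasons = []
        if a.amount < MIN_AMOUNT:
            reasons.append("below_minimum")
        ip_q = self.by_ip[a.ip]
        if len(ip_q) + 1 > MAX_ATTEMPTS_PER_IP:
            reasons.append("ip_velocity")
        if len({c for _, c in ip_q} | {a.card}) > MAX_CARDS_PER_IP:
            reasons.append("card_tumbling")
        if len(set(self.by_card[a.card]) | {a.name}) > MAX_NAMES_PER_CARD:
            reasons.append("name_tumbling")
        # Record the attempt whether or not it was blocked: the declines are the signal.
        ip_q.append((a.ts, a.card))
        self.by_card[a.card][a.name] = a.ts
        return reasons


def run_sample():
    """Constructed sample traffic: a card-testing burst from one IP, then a normal donor."""
    screen = FraudScreen()
    attempts = [
        Attempt(0, "203.0.113.7", "tok_a1", 1.00, "J Smith"),    # $1 tests, new card each time
        Attempt(5, "203.0.113.7", "tok_a2", 1.00, "J Smith"),
        Attempt(9, "203.0.113.7", "tok_a3", 1.00, "J Smith"),
        Attempt(14, "203.0.113.7", "tok_a4", 1.00, "J Smith"),
        Attempt(20, "203.0.113.7", "tok_a5", 1.00, "J Smith"),
        Attempt(25, "203.0.113.7", "tok_a6", 25.00, "J Smith"),   # a "live" card found
        Attempt(30, "203.0.113.7", "tok_a6", 25.00, "A Jones"),   # same card, names rotated
        Attempt(35, "203.0.113.7", "tok_a6", 25.00, "B Lee"),
        Attempt(900, "198.51.100.2", "tok_b1", 50.00, "M Garcia"),  # ordinary donor later
    ]
    return [screen.check(a) for a in attempts]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict or "allow")
```

Declined attempts are counted on purpose: card testers expect most attempts to fail, so a screen that only tracks successes never sees the burst. In production the state would live in a shared store (Redis, the database) rather than in process memory, and the per-IP rules need an exemption path for legitimate shared egress addresses such as a corporate NAT.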

Page 7: What is PCI?

• Payment Card Industry Data Security Standard (PCI-DSS)

• All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted

Page 8: How PCI Helps

• Creates an actionable framework to ensure safe handling of credit card data

• Enables prevention, detection and appropriate handling of incidents

• Maintaining PCI compliance helps build donors’ trust

Page 9: How to become PCI Compliant?

• How: either an SAQ (Self-Assessment Questionnaire), or a RoC (Report on Compliance) prepared by an ISA (Internal Security Assessor) or a QSA (Qualified Security Assessor)
• Identify your level of PCI compliance (set by transaction volume; see next slide)
• Complete the Self-Assessment Questionnaire (SAQ)
• Different SAQs apply depending on the merchant’s systems and processes

Page 10: PCI Compliance Levels

Level 1: Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year; also any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

Page 11: SAQs – PCI DSS v3.0

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

SAQ A-EP*: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website that doesn’t directly receive cardholder data but can impact the security of the payment transaction.

SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.

SAQ B-IP*: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic cardholder data storage.

SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.

SAQ C*: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

SAQ D*: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ.

Page 12: SAQs – PCI DSS v3.0

Page 13: What to do…

• Achieve and maintain PCI compliance
• Talk to your merchant provider
– What tools are available?
– How to implement them?
• Train your staff so they know what to look for
– Refund policies, account patterns, etc.

Page 14: PCI Compliance as a Cloud Service Provider

PCI DSS Requirements for a Cloud Service Provider (CSP) offering Platform as a Service (PaaS):

1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
5: Use and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need to know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security for all personnel

Page 15: PCI Compliance as a Cloud Service Provider

What does that all mean?

• Securing or removing direct access (physical and software-based) to servers and networks
• Completely locking down direct access to all platform APIs
• Fully logging every action taken on every server and API
• Requiring two-factor authentication for all systems used by Pantheon
• Creating strong internal processes and policies around password strength and maximum allowed age, SSL certificates for identification, office access, and more…

PCI compliance isn’t just about the hardware; it’s also about strong internal, secure business and personnel management practices.

Page 16: Now what?

Yes, there are ways to handle all this and stay sane.

Page 17: Basic Strategy

We have to do what?!?

• Avoid ➔ Outsource as much as possible to someone else.
• Minimize ➔ Work hard to only need to follow SAQ A or SAQ A-EP.
• Learn ➔ Make sure you understand all the questions you’re answering.

Page 18: But don’t totally avoid it...

Some of these things are worth doing.

• PCI standards encourage useful habits ➔ Some of the policies are a good idea anyway.
• Don’t sacrifice user experience ➔ Don’t outsource to a platform your users will hate. That may cost you more than compliance.

Page 19: Some helpful Drupal references

Some references worth reading

The main resource:
➔ DrupalPCICompliance.org

Services/Modules to look into:
➔ iATS Payments (Direct Post Method)
➔ HostedPCI
➔ Braintree/PayPal
➔ Authorize.net (Direct Post Method)
➔ Stripe

Page 20: Resources from iATS

• White paper: Credit Card Fraud Prevention in Nonprofits

• Infographic: Credit Card Fraud: How it impacts nonprofits

• Infographic: Why PCI-DSS Compliance is a must have

Page 21: Questions?

Page 22

• Q: If I only accept credit cards over the phone, does PCI still apply to me?
• Q: Do organizations using third-party processors have to be PCI compliant?
• Q: Are debit card transactions in scope for PCI?
• Q: What are the penalties for noncompliance?
• Q: What is a vulnerability scan?
• Q: What if a merchant refuses to cooperate?