SlideShare una empresa de Scribd logo

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

S
Stephanie Gutowski

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal - Stephen Bestbier (iATS), Aaron Crosman (Message Agency), Erik Mathy (Pantheon)

Tecnología
1 de 22
Descargar para leer sin conexión
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal Don’t let the bad guys win!
Agenda • Bit of Theory • PCI compliance as a service Provider • Practical implication for Non-Profits
Presenters • Stephen Bestbier – VP Marketing and Business Development at iATS Payments • Erik Mathy – Enterprise Onboarding Manager, GetPantheon • Aaron Crosman – Software Engineer, Message Agency
A bit about fraudsters… • They know to target charities • They’re SMART • They have a big bag of tricks • They’re always changing and adapting • They cost charities money – (median loss: $85K)
What do they do? • Testing stolen card numbers – $1.00 donations • Card number tumbling • Name tumbling • Refund scam • Creation of clone charities
Ways to STOP them • Velocity checking • Address verification (AVS) • CVV2 capability • IP blocking (high risk countries) • Minimum transaction limit • Payment Form – iFrame (least risk) – Direct Post (medium risk)
What is PCI? • Payment Card Industry Data Security Standard (PCI-DSS) • All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted
How PCI Helps • Creates an actionable framework to ensure safe handling of credit card data • Enables prevention, detection and appropriate handling of incidents • Maintaining PCI certification helps build donors’ trust
How to become PCI Compliant? • How – SAQ: Self Assessment Questionnaire, or – RoC: Report on Compliance using ISA or QSA • Identify Level of PCI Compliance • Security Assessment Questionnaire (SAQ) • Different SAQ depending on merchant’s systems and processes
PCI Compliance Levels Level Description 1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. 3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
SAQ’s – PCI DSS v. 3.0 SAQ Description A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. A-EP* E-commerce merchants who outsource all payment processing to PCI DSS third parties and who have a website that doesn’t directly receive cardholder data but can impact the security of the transaction. B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage B-IP* Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic data storage. C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage C* Merchants with payment application systems connected to the Internet, no electronic cardholder data storage P2PE-HW Merchants using only hardware payment terminals that are included in/managed via a PCI SSC-listed P2PE solution. No card holder data storage. D* All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ
SAQ’s – PCI DSS v. 3.0
What to do… • Achieve and maintain PCI compliance • Talk to your merchant provider – What tools are available? – How to implement? • Train your staff so they know what to look for – Refund policies, account patterns, etc.
PCI Compliance as a Cloud Service Provider PCI DSS Requirement for Cloud Software Providers (CSP) - Platform as a Service (PaaS) 1: Install and maintain a firewall configuration to protect cardholder data 2: Do not use vendor supplied defaults for system passwords and other security parameters 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks 5: Use and regularly update anti-virus software or programs 6: Develop and maintain secure systems and applications 7: Restrict access to cardholder data by business need to know 8: Assign a unique ID to each person with computer access 9: Restrict physical access to cardholder data 10: Track and monitor all access to network resources and cardholder data 11: Regularly test security systems and processes 12: Maintain a policy that addresses information security for all personnel
PCI Compliance as a Cloud Service Provider What does that all mean? • Securing/removing direct access (physical and software based) to servers and networks • Completely locking down direct access to all platform API’s • Fully logging every action taken on every server and API • Creating 2 factor authentication to all systems used by Pantheon • Created strong internal processes and policies around password strength/maximum allowed age, SSL certificates for identification, office access, and more… PCI compliance isn’t just about the hardware, it’s also about strong internal, secure business and personnel management practices.
Yes, there are ways to handle all this and stay sane. Now what?
Avoid ➔Outsource as much as possible to someone else. Minimize ➔Work hard to only need to follow SAQ-A or SAQ-AEP. Learn ➔Make sure you understand all the questions you’re answering. Basic Strategy We have to do what?!?
PCI standards encourage useful habits ➔Some of the policies are a good idea anyway. Don’t sacrifice user experience ➔Don’t outsource to a platform your users will hate. That may cost you more than compliance. But don’t totally avoid it... Some of these things are worth doing.
The main resource: ➔DrupalPCICompliance.org Services/Modules to look into: ➔iATS Payments (Direct Post Method) ➔HostedPCI ➔BrainTree/PayPal ➔Authorize.net (Direct Post Method) ➔Stripe Some helpful Drupal references Some references worth reading
Resources from iATS • White paper: Credit Card Fraud Prevention in Nonprofits • Infographic: Credit Card Fraud: How it impacts nonprofits • Infographic: Why PCI- DSS Compliance is a must have
Questions?
• Q: If I only accept credit cards over the phone, does PCI still apply to me? • Q: Do organizations using third-party processors have to be PCI compliant? • Q: Are debit card transactions in scope for PCI? • Q: What are the penalties for noncompliance? • What is a vulnerability scan? • Q: What if a merchant refuses to cooperate?

Recomendados

PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsNetSquared Vancouver
 
To swipe or not to swipe payment card processing in sap
To swipe or not to swipe payment card processing in sapTo swipe or not to swipe payment card processing in sap
To swipe or not to swipe payment card processing in sapSunando Ghosh
 
Intro to-payment-processing-in-sap
Intro to-payment-processing-in-sapIntro to-payment-processing-in-sap
Intro to-payment-processing-in-sappuppala
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overviewb28stu
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Donald E. Hester
 
PCI Compliance Process
PCI Compliance ProcessPCI Compliance Process
PCI Compliance ProcessBluePayProcessing
 
From Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachFrom Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachPaymetric, Inc.
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 

Recomendados

PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsNetSquared Vancouver
 
To swipe or not to swipe payment card processing in sap
To swipe or not to swipe payment card processing in sapTo swipe or not to swipe payment card processing in sap
To swipe or not to swipe payment card processing in sapSunando Ghosh
 
Intro to-payment-processing-in-sap
Intro to-payment-processing-in-sapIntro to-payment-processing-in-sap
Intro to-payment-processing-in-sappuppala
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overviewb28stu
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Donald E. Hester
 
PCI Compliance Process
PCI Compliance ProcessPCI Compliance Process
PCI Compliance ProcessBluePayProcessing
 
From Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachFrom Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachPaymetric, Inc.
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Paymetric, Inc.
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecurePaymetric, Inc.
 
Payment Gateway
Payment GatewayPayment Gateway
Payment GatewayAsif Hussain
 
Payment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdatePayment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdateBurhan Khalid
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 URAlcala65
 
Ccavenue presentation
Ccavenue presentationCcavenue presentation
Ccavenue presentationAnurag Vikram
 
Peter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsPeter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsCiklum Ukraine
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011Donald E. Hester
 
2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_dataKelvin Medina, CISSP, PA-QSA, QSA, GCIH, CISA, ITIL
 
Payment gateway testing
Payment gateway testingPayment gateway testing
Payment gateway testingAtul Pant
 
Pay Easy Solutions International
Pay Easy Solutions InternationalPay Easy Solutions International
Pay Easy Solutions Internationaljeanieaguilar
 
A Complete Model of the Payment Service Business
A Complete Model of the Payment Service BusinessA Complete Model of the Payment Service Business
A Complete Model of the Payment Service BusinessFrank Steeneken
 
How to test payment gateway functionality
How to test payment gateway functionalityHow to test payment gateway functionality
How to test payment gateway functionalityTrupti Jethva
 
Payment Services in Kuwait
Payment Services in KuwaitPayment Services in Kuwait
Payment Services in KuwaitBurhan Khalid
 
Payment gateways
Payment gateways Payment gateways
Payment gateways NiyasudheenAK
 
Online payments and Security Gateways
Online payments and Security Gateways Online payments and Security Gateways
Online payments and Security Gateways Sarujan Chandrakumaran
 
Core banking solution
Core banking solutionCore banking solution
Core banking solutionRishiSundar2
 
Online payment gateway provider
Online payment gateway providerOnline payment gateway provider
Online payment gateway providerPayment Gateways
 
Maze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local GovernmentsMaze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local GovernmentsDonald E. Hester
 
Payment gateway
Payment gatewayPayment gateway
Payment gatewayHananBahy
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 

Más contenido relacionado

La actualidad más candente

Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Paymetric, Inc.
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecurePaymetric, Inc.
 
Payment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdatePayment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdateBurhan Khalid
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 URAlcala65
 
Ccavenue presentation
Ccavenue presentationCcavenue presentation
Ccavenue presentationAnurag Vikram
 
Peter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsPeter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsCiklum Ukraine
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011Donald E. Hester
 
Payment gateway testing
Payment gateway testingPayment gateway testing
Payment gateway testingAtul Pant
 
Pay Easy Solutions International
Pay Easy Solutions InternationalPay Easy Solutions International
Pay Easy Solutions Internationaljeanieaguilar
 
A Complete Model of the Payment Service Business
A Complete Model of the Payment Service BusinessA Complete Model of the Payment Service Business
A Complete Model of the Payment Service BusinessFrank Steeneken
 
How to test payment gateway functionality
How to test payment gateway functionalityHow to test payment gateway functionality
How to test payment gateway functionalityTrupti Jethva
 
Payment Services in Kuwait
Payment Services in KuwaitPayment Services in Kuwait
Payment Services in KuwaitBurhan Khalid
 
Online payments and Security Gateways
Online payments and Security Gateways Online payments and Security Gateways
Online payments and Security Gateways Sarujan Chandrakumaran
 
Core banking solution
Core banking solutionCore banking solution
Core banking solutionRishiSundar2
 
Online payment gateway provider
Online payment gateway providerOnline payment gateway provider
Online payment gateway providerPayment Gateways
 
Maze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local GovernmentsMaze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local GovernmentsDonald E. Hester
 
Payment gateway
Payment gatewayPayment gateway
Payment gatewayHananBahy
 

La actualidad más candente (20)

Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
Payment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdatePayment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 Update
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 U
 
Ccavenue presentation
Ccavenue presentationCcavenue presentation
Ccavenue presentation
 
Peter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsPeter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online Payments
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
 
2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data
 
Payment gateway testing
Payment gateway testingPayment gateway testing
Payment gateway testing
 
Pay Easy Solutions International
Pay Easy Solutions InternationalPay Easy Solutions International
Pay Easy Solutions International
 
A Complete Model of the Payment Service Business
A Complete Model of the Payment Service BusinessA Complete Model of the Payment Service Business
A Complete Model of the Payment Service Business
 
How to test payment gateway functionality
How to test payment gateway functionalityHow to test payment gateway functionality
How to test payment gateway functionality
 
Payment Services in Kuwait
Payment Services in KuwaitPayment Services in Kuwait
Payment Services in Kuwait
 
Payment gateways
Payment gateways Payment gateways
Payment gateways
 
Online payments and Security Gateways
Online payments and Security Gateways Online payments and Security Gateways
Online payments and Security Gateways
 
Core banking solution
Core banking solutionCore banking solution
Core banking solution
 
Online payment gateway provider
Online payment gateway providerOnline payment gateway provider
Online payment gateway provider
 
Maze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local GovernmentsMaze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local Governments
 
Payment gateway
Payment gatewayPayment gateway
Payment gateway
 

Similar a Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should careSean D. Goodwin
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)Maksim Djackov
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI complianceJisc
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Donald E. Hester
 
Pci compliance overview earth link business
Pci compliance overview earth link businessPci compliance overview earth link business
Pci compliance overview earth link businessMike Shelah
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxAssignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxtrippettjettie
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Rapid7
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI WonderlandMichele Chubirka
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National CertificationMark Pollard
 
Payment Card Industry Compliance for Local Governments CSMFO 2009
Payment Card Industry Compliance for Local Governments CSMFO 2009Payment Card Industry Compliance for Local Governments CSMFO 2009
Payment Card Industry Compliance for Local Governments CSMFO 2009Donald E. Hester
 

Similar a Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal (20)

Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010
 
E commerce overview
E commerce overviewE commerce overview
E commerce overview
 
Pci compliance overview earth link business
Pci compliance overview earth link businessPci compliance overview earth link business
Pci compliance overview earth link business
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
What Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSWhat Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSS
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxAssignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National Certification
 
Payment Card Industry Compliance for Local Governments CSMFO 2009
Payment Card Industry Compliance for Local Governments CSMFO 2009Payment Card Industry Compliance for Local Governments CSMFO 2009
Payment Card Industry Compliance for Local Governments CSMFO 2009
 

Más de Stephanie Gutowski

Web Development Within your Means
Web Development Within your MeansWeb Development Within your Means
Web Development Within your MeansStephanie Gutowski
 
Demographic Data Collection Implications and Opportunities
Demographic Data Collection Implications and OpportunitiesDemographic Data Collection Implications and Opportunities
Demographic Data Collection Implications and OpportunitiesStephanie Gutowski
 
Demographic Data Collection Implications and Opportunities
Demographic Data Collection Implications and OpportunitiesDemographic Data Collection Implications and Opportunities
Demographic Data Collection Implications and OpportunitiesStephanie Gutowski
 
Growing with Drupal and Salesforce
Growing with Drupal and SalesforceGrowing with Drupal and Salesforce
Growing with Drupal and SalesforceStephanie Gutowski
 
The Art of Identifying Red Flags in Drupal Projects
The Art of Identifying Red Flags in Drupal ProjectsThe Art of Identifying Red Flags in Drupal Projects
The Art of Identifying Red Flags in Drupal ProjectsStephanie Gutowski
 
It Takes Two: The Case for CRMs in Drupal
It Takes Two: The Case for CRMs in Drupal It Takes Two: The Case for CRMs in Drupal
It Takes Two: The Case for CRMs in DrupalStephanie Gutowski
 

Más de Stephanie Gutowski (9)

Web Development Within your Means
Web Development Within your MeansWeb Development Within your Means
Web Development Within your Means
 
Demographic Data Collection Implications and Opportunities
Demographic Data Collection Implications and OpportunitiesDemographic Data Collection Implications and Opportunities
Demographic Data Collection Implications and Opportunities
 
2015 NTC Ignite
2015 NTC Ignite2015 NTC Ignite
2015 NTC Ignite
 
Demographic Data Collection Implications and Opportunities
Demographic Data Collection Implications and OpportunitiesDemographic Data Collection Implications and Opportunities
Demographic Data Collection Implications and Opportunities
 
Content strategy 101
Content strategy 101 Content strategy 101
Content strategy 101
 
Growing with Drupal and Salesforce
Growing with Drupal and SalesforceGrowing with Drupal and Salesforce
Growing with Drupal and Salesforce
 
The Art of Identifying Red Flags in Drupal Projects
The Art of Identifying Red Flags in Drupal ProjectsThe Art of Identifying Red Flags in Drupal Projects
The Art of Identifying Red Flags in Drupal Projects
 
It Takes Two: The Case for CRMs in Drupal
It Takes Two: The Case for CRMs in Drupal It Takes Two: The Case for CRMs in Drupal
It Takes Two: The Case for CRMs in Drupal
 
20 in 20 august adams
20 in 20 august adams20 in 20 august adams
20 in 20 august adams
 

Último

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 

Último (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

  • 1. Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal Don’t let the bad guys win!
  • 2. Agenda • Bit of Theory • PCI compliance as a service Provider • Practical implication for Non-Profits
  • 3. Presenters • Stephen Bestbier – VP Marketing and Business Development at iATS Payments • Erik Mathy – Enterprise Onboarding Manager, GetPantheon • Aaron Crosman – Software Engineer, Message Agency
  • 4. A bit about fraudsters… • They know to target charities • They’re SMART • They have a big bag of tricks • They’re always changing and adapting • They cost charities money – (median loss: $85K)
  • 5. What do they do? • Testing stolen card numbers – $1.00 donations • Card number tumbling • Name tumbling • Refund scam • Creation of clone charities
  • 6. Ways to STOP them • Velocity checking • Address verification (AVS) • CVV2 capability • IP blocking (high risk countries) • Minimum transaction limit • Payment Form – iFrame (least risk) – Direct Post (medium risk)
  • 7. What is PCI? • Payment Card Industry Data Security Standard (PCI-DSS) • All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted
  • 8. How PCI Helps • Creates an actionable framework to ensure safe handling of credit card data • Enables prevention, detection and appropriate handling of incidents • Maintaining PCI certification helps build donors’ trust
  • 9. How to become PCI Compliant? • How – SAQ: Self Assessment Questionnaire, or – RoC: Report on Compliance using ISA or QSA • Identify Level of PCI Compliance • Security Assessment Questionnaire (SAQ) • Different SAQ depending on merchant’s systems and processes
  • 10. PCI Compliance Levels Level Description 1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. 3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
  • 11. SAQ’s – PCI DSS v. 3.0 SAQ Description A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. A-EP* E-commerce merchants who outsource all payment processing to PCI DSS third parties and who have a website that doesn’t directly receive cardholder data but can impact the security of the transaction. B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage B-IP* Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic data storage. C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage C* Merchants with payment application systems connected to the Internet, no electronic cardholder data storage P2PE-HW Merchants using only hardware payment terminals that are included in/managed via a PCI SSC-listed P2PE solution. No card holder data storage. D* All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ
  • 12. SAQ’s – PCI DSS v. 3.0
  • 13. What to do… • Achieve and maintain PCI compliance • Talk to your merchant provider – What tools are available? – How to implement? • Train your staff so they know what to look for – Refund policies, account patterns, etc.
  • 14. PCI Compliance as a Cloud Service Provider PCI DSS Requirement for Cloud Software Providers (CSP) - Platform as a Service (PaaS) 1: Install and maintain a firewall configuration to protect cardholder data 2: Do not use vendor supplied defaults for system passwords and other security parameters 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks 5: Use and regularly update anti-virus software or programs 6: Develop and maintain secure systems and applications 7: Restrict access to cardholder data by business need to know 8: Assign a unique ID to each person with computer access 9: Restrict physical access to cardholder data 10: Track and monitor all access to network resources and cardholder data 11: Regularly test security systems and processes 12: Maintain a policy that addresses information security for all personnel
  • 15. PCI Compliance as a Cloud Service Provider What does that all mean? • Securing/removing direct access (physical and software based) to servers and networks • Completely locking down direct access to all platform API’s • Fully logging every action taken on every server and API • Creating 2 factor authentication to all systems used by Pantheon • Created strong internal processes and policies around password strength/maximum allowed age, SSL certificates for identification, office access, and more… PCI compliance isn’t just about the hardware, it’s also about strong internal, secure business and personnel management practices.
  • 16. Yes, there are ways to handle all this and stay sane. Now what?
  • 17. Avoid ➔Outsource as much as possible to someone else. Minimize ➔Work hard to only need to follow SAQ-A or SAQ-AEP. Learn ➔Make sure you understand all the questions you’re answering. Basic Strategy We have to do what?!?
  • 18. PCI standards encourage useful habits ➔Some of the policies are a good idea anyway. Don’t sacrifice user experience ➔Don’t outsource to a platform your users will hate. That may cost you more than compliance. But don’t totally avoid it... Some of these things are worth doing.
  • 19. The main resource: ➔DrupalPCICompliance.org Services/Modules to look into: ➔iATS Payments (Direct Post Method) ➔HostedPCI ➔BrainTree/PayPal ➔Authorize.net (Direct Post Method) ➔Stripe Some helpful Drupal references Some references worth reading
  • 20. Resources from iATS • White paper: Credit Card Fraud Prevention in Nonprofits • Infographic: Credit Card Fraud: How it impacts nonprofits • Infographic: Why PCI- DSS Compliance is a must have
  • 22. • Q: If I only accept credit cards over the phone, does PCI still apply to me? • Q: Do organizations using third-party processors have to be PCI compliant? • Q: Are debit card transactions in scope for PCI? • Q: What are the penalties for noncompliance? • What is a vulnerability scan? • Q: What if a merchant refuses to cooperate?