Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal - Stephen Bestbier (iATS), Aaron Crosman (Message Agency), Erik Mathy (Pantheon)
1. Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal
Don’t let the bad guys win!
2. Agenda
• A bit of theory
• PCI compliance as a service provider
• Practical implications for nonprofits
3. Presenters
• Stephen Bestbier
– VP Marketing and Business Development at iATS Payments
• Erik Mathy
– Enterprise Onboarding Manager, GetPantheon
• Aaron Crosman
– Software Engineer, Message Agency
4. A bit about fraudsters…
• They know to target charities
• They’re SMART
• They have a big bag of tricks
• They’re always changing and adapting
• They cost charities money
– (median loss: $85K)
5. What do they do?
• Testing stolen card numbers
– $1.00 donations
• Card number tumbling
• Name tumbling
• Refund scam
• Creation of clone charities
6. Ways to STOP them
• Velocity checking
• Address verification (AVS)
• CVV2 capability
• IP blocking (high risk countries)
• Minimum transaction limit
• Payment Form
– iFrame (least risk)
– Direct Post (medium risk)
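One way to implement the velocity checking and minimum transaction limit from the two slides above, catching the $1.00 card-testing and name-tumbling patterns the deck describes. This is an added example, not code from the presentation or from iATS; the thresholds, field names and sample attempts are constructed assumptions.

```python
"""Added example (not from the slides): velocity and minimum-amount checks that
flag the card-testing pattern the deck describes: bursts of $1.00 attempts, one
donor name cycled across many cards (name tumbling), many attempts from one IP.
Thresholds, field names and the sample data are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_AMOUNT = 5.00               # minimum transaction limit (constructed value)
WINDOW = timedelta(minutes=10)  # velocity window
MAX_ATTEMPTS_PER_IP = 3         # attempts allowed per source IP within WINDOW
MAX_CARDS_PER_NAME = 2          # distinct cards allowed per donor name within WINDOW

class VelocityChecker:
    """Tracks recent attempts by IP and donor name. 'card_fp' is a token or hash
    issued by the processor, never the card number: the merchant must not store PANs."""
    def __init__(self):
        self.by_ip = defaultdict(list)    # ip -> [timestamp, ...]
        self.by_name = defaultdict(list)  # name -> [(timestamp, card_fp), ...]

    def evaluate(self, a):
        """Return the list of decline reasons for attempt `a`; [] means allow."""
        now, reasons = a["ts"], []
        ip_hits = [t for t in self.by_ip[a["ip"]] if now - t <= WINDOW]
        name_hits = [(t, c) for t, c in self.by_name[a["name"]] if now - t <= WINDOW]
        if a["amount"] < MIN_AMOUNT:
            reasons.append("below_minimum_amount")
        if len(ip_hits) + 1 > MAX_ATTEMPTS_PER_IP:
            reasons.append("ip_velocity")
        if len({c for _, c in name_hits} | {a["card_fp"]}) > MAX_CARDS_PER_NAME:
            reasons.append("name_tumbling")
        # Record every attempt, declined or not, so repeated probing keeps counting.
        self.by_ip[a["ip"]] = ip_hits + [now]
        self.by_name[a["name"]] = name_hits + [(now, a["card_fp"])]
        return reasons

def run(attempts):
    """Evaluate attempts in order; returns [(id, reasons), ...]."""
    checker = VelocityChecker()
    return [(a["id"], checker.evaluate(a)) for a in attempts]

# Constructed sample: one legitimate gift, then a card-testing burst from one IP.
T0 = datetime(2014, 6, 1, 12, 0, 0)
def _att(i, secs, ip, name, fp, amt):
    return {"id": i, "ts": T0 + timedelta(seconds=secs), "ip": ip,
            "name": name, "card_fp": fp, "amount": amt}
SAMPLE = [_att(1, 0, "198.51.100.7", "Pat Donor", "fp-a", 50.00),
          _att(2, 30, "203.0.113.9", "J Smith", "fp-b", 1.00),
          _att(3, 45, "203.0.113.9", "J Smith", "fp-c", 1.00),
          _att(4, 60, "203.0.113.9", "J Smith", "fp-d", 1.00),
          _att(5, 75, "203.0.113.9", "J Smith", "fp-e", 25.00)]
```

Attempts 2 through 4 are declined on the minimum amount alone, and by the fourth and fifth the name and IP rules fire as well, so the burst is stopped before the processor sees a fourth card; an attempt from the same IP after the window has expired is allowed again.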
7. What is PCI?
• Payment Card Industry Data Security Standard (PCI-DSS)
• All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted
8. How PCI Helps
• Creates an actionable framework to ensure safe handling of credit card data
• Enables prevention, detection and appropriate handling of incidents
• Maintaining PCI certification helps build donors’ trust
9. How to become PCI Compliant?
• How
– SAQ: Self Assessment Questionnaire, or
– RoC: Report on Compliance using ISA or QSA
• Identify Level of PCI Compliance
• Self Assessment Questionnaire (SAQ)
• Different SAQ depending on merchant’s systems and processes
10. PCI Compliance Levels
Level 1: Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
11. SAQ’s – PCI DSS v. 3.0
SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ A-EP*: E-commerce merchants who outsource all payment processing to PCI DSS third parties and who have a website that doesn’t directly receive cardholder data but can impact the security of the transaction.
SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
SAQ B-IP*: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic data storage.
SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.
SAQ C*: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in/managed via a PCI SSC-listed P2PE solution. No cardholder data storage.
SAQ D*: All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ.
13. What to do…
• Achieve and maintain PCI compliance
• Talk to your merchant provider
– What tools are available?
– How to implement?
• Train your staff so they know what to look for
– Refund policies, account patterns, etc.
14. PCI Compliance as a Cloud Service Provider
PCI DSS Requirements for Cloud Software Providers (CSP) - Platform as a Service (PaaS)
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
5: Use and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need to know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security for all personnel
15. PCI Compliance as a Cloud Service Provider
What does that all mean?
• Securing/removing direct access (physical and software based) to servers and networks
• Completely locking down direct access to all platform APIs
• Fully logging every action taken on every server and API
• Requiring two-factor authentication for all systems used by Pantheon
• Creating strong internal processes and policies around password strength/maximum allowed age, SSL certificates for identification, office access, and more…
PCI compliance isn’t just about the hardware, it’s also about strong internal, secure business and personnel management practices.
16. Yes, there are ways to handle all this and stay sane.
Now what?
17. Basic Strategy
We have to do what?!?
Avoid
➔ Outsource as much as possible to someone else.
Minimize
➔ Work hard to only need to follow SAQ-A or SAQ-AEP.
Learn
➔ Make sure you understand all the questions you’re answering.
18. But don’t totally avoid it...
Some of these things are worth doing.
PCI standards encourage useful habits
➔ Some of the policies are a good idea anyway.
Don’t sacrifice user experience
➔ Don’t outsource to a platform your users will hate. That may cost you more than compliance.
19. Some helpful Drupal references
Some references worth reading
The main resource:
➔ DrupalPCICompliance.org
Services/Modules to look into:
➔ iATS Payments (Direct Post Method)
➔ HostedPCI
➔ BrainTree/PayPal
➔ Authorize.net (Direct Post Method)
➔ Stripe
20. Resources from iATS
• White paper: Credit Card Fraud Prevention in Nonprofits
• Infographic: Credit Card Fraud: How it impacts nonprofits
• Infographic: Why PCI-DSS Compliance is a must have
22. Q&A
• Q: If I only accept credit cards over the phone, does PCI still apply to me?
• Q: Do organizations using third-party processors have to be PCI compliant?
• Q: Are debit card transactions in scope for PCI?
• Q: What are the penalties for noncompliance?
• Q: What is a vulnerability scan?
• Q: What if a merchant refuses to cooperate?