
Don't Get Hacked! Know the Risks of Accepting Credit Cards


Fundraising is the lifeblood of any not-for-profit organization. Advances in technology have made collecting contributions via credit card easier than ever for NPOs. Tools like Square offer simple solutions to help organizations of all sizes collect funds. But are you compromising security for convenience? This presentation addresses how NPOs can prepare a secure environment for accepting donations before the gala and special events season starts.


Page 1: Don’t Get Hacked! Know the Risks Associated with Accepting Credit Cards

February 20, 2014

Maaria Seider, CISA, QSA 314.983.1384 [email protected] Michael Springer, GPEN 314.983.1374 [email protected] Janet Ramey, CPA 636.754.0231 [email protected]

Page 2: Welcome

Welcome to our quarterly Non Profit Organization Speaker Series Event!

Today’s topic: Understanding the Risks Associated with Accepting Credit Cards

Page 3: CPE Credit

© 2014 All Rights Reserved Brown Smith Wallace LLC

In order to receive CPE credit for this session, please:

• Ensure you signed the sign-in sheet.

• Complete an event evaluation form.

– You may fill out a hard copy and turn it in before you leave.

– Or complete the e-version sent via email.

Page 4: Today’s Guest Speakers

Maaria Seider, CISA, QSA

• Maaria is a Manager in the Brown Smith Wallace Advisory Services practice.

• She provides consulting and compliance services to clients that must comply with the Payment Card Industry (PCI) standards.

• Maaria serves as the awards chair for the Institute of Internal Auditors (IIA).

Page 5: Today’s Guest Speakers

Michael Springer, CEH, GPEN

• Michael is a Senior in the Brown Smith Wallace Information Security & Privacy practice.

• He provides security consulting and assessment services, including the technical reviews and ethical hacking (penetration testing) that PCI requires.

• He holds industry certifications of CEH – Certified Ethical Hacker – and GPEN – GIAC Certified Penetration Tester.

Page 6: Trends in NPO Fundraising

Page 7: Trends in NPO Fundraising

Since 2008, fewer than 50% of charitable organizations have seen an increase in any form of fundraising/giving other than online giving.

Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/

Page 8: Trends in NPO Fundraising (chart)

Source: http://causera.org/nonprofit-journal/10-fundraising-lessons-for-2013/

Page 9: Trends in NPO Fundraising

Where is the money coming from?

• Online donations

• Events

– Galas

– Trivia Nights

• Contributions & Services Fee Payments

– Cash

– Check

– Credit Card

Page 10: Trends in NPO Fundraising

How is the money being collected? Know the risks!

• Hard copy of credit card data

– Who is handling it?

– Where is it being stored? (paper copy, Excel sheet, etc.)

– Is it secured?

– How is it disposed of?

• Organizations should have a clear understanding of who handles credit card data, who has access to it, and how it is secured. Copies count too: an export emailed to the treasurer or sitting in a backup is still stored card data.

• Credit card data should be disposed of as soon as it is no longer needed, either by securely deleting the electronic file or by putting the paper through a cross-cut shredder.

Image source: http://www.digitaltrends.com/wp-content/uploads/2011/05/Square-iPhone-Credit-Card-Reader.jpg

Page 11: Trends in NPO Fundraising

How is the money being collected? Know the risks!

• Third-party processing

– Are you using a secure (HTTPS) website to collect donations?

– Is the processor PCI DSS compliant? Ask for its current Attestation of Compliance (AOC) rather than taking a logo on the website as proof.

Page 12: Trends in NPO Fundraising

How is the money being collected? Know the risks!

• Portable terminals

– Is the card data encrypted at the reader?

– Do the terminals transmit over a secure network?

– Are you storing credit card information in spreadsheets?

Page 13: Trends in NPO Fundraising

How is the money being collected?

• Mobile – Square

– Text message donations

Image source: http://creditcardforum.com/blog/warning-credit-card-numbers-are-being-stolen-via-text-message/

Page 14: Trends in NPO Fundraising

How is the money being collected?

• To consider when thinking of mobile:

– Does the solution protect card data from interception when it is swiped, processed or stored, and transmitted?

– What kind of device is being used? Is it jailbroken? Is everything unneeded disabled? Can the device be tracked (and wiped) if stolen?

• Use the PCI Council website to check whether your solution is listed as a validated Point-to-Point Encryption (P2PE) solution.

• These solutions have been validated to encrypt the card data inside the card reader, before it reaches the mobile device, so the phone or tablet never handles a clear-text card number.

• Solution providers typically supply a card reader that works with the mobile device.

Page 15: Don't Get Hacked! Know the Risks of Accepting Credit Cards

…so can you!

© 2014 All Rights Reserved Brown Smith Wallace LLC 15

If they can be hacked…

Image source: http://cdn.iphonehacks.com/wp-content/uploads/2013/11/Target-logo.gif http://www.theshelbyreport.com/wp-content/uploads/2013/05/schnucks.jpg http://www.livefreecoupons.com/uploadfile/logo/neimanmarcus.jpg

Page 16: Global Card Fraud Losses ($Billions) (chart)

Page 17: Compliance Snapshot (chart)

Page 18: What are Payment Card Industry (PCI) Data Security Standards?

Page 19: PCI DSS Definition

“The PCI Data Security Standard provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.”

From the PCI Security Standards Council

Page 20: Don't Get Hacked! Know the Risks of Accepting Credit Cards

• All entities involved in payment card processing: – Merchants

– Processors

– Financial institutions

– Basically anyone who handles credit card information (store, process, or transmit)

© 2014 All Rights Reserved Brown Smith Wallace LLC 20

Who does PCI apply to?

Page 21: What are the PCI Data Security Standards?

The 12 PCI DSS requirements are grouped into 6 categories that provide a baseline of technical and operational requirements to protect cardholder data:

1. Build and Maintain a Secure Network and Systems

2. Protect Cardholder Data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

6. Maintain an Information Security Policy

Page 22: What are the PCI Data Security Standards?

Cardholder Data v. Sensitive Authentication Data (together: Account Data)

• Cardholder Data includes:

– Primary Account Number (PAN)

– Cardholder Name

– Expiration Date

– Service Code

• Sensitive Authentication Data includes:

– Full track data (magnetic-stripe data or equivalent on a chip)

– CAV2/CVC2/CVV2/CID

– PINs/PIN blocks

• The difference matters: cardholder data may be stored if you need it and protect it (the PAN rendered unreadable wherever it is kept). Sensitive authentication data must never be stored after authorization, even encrypted; a CVV jotted on a pledge card or a spreadsheet column of swiped track data is a finding on its own.
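The two slides above ask where card data is kept and which kind it is. The following script is an added example, not part of the original deck or the presenters' material: a small Python triage tool that scans a text export (for example a CSV saved from a volunteer's spreadsheet) for Luhn-valid card numbers, masks them to the first six and last four digits that PCI DSS allows to be displayed, and separately flags sensitive authentication data (track data, CVV/CVC values) that must never be stored. The sample export is constructed for this example and uses the card brands' published test numbers, not real accounts; the patterns and the 13-19 digit window are assumptions that suit a first look, not a substitute for a full cardholder-data discovery tool.

```python
import re

# Constructed sample standing in for a volunteer's donation spreadsheet export.
# The card numbers are the card brands' published test PANs, not real accounts.
SAMPLE_EXPORT = """\
donor,amount,card,notes
A. Smith,250,4111111111111111,"gala table 4, exp 12/26"
B. Jones,100,5555 5555 5555 4444,cvv 123 written on pledge card
C. Lee,75,1234567890123456,phone pledge
D. Kim,500,%B4111111111111111^LEE/CHRIS^2612101000000000?,swiped at door
"""

# A run of 13-19 digits, optionally separated by spaces or dashes, that is not
# embedded in a longer digit run. Longer runs are deliberately skipped: a PAN
# hidden inside one is a job for a dedicated discovery tool, not this triage.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (PCI DSS requirement 3.2): must never be stored
# after authorization, so any hit is a finding in its own right.
SAD_PATTERNS = {
    "track 1 data": re.compile(r"%[A-Z]\d{13,19}\^[^^?]*\^\d{4}"),
    "track 2 data": re.compile(r";\d{13,19}=\d{4}"),
    "card verification code": re.compile(
        r"\b(?:cvv2?|cvc2?|cav2|cid)\b\s*[:#]?\s*\d{3,4}\b", re.I
    ),
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out most random digit runs (IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> list:
    """Return the Luhn-valid candidate PANs on one line, separators removed."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_export(text: str) -> dict:
    """Triage a text export: which lines hold PANs (masked) and whether any SAD is present."""
    report = {"pans": [], "sad": []}
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            report["pans"].append((line_no, mask_pan(pan)))
        for kind, pattern in SAD_PATTERNS.items():
            if pattern.search(line):
                report["sad"].append((line_no, kind))
    return report


if __name__ == "__main__":
    result = scan_export(SAMPLE_EXPORT)
    for line_no, masked in result["pans"]:
        print(f"line {line_no}: PAN stored ({masked}) - protect or purge")
    for line_no, kind in result["sad"]:
        print(f"line {line_no}: {kind} stored - must be purged, never retained after authorization")
```

Run against the sample, the scanner reports PANs on lines 2, 3 and 5 (the line-4 number fails the Luhn check and is dropped as noise), a written-down CVV on line 3 and full track 1 data on line 5. The last two are exactly the sensitive authentication data the slide says must never be kept; finding a PAN only tells you the file is in scope and needs protecting.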

Page 23: What are the PCI Data Security Standards?

4 Levels of Merchant Compliance (Visa’s definitions; the other card brands use similar tiers)

1. Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year.

2. Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.

3. Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Page 24: What are the PCI Data Security Standards?

4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.

Most of you in this room will fall into this category.

Page 25: Myths About PCI Compliance

Page 26: Level 4 Merchant Guidelines

• An annual self-assessment questionnaire (SAQ) is recommended.

• Quarterly external vulnerability scans by an ASV (Approved Scanning Vendor), if applicable.

– ASVs are organizations approved by the PCI Council to perform the quarterly external vulnerability scans that PCI DSS requires of internet-facing systems.

• Validation requirements are set by your merchant (acquiring) bank.

– Your bank decides whether it wants an SAQ completed and scans performed.

Page 27: PCI Risks for NPOs

Page 28: Top 5 PCI Risks

1. Credit Card Breach – This can cause an array of problems for an organization: bad press, expensive fines, remediation costs, loss of donors.

• Knowing your credit card environment, where your data is kept, and which vendors touch it are the first steps in preventing a breach.

• Filling out an SAQ helps keep the organization aware of where this data is kept and of the guidelines for securing it.

Image source: http://www.safetynet-inc.com/wp-content/uploads/credit-card-breach.jpg

Page 29: Top 5 PCI Risks

2. Reputation/Brand Damage – No one wants bad press, especially related to a credit card breach.

– With the recent breaches, consumers are more aware and more wary of sharing their credit card information.

– By ensuring your employees and volunteers are trained to handle credit card data securely, and by adhering to PCI, you can help protect your organization.

Image source: http://www.indianasnewscenter.com/news/top-news/239627491.html

Page 30: Top 5 PCI Risks

3. Donor Loss – If donors do not feel secure about the collection method, they are less likely to donate.

– Bad press/breaches

Page 31: Top 5 PCI Risks

4. Litigation Expenses/Recovery – Recovering from a data breach is expensive! Costs can come from:

• Consumers (claims and notification)

• Payment brands (fines and assessments)

• Legal/consulting fees

• Governmental (regulatory action)

Image source: http://www.stoelrivesworldofemployment.com/amy-joseph-pedersen.html

Page 32: Top 5 PCI Risks

5. Vendor Management – Know your vendors!

– Give access only when, and as, needed

– Have an understanding of what they have access to on your systems

– If they handle credit cards, make sure they are PCI compliant

Page 33: PCI in the Future: Chip and PIN

• Credit and debit cards will be embedded with an EMV “chip” that stores card information (name, number, expiration) and, unlike the magnetic stripe, produces a one-time cryptogram for each transaction, which is what makes the chip hard to counterfeit.

• Point-of-sale machines read the chip instead of swiping the magnetic stripe and signing.

• Already in use in Europe and Canada.

• October 2015 – MasterCard and Visa’s liability-shift deadline: after this date, liability for counterfeit-card fraud moves to whichever party, merchant or issuer, has not adopted chip technology, so a merchant still relying on the magnetic stripe can be left holding the loss, which means…

Page 34: YOU ARE RESPONSIBLE!

Page 35: Chip and PIN Readiness

• Invest in upgrading point-of-sale terminals to accept chip and PIN (roughly $200–$2,000)

• Make sure third-party processors are compliant

Page 36: Questions?

Page 37: If you enjoyed today…

Keep an eye on your email for information on our next NPO Speaker Series. The event will be held in the next few months.

Page 38: Connect

Visit our website, follow Brown Smith Wallace on LinkedIn and Twitter or Like us on Facebook!

6 CityPlace Drive, Suite 900│ St. Louis, Missouri 63141 │ 314.983.1200

1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000

2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.659.7231

1.888.279.2792 │ www.bswllc.com

© 2014 All Rights Reserved Brown Smith Wallace LLC