December 9, 2008

That Donation Just Cost You $25,000
Times are changing in the payment card industry

By Jake Marcinko

How is your organization handling credit card information? Where do you store it and who has access to it? Have you given it much thought recently? If you haven’t thought about it, you really should do so. The credit card companies are certainly paying attention to what you’re doing and are tightening the screws to persuade organizations to make changes in the way they think about and handle credit card information.

Credit card fraud has been a growing problem and is big business for malicious individuals and organized groups alike. According to the July 2007 Nilson Report, losses to card issuers (e.g., Visa, MasterCard) due to card fraud in 2006 totaled $4.84 billion, up 12.8 percent from the previous year. As fraud losses have increased, credit card companies have recognized a greater need for formalized security standards and practices.

In an effort to facilitate the broad adoption of consistent security measures on a global basis, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. jointly created the Payment Card Industry Data Security Standard (PCI DSS) in June 2004. The PCI DSS is built on six fundamental objectives, which are further divided into 12 major requirements and a slew of sub-requirements. These requirements cover broad topics such as network design, software development, security administration, and IT governance.

How does PCI affect your organization? Well, first you need to determine what information you maintain and whether or not it is within the scope of the PCI DSS. The PCI DSS defines cardholder information as the primary account number (“PAN” or credit card number) and other data obtained as part of a payment transaction, including cardholder name, expiration date, service code, and “sensitive authentication data” such as magnetic stripe data, PIN, CVV2, or CVC2 information. The PAN is the defining factor in the applicability of PCI DSS. If your organization stores, processes, or transmits PANs, then you are expected to comply with the full extent of the PCI DSS. Those that do not store, process, or transmit PANs are not required to comply. If you are uncertain as to how PCI affects you, the best course of action is to contact your processor or acquiring bank to determine your compliance requirements.

Penalties for non-compliance vary, ranging from $5,000 to $25,000 per month for each month an organization is found to be non-compliant. These fines are typically levied directly against the card processor or merchant bank that issues the merchant account to the merchant found to be in violation.

However, those fines are typically passed down to the merchant in one form or another. Despite these hefty fines, the most costly penalties for non-compliance are actually incurred when your organization experiences a data loss. The loss of your reputation, the loss of your customers, and the risk of litigation are far more damaging to your business than simple fines. If the circumstances surrounding the data loss are particularly egregious, the card companies could even revoke your ability to process credit cards altogether.

Securing credit card information is not about protecting the card companies or addressing yet another compliance standard. It’s about our due diligence to protect cardholders from having their information distributed, whether intentionally or unintentionally, to those who intend to misuse it. For far too long, organizations have been careless in the use and protection of our personal information. All you need to do is pick up the newspaper or watch the news to see the numerous cases that substantiate this claim. If you have ever been a victim of identity theft, then you know that the burden of resolving issues related to the loss of personal information is placed solely on the individual. The fact that identity theft has impacted more than 3 percent of the U.S. population to date should be disturbing to most.

What is worse is that that number continues to grow. Now is the time for organizations to come together to do something about this disturbing trend, and one important step forward is the broad adoption of the Payment Card Industry Data Security Standard. Doing so is simply the right thing to do, and that is what nonprofits do best.

***

Jake Marcinko is information security manager at Blackbaud. His email is Jake.Marcinko@blackbaud.com.

***

This article is from NPT TechnoBuzz, a publication of The NonProfit Times.
