PCI Compliance Blog

On the Road With Bucky Wall

Posted on behalf of Bucky Wall:

Last week, Jake Marcinko, Blackbaud's Data Security Manager, and I attended the PCI Security Standards Council's (PCI SSC) annual community meeting in Orlando, FL. (You may recall from an earlier press release that Blackbaud joined the PCI SSC this past summer.) The main focus of this year's meeting was the roll-out of the PA-DSS and PCI DSS standards, version 1.2.

In general, it was a bit of an eye-opener. This was mostly because it's fairly clear that the non-profit space is not on the Security Council's radar. You would think it would be, since charitable giving topped 300 billion last year in the US alone (and while I don't have stats on the amount donated via credit cards, you can bet it's a sizable number).

Why is the non-profit community a bit of an afterthought? A few things come to mind:
  • We haven't seen a serious breach of security resulting in the loss of a large amount of credit card information. And, unfortunately, many organizations don't have self-auditing processes and wouldn't know if there had been a breach.
  • Most non-profits have a relatively small number of credit cards in their databases, so any loss would be relatively small in comparison to a large merchant (can you say "TJ Maxx"?).
  • General credit card security concerns have been slow to arise in the non-profit space.
  • The unique relationship between a donor and the receiving organization is fundamentally different from that between a merchant and a purchaser. Donors don't complain as much as purchasers…

Why should we want to be on the Council's radar?
Decisions have been made, and will continue to be made over the next few years, that will impact the way non-profits accept credit card donations. You will want a say in these decisions. You might even consider joining the council (see: https://www.pcisecuritystandards.org/participation/join.shtml).

By joining you will be able to:
  • Vote for Participating Organization representatives on the PCI Security Standards Council Board of Advisors.
  • Nominate a representative to stand for election to the PCI Security Standards Council Board of Advisors.
  • Comment on drafts of all revisions to the DSS specification, and on any new specifications, prior to public release.
  • Attend Community Meetings hosted by the PCI Security Standards Council.
  • Recommend new initiatives for consideration to the PCI Security Standards Council.

I plan to push for a special interest group within the council focusing on the needs of non-profits, but it may take some politicking to get this approved.

What were my main take-aways?
  • Look for the "touch points" regarding credit card data. Who sees or touches credit card information and why? If you don't need this information, then get rid of it.
  • Self-assess. Contact a Qualified Assessor to help if needed, but take some time to see how vulnerable your data environment is, keeping in mind you will probably need to change some of your business practices based on what you discover.
  • Requirements are not absolute. There is a lot of grey area associated with these requirements; look at the best practices and see what makes sense for your organization.
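The first two take-aways, finding where card data actually sits and self-assessing, are easier with a small discovery script you can run over exports, notes fields and logs. The following is an added example, not code from this post or from Blackbaud: it assumes the data arrives as lines of text (the sample records below are constructed and use publicly documented test card numbers), flags digit runs of plausible card length that pass the Luhn check, and reports only masked values so the scan output does not itself become a new touch point.

```python
import re
from typing import List, Tuple

# Constructed sample data (assumption: a donor export with free-text notes).
# The card-like numbers are well-known test numbers, not real accounts.
SAMPLE_RECORDS = [
    "donor_id=1001 note='paid by check'",
    "donor_id=1002 note='card on file 4111 1111 1111 1111 exp 12/09'",
    "donor_id=1003 note='member number 1234567890123456'",  # 16 digits, fails Luhn
    "donor_id=1004 note='AmEx 3782-822463-10005'",
]

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits; the scan report must never hold a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked versions of every Luhn-valid card-like number in one line of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_records(records: List[str]) -> List[Tuple[int, str]]:
    """Scan each record; return (record index, masked PAN) pairs for follow-up review."""
    findings = []
    for idx, rec in enumerate(records):
        for masked in find_pans(rec):
            findings.append((idx, masked))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: possible stored card data {masked}")
```

Treat the findings as leads for the touch-point review rather than proof: roughly one in ten random digit strings of the right length passes Luhn, so membership IDs and account numbers will occasionally show up, and card numbers stored in encrypted or truncated form will not. Each confirmed hit is a place to ask who needs the data and whether it can be removed.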
