Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal
Don’t let the bad guys win!
Agenda
• Bit of Theory
• PCI compliance as a service Provider
• Practical implications for nonprofits
Presenters
• Stephen Bestbier – VP Marketing and Business Development at iATS Payments
• Erik Mathy – Enterprise Onboarding Manager, GetPantheon
• Aaron Crosman – Software Engineer, Message Agency
A bit about fraudsters…
• They know to target charities
• They’re SMART
• They have a big bag of tricks
• They’re always changing and adapting
• They cost charities money
– (median loss: $85K)
What do they do?
• Testing stolen card numbers – $1.00 donations
• Card number tumbling
• Name tumbling
• Refund scam
• Creation of clone charities
Ways to STOP them
• Velocity checking
• Address verification (AVS)
• CVV2 capability
• IP blocking (high risk countries)
• Minimum transaction limit
• Payment Form
– iFrame (least risk)
– Direct Post (medium risk)
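The fraud patterns on the previous slide ($1.00 card tests, card number tumbling, name tumbling) and the counter-measures listed here (velocity checking, AVS, CVV2, IP blocking by country, a minimum transaction limit) can be expressed as a small screening rule set that runs over each donation attempt before it is submitted for authorization. The Python below is an added example written for this page; it is not code from iATS, Pantheon, Message Agency or any of the Drupal modules the deck mentions, and it is in Python rather than PHP because nothing in it is processor-specific. The attempts, IP addresses (documentation ranges), card tokens, the country code "ZZ", the AVS/CVV result conventions ("Y" and "M" meaning a match) and every threshold are constructed for the demonstration; in a real integration those results and limits come from the payment processor.

```python
"""Rule-based screening for the donation-fraud patterns named in the slides.

Added example, not code from the presentation or any listed vendor. Each
attempt is checked against: a minimum transaction limit (catches $1.00 card
tests), a blocked-country list, the AVS and CVV2 results returned by the
processor, a per-IP velocity limit, card-number tumbling (many cards from one
IP) and name tumbling (many names on one card). All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: int        # seconds since an arbitrary epoch (constructed)
    ip: str        # client address (documentation ranges only)
    name: str      # cardholder name as typed on the form
    card: str      # processor token / hashed PAN placeholder; never a raw PAN
    amount: float  # donation amount in dollars
    avs: str       # AVS result from the processor; "Y" = full match (assumed code)
    cvv: str       # CVV2 result from the processor; "M" = match (assumed code)


@dataclass(frozen=True)
class Policy:
    min_amount: float = 5.00        # minimum transaction limit
    window_s: int = 600             # sliding window for velocity/tumbling checks
    max_attempts_per_ip: int = 5    # attempts per IP inside the window
    max_cards_per_ip: int = 3       # distinct cards per IP inside the window
    max_names_per_card: int = 2     # distinct names per card inside the window
    blocked_countries: frozenset = frozenset()


class Screener:
    """Keeps per-IP and per-card history and returns the rules each attempt trips."""

    def __init__(self, policy, ip_country):
        self.policy = policy
        self.ip_country = ip_country      # ip -> country code (constructed lookup)
        self.by_ip = defaultdict(list)    # ip -> [(ts, card)]
        self.by_card = defaultdict(list)  # card -> [(ts, name)]

    def _prune(self, events, now):
        cutoff = now - self.policy.window_s
        events[:] = [e for e in events if e[0] >= cutoff]

    def screen(self, a):
        p, reasons = self.policy, []
        if a.amount < p.min_amount:
            reasons.append("below_minimum")
        if self.ip_country.get(a.ip) in p.blocked_countries:
            reasons.append("blocked_country")
        if a.avs != "Y":
            reasons.append("avs_mismatch")
        if a.cvv != "M":
            reasons.append("cvv_mismatch")
        # Declined attempts are recorded too: a tester's failures still count.
        ip_events = self.by_ip[a.ip]
        self._prune(ip_events, a.ts)
        ip_events.append((a.ts, a.card))
        if len(ip_events) > p.max_attempts_per_ip:
            reasons.append("velocity")
        if len({card for _, card in ip_events}) > p.max_cards_per_ip:
            reasons.append("card_tumbling")
        card_events = self.by_card[a.card]
        self._prune(card_events, a.ts)
        card_events.append((a.ts, a.name))
        if len({name for _, name in card_events}) > p.max_names_per_card:
            reasons.append("name_tumbling")
        return reasons


DEFAULT_POLICY = Policy(blocked_countries=frozenset({"ZZ"}))  # "ZZ" is a placeholder code
IP_COUNTRY = {"198.51.100.4": "US", "203.0.113.7": "ZZ", "192.0.2.9": "US"}

SAMPLE_ATTEMPTS = [
    Attempt(0, "198.51.100.4", "Pat Donor", "tok_a1", 50.00, "Y", "M"),  # genuine gift
    # Card testing: nine $1.00 gifts in 90 s, a different stolen card each time.
    *[Attempt(10 + 10 * i, "203.0.113.7", "J Smith", f"tok_t{i}", 1.00, "N", "N")
      for i in range(9)],
    # Name tumbling: one card, three cardholder names within a minute.
    Attempt(200, "192.0.2.9", "Alice Q", "tok_c9", 25.00, "Y", "M"),
    Attempt(230, "192.0.2.9", "Bob R", "tok_c9", 25.00, "Y", "M"),
    Attempt(260, "192.0.2.9", "Carol S", "tok_c9", 25.00, "Y", "M"),
]


def run_screening(attempts, policy=DEFAULT_POLICY, ip_country=IP_COUNTRY):
    """Screen attempts in timestamp order; returns one reason list per attempt."""
    screener = Screener(policy, ip_country)
    return [screener.screen(a) for a in sorted(attempts, key=lambda a: a.ts)]


if __name__ == "__main__":
    ordered = sorted(SAMPLE_ATTEMPTS, key=lambda a: a.ts)
    for a, reasons in zip(ordered, run_screening(SAMPLE_ATTEMPTS)):
        verdict = "DECLINE" if reasons else "accept"
        print(f"{a.ts:4d}s {a.ip:13} {a.name:10} {a.card:7} ${a.amount:6.2f} "
              f"{verdict:7} {', '.join(reasons)}")
```

Run stand-alone it prints one line per attempt with the rules it tripped: the genuine $50 gift and the first two name-tumbling attempts pass, every $1.00 test is declined on the minimum-amount rule alone (the AVS/CVV and country rules pile on), the fourth card from the same address trips the card-tumbling rule and the sixth attempt trips velocity. The design choice worth noting is that declined attempts are still written into the per-IP and per-card history, because a fraudster's failed tests are exactly the signal velocity checking relies on.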
What is PCI?
• Payment Card Industry Data Security Standard (PCI-DSS)
• All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted
How PCI Helps
• Creates an actionable framework to ensure safe handling of credit card data
• Enables prevention, detection and appropriate handling of incidents
• Maintaining PCI certification helps build donors’ trust
How to become PCI Compliant?
• How
– SAQ: Self Assessment Questionnaire, or
– RoC: Report on Compliance using an ISA or QSA
• Identify your level of PCI compliance
• Self Assessment Questionnaire (SAQ)
• Different SAQ depending on the merchant’s systems and processes
PCI Compliance Levels

| Level | Description |
|---|---|
| 1 | Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year. |
SAQs – PCI DSS v. 3.0

| SAQ | Description |
|---|---|
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. |
| A-EP* | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website that doesn’t directly receive cardholder data but can impact the security of the transaction. |
| B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. |
| B-IP* | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic cardholder data storage. |
| C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage. |
| C* | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. |
| P2PE-HW | Merchants using only hardware payment terminals that are included in/managed via a PCI SSC-listed P2PE solution. No cardholder data storage. |
| D* | All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ. |
SAQs – PCI DSS v. 3.0
What to do…
• Achieve and maintain PCI compliance
• Talk to your merchant provider
– What tools are available?
– How to implement?
• Train your staff so they know what to look for
– Refund policies, account patterns, etc.
PCI Compliance as a Cloud Service Provider
PCI DSS Requirements for Cloud Software Providers (CSP) - Platform as a Service (PaaS)
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor supplied defaults for system passwords and other security parameters
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
5: Use and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need to know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security for all personnel
PCI Compliance as a Cloud Service Provider
What does that all mean?
• Securing/removing direct access (physical and software based) to servers and networks
• Completely locking down direct access to all platform APIs
• Fully logging every action taken on every server and API
• Requiring two-factor authentication for all systems used by Pantheon
• Creating strong internal processes and policies around password strength/maximum allowed age, SSL certificates for identification, office access, and more…
PCI compliance isn’t just about the hardware, it’s also about strong internal, secure business and personnel management practices.
Yes, there are ways to handle all this and stay sane.
Now what?
Basic Strategy
We have to do what?!?
Avoid ➔ Outsource as much as possible to someone else.
Minimize ➔ Work hard to only need to follow SAQ A or SAQ A-EP.
Learn ➔ Make sure you understand all the questions you’re answering.
But don’t totally avoid it...
Some of these things are worth doing.
PCI standards encourage useful habits ➔ Some of the policies are a good idea anyway.
Don’t sacrifice user experience ➔ Don’t outsource to a platform your users will hate. That may cost you more than compliance.
Some helpful Drupal references
Some references worth reading
The main resource:
➔ DrupalPCICompliance.org
Services/Modules to look into:
➔ iATS Payments (Direct Post Method)
➔ HostedPCI
➔ BrainTree/PayPal
➔ Authorize.net (Direct Post Method)
➔ Stripe
Resources from iATS
• White paper: Credit Card Fraud Prevention in Nonprofits
• Infographic: Credit Card Fraud: How it impacts nonprofits
• Infographic: Why PCI-DSS Compliance is a must have
Questions?
• Q: If I only accept credit cards over the phone, does PCI still apply to me?
• Q: Do organizations using third-party processors have to be PCI compliant?
• Q: Are debit card transactions in scope for PCI?
• Q: What are the penalties for noncompliance?
• Q: What is a vulnerability scan?
• Q: What if a merchant refuses to cooperate?