12 Musts for Your EFT Program
Online identity theft has prompted regulatory bodies and a number of U.S. states to create rules and laws governing the protection of personal information and the procedure for reporting a data breach.
Drilling down on this issue is Andrew Conry-Murray, business editor at Network Computing magazine and author of “The Symantec Guide to Home Internet Security,” in an article published on TechSoup.org — a hub of technology information and assistance for nonprofit organizations.
The article specifically looks at the security requirements that apply to most nonprofit organizations that process credit card transactions online. According to Conry-Murray, nonprofits should familiarize themselves with the Payment Card Industry Data Security Standard (PCI DSS, maintained by the PCI Security Standards Council, which was founded by MasterCard, Visa, American Express, JCB and Discover), as well as with state identity theft and breach notification laws.
PCI DSS places merchants into four levels according to their annual number of credit card transactions. Conry-Murray says most nonprofits process fewer than 20,000 transactions and therefore fall into Level 4. The level mainly determines how compliance is validated (for Level 4, typically an annual self-assessment questionnaire, plus quarterly network scans where the acquiring bank requires them, rather than an on-site audit); the controls themselves are the same at every level, so even the smallest merchant must adhere to the following 12 requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
An organization that fails to comply with these standards can be fined: the card brands levy penalties on the acquiring bank, which passes them on to the merchant. Conry-Murray advises nonprofits to first check with their bank or card processor to find out exactly what they must do to comply.
For organizations that do need to comply but lack the resources (e.g., staff) to do so, one alternative is to hire a third-party service to handle credit card processing, so that card numbers never reach the organization's own servers or databases. This reduces the scope of the requirements rather than eliminating them: the organization is still responsible for the part of its website that hands the donor off to the processor, and usually still completes a short self-assessment questionnaire.
To read the article “New Laws for Organizations That Accept Online Payments” visit www.techsoup.org/learningcenter/webbuilding/page6432.cfm?rss=1.