SlideShare a Scribd company logo

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

S
Stephanie Gutowski

The document discusses data security and PCI compliance specifically for nonprofit payment processors using Drupal, highlighting the risks of fraud and strategies to mitigate it. It outlines the importance of maintaining PCI compliance to protect donor trust and details various compliance levels and self-assessment requirements. Additionally, it emphasizes the need for nonprofits to utilize security measures and resources to ensure safe handling of credit card information while minimizing risks.

Technology
1 of 22
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal Don’t let the bad guys win!
Agenda • Bit of Theory • PCI compliance as a service Provider • Practical implication for Non-Profits
Presenters • Stephen Bestbier – VP Marketing and Business Development at iATS Payments • Erik Mathy – Enterprise Onboarding Manager, GetPantheon • Aaron Crosman – Software Engineer, Message Agency
A bit about fraudsters… • They know to target charities • They’re SMART • They have a big bag of tricks • They’re always changing and adapting • They cost charities money – (median loss: $85K)
What do they do? • Testing stolen card numbers – $1.00 donations • Card number tumbling • Name tumbling • Refund scam • Creation of clone charities
Ways to STOP them • Velocity checking • Address verification (AVS) • CVV2 capability • IP blocking (high risk countries) • Minimum transaction limit • Payment Form – iFrame (least risk) – Direct Post (medium risk)
What is PCI? • Payment Card Industry Data Security Standard (PCI-DSS) • All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted
How PCI Helps • Creates an actionable framework to ensure safe handling of credit card data • Enables prevention, detection and appropriate handling of incidents • Maintaining PCI certification helps build donors’ trust
How to become PCI Compliant? • How – SAQ: Self Assessment Questionnaire, or – RoC: Report on Compliance using ISA or QSA • Identify Level of PCI Compliance • Security Assessment Questionnaire (SAQ) • Different SAQ depending on merchant’s systems and processes
PCI Compliance Levels Level Description 1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. 3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
SAQ’s – PCI DSS v. 3.0 SAQ Description A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. A-EP* E-commerce merchants who outsource all payment processing to PCI DSS third parties and who have a website that doesn’t directly receive cardholder data but can impact the security of the transaction. B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage B-IP* Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic data storage. C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage C* Merchants with payment application systems connected to the Internet, no electronic cardholder data storage P2PE-HW Merchants using only hardware payment terminals that are included in/managed via a PCI SSC-listed P2PE solution. No card holder data storage. D* All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ
SAQ’s – PCI DSS v. 3.0
What to do… • Achieve and maintain PCI compliance • Talk to your merchant provider – What tools are available? – How to implement? • Train your staff so they know what to look for – Refund policies, account patterns, etc.
PCI Compliance as a Cloud Service Provider PCI DSS Requirement for Cloud Software Providers (CSP) - Platform as a Service (PaaS) 1: Install and maintain a firewall configuration to protect cardholder data 2: Do not use vendor supplied defaults for system passwords and other security parameters 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks 5: Use and regularly update anti-virus software or programs 6: Develop and maintain secure systems and applications 7: Restrict access to cardholder data by business need to know 8: Assign a unique ID to each person with computer access 9: Restrict physical access to cardholder data 10: Track and monitor all access to network resources and cardholder data 11: Regularly test security systems and processes 12: Maintain a policy that addresses information security for all personnel
PCI Compliance as a Cloud Service Provider What does that all mean? • Securing/removing direct access (physical and software based) to servers and networks • Completely locking down direct access to all platform API’s • Fully logging every action taken on every server and API • Creating 2 factor authentication to all systems used by Pantheon • Created strong internal processes and policies around password strength/maximum allowed age, SSL certificates for identification, office access, and more… PCI compliance isn’t just about the hardware, it’s also about strong internal, secure business and personnel management practices.
Yes, there are ways to handle all this and stay sane. Now what?
Avoid ➔Outsource as much as possible to someone else. Minimize ➔Work hard to only need to follow SAQ-A or SAQ-AEP. Learn ➔Make sure you understand all the questions you’re answering. Basic Strategy We have to do what?!?
PCI standards encourage useful habits ➔Some of the policies are a good idea anyway. Don’t sacrifice user experience ➔Don’t outsource to a platform your users will hate. That may cost you more than compliance. But don’t totally avoid it... Some of these things are worth doing.
The main resource: ➔DrupalPCICompliance.org Services/Modules to look into: ➔iATS Payments (Direct Post Method) ➔HostedPCI ➔BrainTree/PayPal ➔Authorize.net (Direct Post Method) ➔Stripe Some helpful Drupal references Some references worth reading
Resources from iATS • White paper: Credit Card Fraud Prevention in Nonprofits • Infographic: Credit Card Fraud: How it impacts nonprofits • Infographic: Why PCI- DSS Compliance is a must have
Questions?
• Q: If I only accept credit cards over the phone, does PCI still apply to me? • Q: Do organizations using third-party processors have to be PCI compliant? • Q: Are debit card transactions in scope for PCI? • Q: What are the penalties for noncompliance? • What is a vulnerability scan? • Q: What if a merchant refuses to cooperate?

More Related Content

PDF
PCI compliance and fraud prevention for non profits
NetSquared Vancouver
 
PDF
To swipe or not to swipe payment card processing in sap
Sunando Ghosh
 
PDF
Intro to-payment-processing-in-sap
puppala
 
PPS
P0 Pcidss Overview
b28stu
 
PPTX
Payment Card Industry CMTA NOV 2010
Donald E. Hester
 
PDF
PCI Compliance Process
BluePayProcessing
 
PPTX
From Bad to Worse: How to Stay Protected from a Mega Data Breach
Paymetric, Inc.
 
PDF
PCI_Presentation_OASIS
Dermot Clarke
 
PCI compliance and fraud prevention for non profits
NetSquared Vancouver
 
To swipe or not to swipe payment card processing in sap
Sunando Ghosh
 
Intro to-payment-processing-in-sap
puppala
 
P0 Pcidss Overview
b28stu
 
Payment Card Industry CMTA NOV 2010
Donald E. Hester
 
PCI Compliance Process
BluePayProcessing
 
From Bad to Worse: How to Stay Protected from a Mega Data Breach
Paymetric, Inc.
 
PCI_Presentation_OASIS
Dermot Clarke
 

What's hot (20)

PPT
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Paymetric, Inc.
 
PDF
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
Paymetric, Inc.
 
PPTX
Payment Gateway
Asif Hussain
 
PDF
Payment Gateways in Kuwait - 2014 Update
Burhan Khalid
 
PPTX
Introduction To SAQ 4 U
RAlcala65
 
PPSX
Ccavenue presentation
Anurag Vikram
 
PPTX
Peter Afanasiev - Architecture of online Payments
Ciklum Ukraine
 
PPTX
PCI Compliance for Community Colleges @One CISOA 2011
Donald E. Hester
 
PDF
Payment gateway testing
Atul Pant
 
PPTX
Pay Easy Solutions International
jeanieaguilar
 
PDF
A Complete Model of the Payment Service Business
Frank Steeneken
 
DOC
How to test payment gateway functionality
Trupti Jethva
 
PDF
Payment Services in Kuwait
Burhan Khalid
 
PPTX
Payment gateways
NiyasudheenAK
 
PPT
Online payments and Security Gateways
Sarujan Chandrakumaran
 
PPTX
Core banking solution
RishiSundar2
 
PPTX
Online payment gateway provider
Payment Gateways
 
PPTX
Maze & Associates PCI Compliance Tracker for Local Governments
Donald E. Hester
 
PPTX
Payment gateway
HananBahy
 
PPTX
Payment Gateway
ShujaShah
 
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Paymetric, Inc.
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
Paymetric, Inc.
 
Payment Gateway
Asif Hussain
 
Payment Gateways in Kuwait - 2014 Update
Burhan Khalid
 
Introduction To SAQ 4 U
RAlcala65
 
Ccavenue presentation
Anurag Vikram
 
Peter Afanasiev - Architecture of online Payments
Ciklum Ukraine
 
PCI Compliance for Community Colleges @One CISOA 2011
Donald E. Hester
 
Payment gateway testing
Atul Pant
 
Pay Easy Solutions International
jeanieaguilar
 
A Complete Model of the Payment Service Business
Frank Steeneken
 
How to test payment gateway functionality
Trupti Jethva
 
Payment Services in Kuwait
Burhan Khalid
 
Payment gateways
NiyasudheenAK
 
Online payments and Security Gateways
Sarujan Chandrakumaran
 
Core banking solution
RishiSundar2
 
Online payment gateway provider
Payment Gateways
 
Maze & Associates PCI Compliance Tracker for Local Governments
Donald E. Hester
 
Payment gateway
HananBahy
 
Payment Gateway
ShujaShah
 
Ad

Similar to Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal (20)

PPTX
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PPT
eCommerce Summit Atlanta Mountain Media
eCommerce Merchants
 
PPT
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
Melanie Beam
 
PPT
PCI DSS
Duy Do Phan
 
PDF
PCI DSS: What it is, and why you should care
Sean D. Goodwin
 
PPT
Evolution Pci For Pod1
Amanda Squires@Pod1
 
PPTX
PCI Compliance (for developers)
Maksim Djackov
 
PPTX
A practical guides to PCI compliance
Jisc
 
PPTX
Payment Card Industry Introduction CMTA APR 2010
Donald E. Hester
 
PPTX
E commerce overview
Woodridge Software
 
PPT
Pci compliance overview earth link business
Mike Shelah
 
PPTX
PCI DSS Compliance Readiness
Al Abbas, PMP, CISSP, MBA, MSc
 
PPTX
What Everybody Ought to Know About PCI DSS and PA-DSS
London School of Cyber Security
 
PDF
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
DOCX
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
trippettjettie
 
PDF
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Rapid7
 
PPTX
Introduction to PCI DSS
Saumya Vishnoi
 
PDF
Adventures in PCI Wonderland
Michele Chubirka
 
PDF
Visa Compliance Mark National Certification
Mark Pollard
 
PPTX
Payment Card Industry Compliance for Local Governments CSMFO 2009
Donald E. Hester
 
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
eCommerce Summit Atlanta Mountain Media
eCommerce Merchants
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
Melanie Beam
 
PCI DSS
Duy Do Phan
 
PCI DSS: What it is, and why you should care
Sean D. Goodwin
 
Evolution Pci For Pod1
Amanda Squires@Pod1
 
PCI Compliance (for developers)
Maksim Djackov
 
A practical guides to PCI compliance
Jisc
 
Payment Card Industry Introduction CMTA APR 2010
Donald E. Hester
 
E commerce overview
Woodridge Software
 
Pci compliance overview earth link business
Mike Shelah
 
PCI DSS Compliance Readiness
Al Abbas, PMP, CISSP, MBA, MSc
 
What Everybody Ought to Know About PCI DSS and PA-DSS
London School of Cyber Security
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
trippettjettie
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Rapid7
 
Introduction to PCI DSS
Saumya Vishnoi
 
Adventures in PCI Wonderland
Michele Chubirka
 
Visa Compliance Mark National Certification
Mark Pollard
 
Payment Card Industry Compliance for Local Governments CSMFO 2009
Donald E. Hester
 
Ad

More from Stephanie Gutowski (9)

PPTX
Web Development Within your Means
Stephanie Gutowski
 
PDF
Demographic Data Collection Implications and Opportunities
Stephanie Gutowski
 
PDF
2015 NTC Ignite
Stephanie Gutowski
 
PDF
Demographic Data Collection Implications and Opportunities
Stephanie Gutowski
 
PDF
Content strategy 101
Stephanie Gutowski
 
PDF
Growing with Drupal and Salesforce
Stephanie Gutowski
 
PDF
The Art of Identifying Red Flags in Drupal Projects
Stephanie Gutowski
 
PPTX
It Takes Two: The Case for CRMs in Drupal
Stephanie Gutowski
 
PDF
20 in 20 august adams
Stephanie Gutowski
 
Web Development Within your Means
Stephanie Gutowski
 
Demographic Data Collection Implications and Opportunities
Stephanie Gutowski
 
2015 NTC Ignite
Stephanie Gutowski
 
Demographic Data Collection Implications and Opportunities
Stephanie Gutowski
 
Content strategy 101
Stephanie Gutowski
 
Growing with Drupal and Salesforce
Stephanie Gutowski
 
The Art of Identifying Red Flags in Drupal Projects
Stephanie Gutowski
 
It Takes Two: The Case for CRMs in Drupal
Stephanie Gutowski
 
20 in 20 august adams
Stephanie Gutowski
 

Recently uploaded (20)

PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Cloud computing and distributed systems.
kkkkkhan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
A Presentation on Artificial Intelligence
memembruh336
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
KodekX | Application Modernization Development
KodekX
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

  • 1. Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal Don’t let the bad guys win!
  • 2. Agenda • Bit of Theory • PCI compliance as a service Provider • Practical implication for Non-Profits
  • 3. Presenters • Stephen Bestbier – VP Marketing and Business Development at iATS Payments • Erik Mathy – Enterprise Onboarding Manager, GetPantheon • Aaron Crosman – Software Engineer, Message Agency
  • 4. A bit about fraudsters… • They know to target charities • They’re SMART • They have a big bag of tricks • They’re always changing and adapting • They cost charities money – (median loss: $85K)
  • 5. What do they do? • Testing stolen card numbers – $1.00 donations • Card number tumbling • Name tumbling • Refund scam • Creation of clone charities
  • 6. Ways to STOP them • Velocity checking • Address verification (AVS) • CVV2 capability • IP blocking (high risk countries) • Minimum transaction limit • Payment Form – iFrame (least risk) – Direct Post (medium risk)
  • 7. What is PCI? • Payment Card Industry Data Security Standard (PCI-DSS) • All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted
  • 8. How PCI Helps • Creates an actionable framework to ensure safe handling of credit card data • Enables prevention, detection and appropriate handling of incidents • Maintaining PCI certification helps build donors’ trust
  • 9. How to become PCI Compliant? • How – SAQ: Self Assessment Questionnaire, or – RoC: Report on Compliance using ISA or QSA • Identify Level of PCI Compliance • Security Assessment Questionnaire (SAQ) • Different SAQ depending on merchant’s systems and processes
  • 10. PCI Compliance Levels Level Description 1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. 3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
  • 11. SAQ’s – PCI DSS v. 3.0 SAQ Description A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. A-EP* E-commerce merchants who outsource all payment processing to PCI DSS third parties and who have a website that doesn’t directly receive cardholder data but can impact the security of the transaction. B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage B-IP* Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic data storage. C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage C* Merchants with payment application systems connected to the Internet, no electronic cardholder data storage P2PE-HW Merchants using only hardware payment terminals that are included in/managed via a PCI SSC-listed P2PE solution. No card holder data storage. D* All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ
  • 12. SAQ’s – PCI DSS v. 3.0
  • 13. What to do… • Achieve and maintain PCI compliance • Talk to your merchant provider – What tools are available? – How to implement? • Train your staff so they know what to look for – Refund policies, account patterns, etc.
  • 14. PCI Compliance as a Cloud Service Provider PCI DSS Requirement for Cloud Software Providers (CSP) - Platform as a Service (PaaS) 1: Install and maintain a firewall configuration to protect cardholder data 2: Do not use vendor supplied defaults for system passwords and other security parameters 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks 5: Use and regularly update anti-virus software or programs 6: Develop and maintain secure systems and applications 7: Restrict access to cardholder data by business need to know 8: Assign a unique ID to each person with computer access 9: Restrict physical access to cardholder data 10: Track and monitor all access to network resources and cardholder data 11: Regularly test security systems and processes 12: Maintain a policy that addresses information security for all personnel
  • 15. PCI Compliance as a Cloud Service Provider What does that all mean? • Securing/removing direct access (physical and software based) to servers and networks • Completely locking down direct access to all platform API’s • Fully logging every action taken on every server and API • Creating 2 factor authentication to all systems used by Pantheon • Created strong internal processes and policies around password strength/maximum allowed age, SSL certificates for identification, office access, and more… PCI compliance isn’t just about the hardware, it’s also about strong internal, secure business and personnel management practices.
  • 16. Yes, there are ways to handle all this and stay sane. Now what?
  • 17. Avoid ➔Outsource as much as possible to someone else. Minimize ➔Work hard to only need to follow SAQ-A or SAQ-AEP. Learn ➔Make sure you understand all the questions you’re answering. Basic Strategy We have to do what?!?
  • 18. PCI standards encourage useful habits ➔Some of the policies are a good idea anyway. Don’t sacrifice user experience ➔Don’t outsource to a platform your users will hate. That may cost you more than compliance. But don’t totally avoid it... Some of these things are worth doing.
  • 19. The main resource: ➔DrupalPCICompliance.org Services/Modules to look into: ➔iATS Payments (Direct Post Method) ➔HostedPCI ➔BrainTree/PayPal ➔Authorize.net (Direct Post Method) ➔Stripe Some helpful Drupal references Some references worth reading
  • 20. Resources from iATS • White paper: Credit Card Fraud Prevention in Nonprofits • Infographic: Credit Card Fraud: How it impacts nonprofits • Infographic: Why PCI- DSS Compliance is a must have
  • 22. • Q: If I only accept credit cards over the phone, does PCI still apply to me? • Q: Do organizations using third-party processors have to be PCI compliant? • Q: Are debit card transactions in scope for PCI? • Q: What are the penalties for noncompliance? • What is a vulnerability scan? • Q: What if a merchant refuses to cooperate?