Keeping Credit Card Information Secure
Everyone is worried about identity theft and the misuse of credit card data these days. Whose responsibility is it to keep this data secure? If you accept credit cards, the responsibility is, in part, yours. And since June 30th, the Payment Card Industry (PCI), the umbrella industry group for the credit card providers, has required that you meet a stiff standard for keeping this data locked down.
And be forewarned: these rules are not just for the big guys. In an article in Network World shortly before the requirements became mandatory, Ann Bednarz wrote:
Particularly for smaller merchants, PCI compliance might require purchasing security products, such as encryption, access control, and activity monitoring and logging devices. There are also procedural mandates - such as the need to implement formal security policies and vulnerability management programs - that will require IT resources.
Not only does the standard require that you keep all sensitive cardholder data encrypted and that you eliminate data you no longer need, it also stipulates that you document your procedures for handling that data. Do you allow supporters to pay a pledge by credit card? You will need to document how that data is recorded, entered into the database, and used. Do you take credit card numbers in the mail? You'll need to document who receives that mail, how it is recorded, and how the originals are destroyed. You can find the complete standard here.
Database security begins with strict login control. Make sure each person has a unique login (no shared accounts), and that people are not walking away from their desks with the computer logged in and available. Requiring users to log out or lock their workstations when they step away, and enabling screen savers that require a password to unlock, are wise moves.
Although the non-profit world is late in meeting the implementation deadline, people are starting to wake up. We have exactly one client who started to meet these requirements without any prodding from us. And now the YMCA of the USA is urging compliance: they devoted a session to this issue at their Technology Conference last week.
We are in the midst of announcing what we are doing about this for the users of our software. If you use MEMBERS ONLY and have not yet received information from us, please give your project manager a call. And if you are not a MEMBERS ONLY user, call your vendors and ask about PCI compliance. It's time to start moving before you have to explain to your donors -- or your bank -- that your card data was stolen.
Technorati Tags: nptech, cisp