The topics discussed here grow out of the bread-and-butter issues that confront my consulting and software clients on a daily basis. We'll talk about prosaic stuff like Membership Management, Meetings and Events Management and Fundraising, broader ideas like security and software project management, and the social, cultural, and organizational issues that impact IT decision-making.

Wednesday, October 26, 2005

Keeping Credit Card Information Secure

Everyone is worried about identity theft and misuse of credit card data these days. Whose responsibility is it to keep this data secure? Well, if you accept credit cards, the responsibility, in part, is yours. And since June 30th, the Payment Card Industry (PCI), the umbrella industry group for the credit card providers, has been requiring that you meet quite a stiff standard for keeping this data locked down.

And be forewarned: these rules are not just for the big guys. In an article in Network World shortly before the requirements became mandatory, Ann Bednarz wrote:
Particularly for smaller merchants, PCI compliance might require purchasing security products, such as encryption, access control, and activity monitoring and logging devices. There are also procedural mandates - such as the need to implement formal security policies and vulnerability management programs - that will require IT resources.

Not only does the standard require that you keep all sensitive data encrypted and that you eliminate data you no longer need, it also stipulates that you document your procedures for handling the data. Do you allow supporters to pay a pledge via credit card? You will need to document how that data is recorded, entered into the database, and utilized. Do you take credit card numbers in the mail? You'll need to document who receives that mail, how it is recorded, and how the originals are destroyed. You can find the complete standard here.

Database security begins with strict login control. You'd better make sure each person has a unique login, and that people are not walking away from their desks with the computer logged in and available. Requiring your users to log out or lock their computers when they step away, and to use screen savers that require a password to re-enter, are wise moves.

Although the non-profit world is late in meeting the implementation deadline, people are starting to wake up. We have exactly one client who started to meet these requirements without any prodding from us. And now the YMCA of the USA is urging compliance: they devoted a session to this issue at their Technology Conference last week.

We are in the midst of announcing what we are doing on this issue for the users of our software. If you use MEMBERS ONLY and have not yet received information from us, please give your project manager a call. And if you are not a MEMBERS ONLY user, call your vendors and ask about this issue. It's time to start moving on this issue before you have to explain to your donors -- or your bank -- that your card data was stolen.



Comments on "Keeping Credit Card Information Secure"

 

Anonymous Credit Card said ... (December 11, 2006 at 2:40 AM) : 

Michael,

You have provided class information on Keeping the Credit Card Secure. It's really useful to me and of course for others too.

Chris
Credit Card

 

Anonymous CreditThinker said ... (August 2, 2007 at 4:49 AM) : 

Years have passed but now our credit card information is not more secure than it was at the time you posted this. Sad...

 

Anonymous Credit Analyst said ... (December 22, 2007 at 7:16 AM) : 

Yes, I used to panic whenever I entered my credit card details online. Credit card safety is a big issue that needs to be handled properly.

 

Blogger shannon said ... (January 8, 2008 at 9:51 PM) : 

It is absolutely the businesses that accept credit cards, or, fraudulent ones anyway, that are responsible for these transactions. I have heard of the actual processing company, the one that holds the merchant accounts, being responsible for the fraudulent charges before, and it makes no sense!!

 

Anonymous mastercard said ... (September 10, 2009 at 4:43 AM) : 

Post is really good. Keeping your card info secure is the best thing that a cardholder needs to do because fraudulent activities are very rampant nowadays.

 

Anonymous Bank account said ... (September 22, 2009 at 5:17 AM) : 

Providing information should be handled by bank employees only. Giving out information is really scary; that's why I don't just give out any of my information to anybody, because fraudulent activity is rampant.

 
