Upload
skgutowski
View
123
Download
1
Tags:
Embed Size (px)
Citation preview
Data Security, Fraud Prevention and PCI for Nonprofit Payment
Processors in Drupal
Don’t let the bad guys win!
Agenda
• Bit of Theory
• PCI compliance as a service Provider
• Practical implication for Non-Profits
Presenters
• Stephen Bestbier – VP Marketing and Business Development at
iATS Payments
• Erik Mathy – Enterprise Onboarding Manager, GetPantheon
• Aaron Crosman – Software Engineer, Message Agency
A bit about fraudsters…
• They know to target charities • They’re SMART • They have a big bag of tricks • They’re always changing and adapting • They cost charities money
– (median loss: $85K)
What do they do?
• Testing stolen card numbers – $1.00 donations
• Card number tumbling • Name tumbling • Refund scam • Creation of clone charities
Ways to STOP them
• Velocity checking • Address verification (AVS) • CVV2 capability • IP blocking (high risk countries) • Minimum transaction limit • Payment Form
– iFrame (least risk) – Direct Post (medium risk)
What is PCI?
• Payment Card Industry Data Security Standard (PCI-DSS)
• All merchants (regardless of size) must meet established standards of security relating to how credit card data is stored, processed and transmitted
How PCI Helps
• Creates an actionable framework to ensure safe handling of credit card data
• Enables prevention, detection and appropriate handling of incidents
• Maintaining PCI certification helps build donors’ trust
How to become PCI Compliant?
• How – SAQ: Self Assessment Questionnaire, or – RoC: Report on Compliance using ISA or QSA
• Identify Level of PCI Compliance • Security Assessment Questionnaire (SAQ) • Different SAQ depending on merchant’s
systems and processes
PCI Compliance Levels Level Description
1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 Any merchant processing fewer than 20,000 transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
SAQ’s – PCI DSS v. 3.0 SAQ Description
A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
A-EP* E-commerce merchants who outsource all payment processing to PCI DSS third parties and who have a website that doesn’t directly receive cardholder data but can impact the security of the transaction.
B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
B-IP* Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic data storage.
C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage
C* Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
P2PE-HW Merchants using only hardware payment terminals that are included in/managed via a PCI SSC-listed P2PE solution. No card holder data storage.
D* All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ
SAQ’s – PCI DSS v. 3.0
What to do…
• Achieve and maintain PCI compliance • Talk to your merchant provider
– What tools are available? – How to implement?
• Train your staff so they know what to look for – Refund policies, account patterns, etc.
PCI Compliance as a Cloud Service Provider
PCI DSS Requirement for Cloud Software Providers (CSP) - Platform as a Service (PaaS) 1: Install and maintain a firewall configuration to protect cardholder data 2: Do not use vendor supplied defaults for system passwords and other security parameters 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks 5: Use and regularly update anti-virus software or programs 6: Develop and maintain secure systems and applications 7: Restrict access to cardholder data by business need to know 8: Assign a unique ID to each person with computer access 9: Restrict physical access to cardholder data 10: Track and monitor all access to network resources and cardholder data 11: Regularly test security systems and processes 12: Maintain a policy that addresses information security for all personnel
PCI Compliance as a Cloud Service Provider
What does that all mean? • Securing/removing direct access (physical
and software based) to servers and networks
• Completely locking down direct access to all platform API’s
• Fully logging every action taken on every server and API
• Creating 2 factor authentication to all systems used by Pantheon
• Created strong internal processes and policies around password strength/maximum allowed age, SSL certificates for identification, office access, and more…
PCI compliance isn’t just about the hardware, it’s also about strong internal, secure business and personnel management practices.
Yes, there are ways to handle all this and stay sane.
Now what?
Avoid ➔Outsource as much as possible to someone
else. Minimize ➔Work hard to only need to follow SAQ-A or
SAQ-AEP. Learn ➔Make sure you understand all the questions
you’re answering.
Basic Strategy
We have to do what?!?
PCI standards encourage useful habits ➔Some of the policies are a good idea
anyway. Don’t sacrifice user experience ➔Don’t outsource to a platform your users will
hate. That may cost you more than compliance.
But don’t totally avoid it...
Some of these things are worth doing.
The main resource: ➔DrupalPCICompliance.org Services/Modules to look into: ➔ iATS Payments (Direct Post Method) ➔HostedPCI ➔BrainTree/PayPal ➔Authorize.net (Direct Post Method) ➔Stripe
Some helpful Drupal references
Some references worth reading
Resources from iATS
• White paper: Credit Card Fraud Prevention in Nonprofits
• Infographic: Credit Card Fraud: How it impacts nonprofits
• Infographic: Why PCI-DSS Compliance is a must have
Questions?
• Q: If I only accept credit cards over the phone, does PCI still apply to me?
• Q: Do organizations using third-party processors have to be PCI compliant?
• Q: Are debit card transactions in scope for PCI? • Q: What are the penalties for noncompliance? • What is a vulnerability scan? • Q: What if a merchant refuses to cooperate?