Complying with Data Security Regulation
Personal information cannot be transferred to you by your customers (donors) without encryption. Personal information is defined as someone's name transmitted along with their credit card number, driver's license number, or other data that could be used to access their financial records.
Nevada is the first state to pass legislation like this, but it's a good bet that they are the first of fifty. Massachusetts is right behind them. And if the government won't get you, the credit card industry might. The regulations that they impose on larger retailers for credit card security are even tougher. These initially applied to retailers bringing in far more money via credit card than most of us do, but they have lowered the financial threshold each year, bringing smaller and smaller organizations under that regulatory umbrella.
So, the question is, how many of you receive donations via email? If you do accept donations over the web, are you certain that they're encrypted from the time of input until they land inside your (secured) network? What do you do with them when you receive them? Do you email credit card numbers within the office? Retain them in a database, spreadsheet or document?
Most nonprofits are understaffed and unautomated. We accept donations in any manner that the donors choose to send them, and get them into our record-keeping systems in a myriad of fashions. The bad news here is that this will have to change. The good news is, if you do it right, you should be able to adopt new practices that streamline the maintenance of your donor data and reduce the workload. Even better, if the solution is to move from Excel or Word to Salesforce or Etapestry, then you'll not only have a better record-keeping system, you'll also have good analytical tools for working with your donors.
Automating systems, refining business processes, improving data management and maintenance -- these are all of the things that we know are important to do someday. It looks like the urgency is rising. So don't treat this threat as an impediment to your operations -- treat it like an opportunity to justify some necessary improvements in your organization.
The relevant snippet from the Nevada law:
"1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
2. As used in this section:
(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.
(b) “Personal information” has the meaning ascribed to it in NRS 603A.040."
"Personal Information" is defined as:
“Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
1. Social security number.
2. Driver’s license number or identification card number.
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
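The statutory definition above is mechanical enough to check in code, and the questions earlier in the post (card numbers e-mailed around the office, kept in spreadsheets) are exactly what a data-discovery scan is for. The following is an added example, not code from the post or from any law, vendor or product it mentions: a small Python scanner that finds card-number-like strings in free text (Luhn checksum to cut down false hits) and applies the NRS 603A.040 rule, name plus one qualifying element and not encrypted, to donor records. The sample e-mail and record field names (first_name, last_name, ssn, card_number, security_code, encrypted) are constructed for the example.

```python
import re

# Constructed sample: the kind of internal e-mail the post warns about.
SAMPLE_EMAIL = """Hi Pat, here is the donation from J. Smith.
Card: 4111 1111 1111 1111, CVV 123, exp 12/2011. Order ref 1234567890123.
Call me at 775-555-0123 if anything is unclear. Thanks!"""

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers (digits only) found in free text.

    Long digit runs that fail the Luhn check (order IDs, phone numbers) are dropped,
    so a hit is a strong signal that unencrypted card data is present.
    """
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def is_personal_information(record: dict) -> bool:
    """Apply the NRS 603A.040 definition quoted in the post to one donor record.

    Personal information = (first name or first initial) + last name, combined with
    at least one of: SSN (more than the last four digits), driver's license or ID
    card number, or an account/card number together with the security code, access
    code or password that would permit access. Encrypted fields do not count.
    Note that PCI rules treat a card number on its own as sensitive even though
    this statute only counts it when paired with a code or password.
    """
    if record.get("encrypted"):
        return False
    first = record.get("first_name") or record.get("first_initial")
    if not (first and record.get("last_name")):
        return False
    ssn_digits = re.sub(r"\D", "", record.get("ssn") or "")
    if len(ssn_digits) > 4:                 # last four alone are excluded
        return True
    if record.get("drivers_license"):
        return True
    if record.get("card_number") and (
        record.get("security_code") or record.get("password")
    ):
        return True
    return False


def scan_donor_records(records: list) -> list:
    """Return the indices of records that fall under the statutory definition."""
    return [i for i, rec in enumerate(records) if is_personal_information(rec)]


if __name__ == "__main__":
    print("card numbers in e-mail:", find_card_numbers(SAMPLE_EMAIL))
    donors = [
        {"first_initial": "J", "last_name": "Smith", "ssn": "6789"},
        {"first_initial": "J", "last_name": "Smith",
         "card_number": "4111111111111111", "security_code": "123"},
        {"first_name": "Ann", "last_name": "Lee",
         "card_number": "4111111111111111", "security_code": "123", "encrypted": True},
    ]
    print("records needing encryption:", scan_donor_records(donors))
```

Run the scanner over exported mailboxes or spreadsheet dumps to learn where card data actually lives before deciding what to encrypt or delete; the record check is the rule a donor database should enforce before anything is exported or e-mailed.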
6 Comments:
This is such an important consideration - so many nonprofits just aren't thinking about security of personal info. When we did the research for our credit card processing article, I heard so many alarming stories about nonprofits, say, storing credit card information in paper files. Actually, related, for some reason, online=insecure while in paper=secure in a lot of nonprofits' thought processes - they don't think through the fact that it's likely a lot easier to break into their office than to hack into their payment processor's system...
I think you're totally right Laura. I also read an article last week (which I can no longer find of course) that estimated that tens of thousands of government laptops were lost last year. That's another huge security risk for nonprofits. While you need to think about hackers, it's your well meaning employees/volunteers that will most likely cause the damage.
For the nonprofits who shy away from SaaS/hosted solutions because of security concerns, this is the flip side of that evaluation. Not that you can assume it, but a hosting service should have more resources and far more expertise available to address things like data encryption and firewalls. At a minimum, it moves some of the liability to them for unsafe practices.
Valuable information (valuable to a hacker or other entity) doesn't know better. That said, those charged with the task of securing that information should take heed to this very post.
Non-profits are vulnerable to maladjusted online behavior, like the rest of us.
A couple of ways to go about securing online credit card processing may be to seek a shopping cart built with PCI compliance factored into it.
Or, the other school of thought may be to utilize one of many products and services of ISO agents who may also feature credit card equipment not connected to the site itself. It's more of an antiquated way of collecting payments online as it requires person-to-person contact in order for the delicate information to be hand-entered, but it is a way to circumvent expensive, effective, safe 'shopping' cart software.
If you're not sure what I mean (and I am not being clear), this is what credit card processing equipment looks like.
Additionally, data security and PCI Compliance info can be found on this organization's site (PCI compliance guide).
As a Massachusetts resident and business owner, I can speak to the issues we face and how they affect us. We live in a constant state of worry and fear. On the one hand, we have to worry about the state laws, keeping up to date with them and being in full compliance. On the back end we have to worry about the implications of losing customer data. I have personally installed new data protection software, but I still fear this may not keep me totally protected from all angles.
Credit card holders' information security should be given attention by merchants and banks because lots of criminal acts like credit card fraud, identity theft, etc. are rampant nowadays. Tough security will protect credit card holders from carrying the burden of debts they don't even know about.