Credit Card Data Safety: You Can’t Afford Not To
Today’s guest blog post is written by Alex Pagano, Documentation Supervisor, PatronManager.
Hello, hi everyone, thanks for coming to tonight’s article. Looks like we have a great crowd, so let’s jump right in — show of hands, who handles credit card information on a regular basis? Let’s see…. Mm-hmm, that’s just about everybody in the room. OK, and I think I know the answer to this one, but just to check — how many of you feel like you could run your organization if you suddenly couldn’t accept credit cards tomorrow? Yeah, I’m not sure anybody could; my hand is down, too.
The fact is, credit card information is an integral part of how we do business. In the 2016 U.S. Consumer Payment Study by TSYS, 75% of consumers said they preferred to pay with plastic, and only 11% preferred to pay with cash.[1] Think about the ways patrons pay you with credit or debit cards: recurring donations, mail-in subscription orders, online donations and ticket orders, walk-up sales the night of the show… can you imagine not being able to utilize these revenue methods?
And yet, many organizations are a whole lot closer to this nightmare scenario than they realize. Plenty of risks come with accepting credit card payments — specifically to organizations without the proper policy and technology solutions in place to mitigate those risks.
You need only read the news to find a reason to be concerned for your credit card data security: Target and Yahoo! in 2013, eBay and JP Morgan in 2014, Uber in 2016, Equifax in 2017,[2] and OnePlus just last month.[3] If gigantic companies like these can be hacked, with entire teams dedicated to security infrastructure, nonprofit organizations certainly have risks to consider. Need proof? Look no further than Utah Food Bank, who had just over 10,000 donor records (each including names, addresses, and credit card numbers) stolen in 2015.[4]
So how can that happen to you, and to your organization? Each point in a transaction, each computer with sensitive data on it, is a potential security breach. Credit card readers can be tampered with if left unattended, even if just for a few moments. Malware can be installed simply by visiting a website or clicking the wrong email, and can subtly give hackers access to your patrons’ precious information. Remote, unauthorized access to your office computers can put every credit card and every one of your patrons at risk for credit card fraud.[5]
Once that happens, you’re looking at a lot more than lawsuits and fines — you also suffer irreparable damage to your reputation. They say all press is good press, but a security breach might be the lone exception to that rule. Within a week of Target’s 2013 large-scale security breach, public perception of the retailer dropped from +26 to -19 on BrandIndexer’s -100 to +100 scale.[6] As Gene Carr, Patron Technology’s President, likes to say, the absolute last thing you want is to end up on the front page of the local newspaper under a “compromised security” headline.
Overall, experts estimate a security breach costs your organization approximately $225 per record lost. That number counts immediate costs, such as paying for credit monitoring for affected patrons, but also accounts for less tangible costs, such as a damaged reputation.[7]
But even if your transaction data isn’t compromised, straying from PCI DSS — that is, the Data Security Standard formed by a council of credit card companies like Visa and Mastercard — can cost you. “When a nonprofit fails to abide by the PCI DSS requirements…[they can be fined] thousands of dollars or more,” warns Venable LLP, a Baltimore-based law firm. Venable adds, “Furthermore, the acquiring bank might terminate its relationship with the noncompliant nonprofit, ending its ability to process payment cards altogether.”[8]
Yikes! That all sounds pretty scary. But not to fear — here’s where a P2PE solution can swoop in to save the day!
A Point-to-Point Encryption solution consists of two things: (1) a card swiper that encrypts your patron’s credit card data right when you swipe it, right there on the device, and (2) a secure transfer of that information to the company who makes said card swiper. The company can then safely decode the information and send the payment to you. Encryption at the point of sale is the key here — it renders the card data useless to any would-be hackers or fraudsters, even if they were to somehow obtain the encrypted information.
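To make the two halves of that flow concrete, here is an added illustration (not PatronManager’s, Bluefin’s or any real P2PE vendor’s code) of what the reader, the merchant and the solution provider each see. It stands in for the vendor’s hardware encryption with HMAC-SHA256 in counter mode plus an HMAC tag, because Python’s standard library has no AES; real readers use AES with keys injected under HSM control and per-transaction key schemes such as DUKPT. The key, reader ID and card number below are constructed demo values.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed demo key. In a real P2PE deployment the key is injected into the
# reader under the solution provider's HSM and key-management controls and
# never exists on the merchant's systems at all.
READER_KEY = hashlib.sha256(b"demo-reader-key-do-not-use").digest()
READER_ID = "demo-reader-001"  # constructed identifier


def luhn_ok(pan: str) -> bool:
    """Reject obvious misreads on the reader before anything is encrypted or sent."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _subkeys(master: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and authentication keys from one master key."""
    return (hmac.new(master, b"p2pe-enc", hashlib.sha256).digest(),
            hmac.new(master, b"p2pe-mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    blocks = [hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def reader_encrypt(pan: str, expiry: str, master: bytes = READER_KEY) -> dict:
    """Runs inside the swiper: encrypt-then-MAC the card data at the moment of the swipe."""
    if not luhn_ok(pan):
        raise ValueError("card number failed Luhn check (misread?)")
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(16)  # fresh per swipe, so identical cards never repeat ciphertext
    plaintext = json.dumps({"pan": pan, "exp": expiry}).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {
        "reader_id": READER_ID,   # tells the provider which key to use
        "last4": pan[-4:],        # the only card detail the merchant keeps for receipts
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def merchant_view(blob: dict) -> str:
    """What the merchant's POS, database and logs actually hold: an opaque blob."""
    return json.dumps(blob, sort_keys=True)


def provider_decrypt(blob: dict, master: bytes = READER_KEY) -> Optional[dict]:
    """Runs at the P2PE provider: verify the tag first, decrypt only if it matches.
    Returns None on any authentication failure (wrong key or altered blob)."""
    enc_key, mac_key = _subkeys(master)
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


if __name__ == "__main__":
    # Constructed test card number (the well-known Visa test PAN), not a real card.
    swipe = reader_encrypt("4111111111111111", "1229")
    print("merchant stores:", merchant_view(swipe))
    print("provider recovers PAN:", provider_decrypt(swipe)["pan"])
```

The point the article makes about “devaluing the data” shows up in `merchant_view`: a stolen copy of that record carries a masked card number and ciphertext the merchant cannot open, and any alteration of the record in transit is rejected by the provider before decryption is even attempted.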
As Ruston Miles, a top officer at Bluefin and recognized P2PE solution innovator, put it: “You can build high castle walls to protect your data, but that doesn’t work, and it’s been failing companies for ten years. Or, you could devalue the data — take the gold out of the castle — and then you don’t need the high castle walls.”[9]
So why is P2PE such a big deal? First and foremost, it safeguards you and your patrons from security breaches by rendering any compromised data useless to potential thieves.
Second, remember those PCI DSS requirements I talked about earlier — the Data Security Standard set up by the PCI Council? Well, many of those requirements are centered around the way card data gets from your card swipers to your bank. Without a P2PE solution, these requirements are extremely difficult to meet, and proving that you’ve done so is even more difficult.
If you’re unable to prove your PCI DSS compliance, you can be fined, you can be liable for damages related to a security breach, and you can lose your ability to process credit card transactions altogether. So how do you prove your PCI compliance? The PCI Council has set up a Self-Assessment Questionnaire you can take once per year, and passing that questionnaire proves your PCI compliance.
So what’s the catch? Well, the questionnaire is 263 questions long, and it’s filled with dry, technical questions about how you accept and handle credit card information. I’ve got good news, though: if you’re using a P2PE solution, that questionnaire is reduced down to 42 questions, just by virtue of the safety inherent in using P2PE.
Simply put, a P2PE solution protects you and your patrons from costly data breaches and makes PCI compliance a breeze.
Whew! That’s a whole lotta talking about a really specific part of your business. It’s a small part of what you do on a day-to-day basis, but make no mistake — proper handling of credit card information is absolutely crucial to your long-term success.
Let’s recap the takeaways from today:
- Nonprofit organizations, no matter how small, must take action to (a) protect their patrons’ credit card data and (b) protect their ability to accept credit card payments.
- Retailers (that’s you!) are fully liable for a card security breach unless they can prove their PCI compliance.
- P2PE solutions do the lion’s share of protecting both patron card data and ensuring PCI DSS compliance.
Thanks for reading — I hope this article helps you avoid security-related “card”iac arrest.
[1] “TSYS U.S. Consumer Payment Study.” 2016 Oct. https://www.tsys.com/Assets/TSYS/downloads/rs_2016-us-consumer-payment-study.pdf
[2] “The 17 biggest data breaches of the 21st century.” 2018 Jan 26. https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
[3] “OnePlus Was Hacked And Up To 40,000 Customers Had Credit Card Info Stolen.” 2018 Jan 19. https://www.forbes.com/sites/thomasbrewster/2018/01/19/oneplus-hacked-40000-credit-card-data-theft/#389d2ca177ad
[4] “Nonprofit Nightmare: Data Breach Exposes 10,000 Donors’ Financial Records.” 2015 Nov 4. https://nonprofit.insureon.com/news/nonprofit-nightmare-data-breach-exposes-10000-donorsrsquo-financial-records
[5] “Five ways thieves steal credit card information.” 2017 Dec 15. https://www.bankrate.com/finance/credit-cards/5-ways-thieves-steal-credit-card-data-1.aspx
[6] “After security breach, Target’s brand takes a hit.” 2013 Dec 27. https://www.cbsnews.com/news/after-security-breach-targets-brand-takes-a-body-blow/
[7] “A Closer Look at the Findings from IBM Security and the Ponemon Institute’s 2017 Cost of Data Breach Study.” 2017 Jun 29. https://www.bluefin.com/bluefin-news/closer-look-findings-ibm-security-ponemon-institutes-2017-cost-data-breach-study/
[8] “What Your Nonprofit Needs to Know about Credit Card Payments: The Latest from PCI DSS.” 2016 Jan 16.
[9] “Ruston Miles from Bluefin on fraud, data encryption and being an entrepreneur.” Interview with BankNXT. 2017 May 08. https://banknxt.com/60681/ruston-miles-bluefin/