Thursday, May 15, 2008

New Laws for Organizations that Accept Online Payments

Thanks to TechSoup for publishing this important article:
New Laws for Organizations that Accept Online Payments

Nonprofit organizations that accept credit card donations should pay particular attention to the Payment Card Industry Data Security Standard (PCI DSS) and state identity theft and breach notification laws.

Most nonprofits process fewer than 20,000 transactions and will fall into Level 4, the lowest merchant level. The standard consists of 12 requirements that cover a broad range of security issues, from network protection to access controls to creating an information security policy:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Sounds like quite a change -- but don't be worried. There is an alternative that you can consider:

"The simplest and cheapest way to get compliant with PCI is to not have the data," said David Taylor, Vice President of Data Security Strategies at Protegrity, which provides data security products and consulting to Fortune 2000 clients.

Learn more here:

What do you think? Please click the COMMENTS button below.