Don’t be a Target – PCI compliance for associations

If you haven’t already tackled the attic or the garage, it’s time for spring cleaning and starting your summer ‘honey do’ list! As you make your list, make sure you have credit card and personal data at the top of the list. This type of data should be audited on a regular basis; related policies should be reviewed and refined at least once a year.

Target_Logo.png

A credit card data standard was established in 2006. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment – essentially, any organization that has a Merchant ID (MID).

The Payment Card Industry Security Standards Council (PCI SSC) manages the security standards with focus on improving payment account security throughout the transaction process. It is an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

Does your association comply with PCI standards? 

Start the discussion with your network engineer, finance staff member, and information technology staff members. 

Review the general PCI rules to determine the level of compliance that is required. Many associations fall into the lowest level, requiring only a network security scan, self-assessment questionnaire, and attestation of compliance. 

While PCI compliance must be managed by an approved vendor, your organization can research several key areas that are related to credit card and customer data. Start with the basics, then discuss details with your bank, database vendors, and network security team. 

  1. Review the PCI compliance forms and processes for your association to gain a general understanding of what your association will need to conform to the standards. 
  2. Contact your bank to determine what is required to fulfill the PCI requirements to have the lowest credit card processing fees possible.
  3. Develop a list of all locations where credit card and personal contact information is processed and stored. 
    • Association Management System (AMS)
    • Learning Management System (LMS)
    • Event or exhibit management applications
    • Use of a Square or portable credit card reader
    • Use of a manual credit card machine
    • Website forms that may collect sensitive data
    • Personal databases that may store credit card data
    • Email (if customers email PDF forms with sensitive data)
    • Copiers
    • Forms with full credit card information
  4. Ask your vendors about their security policies and their PCI status.
  5. Ask your vendors if your system is configured to support PCI compliance.
  6. Review internal and external network access policy (password strength, sharing credentials, changing passwords regularly, etc.).
  7. Complete PCI forms for your association. Depending on the volume of transactions, you may require a more formal assessment by an approved scanning vendor.

Walk the walk

  1. Develop processes and policies to address any risks identified by your data security assessment.
  2. Ensure that data security policies and procedures are executed.
    • Does your organization regularly shred or destroy files? 
    • Does your organization regularly purge paper, files, email, and electronic files on the network?
    • Does your organization regularly purge files from other external devices (mobile phones, tablet, copier, FTP sites, etc.)?
  3. Ensure that passwords are not shared by staff members. If you have a temp or vendor who requires access to a system, develop unique credentials for each individual or entity.
  4. Ensure website security policies and certificates are up to date.