Editor's Note: This article was originally published in February 2007, and was updated by Carlos Bergfeld, a web content writer at TechSoup.
Due to credit card thefts, identity thefts, and other unsavory online criminal activities, businesses that handle credit card data are required by state and international laws to protect sensitive information or risk fines and penalties.
Many of these laws affect large e-commerce outfits, but nonprofits accepting online donations or dealing with certain types of personal information should also take certain precautions to keep data safe.
Online identity thieves can steal credit card numbers, Social Security numbers, online banking passwords, and other information linked to a person's identity. They can use this information to purchase goods, access bank accounts, and take out loans or mortgages in someone else's name.
Identity thieves also resell stolen identities on a bustling black market conducted in Internet chat rooms. The going rate for a credit card number, the account holder's date of birth, and the card's three- or four-digit security code is $20, according to a CNN.com article.
How bad is the problem? More than 260 million records containing sensitive information have been exposed since January 2005, according to the Privacy Rights Clearinghouse, a website that tracks security breaches.
Every organization that accepts credit cards and other personal information through its website should encrypt that information as it crosses the Internet. But thieves typically don't bother to steal data during transmission; instead, they break into computers that are connected to the Internet, or simply steal the physical machines that store sensitive data.
Laws Mandate Data Protection
Regulatory bodies and U.S. states have reacted to the identity theft crisis by creating rules and laws governing how personal information is to be protected and when organizations are obligated to publicly report a data breach.
Nonprofit organizations that accept credit card donations should pay particular attention to the Payment Card Industry Data Security Standard (PCI DSS) and state identity theft and breach notification laws.
The PCI DSS, which provides explicit guidelines for securing credit card information, was created by credit card companies MasterCard, Visa, American Express, JCB, and Discover after these organizations formed the PCI Security Standards Council.
These rules affect any U.S. organization — regardless of size — that processes, stores, or transmits credit card data. An organization that fails to comply with this standard and suffers a data breach may be fined by the bank that processes the organization's transactions. Nonprofits should contact their bank or card processor to determine if they must comply with the standard.
Different Rules for Different Organizations
Those organizations required to comply with the standard are categorized into four levels according to their annual number of credit card transactions.
For instance, for Level 1 merchants (those processing more than six million transactions a year), compliance means being evaluated by a qualified third-party auditor. Level 1 merchants must also undergo quarterly security-assessment scans. These scans probe the merchant's network for common software vulnerabilities that could be exploited by an attacker, and to assess the configuration of security devices such as firewalls and intrusion detection systems.
Level 2 includes merchants that process one million to six million transactions per year. Level 3 is 20,000 to one million transactions, and Level 4 is fewer than 20,000 transactions.
Level 4 organizations don't have to hire a third-party auditor. Instead, they can perform a self-assessment using a questionnaire developed by the PCI Security Standards Council. There are five versions of the questionnaire, depending on the type of transactions an organization processes, and all questionnaires are available on the PCI SSC website. Level 4 organizations must also undergo an annual security assessment scan from a PCI DSS-qualified organization, known as an approved scanning vendor (ASV). A list of all ASVs is available here, and your bank should be able to recommend an ASV as well.
The complete copy of the PCI DSS version 1.2 is available online.
Level 4 Requirements
Most nonprofits process fewer than 20,000 transactions and will fall into Level 4. The standard consists of 12 requirements that cover a broad range of security issues, from network protection to access controls to creating an information security policy.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
The full standard goes into significant detail on these requirements. For instance, Requirement 1 delves into issues of firewall configuration, the creation of a DMZ (demilitarized zone, the common term for a buffer between the public Internet and your private network, in which your internal IP addresses are masked by the IP address of your firewall or firewalls), and the documentation of ports and protocols used by your organization.
Given the complexity of PCI DSS compliance, you should first contact your bank or credit card processor to ascertain whether you are obligated to comply. If you are, the next step is to address each of the requirements laid out in the standard.
Essentially, this means you will identify where this information resides in your organization, according to David Taylor, founder of the PCI Knowledge Base, an independent research community focused on PCI DSS.
"We go into the organization and ask how many servers, how many databases, how many applications use credit card data," said Taylor. "Look at the data flow to figure out how it gets from here to there."
The next question to ask is how your constituents' credit card data is protected when it's stored in your organization's database or on the hard drive of one of your computers. For instance, Requirement 3 specifies the use of encryption for credit card numbers, including on any databases, PCs and laptops, and backup media containing sensitive data.
Circumventing the Issue
For organizations concerned about the effort needed for PCI DSS compliance (which is likely to be significant for small organizations that don't have a dedicated IT or security expert on staff), there is an alternative.
"The simplest and cheapest way to get compliant with PCI is to not have the data," said Taylor.
Taylor recommends finding a third-party service to handle processing for you, so that you don't have to store credit card information on servers or databases that belong to you. Check with your bank to see if it can recommend a reputable service.
Of course, the processor will also have to be compliant with the standard. "Ask for a signature on a letter, or for a certification, which the company should be able to give you," said Taylor.
Another option is to use PayPal instead of accepting credit cards. PayPal, owned by eBay, brokers payments from one account holder to another over the Internet. Accepting donations through PayPal means organizations don't have to process or store credit card transactions — PayPal simply sends the money to the organization's account for a percentage of the transaction and a small fee. On the other hand, credit-card processing companies charge for their services, not per transaction. PayPal offers a special program for nonprofits called PayPal Donations.
PayPal is also established throughout the world, and supports payments in a variety of currencies (including the U.S. dollar, the Euro, the yen, and the Canadian and Hong Kong dollars), making PayPal an ideal option for international nonprofits. For more information, see PayPal Worldwide.
Other organizations offer similar services to PayPal, but tailored to the nonprofit community. A few of these offerings are available to eligible organizations through TechSoup, like BlackbaudNow and Network for Good. BlackbaudNow's fundraising starter kit provides small organizations with tools to create a donation-ready Web site, powered by PayPal. Similarly, Network for Good's internet fundraising services allow organizations with their own websites to add donation buttons so donors can make credit card contributions through the Network for Good secure web server. To find out about other third-party options, read Idealware's article A Few Good Online Payment Multitaskers .
Laws and Regulations by State and Overseas
Nonprofits must also be aware of U.S. and international laws dealing with the privacy of personal information, including credit cards, Social Security numbers, and bank account information. Now, 45 U.S. states have breach notification laws on the books.
The European Union has data privacy laws, known as Directive 95/46/EC (you can download a copy of the law in a variety of languages), but as of yet the EU does not have breach notification laws.
Japan does have a breach notification law, called the Act on the Protection of Personal Information. An English translation of the law is available online.
While the PCI DSS standard lays out specific requirements for securing data, most state breach notification laws have a different purpose. Rather than tell organizations what steps to take to protect information, these laws compel businesses of all sizes to notify customers that information that could be used to perpetrate identity theft has been exposed.
The goal of these laws is to spur companies into protecting sensitive information more carefully, because organizations generally don't like to report data breaches. It's embarrassing, and may cost them in lost business, a damaged reputation, or even lawsuits. The same goes for nonprofits: You may lose both existing and potential donors if donors believe you aren't a good steward of their personal information.
Each state law will have its differences, which means you'll have to do some research depending on where your organization is based. Many state laws also require a company based in one state to report a breach if it exposes personal information of out-of-state residents.
California’s Data Breach Law
California's data breach notification law, SB 1386, requires any person, business or state agency with California residents as customers must report a breach even if that organization company isn't located in California. Nonprofits that aren't based in the United States should consult with a lawyer to determine if they are liable under U.S. state laws.
SB 1386, which went into effect in 2003, provides a good example of the kinds of requirements you'll find in other state laws. It has also been touted as a model for potential federal legislation.
Some of the key provisions of the bill:
First, it compels organizations with California customers to notify those customers about known or suspected disclosure of personal information to an unauthorized person. SB 1386 defines personal information as a person's first name or first initial and last name, in combination with any of the following:
- Social Security number
- Driver's license number
- Account number, debit or credit card number, plus whatever password allows access to the account
Notification can include any one of the following: a written notice, an electronic notice (email), or substitute notice if the cost of notification would exceed $25,000 or more than 500,000 people. (Though this varies by state.) Substitute notification includes email, conspicuous posting on the organization's web page, or an announcement to statewide media.
Note that the bill says organizations don't have to disclose a breach if the disclosure would affect an ongoing criminal investigation. Personal information that was encrypted at the time of exposure would also remove the obligation to notify customers.
Because individual state laws will have their own definitions of personal information and their own notification triggers, organizations that store personal information should consult a lawyer about state and international breach notification laws.
The Urge to Purge
Collecting donor information is a standard procedure for nonprofits, but you must understand the risks associated with that practice, particularly for sensitive data such as credit card numbers. The most prudent policy to follow regarding such information, says Taylor, is, "You don't want to get it, and if you do get it, you don't want to keep it."