When is a good deal not a good deal? Presented by Bob Wesolowski, President, Caring Habits, Inc., Briarcliff Manor, NY, and James R. Rennert, CFRE, Dir. of Mission Advancement, Sisters of St. Joseph, Brentwood, NY

Upload: susan-conley

Post on 28-Dec-2015


TRANSCRIPT

Page 1: Presented by Bob Wesolowski, President, Caring Habits, Inc., Briarcliff Manor, NY, and James R. Rennert, CFRE, Dir. of Mission Advancement, Sisters of St. Joseph, Brentwood, NY

When is a good deal not a good deal?

Page 2: Overview

• Figuring out credit card fees – Why are credit cards so expensive?
• Understanding EMV cards – Will it change the way you process payments?
• The PCI data security standards – Why are they so important?
• Sisters of St. Joseph – The steps one “merchant” took to become compliant.

When is a good deal not a good deal? Copyright © 2015 Caring Habits, Inc., Briarcliff Manor NY and Sisters of St. Joseph, Brentwood, NY

Page 3: Figuring out credit card fees -

• Anatomy of a Transaction – The numbers show the sequence of events.

[Diagram: Anatomy of a Transaction. Parties shown: Charity, Donor, “Platform” or “Gateway”, Issuing Bank, 3rd Party Reseller, Merchant Bank. Numbered steps 1 to 7 give the sequence of events.]

Page 4: Figuring out credit card fees -

Page 5: Figuring out credit card fees -

• Credit cards are an unsecured, short-term loan.
▫ You receive donation proceeds in anticipation of the donor making a payment.
• VISA, MasterCard and Discover continue designing specialty cards that result in higher fees for merchants and cardholders.
▫ The “discount rate” is based on the cards presented by donors.
▫ The card issuers (VISA, MasterCard and Discover) charge “Interchange” fees for processing the donation.
• Many software providers require annual upgrades to remain PCI compliant.

Page 6: Figuring out credit card fees -

• Additional fees are charged for almost everything, including:
▫ Monthly paper statements.
▫ Assorted “downgrades”.
▫ Chargebacks and reversals.
▫ Breach protection.
▫ Failure to be PCI compliant.

Page 7: Figuring out credit card fees -

• Two types of credit card transactions: Card Present and Card Not Present.
▫ Card Present – The cardholder presents the credit card in person. Typically a retail transaction, e.g. a book store or a gift shop. Typically the lowest discount rate because the threat from a stolen card is less. Transactions must be swiped to get the lowest rate.
▫ Transactions “downgrade” (i.e. become subject to higher fees) if the criteria are not met. Causes include: credit cards that are manually keyed (the swipe machine can’t read the card); failing to use address verification or the CVV2; accepting corporate or other specialty cards; failing to settle batches at the end of each day.

Page 8: Figuring out credit card fees -

▫ Card Not Present – The cardholder is not able to present the card in person. Typically direct mail, telemarketing or web transactions. Also includes monthly giving transactions. Often referred to as MOTO (Mail Order/Telephone Order). Transactions can be processed through special processing software or manually keyed into a touch pad or swipe machine.
▫ Card Not Present transactions “downgrade” if strict criteria are not met. Causes include: processing some donations without the CVV2; transactions processed without address verification (AVS); accepting corporate or other specialty cards; failing to settle batches at the end of each day.

Page 9: Figuring out credit card fees -

Page 10: Figuring out credit card fees -

• Steps you can take to reduce fees.
▫ Consolidate credit card merchant accounts. Eliminate redundant charges.
▫ Be wary of monthly minimum fees.
▫ Paper statement fees can be expensive. Go paperless.
▫ Become PCI compliant. Penalties can reach $150.00 per month.
▫ Review credit card statements every month. Understand all charges.
▫ Use providers who offer faster funds availability.
▫ Process donations using AVS and CVV, use processing technology correctly, settle credit card batches daily.
▫ Understand ALL fees before you move.
▫ Understand termination fees. Make sure to retain rights to cardholder data.

Page 11: Implementing EMV Cards -

• EMV (Europay, MasterCard, VISA) cards were available beginning in 2005.
• Sometimes referred to as “Chip and PIN” or “Chip and signature” cards.
• Designed for ATM, point-of-sale or unattended terminal transactions.
• Implementation required by October 1, 2015 for POS terminals.
• Implementation required by October 1, 2017 for gas stations.
• Experience in Europe suggests that implementation shifts attackers’ focus to card-not-present transactions.

Page 12: Implementing EMV Cards -

• Understanding the effect:
▫ If you accept a stolen “Fallback” card, the bank will bear the loss.
▫ If you accept a stolen EMV card and use an EMV reader, the bank will bear the loss.
▫ If you accept a stolen EMV card and use a “Fallback” POS reader, you bear the loss.
• Should you purchase a new card reader?

Page 13: What are the PCI standards -

• A comprehensive set of security standards for use by organizations that process, store or transmit credit card data or that build technology for these purposes.
▫ The standards identify four user groups: merchants, service providers, hardware manufacturers and software developers.
▫ Compliance is achieved by implementing policies, procedures and training.
▫ Compliance is certified through: scanning of internet-facing devices, systems and applications by MasterCard-certified products and providers; audits performed by VISA-certified assessors; Self-Assessment Questionnaires (SAQs).

Page 14: What are the PCI standards -

• SAQs are based on perceived risk:
▫ Questionnaire A – Card-not-present (e-commerce or mail order/telephone order) merchants. All cardholder data functions outsourced.
▫ Questionnaire B – Imprint-only merchants or stand-alone terminal merchants with no electronic cardholder data storage.
▫ Questionnaire C – Merchants with POS systems connected to the Internet with no electronic cardholder data storage.
▫ Questionnaire D – All other merchants.

Page 15: What are the PCI standards -

• PCI DSS is the minimum acceptable standard.
• Compliance with the PCI data security standards is NOT a legal requirement. However:
▫ Banks assess fines for non-compliance or a breach.
▫ A growing number of states impose substantial fines for data losses.
▫ Safe Harbor rules from VISA and MasterCard may apply if a compliant merchant suffers a data loss.
▫ You are responsible for making certain your vendors are compliant.

Page 16: What are the PCI standards -

• Anticipated Changes –
▫ Banks will charge more for support and offer more services, including: self-assessment questionnaire preparation, network vulnerability scans, and policies and procedures guidelines and templates from Trustwave, Security Metrics, Verizon, Coalfire and many others.
▫ Annual scanning fees can vary.
▫ Substantial penalties will be assessed for non-compliance and more “proof” will be required.

Page 17: A Quick Look at Compliance *

• Only 28.6% of companies were found to be fully compliant less than one year after validation.
• Not a single breached company had been compliant at the time of the breach.
• Greater emphasis on attacking the systems of partners and then using their trusted status to attack.

* Results taken from the Verizon 2015 PCI Compliance Report

Page 18: A Quick Look at Compliance *

• 27% of breached companies had effective firewalls in place. (1)
• 27% of the breached companies complied with hardened defenses. (2)
▫ Vendor-supplied defaults and passwords.
• 36% were compliant in protecting stored data. (3)
• 36% had effective anti-virus software. (5)
• 16% were maintaining systems and software security. (6)
• 9% had effective systems testing in place. (11)

The numbers in parentheses are the PCI DSS requirement numbers each figure refers to.

* Results taken from the Verizon 2015 PCI Compliance Report

Page 19: Why Be Compliant?

• Safeguard your organization – Fines, bad press and a higher cost of doing business.
• Safeguard donors – Protect credit card and other personal information.
• Safeguard employees – Fines and termination.
• Safeguard yourself – Fines and termination.

Page 20: Who Can Help You?

• Approved vendors are listed on the PCI DSS site.
• Your bank may require you to use a specific vendor.
• Security Metrics Breach Protection up to $100,000 is $600 per year for one server.

Page 21: How Does the Process Work?

• Rep asked questions about my organization and operation.
▫ “Scope reduction” can dramatically reduce the size of the effort.
• They scanned my server’s I.P. address and provided a report of what needed to be changed (firewall parameters, software versions, etc.).
• Your IT person will need to be involved to make recommended changes and to initiate the quarterly scan.
• You and your IT person complete the Self-Assessment Questionnaire (SAQ). Must be completed annually.

Page 22: You Must Sign the SAQ

• You develop the Information Security Policy. It addresses:

PCI DSS Standards
• Firewalls
• Passwords
• Vendor access
• Protecting stored data
• Data encryption
• Malware and anti-virus protection
• Maintaining current software
• Access control
• Regular network testing
• Maintaining a security policy

Page 23: On-line Training

• All staff who process credit cards must take an online training class.
• All staff who process credit cards must pass a test based on the training material.
• All who process credit cards must sign and agree to the Information Security Policy.

Page 24: Accepting Credit Cards Online

• Use a PCI-compliant service provider.
• Some web developer firms may not have the ability or knowledge to make your landing page PCI compliant (coding, complex rules, access to data, etc.).
• It is your responsibility to ensure that vendors are PCI compliant. Ask to see your vendor’s certificate.

Page 25: Appendix 1 – The PCI Data Standards

Page 26: Appendix 1 (continued)

Page 27: Appendix 2

•Please feel free to contact us with any follow-up questions.

James R. Rennert, CFRE, Dir. of Mission Advancement, Sisters of St. Joseph, Brentwood, NY, 631-273-1187, Ext [email protected]

Bob Wesolowski, President, Caring Habits, Inc., Briarcliff Manor, NY, 914-923-0500, Ext [email protected]