By John Norton
In the .com heyday, a magazine chronicling the rise of the Internet proclaimed that online access was a serious threat to the traditional, membership-based association because of its ability to foster communities independently. It is of no small irony that the aforementioned publication has since folded, while the association industry continues to thrive.
But just like every other walk of life, the association marketplace continues to be altered by online processes and transactions, which presents a double-edged sword. While the speed and ease of communicating with members is greatly enhanced by the Internet, security and safety issues pose a different sort of threat to an association's reputation, the one generated by unsafe credit card practices.
In response, forward-thinking association leaders are doing everything they can to protect their members, including becoming PCI Compliant.
You can practically hear association staffers in conference rooms from Albany to Syosset clamoring to allow members to do it all online: Memberships, renewals, award nominations, seminars, conferences. But mention "identity theft" and you can just as easily see their eyes glaze over.
Consider what's at risk, though: The loss of trust and good will between the organization and its members, the service fees charged by banks and financial institutions, and the entire reputation of the association and its board members. And that's still not even to mention the fines and penalties that could be imposed upon the association if a violation occurs.
What is PCI Compliance and How Does It Affect Your Association?
In 2006, the major credit card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa) jointly launched the Payment Card Industry (PCI) Security Standards Council to set security standards that protect the transmission and storage of credit card data.
An outcome was the PCI Data Security Standard (PCI-DSS), a set of standards to ensure private and secure transactions. Any association that accepts payments by credit card should take the steps to become PCI compliant. In fact, many merchant banks have made compliance a customer requirement and charge additional fees for non-compliance. Achieving PCI compliance includes a review of internal processes, an examination of vendors and service providers, and establishing procedures to be compliant.
PCI Data Security Standards govern all who accept credit card payments and comprises six security goals:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management program;
- Implement strong access control measures;
- Regularly monitor and test networks;
- Maintain an Information security policy.
Each of these goals is then supported by a series of technical and operational requirements.
To become PCI Compliant, associations complete a rigorous internal examination, the successful completion of which leads to an Attestation of Compliance, which is signed by executive leadership.
There are a few overriding philosophies to accept as organizations pursue compliance and don't get sidetracked by some of the myths about PCI Compliance. One is that compliance is an organization-wide standard and should not be limited to just the information technology department. Compliance is a business issue that applies a holistic approach to data security. An easy example: Keeping a fax machine in a common area when orders or registrations are coming in with credit card numbers would easily be inconsistent with PCI compliance
Another is that outsourcing is not a quick and easy solution. In fact, to be PCI Compliant, all of an association's vendors and service providers must also certify that they are PCI compliant. Additionally, since both the merchant (association) and service provider (vendor) must be compliant in order to meet the standards, one-sided compliance does not achieve the goal.
Another common misunderstanding is that an organization should hire an outside expert in order to become PCI Compliant. While an outsider's familiarity with the standards may speed up the process, the cornerstone of the Data Security Standards (DSS) is the internally focused Self Assessment Questionnaire (SAQ).
There are multiple versions of the SAQ with varying degrees of complexity, so a good route is to talk to your PCI Compliant service providers as they have already been through the process and may be able to offer initial guidance. At that point, the decision as to whether or not to hire a consultant will be better informed.
But whatever path you choose, your first step should be a conversation with your service providers to understand how they approach PCI Compliance. Make sure you understand how they went about becoming compliant and what their procedures and processes are to maintain compliance.
PCI Compliance is technical and constantly changing. But rather than become the object of fear, it should be seen as a long-term, organization wide initiative that will continue to fulfill the role of an association in the world of the Internet, which is to provide a safe community for its members.
John Norton is Director of Network Operations for Avectra Inc., www.avectra.com. He can be reached at jnorton@avectra.com