Fiscal Fitness — August 2008
your newsletter about issues in the nonprofit business world
Editor's Note

How is your organization handling credit card information? Where do you store it and who has access to it? Have you given it much thought recently? Well, if you haven’t, you really should because the credit card companies are paying attention to what you’re doing and are tightening the screws to persuade organizations to make changes in the way they think about and handle credit card information.

In this month's issue of Nonprofit Fiscal Fitness, Blackbaud's information security manager, Jake Marcinko, discusses the impact and importance of new credit card standards to nonprofits.



Blackbaud's Fifth Annual State of the Nonprofit Industry Survey
Curious how other nonprofits are faring in today's funding environment? See how your organization compares to other nonprofit organizations in North America by taking the State of the Nonprofit Industry survey, sponsored by Blackbaud. By taking this survey you will have the chance to win a FREE Dell® laptop. The survey results provide an overview of critical information to help you benchmark and better manage your organization.


Are You Ready for PCI?

Changing Times in the Payment Card Industry

Credit card fraud has been a growing problem and is big business for malicious individuals and organized groups alike. According to the July 2007 Nilson Report, losses to card issuers (Visa®, MasterCard®, etc.) due to card fraud in 2006 totaled $4.84 billion, up 12.8% from the previous year. As fraud losses have increased, credit card companies have realized a greater need for formalized security standards and practices.

In June 2004, in an effort to facilitate the broad adoption of consistent security measures on a global basis, American Express®, Discover® Financial Services, JCB® International, MasterCard® Worldwide, and Visa® Inc. jointly created the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is based on 6 fundamental objectives that are further divided into 12 major requirements and a slew of sub-requirements. These requirements cover broad topics such as network design, software development, security administration, and IT governance.

The Impact to Nonprofits

How does PCI affect your organization? Well, first you need to determine what information you maintain and whether or not it is within the scope of PCI DSS. PCI DSS defines cardholder information as the primary account number (PAN or credit card number); data obtained as part of a payment transaction including cardholder name, expiration date, and service code; and "sensitive authentication data" such as magnetic stripe data, PIN, CVV2, or CVC2 information. The PAN is the defining factor in the applicability of PCI DSS. If your organization stores, processes, or transmits PANs then you are expected to comply with the full extent of the PCI DSS. Organizations that do not store, process, or transmit PANs are not required to comply. If you are uncertain as to how PCI affects you, the best course of action is to contact your processor or acquiring bank to determine your compliance requirements.

Penalties for non-compliance vary, ranging between $5,000 and $25,000 per month for each month an organization is found to be non-compliant. These fines are typically levied directly against the card processor or merchant bank who issues the merchant account to the merchant found to be in violation. Those fines, however, are typically passed down to the merchant in one form or another. Despite these hefty fines, the most costly penalties for non-compliance are actually incurred in the event your organization experiences data loss. The loss of your reputation, your customers, and the risk of litigation are far more damaging to your business than simple fines. If the circumstances surrounding the data loss are particularly egregious, the card companies could even deny your ability to process credit cards altogether.

Why Is This Important?

In the end, securing credit card information is not about protecting the card companies or addressing yet another compliance standard. It’s about our due diligence to protect cardholders from having their information distributed — whether intentionally or unintentionally — to those who intend to misuse it. For too long organizations have been frivolous in the use and protection of our personal information. You need only to pick up the newspaper or watch the news to see the numerous cases that substantiate this claim. If you have ever been a victim of identity theft, you know that the burden to resolve issues related to the loss of personal information is placed solely on the individual. The fact that identity theft has impacted over 3% of the U.S. population to date should be disquieting to most. What's worse is that number continues to grow. Now is the time for organizations to come together to do something about this trend, and one important step is the broad adoption of the Payment Card Industry Data Security Standard. It's simply the right thing to do, and that is what nonprofits do best.

Learn more online about the Payment Card Industry Data Security Standard, read our Frequently Asked Questions, or check out our PCI Compliance blog.


Latest and Greatest

Web Seminars

The Financial Edge
Join us to learn about The Financial Edge — our mission-critical, accounting information system that provides the reports and analyses you need to support effective decision making.

September 23, 2:00 p.m. ET


Credit Card Changes that Impact You
Join us to learn more about the new Payment Card Industry Data Security Standard (PCI DSS) and how it will impact the way your organization handles credit cards.

September 11, 2:00 p.m. ET

September 17, 2:00 p.m. ET


In the News

IRS Releases Final Instructions for New Tax Form for Nonprofit Groups
The Internal Revenue Service has finished the long process of revising the Form 990 with the release on August 26 of the final instructions for the tax document.

Read the entire article here.


Finding the Money for Technology
Technology is a core part of doing business for nonprofits. But it's also expensive. Get tips and best practices for finding funding for your technology needs.

Read the entire article here.


Resources

Blackbaud Delivers
Blackbaud Delivers is a thought leadership and practical nonprofit management seminar presented by some of our best experts, delivered to your city or the major city closest to you.

Register today!



The Baudcast
This episode's panel discusses Blackbaud® NetCommunity 5.5, page sharing, Facebook integration, niche networking, community building, Australian fundraising, the 2008 SONI Survey, and more.

Download episode 14.
(28MB, 41 minutes)

Blackbaud, Inc. | 2000 Daniel Island Drive | Charleston, SC 29492 | 800.443.9441