Plan Canada faces a compliance challenge common to many nonprofits: securing payment card donations. Even in a recession, nonprofits are receiving billions of dollars in donations, often electronically. According to Mark Banbury, vice president and CIO at Plan Canada, the Toronto-based nonprofit takes a third of its gifts through electronic donations made with gift cards, with more than 180,000 sponsors involved in recurring giving plans. That represents more than $25 million in aggregate revenue -- which makes Plan Canada a Level 3 PCI merchant.
As is the case with other nonprofit entities, Payment Card Industry (PCI) compliance represents more than just a basic level of security for Plan Canada: It's the foundation for donor trust. When it came to achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS), Banbury chose to outsource the payment process. He turned to Blackbaud Inc., a Charleston, S.C.-based security firm that provides such services to many nonprofits.
The difficulties that nonprofits encounter in meeting PCI compliance are similar to those that most organizations face: changing standards and interpretations. The stakes may be even higher. "For nonprofits, trust matters even more than for commercial businesses," Anton Chuvakin, director of PCI compliance at Qualys Inc., explained. "The costs of failure are higher."
How an organization actually applies standards in such a way as to achieve both compliance -- and security -- is a complex issue. Training staff to change workflows and interactions with vendors is key. Banbury said he has experienced "a lot of back and forth between auditors, vendors and software," along with a new challenge: finding auditors. "A lot of the big guys have backed away from the PCI world because of liability."
One of the challenges for any organization is staying up to date with the laws and regulations that affect operations. Nonprofit compliance is particularly challenging because of budget constraints. Jake Marcinko, information security manager at Blackbaud, has briefed many organizations on the issues they will face. "With U.S.-based clients, I focus on an aggregation of the Massachusetts data privacy laws, multitude of breach disclosure laws and international standards like ISO or COBIT," he said. "What I suggest is not to take a single approach -- only PCI or 201 CMR 17.00. In order to be successful, you need to take an umbrella approach as input into your compliance program."
Where should a nonprofit begin with PCI?
First, understand the problem. In Banbury's assessment, smaller nonprofits are behind the curve when it comes to PCI compliance. "Look at the way that PCI DSS has been rolled out. The larger nonprofits have been dealing with it. When you get down to the Level 4 merchants, there's an awareness issue." Banbury found certain elements of PCI DSS helpful in terms of standardization. "Because PCI DSS is an international standard, we can dovetail our operations around it," he said. "We operate in 18 countries. We found that there were only five that were processing credit cards that were actively processing and storing cards: U.S., U.K., Canada, Australia and now Hong Kong. The rest had outsourced the operation to others. The issue there was monitoring that the external vendor was compliant."
Second, focus on assessing organizational risk, not just meeting PCI standards. Banbury said Plan Canada has a full-time internal risk team. Given the nonprofit's focus on providing aid to children, securing data isn't just a financial concern -- protection is also an issue. Plan Canada started with an external readiness test, followed by an assessment by Deloitte. Banbury said the process gave Plan Canada a "laundry list of where we needed to tighten up," adding that "any nonprofit looking for software needs a clause in its RFP that a vendor needs to be PCI-compliant."
Third, follow up on the assessments. Banbury examined payment processes that had been externalized and internal processes, like email. He asked fundraisers if card numbers were coming in through mail. He looked at whether business development was logging suppliers. Banbury knew third parties were sending data files that would have to be logged and audited. He also evaluated back-end processes and did due diligence on vendors.
Technology infrastructure for nonprofits and PCI compliance
Plan Canada chose to outsource payment processing to Blackbaud, which shifts responsibility -- if not accountability -- to the technology provider. "Blackbaud's storage system -- vaulting -- stores the data in the cloud," Marcinko said. "We only see truncated credit card information. The solution gives us an encrypted key that is recognized. It's in our core CRM system -- we call it a donor relations system or DRS -- which is the same vaulting system adapted online. The information is moved to the system. We don't store the data."
Chuvakin is a strong proponent of both outsourcing and minimizing the amount of card data that is stored. "The best advice under PCI is to destroy the data -- not to have the data. That may not apply to other kinds of data -- but card data you can destroy." After talking with a qualified security assessor (QSA) who was tasked with securing fees through electronic payment cards, Chuvakin took away a clear lesson: "If the QSA would not want to process in-house, it's a sign not to do it yourself."
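The vaulting approach Marcinko describes and Chuvakin's "don't have the data" advice amount to the same scope-reduction pattern: the donor system keeps only a random token and a truncated card number, and the full number lives solely in the vault. The sketch below is an added illustration, not Blackbaud's or Plan Canada's code; the class and function names and the 4111... test card number are constructed for the example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digits-only card number (basic intake validation)."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate as the article describes: only first 6 and last 4 digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardVault:
    """Stand-in for the outsourced vault: the only component holding full PANs."""

    def __init__(self):
        self._pans = {}                     # token -> full PAN, never returned

    def tokenize(self, pan: str):
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        self._pans[token] = pan
        return token, mask_pan(pan)

    def charge(self, token: str, amount: float) -> dict:
        pan = self._pans[token]             # PAN used inside the vault only
        return {"approved": True, "amount": amount, "last4": pan[-4:]}


def enroll_sponsor(drs: dict, vault: CardVault, donor_id: str, pan: str) -> dict:
    """Donor relations system (DRS) stores only the token and the masked number."""
    token, masked = vault.tokenize(pan)
    drs[donor_id] = {"token": token, "masked_pan": masked}
    return drs[donor_id]


def drs_exposes_pan(drs: dict, pan: str) -> bool:
    """Scope check: True if the full PAN appears anywhere in the DRS data."""
    return pan in repr(drs)
```

A recurring charge is then run against the token, so a breach of the DRS yields masked numbers and opaque tokens rather than card data.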
Banbury did a similar cost-benefit analysis. "If my other option is building secure payment processing internally, my costs become exponential," he said. "We become a software development company. That's not our core mission, which is helping children."
Banbury built his technology infrastructure around minimized risk and data protection. "One of the challenges dealing with the vendors is in receiving encrypted files from the vendor," he said. "We've created a separate network that uses two standards of authentication: A PGP [Pretty Good Privacy] key exchanged with vendors and a unique password for each employee at the vendors."
Banbury also uses an ASA firewall for his secure FTP site and does not allow remote desktops to access the FTP site. "We ended up with a couple of high-end Cisco boxes for the network segment and a server for the secure FTP connection," he said. "When you add hardware, software and the people, you're looking at about $200,000 or so, with ongoing costs for personnel."
Banbury chose to outsource his networking needs to consultants from Cisco Systems Inc., which he says "helped those providers to draw up a roadmap for what they'll need to [do] for other nonprofits."
Should nonprofits move into the cloud? Does PCI apply?
When it comes to cloud compliance, Marcinko said he's concerned about both standards and data classification. "Aspects of it are still relatively new," he said. "PCI only deals with credit card information. Many nonprofits handle information that goes beyond that -- Social Security numbers or other data. My fear with PCI is that nonprofits will get so focused on PCI that they will ignore other kinds of data in their systems."
Will PCI be applied to cloud computing? "One of the problems we have as an industry is that we don't have a universal privacy standard," Marcinko said. "I've got mixed feelings. Part of me says it should -- it's the only thing out there with any kind of depth and granularity. Is it the right solution for the long term? My sense is that the answer is no."
Should HR 2221 pass, a national data privacy law may clarify the issue -- or confuse it further, depending on its contents.
More standards that actually help nonprofits achieve security and prevent data breaches are needed. As Marcinko observed, "you don't need to go further than educational institutions to gauge how well compliance and security issues are being adopted." Banbury agreed: "There's going to come a time when a nonprofit makes the news. My goal is to make sure it's not me."
Both men were right: Earlier this month, more than 6,000 records from ROTC personnel were inadvertently exposed in a data breach. PCI compliance may not solve P2P security concerns, of course, but it would be a good start.
This was first published in September 2009