Click & Pledge is PCI Certified

Click & Pledge adheres to the highest security standards and is PCI/CISP certified. PCI/CISP certification is performed on a quarterly basis and is required by all tier 1, 2, and 3 providers.

Security: It’s more important than ever!!
If your organization is collecting money or doing financial transactions online, nothing is more important than security. Internet criminals want access to your computer, your money and your identity, and small to mid-size nonprofits are popular targets. The prime objective for hackers and online thieves has shifted from targeting major corporations to gaining control of home and workplace desktops.

Hackers are always on the lookout to steal customer or business information, and it’s not hard to find. Nonprofits in particular must protect their assets. Unfortunately, they often have neither the resources nor the knowledge to get the sort of protection they need today. That creates vulnerability, and that’s exactly the type of access that hackers are looking for.

Web applications that give customers, employees and business partners access to services and information are difficult to secure. They have become an increasingly soft target for hackers and highly vulnerable to viruses.

“Criminals today use small nonprofits as resources for committing larger crimes, like stealing sensitive data and selling or using it,” said Dr. Kamran Razvan, president of Click & Pledge. “Another common practice among online thieves is to use stolen credit cards to donate a small amount of money online to charity Web sites. This allows them a way to confirm that the stolen credit/debit cards are active. Then, they use the cards to purchase expensive items at retail,” he added.

So, what is there to do about it?

Outsource your security and payment processing. It will save you money. It will reduce the burden on your IT staff. But most importantly, outsourcing your payment transactions will allow you to access powerful security tools to fight back against online fraud.

Here’s where to start and what to look for:

Seek out a vendor that is PCI/CISP compliant: Demand it and do not settle for anything less. The PCI Standard is intended to protect cardholders’ credit card transaction information.

PCI stands for Payment Card Industry Data Security Standard. The standards result from collaboration between Visa and Master Card to create common industry security standards. CISP is the acronym for Cardholder Information Security Program. American Express, Diners Club, Discover, and JCB also issued a requirement for merchants to comply with the PCI standard. Click & Pledge is a certified PCI service provider.

Not a day goes by without a potential client asking us if we are “secure”. But what does “being secure” mean? Most people have a vague understanding of what online security entails. Based on our experience, most people consider their Internet site as “being secure” because they see a lock symbol at the bottom of the payment page. That won’t do.

At ClickandPledge, security is designed into every aspect of our company’s operations. We adhere to the highest security standards in the industry. What does “industry standards” mean, and why should you be concerned about security? Let us explore some facts and figures and explain some of our practices. You will gain a better understanding of what “secure” means and why you should demand it. Security is for the paranoid. And security paranoia definitely pays off, both for you and for your donors.

Security is not about keeping the “bad” guys out, but more about letting the “good” guys in. In other words, one should be able to do what one is allowed to do – nothing more and nothing less. Adhering to the above principle in a network environment, where the world can access a web site, creates challenges that need to be thoroughly understood.

Each recognized source on Internet security defines it in terms of the following key words:

  • Confidentiality
  • Integrity
  • Availability

Let’s examine these key words and how our company interprets each.

CONFIDENTIALITY

Only authorized people or systems can access protected data. This definition can also extend to user interaction with the application.

INTEGRITY

Integrity is a difficult term to define, since the word means different things in different contexts. The Trusted Network Interpretation states that integrity ensures that data has not been exposed to accidental or malicious alteration or destruction. Three particular aspects of integrity are identified:

  • Authorized action
  • Separation and protection of resources
  • Error detection and correction

AVAILABILITY

Similar to integrity, availability can mean different things. Within the context of network security and the SaaS (Software as a Service) environment, an overall description of availability covers the following points:

  • Timely response to requests
  • All requesters are treated equally
  • Fault tolerance ensures graceful failover in case of failures
  • Ease of use within the anticipated expectations
  • Controlled concurrency, that is, support for simultaneous access

Now let us examine how the Click & Pledge system and business practices are designed to ensure that the above requirements are met.

Confidentiality

Holding donor and organizational data confidential, and only available to authorized personnel and users, is at the forefront of our practices. Donor data are only available to the organization they have made a payment to. The following information is saved for retrieval by the organization and for tax and reporting purposes:

Donor information:

  • Name
  • Billing / shipping address
  • Email
  • Phone number

As a matter of policy, no private data is recorded, saved, or archived. The following information is neither saved nor recorded:

  • Credit card number
  • Card tracking data (CV2, the 3-digit number on the back of the card)

Credit card number or tracking data is never saved in our system and is completely discarded once submitted to the gateway processor. For tracking and reporting purposes the following is saved and reported per PCI specifications:

  • First four and last four digits of credit card number
  • Email receipt includes the last four digits of the card number
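To make the retention policy above concrete, here is an added example (an illustration written for this page, not Click & Pledge’s own code) that takes a constructed donor submission, keeps only the first four and last four digits of the card number in the stored record, builds the receipt with the last four digits only, and checks that neither the full number nor the CV2 survives in what is persisted. The field names and the test card number are assumptions.

```python
import json
import re

# Constructed donor submission (test data, not a real card), as it arrives
# from the payment page before being forwarded to the gateway processor.
SUBMISSION = {
    "name": "Jane Donor",
    "email": "jane@example.org",
    "billing_address": "1 Main St, Blacksburg, VA 24060",
    "card_number": "4111 1111 1111 1111",  # constructed test PAN
    "cv2": "987",                          # never stored
    "amount_usd": "25.00",
}

# Fields that must never reach storage, per the policy above.
FORBIDDEN_AT_REST = ("card_number", "cv2", "track_data")


def normalize_pan(raw: str) -> str:
    """Strip spaces and hyphens; require a 13-19 digit card number."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13-19 digits")
    return digits


def mask_pan(raw: str) -> str:
    """Keep first four and last four digits; X out everything between."""
    pan = normalize_pan(raw)
    return pan[:4] + "X" * (len(pan) - 8) + pan[-4:]


def build_stored_record(submission: dict) -> dict:
    """Drop forbidden fields; keep only the masked number for reporting."""
    record = {k: v for k, v in submission.items() if k not in FORBIDDEN_AT_REST}
    record["card_masked"] = mask_pan(submission["card_number"])
    record["card_last4"] = record["card_masked"][-4:]
    return record


def receipt_text(record: dict) -> str:
    """The emailed receipt shows the last four digits only."""
    return (f"Thank you, {record['name']}. Your gift of ${record['amount_usd']} "
            f"was charged to the card ending in {record['card_last4']}.")


def leaks_secret(record: dict, submission: dict) -> bool:
    """True if the full card number or CV2 appears anywhere in the stored JSON."""
    blob = json.dumps(record)
    return normalize_pan(submission["card_number"]) in blob or submission["cv2"] in blob
```

The same check belongs wherever a record leaves the request path (database rows, log lines, support tickets), since a masked field in one table is undone by a full number in a debug log.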

All communication between the donor and the system is encrypted with a 128-bit security key from GeoTrust. The following sites are secured with 256-bit encryption:

  • Payment Processing System: Donor interface
  • Payment Management System: Administrator interface
  • Payment Management System: Application interface
  • Web Content Management System: Administrative interface
  • Support System

As a matter of policy any web interface that allows for exchange of information between the public and the company is secured with the highest encryption key publicly available.

See also our TRUSTe privacy statement for details about our privacy policy.

Backups & Storage

Backup tapes and media are encrypted and stored in fireproof safes at the company and offsite in a safe deposit box.

Integrity

Data integrity is ensured through real-time backup of any changed state. Balancing of accounts and maintaining zero discrepancy between transactions in our system and that of the bank, on an hourly basis, ensure the highest degree of data integrity and validation.

All processes are manually checked and balanced by the accounting department prior to batch submission to the bank. All transactions are checked against our proprietary fraud detection and pattern algorithm prior to settlement.
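As an added illustration of the hourly balancing described above (example code written for this page, not Click & Pledge’s own), the function below compares an hour of our ledger against the bank’s report for the same window and lists every discrepancy; an empty list is the “zero discrepancy” condition. The transaction ids and amounts are constructed sample data.

```python
from decimal import Decimal

# Constructed sample data: our ledger for one hour and the acquiring bank's
# report for the same window. Each entry is (transaction_id, amount).
OUR_LEDGER = [
    ("T1001", "25.00"),
    ("T1002", "100.00"),
    ("T1003", "10.00"),
    ("T1004", "50.00"),
]
BANK_REPORT = [
    ("T1001", "25.00"),
    ("T1002", "100.00"),
    ("T1003", "10.50"),   # amount disagrees with our ledger
    ("T1005", "75.00"),   # bank has it, our ledger does not
]                         # T1004 is missing on the bank side


def reconcile(ours, bank):
    """Return a list of (transaction_id, kind, our_amount, bank_amount).

    kind is "missing_at_bank", "missing_in_ledger" or "amount_mismatch".
    An empty list means the hour balances with zero discrepancy.
    """
    ours_by_id = {tid: Decimal(amt) for tid, amt in ours}
    bank_by_id = {tid: Decimal(amt) for tid, amt in bank}
    if len(ours_by_id) != len(ours) or len(bank_by_id) != len(bank):
        raise ValueError("duplicate transaction ids in input")
    findings = []
    for tid in sorted(ours_by_id.keys() | bank_by_id.keys()):
        our_amt, bank_amt = ours_by_id.get(tid), bank_by_id.get(tid)
        if bank_amt is None:
            findings.append((tid, "missing_at_bank", our_amt, None))
        elif our_amt is None:
            findings.append((tid, "missing_in_ledger", None, bank_amt))
        elif our_amt != bank_amt:
            findings.append((tid, "amount_mismatch", our_amt, bank_amt))
    return findings


def totals(ours, bank):
    """Totals alone can hide offsetting errors; report them beside the detail."""
    return sum(Decimal(a) for _, a in ours), sum(Decimal(a) for _, a in bank)


def balanced(ours, bank) -> bool:
    """True only when every transaction matches on both sides."""
    return not reconcile(ours, bank)
```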

Fraud Detection & Cancellation

Our proprietary algorithm for fraud and pattern recognition protects the organization against fraudulent charges. Fraud charges are voided at no cost to customers. As a matter of policy, when enough information is available, the card holder is contacted or the issuing bank is notified.

Availability

In a SaaS environment, availability does not refer to a single component. Any aspect of the operation can seriously change the availability of the entire system. Network access starts from the primary provider (e.g. Sprint, AT&T, etc.) to the perimeter routers and the company’s network switches, firewalls, servers and clusters. To ensure 24x7 operations, a network must be designed with redundancies and failover clusters.

Network

Our company’s bandwidth is serviced by two separate providers with failover switching. Switching at the network perimeter is done through failover routers.

The network availability is monitored from Hong Kong, London, and San Diego on a constant basis. Anomalies in network access time are reported to on-call network administrators on a 24x7 basis.

The Click & Pledge network is also monitored by an outside security firm. All traffic is monitored in real-time. Perimeter IPS and network firewalls are all designed with failover and redundancy.

Servers

Primary servers are all in a cluster or load balancing configuration depending on role and function. Load balancing allows for a high level of availability during peak demand times. Clustering allows for safe failover in case of hardware failure or maintenance.

Overall Availability

The network experienced a total of 2 minutes combined downtime between 3 a.m. and 5 a.m. EST in 2005. The downtimes were planned switches between clusters and were done during the a.m. hours to reduce their effect on clients.

Certification & Testing

As stated earlier in this discussion, ClickandPledge adheres to the highest security standards and is PCI/CISP certified. PCI/CISP certification is performed on a quarterly basis and is required by all tier 1, 2, and 3 providers. More on the topic of PCI can be found at the Visa and Master Card web sites.

The PCI/CISP requirements mandate the following terms as prerequisites for certification consideration:

  • Click & Pledge does not store magnetic stripe (i.e., track) data anywhere on ANY of our systems.
  • Click & Pledge does not store the 3-digit CV2 code anywhere on ANY of our systems.
  • Click & Pledge does not store the credit card number anywhere on ANY of our systems.

One of the many services provided by our company is recurring transactions. Using transaction replication we perform recurring transactions without storing credit cards while satisfying the highest security standard.

We hope the above discussion helps you understand what the word “secure” means and what questions you should be asking of your potential vendor. Whether you choose Click & Pledge or another vendor, we strongly suggest that you ask the following questions:

  • Is the company PCI / CISP compliant? Is the certification shared with their acquirer (e.g. bank)? If not, there is no point in asking these additional questions.
  • Does the company have redundant network providers?
  • Does the company have clustered and redundant servers?
  • How is the company’s network monitored? (while the employees are sleeping)
  • What is the network access time and availability? Can the company provide samples of their monitoring report?

In recent months Visa, Master Card, Discover, and American Express have been taking security a lot more seriously than they used to. In this process their demands and requirements are becoming more stringent, with fines of up to $500,000 for non-compliant providers.

Security is no longer a feature, it is a requirement. You should know what “security” means and you should demand it. PCI compliance should be a prerequisite for any vendor you consider as a partner for your online presence.


2000 - 2008 Copyright Click & Pledge. All rights reserved.
2200 Kraft Drive, Suite 1175, Blacksburg, Virginia 24060 USA | 540.961.9811