New “Getting your head round PCI Compliance” Course April 7, 2011
Posted by charitysolutions in charities, charity IT, General, PCI DSS, Uncategorized. Tags: PCI compliance, PCI DSS
Just a quick update for our UK readers who take credit card payments and donations.
If you (or anyone you work with or for) are still having trouble getting your head round all the PCI Compliance rules, regulations, red tape and general annoyance, or if you have recently taken on new staff who missed all the training first time round, you might be interested in the PCI Foundation Course being run in May by IT Governance. (Similar courses are scheduled later in the year if you are reading this after May!)
The course is designed for anyone with any responsibility for, or involvement in, your organisation’s PCI DSS compliance activities, and anyone involved in information security management generally. It has been created and designed by a former QSA (Qualified Security Assessor) who knows all the ins and outs of PCI compliance and aims to give you a comprehensive and practical coverage of all aspects of implementing the PCI DSS in the “real world” – rather than just on paper where everything is always so much easier!
It is designed to help you develop an efficient, cost-effective plan for meeting the PCI compliance standards. You can find out more about it here: PCI Foundation Training Course
Just to be clear, the link above is an affiliate link, which means you get the same price (and discounts) as anyone else visiting the IT Governance website directly, but if you do choose to book, IT Governance pay us a small commission for letting you know about them. But regardless of whether they pay us or not, we would still be telling you about this because we know how much of a pain PCI Compliance is for a lot of charities and we think this course can help.
Is it Time To Buy a Server? April 5, 2011
Posted by charitysolutions in charity computers, charity IT, General, Servers, Uncategorized. Tags: charity computers, charity IT, charity software
We are often asked to help small UK charities who feel (or have been told) that it is time to invest in their first server.
Though there are huge advantages in having a server, there are significant time and cost implications, so it isn’t a decision to be taken lightly or rushed into – in some cases a server isn’t even really what is needed. So we thought it was high time we updated our (sadly recently neglected!) blog with a few posts to help you make the decision and, if you decide it is right for your charity, implement it.
Firstly, let’s start with the basics. What is a server?
A server is basically just another computer, designed to provide a number of centralised control and storage features – more details below.
You could use a “normal” workstation PC or laptop as a server, but it is better if at all possible to buy a machine designed for the task. Unlike “standard” PCs and laptops, server hardware is especially designed to be left on 24/7 and often includes extra options to help keep things running if a fault develops – spare power supplies, fans, network cards etc. The more expensive servers also often have better hard disks (faster and/or with a better warranty), though sadly this is no longer always the case … more on that in a later post.
Another significant difference between servers and PCs/laptops is that servers don’t normally by default come with any operating system software – so when budgeting you need to make sure you include this extra cost. (And when you do, make sure you get the software with the biggest charity discount possible!)
Servers can be used for a variety of tasks including (depending on their capabilities) any number of the following:
- Central control of users – login names and passwords, access rights etc
- Central storage of files
- Databases
- Remote access capabilities and control
- Website hosting
- Printer management
- Central management of antivirus and antispam programs
- … and lots more
But it’s unlikely (and not advised) that you get one server to do all of the above. You would need a pretty “high-spec” server to do it all effectively – and by putting all your “computing eggs in one basket” you would be risking major issues for your charity if the server ever went down.
In our next post we will look at whether a server is the right option for you or whether there could be a better/easier/cheaper solution for your specific needs. And in later posts we will cover more about how to choose the right server for your particular needs and budget.
But if you can’t wait that long just contact us (details on the About Us page) and we will be more than happy to go through the options with you and help you find the best solution for your particular organisation.
Dealing with PCI DSS Compliance Without Losing Your Sanity (or your entire IT budget) July 6, 2010
Posted by charitysolutions in charities, charity computers, charity IT, General, PCI DSS, Uncategorized. Tags: PCI compliance, PCI DSS
In our last post we explained that if your charity takes credit cards (either directly or via a third-party website where donations are taken under your merchant account) you need to sort out your PCI DSS compliance.
The number and size of the hoops you need to jump through depends on the number of credit card transactions you do. So at least if you are a small charity taking relatively few credit card payments, you won’t have to meet the same high-cost audit requirements as the huge retail organisations. Here is a very brief summary of the criteria you need to meet:
Level 1 – If you take over 6 million transactions a year, or your data has previously been compromised
- Annual Onsite Security Audit – either reviewed by a specially qualified adviser or (by prior agreement with your merchant provider) an Internal Audit signed by an officer of the company
- Quarterly network security scan by an Approved Scanning Vendor (ASV)
Level 2 – If you take 1,000,000 to 6 million transactions a year
- Annual Self Assessment Questionnaire
- Quarterly Scan by an Approved Scanning Vendor (ASV)
Level 3 – If you take 20,000 to 1,000,000 transactions a year
- Quarterly Scan by an Approved Scanning Vendor (ASV)
- Annual Self Assessment Questionnaire
Level 4 – If you take less than 20,000 transactions
- Annual Self Assessment Questionnaire
- Possible Quarterly Scan by an Approved Scanning Vendor (depends on your merchant provider’s specific requirements)
As you can see from the list above, even though PCI DSS is (supposedly at least) an agreed standard, its interpretation depends on your specific merchant provider – and so you need to double-check with them as to the exact requirements your charity needs to meet.
If you are not an IT compliance expert, the whole Self Assessment Questionnaire and Quarterly Scan thing can appear incredibly scary and time consuming.
There are a number of qualified experts out there (QSAs) who can help, and if you take enough credit card transactions to need to meet the higher-level criteria you are probably going to want to ask for their help, but (due to the training, certification and insurance requirements they themselves need to maintain) their services are not particularly cheap. So for smaller organisations, a DIY approach, probably with help from your internal or external IT experts, is going to be the most likely route to take.
As well as consulting your IT experts, there are a number of organisations who provide “fill in the gaps” type toolkits to help you complete your PCI DSS requirements with the minimum of pain, and a number of organisations who can provide those quarterly scans for a relatively low charge. Here are a couple we have looked at; an internet search will no doubt yield a lot more:
- IT Governance PCI Toolkit - A specially designed toolkit to help payment card-accepting organisations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2), containing a full set of documentation templates for all the mandatory PCI DSS policies.
- IT Governance ASV Scanning Service - Provides a fixed yearly contract service for scans by an Approved Scanning Vendor based on number of external IP addresses to be scanned – prices (at time of writing) from £165 for a one year contract for 10 scans per quarter across up to 5 IP addresses
Just to be clear, some of the links above are affiliate links – which means you get the same price (and discounts) as anyone else visiting the destination websites directly, but if you do choose to buy, the website owners pay us a small commission for letting you know about them. But regardless of whether they pay us or not, we would still be telling you about this because we know how much of a pain PCI Compliance is for a lot of charities and we think these products can really help.
Do You Take Credit Cards? Are You Prepared for PCI DSS? May 14, 2010
Posted by charitysolutions in charities, charity computers, charity database, charity IT, General, PCI DSS, Uncategorized.
Does your charity accept donations or payment via credit cards? If so, you will probably already know all about PCI DSS. But if you don’t, you will need to – VERY SOON!
If you store, process or transmit any cardholder data electronically or manually, then your organisation needs to comply with the Payment Card Industry Data Security Standard (PCI DSS) – and prove it - by 1st September this year. And if your organisation doesn’t comply, you run the risk of a massive fine.
PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., in order to ensure the broad adoption of consistent data security measures on a global basis.
It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures – all designed to help proactively protect customer account data.
It includes a whole range of requirements, including rules about what data you can and cannot store and what levels of security your organisation and systems network must meet.
It is important to realise that it covers your entire trading environment, including all third-party partners that store, process or transmit data for you as part of your credit card payment process. Third parties include:
- Resellers
- Till vendors
- EPOS vendors
- Software application providers
- Payment service providers
- Payment processing bureaux
- Data storage providers
- Web hosting providers
- Shopping cart providers
- Software vendors
You can’t just assume that your website host or any third-party organisation you use will deal with this – the buck stops with you and you will need to make sure that all your providers, facilities and software comply before you can achieve compliance.
More to follow soon ….