With the data breaches experienced last year by organizations and businesses such as Convio, many organizations got a rude awakening. Everyone was reminded of the sensitivity of the constituent data they store and of the potential damage to donor relationships if that data is compromised. When e-mail addresses and credit card numbers are not protected, constituents are badly served, and the organization risks losing the confidence of donors whose loyalty it has worked for years to foster. Although it is a difficult scenario to think about, the reality is that once donor data is compromised because of an organization's weak security, it may take many years to regain that donor's trust and commitment.
If you are a fund-raiser, data security probably does not cross your mind much; however, it is wise to periodically review how donor and prospect data is handled in the Raiser's Edge in order to safeguard your constituent relationships. The hard-to-swallow fact is that, in some cases, we have all sacrificed data security for user convenience: reluctance to change your Raiser's Edge password, for example. Now that more and more people access the Raiser's Edge remotely and from traveling laptops, it is essential to maintain strong security practices to protect the confidential data stored there.
Storing Credit Card Numbers by the Rule Book

Protect your donors by storing their credit card numbers according to the Payment Card Industry (PCI) Data Security Standards as set forth by MasterCard, Visa, American Express and Discover in September 2006.
• Only record the last four digits of the credit card in the Raiser's Edge
• Black out the Primary Account Number (PAN) on the remittances or physical hard copies that you file away (leave only the last four digits visible)
• Store all forms with credit card data and credit card receipts in a secure, locked location
• Do not store the card-validation code (the three-digit code on the back of the card)
• Limit the retention time for storing credit card data
• Shred all credit card data that has been stored beyond the established retention time
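As an added example (not from the original article), the Python helpers below apply the first two rules above to gift records before they are stored, and audit an existing database export for full card numbers that should have been truncated. The field names, the CSV layout and the sample rows are constructed for illustration and are not the Raiser's Edge schema.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: screens out phone numbers, gift IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Return only the last four digits, the form the article says to record."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return digits[-4:]

def sanitize_gift(gift: dict) -> dict:
    """Storable form of a gift record: last four digits kept, full PAN and CVV dropped."""
    stored = {k: v for k, v in gift.items() if k not in ("card_number", "cvv")}
    stored["card_last4"] = truncate_pan(gift["card_number"])
    return stored

def find_unmasked_pans(export_text: str) -> list:
    """Flag lines of an export that still hold a full, Luhn-valid PAN.
    Returns (line number, masked number) so the report itself exposes nothing."""
    hits = []
    for lineno, line in enumerate(export_text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((lineno, "*" * (len(digits) - 4) + digits[-4:]))
    return hits

# Constructed sample export: one row already truncated, one still holding a PAN
# (4111 1111 1111 1111 is the well-known Visa test number, not a real account).
SAMPLE_EXPORT = """gift_id,constituent,card,amount
G-1001,Jane Donor,1111,250.00
G-1002,Sam Giver,4111 1111 1111 1111,100.00
G-1003,Pat Patron,555-0100,75.00
"""
```

Running `find_unmasked_pans` over a nightly export gives a quick check that the "last four digits only" rule is actually being followed, without copying any full card number into the report.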
User Account and Password Security

Hackers often use default system passwords to break into your database. Make it harder for them to hack the system with the following recommendations:
• Change all default passwords before rolling out a system to users
• Have users change their passwords every 30-90 days
• Restrict access to sensitive parts of the database
• Deactivate user accounts immediately after the user leaves the organization
Source: Payment Card Industry (PCI) Data Security Standards