Nonprofits are not immune to concerns about data security. While issues of credit card fraud or data leaks are more publicized when they happen to a large for-profit corporation, nonprofits carry all of the same risks as for-profit corporations. As good stewards to your donors, volunteers, clients, and other constituents – you owe it to them to protect their data. The Payment Card Data Industry Security Standard, PCI Standard for short, is a baseline of technical and operational requirements to help you protect your constituents’ data and your organization from liability. This standard applies to any organization that stores, processes, or transmits cardholder data or other sensitive personal information.
There are 12 high level security concepts for PCI compliance, each with a set of subcategories and testing procedures. It can easily feel overwhelming! We are going to break down the 12 steps, provide some examples and best practices specific for Salesforce and nonprofits, and guide you to additional resources to provide more information. Please note that these comments and suggestions should not be considered legal or binding advice for achieving PCI compliance or system security. If you have specific questions or concerns about PCI compliance, we recommend working with a data security specialist. Use the concepts below to start the conversation at your organization, then figure out where you need more assistance.
Build and Maintain a Secure Network and System
Install and maintain a firewall to protect data.
This is something that may be controlled system-wide by your IT department, but they can benefit from your input. It is also a point that you should review with any vendors when data is being passed between systems. Limiting ports, protocols, services and their destinations reduces the number of doorways you must secure.
Immediately change vendor-supplied and default credentials and other security parameters.
Use the Salesforce password settings to ensure that users are setting secure and complex passwords and that the passwords expire at set intervals. Do not store or save your users’ passwords. And never, ever use any of the passwords you find on this list. Below are a few passwords you should never use:
Protect Cardholder Data
Most payment gateways that integrate with Salesforce pass minimal information into Salesforce so that you are not storing credit card data. Best practice is to not store any card data after it is authenticated with the payment gateway. This includes PINs, the last 4 digits of a card, and the expiration date. Leave the credit card processing to the companies who specialize in processing credit cards, but you should ensure that vendors are compliant with PCI standards. PCI compliance should be a top priority if/when you are selecting a new payment gateway.
Encrypt the transmission of cardholder data and sensitive information across public networks.
Never ask for a donor’s credit card information by email. Ensure that you are working with a PCI compliant vendor for all online donations, ticket sales, or any other transactions. And, just to say is again, never store a donor’s credit card number in Salesforce.
Maintain a Vulnerability Management Program
Use and regularly update antivirus software.
This would be controlled system-wide by your IT department as well as something you should review with any application providers who may store, process, or relay your data.
Develop and maintain secure systems and applications.
Keep your Salesforce system and related applications up to date. Stay tuned to Trust.Salesforce.com for maintenance, releases, and Salesforce system performance. Read the Salesforce newsletters and the newsletters from your other application providers so you know about update schedules and requirements.
Implement Strong Access Control Measures
Restrict access to data by business need-to-know basis.
In Salesforce and your other systems that store donor information, limit the number of system administrators. Employ user profiles or roles of least privilege. Avoid sharing login information to ensure that users have access only to the data they require.
Identify and authenticate access to system components.
Don’t share Salesforce credentials! Unique credentials ensure everyone is accountable to their own actions within Salesforce and other systems where they authenticate.
Restrict physical access to cardholder data.
If for any reason you keep card holder data in hard copy. Say, for example, a donor reply envelope that is processed by a virtual terminal – destroy (shred) the envelope or piece of paper as soon as the transaction is authenticated and processed. If for any reason you keep personal information, ensure strong physical security measures such as keeping file cabinet locked. This is one of the riskiest areas for nonprofits, especially those who conduct transactions at any kind of live event. There is a reason that you don’t see the carbon copy credit card “processors” being used anymore – maintaining cardholder paper trails leaves your organization and your donors vulnerable.
Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data.
Review the login history to Salesforce and other systems on a weekly basis. “Out of the box” Salesforce has several administrative reports to show your organization’s login history. You can also see this data on the individual user profiles. If there have been significant password failure login attempts, investigate!
Regularly test security systems and processes.
In Salesforce, a great example of security settings that require regular testing are IP restrictions, password reset and complexity policies, organization-wide defaults and sharing settings, field level security, and other access-related permissions and settings. Regularly test these settings to ensure that they are operating as expected.
Maintain and Information Security Policy
Maintain a policy that addresses information security.
This one is all about documentation. Be sure to document where and how things are stored and who has access to what information. Then, of course, make sure you adhere to your policy.
Want to read more about security? Check out these great posts: