Wednesday, July 18, 2012

FYI: Minority Resources....Money & More

Provided by the Office of Minority Health Resource Center's Information Services Team
July 18, 2012

OMH /The HOGG Foundation Release New Report

The latest paper from OMH and the HOGG Foundation looks at integrating culturally competent care into the locations minority populations currently visit in order to provide care that fully meets behavioral health needs. Enhancing the Delivery of Health Care [PDF | 317KB].


Funding

Federal Grants

  • HHS/National Institutes of Health: Physical activity and weight control interventions among cancer survivors: Effects on biomarkers of prognosis and survival (R01) Grant. View Full Announcement
  • HHS/Centers for Medicare & Medicaid Services: Strong Start for Mothers and Newborns. View Full Announcement [PDF | 580KB]
Minority Population Specific: $500k or more . . .  
  • HHS/National Institutes of Health: NIMHD Transdisciplinary Collaborative Centers for Health Disparities Research (U54) Grant. View Full Announcement
$500k or more . . .  
  • HHS/Centers for Disease Control and Prevention: Tuberculosis Regional Training and Medical Consultation Centers Grant. View Full Announcement
  • HHS/Health Resources & Services Administration: Affordable Care Act - Maternal, Infant and Early Childhood Home Visiting Program Grant. View Full Announcement
  • HHS/Centers for Disease Control and Prevention: PPHF 2012: National Diabetes Prevention Program: Preventing Type 2 Diabetes Among People at High Risk financed solely by 2012 Prevention and Public Health Funds. View Full Announcement
  • HHS/Centers for Disease Control and Prevention: National Organizations for Chronic Disease Prevention and Health Promotion: CDC-RFA-DP10-1008 Grant. View Full Announcement
  • HHS/National Institutes of Health: Tobacco Centers of Regulatory Science for Research Relevant to the Family Smoking Prevention and Tobacco Control Act (P50) Grant. View Full Announcement
  • HHS/Health Resources & Services Administration: Affordable Care Act - Maternal, Infant and Early Childhood Home Visiting Program. View Full Announcement
$500k or less . . .  
  • HHS/National Institutes of Health: Research on Children in Military Families: The Impact of Parental Military Deployment and Reintegration on Child and Family Functioning (R13) Grant. View Full Announcement
  • HHS/National Institutes of Health: Advancing Community-level Approaches to Reduce HIV Infection in Highly Impacted Communities (R01) Grant. View Full Announcement
  • HHS/National Institutes of Health: Development and Testing of Novel Interventions to Improve HIV Prevention, Care, and Program Implementation (R34) Grant. View Full Announcement
  • HHS/Centers for Disease Control and Prevention: Secretary's Minority AIDS Initiative Funding for Care and Prevention in the United States (CAPUS) Demonstration Project. View Full Announcement [PDF | 198KB]
  • HHS/Health Resources & Services Administration: Social and Behavioral Interventions to Increase Solid Organ Donation Grant. View Full Announcement
  • HHS/National Institutes of Health: Addressing Needs of Informal Caregivers of Individuals with Alzheimer's Disease in the Context of Sociodemographic Factors (R01) Grant. View Full Announcement
  • HHS/Centers for Disease Control and Prevention: PPHF 2012: Health Care Surveillance/Health Statistics - Surveillance Program Announcement: Behavioral Risk Factor Surveillance System Financed in part by 2012 Prevention and Public Health Funds. View Full Announcement

Non Federal Grants

$500k or less . . . 
  • The American Sleep Medicine Foundation: Humanitarian Projects Awards. View Full Announcement
  • Robert Wood Johnson Foundation/Pew Charitable Trusts: Health Impact Project call for proposals (CFP) to support two types of health impact assessment (HIA) initiatives: 1) HIA demonstration projects that inform a specific decision and help to build the case for the value of HIA; and 2) HIA program grants to enable organizations with previous HIA experience to conduct HIAs and develop sustainable, self-supporting HIA programs at the local, state, or tribal level. View Full Announcement

Events

  • Partnerships for Environmental Public Health: Webinar. Hydraulic Fracturing and Environmental Public Health. July 20, 2012 from 12:00 pm - 1:30 pm ET. Learn More

American Indians/Alaska Native Health

Events

  • Native American Rehabilitation Association of the Northwest: Spirit of Giving Conference. "Embracing the 7 Generations." July 29, 2012 - August 1, 2012 in Portland, OR. Learn More

Cultural Competency/LAS

Events

  • Cross Cultural Health Care Program: Training. A Cultural Competency Training of Trainers Institute. October 1 - 5, 2012. Learn More

Diabetes

Events

  • American Diabetes Association: 5th Disparities Partnership Forum. Overcoming Diabetes: Diabetes Care in High Risk Populations. October 22 - 23, 2012 in Washington, DC. Learn More

Health Care

Events

  • National Academy for State Health Policy: 25th Annual State Health Policy Conference. Promoting Excellence Today and Tomorrow. October 15 - 17, 2012 in Baltimore, Maryland. Learn More
  • NIHCM Foundation: Webinar. Fostering Healthy Families Through Stable Housing: The Role of the Health Care System. July 26, 2012 from 1:00 pm - 2:30 pm EDT. Learn More

Health Equity

  • HHS: New report released. HHS LGBT Issues Coordinating Committee 2012 Report. Read Full Report

Events

  • The University of Pittsburgh/Drexel University's Centers for Public Health Practice: One-day training. Communicating Public Health Messages Through the Media. September 19, 2012 in State College, Pennsylvania. Learn More

Hepatitis

  • CDC: New MMWR report released. Updated CDC Recommendations for the Management of Hepatitis B Virus. Infected Health-Care Providers and Students. Read Full Report

Hispanic/Latino Health

Events

  • The Hispanic Association of Colleges and Universities (HACU): 26th Annual Conference. Championing Hispanic Higher Education Success: Advancing Access and Opportunity in a Changing Environment. October 20 - 22, 2012 in Washington, DC. Learn More

HIV/AIDS-STDs

  • CDC: New national communication campaign launched. Let's Stop HIV Together. Learn More

Events

  • HHS/Regional Resource Network Program: Regional Meeting. Region III National HIV/AIDS Strategy Meeting. August 2, 2012 from 8:30 am - 4:30 pm in Philadelphia, PA. Learn More
  • International AIDS Society: 2012 International AIDS Conference. Turning the Tide Together. July 22 - 27, 2012 in Washington, DC. Learn More

Oral Health

Events

  • Healthy Mothers, Healthy Babies Coalition: Webinar. Oral Health Care During the Perinatal Period. July 23, 2012 from 2:00 pm - 3:30 pm EDT. Learn More
  • HDA, NDA & SAID: Multi-Cultural Oral Health Summit. Collectively Meeting the Needs of a Diverse Population to Improve Oral Health. July 20 - 24, 2012 in Boca Raton, Florida. Learn More

Women's Health

  • Commonwealth Fund: New report released. Oceans Apart: The Higher Health Costs of Women in the U.S. Compared to Other Nations, and How Reform Is Helping. Read Full Report

Opportunities for Public Comment

  • Maryland Office of Minority Health and Health Disparities: Request for Public Comment. Health Enterprise Zone draft documents. Learn More

Tuesday, July 17, 2012

A Few Good Methods for Processing Credit Cards


Tips for nonprofits and libraries to process credit card transactions both online and off


By: Laura S. Quinn and Kyle Andrei
August 15, 2011


This article — originally written in 2008 — is courtesy of Idealware, which provides candid information to help nonprofits choose effective software. For more articles and reviews, go to www.idealware.org.
Once you’ve read through the different methods for processing credit cards, read Getting the Best Prices for Processing Credit Cards to understand rates and fees from credit card processing vendors.

Accepting payments by credit card is not necessarily difficult or expensive. We provide some tips and tools to process credit card transactions, both on- and offline, for organizations of all sizes.

Maybe you’re hoping to process payments made by donors over the phone, or to allow on-site registration at your next conference. Perhaps you want to take credit card payments at a T-shirt booth at a concert, your library’s gift shop, or a craft fair or farmer’s market. What’s involved?

The world of credit cards is complex, and there are a number of ways to accept them as payment — some of which require different types of hardware and software, and relationships with banks. We talked to six nonprofit staff members and consultants with a lot of experience in credit card processing to better understand the options and combined their recommendations in this article.


Security First and Foremost

Taking credit card payments requires you to sign an agreement to uphold the Payment Card Industry Data Security Standard, commonly known as PCI requirements. Any method will require some vigilance, like making sure payment hardware and software is secured, but some will be more security-intensive than others. For instance, using a card imprinter (described below) will require that you document and enforce procedures for handling and subsequently destroying imprinter slips, while using a terminal or online payment method — which makes it harder for anyone to get at credit card information — requires less of a security effort.

Violating the PCI requirements can result in a substantial fine and the loss of your ability to accept credit card payments. If the information gets into the wrong hands, you also risk losing your constituents’ trust.


Three Steps to Processing Credit Cards



Weighing your options for processing credit card payments requires a basic understanding of how the system works. The multiple steps are complex, and can involve a number of different vendors and entities.
  1. Collect and enter credit card information. In order to process a payment, you’ll obviously first need to collect the credit card information from the person making the payment and transfer it — either electronically or manually — to a service that can actually process it. This step can range from writing down the card information and sending it to your bank to typing it into an online system or swiping the card through a specific kind of hardware.
  2. Authorize and commit the charge. Once the payment information is entered, it's transferred electronically to a payment processor, which authorizes it by checking that the card account exists and has enough available credit to cover the charge. The processor then charges the card. Whichever method you use, you'll have some kind of processing specialist in the mix who manages the electronic flow of money for credit card transactions. They typically do very little else, so they tend to work hand-in-hand with another system that provides the interface for entering information and handles any other needed functionality.
  3. Deposit money to bank account. Once the card has been charged, there’s a critical step: receiving the money. The payment processor always deposits the money in a bank account called a “merchant account.” Money is then automatically transferred from your merchant account into a bank account from which you can actually withdraw it.
For most of the methods covered here, you’ll need to open a merchant account through your bank or one recommended by your payment processor. Like any bank account, you’ll want to shop around, as rates vary. These accounts define the base amount you’ll pay for each transaction.
Because credit card companies also charge a per-transaction fee, there will always be some fee involved, but the size and terms can vary substantially. For instance, a merchant account might charge you $25 per month plus 2.2 percent of each transaction — a good rate, applicable to an organization with a high volume of transactions. Or they might charge a simple 2.8 percent of each transaction with no monthly fee, which could be more appealing if you’ll have a low volume of transactions.
If you want to take online payments, make sure your merchant account allows them. You might want to choose an online payment vendor first and ask them for recommendations for a merchant account bank to make sure it’s compatible with your online payment method.

Credit Card Processing Methods

That’s how it works. But how do you start actually taking credit card payments? There’s a wide variety of methods, each appropriate to different situations.

Credit Card Imprinting Machines

Credit Card Imprinting Machine
The simplest way to process credit card transactions is also the one that's been around the longest. Imprinters, the little manual machines that press a carbon copy of the embossed card details onto a paper slip, capture the card information for you to process later. The downside is that, if a card is declined, you won't find out until long after the payer is gone, and you might have to work to track them down. You can generally get an imprinting machine for free, or for a small fee, from the bank where you opened your merchant account.
Imprinters are an easy and inexpensive way to collect information on site. However, you still need to process the charges later using one of the other methods, and there’s a substantial risk inherent in carrying imprinting slips around, as you’re essentially carrying a stack of credit cards. If you lose the slips, in the best case you’re out a bunch of payments. In the worst, you may have just funded some nefarious person’s taste for expensive electronics and exotic trips.
Imprinters make the most sense when you only need to take a few payments in some kind of temporary location. They’re a short-term, quick-fix type of processing method rather than something you’d use to process a volume of credit cards over a long period of time.

Bank Processing

If you’ve collected credit card information — via an imprinter or through mailed-in donation-via-credit-card forms — one of the most straightforward ways to process the charges, though likely not the cheapest, is to ask your bank to do it. Many banks will run these payments for organizations that have merchant accounts with them.
The payments are then deposited into your merchant account and make their way into your regular bank account within a few days. The bank is responsible for destroying the paper forms, reducing your risk. If you almost always receive your credit card payment information in paper, bank processing can make a lot of sense.

Credit Card Terminals

Credit Card Terminal
If you need to take a higher volume of payments in on-site situations, consider investing in a credit card terminal, also called a "swipe terminal." These small machines allow you to swipe a credit card, enter the payment amount on a keypad, and then process the payment — and, in many cases, even print out a receipt. In most cases, you can buy them for a couple of hundred dollars from the bank that hosts your merchant account, or rent one for a particular event. AuctionPay and sites like it rent terminals with a focus on nonprofit events. [Editor's Note: TechSoup offers discounted terminals and merchant accounts to nonprofits and public libraries through its programs with Dharma Merchant Services and Sage.]
Terminals may require a power source, though some run on batteries. They also need connectivity, generally a telephone line, to process credit cards in real time; some can store transactions and send them later, once a line is available. Unlike an imprinter, a terminal holds the card data inside the device rather than on paper slips and sends it straight to the processor, which makes it more secure and saves you from keying the data in later. If you use the store-and-forward mode, though, you still run the risk of not receiving payment for cards that turn out to be declined.
Terminals are widely used and effective in a number of different situations, from on-site events or a development office that needs to process a lot of phone credit card donations to gift-shop type settings. However, integrating terminals with other databases — say, to process a donation and record it at the same time to a constituent record — can be difficult. If you need to do a lot of this, one of the other methods might work better for you.

Mobile Devices

As an alternative to portable credit card terminals, smartphones and other mobile devices (like iPads) can now process transactions over 3G or wireless connections, either by manually entering card numbers or, with inexpensive additional hardware, by swiping cards directly. This functionality can be provided through a vendor like Square or Sage, or you can download a card reader app for free or at low cost.
This method has the advantage of portability, as you can process transactions anywhere you have phone reception, and requires less hardware to purchase provided you already have a smartphone or other mobile device. Vendors will often include a processing method, factored into the cost of the product, while the apps will work with online processing services like Authorize.Net.
There are security issues to consider, though. Does the app (and the swipe reader it works with) encrypt the card data at the moment it is captured, so that the full number never sits in plaintext on the phone or passes through it unprotected? When a card is swiped, does the screen show the full number, or only the last four digits? Are card numbers stored on the device at all? They shouldn't be. Remember, too, that if you plan to leave your device somewhere, like a storefront, it is much easier for a thief to walk off with than a credit card terminal, and a more attractive target, so lock it with a passcode and make sure it can be wiped remotely.

Swipe Hardware

To save time over manually entering every credit card transaction, consider hardware that lets you swipe cards. You can buy such devices to connect to a laptop or personal computer via USB, or to most mobile devices — even Apple products. They range in size from a basic, small card reader to something that can actually hold your mobile device, often extending battery life. These readers can run from about $20 to $150 or more. One mobile payments company, Square, provides its mobile card reader for free to new customers.

Virtual Terminals

A “virtual terminal” allows you to enter credit card and payment information into an online form and process it over the Internet. You can “rent” a virtual terminal from an online payment processing specialist, such as Authorize.Net, usually for some combination of a monthly fee and a percentage of the transactions.
Virtual terminals don’t often support swipe hardware, and thus require you to take the time to manually enter credit card information, and they don’t integrate easily with constituent management systems. Such limitations mean they’re probably not the best solution for processing a lot of payments, but they can be convenient options for processing a few payments if you have an Internet connection.

Online Payment Processors

A huge number of online payment vendors specialize in specific types of online payments. For instance, it’s easy to find vendors who support online donations, event registration, or item purchases. While these vendors typically provide an interface optimized for your constituents to submit payments on their own, most work perfectly well to allow your staff to process payments as well.
Does your staff get registration requests by phone? There’s no reason they can’t enter credit card information into the same interface a registrant would use to register themselves. Just make sure that any automatic emails sent out to the registrant make sense in either situation. This method might even work for in-person scenarios — for example, to process on-site registrations, or sell a few items in a store. Keep in mind that unless you buy some compatible swipe hardware, you’ll need to type in credit card information by hand. This may seem odd to the person paying, as it’s more typical to swipe a card in this situation.
These online payment specialists often offer a number of features specific to their focus area. For example, an event registration tool might allow you to easily track lunch requests and print name tags, while online donation software might support pledges and tribute gifts. For more information, see our specific articles on this topic: A Few Good Online Payment Multitaskers and A Few Good Online Event-Registration Tools.

Payment-Enabled Software

If you’re processing payments that need to interface directly with constituent management software, like donations or membership fees, many mid-tier and advanced software packages let you process payments directly from that software. For example, DonorPerfect, eTapestry, and Raiser’s Edge, three of the more popular donor management systems, all allow you to enter payment information into the software and then process the payment and create a record for it in one step. Both DonorPerfect and eTapestry are available for donation to eligible organizations through TechSoup.
This convenient option lets organizations process a high volume of a single type of payment, and saves time-consuming double-entry. Like online payment processors, this solution might also work for in-person scenarios, but is optimized for over-the-phone transactions.

Point-of-Sale Solutions

If you want to take credit cards in a permanent physical location like a gift shop, registration desk, or at cashier station, consider more hardware-intensive options. You’ll certainly want a way to swipe cards and print receipts. You could do both with a credit card terminal, or use separate swipe hardware and a receipt printer. You may also want to add up a number of items and calculate taxes, which terminals typically won’t do. If you often sell a number of items to one person, you may want a price scanner and a display pole (the small screen that displays what you’re ringing up to the customer).
If you’re heading down this path, point of sale software such as CamCommerce or Keystroke starts at a couple of hundred of dollars and helps you integrate all the hardware you’ll need. It’s also very helpful at managing actual inventory.

How to Decide

With so many options, how do you decide what will work for you? Think through the following considerations:
  • Will you have access to the actual, physical credit card? Having cards in hand will save you time. For any volume, you’ll want a method that will allow you to swipe the card rather than typing in numbers, and to print a receipt.
  • Will you have power and connectivity? Processing credit cards without an Internet connection substantially limits your options. Similarly, if you don’t have a phone line, you’ll need to use an imprinter, mobile device, or specialized terminal.
  • Does the transaction need to be stored in your constituent management system? Processing donations or membership renewals that need to be tracked in another piece of software means integration should be a key concern. Payment-enabled software, an online payment processing solution, or a point of sale setup can help.
  • Is this a short-term, low-volume need, or a permanent high-volume setup? The right hardware and integration with other systems can be a big time-saver, but they require some initial up-front investment. Does it really makes sense to use a quick and dirty method like an imprinter or virtual terminal, or will investing in a more-efficient solution save money in the long run?
  • Do you need to store credit card numbers? Doing so in any format requires strict and specific security measures under PCI requirements, and unless you have a thorough understanding of the regulations and have spent the time and money to create a system that is in compliance, you’ll want to use an online payment processor or payment-enabled software to handle recurring transactions.
  • What will your constituents expect? Don’t forget this important consideration. Be careful of methods that require you to gather someone’s life story in order to run a simple payment, or require your staff to go through strange and time-consuming machinations with a constituent standing in front of them.
It can be complicated to understand your options in processing credit cards. Many of the methods themselves are actually quite straightforward, however, and every organization should be able to find one that’s suitable. Whether you’re taking donations, registering members or attendees, selling T-shirts, or running a complex retail organization, there’s a method that will allow you to take credit cards straightforwardly and securely.

Thanks to the nonprofit technology professionals who provided recommendations, advice, and other help for the original and updated articles.




Laws for Organizations that Accept Online Payments


Editor's Note: This article was originally published in February 2007, and was updated by Carlos Bergfeld, a web content writer at TechSoup Global.

Because of credit card theft, identity theft, and other online criminal activity, organizations that handle credit card data are required, by state laws and by the card brands' industry standard (which is written into every merchant agreement), to protect sensitive information or risk fines and penalties.

Many of these laws affect large e-commerce outfits, but nonprofits accepting online donations or dealing with certain types of personal information should also take certain precautions to keep data safe.

Not-So-Secret Identity

Online identity thieves can steal credit card numbers, Social Security numbers, online banking passwords, and other information linked to a person's identity. They can use this information to purchase goods, access bank accounts, and take out loans or mortgages in someone else's name.

Identity thieves also resell stolen identities on a bustling black market conducted in Internet chat rooms. The going rate for a credit card number, the account holder's date of birth, and the card's three- or four-digit security code is $20, according to a CNN.com article.

How bad is the problem? More than 260 million records containing sensitive information have been exposed since January 2005, according to the Privacy Rights Clearinghouse, a website that tracks security breaches.

Every organization that accepts credit cards or other personal information through its website should encrypt that information as it crosses the Internet, which in practice means serving the payment pages over HTTPS (TLS). That is necessary but not sufficient: thieves rarely bother to intercept data in transit. Instead, they break into Internet-connected computers where the data is stored, or simply steal the physical machines that hold it.

Laws Mandate Data Protection

Regulatory bodies and U.S. states have reacted to the identity theft crisis by creating rules and laws governing how personal information is to be protected and when organizations are obligated to publicly report a data breach.

Nonprofit organizations that accept credit card donations should pay particular attention to the Payment Card Industry Data Security Standard (PCI DSS) and state identity theft and breach notification laws.

The PCI DSS, which provides explicit guidelines for securing credit card information, was created by credit card companies MasterCard, Visa, American Express, JCB, and Discover after these organizations formed the PCI Security Standards Council.

These rules affect any organization — regardless of size — that processes, stores, or transmits credit card data. An organization that fails to comply with the standard and suffers a data breach may be fined by its acquiring bank (the bank that processes its transactions), which passes on penalties from the card brands. Nonprofits should contact their bank or card processor to find out how they are expected to validate compliance, since that, rather than whether the standard applies, is what varies by organization.

Different Rules for Different Organizations

Those organizations required to comply with the standard are categorized into four levels according to their annual number of credit card transactions.

For instance, Level 1 merchants (those processing more than six million transactions a year) must have their compliance validated by an on-site assessment from a qualified third-party auditor, and must also undergo quarterly external vulnerability scans. These scans probe the merchant's Internet-facing systems for known software vulnerabilities that an attacker could exploit and check the configuration of security devices such as firewalls and intrusion detection systems.
Level 2 includes merchants that process one million to six million transactions per year. Level 3 is 20,000 to one million e-commerce transactions, and Level 4 is fewer than 20,000 e-commerce transactions (or up to one million transactions of any kind). These thresholds follow Visa's definitions; the other card brands publish their own, similar ones.

Level 4 organizations don't have to hire a third-party auditor. Instead, they can perform a self-assessment using a questionnaire (SAQ) developed by the PCI Security Standards Council. There are several versions of the questionnaire, chosen according to how an organization handles card data (for example, whether it outsources all processing to a third party, uses only stand-alone dial-out terminals, or stores card data on its own systems), and all of them are available on the PCI SSC website. Level 4 organizations with Internet-facing systems in scope are also expected to undergo quarterly external vulnerability scans from a PCI DSS-qualified organization, known as an approved scanning vendor (ASV); the acquiring bank sets the exact validation requirements for Level 4 merchants. A list of all ASVs is available on the PCI SSC site, and your bank should be able to recommend an ASV as well.

The complete text of PCI DSS version 1.2, the current release when this article was updated, is available online. Later versions have since superseded it, so check the PCI SSC site for the release your bank expects you to follow.

Level 4 Requirements

Most nonprofits process fewer than 20,000 transactions and will fall into Level 4. The standard itself is the same at every level; only the validation effort differs. It consists of 12 requirements that cover a broad range of security issues, from network protection to access controls to creating an information security policy.
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other
    security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.
The full standard goes into significant detail on these requirements. For instance, Requirement 1 delves into firewall configuration; the creation of a DMZ (demilitarized zone, the common term for a separate network segment between the public Internet and your internal network, so that Internet-facing servers never sit on the same network as stored cardholder data); the use of network address translation so that your internal IP addresses are not exposed to the Internet; and the documentation of the ports and protocols your organization allows through the firewall.

Given the complexity of PCI DSS compliance, you should first contact your bank or credit card processor to ascertain what they require of you to validate compliance. The next step is to address each of the requirements laid out in the standard.

Essentially, this means you will identify where this information resides in your organization, according to David Taylor, founder of the PCI Knowledge Base, an independent research community focused on PCI DSS.

"We go into the organization and ask how many servers, how many databases, how many applications use credit card data," said Taylor. "Look at the data flow to figure out how it gets from here to there."

The next question to ask is how your constituents' credit card data is protected when it's stored in your organization's database, on the hard drive of one of your computers, or on backup media. Requirement 3 covers this: the card number (the primary account number, or PAN) must be rendered unreadable wherever it is stored, whether by strong encryption, truncation, hashing, or tokenization, and sensitive authentication data, meaning the full magnetic-stripe contents, the three- or four-digit security code, and the PIN, may never be stored after authorization, even in encrypted form. The same requirement limits what may be shown on screens and printed receipts to, at most, the first six and last four digits of the number.
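The scrubbing and masking logic below is an added example, not code from this page or from any vendor it names. It serves two points the page raises: the mobile-device questions earlier (does the app show the full card number, and is it stored anywhere it should not be) and Taylor's advice to follow the data flow to find where card data ends up. Given a few constructed log lines of the kind a careless registration or donation system might write, it finds primary account numbers that survived unmasked, using the Luhn check to separate card numbers from phone numbers and record IDs, and rewrites them to the first-six/last-four form that Requirement 3.3 permits on displays. The log lines, the function names, and the card numbers (the widely published Visa and MasterCard test numbers, not real accounts) are all assumptions made for the example.

```python
"""Find and mask primary account numbers (PANs) in free text.

Added example, not from the page or any vendor it mentions. The log
lines below are constructed; the card numbers are the widely used
Visa/MasterCard test numbers, not real accounts.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes and
# not adjacent to other digits. Luhn filtering happens afterwards.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS Req. 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found unmasked in text, as digit strings."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scrub(text: str) -> str:
    """Mask every 13-19 digit candidate, Luhn-valid or not.

    Discovery (find_pans) favours precision; scrubbing favours recall,
    because a mistyped card number in a log is still cardholder data.
    """
    return _PAN_CANDIDATE.sub(lambda m: mask_pan(m.group(0)), text)


# Constructed sample: what a registration/donation system might log
# if it were careless about card data. The phone number and IDs are
# there to show that plain digit-run matching is not enough.
SAMPLE_LOG = """\
2012-07-17 14:02:11 INFO donation id=8821 amount=50.00 card=4111 1111 1111 1111 status=approved
2012-07-17 14:03:40 INFO registration id=8822 phone=555-123-4567 card=************4242 status=approved
2012-07-17 14:05:02 WARN retry id=8823 card=4111-1111-1111-1112 status=declined
2012-07-17 14:06:15 INFO refund id=8824 card=5555555555554444 amount=-20.00
"""

if __name__ == "__main__":
    print("unmasked PANs found:", find_pans(SAMPLE_LOG))
    print(scrub(SAMPLE_LOG))
```

Run against the sample, `find_pans` reports the two valid card numbers and ignores the phone number, the record IDs, the already-masked card and the mistyped number on the declined line; `scrub` masks the mistyped number as well, on the principle that anything that looks like a card number should not remain in a log. The same two functions can be pointed at database dumps, exported spreadsheets, or backup files when you are mapping where card data has accumulated.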

Circumventing the Issue

For organizations concerned about the effort needed for PCI DSS compliance (which is likely to be significant for small organizations that don't have a dedicated IT or security expert on staff), there is an alternative.

"The simplest and cheapest way to get compliant with PCI is to not have the data," said Taylor.

Taylor recommends finding a third-party service to handle processing for you, so that you don't have to store credit card information on servers or databases that belong to you. Check with your bank to see if it can recommend a reputable service.

Of course, the processor will also have to be compliant with the standard. "Ask for a signature on a letter, or for a certification, which the company should be able to give you," said Taylor.

Another option is to use PayPal instead of accepting credit cards. PayPal, owned by eBay, brokers payments from one account holder to another over the Internet. Accepting donations through PayPal means organizations don't have to process or store credit card transactions — PayPal simply sends the money to the organization's account for a percentage of the transaction and a small fee. On the other hand, credit-card processing companies charge for their services, not per transaction. PayPal offers a special program for nonprofits called PayPal Donations.

PayPal is also established throughout the world, and supports payments in a variety of currencies (including the U.S. dollar, the Euro, the yen, and the Canadian and Hong Kong dollars), making PayPal an ideal option for international nonprofits. For more information, see PayPal Worldwide.

Other organizations offer similar services to PayPal, but tailored to the nonprofit community. A few of these offerings are available to eligible organizations through TechSoup, like BlackbaudNow and Network for Good. BlackbaudNow's fundraising starter kit provides small organizations with tools to create a donation-ready Web site, powered by PayPal. Similarly, Network for Good's internet fundraising services allow organizations with their own websites to add donation buttons so donors can make credit card contributions through the Network for Good secure web server. To find out about other third-party options, read Idealware's article A Few Good Online Payment Multitaskers.

Laws and Regulations by State and Overseas

Nonprofits must also be aware of U.S. and international laws dealing with the privacy of personal information, including credit cards, Social Security numbers, and bank account information. Now, 45 U.S. states have breach notification laws on the books.
The European Union has data privacy laws, known as Directive 95/46/EC (you can download a copy of the law in a variety of languages), but as yet the EU does not have breach notification laws.

Japan does have a breach notification law, called the Act on the Protection of Personal Information. An English translation of the law is available online.

While the PCI DSS standard lays out specific requirements for securing data, most state breach notification laws have a different purpose. Rather than tell organizations what steps to take to protect information, these laws compel businesses of all sizes to notify customers that information that could be used to perpetrate identity theft has been exposed.

The goal of these laws is to spur companies into protecting sensitive information more carefully, because organizations generally don't like to report data breaches. It's embarrassing, and may cost them in lost business, a damaged reputation, or even lawsuits. The same goes for nonprofits: You may lose both existing and potential donors if donors believe you aren't a good steward of their personal information.

Each state law will have its differences, which means you'll have to do some research depending on where your organization is based. Many state laws also require a company based in one state to report a breach if it exposes personal information of out-of-state residents.

California’s Data Breach Law

California's data breach notification law, SB 1386, requires that any person, business, or state agency with California residents as customers report a breach, even if that organization isn't located in California. Nonprofits that aren't based in the United States should consult a lawyer to determine whether they are liable under U.S. state laws.

SB 1386, which went into effect in 2003, provides a good example of the kinds of requirements you'll find in other state laws. It has also been touted as a model for potential federal legislation.
Some of the key provisions of the bill:

First, it compels organizations with California customers to notify those customers about known or suspected disclosure of personal information to an unauthorized person. SB 1386 defines personal information as a person's first name or first initial and last name, in combination with any of the following:
  • Social Security number
  • Driver's license number
  • Account number, debit or credit card number, plus whatever password allows access to the account
Notification can take any one of the following forms: a written notice, an electronic notice (email), or substitute notice if the cost of notification would exceed $25,000 or if more than 500,000 people would have to be notified. (Though this varies by state.) Substitute notification includes email, conspicuous posting on the organization's web page, or an announcement to statewide media.

Note that the bill says organizations don't have to disclose a breach if the disclosure would affect an ongoing criminal investigation. The obligation to notify customers is also lifted if the personal information was encrypted at the time of exposure.
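To make the trigger concrete, here is an added Python model of the SB 1386 provisions exactly as the article summarizes them: the name-plus-element definition of personal information, the encryption and criminal-investigation exemptions, and the substitute-notice thresholds. It is not from the article or from the statute text itself; the record field names, the sample records and the placeholder values in them are constructed for this example, and the dollar and headcount thresholds are the figures the article gives.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class ExposedRecord:
    """One row of the exposed data set. Field names are assumptions for this example."""
    first_name: str = ""        # full first name or just the first initial
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""
    account_number: str = ""    # bank account, debit or credit card number
    access_code: str = ""       # password/PIN that would allow access to that account


@dataclass
class Decision:
    notify: bool
    affected: int               # records meeting the personal-information definition
    method: Optional[str]       # how notice may be given, when notice is required
    reason: str


def is_personal_information(rec: ExposedRecord) -> bool:
    """SB 1386 definition as the article states it: a name (first name or initial plus
    last name) in combination with at least one listed element. A bare name, or an
    SSN with no name attached, does not meet the definition by itself."""
    has_name = bool(rec.first_name and rec.last_name)
    has_element = (
        bool(rec.ssn)
        or bool(rec.drivers_license)
        or bool(rec.account_number and rec.access_code)  # number alone is not enough here
    )
    return has_name and has_element


def notification_decision(records: Sequence[ExposedRecord], *, encrypted: bool,
                          cost_estimate: float, investigation_hold: bool = False) -> Decision:
    """Apply the trigger, the two exemptions and the substitute-notice thresholds
    described in the article ($25,000 notification cost or 500,000 people)."""
    affected = sum(1 for r in records if is_personal_information(r))
    if affected == 0:
        return Decision(False, 0, None, "no record meets the definition of personal information")
    if encrypted:
        return Decision(False, affected, None, "data was encrypted at the time of exposure")
    if investigation_hold:
        return Decision(False, affected, None,
                        "disclosure would affect an ongoing criminal investigation; revisit when it ends")
    if cost_estimate > 25_000 or affected > 500_000:
        method = "substitute notice: email, conspicuous web posting, or statewide media"
    else:
        method = "written or electronic notice"
    return Decision(True, affected, method, f"{affected} record(s) meet the definition")


# Constructed sample: placeholder identifiers, not real people or numbers.
SAMPLE_RECORDS = [
    ExposedRecord(first_name="J", last_name="Doe", ssn="000-00-0000"),                      # initial + SSN: qualifies
    ExposedRecord(first_name="Ana", last_name="Lopez", account_number="4111"),              # card number, no access code
    ExposedRecord(ssn="000-00-0001"),                                                        # SSN with no name
    ExposedRecord(first_name="Sam", last_name="Li", account_number="12345678",
                  access_code="hunter2"),                                                    # account + password: qualifies
]

if __name__ == "__main__":
    print(notification_decision(SAMPLE_RECORDS, encrypted=False, cost_estimate=1_000))
```

The point the model makes is that the count of records in the breached file is not the count that matters: only the rows that pair a name with a listed element drive the decision, and a single qualifying row is enough to require notice when the data was not encrypted.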

Because individual state laws will have their own definitions of personal information and their own notification triggers, organizations that store personal information should consult a lawyer about state and international breach notification laws.

The Urge to Purge

Collecting donor information is a standard procedure for nonprofits, but you must understand the risks associated with that practice, particularly for sensitive data such as credit card numbers. The most prudent policy to follow regarding such information, says Taylor, is, "You don't want to get it, and if you do get it, you don't want to keep it."

Tuesday, July 10, 2012

Cuba: Cholera cases


  • Posted on Monday, July 9, 2012

Cuba reports more cholera cases

Juan O. Tamayo | McClatchy Newspapers

The number of cholera cases confirmed in eastern Cuba jumped from 30 to 85 over the weekend but the death toll remained at three, one government official said, although independent reports put the number of deaths as high as 15.
As many as five other cases of cholera also were unofficially reported in Havana, and dissidents in Guantanamo near the eastern tip of the island reported cholera-like cases in Caimanera, a village on the edge of the U.S. naval base.
The state-owned TV station in Granma province, where the outbreak has hit hardest, suggested that residents avoid traveling outside the area, and trucks with loudspeakers urged them to boil water and wash their hands often, two residents said.
Public health officials in the British-run Cayman Islands, just south of Granma, issued an advisory against travel to Cuba, and U.S. Rep. Ileana Ros-Lehtinen, R-Fla., warned potential travelers that visiting the island "may put them at risk of becoming ill with cholera."
The U.S. Centers for Disease Control and Prevention in Atlanta had not issued any special travel notices on Cuba as of Monday evening. Its Web page recommends only general vaccinations, like those for Hepatitis A and B, typhoid fever and rabies.
Cuban government epidemiologist Ana Maria Batista Gonzalez told Granma's Telecentro TV station Saturday that 30 cholera cases had been confirmed in the province, then raised the number to 85 when she appeared again on the station Sunday, said Santiago Marquez, a doctor and dissident in the Granma town of Manzanillo.
A Cuban government statement July 3 - the only other official word on the outbreak - said 53 cholera cases had been confirmed and that the outbreak was "under control." There was no explanation for the conflicting numbers, although it's possible that the number 53 referred to cases in the southeastern region, not just Granma.
Batista also noted the number of suspected cases in Granma rose from 332 to 346, and more general cases of diarrhea and vomiting rose from 3,422 to 3,998, Marquez said.
Most of the cases have been recorded in Manzanillo and the provincial capital, Bayamo, as well as nearby municipalities of Niquero, Yara and Bartolome Maso, Batista said. All are along Cuba's southern coast, about 415 miles east of Havana.
Batista said the death toll remained at three - the same number the government reported on July 3. Bayamo dissident Yoandris Montoya said he had heard reports of five deaths and Marquez put it at about 10. Havana dissident Calixto Martinez has reported about 15.
Police continued a heavy security presence at area hospitals and relatives were not allowed to visit patients with cholera, Marquez said. He was fired from his public health job after he began speaking out against the government and his wife, Tania de la Torre, became a human rights activist.
Cholera was declared eradicated in Cuba no later than the early 1900s, but an ongoing outbreak in neighboring Haiti has killed more than 7,400 people and scores of Cuban doctors have worked there. A Florida woman and others in the Dominican Republic who visited Haiti came down with cholera in 2010 but survived.
Cholera is generally not fatal but can kill in a matter of hours when the diarrhea and vomiting cause dehydration, especially among the elderly. The three dead confirmed by the Cuban government were 60 or older.
©2012 The Miami Herald

Read more here: http://www.mcclatchydc.com/2012/07/09/155531/cuba-reports-more-cholera-cases.html#storylink=cpy

Monday, July 9, 2012

Homeland Security Department under congressional scrutiny


Davidson
There’s no summer vacation for Department of Homeland Security officials, who are again being called to Capitol Hill this week for hearings in the Senate and the House.
The Senate Homeland Security and Governmental Affairs Committee will hold two hearings, on Wednesday and Thursday, on the future of DHS.
“Ten years ago, the Department of Homeland Security was established in the wake of the worst attack on our homeland in living memory. Over the course of the decade, DHS has made great strides to protect Americans where we live and work,” said committee Chairman Joseph I. Lieberman (I-Conn.). “As a relatively new agency, however, there is plenty of room for improvement. We hope this series of hearings will help define future missions and goals for DHS as it prevents, prepares for and responds to all types of threats — natural or man-made.”
In the House, which has had numerous DHS hearings, Homeland Security subcommittees will hold three sessions on the department or its Transportation Security Agency (TSA).
On Tuesday morning, the subcommittee on border and maritime security will examine “How Can DHS Better Leverage State and Local Partnerships?”
On Tuesday afternoon, the subcommittee on transportation security will hold a hearing on “Challenging the Status Quo at TSA: Perspectives on the Future of Transportation Security.”
On Wednesday afternoon, the same panel will meet to explore the question: “Has TSA Met the Deadline to Provide Expedited Screening to Military Service Members?”
Previous columns by Joe Davidson are available at wapo.st/JoeDavidson. Follow the Federal Diary on Twitter: @JoeDavidsonWP

Sunday, July 8, 2012

DHS: Cybersecurity Team


Building a World-Class Cybersecurity Team

By Mark Weatherford, Deputy Under Secretary for Cybersecurity

Today, we are more connected to the Internet than ever before.  We depend on a vast array of interdependent networks for communication, travel, powering our homes, running our economy, and obtaining government services.  With so much of our daily lives dependent on cyberspace, cybersecurity has become an increasingly important part of DHS’ mission, just as it has become a larger priority for state and local governments, businesses, and individuals.

DHS continues to demonstrate our commitment to building the best cybersecurity team in the world by recruiting some of the most talented and experienced professionals available.  Since its creation, the Department has increased its cybersecurity workforce by more than 600 percent while working with universities to develop and attract talent through competitive scholarships, fellowships, and internship programs.

When I joined DHS about six months ago, I quickly realized that we could build on the strong foundation of the Department’s cyber workforce with new skills and leadership to grow and adapt in the face of an evolving cybersecurity environment.

It’s impossible to mention all of the dedicated cybersecurity professionals at DHS, but I’d like to highlight a few recent additions that have propelled us to higher standards and increased our capability as a department:
  • Mike Locatis is the new Assistant Secretary for Cybersecurity and Communications and comes to DHS from the Department of Energy where he was the Chief Information Officer.  He has a breadth of cybersecurity and communications experience across nearly every level of government and the private sector and has a history of charting organization transformations in the federal government.
  • Rosemary Wenchel has joined us as the new Deputy Assistant Secretary for Cybersecurity Coordination.  She will coordinate joint cybersecurity efforts between DHS and the Department of Defense.  Rosemary will also work with the Science and Technology Directorate to ensure the Department’s cybersecurity research and development efforts are fully coordinated with policy and operations. She served previously in DOD where she was responsible for Departmental activities pertaining to policy development, guidance, and oversight of Information Operations.
  • John Streufert joined DHS in January as the Director of our National Cybersecurity Division (NCSD).  John came to DHS from the Department of State (DOS), where he earned national accolades for the successful implementation of state of the art security solutions in federal departments, and transformed DOS’ security posture while enabling it to execute a world-wide mission.
  • Larry Zelvin just joined us as Director of the National Cybersecurity and Communications Integration Center, DHS’ 24x7 center to coordinate cyber awareness across government and the private sector.  Larry has experience at the National Security Staff and the DOD, where he has led interagency and stakeholder outreach related to operations. 
  • Dr. George Moore is the new Technical Director for NCSD and also comes to us from the Department of State.  Dr. Moore is a renowned expert in areas of standards and security controls and will be helping develop programs to bring new levels of security to the Federal Government.
  • Danny Toler is our Director of Network Resilience and a recognized expert in transitioning IT delivery toward solutions that are more holistic and integrated.  Danny came from the Department of State, and his leadership will be crucial in helping us develop cloud and managed security service solutions that result in new levels of efficiency across the government.
  • Ron Hewitt is the new Director of the National Communications System.  A recently retired Rear Admiral from the U.S. Coast Guard, Ron has an incredible track record of bringing together diverse communities to work together toward a common goal, particularly in the areas of information technology, communications, and first responders.
  • Tom Baer has come aboard as the Deputy Director of US-CERT.  Hailing from the Federal Bureau of Investigation where he was their Chief Information Security Officer, Tom is an expert in the areas of forensics and analysis and, with impressive leadership credentials, he is charged with broadening outreach efforts and intergovernmental coordination for US-CERT.
These new members of our vast cybersecurity team bring a wide array of experience and skills.  Building on the successes of our strong and robust team, we are taking the DHS cybersecurity program to new levels that will ultimately enhance the security and safety of our nation.
