Tuesday, July 17, 2012

Laws for Organizations that Accept Online Payments


Editor's Note: This article was originally published in February 2007, and was updated by Carlos Bergfeld, a web content writer at TechSoup Global.

Due to credit card thefts, identity thefts, and other unsavory online criminal activities, businesses that handle credit card data are required by state and international laws to protect sensitive information or risk fines and penalties.

Many of these laws affect large e-commerce outfits, but nonprofits accepting online donations or dealing with certain types of personal information should also take certain precautions to keep data safe.

Not-So-Secret Identity

Online identity thieves can steal credit card numbers, Social Security numbers, online banking passwords, and other information linked to a person's identity. They can use this information to purchase goods, access bank accounts, and take out loans or mortgages in someone else's name.

Identity thieves also resell stolen identities on a bustling black market conducted in Internet chat rooms. The going rate for a credit card number, the account holder's date of birth, and the card's three- or four-digit security code is $20, according to a CNN.com article.

How bad is the problem? More than 260 million records containing sensitive information have been exposed since January 2005, according to the Privacy Rights Clearinghouse, a website that tracks security breaches.

Every organization that accepts credit cards and other personal information through its website should encrypt that information as it crosses the Internet. But thieves typically don't bother to steal data during transmission; instead, they break into computers that are connected to the Internet, or simply steal the physical machines that store sensitive data.

Laws Mandate Data Protection

Regulatory bodies and U.S. states have reacted to the identity theft crisis by creating rules and laws governing how personal information is to be protected and when organizations are obligated to publicly report a data breach.

Nonprofit organizations that accept credit card donations should pay particular attention to the Payment Card Industry Data Security Standard (PCI DSS) and state identity theft and breach notification laws.

The PCI DSS, which provides explicit guidelines for securing credit card information, was created by credit card companies MasterCard, Visa, American Express, JCB, and Discover after these organizations formed the PCI Security Standards Council.

These rules affect any U.S. organization — regardless of size — that processes, stores, or transmits credit card data. An organization that fails to comply with this standard and suffers a data breach may be fined by the bank that processes the organization's transactions. Nonprofits should contact their bank or card processor to determine if they must comply with the standard.

Different Rules for Different Organizations

Those organizations required to comply with the standard are categorized into four levels according to their annual number of credit card transactions.

For instance, for Level 1 merchants (those processing more than six million transactions a year), compliance means being evaluated by a qualified third-party auditor. Level 1 merchants must also undergo quarterly security-assessment scans. These scans probe the merchant's network for common software vulnerabilities that an attacker could exploit and assess the configuration of security devices such as firewalls and intrusion detection systems.

Level 2 includes merchants that process one million to six million transactions per year. Level 3 is 20,000 to one million transactions, and Level 4 is fewer than 20,000 transactions.

Level 4 organizations don't have to hire a third-party auditor. Instead, they can perform a self-assessment using a questionnaire developed by the PCI Security Standards Council. There are five versions of the questionnaire, depending on the type of transactions an organization processes, and all questionnaires are available on the PCI SSC website. Level 4 organizations must also undergo an annual security assessment scan from a PCI DSS-qualified organization, known as an approved scanning vendor (ASV). A list of all ASVs is available here, and your bank should be able to recommend an ASV as well.

The complete copy of the PCI DSS version 1.2 is available online.

Level 4 Requirements

Most nonprofits process fewer than 20,000 transactions and will fall into Level 4. The standard consists of 12 requirements that cover a broad range of security issues, from network protection to access controls to creating an information security policy.
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.
The full standard goes into significant detail on these requirements. For instance, Requirement 1 delves into issues of firewall configuration, the creation of a DMZ (demilitarized zone, the common term for a buffer between the public Internet and your private network, in which your internal IP addresses are masked by the IP address of your firewall or firewalls), and the documentation of ports and protocols used by your organization.

Given the complexity of PCI DSS compliance, you should first contact your bank or credit card processor to ascertain whether you are obligated to comply. If you are, the next step is to address each of the requirements laid out in the standard.

Essentially, this means identifying where credit card data resides in your organization, according to David Taylor, founder of the PCI Knowledge Base, an independent research community focused on PCI DSS.

"We go into the organization and ask how many servers, how many databases, how many applications use credit card data," said Taylor. "Look at the data flow to figure out how it gets from here to there."

The next question to ask is how your constituents' credit card data is protected when it's stored in your organization's database or on the hard drive of one of your computers. For instance, Requirement 3 specifies the use of encryption for credit card numbers, including on any databases, PCs and laptops, and backup media containing sensitive data.
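Requirement 3 in practice, as an added example that is not part of the original article or of the PCI standard itself: a Go program that writes only a masked card number plus an AES-256-GCM ciphertext of the full number to the database, with the encryption key held outside the database. The record layout, the function names and the sample card number are assumptions made for this example; a real deployment would load the key from a key-management service rather than generating it in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is the only thing written to the donor database (assumed layout):
// a masked number for receipts and donor support, and an authenticated
// ciphertext of the full number. The clear PAN never lands on disk.
type CardRecord struct {
	MaskedPAN  string // e.g. "************1111"
	Ciphertext string // base64(nonce || AES-256-GCM ciphertext || tag)
}

// MaskPAN keeps only the last four digits; that is enough to identify a card
// to a donor and is useless for making a purchase.
func MaskPAN(pan string) string {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// newGCM builds an AES-256-GCM instance; the key must be exactly 32 bytes and
// must be stored apart from the database (a KMS or a separately protected file).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard encrypts the PAN under a fresh random nonce and binds the masked
// value to the ciphertext as additional authenticated data, so a record whose
// masked column has been altered fails to decrypt.
func StoreCard(key []byte, pan string) (CardRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	masked := MaskPAN(pan)
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(masked)) // nonce || ct || tag
	return CardRecord{
		MaskedPAN:  masked,
		Ciphertext: base64.StdEncoding.EncodeToString(sealed),
	}, nil
}

// RecoverCard decrypts a record; it is the only path back to the full number
// and should be reachable only by the process that actually needs it.
func RecoverCard(key []byte, rec CardRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pan, err := gcm.Open(nil, nonce, body, []byte(rec.MaskedPAN))
	if err != nil {
		return "", err // wrong key or tampered record
	}
	return string(pan), nil
}

func main() {
	key := make([]byte, 32) // in practice loaded from a KMS, never hard-coded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample number for the example, not a real account.
	rec, err := StoreCard(key, "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", rec.MaskedPAN, rec.Ciphertext)
	pan, err := RecoverCard(key, rec)
	fmt.Println("recovered:", pan, err)
}
```

The point of binding the masked value as additional data is that the two columns cannot be mixed and matched: a record whose masked column has been edited, or whose ciphertext was copied from another row, fails authentication instead of silently decrypting to the wrong card.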

Circumventing the Issue

For organizations concerned about the effort needed for PCI DSS compliance (which is likely to be significant for small organizations that don't have a dedicated IT or security expert on staff), there is an alternative.

"The simplest and cheapest way to get compliant with PCI is to not have the data," said Taylor.

Taylor recommends finding a third-party service to handle processing for you, so that you don't have to store credit card information on servers or databases that belong to you. Check with your bank to see if it can recommend a reputable service.

Of course, the processor will also have to be compliant with the standard. "Ask for a signature on a letter, or for a certification, which the company should be able to give you," said Taylor.

Another option is to use PayPal instead of accepting credit cards. PayPal, owned by eBay, brokers payments from one account holder to another over the Internet. Accepting donations through PayPal means organizations don't have to process or store credit card transactions — PayPal simply sends the money to the organization's account for a percentage of the transaction and a small fee. On the other hand, credit-card processing companies charge for their services, not per transaction. PayPal offers a special program for nonprofits called PayPal Donations.

PayPal is also established throughout the world, and supports payments in a variety of currencies (including the U.S. dollar, the Euro, the yen, and the Canadian and Hong Kong dollars), making PayPal an ideal option for international nonprofits. For more information, see PayPal Worldwide.

Other organizations offer similar services to PayPal, but tailored to the nonprofit community. A few of these offerings are available to eligible organizations through TechSoup, like BlackbaudNow and Network for Good. BlackbaudNow's fundraising starter kit provides small organizations with tools to create a donation-ready website, powered by PayPal. Similarly, Network for Good's internet fundraising services allow organizations with their own websites to add donation buttons so donors can make credit card contributions through the Network for Good secure web server. To find out about other third-party options, read Idealware's article A Few Good Online Payment Multitaskers.

Laws and Regulations by State and Overseas

Nonprofits must also be aware of U.S. and international laws dealing with the privacy of personal information, including credit cards, Social Security numbers, and bank account information. Now, 45 U.S. states have breach notification laws on the books.

The European Union has data privacy laws, known as Directive 95/46/EC (you can download a copy of the law in a variety of languages), but as of yet the EU does not have breach notification laws.

Japan does have a breach notification law, called the Act on the Protection of Personal Information. An English translation of the law is available online.

While the PCI DSS standard lays out specific requirements for securing data, most state breach notification laws have a different purpose. Rather than tell organizations what steps to take to protect information, these laws compel businesses of all sizes to notify customers that information that could be used to perpetrate identity theft has been exposed.

The goal of these laws is to spur companies into protecting sensitive information more carefully, because organizations generally don't like to report data breaches. It's embarrassing, and may cost them in lost business, a damaged reputation, or even lawsuits. The same goes for nonprofits: You may lose both existing and potential donors if donors believe you aren't a good steward of their personal information.

Each state law will have its differences, which means you'll have to do some research depending on where your organization is based. Many state laws also require a company based in one state to report a breach if it exposes personal information of out-of-state residents.

California’s Data Breach Law

California's data breach notification law, SB 1386, requires that any person, business, or state agency with California residents as customers report a breach, even if the organization isn't located in California. Nonprofits that aren't based in the United States should consult with a lawyer to determine if they are liable under U.S. state laws.

SB 1386, which went into effect in 2003, provides a good example of the kinds of requirements you'll find in other state laws. It has also been touted as a model for potential federal legislation.
Some of the key provisions of the bill:

First, it compels organizations with California customers to notify those customers about known or suspected disclosure of personal information to an unauthorized person. SB 1386 defines personal information as a person's first name or first initial and last name, in combination with any of the following:
  • Social Security number
  • Driver's license number
  • Account number, debit or credit card number, plus whatever password allows access to the account
Notification can take any one of the following forms: a written notice, an electronic notice (email), or a substitute notice if the cost of notification would exceed $25,000 or more than 500,000 people would have to be notified (though these thresholds vary by state). Substitute notification includes email, conspicuous posting on the organization's web page, or an announcement to statewide media.

Note that the bill says organizations don't have to disclose a breach if the disclosure would affect an ongoing criminal investigation. Nor is notification required if the personal information was encrypted at the time of exposure.

Because individual state laws will have their own definitions of personal information and their own notification triggers, organizations that store personal information should consult a lawyer about state and international breach notification laws.

The Urge to Purge

Collecting donor information is a standard procedure for nonprofits, but you must understand the risks associated with that practice, particularly for sensitive data such as credit card numbers. The most prudent policy to follow regarding such information, says Taylor, is, "You don't want to get it, and if you do get it, you don't want to keep it."

Tuesday, July 10, 2012

Cuba: Cholera cases


  • Posted on Monday, July 9, 2012

Cuba reports more cholera cases

Juan O. Tamayo | McClatchy Newspapers

The number of cholera cases confirmed in eastern Cuba jumped from 30 to 85 over the weekend but the death toll remained at three, one government official said, although independent reports put the number of deaths as high as 15.
As many as five other cases of cholera also were unofficially reported in Havana, and dissidents in Guantanamo near the eastern tip of the island reported cholera-like cases in Caimanera, a village on the edge of the U.S. naval base.
The state-owned TV station in Granma province, where the outbreak has hit hardest, suggested that residents avoid traveling outside the area, and trucks with loudspeakers urged them to boil water and wash their hands often, two residents said.
Public health officials in the British-run Cayman Islands, just south of Granma, issued an advisory against travel to Cuba, and U.S. Rep. Ileana Ros-Lehtinen, R-Fla., warned potential travelers that visiting the island "may put them at risk of becoming ill with cholera."
The U.S. Centers for Disease Control and Prevention in Atlanta had not issued any special travel notices on Cuba as of Monday evening. Its Web page recommends only general vaccinations, like those for Hepatitis A and B, typhoid fever and rabies.
Cuban government epidemiologist Ana Maria Batista Gonzalez told Granma's Telecentro TV station Saturday that 30 cholera cases had been confirmed in the province, then raised the number to 85 when she appeared again on the station Sunday, said Santiago Marquez, a doctor and dissident in the Granma town of Manzanillo.
A Cuban government statement July 3 - the only other official word on the outbreak - said 53 cholera cases had been confirmed and that the outbreak was "under control." There was no explanation for the conflicting numbers, although it's possible that the number 53 referred to cases in the southeastern region, not just Granma.
Batista also noted the number of suspected cases in Granma rose from 332 to 346, and more general cases of diarrhea and vomiting rose from 3,422 to 3,998, Marquez said.
Most of the cases have been recorded in Manzanillo and the provincial capital, Bayamo, as well as nearby municipalities of Niquero, Yara and Bartolome Maso, Batista said. All are along Cuba's southern coast, about 415 miles east of Havana.
Batista said the death toll remained at three - the same number the government reported on July 3. Bayamo dissident Yoandris Montoya said he had heard reports of five deaths and Marquez put it at about 10. Havana dissident Calixto Martinez has reported about 15.
Police continued a heavy security presence at area hospitals and relatives were not allowed to visit patients with cholera, Marquez said. He was fired from his public health job after he began speaking out against the government and his wife, Tania de la Torre, became a human rights activist.
Cholera was declared eradicated in Cuba no later than the early 1900s, but an ongoing outbreak in neighboring Haiti has killed more than 7,400 people and scores of Cuban doctors have worked there. A Florida woman and others in the Dominican Republic who visited Haiti came down with cholera in 2010 but survived.
Cholera is generally not fatal but can kill in a matter of hours when the diarrhea and vomiting cause dehydration, especially among the elderly. The three dead confirmed by the Cuban government were 60 or older.
©2012 The Miami Herald

Read more here: http://www.mcclatchydc.com/2012/07/09/155531/cuba-reports-more-cholera-cases.html#storylink=cpy

Monday, July 9, 2012

Homeland Security Department under congressional scrutiny


Davidson
There’s no summer vacation for Department of Homeland Security officials, who are again being called to Capitol Hill this week for hearings in the Senate and the House.
The Senate Homeland Security and Governmental Affairs Committee will hold two hearings, on Wednesday and Thursday, on the future of DHS.
“Ten years ago, the Department of Homeland Security was established in the wake of the worst attack on our homeland in living memory. Over the course of the decade, DHS has made great strides to protect Americans where we live and work,” said committee Chairman Joseph I. Lieberman (I-Conn.). “As a relatively new agency, however, there is plenty of room for improvement. We hope this series of hearings will help define future missions and goals for DHS as it prevents, prepares for and responds to all types of threats — natural or man-made.”
In the House, which has had numerous DHS hearings, Homeland Security subcommittees will hold three sessions on the department or its Transportation Security Agency (TSA).
On Tuesday morning, the subcommittee on border and maritime security will examine “How Can DHS Better Leverage State and Local Partnerships?”
On Tuesday afternoon, the subcommittee on transportation security will hold a hearing on “Challenging the Status Quo at TSA: Perspectives on the Future of Transportation Security.”
On Wednesday afternoon, the same panel will meet to explore the question: “Has TSA Met the Deadline to Provide Expedited Screening to Military Service Members?”
Previous columns by Joe Davidson are available at wapo.st/JoeDavidson. Follow the Federal Diary on Twitter: @JoeDavidsonWP

Sunday, July 8, 2012

DHS: Cybersecurity Team


Building a World-Class Cybersecurity Team

By Mark Weatherford, Deputy Under Secretary for Cybersecurity

Today, we are more connected to the Internet than ever before.  We depend on a vast array of interdependent networks for communication, travel, powering our homes, running our economy, and obtaining government services.  With so much of our daily lives dependent on cyberspace, cybersecurity has become an increasingly important part of DHS’ mission, just as it has become a larger priority for state and local governments, businesses, and individuals.

DHS continues to demonstrate our commitment to building the best cybersecurity team in the world by recruiting some of the most talented and experienced professionals available.  Since its creation, the Department has increased its cybersecurity workforce by more than 600 percent while working with universities to develop and attract talent through competitive scholarships, fellowships, and internship programs.

When I joined DHS about six months ago, I quickly realized that we could build on the strong foundation of the Department’s cyber workforce with new skills and leadership to grow and adapt in the face of an evolving cybersecurity environment.

It’s impossible to mention all of the dedicated cybersecurity professionals at DHS, but I’d like to highlight a few recent additions that have propelled us to higher standards and increased our capability as a department:
  • Mike Locatis is the new Assistant Secretary for Cybersecurity and Communications and comes to DHS from the Department of Energy where he was the Chief Information Officer.  He has a breadth of cybersecurity and communications experience across nearly every level of government and the private sector and has a history of charting organization transformations in the federal government.
  • Rosemary Wenchel has joined us as the new Deputy Assistant Secretary for Cybersecurity Coordination.  She will coordinate joint cybersecurity efforts between DHS and the Department of Defense.  Rosemary will also work with the Science and Technology Directorate to ensure the Department’s cybersecurity research and development efforts are fully coordinated with policy and operations. She served previously in DOD where she was responsible for Departmental activities pertaining to policy development, guidance, and oversight of Information Operations.
  • John Streufert joined DHS in January as the Director of our National Cybersecurity Division (NCSD).  John came to DHS from the Department of State (DOS), where he earned national accolades for the successful implementation of state of the art security solutions in federal departments, and transformed DOS’ security posture while enabling it to execute a world-wide mission.
  • Larry Zelvin just joined us as Director of the National Cybersecurity and Communications Integration Center, DHS’ 24x7 center to coordinate cyber awareness across government and the private sector.  Larry has experience at the National Security Staff and the DOD, where he has led interagency and stakeholder outreach related to operations.
  • Dr. George Moore is the new Technical Director for NCSD and also comes to us from the Department of State.  Dr. Moore is a renowned expert in areas of standards and security controls and will be helping develop programs to bring new levels of security to the Federal Government.
  • Danny Toler is our Director of Network Resilience and a recognized expert in transitioning IT delivery toward solutions that are more holistic and integrated.  Danny came from the Department of State, and his leadership will be crucial in helping us develop cloud and managed security service solutions that result in new levels of efficiency across the government.
  • Ron Hewitt is the new Director of the National Communications System.  A recently retired Rear Admiral from the U.S. Coast Guard, Ron has an incredible track record of bringing together diverse communities to work together toward a common goal, particularly in the areas of information technology, communications, and first responders.
  • Tom Baer has come aboard as the Deputy Director of US-CERT.  Hailing from the Federal Bureau of Investigation where he was their Chief Information Security Officer, Tom is an expert in the areas of forensics and analysis and, with impressive leadership credentials, he is charged with broadening outreach efforts and intergovernmental coordination for US-CERT.
These new members of our vast cybersecurity team bring a wide array of experience and skills.  Building on the successes of our strong and robust team, we are taking the DHS cybersecurity program to new levels that will ultimately enhance the security and safety of our nation.

Saturday, July 7, 2012

Webinar/Training: Guidelines Governing Criminal Background Checks

National Reentry Resources Center

Council of State Governments Justice Center

Supported by the Bureau of Justice Assistance


Hosted by the National Employment Law Project, and the National Reentry Resource Center
The nation’s 3,000 One-Stop Career Centers and their partners in the employer, non-profit, and worker rights communities play a critical role in assisting people with criminal records in finding employment. However, the workforce development community also faces challenges as workers struggle to navigate the new realities of criminal background checks for employment.

Thanks to new guidelines issued by the U.S. Department of Labor Employment and Training Administration (ETA) and Civil Rights Center (CRC), the federally-funded workforce development and employment exchange community (i.e., programs funded by the Workforce Investment Act and the Wagner-Peyser Act) are now better positioned to respond to these challenges. The guidance educates employers and workers about the civil rights and consumer protection considerations that regulate criminal background checks for employment.

DOL's guidance letter complements the new guidance recently issued by the U.S. Equal Employment Opportunity Commission, which addresses the disproportionate impact of criminal background checks on people of color. The DOL guidance provides a step-by-step guide, including model notices for both employers and workers, to ensure that the workforce development community promotes maximum compliance with the law.
Presenters:
  • Jane Oates, Assistant Secretary, Employment Training Administration, U.S. Department of Labor
  • Maurice Emsellem, Policy Co-Director, National Employment Law Project
  • Charles Turner, Adult Career Services Re-Entry Manager, Oakland Private Industry Council, Inc.
  • Others TBA
Date: Wednesday, July 18, 2012
Time: 2:15-3:15 p.m. ET
To register for this webinar, please click here.


This is a National Reentry Resource Center Announcement. This announcement is funded in whole or in part through a grant (award number: 2010-MUBX-KO84) from the Bureau of Justice Assistance, Office of Justice Programs, U.S. Department of Justice. Neither the U.S. Department of Justice nor any of its components operate, control, are responsible for, or necessarily endorse, this newsletter (including, without limitation, its content, technical infrastructure, and policies, and any services or tools provided). 

FCC: Network Outage Reporting System (NORS) Communications Infrastructure.


NETWORK OUTAGE REPORTING SYSTEM (NORS)

Obtaining information on communications service disruptions is essential to the FCC's goal of ensuring the reliability and security of the nation's communications infrastructure. Accordingly, the FCC requires communications providers, including wireline, wireless, paging, cable, satellite and Signaling System 7 service providers, to electronically report information about significant disruptions or outages to their communications systems that meet specified thresholds set forth in Part 4 of the FCC's rules (47 C.F.R. Part 4). Communications providers must also report information regarding communications disruptions affecting Enhanced 9-1-1 facilities and airports that meet the thresholds set forth in Part 4 of the FCC's rules. Given the sensitive nature of this data to both national security and commercial competitiveness, the outage data is presumed to be confidential.
NORS is the web-based filing system through which communications providers covered by the Part 4 reporting rules submit reports to the FCC. This system uses an electronic template to promote ease of reporting and encryption technology to ensure the security of the information filed. The Communications Systems Analysis Division of the FCC's Public Safety and Homeland Security Bureau administers NORS, monitors the outage reports submitted through NORS and performs analyses and studies of the communications disruptions reported.


FCC: Disaster Information Reporting System (DIRS) for Communications Companies


DISASTER INFORMATION REPORTING SYSTEM (DIRS)



DIRS is a voluntary, web-based system that communications companies, including wireless, wireline, broadcast, and cable providers, can use to report communications infrastructure status and situational awareness information during times of crisis.
The FCC encourages all communications providers to enroll in DIRS to be better prepared to respond and recover in the event of a disaster.

BENEFITS FOR COMMUNICATIONS PROVIDERS

  • Designate contact: Allows communications providers to identify the appropriate contact for his/her station during emergencies; and, in turn, eliminates lost time when trying to identify and coordinate with the federal contacts who can provide immediate assistance.
  • Receive help: Provides an avenue for communications providers to restore their operations and receive additional help during emergencies, e.g., securing generators, fuel, etc.
  • Streamline requests: Reduces the number of requests from various government agencies for status of each station. Other government agencies will rely on the FCC (DIRS) for status of each broadcast station.
  • Aid your community: Better ensures that communications providers will be able to serve their communities, providing them with critical updates and risk communications information from reliable and credible sources during emergencies.

In the event of a major disaster, the FCC and the Department of Homeland Security's National Communications System need to have accurate information regarding the status of communications services in the disaster area, particularly during restoration efforts.
When activated, DIRS will collect information concerning:
  • Switches
  • Public Safety Answering Points (used for E9-1-1)
  • Interoffice facilities
  • Cell sites
  • Broadcast stations
  • Cable television systems

HOW TO ENROLL IN DIRS:

  • Click the “Enroll” button.
  • Click “Accept” to enter the secure, protected sign-up site.
  • You will need the following information to sign up:
    • Reporting Company
    • Company ID (for existing company accounts)
    • Type of Company (Cable, Wireless, etc.)
    • Contact Person
    • Phone Number, with extension of contact
    • Cell Phone Number
    • Blackberry Number
    • E-Mail
    • Address
  • Click “Submit” and record the username and password generated for your account. You can update the username and password once logged in.
