PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?

More than 40 organisations, including McMillan Cancer, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments their enthusiasm must be tempered by robust compliance with Payment Card Industry (PCI) standards or they risk a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, bringing this Brave New World of charitable giving crashing down around their ears.

The driver for this new approach is clear. The NSPCC ran a trial which showed that donations by card are higher, compared to cash donations and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash donations. Some have gone even further with things like the Helping Heart jacket, developed so digital donations can be made via this piece of clothing worn by collectors to a homeless charity, and the Blue Cross ‘tap dogs’ who wear a vest with a sewn-in pocket that holds a contactless device.

So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.

Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry (PCI) continues to be hyper vigilant when it comes to the Data Security Standard (PCI DSS) and it has already proved that charities are not exempt from the full force of the law when it comes to administering fines for non-compliance.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust, will reduce the potential of being breached.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government as well as all shapes and sizes of businesses and organisations across various business sectors. For many we provide a bespoke retained PCI Forensic Investigation (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.

For more information on SRM’s PCI services please visit our website.

Or visit our blog:

Network intrusions are on the increase: time to engage a Retained Forensic specialist

 

Posted 3 months ago on · Permalink