Security is More than Just HTTPS

To help protect data and IT infrastructure and guard against fraud, website security certificates have strong encryption and software is written to comply with PCI DSS standards. Personal information security is also top priority. The European Union’s General Data Protection Regulation (GDPR) has recently come into effect, and it is likely that other regions will follow with similar policies. While we are all taking extra precautions digitally to protect our members and contacts within iMIS, now is a great time to review the processes and policies around how your organisation handles credit card details, and personal information security outside of these systems. Some key points to review:


Do you receive credit card information on paper-based forms?

iMIS manages PCI compliance requirements through RiSE for online purchases such as membership dues payments, event registrations and merchandise orders. But do you also accept payments via email, fax or in the mail with credit card numbers written down? What do you do with those paper forms? If you retain these forms: Where are they stored? Who has access? Are they shredded before being discarded? These are all important considerations that can impact information security. To safeguard the personal information and financial details of your members and clients, it is crucial to have clear business processes in place for staff to follow, to ensure the appropriate storage and destruction of paper-based forms.


Do you accept credit card information over the phone?

While we like to think staff take the utmost care with sensitive member information, it can be difficult to stamp out habits - such as writing down credit card information on notepads or scrap paper to process at a later stage. Are these reliably destroyed once the transaction is complete? It is not enough to simply throw them in a bin where they can potentially be retrieved. It is worth considering putting a shredder in those areas for staff to properly destroy any hand written notes.


Do contacts email you their credit card number or personal information?

It can be difficult to prevent members from sending credit card details or personal information via email, but there are steps you can take to prevent this information being accessed by other parties. When replying to or forwarding an email that contains personal information or financial details, these details should be removed from the reply – especially if you CC other parties. It is something that can easily be overlooked, but the best approach is to protect members’ personal data as if it was your own.


Exporting IQAs / ad hoc queries

One of the most useful features of IQAs is the ability to export to CSV, PDF or Excel. Depending on your browser, a lot of the time these exported files will end up in your downloads folder. If you frequently export information from iMIS, it’s worth regularly looking at your downloads folder to see how many and what type of files you have in there. Do they contain personal information – names, addresses, phone numbers, email addresses? While your iMIS database is secure, exported files are not password protected, so anyone who stumbles across them can access them. Previously, the iMIS desktop would also export ad hoc queries – there was a file called allfields.csv on the c:\ drive. This is also one to look out for. If you have a laptop or tablet, any exported information could be easily accessed if your device is lost, stolen or hacked. It is worth setting a reminder to delete your downloads folder regularly, or immediately after use. How often do you email exported files and reports internally? There is always the potential for them to be incorrectly emailed to a third party, potentially exposing confidential records. Instead of emailing files as attachments, a more secure procedure is to them into a secure location and share a link – your IT department should be able to assist with this.


Screenshots

Do you ever screenshot personal information in iMIS and email it to others? This is a common thing to do when seeking support - at Causeis, we receive a lot of screen shots to help troubleshoot issues and error messages. However, screenshots can sometimes include personal information that should not be disseminated outside the organisation. Be aware of what you are sending and make the necessary changes to the image prior to sending to third parties or internally. There are some great software tools available to assist with redacting confidential information from screenshots.

Information security is an ever-evolving area, and as hackers and fraudsters employ more and more sophisticated methods, our processes must adapt to keep pace with the risks. If you take some time to map out some policies around how information is handled outside iMIS, or any other payment system, you are on the right track to ensure your association is one step ahead in regard to security.

More information on how to enable PCI can be found here, and the  PCI Security Standards Council website is an excellent resource to refer to.

About Causeis: With over 50+ years combined experience, Causeis provides an award-winning iMIS consultancy service to Australia’s leading non-profits. We specialise in business strategy alignment, engagement modelling, critical system management, website development and data analytics. To find out more about our services and what we offer, click here.

Latest blogs

Beginners Guide to SEO for your RiSE Website

Posted on 2/09/2019
Search engine optimisation (SEO) is the process of maximising the number of visitors to your website by increasing where the site appears on the list of results returned by a search engine.

Our top takeaways from the 2019 Membership Marketing Benchmarking Report

Posted on 29/07/2019
Every year at Causeis we read, dissect and interpret the Membership Marketing Benchmarking Report to help our clients maximise the key learnings within their own association.

The Factor of Time to Improving Your Member Experience

Posted on 23/05/2019
In discussion with various associations, one theme that resonated was the discussion of time, both in respect to servicing members and the limited time members have to truly engage with their association.