To help protect data and IT infrastructure and guard against fraud, websites are served over HTTPS with properly issued TLS certificates, and payment software is written to comply with the PCI DSS standard. Personal information security is also a top priority. The European Union’s General Data Protection Regulation (GDPR) has recently come into effect, and it is likely that other regions will follow with similar policies. While we are all taking extra precautions digitally to protect our members and contacts within iMIS, now is a good time to review the processes and policies around how your organisation handles credit card details and personal information outside of these systems, because that is where most process gaps appear. Some key points to review:
Do you receive credit card information on paper-based forms?
iMIS handles the PCI compliance requirements for online purchases made through RiSE, such as membership dues payments, event registrations and merchandise orders. But do you also accept payments via email, fax or in the mail with credit card numbers written down? What happens to those paper forms once the payment is processed? If you retain them: Where are they stored? Who has access? Are they shredded before being discarded? Each of these is a point at which card data can leak. To safeguard the personal information and financial details of your members and clients, it is crucial to have clear business processes in place for staff to follow, covering the storage and destruction of paper-based forms, and to check periodically that the processes are actually followed.
Do you accept credit card information over the phone?
While we like to think staff take the utmost care with sensitive member information, it can be difficult to stamp out habits such as writing credit card details on notepads or scrap paper to process at a later stage. Are these reliably destroyed once the transaction is complete? It is not enough to simply throw them in a bin, where they can be retrieved by anyone with access to the office or the waste. It is worth placing a shredder in those areas so staff can properly destroy any handwritten notes, and making it clear that card numbers should be keyed directly into the payment system rather than written down at all.
Do contacts email you their credit card number or personal information?
It can be difficult to prevent members from sending credit card details or personal information via email, but there are steps you can take to limit who else ends up with that information. When replying to or forwarding an email that contains personal information or financial details, remove those details from the quoted text in your reply, especially if you CC other parties. Bear in mind that the original message still sits in your mailbox, and in Sent Items if it was forwarded, so it should be deleted once the payment has been processed. It is something that can easily be overlooked, but the best approach is to protect members’ personal data as if it were your own.
Exporting IQAs / ad hoc queries
One of the most useful features of IQAs is the ability to export to CSV, PDF or Excel. Depending on your browser, these exported files will usually end up in your downloads folder. If you frequently export information from iMIS, it is worth regularly looking at your downloads folder to see how many files are there and what they contain. Do they hold personal information such as names, addresses, phone numbers or email addresses? While access to your iMIS database is controlled, an exported file carries none of those controls: it is not password protected, so anyone who can open the file can read every record in it. Previously, the iMIS desktop would also export ad hoc queries to a file called allfields.csv on the C:\ drive. This is another one to look out for.

If you work from a laptop or tablet, any exported information can be accessed easily if the device is lost, stolen or compromised, unless the disk is encrypted. It is worth setting a reminder to clear your downloads folder regularly, or to delete exports immediately after use.

How often do you email exported files and reports internally? There is always the potential for them to be sent to the wrong recipient or a third party, exposing confidential records. Instead of emailing files as attachments, a more secure procedure is to save them to a secure, access-controlled location and share a link. Your IT department should be able to assist with this.
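The two checks above, stripping card numbers from email text before replying or forwarding, and auditing a downloads folder for exported files that contain personal information, are easy to automate. The script below is an added example written for this article; it is not part of iMIS, RiSE or any Causeis product. It detects email addresses, phone numbers and Luhn-valid card numbers with hypothetical patterns, masks card numbers down to their last four digits, and reports which files in a folder contain such data. The sample email and the CSV files it creates in a temporary folder are constructed for the example; the patterns are illustrative and will not catch every phone format, and only CSV and text files are read (an Excel export would need a separate parser).

```python
import re
import tempfile
from pathlib import Path

# Hypothetical detection patterns, constructed for this example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Digits with optional spaces/hyphens, 9 or more characters, not inside a longer digit run.
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d -]{7,}\d(?!\d)")
# 13 to 19 digits with optional separators: the length range of a card PAN.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card issuers; filters out arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_card(match_text: str) -> bool:
    digits = re.sub(r"[ -]", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_card_numbers(text: str) -> list:
    """Return every Luhn-valid card number found in text, as written."""
    return [m.group() for m in CARD_CANDIDATE_RE.finditer(text) if _is_card(m.group())]


def redact_card_numbers(text: str) -> str:
    """Replace card numbers with a marker keeping only the last four digits."""
    def mask(m):
        if not _is_card(m.group()):
            return m.group()
        return "[CARD REDACTED ****" + re.sub(r"[ -]", "", m.group())[-4:] + "]"
    return CARD_CANDIDATE_RE.sub(mask, text)


def classify_text(text: str) -> dict:
    """Count personal-data indicators; cards are removed first so they are not double-counted as phones."""
    cards = find_card_numbers(text)
    remaining = redact_card_numbers(text)
    return {
        "emails": len(EMAIL_RE.findall(remaining)),
        "phones": len(PHONE_RE.findall(remaining)),
        "cards": len(cards),
    }


def scan_exports(folder, suffixes=(".csv", ".txt")) -> dict:
    """Map each CSV/text file under folder that contains personal data to its counts."""
    report = {}
    for path in Path(folder).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            counts = classify_text(path.read_text(errors="replace"))
            if any(counts.values()):
                report[path.name] = counts
    return report


# Constructed sample email, as a member might send it.
SAMPLE_EMAIL = (
    "Hi team, please process the renewal for jane.doe@example.org.\n"
    "Card: 4111 1111 1111 1111, exp 09/27. Mobile 0412 345 678.\n"
)


def build_sample_downloads() -> str:
    """Create a temporary 'downloads' folder with constructed export files and return its path."""
    folder = tempfile.mkdtemp(prefix="downloads_")
    (Path(folder) / "members_export.csv").write_text(
        "ID,Name,Email,Phone\n"
        "1001,Jane Doe,jane.doe@example.org,0412 345 678\n"
        "1002,John Roe,john.roe@example.net,+61 2 9000 1234\n"
    )
    (Path(folder) / "donors_export.csv").write_text(
        "Donor,Amount,Card\nJane Doe,50.00,4111 1111 1111 1111\n"
    )
    (Path(folder) / "notes.txt").write_text("Meeting agenda: review export policy.\n")
    return folder


if __name__ == "__main__":
    print(redact_card_numbers(SAMPLE_EMAIL))
    for name, counts in scan_exports(build_sample_downloads()).items():
        print(name, counts)
```

Run `scan_exports` against your real downloads folder (and, for older desktop installs, the root of C:\ to catch allfields.csv) to see which exports are worth deleting; run `redact_card_numbers` over the quoted text of a reply before it goes to anyone else. The Luhn filter is what stops reference numbers and other long digit strings from being flagged as cards.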
Screenshots
Do you ever screenshot personal information in iMIS and email it to others? This is a common thing to do when seeking support. At Causeis, we receive a lot of screenshots to help troubleshoot issues and error messages. However, screenshots can sometimes include personal information that should not be disseminated outside the organisation. Be aware of what you are sending and make the necessary changes to the image before sending it to third parties, or even internally. There are some good software tools available for redacting confidential information from screenshots; whichever you use, crop the image or cover the sensitive area with a solid block rather than a blur or a removable annotation layer, and check the saved file rather than the editor view before attaching it.
Information security is an ever-evolving area, and as hackers and fraudsters employ more and more sophisticated methods, our processes must adapt to keep pace with the risks. If you take some time to map out policies around how information is handled outside iMIS, or any other payment system, you are on the right track to keeping your association one step ahead on security.
More information on how to enable PCI compliance in iMIS can be found here, and the PCI Security Standards Council website is an excellent resource to refer to.