This week, we welcome back Jan Jasmin from our partner, Vanco Payment Solutions, to the ACS Technologies blog.
As the electronic giving provider to over 20,000 faith-based organizations, we occasionally spot security practices that may unintentionally put member information at risk.
Our customers are a smart, savvy and devoted group who work hard to support the mission of their organizations, but errors can happen when they become complacent. If it has been a while since you’ve examined your security policies, take a step back and look objectively at how you protect sensitive member information.
Here are 6 security mistakes that can put your data at risk:
1) Retaining a card security code on an authorization form (or anywhere else a card number is recorded)
This is probably the most common error we spot. Card security codes must not be written down or stored. If someone is able to access the account number, expiration date and card security code, they have everything they need to make unauthorized transactions. At Vanco, we encourage online donations so a written authorization isn’t necessary.
Scanning authorization forms and saving them to your desktop or laptop as a PDF is also a security vulnerability. It may seem like a convenient way to back up data, but unprotected documents that contain sensitive information are easy targets for fraudsters.
Forms also require retention. Authorization forms must be retained for 3 years from the date of last transaction processed on a card. If it is an ACH transaction, the form must be retained for 2 years.
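The two checks this mistake calls for, that a stored authorization record never carries the card security code and that each form is kept for the period stated above (3 years for card, 2 years for ACH, counted from the last transaction), can be automated over an inventory of form records. The script below is an added example, not code from Vanco or ACS Technologies; the record layout, the field labels it treats as forbidden, and the sample forms are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Retention periods stated in the post, in years from the last transaction.
RETENTION_YEARS = {"card": 3, "ach": 2}

# Hypothetical field labels under which a form system might (wrongly) capture
# the card security code. Any of these present in a stored record is a finding.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "security_code", "card_security_code"}


@dataclass
class AuthorizationForm:
    form_id: str
    method: str                  # "card" or "ach"
    last_transaction: date       # date of the last transaction processed on this form
    fields: dict = field(default_factory=dict)   # field label -> stored (masked) value


def retention_until(form):
    """Last day the form must be kept, per the post's 3-year / 2-year rule."""
    years = RETENTION_YEARS[form.method]
    last = form.last_transaction
    try:
        return last.replace(year=last.year + years)
    except ValueError:           # 29 Feb with no leap day in the target year
        return last.replace(year=last.year + years, day=28)


def forbidden_fields_present(form):
    """Field labels in the record that store a card security code."""
    return sorted(f for f in form.fields
                  if f.lower().replace(" ", "_") in FORBIDDEN_FIELDS)


def audit(forms, today):
    """Return (form_id, finding) pairs for stored security codes and expired retention."""
    findings = []
    for f in forms:
        bad = forbidden_fields_present(f)
        if bad:
            findings.append((f.form_id, "stores card security code: " + ", ".join(bad)))
        until = retention_until(f)
        if today > until:
            findings.append((f.form_id,
                             f"retention period ended {until.isoformat()}; dispose of securely"))
    return findings


# Constructed sample inventory; values are masked placeholders, not real account data.
SAMPLE_FORMS = [
    AuthorizationForm("F-001", "card", date(2015, 3, 10),
                      {"card_number": "****1234", "expiration": "03/20", "CVV": "***"}),
    AuthorizationForm("F-002", "ach", date(2017, 6, 1),
                      {"routing_number": "*****0000", "account_number": "****5678"}),
    AuthorizationForm("F-003", "card", date(2018, 9, 15),
                      {"card_number": "****9876", "expiration": "09/22"}),
]

if __name__ == "__main__":
    for form_id, finding in audit(SAMPLE_FORMS, date(2019, 1, 1)):
        print(form_id, "-", finding)
```

Run against the sample inventory as of 2019-01-01, only F-001 is reported: once for the stored security code and once because its 3-year card retention period ended in March 2018. Note that the retention rule gives a minimum holding period; a form whose period has ended should be disposed of the same way as any other paper or file carrying member data, by shredding or secure deletion.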
2) Not looking at your reports in a timely manner
With electronic giving, you can easily access reports to manage and review donations. Reports should be regularly reviewed for accuracy and to spot any unusual activity. For example, you may spot a large donation from a donor that is unknown to the church. Also, be wary of someone who donates a large amount, then asks for a refund by check or a credit to a different card.
If something doesn’t seem right, trust your instincts and reach out to your processor. If you are a Vanco client, contact our Risk Management/Compliance team with any concerns.
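The two warning signs named above, a large gift from a donor unknown to the church and a large gift followed by a refund request by check or to a different card, are exactly the kind of pattern a regular report review should catch, and both can be checked automatically over an exported transaction report. The script below is an added example, not Vanco or ACS Technologies code; the record layout, the member roster, the $1,000 threshold, the 14-day refund window and the sample transactions are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass
class Transaction:
    txn_id: str
    donor: str
    kind: str          # "donation" or "refund"
    amount: Decimal
    when: date
    instrument: str    # masked payment reference such as "card-1111", or "check"


# Constructed member roster; a real review would use the church's own donor list.
KNOWN_DONORS = {"A. Smith", "B. Jones"}
LARGE_AMOUNT = Decimal("1000.00")      # assumed threshold for "large"
REFUND_WINDOW = timedelta(days=14)     # assumed window for donate-then-refund


def review(transactions, known_donors=KNOWN_DONORS):
    """Return (txn_id, reason) pairs for the two patterns described in the post."""
    flags = []
    by_donor = defaultdict(list)
    for t in transactions:
        by_donor[t.donor].append(t)

    for donor, txns in by_donor.items():
        txns.sort(key=lambda t: t.when)
        large = [t for t in txns if t.kind == "donation" and t.amount >= LARGE_AMOUNT]
        refunds = [t for t in txns if t.kind == "refund"]

        # Pattern 1: large donation from someone not on the member roster.
        for d in large:
            if donor not in known_donors:
                flags.append((d.txn_id, "large donation from donor not on the member roster"))

        # Pattern 2: large donation followed shortly by a refund to a different
        # instrument (a check, or a card other than the one that paid).
        for d in large:
            for r in refunds:
                if d.when <= r.when <= d.when + REFUND_WINDOW and r.instrument != d.instrument:
                    flags.append((r.txn_id,
                                  f"refund of large donation {d.txn_id} to a different "
                                  f"instrument ({r.instrument})"))
    return flags


# Constructed sample report; card references are masked placeholders.
SAMPLE_REPORT = [
    Transaction("T1", "A. Smith", "donation", Decimal("50.00"), date(2019, 1, 5), "card-1111"),
    Transaction("T2", "Unknown Org", "donation", Decimal("2500.00"), date(2019, 1, 6), "card-2222"),
    Transaction("T3", "Unknown Org", "refund", Decimal("2500.00"), date(2019, 1, 9), "check"),
    Transaction("T4", "B. Jones", "donation", Decimal("1500.00"), date(2019, 1, 7), "card-3333"),
    Transaction("T5", "B. Jones", "refund", Decimal("1500.00"), date(2019, 1, 8), "card-3333"),
]

if __name__ == "__main__":
    for txn_id, reason in review(SAMPLE_REPORT):
        print(txn_id, "-", reason)
```

On the sample report, T2 is flagged as a large gift from an unknown donor and T3 as its refund by check; B. Jones's refund goes back to the same card that paid, which is an ordinary reversal and is not flagged. Flags are prompts for a person to look and, if something still seems off, to contact the processor, not automatic decisions.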
3) Allowing widespread physical access to where documents are stored
Only authorized personnel should have access to the office or room where you store sensitive financial data. Implement a clean desk policy so that documents are securely stored at the end of each day. Physically lock cabinets or offices containing sensitive information, and password protect office systems and electronic files.
4) Poor password and device security
Each person who works with your e-Giving data should have a unique login and password. Make sure to create secure passwords that include numbers, symbols and letters. Tell everyone to never check the box that says “Save this Password” or put a Post-it note on a computer to help them remember a password. Always type it in.
Secure laptops and mobile devices that have church software on them, and restrict and record access to these devices with a sign-out/sign-in process. Personal smartphones should not be used to access sensitive church information; use dedicated smartphones to process online giving.
Finally, immediately revoke the login and password of employees or volunteers who no longer help you with electronic giving.
5) Failing to update anti-virus and anti-malware software
Make sure that your webmaster, or the person responsible for your website and physical devices, regularly reviews site encryption and anti-virus/malware software to be certain that the latest patches have been installed.
6) Throwing away paper with sensitive information instead of shredding it
Paper that has sensitive information needs to be put through a paper shredder. Don’t just throw it in the trash.
Security Best Practices
Electronic giving offers a higher degree of safety than cash and paper forms, but best practices should be followed to ensure the highest level of security for your members and your organization.
A compelling reason to have your security in order is that donors are very aware of card security issues. A strong security policy lets them know their information will be protected. Both Vanco and ACS Technologies meet the highest level of PCI compliance and follow strict security protocols.