Title: SPIguard CharitySecure Handbook 12 Steps to Peace of Mind Protecting Your Reputation and Your Donors
Slide 1: SPIguard CharitySecure Handbook: 12 Steps to Peace of Mind! Protecting Your Reputation and Your Donors From Fraud and Identity Theft
Slide 2: Introducing Security Compliance: Protecting Your Donors from Fraud and Identity Theft
- You will learn the mandatory security fundamentals and the options available to create a trusted fundraising environment that minimizes online and physical-world criminal activity. The regulations, best practices, resources and references provided will help the participant understand the actions required to develop a compliant risk management strategy.
- This Handbook offers an overview of the security regulations required today for all fundraising world-wide, the policies and procedures, and the tools necessary to assure a donor's privacy is protected. This session will prepare IT professionals, development officers and other key nonprofit administrators to take the steps toward PCI DSS compliance, to prevent compromise of confidential donor information and to protect their donors from fraud and identity theft.
Slide 3: C.N. Wylie Group Inc. www.cnwylie.com
- Founded 1994; socially responsible
- Developed a proprietary infrastructure of e-solutions to facilitate positive change by helping to create permanent sustainable communities for a sustainable future!
- Security #1: never compromise security for convenience, speed or
- Proprietary infrastructure
  - Web and payment hosting
  - Web and payment application development
  - Database application development
  - Complete online solutions for donation management
  - Online anti-fraud tools: VBV/SecureCode, IP guard, CVV/AVS
- Began performing IT audits for Visa Canada AIS June 2003 to Feb. 2004; global auditor for MasterCard SDP from Feb. 2004
- SPIguard Security Solutions Inc. is a certified QSA and ASV under the PCI SSC (Security Standards Council, L.L.C.)
- Fourth year certified under PCI without remediation required
- Bring real-world experience and knowledge to our security education, audit process and training
- Never been compromised
Slide 4: Why Mandatory PCI Security Regulations? It's Been the Wild, Wild West and the PCI Sheriffs Have Ridden In to Clean Up!
- At the Internet's inception there were no rules or regulations: a free-for-all in the hope of Big
- Fraud, identity theft and other criminal activities, online and in physical office space, are on the rise.
- Costs to the card companies and consumers run in the hundreds of millions annually.
- One set of global requirements gets everyone using one set of policies, procedures and methodologies to reduce crime to a minimum. This has been going on for years, well hidden, but now it must be disclosed.
- Examples:
  - "Hackers grab donor info from U.K. charity", by Andy McCue, Dec 12, 2005: http://news.com.com/HackersgrabdonorinfofromU.K.charity/2100-1029_3-5991361.html
  - "Red Cross Identity Theft Case May Turn Up More Victims", by Jim Salter, The Associated Press, May 20, 2006: http://www.news-leader.com/apps/pbcs.dll/article?AID/20060520/NEWS07/605200358
  - "Ohio University Suffers Massive Security Breach", Greg Sandoval, CNET News.com, May 12, 2006: http://news.zdnet.co.uk/internet/0,39020369,39268534,00.htm
Slide 5: Growing Concerns
- 53 million people have had data about themselves exposed in the past 13 months
- 24% of consumers report shopping less online due to security concerns
- Fraud is now the top reason given for chargebacks
- Average consumer losses are between $500 (if the theft is found early) and $4,500 if they wait for paper records
- 43.4% of U.S. adults have received a phishing e-mail, and almost 5% of those e-mails are successful
- Mar. 2006: a major security flaw uncovered on PayPal's site could allow scammers to send phishing emails
- The mean amount lost by consumers to identity theft is $1,089, Harris Interactive reports.
- Sources: www.auctionbytes.com, ZDNet, Visa, Information Week
Slide 6: Identity Theft and Fraud
Slide 7: The Changing Faces of the Social Engineers of Online Crime!
- Social engineers used to be high school and college kids, like:
  - Chen Ing-hau, the author of the CIH virus
  - Joseph McElroy, who hacked the Fermilab network
- Today we are fighting sophisticated business types and organized crime figures such as:
  - Jeremy Jaynes, millionaire and spammer
  - Jay Echouafni, CEO and DDoS attacker
  - Andrew Schwarmkoff, a member of the Russian mob and a phisher
Slide 8: What Are We Doing About It? History of the Payment Card Industry Data Security Standard (PCI DSS)
- Visa International created the regional Account Information Security (AIS) program in 2001 (CISP in the US)
  - Goal: to minimize criminal activity online initially, and now in the physical world as well
  - Slow to implement and enforce
- MasterCard developed its own program, Global Secure Data Protection, with its own set of requirements in 2003/04
- Dec. 2004: the Payment Card Industry association was formed and the card programs were aligned into one
  - Endorsed by Visa, MasterCard, Amex, JCB, Discover, Diners
  - The new PCI SSC (Security Standards Council) is responsible for training and certifying QSAs and ASVs
  - The card companies have different requirements, so all of them must be coordinated
  - This creates confusion without guidance
- The key to winning the war against crime is EDUCATION AND ONE SET OF GLOBAL REQUIREMENTS!
Slide 9: PCI DSS Purpose
- The purpose of the PCI Data Security Standards Council, LLC is to foster broad adoption of the PCI Data Security Standard (DSS). The PCI DSS represents a unified industry standard for protecting account data that is stored, transmitted or processed, to enhance the security of electronic payments.
- The PCI DSS version 1.1 was developed by the founding members of the PCI Security Standards Council, LLC, including Discover, American Express, JCB, MasterCard and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
- This comprehensive standard is intended to help organizations proactively protect customer account data. PCI Security Standards Council, LLC will enhance the PCI DSS as needed to ensure the standard includes any new or modified requirements necessary to mitigate emerging payment security risks while continuing to foster wide-scale adoption.
- Source: http://www.discovernetwork.com/resources/data/data_security.html
Slide 10: PCI DSS Is Mandatory for All Merchants with Visa, MasterCard, Amex, JCB, Discover and Diners Merchant Accounts!
- Using the PCI Data Security Standard as its framework provides the tools and measurements needed to protect against cardholder data exposure and compromise.
- PCI consists of four merchant levels.
- The PCI DSS consists of twelve basic requirements and corresponding sub-requirements.
- Safe Harbour: if your organization holds a PCI DSS compliance certificate and is compromised, you will be exempt from penalties (fines, loss of merchant account) once a review has been completed by the PCI Association.
Slide 11: Risk Exposure
- What risk is a business exposed to by not complying with Visa's Account Information Security Standards Program?
- Failure to protect account and transaction information may result in financial loss due to fraud, or a decrease in business caused by lower consumer confidence. Because the AIS program is mandatory for all Visa-accepting merchants, merchants found not complying with the AIS program may be subject to penalty by Visa, such as fines and/or removal from the Visa program.
- MasterCard and American Express will fine merchants that do not have compliance in place.
- TJX: exposure to millions upon millions of dollars in card association fines and class action lawsuits.
Slide 12: Visa Merchant Levels Described
- Acquirers are responsible for determining the compliance validation levels of their merchants.
- Merchant level description and validation summary:
- Level 1
  - Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
  - Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  - Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  - Any merchant identified by any other payment card brand as Level 1.
  - All brick and mortar, MOTO and e-commerce.
  - Validation: annual Self-Assessment Questionnaire; quarterly vulnerability scan (if the risk is highest this could go to daily or weekly); annual on-site review.
- Level 2
  - Any merchant processing 150,000 to 6,000,000 Visa e-commerce transactions per year.
  - Validation: annual Self-Assessment Questionnaire; quarterly vulnerability scans.
  - The deadline for compliance was Dec. 31, 2005.
- Level 3
  - Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.
  - Validation: same as Level 2.
- Level 4
  - Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6,000,000 Visa transactions per year.
  - Validation: annual Self-Assessment Questionnaire and vulnerability scan, unless deemed high risk by the auditor.
  - In Canada, Level 4a is all brick and mortar and MOTO; Level 4b is brick and mortar with fewer than 1,000,000 transactions and e-commerce with fewer than 20,000.
  - Looking to achieve compliance for 2007/08.
Slide 13: MasterCard SDP for PCI DSS
- For each level: merchant definition criteria, onsite review, self-assessment, network security scan, and initial compliance validation date.
- Level 1: onsite review required
  - All merchants, including electronic commerce merchants, with more than 6 million total MasterCard transactions annually
  - All merchants that experienced an account compromise
  - All merchants meeting the Level 1 criteria of a competing payment brand
  - Any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements
  - Onsite review required annually; quarterly scans
  - Validation date: 30 June 2005
- Level 2: no onsite review unless compromised or a PSP
  - All merchants with more than one million total MasterCard transactions but fewer than six million total transactions annually
  - All merchants meeting the Level 2 criteria of a competing payment brand
  - Self-Assessment Questionnaire (SAQ) required annually
- Level 3: no onsite review unless compromised or a PSP
  - All merchants with annual MasterCard e-commerce transactions greater than 20,000 but fewer than one million total transactions
  - All merchants meeting the Level 3 criteria of a competing payment brand
  - Self-Assessment Questionnaire (SAQ) required annually; quarterly scans
  - Validation date: 30 June 2005
- Level 4: no onsite review unless compromised
  - All other merchants
  - Self-Assessment Questionnaire required annually; quarterly scans
  - Consult your acquirer for the validation date
- Notes
  - 1. For Level 1 merchants, the annual onsite review may be conducted by either the merchant's internal auditor or a Qualified Security Assessor.
  - 2. To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an Approved Scanning Vendor.
  - 3. Level 4 merchants are required to comply with the PCI Data Security Standard. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.
- Source: http://www.mastercard.com/us/sdp/merchants/merchant_levels.html
Slide 14: American Express Data Security Operating Policy (DSOP)
- IMPORTANT! Demonstration of compliance with the Data Security Operating Policy: merchants must take the following steps to demonstrate their compliance with this Data Security Operating Policy.
- Step 1: Determine your merchant level and compliance requirements
  - Most merchant levels are based on the merchant's volume of American Express Card transactions submitted by its establishments that roll up to the highest American Express account level. Merchants fall into one of the three levels specified in the table below.
  - Level 3 merchants need not submit validation documentation, but nevertheless must comply with, and are subject to liability under, all other provisions of this Data Security Operating Policy.
  - Determine your level and the documents that you must send to American Express in order to validate your compliance with this policy.
- Level 1
  - Definition: 2.5 million American Express Card transactions or more per year, or any merchant that has had a data incident, or any merchant that American Express otherwise deems a Level 1
  - Validation documentation requirement: annual onsite security audit report; quarterly network scan mandatory
- Level 2
  - Definition: 50,000 to 2.5 million American Express Card transactions per year
  - Validation documentation requirement: quarterly network scan mandatory
- Level 3
  - Definition: fewer than 50,000 American Express Card transactions per year
  - Validation documentation requirement: quarterly network scan strongly recommended
Slide 15: PCI DSS 12 Basic Requirements and Sub-Requirements Standards
- Build and maintain a secure network
  - Install and maintain a firewall configuration to protect data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
  - Protect stored data
  - Encrypt transmission of cardholder data and sensitive information across public networks
- Maintain a vulnerability management program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications (see owasp.org)
- Implement strong access control measures
  - Restrict access to data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
Slide 16: PCI DSS 12 Basic Requirements and Sub-Requirements Standards (continued)
- Maintain an information security policy
  - Maintain a policy that addresses information security
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
Slide 17: Cardholder Data Definition
- Applicable information
- Account and transaction information includes information that is necessary to process card transactions correctly, including all information recorded electromechanically or otherwise on a card, and more specifically includes
Slide 18: Most Common Methodologies for Committing Crime: Social Engineering
- Social engineering is a serious problem, as people are usually the weakest link. SE is the acquisition of sensitive information or inappropriate access privileges by an unauthorized outsider, based on the building of inappropriate trust relationships with insiders. The goal of the unauthorized outsider is to trick an insider into providing valuable information or to gain access to that information.
- The social engineer preys on qualities of human nature such as the tendency to trust people and the fear of getting into trouble. Successful defense against a social engineering attack depends on having clear policies in place and providing ongoing security training to all staff and volunteers on how to follow these policies.
Slide 19: Common Crime Methodologies Online and Off: Social Engineering, Human and Computer
- Human-based social engineering
  - Impersonation: pretends to be someone important in the organization to gain passwords or access to private data.
  - Important user: pretends to be a manager or supervisor and threatens the employee's position if they don't gain access to sensitive data.
  - Third-party authorization: pretends to be a valued outside source with authorization to gain access to sensitive data.
  - Tech support: pretends to be someone from the technical department with a legitimate reason for gaining access to passwords or sensitive data.
  - Dumpster diving: going through garbage for cardholder data.
  - Shoulder surfing: looking over your shoulder to gain access to sensitive data.
Slide 20: Action Required
- DO NOT give out confidential or access information, or reset passwords, without following the approved security policy procedures.
- Be aware of any person(s) who do not have the proper authorization to be in the workplace.
- Follow the security policy procedures for disposing of all confidential data and media such as disks, CDs, DVDs and backup tapes.
- Be aware of any unauthorized person(s) who are trying to eavesdrop on confidential conversations or who may be able to look over your shoulder to gain access to confidential information.
- Report any unusual behavior, phone calls or activities that could fall into the activities outlined above to the appropriate person in charge.
Slide 21: Computer-based Social Engineering
- Phishing
  - Action: DO NOT follow the email's instructions. If in doubt, forward the email to the actual organization for review and further instructions. Report the email to the appropriate authority.
- Popup windows
  - Action: do not re-enter your username or password. Restart your system and log in. Report the incident to the appropriate person in charge.
- Mail attachments
  - Action: DO NOT open any attachments, at work or at home, that you are not expecting from a trusted and authorized person.
- Spam, chain letters and hoaxes
  - Action: DO NOT open or respond to anything from anyone you don't know personally. If in doubt, check with the authorities.
Slide 22: Other Types of Criminal Activity
- Mac OS X viruses are here
- Mobile for-profit viruses are prolific: tens of thousands of infections world-wide
- For-profit virus writers are getting more aggressive
- DDoS attacks are increasing and causing big losses
- Ransom trojans
- Global phishing
- Pharming: modifying a PC with a virus or trojan so that access to the correct URLs goes to the wrong server
- DNS poisoning: a BC government system was compromised
  - The hacker tried a DNS poisoning against our systems over two days
  - It failed because we monitor, but the government had no clue it was happening!
Slide 23: Action Required: Things to Do to Minimize the Social Engineering Risk
- Cross-cut shred any phone lists, email lists or other important documents before recycling them or throwing them in the trash
- Give extra security training to the people on the company's perimeter: security guards, help desk workers, receptionists
- Pay help desk workers well and try to keep the turnover rate down. They have root access and a tremendous amount of power. Treat them with respect
- Put procedures in place that outline what to do if someone calls needing assistance with a password, user ID or other form of authentication
- Give the chief security officer access to top executives. Put him or her in the boardroom so security concerns are given the corporate attention they warrant
- Have a security assessment test performed and heed the recommendations. Make sure you test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack
  - Have the first test performed when the company is expecting it
  - Do a blind test the second time around
Slide 24: Action Required: Things to Do to Minimize the Social Engineering Risk (continued)
- Train ALL of your employees and let them know they all have a role in protecting the company, and that means they're protecting their own jobs
- Let employees know they don't have to be pushed around. If someone calls and tries to threaten them or confuse them, it should raise a red flag
- Remember to update training and train new employees as they come on board
- Set up policies for what can be discussed over the telephone, what can be discussed outside the building, what can be posted in newsgroups, what can be written in instant messages and what can be written in an email
- Don't forget the security basics, like never leaving a password on a sticky note on the computer monitor
- Encrypt information on desktops, laptops and PDAs
- Install cameras so you can see who is coming and going
- Use biometrics or electronic security badges to limit access to the building
- No one should hold the door open for anyone not showing proper ID
- Don't allow employees to leave email notifications or voicemails alerting callers that they are away on a business trip or vacation. It sets up the replacement as a target
Slide 25: How to PCI DSS Certify Your Organization!
- Are you PCI DSS certified now? If not, determine your transaction level.
- Review your IT and office security policies against the PCI requirements documents and create a risk assessment report that includes all staff and volunteers! https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
- Make a list of all your third-party vendors and suppliers handling cardholder data and ensure they are compliant. Don't assume they are secure: no PCI certificate means they are not secure!
  - Web, mail and payment hosting
  - Software suppliers
  - Couriers
- Pay particular attention to how cardholder data is handled and transported online, in the office and in the field (events, door to door).
  - Locked up, cross-cut shredded, locked boxes for large-volume disaster data
  - Encrypted
- Do you have all the correct compliance equipment?
- Is your privacy policy posted for easy viewing?
- Create a preliminary budget for security audit, remediation and training costs, current and ongoing.
- Hire an auditor from the PCI SSC approved vendor site.
Slide 26: Auditing Process
- Review the audit quote
- Hire an auditor from the Visa or MasterCard vendor lists, depending on the size of your organization and your region
- Complete the Self-Assessment Questionnaire, prepare remediation action plans, implement and enforce
- Schedule your scans, prepare a remediation action plan, implement and enforce
- Prepare ongoing training if required and schedule quarterly reviews to monitor behavior changes
- Once compliant, a certificate will be issued; re-certification is required annually. See our certificate on our site at www.cnwylie.com
Slide 27: What Will Impact Your Organization the Most!
- Audit costs range from $150 to $100,000 depending on size.
- Human cost to prepare, train, implement and enforce the new security policies, procedures and methodologies for staff and volunteers across IT, office and field
- Cost of equipment
  - Cross-cut shredders
  - Locking files, boxes, drawers
  - Hardware and software upgrades and purchases
- Cost of the criminal record checks
- If you don't implement according to the mandatory guidelines you are subject to
  - Fines
  - Loss of merchant account use
- If compromised
  - Damage to reputation
  - Loss of donor revenues
- The cost of the audit is just a small part of the compliance budget.
Slide 28: What to Do if a Compromise is Discovered
- Contain and limit the exposure
- Inform the PCI Association within 24 hours
- Alert all necessary parties
- Within four business days of the reported compromise, provide Visa with an incident report
- Depending on the level of risk and the data elements obtained, complete an independent forensic review and conduct a compliance questionnaire and vulnerability scan at Visa's discretion
Slide 29: What You Can Do to Get Your Non-Profit Secure Now!
- Be proactive and ASK the decision makers in your organization:
  - Do you take credit cards online, over the phone or in the field?
  - Do you have a security policy manual governing both your IT and physical security in the office and in the field?
  - Are you passing cardholder data unencrypted over email, or storing it unencrypted on computers or servers?
  - Do the people handling cardholder data have criminal record checks done? If not, why not?
  - Do your nonprofit and your third-party vendors have a PCI DSS certificate? If not, go through the audit and tell your vendors/suppliers they have to as well.
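The question above about cardholder data sitting unencrypted in email or on servers is one an organization can start answering for itself before an audit. The script below is an added illustration (not code from the handbook, SPIguard or the PCI SSC): it sweeps text for strings shaped like a primary account number, keeps only those that pass the Luhn check digit test (which every real card number satisfies, so phone numbers, ticket references and dates drop out), and reports findings with all but the last four digits masked so the report itself does not become another copy of the data. The sample message is constructed and uses well-known test card numbers, not real cardholder data.

```python
"""
Discovery check for unencrypted primary account numbers (PANs) lying in
mail bodies or text files. Added illustration for this handbook, not code
from SPIguard or the PCI SSC. The sample message is constructed and uses
well-known test card numbers rather than real cardholder data.
"""
import re
import sys
from pathlib import Path

# Candidate: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits. This is a discovery
# heuristic; the Luhn test below removes most of its false positives.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: double every second digit from the right,
    subtract 9 from doubles above 9, and require the sum to end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the finding report never
    reproduces a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for each Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


def scan_files(paths) -> dict[str, list[tuple[int, str]]]:
    """Run find_pans over each file; only files with findings are reported."""
    report = {}
    for p in paths:
        hits = find_pans(Path(p).read_text(errors="replace"))
        if hits:
            report[str(p)] = hits
    return report


# Constructed sample: a pledge e-mail of the kind the slide above warns about.
SAMPLE_EMAIL = """\
From: events@example.org (constructed sample)
Donor pledge from gala table 7:
Card: 4111 1111 1111 1111 exp 12/09
Phone: 604-555-0199
Ref ticket 20060520-0358
Second card 5555-5555-5555-4444, please process tomorrow.
Typo card 4111 1111 1111 1112 (fails Luhn, should be ignored)
"""

if __name__ == "__main__":
    # With file paths on the command line, scan those; otherwise run on the sample.
    targets = sys.argv[1:]
    if targets:
        for name, hits in scan_files(targets).items():
            for lineno, masked in hits:
                print(f"{name}:{lineno}: possible PAN {masked}")
    else:
        for lineno, masked in find_pans(SAMPLE_EMAIL):
            print(f"sample:{lineno}: possible PAN {masked}")
```

Run against the built-in sample it reports lines 3 and 6 only; the mistyped number on line 7 and the phone and ticket numbers are discarded. Pointing it at exported mailboxes, spreadsheets or log directories gives a first inventory of where cardholder data is being kept in the clear, which is the input a remediation plan (encrypt, move, or shred) needs.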
Slide 30: What You Can Do Today Before PCI to Reduce Fraud and Identity Theft in Your Organization: Clean Desk Policy
- Clean desk
- The principle of a "clean desk"
- Staff members and volunteers must leave their desks, workspace or work environment in the field, including special fundraising events, "neat and tidy": if it is messy, you may not notice when something is missing.
Slide 31: Clean Desk Policy
- An IT user, volunteer or other staff member must see to it that, when leaving his/her workplace, the appropriate arrangements have been made to prevent unauthorized persons from having access to IT applications or to cardholder data. He/she must also just as conscientiously check his/her workplace and ensure that no loss of availability, confidentiality or integrity will result from any access by unauthorized persons to data media (diskette, hard disk) or to any documents (print-outs, checks, etc.).
- For short absences during working hours, it will suffice to lock the room or file sensitive data in a locked filing cabinet. Outside working hours, the workplace must be tidied up so that no media or documents requiring protection are left behind at the workplace unlocked.
- If no locking desk or appropriate filing cabinet exists to lock away confidential material outside work hours, then the room must be locked and absolutely no unauthorized personnel can have access to the locked room.
Slide 32: Clean Desk Implementation
- Implementation responsibility is to be outlined to staff members, including volunteers, with access to sensitive data.
- Must create an inventory list of all lockable office equipment available in each zone for employees and volunteers to lock up confidential account/cardholder data.
- Create an inventory of lockable boxes or files for employees and volunteers to use to lock up and transport confidential data in the field outside of the workplace: at special fundraising events, new disaster relief campaigns, and door-to-door campaigns.
- Must create a roles and responsibilities outline and a list of authorized person(s) for those handling the keys or cards for locking equipment and the workspace, and for transporting secured confidential account/cardholder data to and from the field and special fundraising events.
Slide 33: Clean Desk Implementation (continued)
- Must create the procedures for lockup and transport
- Throughout the day
  - Lock sensitive confidential documents and computer media in drawers or filing cabinets
  - Physically secure laptops with security cables
  - Secure your workstation before walking away
  - Ensure you are logged off your terminal when leaving it unattended
  - If no locking desk or file cabinet exists, store sensitive/confidential documents and computer media in a filing cabinet or desk drawer, then lock the work environment/room before leaving to assure no unauthorized personnel can access the work environment/room where sensitive/confidential data is stored
Slide 34: Do Not Post Sensitive Data
- Examples include
  - User IDs and passwords
  - IP addresses
  - Contracts
  - Account numbers
  - Checks
  - Client lists
  - Intellectual property
  - Employee records
  - Anything you wouldn't want disclosed
- At the end of the day, take a moment to
  - Tidy up and secure sensitive material
  - Lock drawers, file cabinets and offices
  - Secure expensive equipment (laptops, PDAs, etc.)
Slide 35: What You Can Do Today to Minimize Fraud, Identity Theft and Criminal Activities Online and in the Office and Field!
- Be a leader in attaining and maintaining PCI DSS compliance in your organization
- Get PCI DSS certified through the SPIguard CharitySecure Compliance Seal Program
- Review other vendors for compliance at the PCI SSC site
  - https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
  - https://www.pcisecuritystandards.org/programs/asv_program.htm
Slide 36: SPIguard CharitySecure Seal Program
- Review of current Security Risk Management Strategy
- Aligns all the card companies' PCI DSS dates and validation
- Review of Self-Assessment Questionnaire
- 8 scans annually
- Remediation Action Plan
- Templates for documentation
- Remediation implementation review
- Letter of Finding and Report on Compliance
- PCI DSS Certificate and Seal
- Quarterly review
- Annual review for re-certification
Slide 37: SPIguard CharitySecure Seal Program IFC Delegate Pricing!
- Level 1 merchants are excluded from special pricing for IFC delegates
- Level 2 merchants: $2,500
  - Review of current Security Risk Management Strategy
  - Review of Self-Assessment Questionnaire
  - 8 scans annually
  - Remediation Action Plan
  - Templates for documentation
  - Remediation implementation review
  - Letter of Finding and Report on Compliance
  - PCI DSS Certificate and Seal
  - Quarterly review
  - Annual review for re-certification
  - Price for IFC delegate organizations if you sign up during the Conference: $1,250.00
- Level 3 and 4 merchants: $1,000.00
  - Review of current Security Risk Management Strategy
  - Review of Self-Assessment Questionnaire
  - 8 scans annually
  - Remediation Action Plan
  - Templates for documentation
  - Remediation implementation review
  - Letter of Finding and Report on Compliance
  - PCI DSS Certificate and Seal
  - Quarterly review
  - Annual review for re-certification
  - Price for IFC delegate organizations if you sign up during the Conference: $500.00
Slide 38: Resource Links for PCI DSS
- https://www.pcisecuritystandards.org/index.htm
- http://usa.visa.com/merchants/risk_management/cisp.html
- http://www.mastercard.com/us/sdp/merchants/merchant_levels.html
- https://www209.americanexpress.com/merchant/singlevoice/pdfs/en_GB/UK%20Merchant%20DSOP.pdf
- http://www.discovernetwork.com/resources/data/data_security_overview.html
- https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
- http://www.spiguard.com/charitysecure
Slide 39: Catherine Pagliaro, B.B.A., ePMT
- CEO, C.N. Wylie Group Inc.
- Catherine is a social entrepreneur by nature. In 1993, the Internet caught Catherine's attention. She understood immediately the Internet's vast commercial opportunity as well as the medium's eventual ability to aid human development and the planet. Catherine envisioned the creation of a global high-tech solutions services organization that would be both profitable and socially responsible.
- In December 1994 she founded C.N. Wylie Group Inc. and Strategic Profits Inc. to create profitable enterprises using knowledge, expertise and technology solutions for the purposes of spiritual advancement, human development and bringing balance to the planet: to create permanent sustainable communities for a sustainable future for all! Catherine believes that profit and social responsibility go hand in hand by creating the circle of money flow. It is her corporate mandate to work with people and organizations with similar philosophies, with a strong focus on women's and children's programs, to facilitate positive changes for all inhabitants of our planet and for our planet.
- Catherine has extensive knowledge and expertise in e-commerce, gained through creating, with her team of experts, a proprietary, secure infrastructure of e-solutions, and through creating and teaching her Surefire series of Internet educational seminars, with a focus on security and privacy, in hundreds of workshops and consultations over the last thirteen years. Mrs. Pagliaro is an excellent speaker, with engagements including e-Philanthropy.org, Industry Canada, Soft World, Internet World, Comdex and many other venues.
- Catherine is married with five grown children and one grandson.
Slide 40: C.N. Wylie Group Inc.
703-889 West Pender Street, Vancouver, B.C., Canada
Toll Free N.A.: 1 800 811-7811
Toll Free Intl (coming): 44 (0)20 4067 7993
www.cnwylie.com, www.helpforcharities.com, www.spiguard.com
cc_at_csfm.com
Toronto, Ontario, Canada: 905 910-0575