SPIguard CharitySecure Handbook 12 Steps to Peace of Mind Protecting Your Reputation and Your Donors - PowerPoint PPT Presentation

1 / 40
About This Presentation

SPIguard CharitySecure Handbook 12 Steps to Peace of Mind Protecting Your Reputation and Your Donors


24% of consumers report shopping less online due to security concerns ... Do you take credit cards online or over the phone or in the field? ... – PowerPoint PPT presentation

Number of Views:111
Avg rating:3.0/5.0
Slides: 41
Provided by: richar743


Transcript and Presenter's Notes

Title: SPIguard CharitySecure Handbook 12 Steps to Peace of Mind Protecting Your Reputation and Your Donors

SPIguard CharitySecure Handbook12 Steps to
Peace of Mind!Protecting Your Reputation and
Your Donors From Fraud and Identity Theft
Introducing Security Compliance Protecting Your
Donors from Fraud and Identity Theft
  • You will learn the mandatory security
    fundamentals and options available to create a
    trusted fundraising environment to minimize
    online and physical world criminal activity.
    Regulations, best practices, resources and
    references provided will help the participant
    understand the necessary action required to
    develop a compliant risk management strategy.
  • This Handbood offers an overview of the security
    regulations required today for all fundraising
    world-wide, policies, procedures, and the tools
    necessary to assure a donors privacy is
    protected. This session will prepare IT
    professionals, development officers and other key
    nonprofit administrators to take the steps for
    PCI DSS compliance, to prevent compromise of
    confidential donor information and protect their
    donors from fraud and identity theft.

C.N. Wylie Group Inc.www.cnwylie.com
  • Founded 1994- Socially Responsible
  • Developed proprietary infrastructure of
    e-solutions to faciliate positive change by
    helping to create permanent sustainable
    communities for a sustainable future!
  • Security 1
  • Never compromise security for convenience, speed
  • Proprietary Infastructure
  • Web and Payment Hosting
  • Web and Payment App Dev
  • Database Application Dev
  • Complete online solutions for donation management
  • Online anti-fraud tools
  • VBV/Secure Code
  • IP guard
  • Began performing IT audits for Visa Canada AIS
    June 03 to Feb. 04
  • Global auditor MasterCard SDP Feb/04
  • SPIguard Security Solutions Inc. certified QSA
    and ASV by PCI SSC (Security standards Council,
  • Fourth year certified under PCI without
    remediation required
  • Bring real world experience and knowledge to our
    security education audit process and training
  • Never been compromised

Why Mandatory PCI Security Regulations? Its
Been the Wild, Wild, West and the PCI Sheriffs
have riding in to clean up!
  • Internet inception no rules or regulations a
    free for all for the hope of Big
  • Fraud, Identity Theft and other criminal
    activities online and in physical office space on
    the rise.
  • Costs to the card cos and consumers in the
    hundreds of million of annually - One set of
    global requirements to get everyone using one set
    of policies, procedures, methodologies to reduce
    crime to a minimum. Been going on for years well
    hiddenbut now forced to disclose.
  • Examples
  • Hackers grab donor info from U.K. charityBy Andy
    fromU.K.charity/2100-1029_3-5991361.html Dec
    12, 2005
  • Red Cross Identity Theft Case May Turn Up More
    rticle?AID/20060520/NEWS07/605200358 May 20,
    2006   By Jim Salter THE ASSOCIATED PRESS
  • Ohio University Suffers Massive Security
    ,39268534,00.htm Greg Sandoval CNET News.com May
    12, 2006

Growing Concerns
  • 53 million people have had data about themselves
    exposed in the the past 13 months
  • 24 of consumers report shopping less online due
    to security concerns
  • Fraud is now the top reason given for chargebacks
  • Avg. consumer losses are between 500 (if theft
    found early) and 4500 if they wait for paper
  • 43.4 of U.S. adults have received a phishing
    e-mail and almost 5 are successful
  • Mar. 2006 - Major security flaw uncovered on
    PayPals site that could allow scammers to send
    phishing emails
  • Mean amount lost to consumers to identity theft
    is 1,089, Harris Interactive reports.
  • Source www.auctionbytes.com, Zdnet, Visa,
    Information week

Identity Theft and Fraud
The Changing Faces of the Social Engineers of
Online Crime!
  • Social Engineers used to be high school and
    college kids like
  • Chen-Ing Hau the author of the CIH virus,
  • Joseph McElroy who hacked the Fermi lab network
  • Today we are fighting sophisticated business
    types and organized crime figures such as
  • Jeremy Jaynes, millionairre and a spammer
  • Jay Echouajni, CEO and a DDoS attacker
  • Andrew Schwarmkoff a member of the Russian mob
    and a phisher

What Are We Doing About It?History of Payment
Card Industry Data Security StandardsPCI DSS
  • Visa International created the regional Account
    Information Security Program in 2001-CISP in US
  • Goal to minimize criminal activity online
    initially, now physical world as well
  • Slow to implement and enforce
  • MasterCard developed their program Global
    Secure Data Protection with its own set of
    requirements in 2003/04
  • Dec. 2004 formed Payment Card Industry
    association and aligned the card programs into
  • Endorsed by Visa, MasterCard, Amex, JCB,
    Discover, Diners
  • New PCI SSC (Standards Security Council)
    responsible for training and certifying QSA and
  • Card Companies have different requirements so
    must coordinate all
  • Creates confusion without guidance
  • Key to winning war against crime is EDUCATION AND

PCI DSS Purpose
  • The purpose of the PCI Data Security Standards
    Council, LLC is to foster broad adoption of the
    PCI Data Security Standard (DSS). The PCI DSS
    represents a unified, industry standard for
    protecting account data that is stored,
    transmitted or processed to enhance the security
    of electronic payments.
  • The PCI DSS version 1.1 was developed by the
    founding members of PCI Security Standards
    Council, LLC, including Discover, American
    Express, JCB, MasterCard and Visa International,
    to help facilitate the broad adoption of
    consistent data security measures on a global
    basis. The PCI DSS is a multifaceted security
    standard that includes requirements for security
    management, policies, procedures, network
    architecture, software design and other critical
    protective measures.
  • This comprehensive standard is intended to help
    organizations proactively protect customer
    account data. PCI Security Standards Council,
    LLC, will enhance the PCI DSS as needed to ensure
    the standard includes any new or modified
    requirements necessary to mitigate emerging
    payment security risks while continuing to foster
    wide-scale adoption.
  • Source http//www.discovernetwork.com/resources/

PCI DSS Mandatory for all Merchants with Visa,
MasterCard, Amex, JCB, Discover and Diners
Merchant Accounts!
  • Using the PCI Data Security Standard as its
    framework, provides the tools and measurements
    needed to protect against cardholder data
    exposure and compromise.
  • PCI consists of Four Merchant Levels
  • The PCI DSS consists of twelve basic
    requirements and corresponding sub-requirements.
  • SafeHarbour If your organization has a PCI DSS
    compliant certificate and is compromised, you
    will be exempt from any penalties(fines/loss of
    M/A) once a review has been completed by the PCI

Risk Exposure
  • What risk is a business exposed to by not
    complying with Visa's Account Information
    Security Standards Program?
  • Failure to protect Account and Transaction
    Information may result in financial loss due to
    fraud, or a decrease in business caused by lower
    consumer confidence. Because the AIS program is
    mandatory for all Visa-accepting merchants, those
    merchants found not complying with the AIS
    program may be subject to penalty by Visa, such
    as fines, and/or removal from the Visa program.
  • MasterCard and American Express will fine without
    compliance in place.
  • TJX exposure to millions upon millions of
    dollars in Card Association fines and class
    action lawsuits.

Visa Merchant Level Described
  • Acquirers are responsible for determining the
    compliance validation levels of their merchants
  • Merchant Level Description and Validation
  • Level 1
  • Any merchant-regardless of acceptance
    channel-processing over 6,000,000 Visa
    transactions per year.
  • Any merchant that has suffered a hack or an
    attack that resulted in an account data
  • Any merchant that Visa, at its sole discretion,
    determines should meet the Level 1 merchant
    requirements to minimize risk to the Visa system.
  • Any merchant identified by any other payment card
    brand as Level 1.
  • All Brick Mortar, MOTO, E-commerce
  • Validation
  • Annual Self-Assessment Questionnaire,
  • Quarterly Vulnerability Scan if risk highest
    this could go to daily or weekly
  • Annual On-site Review
  • Level 2
  • Any merchant processing 150,000 to 6,000,000 Visa
    e-commerce transactions per year
  • Validation Summary
  • Annual Self-Assessment Questionnaire
  • Quarterly Vulnerability Scans
  • Deadline for compliance was Dec. 31, 2005
  • Level 3
  • Any merchant processing 20,000 to 150,000 Visa
    e-commerce transactions per year.
  • Same as Level 2
  • Level 4
  • Any merchant processing fewer than 20,000 Visa
    e-commerce transactions per year, and all other
    merchants processing up to 6,000,000 Visa
    transactions per year.
  • Annual self-assessment questionnaire and
    vulnerability scan unless deemed high risk by the
  • In Canada 4a. All brick and mortar and MOTO
  • Level 4b is B/Mlt 1,000,000 transactions and E-com
  • Looking to achieve compliance for 2007/08

MasterCard SDP for PCI DSS
  • Merchant Definition Criteria
  • Onsite Review
  • Self Assessment
  • Network Security Scan
  • Initial Compliance Validation Date
  • Level 1 Onsite Review
  • All merchants, including electronic commerce
    merchants, with more than 6 million total
    MasterCard transactions annually
  • All merchants that experienced an account
  • All merchants meeting the Level 1 criteria of a
    competing payment brand
  • Any merchant that MasterCard, at its sole
    discretion, determines should meet the Level 1
    merchant requirements
  • Required Annually
  • Quarterly Scans
  • Validation Date 30 June 2005
  • Level 2 no onsite unless compromised or a PSP
  • All merchants with more than one million total
    MasterCard transactions but less than six million
    total transactions annually
  • All merchants meeting the Level 2 criteria of a
    competing payment brand
  • Self Assessment Questionairre (SAQ) required
  • Level 3 -no onsite unless compromised or a PSP
  • All merchants with annual MasterCard e-commerce
    transactions greater than 20,000 but less than
    one million total transactions
  • All merchants meeting the Level 3 criteria of a
    competing payment brand
  • Self Assessment Questionairre (SAQ) required
  • Quarterly Scans
  • Validation Date 30 June 2005
  • Level 4 no onsite unless compromised
  • All other merchants
  • Self Assessment Questionairre AnnuallyRequired
  • Quarterly Scans
  • Consult Acquirer for Validation Date
  • 1. For Level 1 merchants, the annual onsite
    review may be conducted by either the merchants
    internal auditor or a Qualified Security
  • 2. To fulfill the network scanning requirement,
    all merchants must conduct scans on a quarterly
    basis using an Approved Scanning Vendor.
  • 3. Level 4 Merchants are required to comply with
    the PCI Data Security Standard. Level 4 Merchants
    should consult their acquirer to determine if
    compliance validation is also required.
  • Sourcehttp//www.mastercard.com/us/sdp/merchants/

American Express Data Security Operating Policy
  • IMPORTANT! Demonstration of
  • Compliance with Data Security Operating Policy
  • Merchants must take the following steps to
    demonstrate their
  • compliance with this Data Security Operating
  • Step 1 Determine your Merchant Level and
  • Requirements
  • Most Merchant Levels are based on the merchants
    volume of
  • American Express Card transactions submitted by
  • Establishments that roll-up to the highest
    American Express account level. Merchants fall
    into one of three levels specified in the table
  • Level 3 Merchants need not submit Validation
    Documentation, but nevertheless must comply
  • with, and are subject to liability under, all
    other provisions of this Data Security Operating
  • Policy.
  • Determine your level and the documents that you
    must send to American Express in order to
    validate your compliance with this policy.
  • Level
  • Definition
  • Validation
  • Documentation
  • Requirement
  • Level 1
  • 2.5 million American
  • Express Card transactions or more per year or
    any merchant that has had a data incident or any
    merchant that American Express otherwise deems a
    Level 1
  • Annual Onsite
  • Security Audit
  • Report
  • Quarterly Network Scan Mandatory
  • Level 2
  • 50,000 to 2.5 million
  • American Express Card
  • transactions per year
  • Quarterly
  • Network Scan
  • Mandatory
  • Level 3
  • Less than 50,000 American Express Card
    transactions per year
  • Quarterly Network Scan
  • Strongly Recommended

PCI DSS 12 Basic Requirements and
Sub-Requirements Standards
  • Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to
    protect data
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters
  • Protect Cardholder Data
  • Protect stored data
  • Encrypt transmission of cardholder data and
    sensitive information across public networks
  • Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and
    applications owasp.org
  • Implement Strong Access Control Measures
  • Restrict access to data by business need-to-know
  • Assign a unique ID to each person with computer
  • Restrict physical access to cardholder data

PCI DSS 12 Basic Requirements and
Sub-Requirements Standards
  • Maintain an Information Security Policy
  • Maintain a policy that addresses information
  • Regularly Monitor and Test Networks
  • Track and monitor all access to network
    resources and cardholder data
  • Regularly test security systems and processes

Cardholder Data Definition
  • Applicable Information
  • Account and Transaction Information includes
    information that is necessary to process Card
    transactions correctly, including all information
    recorded electromechanically or otherwise on a
    card, and more specifically includes

Most Common Methodologies for Committing Crime
Social Engineering
  • Social Engineering is a serious problem as people
    are usually the weakest link SE is the
    acquisition of sensitive or inappropriate access
    privileges by an unauthorized outsider, based on
    the building of inappropriate trust relationships
    with insiders. The goal of the unauthorized
    outsider is to trick an insider into providing
    valuable information or to gain access to that
  • The social engineer preys on the qualities of
    human nature such as the tendency to trust people
    and the fear of getting into trouble. Successful
    defense of a social engineering attack depends on
    having clear policies in place and providing
    ongoing security training to all staff and
    volunteers on how to follow these policies.

Common Crime Methodologies Online and OffSocial
Engineering Human and Computer
  • Human-based Social Engineering
  • Impersonation Pretends to be someone important
    in the organization to gain passwords or access
    to private data.
  • Important User Pretends to be a Management or
    Supervisor and threatens employee position if
    they dont gain access to sensitive data.
  • Third Party Authorization Pretends to be an
    outside valued source with authorization to gain
    access to sensitive data.
  • Tech Support Pretends to be someone from the
    technical department with a legitimate reason for
    gaining access to passwords or sensitive data.
  • Dumpster Diving Going through garbage for
    cardholder data.
  • Shoulder Surfing Looking over your shoulder to
    gain access to sensitive data.

Action Required
  • DO NOT give out confidential or access
    information or re-set passwords without following
    the approved security policy procedures.
  • Be aware of any person or person(s) that do not
    have the proper authorization to be in the
  • Follow the security policy procedures for
    disposing of all confidential data and media such
    as disks, CDs, DVDs, backup tapes.
  • Be aware of any unauthorized person(s) that are
    trying to eavesdrop on confidential conversations
    or may have access to look over your shoulder to
    gain access to confidential.
  • Report any unusual behavior, phone calls or
    activities that could fall into the above
    outlined activities to appropriate person in

Computer-based Social Engineering 
  • Phishing
  • Action- DO NOT follow the email instructions. If
    in doubt forward the email to the actual
    organization for review and further instructions.
    Report this email to the appropriate authority.
  • Popup Windows  
  • Action - do not re-enter your username or
    password. Restart your system and log in.
    Report the incident to the appropriate person in
  • Mail attachments
  • Action - DO NOT open any attachments at work or
    at home that you are not expecting from a trusted
    and authorized person.
  • Spam, Chain Letters and Hoaxes
  • Action DO NOT open or respond to anything or
    anyone you dont know personally. If in doubt
    check with authorities.

Other types of Criminal Activity
  • Mac OS X viruses are here
  • Mobile for-profit viruses prolific10s of
    thousands of infections world-wide
  • For-profit virus writers getting more aggressive
  • DDoS attacks increasing and causing Big loss
  • Ranson trojans
  • Global Phishing
  • Pharming modifying a PC with a virus or trojan
    so that access to the correct URLs goes to the
    wrong server
  • DNS poisoning BC government system was
  • the hacker tried a DNS poisoning against our
    systems over two days
  • It failed as we monitor but the Gov.t had no clue
    it was happening!

Action RequiredThings to do to minimize the
social engineering risk.
  • Cross-cut shred any phone lists, email lists or
    other important documents before recycling them
    or throwing them in the trash
  • Give extra security training to the people on the
    company's perimeter -- security guards, help desk
    workers, receptionists
  • Pay help desk workers well and try to keep the
    turnover rate down. They have route access and a
    tremendous amount of power. Treat them with
  • Put procedures in place that outline what to do
    if someone calls needing assistance with a
    password, user ID or other form of
  • Give the chief security officer access to top
    executives. Put him or her in the boardroom so
    security concerns are given the corporate
    attention they warrant
  • Have a security assessment test performed and
    heed the recommendations. Make sure you test the
    company's ability to protect its environment, its
    ability to detect the attack and its ability to
    react and repel the attack-- Have the first
    test performed when the company is expecting
    it-- Do a blind test the second time around

Action RequiredThings to do to minimize the
social engineering risk.
  • Train ALLof your employees and let them know they
    all have a role in protecting the company and
    that means they're protecting their own jobs
  • Let employees know they don't have to be pushed
    around. If someone calls and tries to threaten
    them or confuse them, it should raise a red flag
  • Remember to update training and train new
    employees as they come on board
  • Set up policies for what can be discussed over
    the telephone, what can be discussed outside the
    building, what can be posted in news groups, what
    can be written in instant messages and what can
    be written in an email
  • Don't forget the security basics, like never
    leaving a password on a sticky note on the
    computer monitor
  • Encrypt information on desktops, laptops and
  • Install cameras so you can see who is coming and
  • Use biometrics or electronic security badges to
    limit access to the building
  • No one should hold the door open for anyone not
    showing proper ID
  • Don't allow employees to leave email notification
    or voicemails alerting callers that they are away
    on a business trip or vacation. It sets up the
    replacement as a target

How to PCI DSS Certify In Your Organization!
  • Are you PCI DSS certified now
  • if not- determine transaction level
  • Review your IT and office security policies
    against the PCI requirements documents and create
    a risk assessment report including all staff and
    volunteers! https//www.pcisecuritystandards.org/p
  • Make a list of all your third party vendor
    suppliers handling cardholder data and ensure
    compliant dont assume they are secure no PCI
    cert they are not secure!
  • Web, Mail and Payment Hosting
  • Software suppliers
  • Couriers
  • Pay particular attention to how cardholder data
    is handled and transported online, in the office
    and in the field(events, door/door).
  • Locked up, cross-cut shredded, locked boxes for
    large volume disaster data
  • Encrypted
  • Do you have all the correct compliance equipment?
  • Is your privacy policy posted for easy viewing
  • Create a preliminary budget for security audit,
    remediation, training costs current and ongoing.
  • Hire an auditor from the PCI SSC approved vendor

Auditing Process
  • Review audit quote
  • Hire an auditor from the Visa or MasterCard
    vendor lists depending on the size of your
    organization and region
  • Complete the Self-assessment Questionnaire,
    prepare remediation action plans, implement and
  • Schedule your scans, prepare remediation action
    plan, implement and enforce.
  • Prepare ongoing training if required and schedule
    quarterly reviews to monitor behavior changes
  • Once compliant, certificate will be issued and
    re-certification is required annually. See our
    certificate on our site at www.cnwylie.com

What will Impact Your Organization the Most!
  • Audit costs range 150 to 100,000 depending on
  • Human cost to prepare, train, implement and
    enforce staff and volunteers to the new security
    policies, procedures and methodologies for both
    IT,Office and field
  • Cost of equipment
  • Cross-cut shredders
  • Locking files, boxes, drawers
  • Hardware and software upgrades and purchases
  • Cost of the Criminal Record checks
  • If you dont implement according to the mandatory
    guidelines you are subject to
  • Fines
  • Loss of merchant account use
  • If Compromised
  • Damage to Reputation
  • Losing Donor Revenues
  • The cost of the Audit is just a small part of
    compliance budget.

What to Do if a Compromise is Discovered
  • Contain and limit the exposure
  • Inform PCI Association within 24 hours
  • Alert all necessary parties.
  • Within four business days of the reported
  • Provide Visa with an incident report.
  • Depending on the level of risk and data elements
    obtained, complete an independent forensic review
    and conduct a compliance questionnaire and
    vulnerability scan upon Visa's discretion.

What You Can do to Get Your Non-Profit Secure Now!
  • Be proactive and ASK the decision makers in your
  • Do you take credit cards online or over the phone
    or in the field?
  • Do you have a security policy manual governing
    both your IT and physical security in the office
    and in the field?
  • Are you passing cardholder data unencrypted over
    email or storing unencrypted in computers or
  • Do people handling cardholder data have criminal
    records checks done if not why not?
  • Does your nonprofit and your third party vendors
    have a PCI DSS certificate? If not go through the
    audit and tell your vendor/suppliers they have to
    as well.

What You Can Do Today Before PCI to Reduce Fraud
and Identity Theft in Your OrganizationClean
Desk Policy
  • Clean Desk
  • The principle of a "clean desk"
  • Staff members and volunteers must leave their
    desks, workspace, or work environment in the
    field including special fundraising events,
    "neat and tidy", as if it is messy, you may not
    notice when something is missing.

Clean Desk Policy
  • An IT user, volunteer or other staff member must
    see to it that, when leaving his/her workplace,
    the appropriate arrangements have been made to
    prevent unauthorized persons from having access
    to IT applications or to card holder data. He/she
    must also just as conscientiously check his/her
    workplace and must ensure that no loss of
    availability, confidentiality or integrity will
    be entailed by any access of unauthorized persons
    to data media (diskette, hard disk) or to any
    documents (print-outs, checks , etc.)
  • For short absences during working hours, it will
    suffice to lock the room or file sensitive data
    in a locked filing cabinet. Outside working
    hours, the workplace must be tidied up so that no
    media or documents requiring protection that are
    not locked away, will be left behind at the
  • If no locking desk or appropriate filing cabinet
    exists to lock away confidential material outside
    work hours, then the room must be locked and
    absolutely no unauthorized personnel can have
    access to the locked room

Clean Desk Implementation
  • Implementation responsibility to be outlined to
    Staff members including Volunteers with access to
    sensitive data.
  • Must create an inventory list of all available
    lockable office equipment available in each zone
    for employees and volunteers to lock up
    confidential account/cardholder data.
  • Create an inventory of lockable boxes or files
    for employees and volunteers to use to lock up
    and transport confidential data in the field
    outside of the workplace, at special fundraising
    events, new disaster relief campaigns, and for
    door to door campaigns.
  • Must create roles and responsibility outline and
    list of authorized person(s) for those handling
    the keys or cards for locking equipment, the
    workspace, and transporting secured confidential
    account/cardholder data to and from the field
    and special fundraising events.

Clean Desk Implementation
  • Must create the procedures for the lockup and
    transport procedure
  • Throughout the day
  • Lock sensitive confidential documents and
    computer media in drawers or filing cabinets
  • Physically secure laptops with security cables
  • Secure your workstation before walking away
  • Ensure you are logged off your terminal when
    leaving your terminal unattended.
  • If no locking desk or file cabinet exists, store
    sensitive/confidential documents and computer
    media in a filing cabinet or desk drawer, then
    lock the work environment/room before leaving to
    assure no unauthorized personnel can access the
    work environment/room where sensitive/confidential
    data is stored

Do Not Post Sensitive Data
  • Examples include
  • User IDs Passwords
  • IP addresses
  • Contracts
  • Account numbers
  • Checks
  • Client lists
  • Intellectual property
  • Employee records
  • Anything you wouldn't want disclosed
  • At the end of the day, take a moment to
  • Tidy up and secure sensitive material
  • Lock drawers, file cabinets and offices
  • Secure expensive equipment (laptops, PDAs, etc.)

What You Can Do Today to Minimize Fraud, Identity
Theft and Criminal Activities Online and in the
Office and Field!
  • Be a Leader in attaining and maintain PCI DSS
    compliance in your organization
  • Get PCI DSS certified through SPIguard
    CharitySecure Compliance Seal Program
  • Review other vendors for compliance at the PCI
    SSC site
  • https//www.pcisecuritystandards.org/resources/qua
  • https//www.pcisecuritystandards.org/programs/asv_

SPIguard CharitySecure Seal Program
  • Review of current Security Risk Management
  • Aligns all the Card Companies PCI DSS Dates and
  • Review of Self-Assessment Questionnaire
  • 8 Scans Annually
  • Remediation Action Plan
  • Templates for Documentation
  • Remediation Implementation Review
  • Letter of Finding and Report on Compliance
  • PCI DSS Certificate and Seal
  • Quarterly Review
  • Annual Review for Re-certification

SPIguard CharitySecure Seal Program IFC Delegate
  • Level 1 merchants are excluded from special
    pricing for IFC delegates
  • Level 2 merchants - 2500
  • Review of current Security Risk Management
  • Review of Self-Assessment Questionnaire
  • 8 Scans annually
  • Remediation Action Plan
  • Templates for Documentation
  • Remediation Implementation Review
  • Letter of Finding and Report on Compliance
  • PCI DSS Certificate and Seal
  • Quarterly Review
  • Annual Review for Re-certification
  • Price for IFC delegate organizations if you sign
    up during the Conference 1250.00
  • Level 3 and 4 merchants 1000.00
  • Review of current Security Risk Management
  • Review of Self-Assessment Questionnaire
  • 8 Scans annually
  • Remediation Action Plan
  • Templates for Documentation
  • Remediation Implementation Review
  • Letter of Finding and Report on Compliance
  • PCI DSS Certificate and Seal
  • Quarterly Review
  • Annual Review for Re-certification
  • Price for IFC delegate organizations if sign up
    during the Conference 500.00

Resource Links for PCI DSS
  • https//www.pcisecuritystandards.org/index.htm
  • http//usa.visa.com/merchants/risk_management/cisp
  • Sourcehttp//www.mastercard.com/us/sdp/merchants/
  • https//www209.americanexpress.com/merchant/single
  • http//www.discovernetwork.com/resources/data/data
  • https//www.pcisecuritystandards.org/pdfs/pci_dss_
  • http//www.spiguard.com/charitysecure

  • Catherine Pagliaro, B.B.A. ePMT
  • CEO, C.N. Wylie Group Inc.
  • Catherine is a Social Entrepreneur by nature. In
    1993, the Internet caught Catherines attention.
    She understood immediately the Internets vast
    commercial opportunity as well as the mediums
    eventual ability to aid human development and the
    planet. Catherine envisioned the creation of a
    global hi tech solutions services organization
    that would be both profitable and socially
  • In December 1994 she founded C.N. Wylie Group
    Inc. and Strategic Profits Inc. to create
    profitable enterprises using knowledge, expertise
    and technology solutions for the purposes of
    spiritual advancement, human development and
    bringing balance to the planet. To create
    permanent sustainable communities for a
    sustainable future for all! Catherine believes
    that profit and social responsibility go hand in
    hand by creating the circle of money flow. It is
    her corporate mandate to work with people and
    organizations with similar philosophies with a
    strong focus on women and children's programs, to
    facilitate positive changes for all inhabitants
    of our planet and for our planet.
  • Catherine has an extensive knowledge and
    expertise of e-commerce gained through creating,
    with her team of experts,, a proprietary, secure
    infrastructure of e-solutions, from creating and
    teaching her Surefire series of Internet
    educational seminars, with a focus on security
    and privacy through hundreds of workshops,
    consultations over the last thirteen years. Mrs.
    Pagliaro is an excellent speaker including
    engagements with e-Philanthropy.org, Industry
    Canada, Soft World, Internet World, Comdex, and
    many other venues.
  • Catherine is married with five grown children and
    one grandson.

C.N. Wylie Group Inc.703-889 West Pender
StreetVancouver, B. C. CanadaToll Free N.A. 1
800 811-7811Toll Free Intl coming 44 (0)20
4067 7993 www.cnwylie.comwww.helpforcharities.co
mwww.spiguard.comcc_at_csfm.comToronto, Ontario
Canada905 910-0575
Write a Comment
User Comments (0)
About PowerShow.com