On this episode of Bloomerang TV, Adrian Salmon, Vice President at Grenzebach Glier and Associates, joins us to set the record straight on PCI-DSS compliance for direct mail.
Steven: Hey there. Welcome to this week’s episode of Bloomerang TV. Happy Monday to you. I’m really excited for this week because I am joined by someone I followed on Twitter for a while, someone very well-known, garners a lot of respect in the industry. He is Adrian Salmon. He is the Vice-President at Grenzebach Glier and Associates over in the UK. Adrian, how is it going?
Adrian: It’s going really well, Steve, thanks. I’m as you were just saying I’m, this is the day before I start my new role at Grenzebach Glier, and really . . .
Steven: Yeah. Yeah, you should and you were at University of Leeds prior. Is that correct?
Adrian: Before joining GG and A, I was at the University of Leeds for 7 years, so I just left on Friday.
Steven: Great, great. So what did you do at the university there and maybe you talk about what you’re going to be doing at your new role, over at the consultancy?
Adrian: Yeah, sure. Well, I’ve been a direct marketing fundraiser for getting on for 18 years now. So I started way back in ‘97, as a telephone fundraiser in Oxford. Went to become head of business development and client services for that agency called The Phone Room. Then moved up to Yorkshire, so a couple hundred miles north in the UK and the University of Leeds was looking for somebody to take on and run all of its direct marketing, fundraising, telephone appeals, emails, direct mail, so I’ve been doing that for the last 7 years for them.
Steven: Very cool, very cool. And I appreciate you doing this from across the pond. I know you’re probably just wrapping up your day. I’m kind of starting my day. But we kind of connected through our blog, through Facebook. We were chatting about PCI compliance.
Steven: I know it’s a big issue, especially for direct marketing and direct mail. And I know that’s kind of your thing. And it seems like there’s just a lot of misconceptions and confusion and just a lot of misinformation. And you’re the guy that I know that can just cut through the clutter and tell us what is it all about, what do you need to do, not need to do, what’s going on here?
Adrian: Yeah. Well, PCI compliance, its full name is PCI DSS, which stands for Payment Card Industry Data Security Standard. Is one of those things that you call a BST, a big scary thing. And you get people coming in from the outside, they say we’re going to see if you’re PCI compliant or not. And actually, all in all, it’s a very good and a very, very necessary thing.
Adrian: Going about security for donors. And the history of it, goes back to about 2005-2006, when the online, when the retailer TJ Maxx found out about 3 years after the fact, that somebody had gotten to their database.
Steven: Oh no.
Adrian: Got access to 46 million customers’ credit card details. And the loophole, the details were encrypted on their database, but the hackers had access to the encryption software as well, so they could actually get all of these credit card details off TJ Maxx’s database and decrypt them. And it was a big, big, big scandal.
Adrian: There had been a previous one where somebody had got onto another place’s website and servers and got hold of 40 million credit card records.
Adrian: So the payment industries, because the people liable for this are the credit card providers, Visa, MasterCard, Amex, if somebody hacks one of their customer’s credit card details, they’re the people liable. So for them, this is a big, big problem. PCI DSS is all being driven by the payment card providers.
Steven: I see.
Adrian: So it’s not, it’s not always law. So in some parts of the states it’s been written into state laws, but in other parts of the states it hasn’t. But if you want PCI DSS compliant, you’re going to have a very, very hard time from your credit card sponsors as it were.
Steven: Right, I know that when we were getting Bloomerang off the ground, making sure our donation forms and then technology side, making sure that was PCI compliant was a big deal. Well what are the implications for the nonprofit, do they have some responsibility in, and maybe what are the implications for that direct mail piece?
Adrian: It depends. The implications, let’s say for a start, the implications for direct mail, if all you’re doing is direct mail, and you don’t do any telephone fundraising, and you don’t do any online fundraising, then the implications for you are very, very small indeed. Because basically PCI compliance only really governs what happens when you get the credit card information, and what you do with it after that. How the credit card information comes to you is important if it’s over the telephone or online, but it’s not considered in the scope of PCI if it’s coming to you through the post.
Adrian: So basically, if you’re only getting donations through the post, you’re not using the phone at all, you’re not using the mail at all, the online at all, then all you need to do is make sure you process your credit card donations on the same day you get them, if at all possible. That you have somewhere secure to store them if you can’t process them on the same day that you get them. And that you destroy all the credit card details after you processed them and that you don’t keep them. And in the simplest scenario, that is, that is it.
Adrian: You don’t have to worry any further. If you get donations online, then you’ll probably be using a third-party provider.
Adrian: Probably be using your database, or you’ll be using Blackbaud’s, or you’ll be using one of the other fundraising databases, that’s got online giving functionality built in.
Steven: Right, right.
Adrian: In which case they’re PCI compliant.
Adrian: You’re PCI compliant, and there’s no problem.
Steven: Yeah, or we all are. We wouldn’t be in business. None of them are not PCI compliant, it’s good. And there’s an interesting thing in the States, it seems like the trend or the overarching advice is to not collect credit card numbers via mail, or via the post. That seems to be . . .
Adrian: I don’t know where that’s come from.
Steven: Yeah, I know and that’s interesting. That’s kind of what I wanted to ask you about.
Adrian: It’s not only nowhere in the scope of PCI, and nowhere in the PCI DSS document that makes any reference to it.
Adrian: So I think that this is one of the things I saw this about, at the end of the ‘90s, beginning of the 2000s, when the Data Protection Act came in the UK. And there were lots of people in the UK saying that this you couldn’t do because the Data Protection Act, or this you couldn’t do because the Data Protection Act.
Adrian: And actually it had no basis in fact.
Adrian: A lot of people are being told they can’t do things. They’re being told they can’t do it because of PCI DSS, and again it has no basis in fact.
Adrian: I think, what happens is something like this gets mixed up with an organization’s conception of risk, so they say, “Okay, there’s this big scary thing, and it looks like this bit of what we do is at risk, therefore, even if it’s not covered in the big scary thing, we’ll close it down nevertheless to minimize the risk.”
Steven: Right. They’re not thinking about it.
Adrian: And I think that’s what’s going on. But in actual fact, the vast majority of credit card donations come by post.
Adrian: As you’ll know. So for people to be told you can’t collect credit card information by post, is potentially disastrous.
Adrian: Really a very important thing that we ought to say is that it is not the PCI DSS saying this. I also heard people say, “Oh, you can collect them by post, as long as you don’t collect the three digit verification number on the back of the card, the CID number.”
Adrian: Now, that is very odd, because when you look at the definition of the CID number, what it is for, it is precisely for making donations by post when you’re not present or over the phone.
Adrian: Now, again, that’s an incorrect piece of information. And you, your credit card provider will want you to have that three digit number to validate the transaction otherwise you won’t be able to put any of the credit cards through.
Steven: It’s so odd, and it seems like, I’m wondering if it’s going to come back around the other way, that people are so worried about all those retailers getting hacked that they would rather send the credit card information by mail or post, than post them and put it online.
Adrian: Well, when you look at the PCI DSS, I mean the document goes to about 112 pages. And it is totally, almost entirely concerned with online security.
Adrian: So it’s concerned with what happens when payment numbers are transmitted to be authorized between a merchant and the credit card company. It’s concerned with what might happen on a network where people might have access to stored card data, all of those things. But it’s not concerned at all with postal donation forms.
Adrian: And actually very little to do with the telephone either. The one big thing about PCI DSS and the telephone is that you shouldn’t be . . . if you’re recording your calls, which a lot of call centers do as a training tool, you shouldn’t be recording the part of the call where the donor gives their credit card information and it’s accepted.
Adrian: So that might be tricky for some call centers, but again, that’s a thing. If you’ve got a call on the go, and the donor’s about to give their credit card information, recording has to stop over that point where the credit card is authorized.
Steven: Okay. This is great. You set it straight for us. I so appreciate that. One last thing, people who are accepting credit card information via mail, what do they need to do that maybe they’re not doing or they’re getting wrong? You know you mentioned destroying the original document after it’s inputted.
Adrian: Well, you certainly mustn’t have credit card information lying around the office.
Adrian: I mean, so if it’s coming in, and the person who does the gift processing isn’t in for a couple of days, then anything might have credit card information on it has to be taken and locked away somewhere securely where you can’t get a hold of it. But otherwise, it’s, a matter of just taking what you would expect to be standard security precautions with donor’s data and donor’s gifts. Because you’d lock checks away in a safe, as well, you wouldn’t leave those lying around the office.
Steven: Yeah, absolutely. Well, great. Adrian, this is awesome. Thanks for coming on. It’s been great.
Adrian: There’s another thing, which is, I mean you asked me before the only other misconception is about storing credit card data. So some people might be thinking, I know in the States, we have a thing called Direct Debit over here in the UK, which means for running our monthly giving programs, we don’t need to take recurring gifts on people’s credit cards.
Adrian: But there may be people out there in the States, where I know a lot of you run your recurring gift programs by credit card, thinking, “Well, we can’t do this, because we can’t store credit card details because of PCI DSS.”
Adrian: Actually, you can store the credit card details. It’s just that they have to be rendered unreadable.
Adrian: They have to be encrypted on the database.
Adrian: So again, if you’ve got a database that creates a token of the credit card number, that authorizes that, that only stores the token number, then you can go on and you can run your sustainer giving program. You see I’m trying to use the US terminology on credit cards without being in breach of PCI DSS.
Steven: Yeah, I think that’s another thing people are so afraid of, because they push ACH, that you know, direct debit from the checking account. They think exactly what you said that they can do their credit card.
Adrian: Yeah. So I mean one other thing that happens is that I think with a lot of this kind of legislation, people go to the scariest version of it, and in fact there are several levels of PCI DSS compliance. Level 1, which is most stringent, only applies to transactions of more than 6 million credit card transactions a year. Most people are going to be in level 4, which is for anybody who does less than, I think it’s 20,000 credit card transactions a year. And let’s face it, you’d have to be a pretty big charity.
Adrian: You know, to start getting to the level of 20,000. So, the PCI that self-assessment requirements are tailored down according to the level of risk.
Steven: Well, you know how us Americans are. We tend to go to the extreme sometimes. Well, this is great. Adrian, you got to tell us where we can follow you on Twitter, follow you online, where can people know you.
Adrian: Yeah, so I talk about all sorts of stuff not just PCI DSS. In fact, it’s one of those, so you can find me on Twitter @adriansalmon, just all one word. You can find me online at adriansalmon.wordpress.com, which is my blog. And there’s quite a bit of stuff on there. And of course, you can also follow my new firm, Grenzebach Glier and Associates on LinkedIn, they have a company page on there, and they put out a lot of really interesting stuff about philanthropy.
Steven: Will do, we’ll link to all that, you got to follow Adrian. He’s a great guy, obviously super smart guy. Really appreciate you coming on. And good luck with the new gig. We’ll be following you there.
Adrian: Thanks so much, Steven. Thanks so much for inviting me. And hopefully that’s cleared some stuff up.
Steven: Absolutely, absolutely.
Adrian: Set some minds at rest.
Steven: Well, have a good rest of your day. And everyone else for watching, thanks for hanging out with us for about 15 minutes or so, and we’ll catch you on the next episode, so bye now.
Adrian: Cheers, Steve, bye, bye.