A good reputation is one of an organization’s greatest assets, yet many organizations don’t manage the risks associated with this intangible asset.
Reputational risk is a legitimate risk and should be controlled like any other risk facing an organization. Building value in a reputation can take years, but that status is fragile and should be viewed as such. While many factors influence reputation, the improper handling of donors’ or customers’ sensitive data can destroy a well-earned reputation in a matter of seconds.
Organizations that process credit card data understand the need to comply with the Payment Card Industry Data Security Standards (PCI DSS) to protect cardholder data. Technical terms like “firewalls,” “network parameters” and “antivirus software” are abundant in the standards, so many organizations mistakenly assume the risk of noncompliance lies solely within their information technology functions and infrastructure. But the standards outline the need to protect sensitive data everywhere it’s captured, processed and stored. Many times, these transactions occur in an organization’s operational areas. Here are operational conditions often overlooked in assessing controls for handling sensitive cardholder data.
- Phone calls – Organizations that take orders or donations over the phone often record calls to monitor customer service, quality or employee performance. The recordings contain personally identifiable information, credit card numbers, expiration dates and security codes, and they are at risk of theft and misuse. If calls are recorded digitally, it’s critical to encrypt the recordings and make sure access to them is password-protected. If the recordings are on tape, physical access to the tapes should be restricted to only those with a business need. Tapes should be indexed and tracked as they are checked out for use.
- Clean desk policy – While we live in a world of computers, some transactions are still processed on paper. Mail order slips and signed donor forms are examples of documents that may contain credit card numbers. Physical access to documents of this type should be restricted at all times. Many organizations attempt to meet the requirements by designating the order processing area as restricted or requiring a badge for access. What’s often overlooked is access outside of business hours: cleaning, maintenance and security personnel may have access to the area when no one else is present. Implementing and enforcing a clean desk policy will create awareness and promote the protection of sensitive data.
There are many other areas for consideration. BKD’s Enterprise Risk Solutions team can assist with your compliance efforts. We have the expertise to identify and offer strategies to mitigate the risks of handling sensitive data using an integrated approach that addresses both technical and operational risks. Contact us for more information.
Latest posts by Christie Clements
- Enterprise Risk Management – Is It for Every Organization? - August 22, 2014
- Beyond the Network – Is Your Organization’s Reputation at Risk? - May 28, 2014