DSG Security Newsletter Issue 1 July 1, 2009

What’s going on?

DSG has been working for some time to achieve PCI compliance and effective this date, DSG
has made its first annual submission of PCI documentation to the card brands. We’ll talk more
about PCI later in this newsletter, but one thing is important to stress here: compliance with PCI is
an ongoing process, not a point in time submission.

Among the many PCI requirements are the implementation and maintenance of a formal security
awareness program. This newsletter is one component of that program. It’s the first in what will be
an ongoing series of bimonthly communications addressing security issues relevant to the DSG
organization. In this first issue we will cover DSG’s security awareness program itself, the what
and why of PCI, and we’ll also talk about general payment card and ATM security.

This security awareness program is intended to keep the idea of security in front of you, instead
of having security only working behind the scenes. It is a reminder of one aspect of your
employment responsibilities, and will be a vehicle for keeping you up to date with security projects
at DSG as well as current threats and vulnerabilities both at work and at home.

This is a longish newsletter, but please read it all; there are things in it that you need to know.

What is PCI, and what does it have to do with a small business like DSG?

PCI (you may also see it referenced as PCI DSS) is short for the Payment Card Industry Data
Security Standard. This is not a form of governmental regulation, like HIPAA or Sarbanes-Oxley,
but a set of business-imposed requirements whose focus is the protection of payment card
(personal credit card, corporate credit card, debit card, etc.) information.

The requirements address a wide range of security issues. Not all of them are technical in nature,
and many of them deal with the establishment of proper security policy, procedure and
documentation. Although its primary intent is the protection of payment card information, PCI in
fact provides a framework for an organization’s overall security. DSG has approached PCI
compliance with this in mind.

The PCI requirements are maintained and issued by the PCI Security Standards Council, a
consortium established by the five major card brands: American Express, Discover Financial
Services, JCB International, MasterCard Worldwide, and Visa, Inc. (JCB is a card issued by the
Japan Credit Bureau, and is not widely accepted in the US; DSG does not handle JCB card
pledges.)

It is the card brands who determine who must comply with the PCI requirements, and how that
compliance must be demonstrated.

Every organization that touches payment card data must comply with PCI; there are no
exceptions or lower limits. For-profit organizations like The Walt Disney Company must comply.
Each of DSG’s non-profit clients must comply. If your dental or medical office accepts payment
cards, they must comply.

PCI considers in-scope organizations as forming two groups: Merchants, who are the ones
actually getting paid, and Service Providers, who play some other role in the multi-step payment
card authorization and settlement process. (Here’s an explanation of the whole process:
http://usa.visa.com/merchants/new_acceptance/how_it_works.html) DSG is a member of the
second group.

Confidential Page 1 of 6

All in-scope organizations must comply with all of the PCI requirements; the groupings are used
to determine to whom an organization must report their PCI compliance. Merchants send their
report to the acquiring bank with whom they have a business account, while service providers
send their report directly to the card brands themselves.

If it’s not a governmental regulation, what would happen if we just ignored it?

To start with, it isn’t a governmental regulation . . . yet.

The state of Nevada just passed legislation which explicitly requires compliance with PCI:
http://pcianswers.com/2009/06/22/nevada-mandates-pci-dss/. It isn’t much of a stretch to imagine
similar legislation being passed in California and other states. And Congress, too, is looking at
PCI.

Some of this legislation is being formed in the wake of recent criticisms of PCI (see, for example:
http://www.digitaltransactions.net/newsstory.cfm?newsid=2234), but anyone who believes that
state or federal legislation is the path to clarity and simplification has never traveled along that
path before.

Another consideration is that any given merchant’s PCI compliance is dependent in part upon
their monitoring of the PCI compliance status of every service provider who handles payment
card information on their behalf.

Every one of DSG’s clients has such a relationship with DSG, and they will be (and several
already have been) asking about DSG’s PCI status. Industry analysts are already seeing a shift
among merchants to only doing business with PCI-compliant service providers.

Furthermore, if a breach occurred – no matter what size – the ramifications could be devastating
whether or not DSG was PCI compliant, but they would be greatly amplified if DSG was deemed
to be non-PCI compliant at the time of the breach.

Numerous small businesses have closed following a breach due to the loss of business, the
lawsuits from the individuals affected and the imposition of fines from the banks who suffered
losses. In some cases, the card brands themselves will impose sanctions (rarely publicized, but
here’s one that made the news:
http://www.usatoday.com/money/industries/retail/2007-11-30-tjx-visa-breach-settlement_N.htm),
and the Federal Trade Commission has also stepped in where they felt necessary.

Why do we need all this security?

Every business has assets and information of its own which need to be protected, and DSG is no
exception. In addition, DSG handles sensitive information for many other companies, and they
expect DSG to protect that information, too.

The definition of “protection” is not static; as technology changes, so do the challenges of
securing sensitive information from misuse. This is why PCI, and any other comprehensive
security scheme, is continually adapting in response to newly identified threats – even if the
potential of their actual occurrence seems low.

You may not have been personally the victim of a burglary, but you only have to watch the news,
or pick up a newspaper, to believe that burglary is a real occurrence. Anyone would consider it
prudent to lock the door when leaving home.

It is similarly prudent for DSG to protect information like bank and payment card account
information, health records, financial statements, and other sensitive company and personal data
from theft and misuse. And, just as is the case with burglary, the threats are real.

A significant difference is that burglary is usually committed by an individual or a small group,
whereas payment card theft, for example, is most often perpetrated nowadays by teams of
professional criminals who are well organized, technologically sophisticated, and highly
motivated.

DSG handles a large number of payment card pledges, and those pledges contain enough
information about our clients’ donors’ payment cards to enable someone with malicious intent to
commit fraud. That information must be protected.

Is this security going to interfere with my job?

Well, first, security has always been a part of your job. The Electronic Media Policy distributed
earlier this year is just one example. A primary intent of the PCI compliance program is simply
making security a more “out in the open” issue.

To be fair, there will be some changes coming which will require you to do things differently – like
the imposition of additional security for remote access to desktop PCs – but we will do our best to
inform you as far in advance as possible, and to provide whatever materials and support (and
training, if necessary) are required to help you adapt to these changes.

We acknowledge that nowadays when someone says “security” to you, words like “convenient,”
“time-saving” and “fun” are not likely to immediately spring to mind. (OK; hands: who’s old enough
to remember when taking an airplane ride was fun?)

In addition, there are aspects of the PCI program that involve the use of logging and monitoring
tools to identify potential malicious activity within the corporate computer network. It is
conceivable that as we develop these tools over time there may be occasional interruptions, but,
again, we will do our best to keep you well-informed.

The bottom line? We’re trying not to act like Big Brother, but the security we are imposing is a
business requirement that is essential for the continued well-being – potentially the very survival –
of this company, the good people it employs, and the good work it does.

Of course, sometimes having shatterproof glass is all the security you need:
http://www.youtube.com/watch?v=KxolDDBoPu0

What about outside of the office?

Professionally, one direct impact has already been mentioned – there will be greater control
established over remote access to company devices from outside the corporate network. More
information about this will be published before it is implemented.

From a personal standpoint, consider that every transaction you conduct using a payment card
should, by the requirements of PCI, be handled by the merchant with the same degree of security
that DSG imposes on its own transactions. The more you know about PCI, the better you will be
able to gauge the security and trustworthiness of the merchants you deal with.

And it’s not just merchants you should be thinking about and checking out. Increasingly, criminals
are targeting ATMs.

Technology advances have made possible the inexpensive and not readily detectable recording
of card swipes and keystroke PIN entries. This PDF was created by an Australian bank, but the
same attacks have been found in the US and other countries:

Skimmer_presentation_v1_230109_ppt_1__01.pdf

(Don’t be put off by the number of pages – it’s mostly pictures, and you can flip through it in about
a minute and a half. If you don’t have a PDF viewer, you can download one from here:
http://www.adobe.com/products/reader/.)

Here’s an example of what organized crime can do with stolen payment card data. The
perpetrators took “$9 million out of more than 130 ATMs in some 49 cities around the world over a
30-minute period”: http://www.digitaltransactions.net/newsstory.cfm?newsid=2081.

Of course, not all fraud attempts are this sophisticated. For example:

And here’s an image of what was an actual web page banner ad. If you filled it out and clicked the
button, it would be reasonable to assume that the answer to the question they pose is: Yes.

What’s next?

Thanks for reading down this far. We hope these newsletters will prove to be of value to you.

Here’s what to expect in the near future:

• The distribution of a formal corporate security policy, whose receipt you will be
required to acknowledge. Our target for distribution of the policy is September 1,
2009.

• An invitation to a mandatory security awareness training session. This will follow
distribution of the security policy; we will provide you with advance notice.

• Further communications like this one to keep you informed of security program
activities and status, and to provide you with information about current threats
and best defense practices both at work and at home.

Have a question or comment?

Please send your feedback (congratulatory or otherwise) to Chris Geller at:

chris.geller@donorservicesgroup.com
