Created in 1997, the adfinitas relationship marketing agency specializes in private fundraising for the charitable and humanitarian sector. Present in Germany, France, the Netherlands and the UK, adfinitas provides international expertise and an innovative approach for non-profit associations and foundations. It has extended its skills to on-line fundraising, making payments easy, rapid and secure while avoiding the need for a third-party web site.
However, the public’s fear of paying on-line by bank card is often a barrier to on-line giving. Donors may worry that a hacker will get hold of the card number entered on-line and use it to make fraudulent payments.
To counter any doubts that clients and donors might have about making on-line payments, adfinitas launched a project to bring its “On-line Giving” system in line with PCI DSS standards at the end of 2011. Antoine Martel, Director of the Internet department at adfinitas, talks about how the project came about and the reasons behind the choice of Bull as PCI DSS Qualified Security Assessor (QSA).
What challenges did you face with the issue of on-line giving?
On-line giving accounts for only 5% of donations made, but it is set to increase to 25% over the next 5 years, and over 50% in the next 10 years. This is a major issue and we need to have a faultless approach to security.
Working with iRaiser, a SaaS developer specializing 100% in the not-for-profit sector, we have developed a full and comprehensive software suite to support associations in their daily business. iRaiser ensures security for bank details entered by donors through its “On-line Giving” application – by restricting card data collection and retention to a strict minimum, for example. Tens of millions of euros are collected via this application every year. However, if we wanted to expand into European markets and move from 50 mainly French clients to over 500 spread across Belgium, France, Germany, Italy, Luxembourg, the Netherlands, Portugal, Spain, Switzerland and the UK … we had to move things on.
In addition to this, in order to gain the trust of our clients in the humanitarian sector that they need to have from their donors, and in anticipation of any regulatory and banking requirements, we decided to go ahead with PCI DSS certification as a way to ensure that all necessary steps have been taken to protect donors.
How is the “On-line giving” application made secure?
The approach proposed by Bull is based on three successive phases:
- Pre-audit or gap analysis: in this phase, Bull consultants make an initial diagnosis and evaluate our level of maturity with regard to the PCI DSS standard. The 133 requirements of the standard are reviewed, enabling them to identify areas of non-compliance, and therefore the major areas on which we need to focus our efforts to achieve the level required by the PCI DSS.
- Compliance: based on the road map and milestones that Bull has established for these areas, we gradually move forward, introducing or improving existing security management processes or modifying some elements of our system configuration, for example. Bull consultants are available at each essential stage of the procedure to answer any queries and approve the solutions (or not) that we plan to implement, including precautions as required.
- PCI DSS certification audit: once the entire (technical, organizational and human) environment through which bank card data passes has been brought up to PCI DSS requirements, Bull consultants can then certify compliance in their capacity as QSAs.
Given that we are a young company undergoing rapid expansion, we had the option to certify our PCI DSS compliance using a Self-Assessment Questionnaire, but we preferred to go for an audit and official certification, leading to a compliance certificate issued according to PCI SSC regulations. The certificate will be signed by Bull QSAs.
Why did you choose Bull for your PCI DSS certification?
Given that Bull is certified as a Qualified Security Assessor (QSA) by the PCI SSC, its QSAs were able to support us throughout and take us through certification, all whilst adhering to PCI DSS ethical requirements. Indeed, because QSAs are responsible for what they certify as compliant, there is no bias. On the contrary – being certified by the company that has provided the support shows that it has true commitment to the recommendations it has made and the associated level of security!
We knew the Bull Group by reputation, which reassured us in terms of their close support and maintaining the confidentiality of the sensitive data that we were about to entrust to them. Bull also has a business line dedicated to cybersecurity and critical systems with over 1,000 experts. Amongst these, its PCI DSS QSAs have years of experience in penetration testing and carrying out security audits according to a range of different national and international standards.
Given that PCI DSS requirements cover areas as wide-ranging as internal company security organization, systems and network infrastructure configuration and operation, physical security and staff awareness, it is essential to have the support of experts who are skilled and experienced in these fields when going through a PCI DSS compliance procedure.
Following the migration of our infrastructure to a physical environment compatible with PCI DSS requirements, we are entering the second phase of the compliance procedure, which involves strengthening our internal processes with the assistance of Bull. On completion of this phase, Bull will begin the compliance certification procedure for our “On-line giving” platform.
Further information >>> http://www.bull.com/securite/
PCI DSS: the Payment Card Industry Data Security Standard is a data security standard for payment cards that helps issuing companies to protect their data and prevent fraud.
The PCI SSC (PCI Security Standards Council) is the international body that devised the PCI DSS standard. The PCI SSC was created by the major card providers (American Express, Discover, JCB, MasterCard and Visa) to improve payment data security.