Credit Card Security

We care about your security!

Just to give a brief update of the MLS Billing Transition, as of July 1st, we begin auto-billing agents $30 per month for MLS fees.  We have 60% of our membership confirmed with this new billing method and some offices will be continuing to pay for all agents because of existing agreements or payments previously made – it all counts! We just need to hear from everyone by the 1st so that we can make the transition.  With so many credit card numbers being called and sent into the Board Office, we have had a few questions about security (only 3 out of 300, but still!), so we are happy to share the process for all concerned.

QuickBooks:  We use QuickBooks Professional Version for our credit card processing, and they are PCI DSS compliant.  PCI Data Security Standard is a set of cyber security principles and operational best practices, designed to protect merchants and cardholders against card data breaches.  In addition to QuickBooks security measures, we also pay an annual fee to ensure our credit card data an processes are PCI complaint as well.  There are unique passwords to access the quickbooks file, as well as a different and unique password on each of our office computers.

Storage and Backups: Our credit card data is only stored on QuickBooks servers, using Amazon Web Services (AWS) data centers with 24×7 physical security, full-time security guards, video surveillance, and alarms to prevent high-tech breaches. Locally, we cannot see the credit card data once entered into the Quickbooks payment processor.  Further, we store our accounting datafile on a local server that has been the subject of a very intensive security audit by Matthew Cohen of WAV group.  He flew in and tested our systems, software and hardware for 2 days to make sure our policies and practices were also PCI and Mass WISP complaint.  Through this process, we accepted his recommendations and purchased and installed a new external firewall system in addition to our software firewall, decoupled the internet connections used by the classroom and our office, and changed to an offsite backup of our data on an encrypted server remotely.  Sue occasionally runs a local backup copy via a flash drive that is stored in our safe.  Not that it matters for this process, but at the time of our security audit, we also changed to an encrypted email system as well.

Office Access: When we take credit card information over the phone, it is logged on a piece of paper that is kept in locked cabinets until we enter it into the system. Once the credit card number is entered into the QuickBooks system, the paper file is slipped through a slot in an inaccessible, locked shredding cabinet that is commercially confetti shredded monthly by Valley Green Shredding Services, who is NAID AAA compliant for on-site shredding.  As you know, our computers are not accessed by anyone other than staff.    All of our PCs have software and firmware firewall and virus / malware protection, and passwords are required to change every three months. After the initial entry into QuickBooks, staff is no longer able to see or restore the full credit card information – we can only see the only the last 4 digits.  Despite this, we still take care to secure our computers.

While we can never guarantee anything with 100% certainty, we have gone above and beyond to make sure your data is safe and secure.  We take our responsibility very seriously, especially with credit card numbers and that is the number one reason why we brought in a professional auditor to make sure.  We hope that helps ease your mind.