July 1, 2005

To Our Clients

Recent incidents of stolen cardholder account information are of great concern to all of those involved in the acceptance and processing of credit card payments. In response to this growing problem, we would like to provide you, our clients, with a review of industry data security standards, as well as give you reassurance of CHI’s awareness of and compliance with these standards.

In December 2004, the Payment Card Industry (PCI) Data Security Standards were developed by American Express®, Diners Club®, Discover® Card, JCB®, MasterCard International®, and Visa® U.S.A. Below is a summary, published by Visa® U.S.A., of these security requirements.

Payment Card Industry Data Security Standard

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored data

4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all “system components,” which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.

©2004 Visa U.S.A. Inc.

This security standard applies to you as well if you store, process or transmit cardholder data. We strongly encourage you to take a look at the full document, as well as other documents that are available regarding data security. Please go to the Caring Habits website, and navigate to NFP Resources/Helpful Links. There you will find links to downloadable documents about the Payment Card Industry and Visa® standards for maintaining secure cardholder data including the complete PCI Data Security Standard document.

At CHI, we are committed to ensuring the security of your donors’ credit card and checking data and we now have the ability to hide credit card and checking account numbers on our reports. If you would like for us to hide this information on your reports, please let us know by sending an email to . Otherwise, please be sure to read the document “Merchant Requirements for Securing Cardholder Information” which can be found in the Helpful Links on our website.

Cory Ethridge

Client Services Manager

Caring Habits, Inc.