Helping Massachusetts CLE Mitigate Cybersecurity Threats

Callie Hinman
April 7, 2021

Last year, we shared the story of Larry Rungren, Director of Information Technology for Massachusetts CLE (MCLE), and his search for a payment solutions provider who could help the nonprofit with their online checkout and PCI compliance initiatives.

Here’s a brief recap...

Founded in 1969, MCLE’s mission is to offer “comprehensive and practical continuing legal education of the highest quality to the broadest possible audience.” Like most organizations, MCLE’s website is one of their primary transaction hubs. Professionals in the Massachusetts legal community can visit to purchase educational resources such as e-books, printed textbooks, and reference documents as well as register for continuing legal education (CLE) seminars.

MCLE’s PCI predicament

Because the organization was accepting cardholder data on their website, they were subject to some of the most extensive PCI Data Security Standard compliance requirements. In 2018, after watching PCI compliance obligations steadily become more complex, Larry decided he needed to find a way to modify MCLE’s process for accepting payments that would effectively and efficiently reduce MCLE’s PCI liability as much as possible, without negatively impacting the experience of website visitors.

When he determined their current payment processor wouldn’t be able to make the updates they needed to achieve this objective, he began looking for a payment partner who could. For over two years, Larry and his team searched with no luck. No payment solutions provider could tick all the boxes.

A twist of fate

As luck would have it, an AffiniPay team member came across a message from an increasingly disheartened senior member of MCLE management on a forum for users of the association management system (AMS) iMIS and reached out to start a conversation.

Following discussions about MCLE’s goals and technical requirements (including eliminating any storage or management of credit card data by MCLE, maintaining the ability to accept mobile payments, and migrating 22,000 recurring billing profiles), both parties were confident about next steps and so began a prosperous partnership. (We invite you to read the full story here.)

Now, back to the present.

Twelve months later, Larry is still thrilled with how much MCLE’s partnership with AffiniPay has scaled down the nonprofit’s PCI compliance liability. In fact, since MCLE is now eligible for the SAQ-A (which corresponds to the lowest level of PCI requirements), the workload associated with fulfilling PCI obligations has dropped by an astounding 95%. A major contributing factor to this accomplishment is MCLE’s use of hosted fields in their online shopping cart.

The power of hosted fields

Hosted fields look exactly like any other text field on a website but function in a way that makes them an essential element of strong cybersecurity. Hosted fields replace any input fields on your site that collect sensitive payment information, such as credit card number, expiration date, and CVV.

When a visitor to your site completes checkout, any data captured by a hosted field is sent directly to the payment processor’s secure server; it never touches your server. Not only does using hosted fields ensure your visitors’ private information is protected, it also enables you to allow visitors to check out on your website without redirecting them to a third party.

Along with these benefits, in 2020 MCLE discovered another perk of using AffiniPay’s APIs to implement hosted fields: combating novel cybersecurity threats.

Blocking malicious scripts

As reported by Law360, in 2020, multiple legal professional associations across the country were targeted by cybercriminals who embedded malicious code in the organizations’ websites to collect private information, including credit card numbers.

Unfortunately, according to Claudia Rast, co-chair of the American Bar Association (ABA) Cybersecurity Legal Task Force, bar associations and other legal entities are preferred targets for cyberattackers. This is because their databases contain considerable private and confidential information about attorneys who, in turn, have access to sensitive information about their clients.

While MCLE was not involved in this particular string of cyberattacks, they recognize that they are still at a similar level of risk as the organizations that were targeted since MCLE serves the same audience: attorneys. The good news is that even if MCLE had been targeted by these bad actors, the tactics the cybercriminals deployed would likely have been ineffective because of the nonprofit’s use of hosted fields.

MCLE’s partnership with AffiniPay has helped ensure the organization is in a good position to keep sensitive data protected not just from new risks but also from established threats that have recently escalated.

Preventing credit card fraud

According to the FTC, credit card fraud surged by 104% from 2019 to early 2020. (For context, there was only a 27% increase in reported fraud cases between 2017 and 2019.) Card testing is one form of credit card fraud that seems to be growing especially quickly in popularity.

Card testing (also known as “card cracking”) is a tactic cybercriminals use to determine if stolen credit card credentials are valid. The fraudster will attempt to make transactions for small amounts on a merchant’s website and, if successful, will have confirmation the card number is active and can be used for larger purchases.

In 2020, our in-house risk team detected suspected card testing activity on MCLE’s website and immediately notified them. We also recommended adding Google’s reCAPTCHA, a CAPTCHA system that runs in the background of a website and helps prevent fraudulent activity, to MCLE’s online checkout process. The MCLE team implemented this recommendation and has not experienced any card testing incidents since.
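As an added example (not AffiniPay’s risk tooling or MCLE’s code), here is a simple defender-side detector for the card-testing pattern described above, run over constructed checkout-attempt records; the record layout, thresholds and field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed checkout-attempt records (not real MCLE traffic). Each tuple is
# (timestamp, client_ip, card_token, amount_usd, gateway_result); card_token is
# the processor's token for the card, so no PAN is ever stored on the merchant side.
SAMPLE_ATTEMPTS = [
    ("2020-06-01T10:00:05", "203.0.113.7", "tok_a1", 1.00, "declined"),
    ("2020-06-01T10:00:09", "203.0.113.7", "tok_b2", 1.00, "declined"),
    ("2020-06-01T10:00:14", "203.0.113.7", "tok_c3", 1.00, "approved"),
    ("2020-06-01T10:00:20", "203.0.113.7", "tok_d4", 1.00, "declined"),
    ("2020-06-01T10:00:27", "203.0.113.7", "tok_e5", 2.00, "declined"),
    ("2020-06-01T10:00:31", "203.0.113.7", "tok_f6", 1.00, "declined"),
    ("2020-06-01T10:03:00", "198.51.100.9", "tok_z9", 145.00, "approved"),
    ("2020-06-01T11:30:00", "198.51.100.9", "tok_z9", 89.00, "approved"),
]


def find_card_testing(attempts, window=timedelta(minutes=10), min_attempts=5,
                      min_distinct_cards=4, small_amount=5.00,
                      min_small_ratio=0.8, min_decline_ratio=0.5):
    """Return {client_ip: summary} for sources whose activity in a sliding window
    looks like card testing: many attempts, many distinct cards, small amounts,
    high decline rate. Thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for ts, ip, token, amount, result in attempts:
        by_ip[ip].append((datetime.fromisoformat(ts), token, float(amount), result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start so it spans at most `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            if len(win) < min_attempts:
                continue
            cards = {token for _, token, _, _ in win}
            small = sum(1 for _, _, amt, _ in win if amt <= small_amount)
            declines = sum(1 for _, _, _, res in win if res == "declined")
            if (len(cards) >= min_distinct_cards
                    and small / len(win) >= min_small_ratio
                    and declines / len(win) >= min_decline_ratio):
                summary = {"attempts": len(win), "distinct_cards": len(cards),
                           "declines": declines}
                # Keep the largest matching window seen for this source.
                if ip not in flagged or summary["attempts"] > flagged[ip]["attempts"]:
                    flagged[ip] = summary
    return flagged
```

Running `find_card_testing(SAMPLE_ATTEMPTS)` flags only 203.0.113.7 (six attempts, six distinct cards, five declines in under a minute), while the two ordinary purchases from 198.51.100.9 pass untouched.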

When Larry Rungren decided to reduce MCLE’s PCI compliance requirements, he never anticipated that he’d have to spend more than two years just on the search for a payment solutions provider who could meet his needs. Thankfully, Larry found AffiniPay, and he’ll be the first to tell you the wait was worth it.

As the rate of cyberattacks skyrockets and cybercriminals get more creative, having a payment partner with the technology and support to help reduce your risks, keep your sensitive data safe, and minimize the impact of unexpected incidents is invaluable.