But, enough gushing. One of my (many) rants regards my concern that, although the biggest group of people that we call “nptechies” are the ones who support technology in their organizations, our biggest nptech conferences focus heavily on social media and the web (NTC, Netsquared, and now SXSW). It is true that the advent of social media and the interactive web is spawning a revolution in the way that we do advocacy and fundraising. But there is no less of a revolution in our server rooms, where virtualization, cloud computing and wireless devices are changing the entire way that we manage and deliver applications.

Our System Administrators, Support Specialists and Accidental Techies need to share in the peer support that can inform their efforts and help them feel more connected, both to their missions and the broader community. This year, in deference to a throat getting hoarse from ranting, I took a first stab at addressing this gap.

The Tech Track

The tech track was conceived as a six session “mini” track; five of the proposed sessions made the cut. The topics went from the basics to the broad overview:

• Tech Track 1: Working Without a Wire (But With a Net): Dealing with Wireless Networks, Laptops, and Cell Phones


• Tech Track 2: Proper Plumbing: Virtualization and Networking Technologies


• Tech Track 3: Earth to Cloud: When, Why and How to Outsource Applications


• Tech Track 4: Budget vs Benefits: Providing Top Class Technology in Constrained Resource Environments


• Tech Track 5: Articulating Tech: How to Win Friends and Influence Luddites.

Joining me in these sessions were fellow blogger Johanna Bates of OpenIssue, Matt Eshleman of CITIDC, Tracy Kronzak of Applied Research Center, John Merritt of the San Diego YMCA, Michelle Murrain of OpenIssue, Michael Sola of National Wildlife Federation and Thomas Taylor of the Greater Philadelphia Cultural Alliance.

Subject Matter

Instead of doing the usual Powerpoint presentations and talking to the crowd, we pulled the chairs into circles for these sessions and put the session agenda up for grabs, asking each group what issues, related to the session topic, were foremost in their minds. The conversation was rich, and served as a healthy catalogue of the challenges facing nonprofit technology practitioners. Some highlights:

• Supporting remote laptop use in a western state with very little wireless bandwidth available


• Securing our networks while making network data accessible on mobile devices


• Supporting use of and crafting fair policies to address the boom in mobile devices


• Understanding the risks and benefits of virtualizing servers and desktops


• Knowing how and when to virtualize, and how Storage Area Networks fit in the big picture


• Weighing the risk of cloud computing, which also entails weighing the risks of our non-cloud networks


• Knowing what to ask a cloud provider to insure that data is safe, even in the case of the provider going out of business


• Assessing the cost of owned vs service-provided applications


• Assessing the readiness of Cloud Computing, and moving large, complex server rooms to the cloud


• Chickens and eggs: what to do when IT is asked to budget, but is not part of the planning process prior?


• What strategies can be applied to provide good technology with limited budgets?


• What tools and resources are available to help with the budgeting process?


• How can we engage our users when we roll out new technology?


• How do we get them to attend training?

Next week, I’ll follow this up with some of the answers we came up with for these questions.Similar Posts:

• The Evolution Of The NTEN Tech Track
• The Sky is Calling
• Where I’ll Be At The 10 NTC
• Why I Won’t Be At NTC (And Why You Should Be)
• NTC Wrap-up

• Do you ever process online, phoned in, or mailed-in credit card donations in-house? e.g., do you maintain the credit card number, expiration date and name of a donor?

If no, you don’t have to worry about this.

• If yes, do you have more than 20,000 such transactions annually?

Well, if you do, congratulations!  Most nonprofits don’t, so they qualify for level 4 of the PCI Compliance scale. That results in a Self Assessment Questionnaire (SAQ) Validation type of “4”.  Higher validation types are subject to stricter security standards.

The Self-Assessment Questionnaire will ask you all sorts of technical questions about your network and security procedures.  Do you have a firewall?  Are all of your transactions encrypted?  Do you use anti-virus software?  Is credit card information properly restricted to authorized staff?

Depending on your network, you might already comply with a lot of the requirements.  If you don’t, then it might require a significant investment to get there.

• What will happen if I ignore this?

This isn’t government regulation (although your state might have laws in place that do mandate some similar response). participation is mandatory.  But, should your security be breached, two things will happen:

1. The compliance requirements for your organization will be reassessed to level one or two, and they’ll be much more costly and complicated to meet.  The credit card companies might decline to do business with you if you don’t comply.  Can you afford to not take Visa?

2. You will likely be indirectly fined for non-compliance.  The credit card companies will hold your bank liable for losses due to credit card theft in situations where your security was substandard.  Your bank will likely pass that fine on to you.

• So what’s the easiest way to deal with this?

Simple: don’t handle credit cards.  There are a number of services that, for a price, will do this for you, from Paypal and Google Checkout to CharityWeb and Blackbaud’s BBNow. Outsourced ECRM software (NetCommunity, Convio, Democracy in Action, etc.) will also handle it. The cost is likely not as significant as that of maintaining compliance or suffering the consequences of a non-compliant breach.

I’ll share that, at the Goodwill where I used to work, outsourcing wasn’t an option, because we were both a charity and a retailer. Our frustration was not that we didn’t have good security in place.  It was that there were differences in how we had set up our security and the PCIDSS requirements.  So, while we had done a lot of work and made significant investments, we still had to reconfigure things and spend more in order to be compliant.  In addition to making our internal IT changes, we had to switch software programs in order to avoid storing credit cards unencrypted in our database, a typical problem.  We also engaged a consultant.  Once you are reasonably sure that you comply, then you must pay a security service to verify your efforts, another non-trivial expense.

Blackbaud has put together some good further reading on this topic (and they are one of the vendor’s whose latest software is compliant; ask your eCRM vendor!).Similar Posts:

• Complying with Data Security Regulation
• Swept Up in a Google wave
• Evaluating Wikis
• My Full NPTech Dance Card
• Won’t You Let me Take You On A Sea Change?