If your organization accepts online donations, these rules are for you
One way to increase online fundraising is to reassure donors that the process is safe and secure — and the best way to do that is through PCI compliance.
"PCI" stands for Payment Card Industry. The PCI Data Security Standards Council — which includes American Express, Discover, MasterCard, JCB and Visa International — requires merchants to meet security standards by:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
If your organization accepts online donations, then meeting these standards is a must. The same standards apply to any organization that processes credit card payments, whether for-profit or nonprofit.
The challenges of PCI compliance
PCI compliance requires assessing risks to cardholder data, removing those risks, and submitting compliance reports to the credit card companies your organization uses. Does PCI compliance seem like a lot of work? Well, it can be — especially for small nonprofits without an IT staff.
The process starts with answering an online Security Assessment Questionnaire (SAQ) designed to pinpoint security risks. And there are two major challenges to getting this done.
First, different SAQs are required for organizations based on the number of credit card transactions they process each year. Determining which SAQ applies to your organization can be a daunting task in itself.
Second, completing the SAQ calls for deep technical expertise. Though the questions simply require a "yes" or "no" response, many nonprofits struggle to choose the correct answer.
For example, consider one SAQ item: "Are all paper and electronic media that contain cardholder data physically secure?" Before checking "yes" to that one, you'll need to ask:
- Do we have any paper records with credit card information?
- If so, where are those records stored?
- Is that location secure, and who has access to it?
If you store cardholder data in digital form, then you have even more questions to answer:
- Is cardholder data encrypted?
- Can that data be transferred to an external device, such as a USB drive?
- Is the data secure after it's transferred?
In short, each of the SAQ questions implies an entire set of security practices that nonprofit managers may find difficult to understand — let alone implement.
Beyond these challenges are the risks of dealing with any security breach that results from lack of PCI compliance. The credit card brands impose fines for such incidents — and hold offending organizations responsible for stolen funds. These organizations can even be blacklisted from doing credit card transactions in the future.
Solution 1: Work with a PCI-compliant vendor
Given the technical challenges of PCI compliance, many organizations adopt the simplest solution — outsourcing credit card transactions to a trusted, PCI-compliant vendor. This eliminates the need to store any cardholder data. It also frees you up to focus on mission-critical activities rather than the ever-changing landscape of PCI compliance.
Many online fundraising services — such as Network for Good, 4aGoodCause, Blackbaud and JustGiving — are PCI-compliant. To work effectively with them:
- Ask to see the service's PCI credentials
- In your contract with the service, require a statement of continued commitment to PCI compliance — including annual reporting to the PCI Data Security Standards Council
- Purge any paper or digital cardholder data you still have, once your service is up and running
- Let online donors know that their contributions are secure by promoting PCI compliance on your fundraising pages
A related option is to use a donor management application with secure online fundraising features. Before investing in such software, ask the vendor to certify PCI compliance.
Although outsourcing credit card transactions to a vendor relieves your organization of most PCI compliance work, it doesn't guarantee that your data is secure — or that you're fully compliant. To gain peace of mind:
- Ask your vendor if there are any additional steps you should take for PCI compliance
- Ask colleagues at nonprofits with a mission and capacity similar to yours how they handle PCI compliance
- Talk to a technology consultant about PCI compliance and — if you can afford it — data security practices across your organization
Solution 2: Handle PCI compliance on your own
If your organization has the necessary IT expertise, you can take PCI compliance into your own hands. For detailed instructions about how to meet the requirements, see guidelines from the PCI Security Standards Council and ComplianceGuide.org.
Also see what the major credit card brands require:
- DonorPerfect: 3 dos & 3 don'ts regarding non-profit PCI compliance
- Harbor Compliance: The do's and don'ts of online fundraising security and PCI compliance, by James Gilmer
- The NonProfit Times: Data security in a wired world, by Michele Donohue (2009)
- The UK Cards Association: What is PCI DSS?