How PCI Compliance Helps Nonprofits Protect Donors

Data breaches are an ominous and ever-present threat, particularly when financial data is at play. So how can nonprofits ensure their systems are safe and their donors are protected? 

It’s actually as easy as following some rules. PCI, or Payment Card Industry, compliance means that your nonprofit (or your payment processor) meets security standards set by the PCI Security Standards Council.

Is compliance required by law? No, but your nonprofit can be fined anywhere from $5,000 to $500,000 if adherence slips. So PCI compliance isn’t really a choice!

In this article, we will explain what PCI compliance is and how it protects donor data. Then we will offer an overview of how to know which compliance group your nonprofit is in and a checklist for getting compliant, if needed.

(A caveat: we aren’t PCI experts. As a payment processor, we must be experts in keeping our own PCI certification current and can offer this high-level guidance to customers. And, since we are PCI certified, our clients never have to worry about their data being secure. Regardless, we will always point you straight to the PCI source to have your questions answered.)

(Another caveat: we will explain the easy way for nonprofits to steer clear of compliance headaches, but every organization is ultimately responsible for maintaining compliance—even if that’s through the vendors you choose. We urge all nonprofits to do an annual audit of their usage of credit card data to make sure you’re compliant across the board.)

No more caveats! Let's dig in.

What is PCI Compliance?

The Payment Card Industry sets standards to handle credit card data securely. Any organization that accepts payments, including nonprofits, must take steps to keep their donor data protected.

There are two phases of these standards: compliance and certification.

PCI Compliance

For your nonprofit to be PCI compliant, you will:

• Take a self-assessment to ensure you are following the guidelines.
• Install a firewall between your wireless network and your donors’ cardholder data.
• Implement a strong vulnerability management program.

PCI Certification

PCI certification is a step up from compliance, and it is particularly important for payment processors, like CharityEngine, to be PCI certified. 

Attaining this certification is rigorous, and maintaining it is critical. It means we are regularly audited to ensure the software is safe and security measures are in place. As a PCI-certified payment processor, our training and systems are under a microscope, and we operate with absolute confidence that the payments we process are safe.

When selecting a partner for payment processing, nonprofits must ask if the organization is PCI-compliant or PCI-certified. Compliant vendors are held to a much lower security bar than certified vendors, so aim to work with an organization like ours, which is PCI-certified.

How Does PCI Compliance Protect Donors?

Simply put, donors can give to PCI-compliant nonprofits and know their financial and donor data is safe. That element of trust is the first building block of your donor relationship and one you should strive to cultivate.

Another big piece of the security puzzle is SOC 2 compliance. It’s also voluntary, and it’s based on Trust Services Criteria determined by the American Institute of CPAs. Compliance or certification means that organizations are adhering to strict regulations about how they manage data. While PCI regulations apply to credit card data, SOC 2 focuses on all donor data, leading to a much more holistic approach of securing donor data.

CharityEngine is both PCI-certified and SOC 2-certified, meaning that our clients can be confident their data is held to the highest security standards. 

Asking about PCI certification and SOC 2 certification is a good way to ensure your partners care as much about donor security as you do.

Okay, So How the Heck Do I Get Compliant?

Everyone starts with a Self-Assessment Questionnaire, or SAQ. This will tell you which of the eight categories your nonprofit fits into, and it will determine what you need to do to achieve compliance. There are different SAQs for different environments, so you’ll want to head over to the PCI website to get started down the compliance path. We will give you as much high-level information as possible, but the website offers training and in-depth resources.

Most of our clients fall into one of the first two categories, SAQ-A and SAQ-EP. 

SAQ-A

This classification is for nonprofits who outsource all their payment processing to a third party, like CharityEngine. If you collect donations on a third-party website, sell merchandise using a system like PayPal, or collect event registration payments on a site like EventBrite, you’re SAQ-A. 

If you’re unsure, just ask yourself if anyone on your team touches cardholder data. If the answer is no, you’re SAQ-A, and PCI compliance is pretty simple because your third-party processor manages compliance.

So what do you, the SAQ-A nonprofit, have to do?

• Make 100%, absolutely positively sure your payment processor is PCI compliant or, much better, PCI certified. Get it in writing and make sure they remain compliant.
• If you do come across cardholder data, such as a donor responding to a direct mail solicitation with a credit card number, destroy it.

The easiest thing for nonprofits to do is to remain in SAQ-A status. If you have questions about payment processing, we have an article that covers the basics or a more in-depth guide you can download.

SAQ-EP

This classification requires a lot more work than SAQ-A. How do you know if it fits your nonprofit?

If you use a payment gateway, such as authorize.net or Stripe, your nonprofit is collecting card data and giving it to a third party. Once your website or your servers are involved in payments, you’re responsible for the safety of the data and compliance with the PCI standards. 

The easiest way for SAQ-EP nonprofits to save time, money, and a massive headache? Move to SAQ-A status. There are many options for payment processors, and finding one you can trust will solve what can be an overwhelming problem.

If you do fall into this SAQ-EP category and can't change your status, here’s a checklist of a dozen things you must do to become compliant (and maintain compliance):

1. Install a firewall to protect data. This should be standard operating procedure for every nonprofit. If you aren’t sure how to get started, contact your website hosting provider, and they can help.
2. Up your password game. Whether you use LastPass or Dashlane or even Google, let the software generate secure, unique passwords for you and save them so you're not writing them down in a notebook. 
3. Protect cardholder data. The piece of paper with a credit card number written on it? Shred it. Ensure any data stored on your computer is fully encrypted and the encryption keys are protected. Don’t use plain old Excel sheets to store sensitive data! Compliance also requires a flow chart of cardholder data.
4. Be sure to encrypt the transmission of cardholder data. Sending data is risky, so be certain it’s well encrypted.
5. Update your anti-virus software. Again, this is a no-brainer for all of us.
6. Maintain secure systems by keeping your systems up to date. New versions usually always include improved security.
7. Share data on a need-to-know basis. Not everyone needs access to this information.
8. Restrict online access to systems by making password authentication a two-step process.
9. Restrict physical access to data. Perhaps also a no-brainer….don’t let just anyone wander around your office.
10. Keep track of who is accessing cardholder data and how they access it. 
11. Make sure you test your security system and processes regularly.
12. Create and maintain a policy that covers your information security, and let everyone in your company have access to it. Or politely but firmly insist they read it!

PCI Compliance…It’s a Good Thing

Your donors are so important to the success of your nonprofit and its mission, and giving them peace of mind helps you build strong and long-lasting relationships.

PCI compliance can seem like a big headache, but it doesn’t have to be. Choose a partner that lives, eats, sleeps, and breathes PCI regulations, and then it’s not your headache anymore. As a reminder, CharityEngine clients don’t have to worry about PCI compliance. We take it a step further with PCI certification and SOC 2 certification.

For more information on PCI compliance, we recommend checking the PCI website for the most up-to-date, comprehensive guidance.