Data breaches are an ominous and ever-present threat, particularly when financial data is at play. So how can nonprofits ensure their systems are safe and their donors are protected?
It’s actually as easy as following some rules. PCI, or Payment Card Industry, compliance means that your nonprofit (or your payment processor) meets security standards set by the PCI Security Standards Council.
Is compliance required by law? No, but your nonprofit can be fined anywhere from $5,000 to $500,000 if adherence slips. So PCI compliance isn’t really a choice!
In this article, we will explain what PCI compliance is and how it protects donor data. Then we will offer an overview of how to know which compliance group your nonprofit is in and a checklist for getting compliant, if needed.
(A caveat: we aren’t PCI experts. As a payment processor, we must be experts in keeping our own PCI certification current and can offer this high-level guidance to customers. And, since we are PCI certified, our clients never have to worry about their data being secure. Regardless, we will always point you straight to the PCI source to have your questions answered.)
(Another caveat: we will explain the easy way for nonprofits to steer clear of compliance headaches, but every organization is ultimately responsible for maintaining compliance—even if that’s through the vendors you choose. We urge all nonprofits to do an annual audit of their usage of credit card data to make sure you’re compliant across the board.)
No more caveats! Let's dig in.
The PCI Security Standards Council sets the standards for handling credit card data securely. Any organization that accepts card payments, including nonprofits, must take steps to keep its donor data protected.
There are two phases of these standards: compliance and certification.
For your nonprofit to be PCI compliant, you will:
PCI certification is a step up from compliance, and it is particularly important for payment processors, like CharityEngine, to be PCI certified.
Attaining this certification is rigorous, and maintaining it is critical. It means we are regularly audited to ensure the software is safe and security measures are in place. As a PCI-certified payment processor, our training and systems are under a microscope, and we operate with absolute confidence that the payments we process are safe.
When selecting a partner for payment processing, nonprofits must ask if the organization is PCI-compliant or PCI-certified. Compliant vendors are held to a much lower security bar than certified vendors, so aim to work with an organization like ours, which is PCI-certified.
Simply put, donors can give to PCI-compliant nonprofits and know their financial and donor data is safe. That element of trust is the first building block of your donor relationship and one you should strive to cultivate.
Another big piece of the security puzzle is SOC 2 compliance. It’s also voluntary, and it’s based on the Trust Services Criteria defined by the American Institute of CPAs. Compliance or certification means that an organization adheres to strict requirements for how it manages data. While PCI requirements apply to credit card data, SOC 2 covers all donor data, leading to a much more holistic approach to securing it.
CharityEngine is both PCI-certified and SOC 2-certified, meaning that our clients can be confident their data is held to the highest security standards.
Asking about PCI certification and SOC 2 certification is a good way to ensure your partners care as much about donor security as you do.
Everyone starts with a Self-Assessment Questionnaire, or SAQ. This will tell you which of the eight categories your nonprofit fits into, and it will determine what you need to do to achieve compliance. There are different SAQs for different environments, so you’ll want to head over to the PCI website to get started down the compliance path. We will give you as much high-level information as possible, but the website offers training and in-depth resources.
Most of our clients fall into one of the first two categories, SAQ-A and SAQ A-EP.
This classification is for nonprofits that outsource all their payment processing to a third party, like CharityEngine. If you collect donations on a third-party website, sell merchandise using a system like PayPal, or collect event registration payments on a site like EventBrite, you’re SAQ-A.
If you’re unsure, just ask yourself if anyone on your team touches cardholder data. If the answer is no, you’re SAQ-A, and PCI compliance is pretty simple because your third-party processor manages compliance.
So what do you, the SAQ-A nonprofit, have to do?
The easiest thing for nonprofits to do is to remain in SAQ-A status. If you have questions about payment processing, we have an article that covers the basics or a more in-depth guide you can download.
This classification requires a lot more work than SAQ-A. How do you know if it fits your nonprofit?
If you use a payment gateway, such as authorize.net or Stripe, your nonprofit is collecting card data and giving it to a third party. Once your website or your servers are involved in payments, you’re responsible for the safety of the data and compliance with the PCI standards.
The easiest way for SAQ A-EP nonprofits to save time, money, and a massive headache? Move to SAQ-A status. There are many options for payment processors, and finding one you can trust will solve what can be an overwhelming problem.
If you do fall into the SAQ A-EP category and can't change your status, here’s a checklist of a dozen things you must do to become compliant (and maintain compliance):
Your donors are so important to the success of your nonprofit and its mission, and giving them peace of mind helps you build strong and long-lasting relationships.
PCI compliance can seem like a big headache, but it doesn’t have to be. Choose a partner that lives, eats, sleeps, and breathes PCI regulations, and then it’s not your headache anymore. As a reminder, CharityEngine clients don’t have to worry about PCI compliance. We take it a step further with PCI certification and SOC 2 certification.
For more information on PCI compliance, we recommend checking the PCI website for the most up-to-date, comprehensive guidance.