PCI 4.0: What Do Nonprofits Need to Know?

New rules go into effect at the end of March. Here's an overview of key changes!


Have you been hearing some buzz about changes coming for nonprofits processing credit card donations? As the industry moves to PCI DSS Version 4.0.1 on March 31, 2025, nonprofits must adhere to new requirements designed to prevent sophisticated cyberattacks.

As a refresher, PCI DSS 4.0 (Payment Card Industry Data Security Standard) is the newest version of the security framework that governs how organizations—including nonprofits—handle credit card payments. Nonprofits that process credit card donations, whether online, over the phone, or in person, must comply with the new requirements to keep donor data safe and avoid penalties. If you use a CRM or payment processing vendor, that vendor must be compliant too.

PCI DSS 4.0 will address evolving security threats, improve compliance flexibility, and offer greater protection for cardholder data. The changes are in response to increased cyberattacks targeting payment data and will make credit card processing safer for consumers.

CharityEngine is offering a free webinar about PCI DSS 4.0 on March 26, 2025, at 2:00 PM EST. Register here to ask questions of experts live! If you can't attend, the recording will be sent to the email address you use when you register.

What Nonprofits Need to Know

Let’s break down the most critical changes and explore how they will impact your nonprofit and donors.

There is a caveat that will make many of you feel better: while your nonprofit will be asked to adopt a few best practices internally, many of these changes fall to the vendor of your fundraising software.

If you’re like many organizations, you do not store or process credit card data in-house. Rather, you lean on CRM and payment processing vendors to provide these services. If you fall into this group, you’ll want to implement the two things we note and ask your vendors if they’re handling the rest.

On the other hand, if you process credit cards in-house or store credit card data, you should pay attention to the whole list.

Here’s a list of the significant changes. We begin with what all nonprofits are required to do, then cover what CRM and payment processor vendors must do.

Internal Changes Nonprofits Must Implement

There are just a few things to do.

1. Stronger Authentication Requirements

The new requirements enhance authentication and access control. There are three measures nonprofits must take:

  • Implement Multi-Factor Authentication (MFA) on all accounts that access credit card data. MFA was previously required only for remote access; it is now required for all access.
  • Require passwords of at least 12 characters wherever your systems allow it. The previous minimum was seven characters. This rule applies to passwords used to access cardholder data environments (CDEs) and payment processing systems.
  • Put enhanced monitoring and account lockouts in place so that automated attacks on login systems (repeated password guessing) are detected and stopped.

These changes make it harder for cybercriminals to break into systems that store donor data.
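The three measures above, as a small added example that is not part of the original post: a password policy check and a login guard that counts failures per account, locks the account for a period, and refuses accounts that have not enrolled in MFA. The 12-character minimum is the figure from the post; the failure threshold (10), the 30-minute lockout and the letters-plus-digits rule are assumptions chosen for this illustration.

```python
# Added example (not from the original post): a minimal authentication guard
# applying the three measures above. The 12-character minimum is the figure
# from the post; the failure threshold (10), the 30-minute lockout and the
# letters-plus-digits rule are assumptions chosen for this illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MIN_PASSWORD_LENGTH = 12            # from the post
MAX_FAILED_ATTEMPTS = 10            # assumption for this example
LOCKOUT_SECONDS = 30 * 60           # assumption for this example


def password_meets_policy(password: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a proposed password."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"shorter than {MIN_PASSWORD_LENGTH} characters"
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        return False, "must contain both letters and digits"
    return True, "ok"


@dataclass
class Account:
    username: str
    mfa_enrolled: bool
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when not locked


class LoginGuard:
    """Per-account failure counting, temporary lockout and an MFA gate."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, mfa_enrolled: bool) -> Account:
        self.accounts[username] = Account(username, mfa_enrolled)
        return self.accounts[username]

    def attempt(self, username: str, password_ok: bool, mfa_ok: bool,
                now: float) -> str:
        """Evaluate one login attempt at time `now` (epoch seconds).

        Returns one of: "ok", "denied", "locked", "mfa_required".
        """
        acct = self.accounts[username]
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"                 # still inside the lockout window
            acct.locked_until = None            # lockout expired: start fresh
            acct.failed_attempts = 0
        if not acct.mfa_enrolled:
            # MFA is required for every account that can reach card data,
            # so an un-enrolled account is not allowed through at all.
            return "mfa_required"
        if password_ok and mfa_ok:
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

The guard deliberately returns the same "denied" answer for a wrong password and a wrong MFA code, so an attacker cannot tell which factor failed; the lockout state lives on the account, not the session, so it survives a reconnect.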

2. More Frequent Security Training and Awareness

This requirement has two parts, both designed to keep your staff involved in data security.

If your nonprofit uses third-party vendors (cloud-based CRMs, donation platforms, payment processors), PCI DSS 4.0 requires clear definitions of security responsibilities.

  • This is typically documented in a Service Provider Responsibility Matrix, in which your nonprofit and each vendor spell out who handles which data security control.
  • Writing this down prevents gaps where each party assumes the other is handling a control.

Nonprofit employees and volunteers often handle donor data without IT expertise or security training. Enhanced training is required to teach staff how to spot threats. The training can include:

  • Phishing awareness so staff can learn to spot fake emails trying to steal login credentials.
  • Awareness of social engineering attacks, in which team members are manipulated into sharing data.
  • Understanding cloud and vendor security risks inherent in using third-party platforms.

These measures reduce the risk of human error, such as an employee unknowingly clicking a bad link or sharing a password.

Changes Your Nonprofit CRM Vendor Must Implement

While these changes are your vendor's responsibility, it’s never a bad idea to check in and confirm they are compliant.

1. More Flexibility in Security Compliance

PCI 4.0 introduces greater flexibility in compliance rather than relying on a “one-size-fits-all” approach. If you’re a nonprofit using a third-party payment processor, you’ll benefit from this. Organizations can use different security measures if they demonstrate equivalent protection, making compliance easier.

Similarly, organizations can now define risk-based penetration testing intervals suited to their own operations. The criteria can include the volume and sensitivity of payment data processed, the complexity of the IT environment, past vulnerabilities or security incidents, and changes in technology and infrastructure.

2. Increased Focus on Security Monitoring

The new requirements emphasize regular risk assessments and automated monitoring.

  • Organizations must test network segmentation controls more frequently to confirm that they continue to isolate the cardholder data environment.
  • The regulations encourage using automated threat intelligence in security monitoring and vulnerability testing.

Nonprofits should confirm with their vendors that their payment systems provide real-time security alerts.

3. Expanded Encryption and Data Protection Measures

The TLS 1.2+ requirement in PCI DSS 4.0 mandates that organizations use Transport Layer Security (TLS) version 1.2 or higher to encrypt payment data in transit. This ensures secure communication between systems, reducing the risk of cyberattacks such as man-in-the-middle (MITM) attacks and data interception.
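What the TLS 1.2 floor looks like in a client configuration, as an added example that is not part of the original post: the permissive setting it replaces (no version floor, no certificate verification) next to the hardened one. This uses only Python's standard-library ssl module; the function names are this example's own, and the probing helper at the end needs network access.

```python
# Added example (not from the original post): a TLS client configuration that
# enforces the TLS 1.2 floor, shown next to the permissive setting it replaces.
# Uses only Python's standard-library ssl module; the function names are ours.
import socket
import ssl


def permissive_context() -> ssl.SSLContext:
    """What an unreviewed client often looks like: no version floor and no
    certificate verification, so a protocol downgrade or a forged certificate
    goes unnoticed. Shown only for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Refuse anything below TLS 1.2 and require a valid certificate chain."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def meets_pci_transit_floor(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate below TLS 1.2 and verifies peers."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable floor, e.g. "TLSv1_2", for a configuration review."""
    return ctx.minimum_version.name


def negotiated_version(host: str, port: int = 443) -> str:
    """Connect with the hardened context and report the negotiated version.
    Needs network access, so it is not exercised offline."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```

The floor on the client side matters because a server that still offers TLS 1.0 or 1.1 will happily negotiate it with a client that does not object; `negotiated_version` gives a quick way to confirm what a donation endpoint actually agrees to when a compliant client connects.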

Organizations must also apply modern cryptographic techniques to protect stored cardholder data. These can include:

  • Encryption algorithms that convert data into an unreadable format until it is decrypted with the correct key
  • Secure communication protocols such as TLS 1.2+
  • Digital signatures and certificates that authenticate the parties involved and establish trust
  • Tokenization, which replaces sensitive data with a unique, non-sensitive token
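How tokenization keeps the card number out of the systems that only need a reference to it, as an added example that is not from the original post: a toy vault that swaps a card number (PAN) for a random token, returns the same token for a returning donor's card, exposes only the last four digits for display, and hands the real number back only to an authorised role. The in-memory dictionary stands in for the encrypted, access-logged storage a real vault uses, and the role name is an assumption.

```python
# Added example (not from the original post): a toy tokenization vault. It
# replaces a card number (PAN) with a random token, keeps the PAN only inside
# the vault, and returns the real number only to an authorised role. The
# in-memory dictionary and the role name are assumptions for this example.
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum on a digit string (catches typos, not fraud)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive, as on a receipt."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    DETOKENIZE_ROLES = {"payment-processor"}   # assumption: who may see PANs

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a stable, non-sensitive token for a well-formed PAN."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:            # returning donor: same token
            return self._pan_to_token[pan]
        token = "tok_" + secrets.token_hex(12)   # 96 random bits, derived from nothing
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def last_four(self, token: str) -> str:
        """Safe to show in a CRM: identifies the card without exposing it."""
        return self._token_to_pan[token][-4:]

    def detokenize(self, token: str, role: str) -> str:
        """Only the charging system may turn a token back into a PAN."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not read card numbers")
        return self._token_to_pan[token]
```

The point for scoping: a CRM that stores only `tok_...` values and the last four digits never holds cardholder data, so a breach of the CRM does not expose card numbers, and the vault becomes the one component that has to meet the strict storage requirements.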

These stronger encryption standards now apply to both stored and transmitted card data, and they also protect payment pages from script injections, which have been used in recent high-profile data breaches.

If your nonprofit stores donor payment information, you must verify that your systems comply with these new protocols.

4. Enhanced E-Commerce and Web Security

Websites that process donations, which includes almost all nonprofit websites, must implement additional security controls. These include:

  • Stronger Web App Protections, including Web Application Firewalls (WAFs) and automated security scanning to detect vulnerabilities.
  • Secure Software Development Practices, with an emphasis on secure coding training and software lifecycle management.

Check with your website provider or donation platform to confirm compliance.

5. Increased Security Logging

This section covers expanded logging requirements and automated log reviews.

  • Granular details must be logged, including access to sensitive data and system activity.
  • Organizations must automate log reviews or implement centralized logging solutions to detect threats and anomalies faster.
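An automated review run over a few constructed log lines, as an added example that is not from the original post. It serves both the "monitoring and lockouts" item in the authentication section and the logging requirements here: a per-account lockout cannot see one source that fails once against each of many accounts, but a centralized review across accounts can, and the same pass can flag access to cardholder data by the wrong user or outside business hours. The log format, thresholds, allow-list and business hours are all assumptions for this example.

```python
# Added example (not from the original post): an automated log review over
# constructed sample lines. The log format, the thresholds, the allow-list
# and the business hours are all assumptions for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

STUFFING_WINDOW = timedelta(minutes=10)   # assumption
STUFFING_USER_THRESHOLD = 5               # assumption: distinct accounts per source
ALLOWED_CDE_USERS = {"alice"}             # assumption: who may touch cardholder data
BUSINESS_HOURS = range(8, 18)             # assumption: 08:00-17:59 UTC

# Constructed sample log (documentation address ranges, made-up users).
SAMPLE_LOG = """\
2025-03-31T09:00:01Z auth user=alice src=198.51.100.7 result=OK
2025-03-31T09:00:05Z auth user=alice src=198.51.100.7 result=FAIL
2025-03-31T09:00:06Z auth user=bob src=203.0.113.9 result=FAIL
2025-03-31T09:00:07Z auth user=carol src=203.0.113.9 result=FAIL
2025-03-31T09:00:08Z auth user=dave src=203.0.113.9 result=FAIL
2025-03-31T09:00:09Z auth user=erin src=203.0.113.9 result=FAIL
2025-03-31T09:00:10Z auth user=frank src=203.0.113.9 result=FAIL
2025-03-31T09:15:00Z access user=bob src=198.51.100.8 resource=cardholder_db action=read
2025-03-31T23:30:00Z access user=alice src=198.51.100.7 resource=cardholder_db action=export
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>auth|access) (?P<kv>.*)$")


def parse(log: str) -> List[dict]:
    """Turn each line into a dict with a parsed timestamp and key=value fields."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # unknown line shapes are skipped, not crashed on
        rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               "event": m["event"]}
        rec.update(dict(kv.split("=", 1) for kv in m["kv"].split()))
        records.append(rec)
    return records


def failures_per_user(log: str) -> Dict[str, int]:
    """What a per-account lockout sees: failed logins counted per username."""
    counts: Dict[str, int] = defaultdict(int)
    for r in parse(log):
        if r["event"] == "auth" and r["result"] == "FAIL":
            counts[r["user"]] += 1
    return dict(counts)


def review(log: str) -> List[dict]:
    """Centralized review across accounts; returns one dict per alert."""
    alerts = []
    by_src: Dict[str, list] = defaultdict(list)
    for r in parse(log):
        if r["event"] == "auth" and r["result"] == "FAIL":
            by_src[r["src"]].append((r["ts"], r["user"]))
        elif r["event"] == "access" and r["resource"].startswith("cardholder"):
            if r["user"] not in ALLOWED_CDE_USERS:
                alerts.append({"rule": "unauthorized_cde_access", "user": r["user"], "ts": r["ts"]})
            if r["ts"].hour not in BUSINESS_HOURS:
                alerts.append({"rule": "after_hours_cde_access", "user": r["user"], "ts": r["ts"]})
    # One source failing against many different accounts inside the window.
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > STUFFING_WINDOW:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= STUFFING_USER_THRESHOLD:
                alerts.append({"rule": "credential_stuffing", "src": src, "accounts": sorted(users)})
                break
    return alerts
```

Run against the sample, `failures_per_user` reports at most one failure for any account, so no lockout fires, while `review` raises three alerts: one source trying five accounts in a few seconds, a user outside the allow-list reading the cardholder database, and an allowed user exporting it late at night. That gap between per-account and cross-account views is why the standard asks for centralized, automated review rather than lockouts alone.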

These changes protect data, enhance threat detection, reduce the IT burden, and strengthen donor trust in your nonprofit.

What Nonprofits Should Do Now

Some of these items are your nonprofit's to do, and others must be carried out by your CRM and payment processing vendors. Compliance is a shared responsibility, but nonprofits can be proactive.

Here are a few logical next steps:

  • Check with Payment Processors and Vendors to ensure your donation platforms and CRM providers are PCI 4.0 compliant.
  • Update Security Policies internally by strengthening authentication, encryption, and monitoring processes.
  • Train Staff and Volunteers and commit to regularly educating anyone handling donor payment data.
  • Review all Contracts to verify that vendors handling cardholder data meet the new security requirements.

Now is the time to start reviewing your systems and talking to vendors.

The Deadline for Compliance

PCI DSS 4.0 was officially released in March 2022, so there has been time to prepare for these changes. Organizations still using PCI DSS 3.2.1 have until March 31, 2025, to transition to the enhanced requirements.

Preparing for PCI 4.0: It's Time to Act!

With the March 31, 2025, deadline quickly approaching, nonprofits must ensure they are ready now!

By strengthening authentication, enhancing security monitoring, and working closely with vendors, nonprofits can protect donor data while maintaining compliance. Proactively reviewing your systems, updating policies, and training staff will help meet the new requirements and reinforce donor trust.

Taking these steps now will set your organization up for secure, compliant, and efficient donation processing in the future. And, most importantly, it will keep donor data safe and protect the integrity of philanthropic donations.
