Concerned about credit card fraud and security breaches, the credit card industry established standards in 2004 called Payment Card Industry Data Security Standards (PCI DSS, but often referred to as just PCI compliance). Basically, these standards help protect your donors’ sensitive payment card information—and this is something that should be of utmost importance to you as well. Establishing trust among your constituents is a key factor in increasing donations.
PCI compliance can be a little complex to understand, but it’s essentially about payment security. It has to do with how your organization handles, stores and transmits cardholder data.
If donors contribute to your organization using a credit or debit card, you must comply with the PCI standards, according to the PCI Compliance Guide. One requirement is using antivirus software and testing it regularly. Another condition of compliance is completing and submitting a self-assessment questionnaire, which evaluates your organization’s current security status. You can learn about the specifics of these requirements in the PCI Compliance Guide.
How This Applies to Your Nonprofit
Every organization that accepts credit cards is required to be PCI compliant, but the requirements for compliance can vary depending on the types of processing you do and the volume of credit card transactions you process. Companies and organizations fall into one of four levels. Most nonprofits fall into level 4, the lowest processing volume category. Even if you don’t have to prove that you’re PCI compliant, you’re still expected to be.
Why PCI Compliance is Important
Your organization could be assessed hefty fines (as much as $500,000) if cardholder data is breached and your nonprofit is found to be noncompliant. Equally important is the simple but crucial need to protect your donors’ personal information. PCI compliance builds trust among your donors, and confident supporters are more likely to become consistent supporters who fully embrace your organization’s mission.
It may take a while to build a standing as a trusted, secure organization, but it only takes one security breach to damage your reputation. Plus, data breaches can have serious negative effects, including lawsuits, insurance claims and government fines.
Here are some basic dos and don’ts for any organization that processes credit card transactions:
1. Don’t brush this off.
Most nonprofits process fewer than 20,000 transactions per year. This means that certifying PCI compliance is not mandatory; however, you’re still expected to be compliant, you are responsible for the security of cardholder data, and you are still subject to fines if the data is breached.
2. But don’t freak out either.
It’s not difficult to be PCI compliant, and it’s even less worrisome if you use an online donation tool from a provider that has proven itself to be PCI compliant.
3. Don’t store or keep account verification data.
This includes the 3- or 4-digit security code on the back of the card, PINs, and data from the card’s magnetic stripe.
4. Don’t collect or send credit card data via email.
Email provides very little security. Always discourage donors from providing their account numbers via email. If you offer online donation processing, do it only through a truly secure online donation form, with no emailing of data involved.
5. Do store cardholder data the right way.
If you use a spreadsheet, Word document or database on your computer or servers, it must be encrypted and password protected. It’s much better to use processing software that allows you to store account data more securely.
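As an added example that is not part of the article and not Firespring’s code, here is a small Python module illustrating the rules in points 3 through 5: it refuses to persist sensitive authentication data (security code, PIN, magnetic stripe data), keeps only the last four digits of a card number instead of the full number, and scans free text such as an email body or a notes field for anything that looks like a full card number so it can be flagged before it is stored or sent. The field names and the sample records are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Field names this example treats as sensitive authentication data, which PCI DSS
# says must never be kept after authorization. The names are assumptions for the example.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2", "magnetic_stripe")

# Digit runs of 13 to 19 characters, optionally separated by spaces or dashes,
# that are not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Reduce a card number to asterisks plus its last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def prepare_for_storage(donation: Dict[str, object]) -> Dict[str, object]:
    """Return the part of a donation record that is acceptable to keep on file.

    Raises if any sensitive authentication data is present, and replaces the full
    card number with a masked form so the stored record never contains the full PAN.
    """
    present = [f for f in SENSITIVE_AUTH_FIELDS if f in donation]
    if present:
        raise ValueError("refusing to store sensitive authentication data: %s" % present)
    record = {k: v for k, v in donation.items() if k != "card_number"}
    if "card_number" in donation:
        masked = mask_pan(str(donation["card_number"]))
        record["card_masked"] = masked        # e.g. for a receipt
        record["card_last4"] = masked[-4:]    # enough to match a donor's question
    return record


def find_card_numbers(text: str) -> List[str]:
    """Flag Luhn-valid, card-length digit runs in free text (email body, notes field).

    Returns the masked form of each hit so the result itself never holds a full PAN.
    """
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # Constructed sample records; 4111 1111 1111 1111 is a widely used test number, not a real card.
    donation = {"donor": "Example Donor", "amount": 50.0,
                "card_number": "4111 1111 1111 1111", "expiry": "12/29"}
    print(prepare_for_storage(donation))
    email_body = ("Hi, please charge 4111 1111 1111 1111 for $50. "
                  "My pledge reference is 1234567890123 and my phone is 402-555-0100.")
    print(find_card_numbers(email_body))
```

The pledge reference and phone number in the constructed email are not flagged: the phone number is too short, and the 13-digit reference fails the Luhn check. If your donation provider hands back a token for a saved card, keep that token and the last four digits rather than the number itself; that is the kind of storage the article calls "more secure".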
6. Do show your donors that online donating is safe and secure.
If you’re making the effort to be PCI compliant, you want to promote that. Let supporters know that you’ll keep their credit card information safe and secure by assuring them on your donation pages, appeal emails, direct mail—anywhere you talk about online donations. This will go a long way in establishing trust and security.
7. Do make sure your paper storage is secure.
Protecting cardholder data doesn’t only apply to electronic records. Any donation forms, pledge cards or other paper records with sensitive information should be destroyed or locked up after processing.
The bottom line is that protecting your donors’ credit card data is crucial—for both you and your supporters. But it’s not something that you need to worry about if you use an online donation tool from a provider that is indeed PCI compliant.
Firespring provides a PCI-compliant donation processing tool that will help your supporters feel confident and secure in supporting your organization. They’ll never have to leave your website to make a donation, and you’ll rest assured knowing your donation processing meets all the required standards.