What Is PCI compliance and why is it important for my nonprofit?

February 6, 2021 Nonprofits Decoded Team
Ensuring PCI compliance for credit card payment for online donation

If you run a nonprofit organization and accept credit cards as a form of payment for donations or events, you’ll need to be PCI compliant to avoid paying major fines.

Now, that may sound worrying at first, but you may already be following many of the steps needed to be PCI compliant with your donors’ information.

In this guide, we’ll cover how PCI compliance for nonprofits works, the different classifications of compliance and the 12 requirements often used as a checklist, plus we’ll talk about how this all connects to your credit card payment processor.

What is PCI compliance?

Payment Card Industry (PCI) compliance is a set of rules and requirements from the Payment Card Industry Security Standards Council that help to ensure payments made via credit cards are safe and secure. Following them protects your nonprofit’s donors from having their card details stolen during a transaction by scammers and hackers, while also protecting your organization.

Who and what does PCI compliance apply to within nonprofit organizations?

PCI compliance comes into play any time you accept credit cards as a form of payment. During fundraising efforts, and when accepting donations on your website, you will undoubtedly be handling and processing credit card information. It is important to remain PCI compliant on your website’s donation page, and also when accepting donations via credit card at fundraisers and events.

Why is it important to be PCI compliant with my nonprofit?

PCI compliance is not optional, and it is a necessary component of your organization’s security plan. Not only will you avoid paying legal fees, but you will gain trust with your donors while protecting their personal information. If your nonprofit is flagged as an organization that has suffered credit card theft in the past, it will be very difficult to bring new donors on board for fear of history repeating itself.

Becoming and remaining PCI compliant is a must for any serious nonprofit organization. On top of the possibility of bad press making it harder to attract new donors, you run the risk of having to pay substantial fines set in place by the PCI Security Standards Council (PCI SSC). These fines range anywhere from $5,000 to $500,000 depending on the size of your operation.

Is PCI compliance a legal requirement?

Being compliant protects your organization and your donors while helping to prevent fraud.

It is an industry mandate that payment processors enforce through their terms of service and user agreements, and some jurisdictions may also require it by law. Please note that this is not legal advice.

How do I become PCI compliant?

The first step toward becoming PCI compliant is to work out which of the 8 classifications of PCI compliance you fall under. The Self Assessment Questionnaire (SAQ) will allow you to determine which classification your nonprofit falls under.

The two primary designations that most nonprofits fall under are SAQ-A and SAQ-EP.

Use Stripe or PayPal for your website donation payment processing? Then there’s a good chance you’re already meeting the basics of PCI compliance.

SAQ-A

SAQ-A simply means that your PCI compliance is handled by the payment processing companies to which you outsource your payments. As long as your organization never handles the credit card information of your donors and clients itself, there is not much for you to do.

Essentially, you just need to destroy any credit card information you have received and speak to your vendors to ensure they are PCI compliant. If you are using a vendor that says they are PCI compliant, the burden falls to them to uphold any relevant rules and regulations.

SAQ-EP

The SAQ-EP designation means that your site or servers are used at some point in the credit card payment process. If the payment process is not completely outsourced to a vendor, your servers come into contact with confidential credit card information that you are responsible for. This means you need to get your organization PCI compliant.

While the easiest way to approach this situation would be to revise your payment processing plan so that you fall under SAQ-A, we understand this is not always an option. For those who are handling credit card data themselves, you will be required to follow the 12 steps of PCI compliance.

12 steps of PCI compliance

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Are all online payment processors PCI compliant?

Most are, yes! PCI compliance guidelines state that any company that stores, processes, or transmits card information is required to remain PCI compliant. This means that a company that focuses on credit card processing should be PCI compliant.

As mentioned above, using one of these providers is the simplest and easiest way to ensure that you are remaining PCI compliant without having to go through the hassle of abiding by the 12 requirements for PCI compliance for your nonprofit.

Stripe payment processing

Stripe is one example of a payment processing company that makes things extremely easy for any nonprofit.

They use a payment field that is hosted on their PCI DSS validated servers, meaning that none of the card information you accept will ever touch your servers. You can review Stripe’s PCI compliance page for more information on how their technology makes credit card payment processing hassle-free.

Other payment processors, like PayPal, also offer solutions or website integrations that shift the PCI compliance responsibility from your nonprofit organization to the payment processing company.

Choosing another payment processor and determining PCI compliance

If you’re currently using another payment processing company, we recommend doing some digging to ensure they are PCI compliant.

A quick search with your payment processor’s name and the keyword “PCI compliance” will get you all the information you need. If you are unsure after your search, give them a call and ask for information. Any reputable nonprofit payment processing company will be happy to walk you through the steps they take to remain PCI compliant.

For more information on PCI compliance, we recommend checking out the Payment Card Industry Data Security Standards website.