Apr 7, 2015
Any online donation page or ecommerce platform that accepts payment card data is exposed to attack. Attackers can break into the systems that store or transmit card numbers and steal them, and other weaknesses can lead to the loss or corruption of that data. To reduce these risks, the Payment Card Industry Security Standards Council (PCI SSC), formed by the major card brands in 2006, maintains the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements intended to protect both cardholders and the merchants that handle their data. Failing to meet the requirements can leave an organization open to fines or other penalties from the card brands and its acquiring bank. Organizations that comply with the standard when accepting credit card donations significantly reduce the risk of a data breach, and they typically also see more efficient processing, increased donations and reduced overhead costs.
Basics of PCI DSS Compliance
PCI DSS consists of 12 major requirements, and a violation of just one can result in an organization being deemed noncompliant and penalized. Each incident in which a noncompliant organization is involved can bring fines and, ultimately, suspension or revocation of its ability to process cards. Organizations are now investing time and money in PCI DSS compliance programs, deploying the required security controls and following the Council's guidance.
A few straightforward questions about how an organization stores, processes and transmits card data (for example, whether it handles card numbers on its own systems at all, or hands that off entirely to a payment processor) determine which PCI DSS requirements apply and which validation path it must follow. Once an organization has that information, reaching compliance typically takes up to a year, and it remains an ongoing effort as new technologies and evolving attack techniques change what is required. Compliance matters: of the organizations breached in 2011 that were subject to PCI DSS, 96 percent were not compliant at the time of the breach. PCI DSS compliance therefore involves both initial achievement and ongoing maintenance through annual validation.
Penalties for noncompliant organizations are imposed by the card brands and acquiring banks, not by the Council itself. Each security breach can cost an organization up to $500,000 in fines alone, and written notification must be sent to every cardholder whose information was compromised so they can watch for fraudulent charges. The organization must then investigate and remediate the breach, which can greatly increase the total cost per incident.
In 2007, the parent company of T.J. Maxx and Marshalls disclosed that card data belonging to 45.7 million customers had been compromised, at the time the largest breach in U.S. history. The noncompliant retail group found that attackers had stolen card data from transactions dating back to 2003, having gotten in through weak security controls, including poorly protected wireless networks. Today, consumers are more security-savvy, especially when completing transactions online. Organizations that do not offer strong, visible security will likely miss out on large numbers of donors who are uncomfortable submitting their card information.