Card payment security is a paramount concern for any organization that accepts online payments. After all, security breeds public trust, sets a standard of organizational professionalism, and encourages future transactions between organizations and their donors or customers. And with credit card payments comprising over 47% of all e-commerce transactions, safeguarding these card transactions is essential to the financial success of businesses and nonprofits alike.
But how can you measure security? As your organization reviews its internal payment system, how can you distinguish between a poor and a secure payment processor? You must search for a system that offers payment card industry (PCI) compliance.
Over the course of this guide, we’ll take a look at the essential security metric that is PCI compliance, addressing your most important questions, reviewing PCI data security standard (DSS) best practices, and offering our own top choice for secure payment processing. We’ll cover:
- What is PCI Compliance?
- Why is PCI Compliance Important For Your Organization?
- The PCI Compliance Checklist
- Simple Tips to Increase Your Security
- iATS Payments: Our All-in-One, PCI-Compliant Payment Processor
Whether you’re a nonprofit professional hoping to fortify your payment processing or a fundraising leader trying to increase donor trust, these insights will help you increase strength, security, and faith in your payment processes.
What is PCI Compliance?
Payment Card Industry (PCI) compliance refers to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a checklist of rules and requirements created by the major credit card companies to ensure that merchants are securely handling customer information.
Merchants, service providers, and other payment processing entities are held to this standard to protect cardholders from fraud, data leaks, and the theft of their personal and financial details.
The certification for PCI compliance is ultimately administered and managed by the PCI Security Standards Council. This council determines which organizations are up to code, and they have the power to fine merchants determined to be out of compliance until they bring their systems up to standards.
However, organizations aren’t just given a broad stamp of approval for whether or not they qualify as “PCI-compliant.” The Council recognizes various levels of compliance, with Level 1 being the highest, most trusted, and most secure designation possible.
Why is PCI DSS Compliance Important For Your Organization?
As we’ve discussed, PCI compliance isn’t just some arbitrary metric or a gentle suggestion—it’s the official standard by which merchants are mandated to uphold their payment security for card-related transactions. And it’s no wonder why—studies show that over 18 million websites are infected with malware each week and 34% of businesses that are hit with malware take a week or more to regain data access.
If your organization holds, handles, or manages cardholder or digital payment information, then the PCI DSS has been created with you (and your supporters!) in mind. It is one of the most essential measures, among others, to protect you from online fraud.
Just as the government has set road safety standards by, say, mandating that people wear seat belts, AmericanExpress, MasterCard, and other major credit card companies have banded together to create this required standard of payment processing security.
It doesn’t matter if you’re a sprawling, international nonprofit or a small-town local business. Merchants and organizations of all shapes and sizes are subject to the PCI DSS for the sake of customer safety.
So, considering how important card-related payments are for your organization, it’s essential that you gain a thorough understanding of credit card processing, PCI compliance, and the standard by which you’re expected to carry out cardholder transactions.
The PCI Compliance Checklist
With technology constantly evolving and new methods of payment fraud cropping up by the day, PCI compliance standards are continuously updated to keep up with new trends in the world of cardholder security.
We recommend that you stay educated about the level of security offered by your organization’s payment tools by regularly checking in on the PCI compliance checklist and your payment processing system’s level of compliance.
For your reference, here are the most up-to-date official PCI DSS requirements that your payment processing tools will have to abide by to meet basic PCI compliance, which is made up of six security categories and twelve total steps:
Build and Maintain a Secure Network
1. Install and maintain a firewall to protect cardholder data.
A firewall will be your first line of defense against would-be hackers and fraudsters attempting to break into your organization’s network. This security gateway manages incoming and outgoing traffic through your internal data network. Be sure to monitor this activity and regularly update your firewall to increase its effectiveness against outside threats.
2. Disable default security settings.
When you first acquire the processors, servers, or applications that will be used to manage your organization’s data, be mindful to disable the vendor-supplied defaults that come with these tools. Hackers can easily discover and take advantage of weak points in these default settings. Your systems will be far better equipped to handle external attacks once you have created your own special administrative settings.
Protect Cardholder Data
3. Protect stored cardholder data.
Managing protective measures around data storage is one of the most effective ways to safeguard cardholder data. For example, you should routinely purge unnecessary data, track the movement of cardholder data, encrypt primary account numbers (PAN), and invest in a payment processor that purges authentication data after it has been used.
4. Encrypt cardholder data transmission across open, public networks.
Cardholder data is most vulnerable when it is being transmitted through public wireless networks. A secure payment processing tool should come equipped with encryption and tokenization capabilities, ensuring that sensitive payment details are protected at all times.
Maintain a Vulnerability Management Program
5. Install and update anti-virus software.
Even a seemingly innocuous email could contain dangerous malware meant to infect your organization’s systems. Download, manage, and regularly update antivirus and anti-malware software to protect all systems at risk of being compromised by these invasive tools.
6. Launch secure systems and applications.
Perform risk assessments on your various systems and applications to determine where your organization is most vulnerable, applying patches and access management where necessary. Additionally, partner with service providers (such as your payment processor) that maintain a high level of security and PCI compliance.
Implement Strong Access Control Measures
7. Restrict cardholder data access to essential personnel.
According to the Varonis 2021 data risk report, nearly two-thirds of companies have 1,000+ sensitive files that are open to every employee—a dangerous oversight. To protect cardholder data, determine the necessary staff that must be granted access and restrict access to those whose jobs do not require them to view, move, or monitor this delicate payment information.
8. Assign unique user IDs to those with data access.
Once you have selected the dedicated team who will be granted sensitive data access, implement authentication procedures (such as unique, complex user IDs, passwords, and two-factor authentication) to track the activity of each individual logging into your system.
9. Restrict physical access to cardholder data.
Cardholder data doesn’t just exist intangibly in your online cloud. Paper records, data servers, and flash drives are all physical mediums for sensitive data which should be monitored and regulated at all times. Security cameras, assigned ID badges, and the destruction of unnecessary data records are just a few measures that can increase physical data security.
Regularly Monitor and Test Networks
10. Track access to networks and cardholder data.
Maintaining an organized, time-stamped activity log is not only important in detecting potential threats, but it is also essential for mitigating damage and identifying the root cause of attacks when they do happen. Create and record audit trails to track user identity and intent as they navigate through your data systems.
11. Regularly test your security systems and processes.
Wireless access point testing, network vulnerability scans, penetration testing, and intrusion detection tools are all essential security tests that you should regularly conduct to fortify system security on all levels.
Maintain an Information Security Policy
12. Make and manage an information security policy.
Did you know that 95% of cybersecurity breaches are caused by human error? In addition to the technical safeguards listed above, disseminating an organization-wide information security policy can help reduce these easily-avoidable hiccups. This policy guide should be reviewed on at least an annual basis, covering the duties that each employee is expected to follow to maintain data security for the organization.
For even more information on these twelve steps and recommended strategies for accomplishing these tasks, the PCI Security Standards Council has created a quick reference guide for merchants involved in payment card processing.
Simple Tips to Increase Your Security
Abiding by the many rules set by the Payment Security Standards Council can seem like a daunting challenge, especially for those who aren’t particularly technologically savvy. But have no fear—these simple tips can help your organization achieve high levels of data protection that satisfy many of the PCI DSS requirements.
Invest in integrated payment processing tools.
If you’re hoping to find the best payment processor or processing tools for your organization, then integration capabilities are a must. Integration means that whatever outside software you are using can be embedded directly into your website pages (typically through your checkout or donation form) and feed important constituent data straight into your CRM or database.
Not only do these integrated tools reduce human error by streamlining the management, transfer, and storage of sensitive data, but they often come equipped with sophisticated security measures such as encryption and tokenization.
This feature is especially important where payments and communication are concerned. For one thing, the payment process includes the transference of some of the most sensitive data that your organization will encounter, making these security measures a major concern. On top of that, the automatic tracking and organization of donor data is critical for following up with donors after they’ve contributed through your online donation page.
Make sure every tool affiliated with your online payment pages (from matching gift databases to full-fledged payment processors) is fitted with integration capabilities!
Maintain Good Data Hygiene.
Data hygiene refers to the “cleaning” and prudent management of organized data records, and is an essential practice for companies and nonprofits alike. The responsible handling and organization of your data can create a positive impact well beyond security— constituent engagement strategies, marketing campaigns, and fundraising efforts can all be improved with the proper data hygiene.
On the security side of things, here are some essential data hygiene tips to keep your organization PCI-compliant:
- Eliminate outdated, unnecessary, or harmful information or user accounts
- Verify email addresses and similar constituent data
- Standardize data training and input practices
- Routinely refresh and manage passwords to sensitive folders
- Only use payment software that has been certified by the PCI SSC
These straightforward but effective hygiene best practices will streamline your data management policies, allowing you to more effectively leverage one of the most important tools you have at your disposal: information.
Obtain an SSL Certificate.
One of the simplest tips to fortify your cybersecurity is to get an SSL certificate for your organization’s website. SSL is short for Secure Sockets Layer, an added layer of security and privacy for donor, customer, or constituent data that:
- Encrypts all data that is transferred between your platform and website users
- Helps establish the validity and authority of your platform to search engines and the public
This encryption tool, displayed in your URL bar as a lock, is a cheap and relatively easy step that you can take to strengthen the security of your online transactions and reaffirm public trust in your organization.
iATS Payments: Explore Our Robust, Level 1 PCI-Compliant Processor
Speaking of affordable, robust, and easy-to-use tools, iATS Payments provides one of the leading payment processing systems on the market, complete with unmatched security features officially certified by the PCI SSC.
As mentioned earlier, the Payment Card Industry Security Standards Council doesn’t simply award a blanket approval for PCI compliance to every passing organization. Instead, the organization designates and certifies specific levels of security. And we are proud to announce that iATS Payments has received and maintained the highest possible security ranking attainable, a level 1 PCI compliance standard, since its inception.
Take a look at just a few of the powerful security features that the iATS payment processing system utilizes to ensure the safety of your organization and users’ experiences:
- Identity authentication measures, such as CVV2 and BIN verification
- Dedicated anti-fraud tools, from 2-factor authentication to IP blocking
- Tokenization & encryption, making it impossible for hackers to read sensitive constituent and payment data
In addition to this effective toolkit of PCI-compliance security measures, iATS Payments also boasts full integration capabilities, dedicated payment channels, and international processing to provide one of the most comprehensive and versatile payment tools available.
At a manageable monthly rate, this Salesforce-compatible platform and mobile application can optimize payment processing procedures, data collection, and security for any organization looking to join the 14,000+ clients who currently rely on iATS Payments.
Additional Payment Processing & PCI Compliance Resources
For more information on payment security, processing, and the powerful suite of tools offered by iATS Payments, take a look at these additional resources:
- Online Payments Fraud Protection for Nonprofits. Take an even deeper look into the world of online security and discover what resources are available to shield your organization from the growing threat of digital fraud.
- Nonprofit Payment Processing | Buyer’s Guide. Are you ready to invest in the future of your organization’s fundraising efforts? From auction software to all-in-one payment processors, this guide has the perfect payment processing solution for all nonprofits.
Double the Donation’s Beginner’s Guide to Nonprofit Payment Processing. Begin your payment processing search on the right foot with Double the Donation’s comprehensive beginner’s guide.