Apr 4, 2018
Payment card industry (PCI) compliance can be a daunting subject for many nonprofits, but maintaining compliance is an important precaution to protect your organization’s reputation and fundraising goals. Today, data breaches are increasingly common. There are 5,113,159 records lost or stolen every day, and in 2016 63% of nonprofits suffered at least one breach. For nonprofits, the threat of a data breach includes loss of reputation with donors, and potentially six-figure fees to cover the cost of audits performed by the payment card industry.
If your nonprofit accepts donations, you are responsible for ensuring your organization is PCI compliant for each stage of the donation process in which you are involved. For most nonprofits, the amount of data you actually store is minimal, so there are fewer stages you need to report on. Areas that may apply to you are online giving forms, workstations, and servers. This includes any medium on which payment information is stored, including Excel files, databases, payment forms, emails, servers, and even Post-It notes. The main purpose of PCI is to ensure the security of transmitted data and the storage of payment details, but PCI requirements vary based on the number of credit cards an organization processes and the data it stores.
To avoid risks associated with data compromise, a nonprofit should ensure it is PCI compliant. In many cases, a nonprofit will store little data itself, and obtaining compliance is as simple as completing a quick questionnaire and acting on the security assessor’s response. Additionally, to ensure full security, you should confirm your payments service provider’s compliance. (Your payments service provider is the company that processes credit card donations for your organization.) Your payments service provider should be forthcoming with its certificate of compliance and SOC (Service Organization Controls) report, which documents internal controls relevant to an audit of financial statements. By obtaining these documents from your provider, you can ensure their compliance and that your donors’ information is being properly captured and stored.
How do you know if your payment service provider is compliant?
Make it a priority to discuss compliance with your payment provider and request its certificate of compliance. Many veteran service providers are PCI compliant at some level but may not fall under PCI Level 1 due to the cost and requirements of maintaining that certification. You may also find that some newer or smaller services haven’t yet achieved compliance. If this is the case, schedule some time to discuss your payment provider’s compliance to better understand its obligations and levels of security.
If your payments provider is compliant, does that mean your organization is, too?
No. A payment provider may offer a service to help you become compliant, but it does not pass its own compliance on to its clients. Your organization and your payments service provider are two separate entities, and you both must demonstrate your compliance. It’s also likely that your organization and your processor will have to demonstrate different levels of compliance. Through your PCI certificate of compliance, the payment card industry is looking to verify that your nonprofit handles its part of the payment process securely.
What level of compliance should your organization fall under?
The level of compliance is in part determined by whether you store donor payment details on property or in facilities owned by your nonprofit. For example, data entered into your online donation form may never touch your workstations or servers, but instead go directly from the donor (or the operator keying the transaction) to the processor’s or software provider’s server. In this case, your nonprofit would just need to ensure that your workstations and phones are free from malware and recording devices. Here are some specifics on levels of compliance and their requirements:
Do you need to work on your organization’s compliance?
We’ve created a checklist to help get you started. PCI compliance can seem intimidating, but if you’re not storing much data on your own servers, there are likely fewer steps needed than you might think.
Build and maintain a secure network
- Install a firewall configuration that protects your donors’ sensitive data. Make sure you work to maintain this level of security even after the firewall is deployed.
- Change passwords from vendor-supplied defaults and review any other security parameters.
Protect cardholder data
- Research best practices and work with your service providers to ensure any stored data is secure.
- Encrypt cardholder data when transmitting it across open, public networks.
Maintain a vulnerability management program
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
Implement strong access control measures
- Restrict access to cardholder data to those with a need to know. Ensure a trusted employee is handling this data rather than volunteers with high turnover.
- Assign a unique ID to each person who has access to computers containing or linking to cardholder data.
- Regularly test security systems and processes.
Maintain an information security policy
- Maintain a policy that addresses information security, and educate your employees and volunteers on best practices.
PCI compliance may seem daunting, especially when you want to focus on fundraising for your cause, but security measures ultimately benefit your organization. When you can assure your donors that their data is safe, and protect yourself from potential risks, your fundraising efforts are maximized.
iATS Payments is a Level 1 PCI compliant payments provider. Contact us to learn more about our services and how we can assist you in becoming PCI compliant.