
GuideStar Blog

How PCI Compliance Reduces Data Breach Risks

Payment card industry (PCI) compliance can be a daunting subject for many nonprofits, but maintaining compliance is an important precaution to protect your organization’s reputation and fundraising goals. Today, data breaches are increasingly common. There are 5,113,159 records lost or stolen every day, and in 2016 63 percent of nonprofits suffered at least one breach. For nonprofits, the threat of a data breach includes loss of reputation with donors, and potentially six-figure fees to cover the cost of audits performed by the payment card industry.

If your nonprofit accepts donations, you are responsible for ensuring your organization is PCI compliant for each stage of the donation process that you are involved with. For most nonprofits, the amount of data you actually store is minimal, so there are fewer stages you need to report on. Areas that may apply to you are online giving forms, workstations, and servers. This includes any medium that payment information is stored on, including Excel files, databases, payment forms, emails, servers, and even Post-It notes. The main purpose of PCI is to ensure the security of transmitted data and the storage of payment details, but PCI requirements vary based on the number of credit card transactions an organization processes and the data it stores.

To avoid risks associated with data compromise, a nonprofit should ensure it is PCI compliant. In many cases, a nonprofit will store little data itself, and obtaining compliance is as simple as completing a quick questionnaire and acting on the security assessor’s response. Additionally, to ensure full security, you should confirm your payments service provider’s compliance. (Your payments service provider is the company that processes credit card donations for your organization.) Your payments service provider should be forthcoming with its certificate of compliance and SOC (Service Organization Controls) report, which documents internal controls relevant to an audit of financial statements. By obtaining these documents from your provider, you can ensure their compliance and that your donors’ information is being properly captured and stored.

How do you know if your payment service provider is compliant?

Make it a priority to discuss compliance with your payment provider and request its certificate of compliance. Many veteran service providers are PCI compliant at some level but may not fall under PCI Level 1 due to the cost and requirements of maintaining that certification. You may also find that some newer or smaller services haven’t yet completed their compliance assessment. If this is the case, schedule some time to discuss your payment provider’s compliance to better understand its obligations and levels of security.

If your payments provider is compliant, does that mean your organization is, too?

No. A payment provider may offer a service to assist you in becoming compliant, but it does not pass its own compliance on to its clients. Your organization and your payments service provider are two separate entities, and you both must demonstrate your compliance. It’s also likely that your organization and your processor will have to demonstrate different levels of compliance. Through your PCI certificate of compliance, the payment card industry is looking to verify that your nonprofit handles its part of the payment process securely.

What level of compliance should your organization fall under?

The level of compliance is in part determined by whether you store donor payment details on property or in facilities owned by your nonprofit. For example, data entered into your online donation form may not touch your workstations or servers, but instead go directly from the donor (or the operator keying the transaction) to the processor or software provider’s server. In this case, your nonprofit would just need to ensure that your workstations and phones are free from malware and recorders. Here are some specifics on levels of compliance and their requirements:

Criteria:
  • Any merchant that processes more than 6 million transactions per year
  • Any merchant that Visa determines should be a Level 1 merchant to minimize risks to the Visa system
Compliance requirements:
  • Annual on-site reviews by internal auditor
  • Pass a quarterly network scan

Criteria:
  • Any merchant that processes 20,000 to 1 million eCommerce transactions per year
Compliance requirements:
  • Annual self-assessment
  • On-site assessment at merchant’s discretion

Criteria:
  • Any merchant with more than 20,000 transactions per year
Compliance requirements:
  • Annual self-assessment
  • On-site assessment at merchant’s discretion
  • Quarterly network scan

Criteria:
  • All other merchants
Compliance requirements:
  • Annual self-assessment
  • On-site assessment at merchant’s discretion
  • Quarterly network scan

Do you need to work on your organization’s compliance?

We’ve created a checklist to help get you started. PCI compliance can seem intimidating, but if you’re not storing much data on your own servers, there are likely fewer steps needed than you might think.

  • Build and maintain a secure network
    • Install a firewall configuration that protects your donors’ sensitive data. Make sure you continue to maintain this level of security after the firewall is in place.
    • Change passwords from vendor-supplied defaults and review any other vendor-supplied security parameters
  • Protect cardholder data
    • Research best practices and work with your service providers to ensure any stored data is secure
    • Encrypt cardholder data when transmitting across open, public networks
  • Maintain a vulnerability management program
    • Use and regularly update anti-virus software
    • Develop and maintain secure systems and applications
  • Implement strong access control measures
    • Restrict access to cardholder data to need-to-know. Ensure a trusted employee is handling this data rather than volunteers with high turnover.
    • Assign a unique ID to each person who has access to computers containing or linking to cardholder data.
    • Regularly test security systems and processes
  • Maintain an information security policy
    • Maintain a policy that addresses information security, and educate your employees and volunteers on best practices

PCI compliance may seem daunting, especially when you want to focus on fundraising for your cause, but security measures ultimately benefit your organization. When you can assure your donors that their data is safe, and protect yourself from potential risks, your fundraising efforts are ultimately maximized.

This piece has been cross-posted from iATS Payments. Courtney Nielsen is a partner relationship manager at iATS Payments. During her long tenure at iATS, she has had the privilege to stand at the forefront of the fastest moving finance technology industry and witness the challenges nonprofit organizations encounter daily. She intuitively sees the threads of opportunity that wind through a nonprofit organization, and with her innate vision and ability, she helps nonprofits find long-term solutions and success. Courtney is an accomplished business development professional with over 15 years in the finance and technology sector, and consistently uses her expertise to ensure the success of her clients. When she is not feeding her insatiable interest in the developing technologies within the nonprofit sector, she is outside hiking and spending time exploring beautiful British Columbia with her three children and family.

Topics: Data Security, Payment Card Industry Compliance, PCI Compliance