Don’t think PCI doesn’t apply to you – Most non-profits process fewer than 20,000 transactions per year and are thus considered Level 4 Merchants. Currently this means that certifying PCI-compliance is not mandatory, however they are still responsible for the security of cardholder data and still subject to fines if the data is breached.
Don’t ever keep account verification data – This includes the 3 or 4 digit CVV security code on the card, PIN #s or data stored on the magnetic stripe of the card.
Don’t collect or send credit data via email – Email provides very little security and should not be used to transmit credit card data. This means discouraging donors from providing their account numbers via email, but also eliminating any “online forms” that collect card data and then send it via email. If you can’t justify the fairly minor expense to offer a truly secure online donation form, just don’t offer the option to make a gift online.
Three PCI Compliance Dos
Do store cardholder data securely – In order to process monthly pledge payments via credit card or ACH, the account data must be stored somewhere. If it is stored in a spreadsheet, Word document or database on your computer or servers, it must be encrypted and password protected. It’s far easier to use processing software that allows you to store account data at a Level 1 PCI-certified hosting facility. For instance we recently adapted all our donation processing software to store only a unique ID “token” that allows processing of future pledge payments without the need to store credit card data on our or our client’s computers.
Do promote security for online donations – If you’ve made the effort to ensure that your online processes are secure, promote this fact on your online donation pages using appropriate text and security icons. This will increase donor confidence when providing their information and thus increase donations.
Do review handling & storage of paper records – Securing cardholder data does not only apply to electronic records. Any donation forms, pledge cards, reports or other paper records that contain credit card numbers should be destroyed (or at least stored in locked files) once they have been processed.
PCI Compliance is Vital for Nonprofits
The bottom line is that protecting your donors’ credit card data is critical — not just because of PCI, but also to ensure their trust in your organization is maintained. Following these Dos and Dont’s is a really good way to begin.