PCI-DSS (Payment Card Industry Data Security Standards) is a global standard for ensuring the data security of payment cards (credit cards and debit cards) and cardholder information. Established by the Payment Card Industry Security Standards Council, the PCI standards are relevant to all merchants who accept, store, and transmit credit card data.
While every organization that accepts card payments needs to comply with PCI, the compliance requirement varies depending on the volume of transactions and the processing involved. In this article, we will cover how PCI compliance relates to non-profits.
Are non-profits required to comply with PCI?
The simple answer is yes. A non-profit that accepts donations on its websites will invariably have to deal with credit card information. PCI compliance is important on the website page that accepts donations as well as for fundraising events. It ensures secure payments, and that the cardholder data is safe from hackers and scammers.
A data breach or fraud can make it very difficult to bring new donors on board. Also, the legal fees and fines involved can amount to thousands of dollars. PCI compliance helps you to manage the risk of a data breach and gain trust with your donors.
Another important thing to note is that PCI compliance is not a once-and-done task. Once your non-profit is PCI compliant, you need to ensure you maintain the compliance and validate it every year.
Are there any exceptions for non-profits?
There are no exceptions when it comes to PCI compliance. Non-profits must comply with PCI just like any other business. However, the PCI compliance requirements depend on the PCI level applicable to an organization.
The payment card brands have their own set of rules to decide the level of compliance required. Also, there are other factors in play such as whether the organization has suffered a recent breach. However, the below table shows the levels in their simplified form
|Level||No. of transactions annually|
|Level 1||Over 6 million|
|Level 2||1 million to 6 million|
|Level 3||20,000 to 1 million|
|Level 4||Less than 20,000|
Most non-profits need a Level 4 PCI compliance. But even if your annual volume of transactions is very low, compliance cannot be ignored citing the low risk involved. PCI compliance is not an optional requirement. Non-profits must be PCI compliant, or they can be liable to fines between $5,000 and $50,000.
Do note that if you use an e-commerce package or an online donation tool, usually, the provider makes sure that these packages and tools are PCI compliant. In this case, there is not much you need to do to ensure PCI compliance. However, you still need to understand the compliance level provided and ensure that the complete donation process is PCI compliant.
What do non-profits need to comply with PCI regulations?
The first step to being compliant is to understand the compliance requirements through self-assessment. There are two primary Self-Assessment Questionnaires (SAQ) that you need to choose from.
SAQ-A is applicable to those organizations whose PCI compliance is outsourced to payment processing companies. In this case, you will need to ensure that the vendor you are outsourcing to is PCI compliant. Also, it is important to make sure that any credit card information that you may receive must not be stored and appropriately destroyed.
Examples where SAQ-A is applicable:
- A third-party site such as DonorBox accepts payments.
- Donation is made on the non-profit website, but the website uses a PCI-compliant integration.
- Payments at fundraising events are made on third-party sites such as EventBrite.
- E-commerce integration is used such as Shopify.
- Payments are made through PayPal.
What do non-profits need to do in such cases?
- Check if the third-party vendor is PCI compliant and if possible, get it in writing from them.
- Monitor that the vendors remain PCI compliant by regularly checking with them.
- Destroy all cardholder information you may receive including any paper copies.
SAQ-EP is applicable to you if at any point during the payment processing, your site or servers are involved. This is for all cases where the payment processing is not completely outsourced. While it is easiest for non-profits to outsource payment processing, it might not always be possible.
Examples where SAQ-EP is applicable:
- Donations are directly made on the non-profit website using a payment gateway.
- The non-profit uses a solution such as PayFlow.
What do non-profits need to do in such cases?
- Non-profits that handle cardholder data on their site and servers must follow the 12 steps of PCI compliance given in the below section.
12 Requirements of PCI compliance
The 12 steps of PCI compliance are as below.
- Install and maintain firewall protection. A reliable hosting provider will do this for you.
- Don’t use default system passwords and security parameters. By all means, avoid passwords that are easy to guess such as ‘password123’ or your pet’s name.
- Any cardholder data stored should be duly protected. This means, stored data should be fully encrypted and encryption keys are protected. This basically means that cardholder data or encryption keys should not be lying around in printed form. All such data in the computer should be protected with password authorization.
- If cardholder data needs to be transmitted, it should be fully encrypted with protected encryption keys.
- Antivirus software and programs need to be regularly updated to ensure that cardholder data does not come in contact with any application that is not protected.
- Ensure that the security of all applications and systems is maintained. Check for outdated systems and software and replace them with the latest, stable versions.
- Access to cardholder data must be restricted, strictly on a need-to-know basis.
- Each person with system access should have a unique ID. Also, a strong password policy helps.
- Restrict access to physical spaces. You don’t want unauthorized people gaining access to physical spaces where the computers with sensitive data are housed.
- Access to network resources and cardholder data must be tracked and monitored with a detailed log of who is accessing what information.
- All security systems and processes must be regularly audited and tested.
- A strong information security policy for all personnel must be in place. This ensures that everyone involved can follow a set of rules.
As stated above, it is easier to switch to SAQ-A. But, if you cannot do that, following the above 12 steps is critical to PCI compliance. The PCI standard and its compliance requirements keep evolving. Since PCI compliance is a continuous process, you also need to ensure that you keep up with any changes to the regulations. Achieving and maintaining compliance consumes resources and budgets. However, when stacked against the risks involved, the effort is justified.
Related article: Are you ready for PCI 4.0?