Payment Card Industry (PCI) Compliance refers to a set of security standards for protecting cardholder data. Any business that accepts credit card payments is subject to these standards. Nonprofits that remain PCI compliant are helping provide fraud protection to both their organization and to donors.
Here are some basic do’s and don’ts for nonprofit organizations that are accepting (or considering accepting) credit card payments online and why it matters that your nonprofit website is secure:
The biggest mistake you can make if your nonprofit is accepting or planning to accept credit card payments is thinking that PCI compliance does not matter for your organization. Regardless of your size and the amount of donations you bring in annually, your nonprofit is ultimately responsible for donors’ credit card data, and it will be subject to fines if that data is not handled correctly.
There are 4 different levels of PCI compliance, with each level determined by how many transactions you accept per year.
Each level has different requirements for proving PCI compliance. For most nonprofits, proving compliance involves completing an annual survey or submitting to regular security scans. Your merchant account provider will ask you to prove compliance once you begin accepting credit card payments.
If your nonprofit is accepting credit card payments online or via phone, storing the credit card information, and potentially transmitting credit card details to a third-party organization, you may at some point need to prove that your nonprofit is PCI compliant. Don’t ignore the issue and tell yourself you will get to it eventually. If you are found not to be PCI compliant, it can be costly.
There are fines and higher merchant fees if you are found not to be compliant, and your nonprofit could have customers’ credit card data stolen. In some cases, your nonprofit can be blacklisted from accepting payments until you are compliant.
PCI compliance can get a little confusing, but you don’t have to go it alone. Your nonprofit can use an external vendor to manage its online payments. Choose a PCI-compliant vendor that can create payment/donation forms that match your nonprofit’s brand and are easy to use on all devices. Make sure your donors are confident in the donation forms and understand that they come from a secure source.
If your nonprofit chooses to process online donations without a third-party vendor, read up on PCI compliance.
While it is important that your nonprofit be PCI compliant, don’t panic. There is plenty of information out there to help you understand the process. Our service, 4aGoodCause, is PCI DSS compliant. Some nonprofits ask whether using a service like ours exempts them from going through the compliance process. It does not. It can cut down on their risk exposure and consequently reduce the effort needed to validate compliance, but it does not mean they can ignore PCI.
As mentioned earlier, you are responsible for the loss or breach of any donor credit card information. If your organization chooses not to become compliant, the organization will be subject to a monthly non-compliance fee of $19.95. In addition, any fines and fees related to a data breach are the responsibility of your nonprofit. Your donors are putting their credit card information in your hands, and protecting your donors’ card information is both your legal and ethical responsibility.