The Do’s and Don’ts of Online Fundraising Security and PCI Compliance

Avatar photo
Posted on July 27, 2016 by Harbor Compliance in Fundraising and Grants.

This is a post by Ronald Pruit, President of 4aGoodCause, a leading provider of easy and effective online fundraising pages that make donors want to give more. Connect with Ronald on Twitter

Online Fundraising Security and PCI Compliance do's and don'ts for nonprofits that are accepting (or considering accepting) credit card payments online.

Payment Card Industry (PCI) Compliance refers to a set of security standards for protecting cardholder data. Any business that accepts credit card payments is subject to these standards. Nonprofits that remain PCI compliant are helping provide fraud protection to both their organization and to donors.

Here are some basic do’s and don’ts for nonprofit organizations that are accepting (or considering accepting) credit card payments online and why it matters that your nonprofit website is secure:

DON’T: Disregard PCI compliance!

The biggest mistake you can make if your nonprofit is accepting or planning to accept credit card payments is thinking that PCI compliance does not matter for your organization. Regardless of your size and the amount of donations you are bringing in annually, your nonprofit is ultimately responsible for donors’ credit card data, and will be subject to fines if not handled correctly.

DO: Find out what level of compliance your nonprofit falls under

There are 4 different levels of PCI compliance, with each level relating to how many transactions you accept per year.

  • Level 1 – Organizations that accept over 6 million Visa or MasterCard transactions per year. These organizations are under very strict set of guidelines that can only be met by annual auditing from an approved auditor.
  • Level 2 – Organizations that accept between 1 million and 6 million Visa or MasterCard transactions per year. These organizations must to comply with a slightly lower level of compliance regulations, although they are still quite strict and usually require annual auditing.
  • Level 3 – Organizations that accept 20,000 to 1 million Visa or MasterCard transactions per year. Must complete a self-assessment questionnaire annually and undergo quarterly network security scans.
  • Level 4 – Organizations that accept less than 20,000 Visa and MasterCard transactions. Most nonprofits fall into the lowest processing volume category.

Each level has different requirements to prove PCI compliance. For most nonprofits proving compliance involves completing an annual survey or submitting to regular security scans. Your merchant account provider will ask you to prove compliance once you begin accepting credit card payments.

DON’T: Put it on the back burner

Your nonprofit is accepting credit card payments online or via phone, storing the credit card information and potentially transmitting credit card details to a 3rd-party organization—this means you may at some point need to prove your nonprofit is PCI compliant. Don’t ignore the issue, however, and tell yourself you will get to it eventually. If you are found to not be PCI compliant, it can be costly.

There are fines and higher merchant fees if you are found not to be compliant and your nonprofit could have customer’s credit card data stolen. In some cases, your nonprofit can be blacklisted from accepting payments until you are compliant.

DO: Consider getting help

PCI compliance can get a little confusing, but you don’t have to go at it alone. Your nonprofit can use an external vendor to manage online payments to your nonprofit. Choose a PCI compliant vendor that can create payment/donation forms that match your nonprofit’s brand and are easy to use on all devices. Make sure your donors are confident in the donations forms and understand that they are from a secure source.

If your nonprofit chooses to process online donations without a third-party vendor, read up on PCI compliance.

DON’T: Panic if you’re not currently PCI compliant

While it is important that your nonprofit be PCI compliant, don’t panic. There is plenty of information out there to help you understand the process. Our service, 4aGoodCause, is PCI DSS compliant. Some nonprofits ask whether using a service like ours exempts them from going through the compliance process. It does not. It can cut down on their risk exposure and consequently reduce the effort to validate compliance but it does not mean they can ignore PCI.

Visit or to learn more about PCI DSS.

Why it matters

As mentioned earlier, you are responsible for the loss or breach of any donor credit card information. If your organization chooses not to become compliant, the organization will be subject to a monthly non-compliance fee of $19.95. In addition, any fines and fees related to a data breach are the responsibility of your nonprofit. Your donors are putting their credit card information in your hands, and protecting your donors’ card information is both your legal and ethical responsibility.