PCI Compliance Standards and Nonprofits

What is PCI Compliance?

Due to growing concerns with credit card fraud and widely publicized security breaches involving cardholder data, the credit card industry established new standards called Payment Card Industry Data Security Standards (PCI DSS, but often referred to as just PCI compliance).

These requirements cover a wide assortment of practices, technology, and systems and can be very complex to understand, let alone comply with. Primarily they relate to how your organization handles, stores, and transmits cardholder data. Here are a few of the most important elements:

• Never store CVV2 data (the 3-digit code on the back of cards) or magnetic strip data.
• If credit card numbers need to be stored or transmitted, they should generally be encrypted with at least 128-bit encryption.
• Restrict access to physical and electronic cardholder data with user-specific passwords, and based on business need-to-know guidelines.

More complete information on the PCI DSS can be found at www.pcisecuritystandards.org

Does this apply to my nonprofit?

Every organization that accepts credit cards is being required to comply with PCI DSS, but the requirements for compliance can vary widely depending on the types of processing you do and the volume of credit card transactions processed. Merchants fall into one of four levels. Most nonprofits fall into the lowest processing volume category (Level 4 with less than 20,000 Visa/MC transactions per year), where the primary requirement is the completion of a PCI self-assessment questionnaire and quarterly network scans. Although PCI certification for Level 4 merchants is not required by all acquirers, effective July 1, 2010 there is a mandate to use PA-DSS compliant payment applications. DonorPerfect clients who use the SafeSave gateway are outside the scope of this mandate. Since all data is hosted via a PCI compliant service provider.

Why is PCI compliance important to my organization?

Even though participation in compliance has not been made mandatory for all Level 4 merchants, your organization could be assessed substantial fines (as much as $500,000) if cardholder data is breached and your nonprofit is not compliant.

Equally important is the simple need to protect your donors and their data they’ve entrusted to your organization.

How can DonorPerfect help?

All of DonorPerfect’s tools for credit card processing such as Insta-Charge, EZ-EFT, DonorPerfect Online Forms and Crowdfunding use PCI compliant methods for encrypting and securely transmitting credit card data. When there is a need to store cardholder data — for instance to automatically process a monthly pledge, DonorPerfect uses a Level 1 PCI-Certified Gateway to securely store the data. A donor’s record will just contain a “SafeSave Vault ID” that uniquely identifies that securely stored data, so that future transactions can be processed (via Insta-Charge, DonorPefect Online Forms, Crowdfunding and EZ-EFT) without the need to re-enter any data. This virtually eliminates PCI-compliance issues, since no cardholder data is ever stored in your computers or our servers.