Security Issues & PCI Compliance

The protection of credit card information is a paramount concern for the credit card industry and there are many initiatives with numerous acronyms (CISP, PCI) that continue to impose tighter rules on the handling and storage of credit card data. The bottom line is that, if possible, you do not want to store credit card information and if you do keep it, it must be secured. In computer form, this means both password protected and encrypted, with similar protection of paper records that include credit card information.

Currently, many of the most onerous rules apply only to organizations that process large volumes of transactions, but there is a clear trend toward continuing to tighten controls throughout the credit card world. As a result, the current practices of many nonprofits, such as keeping a list of donor credit cards to process each month, will need to change. Even worse are web forms that collect credit card information on a non-secure server (note: you can quickly tell if the server is secure by looking to see if the web site address starts with https:, not just http:), or forms that simply generate an email that lists the credit card information.

You simply don’t want to put your donors’ information at risk or expose your organization to fines.

What is PCI Compliance?

Due to growing concerns with credit card fraud and widely publicized security breaches involving cardholder data, the credit card industry established new standards called Payment Card Industry Data Security Standards (PCI DSS but often referred to as just PCI compliance).

These requirements cover a wide assortment of practices, technology, and systems and can be very complex to understand, let alone comply with. Primarily, they relate to how your organization handles, stores, and transmits cardholder data. Here are a few of the most important elements:

  • Never store CVV2 data (the 3-digit code on the back of cards) or magnetic stripe data
  • If credit card numbers need to be stored or transmitted, they should generally be encrypted with at least 128-bit encryption.
  • Restrict access to physical and electronic cardholder data with user-specific passwords and based on business need-to-know.
  • More complete information on the PCI DSS can be found at www.pcisecuritystandards.org

Does this apply to my nonprofit?

Every organization that accepts credit cards is being required to comply with PCI DSS, but the requirements for compliance can vary widely depending on the types of processing you do and the volume of credit card transactions processed. Merchants fall into one of four levels. Most nonprofits fall into the lowest processing volume category (Level 4, with fewer than 20,000 Visa/MC transactions per year), where the primary requirement is completion of a PCI self-assessment questionnaire and quarterly network scans. Currently, there is no PCI-mandated date for Level 4 merchant compliance.

Why is PCI compliance important to my organization?

Even though participation in compliance has not been made mandatory for Level 4 merchants, your organization could be assessed substantial fines (as much as $500,000) if cardholder data is breached and your nonprofit is not compliant.

Equally important is the simple need to protect your donors and the sensitive data they have entrusted to your organization.

What to look for in your technology

Your tools for credit card processing should use PCI compliant methods for encrypting and securely transmitting credit card data, and for handling any storage of cardholder data. Some web-based fundraising vendors offer solutions that securely store donor credit card (or bank account) data in a PCI certified hosting facility. A donor’s record then contains only an “Alias ID” that uniquely identifies that securely stored data, so future transactions can be processed without the need to re-enter any data.
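The alias pattern above, plus a check that what you keep never contains a card number, as an added illustration that is not from the page or any vendor: `CardVault` is a constructed stand-in for the PCI certified facility (no real vendor API is modelled), and `find_pans` uses the Luhn checksum to spot card-number-like digit runs in records, exports, or the kind of form-generated email the page warns about.

```python
import re
import secrets

class CardVault:
    """Constructed stand-in for the vendor's PCI certified vault (not a real API)."""

    def __init__(self):
        self._cards = {}  # alias -> (pan, expiry); the PAN lives only in here

    def store(self, pan: str, expiry: str) -> str:
        alias = "alias_" + secrets.token_urlsafe(12)  # opaque, not derived from the PAN
        self._cards[alias] = (pan, expiry)
        return alias

    def charge(self, alias: str, cents: int) -> bool:
        # Later transactions send only the alias; the nonprofit never re-enters the PAN
        return alias in self._cards and cents > 0

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, spaces/dashes allowed

def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit sequences found in text (PAN-like data)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def donor_record(vault: CardVault, name: str, pan: str, expiry: str) -> dict:
    """What the nonprofit keeps: alias plus last four, never the PAN or CVV2."""
    alias = vault.store(pan, expiry)
    return {"name": name, "card_alias": alias, "last4": pan[-4:], "expiry": expiry}

def record_holds_card_data(record: dict) -> bool:
    """Scan every field of a stored record (or exported row) for PAN-like numbers."""
    return any(find_pans(str(v)) for v in record.values())
```

Running `record_holds_card_data` over donor records, spreadsheet exports, or a mailbox that receives web-form submissions is a quick way to find card data that should never have been kept.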