PCI compliance guide for nonprofits: What to know

Card payment security is a paramount concern for any organization that accepts online payments. After all, security breeds trust, sets a standard of organizational professionalism and encourages future transactions between organizations and their donors or customers. And with 63 percent of donors preferring to give online with a credit or debit card, safeguarding card transactions is essential to financial and social success. 

But how can nonprofits measure security? As your organization reviews its internal payment system, how can you distinguish between a poor payment processor and a secure one? You must search for a system that offers payment card industry (PCI) compliance. 

Through this guide, learn more about the essential security metric that is PCI compliance, find answers to your most important questions and explore some best practices for adhering to PCI data security standards (DSS).

Whether you’re a nonprofit professional hoping to fortify your payment processing or a fundraising leader trying to increase donor trust, these insights will help you increase strength, security, and faith in your payment processes. 

What is PCI compliance?

Payment Card Industry compliance refers to the Payment Card Industry Data Security Standard, also known as PCI DSS. This is a checklist of rules and requirements created by major credit card companies to ensure merchants are securely handling customer information.

Merchants, service providers and other payment processing entities are held to this standard to better protect cardholders from fraud, data leaks and the theft of their personal and financial details. 

The certification for PCI compliance is ultimately administered and managed by the PCI Security Standards Council. This council determines which organizations are up to code, and they have the power to fine merchants determined to be out of compliance until they bring their systems up to standard. 

Organizations aren’t just given a broad stamp of approval for whether or not they qualify as “PCI-compliant,” however. The PCI Security Council recognizes various levels of compliance, with Level 1 being the highest, most trusted and most secure designation possible.

Why is PCI DSS compliance important for your organization? 

PCI compliance isn’t an arbitrary metric or loose suggestion—it’s the official standard by which merchants are mandated to uphold their payment security for card-related transactions.

If your organization holds, handles, or manages card holder or digital payment information, then the PCI DSS has been created with you (and your supporters!) in mind; it’s one of the most essential measures to help protect nonprofits from fraud online.

It doesn’t matter if you’re a sprawling, international nonprofit or a small-town local business—merchants and organizations of all shapes and sizes are subject to the PCI DSS for the sake of customer safety. 

Considering how important card-related payments are for your organization, it’s essential that those in your nonprofit understand credit card processing, PCI compliance and the standard by which your organization is expected to carry out cardholder transactions. 

PCI-compliance checklist

With both technology and payment fraud schemes evolving constantly, PCI compliance standards are continuously updated to meet changes in the world of cardholder security. 

For organizations of any size, it’s recommended to stay educated about the level of security offered by your payment tools; regularly check in on the PCI compliance checklist and your payment processing system’s level of compliance. 

Here are the most up-to-date official PCI DSS requirements that your payment processing tools will have to abide by to meet basic PCI compliance, per the PCI Security Standards Council. These requirements are made of six security goals and twelve total steps:

Goal #1: Build and maintain a secure network and systems

a) Install and maintain network security controls

A firewall will be your first line of defense against would-be hackers and fraudsters attempting to break into your organization’s network. This security gateway manages incoming and outgoing traffic through your internal data network. Be sure to monitor this activity and regularly update your firewall to increase its effectiveness against outside threats.

b) Apply secure configurations to all system components

When you first acquire the processors, servers, or applications that will be used to manage your organization’s data, be mindful to disable the vendor-supplied defaults that come with these tools. Hackers can easily discover and take advantage of weak points in these default settings. Your systems will be far better equipped to handle external attacks once you have created your own special administrative settings.

Goal #2: Protect account data

c) Protect stored account data

Managing protective measures around data storage is one of the most effective ways to safeguard cardholder data. For example, you should routinely purge unnecessary data, track the movement of cardholder data, encrypt primary account numbers (PAN), and invest in a payment processor that purges authentication data after it has been used.

d) Protect cardholder data with strong cryptography during transmission over open, public networks

Cardholder data is most vulnerable when it is being transmitted through public wireless networks. A secure payment processing tool should come equipped with encryption and tokenization capabilities, ensuring that sensitive payment details are protected at all times.

Goal #3: Maintain a vulnerability management program

e) Protect all systems and networks from malicious software

Even a seemingly innocuous email could contain dangerous malware meant to infect your organization’s systems. Download, manage, and regularly update antivirus and anti-malware software to protect all systems at risk of being compromised by these invasive tools. 

f) Develop and maintain secure systems and software

Perform risk assessments on your various systems and applications to determine where your organization is most vulnerable, applying patches and access management where necessary. Additionally, partner with service providers (such as your payment processor) that maintain a high level of security and PCI compliance.

Goal #4: Implement strong access control measures

g) Restrict access to system components and cardholder data by business need to know

According to a data risk report, nearly two-thirds of companies have 1,000+ sensitive files that are open to every employee—a dangerous oversight. To protect cardholder data, determine the necessary staff that must be granted access and restrict access to those whose jobs do not require them to view, move or monitor this delicate payment information.

h) Identify users and authenticate access to system components

Once you have selected the dedicated team who will be granted sensitive data access, implement authentication procedures (such as unique, complex user IDs, passwords and two-factor authentication) to track the activity of each individual logging into your system.

i) Restrict physical access to cardholder data

Cardholder data doesn’t just exist intangibly in your online cloud. Paper records, data servers, and flash drives are all physical mediums for sensitive data which should be monitored and regulated at all times. Security cameras, ID badges and the destruction of unnecessary data records are just a few measures that can increase physical data security.

Goal #5: Regularly monitor and test networks

j) Log and monitor all access to system components and cardholder data

Maintaining an organized, time-stamped activity log is not only important in detecting potential threats, but it is also essential for mitigating damage and identifying the root cause of attacks when they do happen. Create and record audit trails to track user identity and intent as they navigate through your data systems. 

k) Test security of systems and networks regularly

Wireless access point testing, network vulnerability scans, penetration testing and intrusion detection tools are all essential security tests that you should regularly conduct to fortify system security on all levels.

Goal #6: Maintain an information security policy

l) Support information security with organizational policies and programs

Did you know that 88 percent of cybersecurity breaches are caused by human error? In addition to the technical safeguards listed above, disseminating an organization-wide information security policy can help reduce these easily-avoidable blunders. This policy guide should be reviewed on at least an annual basis, covering the duties that each employee is expected to follow to maintain data security for the organization.

Tips to increase your nonprofit’s security

Abiding by the many rules set by the Payment Security Standards Council can seem like a daunting challenge, especially for those who aren’t particularly technologically savvy. Start small—these simple tips can help your organization achieve high levels of data protection that satisfy many of the PCI DSS requirements.

1. Invest in integrated payment processing tools

If you’re hoping to find the best payment processor or processing tools for your organization, then integration capabilities are a must. Integration means that whatever outside software you are using can be embedded directly into your website pages (typically through your checkout or donation form) and feed important constituent data straight into your CRM or database.  

Not only do these integrated tools reduce human error by streamlining the management, transfer, and storage of sensitive data, but they often come equipped with sophisticated security measures such as encryption and tokenization. 

This feature is especially important where payments and communication are concerned. For one thing, the payment process includes the transference of some of the most sensitive data that your organization will encounter, making these security measures a major concern. On top of that, the automatic tracking and organization of donor data is critical for following up with donors after they’ve contributed through your online donation page. 

Make sure every tool affiliated with your online payment pages (from matching gift databases to full-fledged payment processors) is fitted with integration capabilities.

2. Maintain good data hygiene

Data hygiene refers to the “cleaning” and prudent management of organized data records; it’s an essential practice for companies and nonprofits alike. The responsible handling and organization of your data can create a positive impact well beyond security— constituent engagement strategies, marketing campaigns, and fundraising efforts can all be improved with the proper data hygiene.

From a security perspective, here are some essential data hygiene tips to keep your organization PCI-compliant: 

• Eliminate outdated, unnecessary, or harmful information or user accounts 
• Verify email addresses and similar constituent data 
• Standardize data training and input practices 
• Routinely refresh and manage passwords to sensitive folders
• Only use payment software that has been certified by the PCI SSC

These straightforward but effective hygiene best practices will streamline your data management policies, allowing you to more effectively leverage one of the most important tools you have at your disposal: information. 

3. Obtain an SSL certificate

One of the simplest ways to fortify your cybersecurity is to get an SSL certificate for your organization’s website. SSL is short for Secure Sockets Layer, an added layer of security and privacy for donor, customer or constituent data that: 

• Encrypts all data that is transferred between your platform and website users
• Helps establish the validity and authority of your platform to search engines and the public

This encryption tool, displayed in your URL bar as a lock, is a cheap and relatively easy step that you can take to strengthen the security of your online transactions and reaffirm public trust in your organization. 

Choosing a robust, Level 1 PCI-compliant processor

Speaking of affordable, robust, and easy-to-use tools built specifically for nonprofits, Deluxe offers one of the leading payment processing systems on the market, complete with unmatched security features officially certified by the PCI SSC.

Remember: the Payment Card Industry Security Standards Council doesn’t simply award blanket approval for PCI compliance to every passing organization. Instead, the organization designates and certifies specific levels of security. At Deluxe, we’re proud to say our payment processors have received and maintained the highest possible security ranking attainable, a level 1 PCI compliance standard.

Here are a few of the powerful security features our payment processing system utilizes to ensure the safety of your organization and users’ experiences:

• Identity authentication measures, such as CVV2 and BIN verification
• Dedicated anti-fraud tools, from 2-factor authentication to IP blocking
• Tokenization and encryption, making it nearly impossible for hackers to read sensitive constituent and payment data

In addition to this effective toolkit of PCI-compliance security measures, Deluxe Merchant Services for Nonprofits also boasts full integration capabilities, dedicated payment channels and international processing to provide one of the most comprehensive and versatile payment tools available.