What Nonprofits Need to Know About PCI Compliance & Secure Donations

Does your nonprofit accept donations through an online portal? Does it accept major credit cards? The answer is likely yes, which means you are responsible for PCI compliance. PCI stands for "Payment Card Industry," and PCI compliance means meeting the PCI Data Security Standard (PCI DSS), a set of 12 requirements that any organization accepting card payments is expected to follow. For nonprofit organizations, online donations fall under the same rules.

There are two important reasons to maintain PCI compliance. The first is to keep your donors' data safe and retain their trust. The second is to avoid the penalties and breaches that follow from ignoring PCI guidelines. While PCI guidelines are not mandated by law, following them helps your NGO maintain a secure environment. A security compromise translates directly into brand damage: donors are less likely to give voluntarily to an organization that fails to protect their card information.

However, while federal law does not require PCI compliance, your cardholder agreement and/or merchant agreement are a different matter. If you use a third-party website host or payment vendor that accepts major cards, PCI compliance rules are almost certainly written into that agreement. The best strategy is to maintain strong security standards rather than ignore them.

What are the major PCI standards?

There are twelve components of the PCI framework. While that sounds overwhelming, most are easy to maintain without intense IT support.

  1. Maintain and update all firewalls (or install them if not already done).
  2. Change any default passwords supplied by the vendor.
  3. Protect stored cardholder data, for example by keeping it on an isolated network segment accessible only to admins.
  4. Always use encryption when cardholder data is transmitted.
  5. Install and keep anti-malware software up to date.
  6. Form a cohesive cybersecurity strategy covering incident response, data management, and permissions.
  7. Restrict access to cardholder data to those who need it, such as IT staff and admins.
  8. Assign a unique ID to everyone who has access to the network or to cardholder data.
  9. Restrict physical access to cardholder data to specifically authorized individuals.
  10. Enable monitoring and logging so you can see who accessed cardholder data, when, and where it was transferred to (if applicable).
  11. Routinely conduct security drills and tests to verify the strength of your cybersecurity.
  12. Maintain a written information security policy.

While these twelve major guidelines can seem overwhelming, they are straightforward to follow, provided you apply due diligence. Strong security habits are a mixture of common sense and procedure. But because your NGO handles card information for online donations and support, you do need to have PCI controls in place.

How can I become PCI compliant?

Again, it serves your long-term interests to follow PCI guidelines even if they are not federally mandated. Threat actors prey on vulnerable organizations and can wreak havoc if cardholder data is easily accessible.

It is also worth pointing out that not all operations are the same. If your NGO processes fewer than 20,000 card-based donations or transactions per year, your needs are not the same as those of a business processing millions per year.

As for compliance, smaller NGOs can assess and verify their own level of compliance. Larger ones, however, may need a third-party audit. Given the general complexity of IT and cybersecurity, this can all feel overwhelming.

In these scenarios, it is wise to use third-party support that can assess your PCI readiness. Doing so is cost-effective, because it reduces the chance of a breach and makes your NGO safer.

Why an MSP?

Managed service providers draw on a range of IT resources and cybersecurity expertise, including PCI compliance. A managed service provider can assess your NGO, help ensure it is compliant, and remediate any deficiencies in your security architecture.

Since nonprofits run on limited resources, taking advantage of professional services that supply remote (or on-site) help is key to success.

For more information about MSP services, you can contact Bytagig today.
