How Are You Safeguarding Donor Data? Let’s Talk PCI DSS.
Trust is paramount when a donor commits highly sensitive payment data to a nonprofit. To ensure that the collected details are kept safe and secure at all times, a nonprofit organisation may choose to pursue appropriate measures. On this topic, an overview of PCI DSS is highly relevant.
What is the PCI DSS?
The Payment Card Industry Data Security Standard, in short PCI DSS, was introduced in 2006 by the Payment Card Industry members, Mastercard, Visa, American Express, JCB, and Discover. As a joint alignment on one unified policy, the objective is to increase standards around credit card data security and to combat fraud.
PCI compliant certification is awarded only after completing a PCI DSS audit adhering to 12 requirements.
|Build and Maintain a Secure Network and Systems||1. Install and maintain a firewall configuration to protect cardholder data|
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|Protect Cardholder Data||3. Protect stored cardholder data|
4. Encrypt transmission of cardholder data across open, public networks
|Maintain a Vulnerability Management Program||5. Protect all systems against malware and regularly update anti-virus software or programs|
6. Develop and maintain secure systems and applications
|Implement Strong Access Control Measures||7. Restrict access to cardholder data by business need to know|
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
|Regularly Monitor and Test Networks||10. Track and monitor all access to network resources and cardholder data|
11. Regularly test security systems and processes
|Maintain an Information Security Policy||12. Maintain a policy that addresses information security for all personnel|
Source: PCI Security Standards Council
Following PCI compliance, organisations are categorised into 4 levels:
• Level 1: Over 6 million transactions per year
• Level 2: 1 to 6 million transactions per year
• Level 3: 20,000 to 1 million transactions per year
• Level 4: Less than 20,000 transactions per year
Organisations of all levels are subjected to an assessment, a quarterly network scan, and an “Attestation of Compliance” form. Level 1 organisations (with over 6 million transactions per year) are required to complete the assessment through an external audit, while Levels 2 to 4 organisations need only complete a self-assessment questionnaire (provided on the Official PCI Security Standards Council website).
It is important to note that PCI DSS certification is not tantamount to immunity from breaches, as it requires diligent and consistent efforts to ensure data security. The goal is not as much about receiving a status of compliance as it is about risk mitigation and security.
Why PCI certification matters to nonprofits
Ensures current donors feel safe. When an organisation collects, stores or processes any payment details, software and processing security are crucial. Ensuring that donors can donate to their intended cause without the worry of their details being compromised is a building block for an enduring relationship between donor and the nonprofit organisation. In short, being PCI DSS certified provides a minimum standard of safety for both parties.
Prevents damaging consequences from a data breach. In 2015, the Utah Food Bank suffered a data breach that subjected more than 10,000 donors to personal information and payment card data exposure. In response, the nonprofit hired independent IT forensics experts and worked on implementing extra security measures, while having to notify all potentially affected individuals. In these circumstances, hours and resources are not spared, especially when it involves a detrimental impact on donor relationships. Mending a donor’s broken trust needs work and making a comeback in the public eye needs a long recovery time.
Is there more to PCI DSS than just software compliance?
It is assumed that using renowned payment processors or software that is PCI certified, means there’s adequate protection and no need for additional resources to acquire and maintain the certification.
Or is there?
Let’s take a step back and look at the overall journey of payment collection, storage, and processing. Where’s the possibility of a leak or breach? It actually starts from the moment payment details are collected.
In what ways?
Amongst others, it could simply be the physical donation forms, over-the-phone dialogue on donations, or digital records such as email on payment detail changes. Hence, even if a nonprofit does not own any software, it can and should have its services and infrastructure (for example, call centres and data centres) audited as part of risk mitigation. As for more sophisticated breaches, the entry points are many, for example via an app, direct database or infrastructure network, all of which should be monitored to prevent any unsavoury incidents.
SG Support has been awarded the PCI DSS certification consecutively over 4 years. Our PCI compliance is through the line, extending from software, infrastructure, to cardholder data environment (CDE) users, and CDE processes. Care and commitment are not spared in exercising the 12 requirements of PCI DSS to ensure the highest level of compliance and security.
Safeguarding data aside, there are other clear positive outcomes to being certified:
- According to the 2020 Donor Trust Report from Give.Org, third-party evaluation by an independent organisation is one of the top influences for donors considering a charity’s trustworthiness.
- A nonprofit that informs potential donors of their PCI DSS certification status eases concerns over data security and paves the way for confidence in giving.
Data breaches are no longer a rare occurrence and keeping it in check requires vigilance and fully reliable methods.
Managing a large donor base makes PCI compliance a high priority for SG Support and our charity partners. The goal is to create a fully secured environment and at its best, like an onion with multiple layers of protection.
In order for non-profit organisations to focus on fundraising in confidence, look to partnering with those who can commit to take utmost care in protecting donor data.
Got a question about PCI? Get in touch for insights from our experience.