A note regarding recent updates to PCI Compliance Standards: As of April 1st, 2024, a new version of the PCI Compliance standards, dubbed PCI DSS 4.0, has been rolled out as the new standard. You can find a high-level overview of the changes and enhancements that were part of this update at PCI's site here.
The short answer? No, PCI compliance is not required by law.
Even though the PCI Security Standards Council helps to manage security standards and is on the lookout for ways to continuously improve security, it ultimately doesn’t enforce PCI compliance.
Compliance ultimately is driven through the terms and conditions that are set by a nonprofit’s merchant service provider or payment service provider and the associated card networks.
The overall reasons behind PCI compliance requirements are largely the same from one provider to the next, but the specifics for achieving compliance can vary from provider to provider.
Also worth keeping in mind – failure to be PCI compliant can lead to serious problems, including heavy fines issued by card networks, legal fees, and costs tied to forensic audits and investigations.
PCI compliance, or Payment Card Industry Data Security Standard (PCI DSS) compliance, ensures businesses handling credit card information maintain secure practices.
No need to sift through technical docs on this one - here are the 12 PCI compliance requirements your nonprofit needs to meet to get compliant:
To achieve compliance, most small to medium-sized nonprofits typically need to complete a self-assessment form alongside meeting the 12 requirements we outlined above.
For larger nonprofits, there is typically a need to submit additional paperwork, work with a third-party auditor to assess them, and hire an outside firm to scan their networks.
Being PCI compliant is something that is required for any nonprofit processing donation transactions, but the specifics around validation requirements and assessments typically vary across card networks.
One of the biggest impacts to requirements? Card transaction volume.
Card transaction volumes are broken into one of four levels. The following compliance level example is taken from Visa:
There are typically four groups that are involved in and responsible for achieving PCI compliance:
Card Networks: Each network, like American Express and Visa, holds its own specific set of requirements for PCI compliance.
The PCI Security Council: American Express, Discover, Visa, Mastercard, and JCB International were the principal founders of the PCI SSC in 2006. The independent organization helps to create and uphold security standards, certifies vendors, and verifies new and emerging payment tech.
Merchant account providers or payment service providers: Nonprofits will typically use a merchant account provider or payment service provider to accept card payment-based donations. These organizations also act as the default administrator for PCI compliance for nonprofits through specific PCI compliance requirements in the contract/agreement.
Nonprofits: Every nonprofit that processes donations through card networks is held responsible for complying with its specific networks' standards for PCI compliance.
Having to work through PCI compliance assessment questionnaires can be stressful for anyone, let alone resource-light nonprofits.
Here are a few ways your nonprofit can make the compliance journey a little easier from the jump:
As tempting as it might seem, avoid pencil-whipping your way through your PCI compliance questionnaire.
By taking the time to do the paperwork the right way the first time around, your nonprofit will potentially sidestep data-related issues and costly, elevated penalties.
Your digital fundraising software, and the payment processing partner(s) it uses, can make PCI compliance much easier to obtain and maintain.
Single-point solutions for digital fundraising can often provide a low-maintenance, secure path to PCI compliance.
Know your nonprofit:
Work with your payment processor on: