Does your organization accept credit card payments for any of the memberships, products, services, certifications, or events it offers? If so, you're required to comply with Payment Card Industry (PCI) Security Standards Council Data Security Standard (DSS).
With continuing news of cyberthreats, identity theft, and what often seems like a new scam or fraud scheme emerging every day, nonprofits are looking to implement practices to protect their members, donors, and other stakeholders. The PCI standards are intended to do just that — to help organizations create a secure environment to safeguard payment card information.
Groups that process, transmit, or store any card data are impacted. No matter the size of your organization or which of the major cards you accept — whether you accept them at the point-of-sale or online, whether you process payments internally or outsource, or even if you direct purchase to PayPal to complete transactions — you’re obligated to implement and comply with at least a subset of the standard’s requirements.
Protecting member, donor, and customer data
To protect cardholder data (CHD), the goals of the security standard are sixfold:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vendor management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Each goal encompasses several specific requirements, and failing to implement them, or falling out of compliance may cost you — big time. Violations can cause payment brands to fine your acquiring bank thousands of dollars per month, fines that likely will be passed along to you, the merchant. Your bank may raise transaction fees, terminate your processing agreement, or even close your merchant account.
Worse yet is the costly reputational risk your organization faces in the event of a security breach that imperils the CHD of your donors and other stakeholders.
Just as the scams and threats to your CHD environment change continuously, so do the risks to your organization.
We know, the learning curve and compliance can seem overwhelming. Start by taking these three steps.
1. Know the risks. Begin by understanding the specific risks your organization faces and identifying areas where it might be vulnerable. Common examples include monetary fines, forensic audits, and termination of payment services, to name a few. Gaining a realistic picture is a strong start and can quickly lessen your exposure by pointing you to the trouble spots to address. Then, you can remedy those concerns directly and systematically to prepare for compliance.
2. Conduct a gap analysis. We often see organizations jump headfirst into an assessment rather than taking the time to conduct an initial gap analysis. To maximize efficiency, take a step back and first identify the scope of your environment with respect to CHD. What data do you transmit, store, or process? What processes are involved? Where are the gaps in documentation and in understanding the requirements? Initially looking at compliance in this way helps you focus on the right data, systems, and processes for assessing your organization's compliance.
3. Designate a PCI project manager. As you work toward compliance, you’ll want to designate one person, or a committee, to oversee the effort. The charge of the individual or group is to facilitate the transition to compliance, which encompasses people, processes, and technology; it may also entail a shift in organizational culture.
Just as the scams and threats to your CHD environment change continuously, so do the risks to your organization. On a regular basis, your organization’s leadership needs to ask this key question: What measures are in place to help us be sure we’re doing everything we can to protect our members', donors', and other stakeholders’ payment card data?
Proactively considering the data security requirements for PCI compliance and areas of risk for processing credit card transactions helps you reduce the risks of a data breach — and protects your stakeholders and your organization’s reputation as it carries out its mission.