A note regarding recent updates to PCI Compliance Standards: As of April 1st, 2024, a new version of PCI Compliance standards, dubbed PCI DSS 4.0, has been rolled out as the new standard. You can find the high-level overview of what changes/enhancements where a part of this update at PCI's site here.

Is PCI compliance required by law for nonprofits? 

The short answer? No, PCI compliance is not required by law. 

Even though the PCI Security Standards Council helps to manage security standards and is on the lookout for ways to continuously improve security, it ultimately doesn’t enforce PCI compliance.  

Compliance ultimately is driven through the terms and conditions that are set by a nonprofit’s merchant service provider or payment service provider and the associated card networks. 

The overall reason behind PCI compliance requirements are largely the same from one provider to the next, but the specifics for achieving compliance can vary from provider to provider. 
 
Also worth keeping in mind – failure to be PCI compliant can lead to serious problems, including heavy fines issued by card networks, legal fees, and costs tied to forensic audits and investigations.  

The basics of Payment Card Industry Data Security Standard (PCI DSS) compliance 

PCI compliance, or Payment Card Industry Data Security Standard (PCI DSS) compliance, ensures businesses handling credit card information maintain secure practices. 

The 12 PCI compliance requirements for nonprofits 

No need to sift through technical docs on this one - here’s the 12 PCI compliance requirements your nonprofit needs to get compliant:  

• Install and maintain a firewall to safeguard cardholder data. 
• Avoid using default passwords; use strong passwords for your digital fundraising software and credit card processing vendor. 
• Secure stored cardholder data and implement a policy to lock computers when unattended. 
• Encrypt cardholder data during transmission over public networks. 
• Use and update antivirus software regularly. 
• Develop and maintain secure systems and applications. 
• Limit access to cardholder data based on business need-to-know. 
• Assign unique computer access IDs. 
• Control physical access to cardholder data; prohibit writing down credit card numbers. 
• Monitor all network and cardholder data access. 

• Regularly test security systems and processes. 
• Maintain a comprehensive information security policy for all staff. 

How your nonprofit can become PCI compliant 

To achieve compliance, most small to medium sized nonprofits typically need to complete a self-assessment form alongside meeting the 12 requirements we outlined above. 

For larger nonprofits, there’s typically a need to submit additional paperwork, work with a third-party auditor to asses them, and hire an outside firm to scan their networks. 

Validation Requirements 

Being PCI compliant is something that is required for any nonprofit processing donation transactions, but the specifics around validation requirements and assessments typically vary across card networks. 

One of the biggest impacts to requirements? Card transaction volume. 

Card transaction volumes will be broken into one of four levels. The following compliance level example is taken from Visa: 

• Level 1 – Over 6 million VIas transactions annually across all payment channels 
• Level 2 – Between 1 and 6 million transactions annually across all payment channels 
• Level 3 – Between 20,000 and 1 million e-commerce Vias transactions annually 

• Level 4 – Less than 20,000 e-commerce transactions, or up to 1 million total annual transaction 

Who’s involved in nonprofit PCI compliance 

There’s typically four groups that are involved and responsible for achieving PCI compliance: 

Card Networks: Each network, like American Express and Visa, holds it’s own specific set of requirements for PCI compliance.  

The PCI Security Council: American Express, Discover, Visa, Mastercard, and JCB International were the principal founders of the PCI SC in 2006.  The independent organization helps to create and uphold security standards, certifies vendors, and verify new and emerging payment tech. 

Merchant account providers or payment service providers: Nonprofits will typically use a merchant account provider or payment service provider to accept card payment-based donations. These organizations also act as the default administrator for PCI compliance for nonprofits through specific PCI compliance requirements in the contract/agreement.  

Nonprofits: Every nonprofit that processes donations through card networks are held responsible to comply to their specific networks standards for PCI compliance. 

Tips for becoming PCI compliant 

Having to work through PCI compliance assessment questionnaires can be stressful for anyone, let alone resource-light nonprofits. 

Here’s a few ways your nonprofit can make the compliance journey a little easier from the jump: 

Keep your data tidy

• Use strong passwords. 
• Store only essential data; avoid physical copies of donation receipts. 
• Avoid clicking on suspicious links. 
• Use card readers and payment software validated by the PCI Security Standards Council when processing donations. 
• Educate your employees on keeping cardholder data secure. 

That PCI compliance paperwork? Take it seriously

As tempting as it might seem, avoid pencil whipping through your PCI compliance questionnaire.  

By taking the time to do the paperwork the right way the first time around, your nonprofit will potentially sidestep data related issues and costly, elevated penalties. 

Use tech & systems that make PCI compliance easier

The digital fundraising software, and the payment processing partner(s) that they use, can make PCI compliance much easier to obtain and maintain.  

Single point solutions for digital fundraising can often provide a low-maintenance, secure path to PCI compliance help. 

Nonprofit PCI compliance resource checklist 

Know your nonprofit:

• Find out which processing level your nonprofit falls under 
• Figure out which PCI compliance assessment you need to complete 

Work with your payment processor on: 

• Understanding the details on compliance requirements for your contract 
• Available resources if you need help 
• Costs, if applicable, for PCI compliance 
• Recommended services that is provided or recommended 

Resources from the PCI Security Standards Council 

• Merchant Resources: Ideal to dive deeper into how your nonprofit can further secure donor data 
• PCI DSS v4 Self-Assessment Overview : Get the scoop on the changes that went into effect on March 31st, 2024 with the rollout of the PCI DSS v4 self-assessment questionnaires (SAQs)