
Five Questions for Understanding PCI Compliance

When you boil it all down, PCI compliance is about doing what is right for your donors and maintaining their trust.

All organizations and churches want to keep their systems secure and safeguard donors' payment information. Unfortunately, the process and standards for keeping this sensitive data safe continue to grow more complex and to require more resources.

Let's have a quick look at general questions related to PCI compliance.

What is PCI compliance?

Any organization or church that processes, stores, or transmits payment cardholder data must adhere to PCI DSS, the Payment Card Industry Data Security Standard.

Cardholder data is the information that identifies a debit, credit, or pre-paid card and its owner: above all the primary account number (PAN), together with the cardholder name, expiration date, and service code when they are stored with it. The Payment Card Industry Security Standards Council (PCI SSC) maintains the standard; the card brands and your acquiring bank (the bank behind your merchant account) are the ones who require you to meet it. PCI compliance is how you demonstrate that your organization or church handles cardholder data in a secure environment.
All organizations/churches accepting card donations must be PCI compliant or risk financial penalties (typically fees levied through the acquiring bank).

Which organizations are required to comply with PCI standards?

Any debit, credit, or pre-paid card associated with any of the five members of the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa – falls under the scope of PCI compliance.

So, all churches and organizations that accept card donations by any mechanism – from point-of-sale swipe terminals to e-commerce shopping carts – must meet and maintain some PCI compliance criteria.

What are the risks of not being PCI compliant?

PCI DSS is a set of standards, not a law, but every U.S. state has enacted legislation requiring organizations/churches to notify the people affected by a security breach, and a few states have written parts of the PCI requirements into law. Independently of any law, PCI DSS forbids storing sensitive authentication data (full magnetic-stripe or chip data, the card verification code, and PINs) after a transaction is authorized, even in encrypted form, and requires any stored PAN to be rendered unreadable.

Organizations/churches that do not comply with PCI standards risk costly consequences: fines, legal fees, card replacement costs, forensic audits, loss of the ability to accept cards, reputation damage, and loss of donors.

How do third-party payment processors help organizations reach PCI compliance?

Outsourced payment processors do not automatically make you compliant. However, strong and resourceful partners like CardConnect can help organizations/churches simplify their ongoing compliance obligations and keep up with the requirements that remain theirs.

Hackers are growing more innovative and more relentless every day. A third-party processor can reduce your organization's risk of exposure and serve as an ongoing security consultant.

Processors can identify system vulnerabilities that cybercriminals could target to gain access to your private network. They should also have expert knowledge of the latest compliance rules and a pulse on new and customizable technologies, such as hosted payment pages, tokenization, and point-to-point encryption, that reduce or remove your own systems from the scope of PCI compliance.

What steps should our church or organization take to meet PCI compliance?

Although iDonate and CardConnect are responsible for the majority of PCI compliance coverage, your organization still owns some responsibilities. All twelve PCI DSS requirements must be met to be considered compliant. The 12 requirements are listed below, with notes on the parts that fall to you:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters. Use a strong, unique password for logging in to iDonate and CardPointe.com.
  3. Protect stored cardholder data. Adhere to a policy requiring everyone to lock their computers before leaving their desks, especially when visitors are in the building.
  4. Encrypt the transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data. Let everyone in your office know they should never write down a donor's credit card number.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes. PCI compliance requires your permission for the scanning vendor to run a basic external scan of your organization's website to verify that no security weaknesses can be found that might compromise a donor's personal information. The vendor will let you know if anything is found and give you helpful information to resolve the matter.
  12. Maintain a policy that addresses information security for all personnel. This policy should exist in writing as part of your organization's overall Security Policy. These are PCI requirements that we cannot take on for you. The PCI Compliance Online Assessment (PCI's own term for it is the Self-Assessment Questionnaire, or SAQ) requires you to attest that these policies and more are in place. With this attestation, they can approve and list you as compliant.
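As an added illustration of the kind of check behind requirements 3 and 9 (it is not part of the original page and is not iDonate or CardConnect tooling), the following Python script finds card numbers that have leaked into notes, spreadsheets, or logs, validates each candidate with the Luhn check that every brand PAN passes, and masks it to the first six and last four digits that PCI DSS v3 allows to be displayed. The sample note is constructed; the card numbers in it are the well-known brand test numbers, not real accounts.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes (the way
# people type card numbers). PANs are 13-19 digits long under PCI DSS.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a note a staff member might leave in a spreadsheet.
# 4111... is the standard Visa test number; the membership ID and phone
# number are digit runs that must NOT be flagged.
SAMPLE_NOTE = ("Donor called: card 4111 1111 1111 1111, exp 12/27. "
               "Membership ID 1234567890123456. Phone 214-555-0100.")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every brand PAN passes Luhn; about one random digit string in ten
    also passes, so a hit is a strong candidate, not proof of a PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN as PCI DSS v3 req. 3.3 permits: first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_from_match(token: str):
    """Strip separators; return the digits if Luhn-valid and PAN-length."""
    digits = re.sub(r"[ -]", "", token)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """Return each Luhn-valid PAN found in text, with its masked form."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _pan_from_match(m.group(0))
        if digits is not None:
            hits.append({"span": m.span(), "masked": mask_pan(digits),
                         "length": len(digits)})
    return hits


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        digits = _pan_from_match(m.group(0))
        return mask_pan(digits) if digits is not None else m.group(0)
    return _CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_NOTE):
        print(f"PAN ({hit['length']} digits) at {hit['span']}: {hit['masked']}")
    print(redact(SAMPLE_NOTE))
```

Run it over exported spreadsheets, CRM notes, or web-server logs before they are shared or archived. Two caveats: Luhn passes roughly one random digit string in ten, so review hits rather than acting on them blindly, and a PAN buried inside a longer run of digits (for example, concatenated with a timestamp) is not matched, because the pattern requires a non-digit on both sides.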

    Your organization or church benefits from including the "PCI Compliant" logo on your website after you've been approved. This gives donors added confidence when they come to your website to look around, fill out a form, or give a donation!