
Understanding PCI DSS Compliance

Protecting donor payment information and maintaining trust.

PCI compliance protects your donors' payment information and maintains their trust in your organization. This guide explains what PCI compliance means, why it matters, and how to achieve it with iDonate.

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data. Created by the major card brands (Visa, MasterCard, American Express, Discover, and JCB) and administered by the PCI Security Standards Council, these requirements help reduce card fraud and protect cardholder data wherever it is stored, processed, or transmitted.

If your organization accepts, processes, stores, or transmits credit card payments through any channel, including online donations, point-of-sale terminals, and mobile payments, you must comply with PCI DSS. This applies regardless of transaction volume; only the validation method (a self-assessment questionnaire or an on-site assessment) depends on your merchant level.
 

Why PCI Compliance Matters

PCI DSS is an industry standard enforced through your agreements with the card brands, your acquiring bank, and your payment processor rather than a federal law, but every US state has breach notification legislation that requires organizations to notify affected individuals, including donors, when their payment data is exposed. Failing to comply with PCI DSS puts your organization at significant risk.

Consequences of Non-compliance:

  1. Financial Impact: Organizations face substantial fines, legal fees, forensic audit costs, and increased transaction fees from payment processors.

  2. Legal Consequences: PCI DSS prohibits storing sensitive authentication data (full magnetic stripe or chip data, card verification codes such as the CVV, and PINs) after a transaction is authorized, even in encrypted form, and state and federal privacy regulations impose penalties when cardholder data is stored unprotected or exposed.

  3. Operational Damage: Non-compliance can result in losing your ability to accept card payments, decreased stock equity (if applicable), and damage to your reputation.

  4. Loss of Donor Trust: A data breach can permanently damage relationships with donors who trusted your organization with their sensitive information.

How Payment Processors Support PCI Compliance

Using a payment processor like CardConnect doesn't automatically make you compliant, but it significantly simplifies the process. Third-party processors help by:

  1. Reducing Your Compliance Burden: They handle most of the technical security requirements, allowing you to focus on a smaller set of organizational responsibilities.

  2. Providing Ongoing Security: Professional processors actively monitor for vulnerabilities and stay current with the latest compliance requirements.

  3. Offering Expert Guidance: They help identify potential security gaps in your systems and recommend solutions to strengthen your defenses.

  4. Managing Sensitive Data: By handling payment information on secure servers, processors minimize your organization's exposure to cardholder data.

Think of your payment processor as a security partner. While they manage the technical infrastructure, your organization remains responsible for certain operational security practices.

Your Organization's Compliance Responsibilities

Although iDonate and CardConnect handle the majority of PCI compliance requirements, your organization must still maintain specific security practices. Here's what you need to do:

Network and System Security

  1. Firewall Protection: Install and maintain a firewall configuration to protect cardholder data from unauthorized access.

  2. Strong Passwords: Never use vendor-supplied default passwords. Create strong, unique passwords for each account used to access iDonate and CardConnect, update them regularly, enable multi-factor authentication wherever it is offered, and change any password you suspect has been exposed.

  3. Antivirus Protection: Use and regularly update antivirus software on every workstation and server used to access iDonate, CardConnect, or donor payment data.

  4. System Maintenance: Keep all systems and applications updated with the latest security patches.

Data Protection Practices

  1. Physical Security: Require staff to lock computers when away from their desks, especially when visitors are in the building. Never allow anyone to write down donor credit card numbers.

  2. Access Control: Restrict access to cardholder data based on business need. Assign unique login credentials to each person with system access, and track who accesses sensitive information.

  3. Data Transmission: Ensure all cardholder data is encrypted in transit across public networks using TLS (iDonate handles this automatically for its donation forms; make sure the pages on your own website that link to or embed those forms are also served over HTTPS).

  4. Data Storage: Store as little cardholder data as possible and protect any data you must retain. Never keep the card verification code or PIN after authorization, and if a card number must appear in reports, show no more than the first six and last four digits. Follow written policies for secure storage and eventual deletion.
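
The most common way cardholder data ends up stored where it should not be is staff typing a card number into a CRM note, spreadsheet, or email. The scan below is an added example, not iDonate or CardConnect code: it finds probable card numbers in free text (13 to 19 digit runs that pass the Luhn check, which filters out phone numbers, dates, and membership IDs) and masks them to first six / last four, the most PCI DSS allows for display. The sample input is a constructed donor-CRM note export containing only publicly known test card numbers, and the function names are the example's own.

```python
"""Cardholder-data discovery and masking (added example; not iDonate or
CardConnect code).

Scans free text for probable primary account numbers (PANs): runs of 13-19
digits that pass the Luhn mod-10 check. The sample input is a constructed
donor-CRM note export; its card numbers are the publicly known test numbers
4111 1111 1111 1111 and 378282246310005, not real accounts."""
from __future__ import annotations

import re

# Constructed sample: a CSV export of staff notes from a donor database.
SAMPLE_EXPORT = """\
donor_id,note
DN-00118,"Called 2024-03-02; phone 555-010-2244. Pledged $250."
DN-00119,"Donor read card over phone: 4111 1111 1111 1111 exp 09/27 cvv 123"
DN-00120,"Membership ID 1234 5678 9012 3456 renewed"
DN-00121,"Amex on file 378282246310005; bill quarterly"
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check.

    Real PANs always pass; most phone numbers, IDs and dates do not,
    which keeps false positives down.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows
    for display, and star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return each distinct Luhn-valid PAN found in text, digits only."""
    found: list[str] = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; other
    digit runs (IDs, phone numbers) are left untouched."""
    def _mask(m: re.Match[str]) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    hits = find_pans(SAMPLE_EXPORT)
    print(f"{len(hits)} probable card number(s) found; do not keep this export as-is")
    for line in redact(SAMPLE_EXPORT).splitlines():
        print(line)
```

Run it over exported spreadsheets, ticket systems, and mailbox archives as part of the regular testing described later on this page. A hit means the original record must be cleaned up, not just the export; note also that the CVV sitting next to the card number in the sample must never be retained after authorization, masked or not.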

Ongoing Compliance Maintenance

  1. Regular Testing: Test your security systems and processes regularly. Document all tests and promptly address any vulnerabilities discovered.

  2. Security Monitoring: Track and monitor all access to network resources and cardholder data to detect suspicious activity.

  3. Security Policy: Maintain a written Information Security Policy that covers all personnel. Make this policy part of your organization's official documentation and ensure all staff members understand their responsibilities.

Completing Your Annual PCI Questionnaire

Organizations using CardConnect must complete an annual PCI compliance questionnaire through VikingCloud (formerly SecureTrust). This process validates that you're maintaining the required security practices.

How to Complete Your Questionnaire:

  1. Log into the VikingCloud Portal.
  2. If you have not created a profile yet, you'll see a Start Business Profile button. Click it to answer a series of questions that determine the correct Self-Assessment Questionnaire (SAQ) for your business.
  3. Once your profile is complete, choose how you want to complete the questionnaire:
    1. Guide Me (recommended): A step-by-step process that walks you through each compliance requirement.
    2. Expert: Proceed directly to the compliance questions without additional guidance. You can refer to the reference material as needed.
    3. Upload: Upload your documentation directly if you've prepared it separately.

Please consult the PCI - Merchant Guide for additional information.

If you need assistance after completing your merchant profile, contact VikingCloud at 877-257-0239 with your Merchant ID number.

Display Your Compliance

Once approved, display the PCI Compliant logo on your website. This badge builds donor confidence by demonstrating your commitment to protecting their payment information.

Additional resources

For more information about PCI compliance standards and requirements, visit the PCI Security Standards Council website.