The Goal of Safety
Why Safety and not Security? Safety is a combination of Security and Compliance. Letting a donor give online safely is a two-step process that cannot be accomplished with either Security or Compliance alone. A secure site without compliance may still be easily compromised, or may be storing information that the credit card companies prohibit. A compliant site with poor security can be easily breached and sensitive information stolen, often without leaving any trace that a breach occurred.
The ultimate goal of giving online safely is to combine the highest level of security with the highest level of compliance, which means choosing a provider with the best of both worlds. A provider with multiple layers of security and industry compliance certifications gives your organization a safe way to let your donors give online.
Throughout Donation University the words Security and Compliance have been used to highlight the need for both in any online donation provider. What exactly is the difference and where is the line in the sand that separates the two? What technology applies to which category?
Security
In terms of websites, and your donors' interaction with your website specifically, security is the proper use of industry-standard protocols. These protocols are used industry-wide, on every major payment transaction made online, and are widely available to anyone.
When we state that a site is secure, it simply means that it is encrypted with the SSL protocol (Secure Sockets Layer), an industry standard for encrypting data transmitted over the internet (its modern successor is TLS, but the name SSL is still in common use). Every site that wants to protect sensitive information uses this protocol. From single-page sites to companies like Amazon and eBay, they all use SSL to encrypt data. The most easily identifiable sign of an SSL site is the lock icon in your web browser, which shows that security is present on a particular web page. Data encrypted and transmitted by SSL is not immune to interception, but having this security in place makes it far more difficult for anyone to gain access to the data as it crosses the internet.
Security only covers data as it moves across the internet. Once stored, the data can only be protected by Compliance with standards set forth by the security industry or, in the case of donations made by credit card, standards set forth by the credit card industry itself.
Compliance
Once transaction data and sensitive information are stored, compliance takes over as the primary method of keeping that data safe. Compliance is adherence to strict policies that govern the way data is stored, handled, accessed and otherwise interacted with. Recurring billing data, for example, would contain complete credit card information in order to process transactions in the future. This data must be securely stored and accessed only when needed to process an actual transaction. Compliance with the industry standards set forth by the credit card companies ensures the best possible protection for that data.
These industry standards also govern the internal policies of online donation companies and require specific proof that those companies are doing everything possible to ensure the continued safety of stored information. The credit card industry mandates compliance with these policies as a way to combat fraud online. These standards are known as PCI-DSS, the Payment Card Industry Data Security Standard.
Penalties for non-compliance can include monetary fines levied against the online donation processor, legal proceedings, and revocation of the ability to process credit cards.