
The Security vs. Compliance...
This is course 2 of 5 in Safety and Compliance
Throughout Donation University the words Security and Compliance have been used to highlight the need for both in any online donation provider. What exactly is the difference and where is the line in the sand that separates the two? What technology applies to which category?
Security
In terms of websites, and your donor's interaction with your website specifically, security is the proper use of industry-standard protocols. These protocols are industry-wide: they are used on every major payment transaction made online and are widely available to anyone.
When stating that a site is secure, it simply means that it is encrypted with the SSL protocol (Secure Sockets Layer), an industry standard for encrypting data transmitted over the internet. Every site that wants to protect sensitive information uses this protocol. From single-page sites to companies like Amazon and eBay, they all use SSL to encrypt data. The most easily identifiable signature of an SSL site is the lock icon displayed in your web browser, which shows that security is present on a particular webpage. Data encrypted and transmitted by SSL is not immune to interception, but having this security in place makes it far more difficult for anyone to gain access to the data as it crosses the internet.
Security only covers data as it moves through the internet. Even when secured by SSL, once that data reaches its destination it becomes susceptible to compromise. SSL only protects the movement of data. Once stored, the data can only be protected by compliance with standards set forth by the security industry, or, in the case of donations made by credit card, by standards set forth by the credit card industry itself.
Compliance
Once transaction data and sensitive information is stored, compliance takes over as the primary method of keeping that data safe. Compliance is adherence to strict policies that govern the way data is stored, handled, accessed and otherwise interacted with. Recurring billing data, for example, contains complete credit card information so that transactions can be processed in the future. This data must be securely stored and accessed only when needed to process an actual transaction. Compliance with the industry standards set forth by the credit card companies ensures the best possible protection for that data.
These industry standards also govern the internal policies of online donation companies and require specific proof that companies are doing everything possible to ensure the continued safety of stored information. The credit card industry mandates compliance with these policies as a way to combat fraud in the online world. These standards are known as PCI-DSS, the Payment Card Industry Data Security Standard. It covers a wide range of topics and will be explained in detail in the next Donation University course.
Penalties for non-compliance can include monetary fines levied against the online donation processor, legal proceedings and the ability to process credit cards being revoked.