PCI Compliance 101 a.k.a. “Do I Have to Worry about This or Nah?”

What is PCI Compliance? And do I need to worry about it?

Gonna be super straight with you here: the world of PCI Compliance is not an interesting one. And it’s not super accessible to laypeople. But, because it’s not super accessible to laypeople, we’re going to lay out in simple terms what it is, why it matters, how it affects you, and if you need to worry about it.

Ready? Buckle up, this is going to be absolutely thrilling.

What’s PCI Compliance?

“PCI Compliance” is a set of standards established by The Payment Card Industry Security Standards Council. It’s designed to keep consumers safe by ensuring that any company that deals with credit card information does so in a secure environment.

In the simplest terms, any company that could possibly handle your credit card information must follow very specific rules about what they do with that information.

What kind of rules are involved in staying PCI Compliant?

Not gonna lie… there are a lot of rules. You can look over here to see the different documents that lay out expectations, rules, and standards. If you don’t feel like reading all that, here are some basic rules:

• You must have a system in place to prevent malware, viruses, and other digital nasties
• There must be authentication and identification systems in place that prevent unauthorized access to any card information
• Your organization must maintain a policy that lays out security protocol for all employees
• You must regularly test your security and response systems
• And you must keep up with lots of other regulations!

There’s a lot to PCI Compliance, but each and every rule has to do with how you handle card information, what you do with that information after you have it, who can access that information, and how to keep that information from falling into the wrong hands.

Why Do Nonprofits Have to Worry about PCI Compliance?

Well, one, it’s the law. But, for nonprofits specifically, you have a vested interest in keeping your donors’ card information safe.

Mishandling your donors’ data can lead to a data breach, and data breaches are an absolute nightmare to handle. Remember the fallout when Target had that huge breach in 2013? Or the uproar when 12 million credit card numbers were compromised when Sony’s Playstation Network was hacked? Remember how people freaked out when 56 million peoples’ cards were compromised when Home Depot was infected with malware?

Now, think about the headaches you’d face if your donors’ credit cards and personal information were compromised in a similar security breach. Wouldn’t you want to avoid that kind of chaos?

We know we would! The practices set forth by the PCI Security Standards Council help prevent that kind of event.

So What Do I Need to Do?

The first thing you need to do is to get a basic handle on data security best practices for nonprofits. Taking the precautions outlined in this article will get you started. Simple practices like not sharing accounts, being careful with passwords, and basic security measures will get you in pretty sold shape.

After you get that sorted (and probably change your passwords), do some research into your online fundraising platform and, if you have one separate from your online fundraising platform, your merchant processor. Are they PCI Compliant? How do they handle donor data? While you’re at it, you might as well ask similar questions of your CRM or donor database. What do they do to keep your donors’ personal information safe?

You can also talk to your website manager about your site’s security and any questions that might have come up during research.

Hey Qgiv Clients!

At Qgiv, we work really hard to maintain Level 1 PCI Compliance. That’s the most secure you can be! If you have any questions about how we maintain that status, or if you have questions about how it works, we’re happy to talk to you!