An Overview of Secure Credit Card Donation Processing & PCI Compliance
If a company stores credit card numbers (the full PAN) in its own systems, those systems are fully in scope for PCI DSS and the company cannot use any of the short self-assessment questionnaires. It must validate against the whole standard (SAQ D, or at the top merchant level a Report on Compliance from an on-site assessment by a Qualified Security Assessor), pass quarterly external vulnerability scans by an Approved Scanning Vendor, and meet the requirements that come with holding card data: render every stored PAN unreadable (strong cryptography, a one-way hash, or truncation) and never keep sensitive authentication data such as the CVV after authorization. Note that storing card numbers does not by itself change your merchant level. The card brands set the level by annual transaction volume, so a nonprofit processing 10,000 donations a year is a Level 4 merchant under Visa's tiers whether or not it stores cards. What storing them does is make the entire standard apply to you: a Level 4 merchant that keeps card numbers still has to complete SAQ D, run the quarterly ASV scans and maintain the controls behind them, which is far more costly than the questionnaire a merchant that never touches card data fills in.
If you use a third party to store and process the recurring billing (e.g., Artez Interactive), so that card numbers never reach your own servers, you qualify for a much shorter questionnaire: SAQ A if the payment page is entirely hosted by the provider (a redirect or an iframe from the provider), or SAQ A-EP, which also requires quarterly ASV scans, if your own web page delivers the form that collects the card data. Either is completed annually. Your system keeps only the token the provider issues for charging the card again, plus display-only details such as the last four digits and the expiry date. Most payment service providers can help with recurring billing if you discuss your requirements with them.
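The distinction the two paragraphs above draw, shown in code: a check that tells you whether raw card numbers are sitting in your donor records (which is what puts you on SAQ D), and the shape of a recurring-donation record when the processor holds the card and you keep only its token. This is an added example written for this page, not code from the article or from any fundraising platform. The record fields, the `processor_token` name and the sample donor records are assumptions made for illustration; the card numbers are the card brands' published test numbers, not real accounts.

```python
"""PAN discovery check for a donor database, plus the tokenized storage shape
that keeps raw card numbers out of your own systems.

Added example, not from the original article. Record fields, the
`processor_token` name and the sample records are constructed for
illustration; the card numbers are the brands' published test numbers.
"""
import re

# 13-19 digits, optionally separated by spaces or hyphens, and not embedded in
# a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit, used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit strings in `text` that look like card numbers and pass Luhn."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records: list[dict]) -> dict[str, list[str]]:
    """Map record id -> PANs found in any string field of that record.

    A non-empty result means you are storing cardholder data: SAQ D territory.
    """
    hits = {}
    for rec in records:
        pans = []
        for value in rec.values():
            if isinstance(value, str):
                pans.extend(find_pans(value))
        if pans:
            hits[rec["id"]] = pans
    return hits


def truncate_pan(pan: str) -> str:
    """First six and last four digits only: the most PCI DSS allows to be
    displayed, and a truncated PAN is no longer cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenized_record(donor_id: str, processor_token: str, last4: str,
                     exp_month: int, exp_year: int) -> dict:
    """A recurring-donation record when the processor holds the card: a token
    the processor can charge again, plus display-only fields. No PAN here."""
    return {"id": donor_id, "processor_token": processor_token,
            "card_last4": last4, "exp": f"{exp_month:02d}/{exp_year}"}


# Constructed sample records (assumed shape, for illustration only).
SAMPLE_RECORDS = [
    # A staff member pasted the card number into a free-text field: this one
    # field puts the whole donor database in scope.
    {"id": "donor-001", "name": "A. Donor",
     "notes": "monthly $25, card 4111 1111 1111 1111 exp 12/27"},
    # Sixteen digits that are not a card number: fails Luhn, so not flagged.
    {"id": "donor-002", "name": "B. Donor",
     "notes": "order ref 1234567890123456"},
    # The outsourced model: only a token and display details are stored.
    tokenized_record("donor-003", "tok_example_9f3a", "0005", 12, 2027),
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS))
```

Run this kind of scan over database dumps, log files, support-ticket text and spreadsheet exports, not just the fields you expect to hold payment data; free-text notes fields are where card numbers usually turn up. The regex is deliberately coarse and the Luhn check removes most false positives, so anything it reports is worth looking at by hand.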
In addition to the social, mobile and Web giving features and the administrative enhancements, reliable online fundraising tool providers spend significant effort making sure the back-end payment processing part of their service is robust, safe and secure.
Ask your processing partner if it is PCI-compliant
Talk to your credit card processing partner about its level of PCI DSS compliance, and ask to see its current Attestation of Compliance (AOC), which states when it was assessed and which services the assessment covered. Most services that have been around for a while are compliant at some level, although not all are validated at Service Provider Level 1, which requires an annual on-site assessment by a Qualified Security Assessor, because of the cost and rigour of maintaining that validation every year. Some newer and very small services may not have validated their compliance at all yet. Visa's Global Registry of Service Providers, its list of PCI DSS validated service providers, is a good place to check whether a provider is listed and when its validation expires, and a useful starting point for learning about PCI DSS compliance and credit card security.
This article should get you thinking about back-office security and the compliance process, and give an overview of why PCI DSS compliance matters. Most of us in fundraising don't have to be experts on this, but a baseline of knowledge is always useful.