An Overview of Secure Credit Card Donation Processing & PCI Compliance
When you look at the online fundraising tools your organization uses, it is natural to focus on the donor-facing pages and the administrative screens your staff work in every day. The back office, however, including the credit card processing pipeline and the infrastructure behind it, is what actually determines how secure your service is and how safe your donors' personal and payment information is.
We typically give little thought to this part of an online donation-processing system until something goes wrong, as it has recently in several high-profile breaches at major for-profit companies.
The reality is that online credit card processing can be very safe and secure when it is done properly, thanks in large part to the Payment Card Industry Data Security Standard (PCI DSS) created by the PCI Security Standards Council (PCI SSC). The PCI SSC was formed by the major card brands to unify their separate security programs into one standard. Its objective is to protect sensitive cardholder data and reduce card fraud.
You definitely don’t need to become a certified expert in credit card processing, but it’s good to know about best practices for credit card security so you ask the right questions of your donation-processing provider and are knowledgeable when talking about this with your staff, supporters and board members.
So what is PCI compliance all about?
PCI DSS seeks to ensure that sensitive data such as card numbers and the personally identifiable information that accompanies them are handled only by systems and processes with appropriate technical and physical security controls. Any entity that stores, processes or transmits payment cardholder data must comply with it. For merchants there are four compliance levels, assigned by each card brand mainly on the basis of annual transaction volume, with e-commerce (card-not-present) transactions counted separately from in-person (card-present) ones. Service providers that process cards on behalf of merchants have their own, separate level scheme.
PCI Level 1 is the most rigorous merchant level and, under Visa's rules, applies to merchants that process more than 6 million Visa transactions annually (the other brands use similar thresholds). PCI Level 4, the least stringent level, applies to merchants processing fewer than 20,000 Visa e-commerce transactions and up to 1 million Visa transactions in total annually. Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA); lower levels validate with an annual Self-Assessment Questionnaire (SAQ). PCIComplianceGuide.org provides a complete breakdown of the compliance levels.
Whatever your level, what you do with card numbers determines how much of the standard applies to you. If your organization stores card numbers (or otherwise handles them on its own systems), those systems are fully in scope for PCI DSS regardless of transaction volume: you are no longer eligible for the short questionnaire available to merchants that fully outsource card handling, and you must validate against the full set of requirements, including quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and, at Level 1 or when your acquirer requires it, an annual on-site assessment. That is very costly. So even if you process only 10,000 transactions a year, storing card numbers yourself brings most of the standard's cost and rigor onto your organization.
If instead a third party stores the card data and handles recurring billing (e.g., Artez Interactive), and card numbers never touch your own systems, you drop into a much smaller scope that requires only that you complete the appropriate SAQ annually. Most payment service providers can support recurring billing this way if you discuss your requirements with them.
Beyond the social, mobile and Web giving features and the administrative enhancements, reliable online fundraising tool providers spend significant effort ensuring that the back-end processing component of their service is robust, safe and secure.
Ask your processing partner if it is PCI-compliant
Talk to your credit card processing partner about its level of PCI compliance, and ask to see its current Attestation of Compliance (AOC) rather than taking a verbal assurance. Most services that have been around for a while are PCI-compliant at some level, although not all have validated at Level 1 because of the cost and rigor required to maintain that certification every year. You may find that some newer and very small services have not yet completed a PCI validation at all. Visa's list of PCI DSS Validated Service Providers is a good resource for checking a provider's status and for learning more about PCI DSS compliance and card security.
This article should get you thinking about back-office security and the compliance process, and give you an overview of why PCI DSS compliance matters. Most of us in fundraising do not need to be experts on this, but it is always good to have a baseline of knowledge.
Mark Sutton is president of Artez Interactive.