Wednesday, October 5, 2011
PCI compliance and nonprofits
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that every organization that processes, stores or transmits credit card data maintains a secure environment. It is a set of rules set forth by the major card brands on how cardholder data must be handled and secured. Basic rules include never storing CVV2 data after a transaction is authorized (the three-digit code on the back of most cards, or the four-digit code on the front of American Express cards), rendering any stored card number unreadable (for example by truncation, tokenization or encryption) and encrypting card numbers as they are passed over public networks for processing.
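The two storage rules above are easy to get wrong in a donation form's back end, so here is an added example (not code from the original post or from 4aGoodCause) of what a record should look like before it is written to a database: the CVV2 and other sensitive authentication data are dropped, the card number is Luhn-checked and truncated to the first six and last four digits (the maximum PCI DSS permits to be displayed), and the processor URL is refused unless it uses TLS. Function names, the field names and the sample donation record are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Sensitive authentication data: PCI DSS forbids storing any of these after
# authorization, even encrypted. Field names are assumed for this example.
FORBIDDEN_AFTER_AUTH = frozenset({"cvv2", "cvc2", "cid", "pin", "track1", "track2"})


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS lets you show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Strip sensitive authentication data and replace the full PAN with a masked one.

    Raises ValueError if the card number is not a plausible PAN, so garbage
    never reaches the database either.
    """
    pan = re.sub(r"[ -]", "", record["pan"])
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("invalid card number")
    safe = {k: v for k, v in record.items()
            if k.lower() not in FORBIDDEN_AFTER_AUTH and k != "pan"}
    safe["pan_masked"] = mask_pan(pan)
    return safe


def transport_is_encrypted(processor_url: str) -> bool:
    """Only hand card data to an https:// endpoint (encrypted in transit)."""
    return urlparse(processor_url).scheme == "https"


if __name__ == "__main__":
    # Constructed sample donation; 4111111111111111 is the well-known Visa test number.
    donation = {"name": "Test Donor", "pan": "4111 1111 1111 1111",
                "exp": "12/29", "cvv2": "123", "amount": "25.00"}
    print(sanitize_for_storage(donation))
    print(transport_is_encrypted("https://gateway.example/charge"))
```

The CVV2 is still needed to authorize the charge, so it lives only in memory for the duration of the request to the processor; what this function returns is the only form the record may take at rest.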
Does this apply to my nonprofit?
Yes. If your organization accepts credit cards, online or otherwise, then you must comply with these rules. If you are not in compliance, you may face higher merchant processing fees or fines, and in the event of a breach you can be held liable for the resulting costs.
How does one become compliant?
You will normally be contacted by your merchant account provider or a company it has hired to handle the compliance process. It is the responsibility of each merchant account provider to make sure that the merchants it works with are compliant. Providers normally outsource the validation of your security procedures to a security company such as Trustwave, ControlScan or McAfee. For nonprofits that handle a small volume of transactions each year, getting compliant normally means completing a Self-Assessment Questionnaire (SAQ) and submitting to a quarterly external vulnerability scan performed by an Approved Scanning Vendor (ASV). The questionnaire walks you through the rules and policies governing card handling, while the scan checks that your Internet-facing systems have no known vulnerabilities. You will typically pay a small fee each month to maintain your compliance.
Is 4aGoodCause PCI DSS compliant?
Yes, our service is PCI DSS compliant. Some nonprofits ask whether using a service like ours exempts them from going through the compliance process. It does not. Letting a compliant service provider collect and process the card data on your behalf keeps cardholder data off your own systems, which reduces your risk exposure and usually lets you validate with a shorter questionnaire, but you must still complete the validation and follow the rules for what remains in your hands (for example, never writing down or emailing full card numbers).
Visit http://www.pcicomplianceguide.org or http://www.pcisecuritystandards.org to learn more about PCI DSS.
If you have any questions about PCI DSS or if you have been contacted by your merchant account provider about it and are unsure what to do, please feel free to get in touch.