As the web has matured, breaches of personal information have become more and more commonplace. Those breaches have also become much more substantial, with examples like those that hit Equifax and Target in recent years making major news and causing users to take actions such as putting freezes on their credit and changing their online shopping habits. How private data is stored and secured has become a hot-button issue for most users today, and it is not going away. The recent news about Facebook’s use of personal information, even though it did not involve credit card data, still created headlines around the globe. A right to online data privacy is something many users now feel they are owed and have begun to expect from the organizations they do business with.
So, how can you make sure you are doing your part to keep constituent data private and reduce the risk of breaches? This article will discuss some steps your organization can take in this increasingly volatile online giving environment.
Let’s talk specifically about cardholder data for a moment. This information is, along with Social Security numbers, the most impactful to your constituents in the event of a breach, as it can mean direct financial consequences for them and their families. This data also holds the most risk for the card brands and issuers, which is why back in 2004 the major payment card brands banded together to publish the Payment Card Industry Data Security Standard, or PCI DSS.
What is PCI DSS?
PCI DSS is the set of requirements that establishes a minimum level of security for how payment card information may be transmitted, processed and stored. The standard has gone through regular revisions since its inception in 2004 (at the time of writing it is on version 3.2.1) to adapt to the changing needs of online transactions, and to respond to changes in the way sites are secured as a result of major breaches. One such revision, v3.2 released in April 2016, incorporated some lessons learned from the Target breach in 2013. A key one was that a page which merely redirects or links to a payment form, or which embeds a payment form served by a third party, can still bring the referring website into scope for PCI DSS. It is this detail that changed the game for nonprofits taking donations online.
How does this impact nonprofits?
Unlike major online eCommerce retailers that run their own payment systems on their websites, nonprofit organizations almost universally rely on external services and merchant providers for online giving. Whether that is PayPal, Stripe or Blackbaud, to name a few, nonprofits depend on these services so that credit cards can be accepted online. Under the latest PCI specifications, it is no longer as simple as embedding a giving form on a site, whether that form comes from Blackbaud Online Express, PayPal, or some other platform. The moment that form exists within your site and a user is entering their credit card data into it, your site becomes responsible for maintaining a certain level of PCI compliance to protect that data and the resulting transaction. How much of your site is in scope depends on how the form is delivered: a full redirect to, or an iframe served entirely by, a PCI-compliant provider keeps the merchant eligible for the simpler self-assessment (SAQ A), whereas card-entry fields that live in your own page and post to the provider (the "direct post" or JavaScript-embedded pattern) fall under SAQ A-EP, which carries considerably more requirements for the web server itself.
What happens if I am not PCI compliant?
The risk to your organization from not being PCI compliant is substantial. Card brands may forbid you from processing their cards going forward, and your acquiring bank may pass along monetary penalties. And if a breach did occur, there is the immeasurable impact of lost donations due to a shattering of trust between your organization and the constituents giving online.
So how do I protect my constituents and become PCI compliant?
PCI compliance is a matter of establishing a basic level of data security; the full standard, the Self-Assessment Questionnaires (SAQs) and supporting guidance are published by the PCI Security Standards Council at https://www.pcisecuritystandards.org. For an organization that outsources all card handling, compliance usually means completing the applicable SAQ each year and, for some SAQ types, passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), rather than undergoing a full on-site audit. That said, for many organizations the staff may not exist to handle even these tasks, or you may already be at risk because you are currently hosting a form on your non-compliant site and you need a solution yesterday. Thankfully, most companies that serve up giving forms online have solutions in place to remedy this need.
Here are a few additional tips for ensuring PCI compliance:
- Use a technology provider that supplies a complete digital ecosystem from forms to payments, so card data never touches your own servers
- Choose a secure hosting environment that implements PCI-compliant security measures on your site, removing the burden from your organization to secure and maintain your own website
- Partner with a website vendor with PCI compliance expertise to ensure you’ve thought through everything, particularly if you use multiple systems to process credit cards, and ask each payment provider for its current Attestation of Compliance (AOC) so you can document the controls you are relying on