PCI Compliance: Is Your Website Keeping Your Constituent Data Safe? | npENGAGE


By on Aug 1, 2018


PCI compliance and nonprofit data

As the web has matured, breaches of personal information have become more and more commonplace. Those breaches have also become far larger, with examples like the Equifax and Target incidents in recent years making major news and prompting users to take actions such as freezing their credit and changing their online shopping habits. How private data is stored and secured has become a hot-button issue for most users today, and it is not going away. The recent news about Facebook’s use of personal information, even though it did not involve credit card data, still made headlines around the globe. A right to online data privacy is something many users now feel they are owed and have begun to expect from the organizations they do business with.

So, how can you make sure you are doing your part to keep constituent data private and reduce the risk of breaches? This article will discuss some steps your organization can take in this increasingly volatile online giving environment.

Let’s talk specifically about cardholder data for a moment. Along with Social Security numbers, this information is the most damaging to your constituents in the event of a breach, as it can have direct financial consequences for them and their families. This data also carries the most risk for credit card issuers, which is why back in 2004 the major credit card issuers and merchants banded together to create the Payment Card Industry Data Security Standard, or PCI DSS.

What is PCI DSS?

PCI DSS is the set of rules that establishes a minimum level of security for how payment card information may be transmitted and stored. The standard has gone through regular revisions since its inception in 2004 (it is now on version 3.2.1) to adapt to the changing needs of online transactions and to respond to changes in how sites are secured in the wake of major breaches. One such revision, v3.2, released in April 2016, incorporated lessons learned from the 2013 Target breach. A key lesson was that links referring users to payment forms, or payment forms embedded in a page but served by a third party, can bring a website into the scope of PCI DSS. It is this detail that changed the game for nonprofits taking donations online.

How does this impact nonprofits?

Unlike major online eCommerce retailers that run their own payment systems on their websites, nonprofit organizations almost universally rely on external services and merchants to provide online giving. Whether that is PayPal, Stripe, or Blackbaud, to name a few, nonprofits depend on these services so that credit cards can be accepted online. Under the latest PCI specifications, it is no longer as simple as embedding a giving form on a site, whether that form comes from Blackbaud Online Express, PayPal, or some other platform. The moment that form exists within your site and a user is entering credit card data into it, your site becomes responsible for maintaining a certain level of PCI compliance to protect that data and the resulting transaction.
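One way to take stock of which of your pages carry this exposure, as an added example that is not code from the original post or from Blackbaud: it scans a page's HTML for the three situations described above (card fields served by your own page, an embedded third-party form, and a link that refers users to a payment form) and also flags plain http:// references. The payment hostnames and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Giving platforms your site integrates with (constructed placeholder hostnames).
PAYMENT_HOSTS = {"pay.example-giving.org", "checkout.example-processor.com"}
# Attribute fragments that suggest a card field rendered by your own page.
CARD_FIELD_HINTS = ("cardnumber", "card-number", "card_number", "ccnumber", "cvv", "cvc")

class PaymentScopeParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.card_fields = []      # card inputs served by this page itself
        self.embedded_forms = []   # <iframe> sourced from a payment host
        self.referring_links = []  # <a> links that send the user to a payment host
        self.insecure = []         # http:// references that would travel in the clear

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}  # bare attributes parse as None
        if tag == "input":
            key = (a.get("name", "") + a.get("id", "") + a.get("autocomplete", "")).lower()
            if a.get("autocomplete", "").startswith("cc-") or any(h in key for h in CARD_FIELD_HINTS):
                self.card_fields.append(a.get("name") or a.get("id") or "unnamed")
        elif tag in ("iframe", "a"):
            url = a.get("src" if tag == "iframe" else "href", "")
            parsed = urlparse(url)
            if parsed.scheme == "http":
                self.insecure.append(url)
            if parsed.hostname in PAYMENT_HOSTS:
                (self.embedded_forms if tag == "iframe" else self.referring_links).append(url)

def classify_page(html):
    """Return the page's payment exposure, reporting the most serious finding as its scope."""
    p = PaymentScopeParser()
    p.feed(html)
    if p.card_fields:
        scope = "card data entered directly on this page: the site itself handles cardholder data"
    elif p.embedded_forms:
        scope = "third-party form embedded in this page: the page is in PCI scope"
    elif p.referring_links:
        scope = "page refers users to a third-party payment page: the referring page is in scope"
    else:
        scope = "no payment content found"
    return {"scope": scope, "card_fields": p.card_fields, "embedded_forms": p.embedded_forms,
            "referring_links": p.referring_links, "insecure": p.insecure}

# Constructed sample donation page, not taken from any real site.
SAMPLE_DONATE_PAGE = """<h1>Give today</h1>
<iframe src="https://pay.example-giving.org/form/123"></iframe>
<a href="http://checkout.example-processor.com/donate">Give by card instead</a>"""
```

Run `classify_page` over the HTML of each page on your site and keep the resulting inventory; any page with a non-empty result is one to raise with your giving-form vendor.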

What happens if I am not PCI compliant?

The risk to your organization from not being PCI compliant is substantial: card issuers may forbid you from processing their cards going forward, and you may be subject to monetary penalties. And if a breach did occur, there is the unmeasurable impact of lost donations due to a shattering of trust between your organization and the constituents giving online.

So how do I protect my constituents and become PCI compliant?

PCI compliance is a matter of establishing a basic level of data security, all of which can be researched further at https://www.pcisecuritystandards.org. That said, many organizations may not have the staff to handle these compliance tasks, or you may already be at risk because you are currently hosting a form on a non-compliant site and need a solution yesterday. Thankfully, most companies that serve giving forms online have solutions in place to address this need.

Here are a few additional tips for ensuring PCI compliance:


Since joining Blackbaud 8 years ago, I’ve been involved purely within the various incarnations of Blackbaud Internet Services. During that time, I have moved from an Interactive Designer I to my current role as an Interactive Development Manager, managing a passionate group of creatives and developers. My career up to this point has felt very organic; I have naturally grown into this sort of role, and feel privileged to be able to help manage such an amazing group. With that in mind, I in turn am growing the talent on my team to allow those with the will and determination to be more than simply an individual contributor the chance to be put in situations in which they can gain new experiences, recognition, and the chance to improve their soft skills in leadership and customer relations. These are the same sort of opportunities I was given in my career that have allowed me to grow and advance at Blackbaud, and now I am trying to pay that forward.

Outside of Blackbaud, my wife and I have a 2-year-old boy who is simply amazing. We try to do as many outdoor activities as we can as a family – camping, hiking, boating, fishing, etc. I’m an active volunteer in my local church, playing bass in the worship team. Finally, I am an avid homebrewer and have often found myself with the good problem of having far too much beer on hand.
