PCI Compliance
This article will help you understand the scope of the rules around PCI Compliance, how GiveWP helps with it, what is outside the scope of GiveWP’s role, and how you can learn more.
What is PCI Compliance?
In the words of the PCI Security Standards website itself:
“The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”
The main concern around PCI Compliance is preventing fraud, whether it involves customer credentials and personal details or credit card data. It is essentially a list of rules and standards which reflect how well your whole organization is protecting the sensitive data of any person you gather any kind of information on.
Specifically, when it comes to online donations PCI Compliance is concerned with how the donor’s personal and credit card information is stored and protected.
Protection of online donor information and data is something every nonprofit organization should prioritize.
Do I have to be PCI Compliant?
Broadly speaking, anyone who collects sensitive, personal information from their site visitors should have an eye on compliance. More specifically, if you are transmitting credit card data via your website, then yes, your website should be what’s called PCI-DSS compliant.
You can avoid this requirement by having your entire donation page hosted by a third party, or by pushing all donation activity to a third-party website. Most commonly, this is done with something like PayPal Standard, which collects and processes payment information on its own site.
At GiveWP, we always want to remind organizations that donors are far less likely to complete their donation if they are routed away from your branded website. So while this is an option to avoid PCI-DSS requirements, it is likely not optimal for your revenue.
If you choose to collect donations on your website, make sure to be aware of your compliance.
How do I check my compliance?
The latest version of PCI Compliance is PCI DSS 3.2. This new standard has two primary levels of PCI Compliance for anyone processing online payments: SAQ A, and SAQ A-EP.
How do you know which is right for you? The best way is to review their self-assessment questionnaires.
Choosing the level that suits your organization will determine how you want to collect your online donations. Different collection methods fit different compliance levels.
How does GiveWP handle PCI Compliance?
The first thing to keep in mind regarding your organization’s PCI compliance is that it is a far broader question than simply the donation form on your website.
There are six different areas that PCI compliance is concerned with. Only some of them are related to your donation form. Ultimately, compliance is the responsibility of you and your organization, but we can provide general advice and guidance. It’s important to know that while GiveWP is not PCI-DSS certified, we do everything we can to ensure GiveWP is not a hindrance to your organization’s PCI compliance.
Let’s review the twelve core requirements that make up those six areas of concern, and how GiveWP fits into the scope of each. Each item will first state whether it is “Part of scope” or “Out of scope” for GiveWP. “Part of scope” means that it relates directly to what GiveWP does, but not exclusively. “Out of scope” means it has nothing to do with GiveWP’s functionality at all.
PCI-DSS Core Requirements
1. Install and maintain a firewall configuration to protect cardholder data
Out of scope
This is the responsibility of how you are hosting your data. Having a reliable and PCI compliant web host who can provide or support a dedicated firewall is what will help you most here.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Out of scope
This is your responsibility when configuring your web-hosting environment.
3. Protect stored cardholder data
Part of scope
GiveWP helps with this by ensuring this data is never stored on your server; instead, it is transmitted encrypted (over your SSL certificate) directly to the payment gateway’s API.
4. Encrypt transmission of cardholder data across open, public networks
Out of scope
It is your responsibility to work with your hosting provider to have an SSL certificate for your website and ensure all traffic is routed over HTTPS only. We have a guide on all things SSL which should help with the transition. Our Priority Support also assists with insight and resources to help you make sure your connection with the payment gateway is encrypted properly.
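One way to enforce the “HTTPS only” part of this requirement on a WordPress site, as an added example that is not GiveWP’s own code: force the dashboard onto HTTPS, redirect any plain-HTTP front-end request (including donation forms), and send an HSTS header so browsers stop trying plain HTTP at all. It assumes your host already serves a valid certificate for the site’s hostname.

```php
<?php
// Added example, not part of GiveWP. FORCE_SSL_ADMIN normally belongs in
// wp-config.php; the two hooks can live in a small must-use plugin.
// Caveat: behind a TLS-terminating proxy or CDN, is_ssl() only returns true
// if $_SERVER['HTTPS'] is set from X-Forwarded-Proto in wp-config.php first;
// otherwise the redirect below would loop.

// Keep wp-admin and wp-login on HTTPS even when a link points at http://.
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
    define( 'FORCE_SSL_ADMIN', true );
}

// Redirect every plain-HTTP front-end request to the same URL over HTTPS.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    // home_url() keeps the redirect on this site; wp_safe_redirect() rejects
    // any host that is not on the allowed list.
    $target = set_url_scheme( home_url( $_SERVER['REQUEST_URI'] ), 'https' );
    wp_safe_redirect( $target, 301 );
    exit;
} );

// HSTS: tell browsers to refuse plain HTTP for this host for one year, so a
// mistyped http:// link never sends donor data in the clear.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

Verify the result from outside the site: an http:// request to the donation page should answer with a 301 to the https:// URL, and the https:// response should carry the Strict-Transport-Security header.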
5. Use and regularly update anti-virus software
Out of scope
It is your responsibility to ensure all your organization’s local computers have anti-virus software.
6. Develop and maintain secure systems and applications
Out of scope
It is your responsibility to work with your hosting provider to ensure you have strong and effective security measures.
7. Restrict access to cardholder data by business need-to-know
Part of scope
GiveWP provides a WordPress login function and leverages WordPress’ user roles and capabilities so you can properly manage all user accounts on your site to effectively restrict access to donor information.
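The pattern described above, as an added example that is not GiveWP’s own code: a narrow “Donor Manager” role with a dedicated capability, an admin screen gated on that capability rather than on a role name, and a log line recording who opened it. The capability name view_donor_records, the role donor_manager and the screen callback are hypothetical.

```php
<?php
// Added example, not part of GiveWP. Hypothetical capability/role names.

// Create a dedicated role so donor-data access does not require Administrator.
// add_role() persists the role, so this runs once; get_role() keeps it idempotent.
add_action( 'init', function () {
    if ( ! get_role( 'donor_manager' ) ) {
        add_role( 'donor_manager', 'Donor Manager', array(
            'read'               => true,
            'view_donor_records' => true,
        ) );
    }
    // Administrators keep the capability so the site owner is never locked out.
    $admin = get_role( 'administrator' );
    if ( $admin && ! $admin->has_cap( 'view_donor_records' ) ) {
        $admin->add_cap( 'view_donor_records' );
    }
} );

// Screen callback: check the capability (never the role name), record the
// access so it is trackable, then show which accounts currently hold access.
function render_donor_access_report() {
    if ( ! current_user_can( 'view_donor_records' ) ) {
        wp_die( 'You do not have permission to view donor records.', 'Forbidden', array( 'response' => 403 ) );
    }
    error_log( sprintf(
        'donor records screen opened by user #%d (%s)',
        get_current_user_id(),
        wp_get_current_user()->user_login
    ) );
    echo '<h1>Accounts that can view donor records</h1><ul>';
    // 'capability' query arg requires WordPress 5.9 or newer.
    foreach ( get_users( array( 'capability' => 'view_donor_records' ) ) as $user ) {
        echo '<li>' . esc_html( $user->user_login ) . '</li>';
    }
    echo '</ul>';
}

// WordPress hides the menu entry and blocks the URL for users lacking the capability.
add_action( 'admin_menu', function () {
    add_menu_page( 'Donor Records', 'Donor Records', 'view_donor_records',
        'donor-records', 'render_donor_access_report' );
} );
```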
8. Assign a unique ID to each person with computer access
Out of scope
This is the responsibility of whoever manages your organization’s internal network. Ensure each user has their own unique credentials and that their activity is trackable, so that they can be held accountable for their actions.
9. Restrict physical access to cardholder data
Out of scope
Because GiveWP does not store this data in any way, you are responsible for making sure you control who can and cannot access credit card information.
10. Track and monitor all access to network resources and cardholder data
Out of scope
This is the responsibility of your internal network admins and/or your hosting provider.
11. Regularly test security systems and processes
Out of scope
Use an ASV (approved scanning vendor) to regularly scan your site for issues.
12. Maintain a policy that addresses information security
Out of scope
Creating, maintaining, and distributing these kinds of policies is the responsibility of you and your administrative staff.
GiveWP’s role in your overall PCI compliance is relatively limited. This is done intentionally in order to limit your liability and in order for you to have fewer things to be concerned with.
Where can I learn more about PCI Compliance?
If you have additional questions regarding PCI Compliance, we highly recommend reaching out directly to the PCI Security Standards team via their website. While our Priority Support is happy to provide you with any knowledge and insight, they are the experts and authority on the matter.
Here are other articles we find particularly insightful and useful:
- Sucuri has several very useful articles on this subject and they are writing more on it continually. Here are a few:
  - Navigating PCI Self Assessment Questionnaires
  - Intro to E-Commerce and PCI Compliance
- PCI for SMBs: The Center for Nonprofit Excellence has a nice “Easy Reference Guide”
- SUMAC provides training and webinars for nonprofits seeking official PCI compliance