This article will help you understand the scope of the rules around PCI Compliance, how Give helps with it, what is outside the scope of Give’s role, and how you can learn more.

What is PCI Compliance?

In the words of the PCI Security Standards website itself:

“The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”

The main concern around PCI Compliance is preventing fraud, whether it involves customer passwords and personal details or credit card data. It is essentially a list of rules and standards which reflect how well your whole organization is protecting the sensitive data of any person you gather any kind of information on.

Specifically, when it comes to online donations PCI Compliance is concerned with how the donor’s personal and credit card information is stored and protected.

Protection of online donor information and data is something every nonprofit organization should prioritize.

Do I have to be PCI Compliant?

Broadly speaking, anyone who collects sensitive, personal information from their site visitors should have an eye on compliance. More specifically, if you are transmitting credit card data via your website, then yes, your website should be what’s called PCI-DSS compliant.

You can avoid this requirement. One way to avoid a PCI-DSS requirement is to have your entire donation page hosted by a third party, or to push all donation activity to a third-party website. Most commonly, this is done with something like PayPal Standard, which collects and processes payment information on its own site.

At Give, we always want to remind organizations that donors are far less likely to complete their donation if they are routed away from your branded website. So while this is an option to avoid PCI-DSS requirements, it is likely not optimal for your revenue.

If you choose to collect donations on your website, make sure to be aware of your compliance.

How do I check my compliance?

The latest version of PCI Compliance is PCI DSS 3.2. This new standard has two primary levels of PCI Compliance for anyone processing online payments: SAQ A, and SAQ A-EP.

How do you know which is right for you? The best way is to review their self-assessment questionnaires.

  1. SAQ A Questionnaire
  2. SAQ A-EP Questionnaire

Choosing the level that suits your organization will determine how you want to collect your online donations. Different collection methods fit different compliance levels.

How does Give handle PCI Compliance?

The first thing to keep in mind regarding your organization’s PCI compliance is that it is a far broader question than simply the donation form on your website.

There are six different areas that PCI compliance is concerned with. Only some of them are related to your donation form. Ultimately, compliance is the responsibility of you and your organization, but we can provide general advice and guidance. It’s important to know that while Give is not PCI-DSS certified, we do everything we can to ensure Give is not a hindrance to your organization’s PCI compliance.

Let’s review the six areas of concern for compliance and how Give fits into the scope of it. Each item will first describe whether it is “Part of scope” or “Out of scope” for Give. “Part of scope” means that it relates directly to what Give does but not exclusively. “Out of Scope” means it has nothing to do with Give’s functionality at all.

PCI-DSS Core Requirements

1. Install and maintain a firewall configuration to protect cardholder data

Out of scope

This depends on how and where you host your data. Having a reliable and PCI compliant web host who can provide or support a dedicated firewall is what will help you most here.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Out of scope

This is your responsibility when configuring your web-hosting environment.

3. Protect stored cardholder data

Part of scope

Give helps with this by ensuring this data is never stored on your server; instead it is transmitted encrypted (using your SSL certificate) to the payment gateway’s API.

4. Encrypt transmission of cardholder data across open, public networks

Out of scope

It is your responsibility to work with your hosting provider to have an SSL certificate for your website and ensure all traffic is routed over HTTPS only. We have a guide on all things SSL which should help with the transition. Our Priority Support also assists with insight and resources to help you make sure your connection with the payment gateway is encrypted properly.

5. Use and regularly update anti-virus software

Out of scope

It is your responsibility to ensure all your organization’s local computers have anti-virus software.

6. Develop and maintain secure systems and applications

Out of scope

It is your responsibility to work with your hosting provider to ensure you have strong and effective security measures.

7. Restrict access to cardholder data by business need-to-know

Part of scope

Give provides a WordPress login function and leverages WordPress’ user roles and capabilities so you can properly manage all user accounts on your site to effectively restrict access to donor information.

8. Assign a unique ID to each person with computer access

Out of scope

This is the responsibility of whoever manages your organization’s internal network. Ensure each user has their own unique credentials and that their activity is trackable, so that they can be held accountable for their actions.

9. Restrict physical access to cardholder data

Out of scope

Because Give does not store this data in any way, you are responsible for making sure you control who can and cannot access credit card information.

10. Track and monitor all access to network resources and cardholder data

Out of scope

This is the responsibility of your internal network admins and/or your hosting provider.

11. Regularly test security systems and processes

Out of scope

Use an ASV (approved scanning vendor) to regularly scan your site for issues.

12. Maintain a policy that addresses information security

Out of scope

Creating, maintaining, and distributing these kinds of policies is the responsibility of you and your administrative staff.

Give’s role in your overall PCI compliance is relatively limited. This is done intentionally in order to limit your liability and in order for you to have fewer things to be concerned with.

Where can I learn more about PCI Compliance?

If you have additional questions regarding PCI Compliance, we highly recommend reaching out directly to the PCI Security Standards team via their website. While our Priority Support is happy to provide you with any knowledge and insight, they are the experts and authority on the matter.

Here are other articles we find particularly insightful and useful: