With the introduction of new PCI compliance requirements, understanding what’s required of your nonprofit is critical to avoid costly penalties or frozen payment processing. Note: Depending on what donation platform you use, this may be a light lift or a heavy lift.
With Fundraise Up, it’s as simple as completing an SAQ A form. But other donation platforms require a significant amount of work. So if you’re using another donation platform, let’s walk through what’s expected and how to get this done before the deadline of March 31.
Recap: What is PCI compliance for nonprofits?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security guidelines created to protect cardholder data during and after a financial transaction. Nonprofit compliance ensures that organizations handling credit card information — like nonprofits accepting online donations — have measures in place to reduce the risk of breaches and fraud.
Follow this plan of action for PCI compliance
Step 1: Understand Your Role
- Assess whether your organization directly processes, transmits, or stores cardholder data.
- If you rely on a third-party processor, identify whether you’re using custom JavaScript on your donation and payment pages. If you are, proceed to Step 2.
Per Requirement 6.4.3: JavaScript embedded in your website, especially on payment pages, can introduce vulnerabilities. PCI DSS 4.0 requires organizations to manage and secure those scripts to prevent data breaches.
Step 2: Manually inventory JavaScript files:
- Identify all JavaScript files on web pages that link to or contain payment forms.
- Maintain an up-to-date list of these scripts, noting their source and purpose.
Step 3: Authorize each script:
- Review and explicitly approve the use of each JavaScript file to ensure it is necessary and secure.
Step 4: Implement a content security policy (CSP):
- A CSP restricts which JavaScript files are allowed to execute on your website.
- Configure your CSP to whitelist only authorized scripts, blocking unauthorized or potentially harmful ones.
Per Requirement 11.6.1, nonprofits are required to ensure web pages, including payment forms, remain secure by detecting unauthorized changes.
Step 5: Implement monitoring solutions:
- Use automated services to continuously monitor web pages and scripts for unauthorized modifications or tampering.
Step 6: Detect and respond:
- Ensure your chosen solution provides real-time alerts for unauthorized changes, allowing you to respond quickly and mitigate risks.
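Steps 2 through 6 are one workflow: inventory the scripts on a payment page, check each against an explicitly approved list, express the approved set as a Content Security Policy, and then re-inventory the live page on a schedule to detect additions or modifications. The Python script below walks through that workflow end to end. It is an added example written for this page, not code from the original article or from Fundraise Up; the donation page HTML, the script bodies, the hostnames (`js.payment-processor.test`, `cdn.analytics.invalid`) and the approved-purpose list are all constructed, and a real monitor would fetch the page and its scripts over HTTPS as a donor's browser would instead of reading them from dictionaries.

```python
"""Script inventory, authorization, CSP generation and tamper detection
for a payment page (PCI DSS 4.0 Requirements 6.4.3 and 11.6.1).
Constructed example: the HTML, script bodies and hostnames are made up."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed baseline of the donation page as last reviewed and approved.
BASELINE_HTML = """<html><head>
<script src="https://js.payment-processor.test/checkout.js"></script>
<script>window.donateConfig = {currency: "USD"};</script>
</head><body><form id="donate"></form>
<script src="/static/donate-form.js"></script>
</body></html>"""

# Constructed script bodies, standing in for what a fetch would return.
BASELINE_SCRIPTS = {
    "https://js.payment-processor.test/checkout.js": b"/* tokenises card fields */",
    "/static/donate-form.js": b"/* validates the donation form */",
}

# Step 3: an explicit, human-approved purpose for every script location
# (inline scripts are keyed inline#N in document order).
APPROVED_PURPOSE = {
    "https://js.payment-processor.test/checkout.js": "processor card tokenisation",
    "inline#1": "donation form configuration",
    "/static/donate-form.js": "form validation",
}

# Constructed "live" page for the monitoring step: one extra script has
# appeared and the processor's script body no longer matches the baseline.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://cdn.analytics.invalid/pixel.js"></script></body>')
TAMPERED_SCRIPTS = {
    "https://js.payment-processor.test/checkout.js": b"/* tokenises card fields */ /* changed */",
    "/static/donate-form.js": b"/* validates the donation form */",
    "https://cdn.analytics.invalid/pixel.js": b"/* not in the approved inventory */",
}


class ScriptCollector(HTMLParser):
    """Collect every <script> element: its external src, or its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:  # only text inside <script>...</script>
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def csp_hash(data: bytes) -> str:
    """Hash token in the form CSP (and SRI) expect: 'sha256-<base64 digest>'."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


def inventory(html: str, fetched: dict) -> dict:
    """Step 2: map each script location on the page to a content hash.
    External scripts are hashed from `fetched` (location -> bytes); a script
    whose body could not be fetched gets None so it still shows up."""
    parser = ScriptCollector()
    parser.feed(html)
    result, n_inline = {}, 0
    for s in parser.scripts:
        if s["src"]:
            body = fetched.get(s["src"])
            result[s["src"]] = csp_hash(body) if body is not None else None
        else:
            n_inline += 1
            result[f"inline#{n_inline}"] = csp_hash(s["body"].encode())
    return result


def authorize(inv: dict, approved: dict) -> list:
    """Step 3: return every inventoried script that has no approved purpose."""
    return [loc for loc in inv if loc not in approved]


def build_csp(inv: dict) -> str:
    """Step 4: a script-src directive allowing only the inventoried scripts:
    hash tokens for inline scripts, origins for external ones; same-origin
    files are covered by 'self'."""
    sources = ["'self'"]
    for loc, h in inv.items():
        parts = urlsplit(loc)
        if loc.startswith("inline#"):
            sources.append(f"'{h}'")
        elif parts.netloc and f"{parts.scheme}://{parts.netloc}" not in sources:
            sources.append(f"{parts.scheme}://{parts.netloc}")
    return "script-src " + " ".join(sources)


def detect_changes(baseline: dict, live: dict) -> dict:
    """Steps 5 and 6: diff a fresh inventory against the approved baseline."""
    return {
        "unauthorized": sorted(loc for loc in live if loc not in baseline),
        "modified": sorted(loc for loc in live if loc in baseline and live[loc] != baseline[loc]),
        "missing": sorted(loc for loc in baseline if loc not in live),
    }


if __name__ == "__main__":
    base = inventory(BASELINE_HTML, BASELINE_SCRIPTS)
    print("unapproved at baseline:", authorize(base, APPROVED_PURPOSE))
    print("Content-Security-Policy:", build_csp(base))
    print("monitor report:", detect_changes(base, inventory(TAMPERED_HTML, TAMPERED_SCRIPTS)))
```

The string returned by `build_csp` is the value of the `Content-Security-Policy` response header; because inline scripts are listed by hash and no `'unsafe-inline'` is present, any inline script that is not in the approved inventory will not execute. The `detect_changes` report is the alert payload for Step 6: an "unauthorized" or "modified" entry means the page no longer matches what was approved, and the hash lets you tell a legitimate vendor update (re-review and re-approve) from an unexpected change (investigate).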
Or, choose a simpler, safer solution
Fundraise Up: PCI compliance out-of-the-box
Nonprofits that work with Fundraise Up just have to complete the SAQ A form. And we have a free template right here.
We’re already a PCI Level 1 certified provider. That eliminates the need for you to manually inventory, authorize, and monitor hundreds (even thousands) of pages with custom JavaScript. Instead, we have trusted partners that automate the processes of:
- JavaScript inventory and authorization
- Content Security Policy configuration
- Real-time anti-tamper monitoring
Get started today
With the right donation platform, PCI compliance doesn’t have to be daunting. In fact, moving from another platform to Fundraise Up will save you a ton of work! We’ve simplified the process so you can focus on your mission. If you have questions, don’t hesitate to reach out for support. Together, let’s build a secure and compliant future for your nonprofit.