Nonprofit compliance: 2025 PCI requirements you need to know

Dec 19, 2024
Ruzida Badrutdinova
Product Marketing Manager

If your nonprofit accepts online donations, PCI compliance is more than just a best practice — it’s a requirement. While the technicalities may feel daunting, understanding the basics is crucial to safeguarding your donors’ trust and their sensitive payment information. Let’s break it down so you know exactly what nonprofit compliance with PCI entails, what your responsibilities are, and what changes are coming in 2025.

What is PCI compliance for nonprofits?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security guidelines created to protect cardholder data during and after a financial transaction. Nonprofit compliance ensures that organizations handling credit card information — like nonprofits accepting online donations — have measures in place to reduce the risk of breaches and fraud.

For nonprofits, PCI data compliance is often simplified because the actual processing of payment data is outsourced to third-party online donation platforms like Fundraise Up or payment processors like Stripe and PayPal. These providers manage much of the heavy lifting for the compliance requirements, but nonprofits still have key responsibilities.

Don’t forget about ISO 27001 certification, either. Bookmark this breakdown.

The new 2025 PCI requirements: breaking it down

Despite existing safeguards, cyberattacks have grown increasingly sophisticated, and this is a driving force behind the new PCI DSS Version 4.0.1, which takes effect on March 31, 2025.

The upcoming changes focus on two key areas: script management and tamper detection.

PCI requirement 6.4.3: inventory and secure scripts

Organizations will need to inventory, authorize, and secure all JavaScript files that load or run on their payment pages, so that the integrity of each script can be verified. This ensures:

  • Only authorized scripts are allowed.
  • Unauthorized changes are detected and addressed quickly.

PCI requirement 11.6.1: anti-tamper detection

This mandates the use of automated tools to monitor payment pages for unauthorized modifications. Such tools alert personnel when the content or headers of a payment page, as delivered to the donor's browser, change without authorization, so tampering is caught before it turns into a breach.

How do nonprofits fit into the PCI compliance ecosystem?

PCI compliance isn’t a solo effort; it involves a collaborative chain of custody. Here’s how the responsibility is shared:

1. Nonprofits

Nonprofits are responsible for ensuring their website and third-party vendors are PCI compliant. This includes:

  • Embedding secure payment forms (like Fundraise Up’s JavaScript).
  • Completing SAQ A annually.
  • Maintaining a secure environment for their website.

2. Solution providers (e.g., Fundraise Up)

These platforms provide the tools nonprofits use to collect donations. Their responsibilities include:

  • Embedding secure JavaScript and ensuring safe transmission of data.
  • Implementing robust security measures to meet PCI standards.

Fundraise Up is fully compliant with 2025 PCI standards. See all our compliances here.

3. Payment processors (e.g., Stripe, PayPal)

The processors handle the actual storage and processing of cardholder data. They adhere to the most stringent PCI standards, including encryption, network security, and regular audits.

Each party’s compliance strengthens the overall system, creating a secure environment for online giving.

A nonprofit compliance checklist for PCI 2025

Nonprofits accepting credit card donations are required to meet specific PCI standards annually. For most, this means completing SAQ A (Self-Assessment Questionnaire A). This is the simplest PCI form and applies to organizations that:

  • Outsource all cardholder data processing to third-party vendors.
  • Do not store, process, or transmit credit card information on their systems or premises.
  • Rely on secure, hosted payment forms or JavaScript embeds (like Fundraise Up’s donation platform).

Three actions you can take right now

Preparation is key to ensuring compliance with the new standards. Here’s how you can stay ahead:

  • Complete your annual SAQ A: Download our SAQ A template or reach out to our team for assistance.
  • Engage your QSAs: Contact your Qualified Security Assessor (QSA) for guidance on preparing for the new standards.
  • Check your online donation platform’s compliance: ensure they have a plan for meeting the new requirements so you are not left out of compliance.

Fundraise Up is fully compliant with the upcoming PCI DSS 4.0.1 standards. Our platform already includes the secure, scalable tools nonprofits need to meet these new requirements with confidence. By working with Fundraise Up, you can trust that your donation processing infrastructure is aligned with the latest security standards.

What does this mean for nonprofits like yours?

  • You can confidently embed our secure JavaScript without worrying about compliance gaps.
  • Our platform already incorporates the advanced security measures mandated by the new standards, including those for script management and tamper detection.
  • We’re your partner in compliance, making it easier for you to focus on your mission while we handle the technical complexities.

FREE nonprofit compliance checklist: Learn how to choose secure software vendors.

Let’s sum it up

  • PCI compliance is a requirement for all nonprofits accepting card donations.
  • As a nonprofit, you should take key actions, like completing your annual SAQ A and ensuring your tech stack is compliant.
  • Prepare for PCI DSS 4.0.1, which takes effect on March 31, 2025.
  • You can be confident that Fundraise Up is already fully compliant with the upcoming PCI DSS 4.0.1 standards.

A clear path forward

Here’s the good news: while PCI DSS 4.0.1 introduces new complexities, it also represents an opportunity to strengthen donor trust and build resilience against cyber threats. By leaning on trusted platforms and smart tools, nonprofits can turn these requirements into a stepping stone for growth.

At Fundraise Up, we’re committed to helping you navigate these changes with confidence. If you have donation compliance questions, our experts are here to help.
