The deadline to fully comply with PCI DSS 4.0, including the requirements that were treated as best practice until now, is March 31, 2025. If you haven’t already, it’s time to take action to ensure your nonprofit stays compliant and continues processing donations securely.
In addition to fines and penalties, not meeting PCI compliance standards can put donor data at risk and expose your organization to security breaches. To help you stay on track, here are six immediate actions you can take today.
Immediate actions to stay PCI compliant
PCI DSS (the Payment Card Industry Data Security Standard) is a security standard the card brands require, through your payment processor or acquiring bank, of every organization that stores, processes, or transmits cardholder data. For nonprofits, this means any online donation or payment processing must adhere to PCI standards to reduce the risk of data breaches, fraud, and cyberattacks.
1. Audit your PCI compliance status
Before making any updates, start by assessing your nonprofit’s current PCI compliance standing. This includes determining which Self-Assessment Questionnaire (SAQ) applies to your nonprofit and identifying potential security gaps.
- Determine your merchant type: Most nonprofits fall under SAQ A (all card handling is fully outsourced to a PCI-validated provider, for example through a redirect or iframe) or SAQ D, depending on how they handle transactions. If your own website builds or serves the payment form, SAQ A-EP is the likely fit instead.
- Assess website security: If your nonprofit qualifies for SAQ A, pull in your IT team to confirm your website is not vulnerable to script attacks that could compromise donor data. In practice that means knowing every script that loads on the donation page, where each one comes from, and having a way to notice when one is added or changed.
Not sure what defines a merchant type? Read more about merchant types and completing the Self-Assessment Questionnaire here.
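The script-inventory check described above, as an added example that is not part of the original article and not Fundraise Up's own code. It parses a donation page's HTML offline, lists every script, and flags the ones an IT team would need to explain before signing off on SAQ A: scripts from origins not on an approved list, scripts loaded without HTTPS, external scripts without Subresource Integrity, and inline scripts that a Content Security Policy cannot pin without a hash. It then builds the script-src directive that would block anything not on the list. The sample page and the vendor hostnames are constructed placeholders, not real services.

```python
"""
Script inventory for a hosted donation page (added example; hostnames are placeholders).

Lists every <script> on the page and flags the ones that would undermine an
SAQ A merchant's claim that the site is not susceptible to script attacks.
Also emits a script-src CSP directive from the approved origins and the
inline-script hashes, which is the control that stops an unapproved script
from running at all.
"""
from __future__ import annotations

import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fixed wording for each finding so reports can be grepped or asserted on.
ISSUE_ORIGIN = "origin not in the approved script allow-list"
ISSUE_NOT_HTTPS = "script not loaded over https"
ISSUE_NO_SRI = "external script has no integrity (SRI) attribute"
ISSUE_NO_CORS = "integrity attribute without crossorigin; a cross-origin SRI check cannot succeed"
ISSUE_INLINE = "inline script; pin it with a CSP hash or move it to an approved file"


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag with its attributes and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []
        self._current: dict | None = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)  # value-less attributes (e.g. bare crossorigin) map to None
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"),
                             "has_crossorigin": "crossorigin" in a, "body": ""}

    def handle_data(self, data):
        # HTMLParser hands us the raw script body between the tags (possibly in chunks).
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def csp_sha256(body: str) -> str:
    """Base64 SHA-256 of the exact inline body, the form CSP 'sha256-...' sources use."""
    return base64.b64encode(hashlib.sha256(body.encode("utf-8")).digest()).decode("ascii")


def audit_scripts(html: str, allowed_origins: set[str]) -> list[dict]:
    """Return one finding per <script>: where it comes from and what is wrong with it."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for s in collector.scripts:
        if not s["src"]:
            findings.append({"src": None, "origin": "(inline)",
                             "inline_sha256": csp_sha256(s["body"]), "issues": [ISSUE_INLINE]})
            continue
        u = urlparse(s["src"])
        external = bool(u.netloc)
        origin = f"{u.scheme}://{u.netloc}" if external else "(same-origin)"
        issues = []
        if external and u.scheme != "https":
            issues.append(ISSUE_NOT_HTTPS)
        if external and origin not in allowed_origins:
            issues.append(ISSUE_ORIGIN)
        if not s["integrity"]:
            issues.append(ISSUE_NO_SRI)
        elif external and not s["has_crossorigin"]:
            issues.append(ISSUE_NO_CORS)
        findings.append({"src": s["src"], "origin": origin, "inline_sha256": None, "issues": issues})
    return findings


def build_csp(findings: list[dict], allowed_origins: set[str]) -> str:
    """script-src directive allowing only approved origins and the known inline hashes.
    Unapproved origins are deliberately left out: the browser will refuse to run them."""
    sources = ["'self'"] + sorted(allowed_origins)
    sources += sorted(f"'sha256-{f['inline_sha256']}'" for f in findings if f["inline_sha256"])
    return "script-src " + " ".join(sources) + ";"


# Constructed sample page; the vendor hostnames and the digest are placeholders.
APPROVED_ORIGINS = {"https://js.payment-processor.example", "https://cdn.donation-platform.example"}
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="https://js.payment-processor.example/v3/checkout.js" crossorigin="anonymous"></script>
<script src="https://cdn.donation-platform.example/widget.js"
        integrity="sha384-placeholderDigestNotARealHashValue0000000000000000000000000000" crossorigin="anonymous"></script>
<script src="http://analytics.unknown-vendor.example/track.js"></script>
<script>window.donationConfig = {"currency": "USD"};</script>
</head><body><form id="donate"></form></body></html>"""

if __name__ == "__main__":
    report = audit_scripts(SAMPLE_PAGE, APPROVED_ORIGINS)
    for f in report:
        print(f["src"] or "(inline)", f["origin"], f["issues"] or "ok")
    print(build_csp(report, APPROVED_ORIGINS))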
2. Confirm compliance with vendors
Your nonprofit may be PCI compliant, but are your vendors? Any third-party payment processor, CRM, or software handling transactions must also be PCI compliant.
To verify compliance, ask each vendor for their Attestation of Compliance (AOC) as proof of PCI DSS compliance. Check that the AOC is current (they are renewed annually), that it is against PCI DSS 4.0, and that the services listed on it are the ones you actually use; an AOC that covers a vendor's data center but not its donation widget does not cover you. If your vendor does not have an AOC or if you have concerns, ask to review their security measures to ensure they meet PCI standards.
3. Update your policies
PCI DSS 4.0 requires stricter security measures, which means your internal policies should follow suit. Review your current policies to make sure they include:
- Stronger passwords: PCI DSS 4.0 raises the minimum password length to 12 characters (8 only where a system cannot support 12), containing both letters and numbers. Requiring special characters and mixed case on top of that is your choice, not a PCI requirement; length and a check against known-compromised passwords do more than complexity rules.
- Multi-factor authentication: PCI DSS 4.0 requires MFA for all access into the cardholder data environment, not just remote or administrative access, to prevent unauthorized access with a stolen password alone.
- Website policies: Ensure your nonprofit’s website keeps its TLS certificates (still commonly called SSL certificates) valid and renewed before they expire, sits behind a firewall, and has monitoring that detects unauthorized changes to the donation page, so that an injected script is noticed rather than discovered by donors.
4. Consider switching from legacy vendors
Many nonprofits unknowingly fall out of compliance because of outdated practices or legacy vendors with older platforms. And if your vendors can’t provide proof of compliance, or if they push the compliance work to you, it may be time to seriously consider switching providers.
No matter which direction your nonprofit chooses to go, be sure that your payment processing partners offer built-in PCI compliance or have a plan to follow best practices.
5. Understand the importance of PCI compliance
Beyond avoiding fines, PCI compliance makes a difference in fundraising success. It’s a big lift, but your efforts to comply contribute to protecting donor data, strengthening cybersecurity, and helping your nonprofit build long-term trust with supporters.
PCI DSS 4.0 updates address new cybersecurity threats. And a strong security posture can reassure donors that their sensitive information is safe and protected. By prioritizing compliance now, your nonprofit can stay ahead of security risks while demonstrating accountability to donors.
6. Get the guide and template
At Fundraise Up, we see PCI compliance changes as an opportunity to reassure donors. But we also understand that it can be a big lift for nonprofit organizations around the globe.
To simplify the compliance process, check out this comprehensive breakdown of PCI DSS 4.0, which includes a ready-to-use SAQ A template for nonprofits.
Take action now to stay compliant
March 31 is almost here. By taking these six immediate steps, your nonprofit can ensure continued PCI compliance, protect donor data, and build long-term trust. Check out these 2025 PCI requirements or watch our on-demand webinar here for more information on PCI.