PCI DSS (Payment Card Industry Data Security Standard) introduced new requirements that affect nonprofit organizations around the globe. With changes taking effect by March 31, 2025, we hosted an on-demand webinar that covers changes to PCI and how nonprofits can respond.
Here are the most frequently asked PCI questions.
What is PCI compliance?
PCI DSS (Payment Card Industry Data Security Standard) is a global compliance standard to protect cardholder data. It matters to any organization that handles credit card payments, including nonprofits, and it's meant to safeguard sensitive payment information.
How do PCI changes affect nonprofits?
In short: PCI DSS 4.0 changes will require nonprofits to become more involved. But your nonprofit's level of involvement will depend on how cardholder data is processed, stored, and transmitted.
Nonprofits will be required to complete an annual Self-Assessment Questionnaire (PCI SAQ).
What is a PCI SAQ?
A PCI SAQ is a PCI Self-Assessment Questionnaire, and the questions you are asked are determined by how your organization processes donations. The goal of the SAQ is for nonprofits to confirm that their website and vendors are PCI compliant.
Read more about completing the Self-Assessment Questionnaire.
How do I know which PCI SAQ to fill out?
Most nonprofits will fall under SAQ A or SAQ D, depending on how cardholder data is stored, processed, or transmitted.
Here's a breakdown of SAQ A vs. SAQ D:
| SAQ A | SAQ D |
| --- | --- |
| No cardholder data is stored, processed, or transmitted on merchant systems. | Applies to businesses that store, process, or transmit full cardholder data. (Note: This doesn't apply to only storing the last four digits.) |
| Payment processing is fully outsourced to PCI DSS-validated third-party service providers. | The most comprehensive SAQ, covering the full set of PCI DSS requirements. |
| Applies to businesses using hosted payment pages or iFrame solutions. | Required for merchants who don't fit into other SAQ types. |
If you're not sure which questionnaire applies to you, reach out to your Qualified Security Assessor (QSA).
What is a QSA?
QSA is short for Qualified Security Assessor. QSAs are independent organizations that are certified through the PCI Security Standards Council. They can help determine your merchant type and ensure your nonprofit is PCI compliant.
Where do I find the PCI SAQ form?
Once you've determined your merchant type, check the PCI website for instructions and documents to complete the Self-Assessment.
Where do I submit the PCI SAQ form?
Your payment processor (Stripe, PayPal, Square, etc.) should ask for your annual Self-Assessment Questionnaire. You'll be able to submit your questionnaire through your payment processor.
How do I know if my vendors are compliant?
- Ask your vendor how they secure third-party JavaScript on their donation pages. Does your solution provider support custom JavaScript, tag management systems, etc.? If so, work with your provider to confirm they're fully PCI DSS 4.0 compliant. Note: Fundraise Up customers can be confident that we are fully compliant and have already implemented the required security measures.
- Use automated compliance tools going forward. The new PCI standards focus on script management and tamper detection, which can be very difficult and time-consuming to audit and monitor manually. Fundraise Up recommends DomDog* as an automated solution to help facilitate compliance. *DomDog is not a QSA, but they will work with you to ensure all necessary implementations meet PCI DSS requirements 6.4.3 and 11.6.1.
Is Fundraise Up PCI compliant?
Yes! Fundraise Up is a PCI DSS 4.0 Level 1 certified provider, which eliminates the need for our customers to inventory, authorize, and monitor pages with custom JavaScript. Fundraise Up is the only solutions platform to offer enterprise certifications for fundraising anywhere in the world.
What countries do the PCI DSS 4.0 updates apply to?
PCI DSS updates apply to all countries. PCI is a global standard implemented by credit card companies (Visa, Mastercard, etc.) regardless of geographic location.
Are PCI updates urgent?
Yes. PCI DSS 4.0 changes will be implemented on March 31, 2025.
What happens if I'm not PCI compliant?
Non-compliance could result in:
- Suspension of services by payment processors (Stripe, PayPal, Square, etc.)
- Costly PCI fines
- Loss of donor trust
Does PCI only apply to online donations?
No, PCI applies to online and offline donations that involve cardholder data. This includes direct mail, virtual terminals, call centers, events, etc.
What are the next steps to ensure my nonprofit is PCI compliant?
- Confirm your merchant type: Understand where your organization processes credit card donations and how those donations are being processed today.
- Engage your Qualified Security Assessor (QSA). If you need additional guidance, a QSA can help you understand your merchant type and ensure your organization is fully prepared for PCI DSS 4.0.
- Check your online donation platform's compliance. Confirm your provider has a plan for meeting the new standards so that your nonprofit becomes compliant and stays compliant.
- Secure your website's JavaScript. You can do this by keeping an inventory of, authorizing, and monitoring the JavaScript files on your website. Fundraise Up recommends automating this process, even if it's not required.
Watch the on-demand webinar: PCI DSS 4.0 for nonprofits
The updates to PCI DSS can seem overwhelming, but it's a great opportunity to build donor trust and security. And with the right donor platform, it can be much easier than you think!
If you want to learn more about PCI compliance, check out our on-demand webinar. In this webinar, our experts break down PCI compliance updates, what it means for nonprofits, and how you can continue to keep your donor data safe.