PCI compliance for organizations using Fundraise Up

Understand PCI DSS compliance requirements and what your organization needs to do to stay compliant when using Fundraise Up.

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect cardholder data. Every organization that accepts credit card payments must comply with these standards to secure transactions and safeguard sensitive information.

Fundraise Up is PCI DSS 4.0.1 compliant. Our platform meets the latest security standards, which reduces your PCI footprint and overall liability. However, your organization still has compliance responsibilities.

Your compliance requirements

Fundraise Up handles much of the technical responsibility for PCI compliance, which simplifies the process for your organization. We tokenize and encrypt all payment data so that sensitive cardholder details are never stored on your organization's systems.

Because Fundraise Up handles sensitive cardholder data on your behalf, your organization's scope for PCI compliance is reduced. However, you must complete an annual Self-Assessment Questionnaire (SAQ) to affirm compliance.

For organizations that use Fundraise Up, SAQ A is the appropriate choice because it applies to organizations that outsource payment processing and do not store cardholder data.

Steps to maintain PCI compliance

Follow these steps to maintain PCI compliance with Fundraise Up.

Step 1. Complete your annual SAQ

Download SAQ A from the PCI Security Standards Council website, or request a pre-populated SAQ A from Fundraise Up that requires minimal additional information to complete.

Step 2. Submit your SAQ to your payment processor

Submit SAQ A directly to your payment processor (Stripe or PayPal) through their designated portal or instructions. Be mindful of submission deadlines, which are often outlined in processor communications.

If you're unsure about the SAQ or deadlines, contact your processor's support team for guidance.

Step 3. Train your staff on security practices

Make sure all staff members who handle payment data understand basic security practices:

  • How to avoid phishing scams.
  • The importance of secure passwords.
  • That they must never store sensitive cardholder data on internal systems.

Step 4. Maintain secure systems

Regularly update your computers and software to protect against vulnerabilities. Use secure networks, particularly when you access the Fundraise Up platform or other payment systems.

Step 5. Monitor your website for tampering

Implement tools that detect unauthorized changes to your website. See PCI DSS 4.0.1 requirements below for details.

Step 6. Keep documentation up to date

Save copies of your completed SAQ and any related correspondence from payment processors for your records.

To maintain PCI compliance, Fundraise Up requires users to update their passwords every 90 days. This does not apply to users who have two-factor authentication (2FA) enabled or who belong to an account with the "SSO Required" setting. Learn more about authentication requirements →

If you receive a letter from Stripe or PayPal

If you receive a letter from Stripe or PayPal about PCI compliance, it's likely a reminder of your organization's responsibility to:

  • Use their services in a PCI-compliant manner.
  • Complete and submit your annual SAQ.

These letters are standard practice and not an indication of non-compliance.

PCI DSS 4.0.1 requirements

PCI DSS version 4.0.1 is the latest update to the standard that went into effect on March 31, 2025.

Key updates include:

  • Requirement 6.4.3: Inventory and secure scripts. Organizations must inventory, authorize, and secure all JavaScript files that interact with payment forms so that only authorized scripts are used.
  • Requirement 11.6.1: Anti-tamper detection. Automated tools must monitor web pages for unauthorized modifications and provide real-time alerts to prevent potential breaches.
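To show what these two requirements ask for in practice, here is an added example (written for this article, not code from Fundraise Up or its platform) that checks the scripts on a donation page against an authorized inventory with content digests; every URL and script body in it is constructed.

```python
import hashlib
import re

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Authorized inventory (Requirement 6.4.3): script URL -> digest of its approved
# content. URLs and bodies are constructed for this example.
AUTHORIZED = {
    "https://cdn.example.org/donate.js": sha256_hex(b"window.donate = function () {};"),
    "https://cdn.example.org/analytics.js": sha256_hex(b"track('pageview');"),
}

def audit_payment_page(html, fetch):
    """Classify every <script> on the page (a Requirement 11.6.1 style check).
    Status is one of: ok, unauthorized, modified, inline.
    """
    findings = []
    for tag in SCRIPT_TAG.finditer(html):
        src = SRC_ATTR.search(tag.group(1))
        if src is None:
            findings.append(("<inline>", "inline"))  # inline code needs manual review
            continue
        url = src.group(1)
        expected = AUTHORIZED.get(url)
        if expected is None:
            findings.append((url, "unauthorized"))  # not in the inventory at all
        elif sha256_hex(fetch(url)) != expected:
            findings.append((url, "modified"))  # authorized URL, but content changed
        else:
            findings.append((url, "ok"))
    return findings

# Constructed stand-in for fetching each script's current content over HTTP.
CURRENT_BODIES = {
    "https://cdn.example.org/donate.js": b"window.donate = function () {};",
    "https://cdn.example.org/analytics.js": b"track('pageview'); /* changed */",
    "https://cdn.example.net/extra.js": b"/* not in inventory */",
}

SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/donate.js"></script>
<script src="https://cdn.example.org/analytics.js"></script>
<script src="https://cdn.example.net/extra.js"></script>
<script>console.log('inline');</script>
</head><body><form id="donate"></form></body></html>"""
```

Calling `audit_payment_page(SAMPLE_HTML, CURRENT_BODIES.__getitem__)` reports analytics.js as modified, extra.js as unauthorized and the inline block as needing review. In a real deployment the fetch callback would perform the HTTP request on a schedule and anything other than "ok" would raise an alert.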

How Fundraise Up supports these requirements

Fundraise Up supports organizations as they navigate these standards:

  • Educational resources. We provide educational webinars and detailed resource posts to help organizations understand and implement these requirements. These sessions cover practical steps for script management and anti-tamper monitoring implementation.
  • Vendor recommendations. We recommend pre-vetted security vendors who offer solutions tailored to nonprofit organizations' needs and financial capabilities.

Additional resources

For more detailed guidance, consult the following resources:

This article is for informational purposes only and does not constitute legal advice. Consult with a legal professional for advice tailored to your organization's specific circumstances.