PCI compliance for organizations using Fundraise Up

Understand PCI DSS compliance requirements and what your organization needs to do to stay compliant when using Fundraise Up.

When your organization processes credit card transactions, it is essential to be familiar with PCI compliance. PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect cardholder data. Every organization that accepts credit card payments must comply with these standards to ensure secure transactions and safeguard sensitive supporter information.

Fundraise Up is assessed as compliant with PCI DSS v4.0 and has processes in place to be validated against v4.0.1 during its 2025 PCI audit. Because the platform itself meets the current standard, the portion of the standard your organization must attest to, and the liability that comes with it, is significantly reduced.

However, there are responsibilities your organization must handle directly. Below, we’ll break down what you need to know and do to stay compliant.

What should your organization’s expectations be for PCI compliance?


Using Fundraise Up simplifies PCI compliance by offloading much of the technical responsibility to us. Card details are captured by the Fundraise Up checkout and tokenized and encrypted there, so full card numbers are never stored on your organization’s own systems. This greatly reduces your exposure.

However, your organization still has obligations. Most organizations must complete an annual Self-Assessment Questionnaire (SAQ) and sign its Attestation of Compliance. For organizations using Fundraise Up, SAQ A is normally the right one: it is the questionnaire for merchants that fully outsource the capture, processing and storage of cardholder data to PCI DSS validated third parties and keep no cardholder data on their own systems.

Here’s what you need to do:

  1. Obtain the SAQ.
    • Option 1: Obtain the SAQ A from your payment processor (Stripe or PayPal); processors typically make it available through their merchant dashboard or compliance portal.
    • Option 2: Request a pre-populated SAQ A from Fundraise Up, which requires minimal additional information to complete.
  2. Complete and submit the SAQ.

    Submit the completed SAQ A to your payment processor through its compliance portal or by following its instructions. Note the submission deadline, which the processor usually states in its compliance reminders.

  3. Seek clarification if needed.

    If you’re unsure about the SAQ or deadlines, reach out to your processor’s support team for guidance.

You received a letter from Stripe or PayPal. What does it mean?


If you receive a letter from Stripe or PayPal about PCI compliance, it is likely a reminder of your organization’s responsibility to:

  1. Ensure that you are using their services in a PCI-compliant manner.
  2. Complete and submit your annual SAQ.

These letters are standard practice and not an indication of non-compliance. They’re simply part of maintaining proper documentation and accountability.

Steps your organization should take to meet PCI compliance


Here’s a clear outline of what organizations using Fundraise Up should do:

  1. Understand your scope of compliance:
    • Fundraise Up handles sensitive cardholder data on your behalf, which reduces your organization’s scope for PCI compliance. However, you’re still responsible for ensuring your staff follows best practices.
  2. Complete the appropriate SAQ annually:
    • Most nonprofits will complete SAQ A, the shortest questionnaire, because Fundraise Up and your payment processor handle the capture, processing and storage of card data on your behalf.
    • Follow the instructions provided by your payment processor (Stripe or PayPal) for completing the SAQ.
  3. Train your staff:

    Ensure all staff members who come into contact with donation or payment data understand basic security practices, such as:

    • Recognizing and reporting phishing attempts.
    • Using strong, unique passwords and multi-factor authentication where it is offered.
    • Never writing down or storing card numbers on internal systems, including spreadsheets, email and CRM notes (for example when a supporter reads a card over the phone).
  4. Maintain secure systems:
    • Keep computers, browsers and other software up to date to close known vulnerabilities.
    • Use trusted networks, not open public Wi‑Fi, when accessing Fundraise Up’s platform or other payment systems.
  5. Monitor your website for tampering:
    • Deploy a change- and tamper-detection mechanism that alerts you to unauthorized changes to the scripts and security headers of any page that hosts your donation form, in line with PCI DSS Requirement 11.6.1 (see details below).
  6. Keep documentation up-to-date:
    • Save copies of your completed SAQ and any related correspondence from payment processors for your records.

What is PCI DSS 4.0.1?


PCI DSS version 4.0.1, published in June 2024, is the current version of the Standard. It is a limited revision of v4.0 that corrects and clarifies wording without adding or removing requirements; v4.0 itself was retired on December 31, 2024. The date that matters for most organizations is March 31, 2025, when the requirements that v4.0 introduced as "future-dated" best practices, including the two below, become mandatory.

Key requirements taking effect on that date include:

  • Requirement 6.4.3: Manage payment page scripts

    All scripts loaded and executed in the donor’s browser on payment pages must be managed: each script must be authorized, its integrity must be assured (for example with Subresource Integrity hashes or a Content Security Policy), and an inventory of all scripts with a written business or technical justification must be maintained.

  • Requirement 11.6.1: Change and tamper detection

    A change- and tamper-detection mechanism must alert personnel to unauthorized modification (additions, changes, deletions and indicators of compromise) of the security-impacting HTTP headers and the script contents of payment pages as received by the donor’s browser. The check must run at least once every seven days, or at a frequency set by a documented targeted risk analysis.

For organizations using a third-party donation form, these two requirements are the ones most likely to touch your own website, so confirm with your payment processor whether they are included in the SAQ A you are asked to complete and how your donation pages satisfy them.

How can Fundraise Up assist with 6.4.3 and 11.6.1 requirements?


Fundraise Up is committed to supporting organizations as they navigate these new standards. Here’s how we can help:

  • Educational resources: We will provide educational webinars and detailed resource posts to help organizations understand and implement these new requirements effectively. These sessions will cover practical steps for script management and anti-tamper monitoring implementation.
  • Vendor recommendations: Recognizing the budget constraints many nonprofits face, Fundraise Up will recommend pre-vetted security vendors who offer solutions specifically tailored to nonprofit organizations’ needs and financial capabilities. These partnerships will help ensure compliance without overwhelming organizational resources.

Additional resources


For more detailed guidance, consult the following resources:

This article is for informational purposes only and does not constitute legal advice. Consult with a legal professional for advice tailored to your organization’s specific circumstances.
