Nonprofit PCI Compliance: Donation Processing Security
Introduction
As a nonprofit organization, your mission is to make a positive impact in the world. But while you’re focused on serving your cause, there’s a critical behind-the-scenes responsibility you can’t afford to overlook: protecting your donors’ payment card information.
What you’ll learn in this guide:
- The fundamentals of PCI compliance for nonprofits
- Step-by-step instructions to secure your donation processing
- How to avoid costly mistakes and data breaches
- When to handle compliance yourself versus hiring help
Why this matters:
Every time someone makes a donation with a credit or debit card—whether online, over the phone, or at your fundraising event—you’re handling sensitive financial data. One security breach could not only expose your donors to identity theft but also devastate your organization’s reputation and finances.
Who this guide is for:
This comprehensive guide is designed for nonprofit staff members, board members, and volunteers who need to understand PCI compliance but don’t have a technical background. Whether you’re a small community organization or a larger nonprofit, this guide will help you protect your donors and your mission.
The Basics
What Is PCI Compliance?
PCI compliance refers to following the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements maintained by the PCI Security Standards Council and designed to protect credit and debit card information. Think of it as a comprehensive checklist that ensures your organization handles payment data safely.
Key terminology you need to know:
- PCI DSS: The Payment Card Industry Data Security Standard—the rulebook for card data security
- SAQ (Self-Assessment Questionnaire): A form you complete to demonstrate your compliance efforts
- Cardholder Data: The primary account number (the long card number) together with the cardholder name, expiration date and service code when they are kept alongside it. The security code (CVV/CVC), PIN and full magnetic-stripe or chip data are “sensitive authentication data” and may never be stored after a transaction is authorized, even in encrypted form
- Payment Processor: The company that handles your card transactions (like Stripe, PayPal, or your bank)
- Merchant Account: Your organization’s account for accepting card payments
How PCI Compliance Relates to Your Nonprofit
Every nonprofit that accepts credit or debit cards—regardless of size or transaction volume—must comply with PCI DSS. This applies whether you:
- Process donations online through your website
- Accept cards at fundraising events
- Take payments over the phone
- Use mobile card readers at community outreach events
- Sell merchandise to support your cause
The requirements scale with your organization’s size and how you process payments, but the fundamental responsibility remains the same: protect donor payment information.
Why It Matters
Business Implications
For nonprofits, PCI compliance isn’t just about following rules—it’s about preserving trust and sustainability. Consider these critical implications:
Donor Trust: Your donors trust you with their personal and financial information. A data breach can permanently damage this trust, leading to decreased donations and volunteer participation.
Operational Continuity: Non-compliance can result in your ability to process card payments being suspended, directly impacting your fundraising capabilities.
Financial Stability: The costs associated with a data breach—including forensic investigations, legal fees, and potential lawsuits—can be devastating for organizations operating on tight budgets.
Risks of Non-Compliance
The consequences of ignoring PCI compliance can be severe:
Fines and Penalties: The card brands assess fines through your acquiring bank, which passes them on to you; commonly cited figures run from $5,000 to $100,000 per month, depending on your processing volume and the severity of non-compliance.
Increased Processing Costs: Payment processors may impose higher transaction fees on non-compliant merchants.
Data Breach Costs: The average cost of a data breach for small organizations can exceed $100,000 when you factor in investigation costs, legal fees, notification expenses, and potential lawsuits.
Reputation Damage: News of a data breach can spread quickly through social media and local news, potentially causing long-lasting harm to your organization’s reputation.
Benefits of Compliance
Achieving PCI compliance provides significant advantages:
Enhanced Security: Following PCI standards dramatically reduces your risk of experiencing a data breach.
Donor Confidence: Demonstrating your commitment to security can actually become a talking point in your fundraising efforts.
Operational Peace of Mind: Knowing you’re protected allows you to focus on your mission rather than worrying about security threats.
Reduced Liability: Compliance can limit your financial exposure in the event of a breach.
Step-by-Step Guide
Step 1: Determine Your Compliance Level (Week 1)
Your first task is identifying which Self-Assessment Questionnaire (SAQ) applies to your organization. This depends on how card data reaches your processor, not on how big you are:
- SAQ A: Card-not-present only (online, mail or phone), with every card data function fully outsourced to PCI DSS compliant third parties. Typical case: your donation page redirects donors to the processor, or embeds the processor’s hosted form in an iframe, and your own systems never see a card number
- SAQ A-EP: E-commerce where card data goes straight from the donor’s browser to the processor, but your web page controls how that happens (for example, card fields rendered on your page by the processor’s JavaScript). Your website is in scope, so this questionnaire is much longer than SAQ A
- SAQ B: Imprint machines or standalone dial-out card terminals, with no electronic storage of card data
- SAQ B-IP: Standalone PCI-approved (PTS) terminals that connect to the processor over the internet, with no electronic storage of card data
- SAQ C-VT: Card data keyed by hand into a processor-provided web “virtual terminal” from a single, isolated computer; the usual fit for phone donations
- SAQ C: A payment application on a system connected to the internet, with no electronic storage of card data
- SAQ P2PE: Card-present payments taken only through a validated point-to-point encryption (P2PE) terminal solution, with no electronic storage of card data
- SAQ D: Everything else, including any organization that stores card data electronically (the most demanding)
Most small to medium nonprofits fall into SAQ A, A-EP, B, B-IP or C-VT. Your acquiring bank or payment processor has the final say on which SAQ you may use, so confirm your choice with them before you start filling it in.
Step 2: Inventory Your Payment Processes (Week 2)
Document every way your organization handles card payments:
- Online donation forms on your website
- Phone-based donations
- Event payment processing
- Merchandise sales
- Recurring donation systems
- Mobile payment processing
For each method, note:
- Which staff members have access
- Where card data might be stored
- What systems are involved
- How data flows through your organization
Step 3: Implement Security Measures (Weeks 3-6)
Based on your SAQ requirements, implement necessary security controls:
For all organizations:
- Install and maintain anti-malware software on every computer that touches payments, and keep it updated
- Use strong, unique passwords and, wherever the system offers it, multi-factor authentication for all payment-related systems
- Limit access to card data on a “need-to-know” basis, and give each person their own account so that activity can be traced to an individual
- Regularly update software and install security patches
For organizations whose own systems handle or store card data (SAQ A-EP, C and D):
- Render stored card numbers unreadable with strong encryption, truncation or tokenization, and never store the security code (CVV/CVC), PIN or full magnetic-stripe data after a transaction is authorized, even encrypted
- Implement access controls and monitoring
- Run the vulnerability scans your SAQ requires, including quarterly external scans by a PCI Approved Scanning Vendor (ASV)
- Maintain detailed logs of system access, and check that card numbers are not being written into those logs or into exports and spreadsheets
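The last bullet is where nonprofits most often slip: a card number typed into a support ticket, a spreadsheet export or a web server log is stored card data whether or not anyone meant to keep it, and it pulls that system into scope. The script below is an added example for this guide, not code from the PCI Security Standards Council or any processor. It scans text for card numbers using the Luhn check digit that all card brands use, reports which lines contain one, and truncates each hit to the first six and last four digits that PCI DSS allows to be displayed. The log lines and CSV row in SAMPLE_LINES are constructed sample data; the card numbers in them are the widely published Visa and American Express test numbers, not real accounts. It is equally useful during Step 2 when you are trying to find where card data might be hiding.

```python
"""
Detect and mask payment card numbers (PANs) in places they should never be:
web server logs, spreadsheet exports, support-ticket dumps.

Added example for this guide (not code from the PCI SSC or any processor).
SAMPLE_LINES is constructed test data; the card numbers in it are the
publicly documented Visa and Amex test numbers, not real accounts.
"""
import re
import sys

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# touching other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_LINES = [
    "2024-03-02 14:03:11 donation id=8837 amount=50.00 status=ok",                      # clean
    "2024-03-02 14:05:40 phone pledge name=J. Doe card=4111 1111 1111 1111 exp=09/27",  # Visa PAN in a log
    "2024-03-02 14:06:02 fulfilment order=9876543210987654 shipped",                    # 16 digits, fails Luhn
    "Doe,Jane,50.00,378282246310005,2027-09",                                           # CSV row with Amex PAN
    "2024-03-02 14:07:55 processor token=tok_1Nx9Qa2eZvKYlo2C last4=4242",              # token + last4: fine
]


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by all card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS truncation: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_if_pan(candidate: str):
    """Strip separators; return the digit string only if it is PAN-length and passes Luhn."""
    digits = re.sub(r"[ -]", "", candidate)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit PAN in text, separators removed."""
    return [d for d in (_digits_if_pan(m.group(0)) for m in _PAN_CANDIDATE.finditer(text)) if d]


def redact(text: str) -> str:
    """Replace each detected PAN with its truncated form; leave non-PAN digit runs alone."""
    def _sub(m):
        digits = _digits_if_pan(m.group(0))
        return mask_pan(digits) if digits else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def scan_lines(lines) -> list:
    """Return (line_number, [masked PANs]) for every line that leaks a card number."""
    hits = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits.append((n, [mask_pan(p) for p in pans]))
    return hits


if __name__ == "__main__":
    # Usage: python pan_scan.py [logfile]; with no argument it scans SAMPLE_LINES.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = scan_lines(fh)
    else:
        hits = scan_lines(SAMPLE_LINES)
    for n, masked in hits:
        print(f"line {n}: card data present -> {', '.join(masked)}")
```

Point scan_lines at a real log or export to learn whether card data is leaking into places it should not be. Any hit means that file is in PCI scope: it has to be cleaned up, and the process that wrote the number there has to be fixed. The Luhn check filters out most order numbers and timestamps (the constructed order number above is rejected for that reason) but is not proof of a real card, so treat hits as leads to verify rather than as a count of compromised donors.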
Step 4: Complete Your Self-Assessment (Week 7)
Fill out the appropriate SAQ honestly and thoroughly. This questionnaire will ask about your security practices and controls. Don’t guess—if you’re unsure about an answer, research it or seek help.
Step 5: Address Any Gaps (Week 8)
If your self-assessment reveals areas where you’re not meeting requirements, create an action plan to address these gaps. Prioritize the most critical security issues first.
Step 6: Submit Documentation (Week 9)
Submit your completed SAQ, with its signed Attestation of Compliance (AOC) and any scan reports your SAQ requires, to your payment processor or acquiring bank. Keep copies of all submitted materials for your records.
Timeline Expectations
Most nonprofits can achieve initial PCI compliance within 8-12 weeks, assuming they don’t have complex payment processing systems. However, compliance is an ongoing responsibility that requires regular attention and annual renewal.
Common Questions Beginners Have
“We’re a small nonprofit—do we really need to worry about PCI compliance?”
Yes, absolutely. Cybercriminals often target smaller organizations precisely because they typically have fewer security measures in place. Size doesn’t exempt you from compliance requirements or make you less attractive to hackers.
“We use PayPal for all donations—are we automatically compliant?”
Using PayPal (or a similar service) significantly simplifies your compliance requirements, but it doesn’t eliminate them entirely. If donors are sent to the processor’s own page, or the processor’s hosted form is embedded on your page in an iframe, so that card numbers never pass through your website, you will likely qualify for SAQ A, the simplest questionnaire. If instead the card fields sit in your own page and the processor’s JavaScript sends the data from the donor’s browser, you fall into SAQ A-EP and your website itself is in scope. Either way you still need to complete the assessment process, and you still need to keep the website behind the donation button patched and under your control, because an attacker who can alter that page can send donors to a fake payment form.
“What if we only process a few donations per year?”
Transaction volume doesn’t determine whether you need to be compliant—it only affects which level of compliance requirements apply to you. Even organizations processing very few transactions must follow PCI standards.
“Is PCI compliance the same as being secure?”
PCI compliance establishes a baseline for security, but it’s not a guarantee against all threats. Think of it as the minimum standard rather than the ultimate goal. Additional security measures beyond PCI requirements are often beneficial.
“How much will this cost our organization?”
Costs vary widely depending on your current setup and compliance level. Many small nonprofits using third-party processors can achieve compliance for under $500 annually, while organizations with more complex systems may need to invest several thousand dollars.
“What happens if we can’t afford compliance?”
The cost of non-compliance typically far exceeds the investment required to achieve compliance. If budget is a concern, prioritize the most critical security measures first and consider seeking grants or donations specifically for cybersecurity improvements.
Mistakes to Avoid
Common Beginner Errors
Storing card numbers “just in case”: Never store full card numbers unless it is genuinely necessary and you have encryption, access controls and monitoring in place, and never store the security code (CVV/CVC) at all; keeping it after authorization is prohibited even if it is encrypted. Most nonprofits should avoid storing card data entirely. For recurring gifts, keep only the token your processor issues, plus the last four digits and expiration date for donor communications.
Using the same password everywhere: Each system should have its own strong, unique password. Consider using a password manager to keep track of multiple credentials.
Ignoring software updates: Failing to install security patches and updates is one of the most common ways organizations become vulnerable to attacks.
Assuming someone else handles it: Don’t assume your website developer, payment processor, or IT volunteer has taken care of PCI compliance. Verify that all requirements are being met.
Choosing the wrong SAQ: Using an inappropriate Self-Assessment Questionnaire can lead to incomplete compliance. Take time to carefully determine which SAQ applies to your situation.
How to Prevent These Mistakes
- Create written policies for handling payment data
- Establish regular review schedules for security measures
- Assign specific staff members to oversee compliance
- Document all payment processing procedures
- Conduct regular training for staff and volunteers who handle payments
What to Do If You Make Mistakes
If you discover compliance gaps or mistakes:
1. Don’t panic: Most issues can be resolved with proper corrective action
2. Document the problem: Understanding what went wrong helps prevent future issues
3. Take immediate corrective action: Address security vulnerabilities as quickly as possible
4. Review your processes: Determine how the mistake occurred and modify procedures to prevent recurrence
5. Seek help if needed: Don’t hesitate to consult with PCI compliance experts for complex issues
Getting Help
When to DIY vs. Seek Professional Help
You can likely handle compliance yourself if:
- You use third-party payment processors exclusively
- Your payment processing setup is simple and straightforward
- You have staff members comfortable with basic technology concepts
- Your organization processes fewer than 20,000 transactions annually
Consider professional help if:
- You store card data in your own systems
- You have complex payment processing requirements
- You’ve experienced security issues in the past
- You lack internal technical expertise
- You process more than 20,000 transactions annually
Types of Services Available
PCI compliance tools: Online platforms that guide you through the assessment process and help maintain ongoing compliance.
Security Consultants: Professionals who assess your systems and recommend specific improvements.
Managed Compliance Services: Companies that handle the entire compliance process on your behalf.
Payment Processor Support: Many payment processors offer compliance assistance as part of their services.
How to Evaluate Service Providers
When selecting a compliance service provider, consider:
- Experience with nonprofits: Look for providers who understand the unique challenges facing nonprofit organizations
- Transparent pricing: Avoid providers with hidden fees or unclear pricing structures
- Ongoing support: Compliance is an ongoing responsibility, so ensure you’ll have continued access to help
- References: Ask for references from other nonprofit clients
- Credentials: Look for providers with relevant certifications and industry recognition
Next Steps
What to Do After Reading This Guide
1. Assess your current situation: Review how your organization currently processes card payments
2. Identify your compliance level: Determine which SAQ applies to your organization
3. Create a compliance timeline: Set realistic deadlines for achieving compliance
4. Assign responsibilities: Designate specific staff members to oversee different aspects of compliance
5. Begin implementation: Start with the most critical security measures
Related Topics to Explore
- Cybersecurity training for nonprofit staff: Learn how to educate your team about security best practices
- Data retention policies: Understand what information you should keep and for how long
- Incident response planning: Develop procedures for handling potential security breaches
- Donor privacy protection: Explore broader privacy considerations beyond payment data
Resources for Deeper Learning
- PCI Security Standards Council official website
- Nonprofit cybersecurity resources from organizations like TechSoup
- Industry-specific compliance guides
- Cybersecurity training programs designed for nonprofit staff
Frequently Asked Questions
Q: How often do we need to renew our PCI compliance?
A: Your SAQ and Attestation of Compliance must be completed every year, and where your SAQ requires external vulnerability scans those run quarterly. You also need to revisit the assessment whenever your payment processing changes, for example when you add a new donation platform or card reader, because a change like that can move you to a different SAQ.
Q: What should we do if we suspect a data breach?
A: Treat it as an incident from the first minute. Contact your acquiring bank and payment processor immediately; preserve evidence (do not wipe, rebuild or “clean up” affected computers before they have been examined); document what you know with dates and times; and engage forensic help, since the card brands may require a PCI Forensic Investigator (PFI) for a suspected card data compromise. Prepare to notify affected donors as your state’s breach notification law requires. Having an incident response plan in place before you need it is crucial.
Q: Can volunteers help with PCI compliance efforts?
A: Yes, but ensure any volunteers involved in compliance activities have appropriate training and background checks. Limit access to sensitive information and maintain proper oversight of volunteer activities.
Q: Do we need compliance if we only accept donations at events a few times per year?
A: Yes, even occasional card processing requires PCI compliance. However, infrequent in-person processing usually allows the simplest route: a mobile card reader from a service such as Square or PayPal, with the donor inserting or tapping their own card, so that card numbers never reach your phones or laptops. If the reader is part of a validated point-to-point encryption (P2PE) solution you may be able to use SAQ P2PE, one of the shortest questionnaires.
Q: What’s the difference between PCI compliance and general cybersecurity?
A: PCI compliance specifically focuses on protecting payment card data, while general cybersecurity covers all aspects of your organization’s digital security. Both are important, but PCI compliance has specific legal and financial requirements.
Q: Should we stop accepting credit cards if compliance seems too complicated?
A: Stopping card acceptance would likely hurt your fundraising significantly. Instead, consider simplifying your payment processing by using compliant third-party services, which can dramatically reduce your compliance burden while maintaining donation convenience.
Conclusion
PCI compliance might seem daunting at first, but it’s an essential investment in your nonprofit’s future. By protecting your donors’ payment information, you’re safeguarding both their trust and your organization’s ability to continue its important work.
Remember that compliance is not a one-time achievement but an ongoing commitment to security best practices. Start with the basics, build good habits, and don’t hesitate to seek help when you need it.
The most important step is getting started. Every day you delay compliance is another day your organization and donors remain vulnerable to security threats.
Ready to begin your PCI compliance journey? Use our free PCI SAQ Wizard tool at PCICompliance.com to determine which Self-Assessment Questionnaire your nonprofit needs and get started with step-by-step guidance. PCICompliance.com helps thousands of businesses achieve and maintain PCI DSS compliance with affordable tools, expert guidance, and ongoing support tailored specifically for organizations like yours.
Take the first step toward protecting your donors and securing your mission today.