An Overview of Secure Credit Card Donation Processing & PCI Compliance
September 7, 2011 By Mark Sutton
When you look at the online fundraising tools used by your organization, often it’s easier to relate to the donor-facing tools or the area of service that your administrators use. However, the back office, credit card processing pipes and infrastructure are critically important to the security of your service and safety of your donors' personal information.
We typically don’t give much thought to this part of online donation-processing systems until something goes wrong, as it has recently in several high-profile cases involving major for-profit companies.
The reality is that online credit card processing is very safe and secure, thanks in large part to the Payment Card Industry Data Security Standard (PCI DSS) created by the PCI Security Standards Council (PCI SSC). PCI SSC was created by the major credit card companies to unify their security standards. The objective was to protect sensitive credit card information and reduce credit card fraud.
You definitely don’t need to become a certified expert in credit card processing, but it’s good to know about best practices for credit card security so you ask the right questions of your donation-processing provider and are knowledgeable when talking about this with your staff, supporters and board members.
So what is PCI compliance all about?
PCI standards seek to ensure that sensitive data such as credit card numbers and personally identifiable information are gathered through appropriate systems and physical security measures. Any entity that stores, processes or transmits payment cardholder data must be PCI-compliant. There are four levels of PCI compliance, based mainly on the number of transactions the merchant or processor handles annually and on whether those transactions occur on the Internet (card not present) or in a physical location (card present).
PCI Level 1 is the most secure level of PCI compliance and is typically for merchants that process more than 6 million Visa (or MasterCard, etc.) transactions annually. PCI Level 4 — the least stringent security level — is for merchants processing up to 1 million transactions annually. PCIComplianceGuide.org is a resource that provides complete information regarding PCI compliance levels.