Did you know that if you handle credit card information for the purpose of processing donations or payments, you need to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS, but often referred to as just PCI compliance)? We’ll tell you everything you need to know, including how Sumac can help with compliance.
What is PCI DSS?
The PCI DSS was established by the credit card industry to increase controls around cardholder data to reduce credit card fraud via its exposure. The standard includes 12 requirements. You can read them in entirety here.
Does My Non-profit Need to Comply?
According to the Standard, compliance is necessary if your organization “stores, processes and/or transmits cardholder data.” Essentially, if your non-profit accepts credit card payments, you will need to comply.
Requirements for compliance, however, vary widely depending on the types of processing you do and the volume of credit card transactions processed. Merchants fall into one of four levels. Most non-profits fall into the lowest processing volume category (Level 4 with less than 20,000 Visa/MC transactions per year), where the primary requirement is completion of a PCI self-assessment questionnaire and a mandate to use Payment Application-Data Security Standard (PA-DSS) compliant payment applications.
What’s a PA-DSS Compliant Payment Application?
A compliant payment application will allow you to handle credit card data in the way stipulated in the Standard. You can see what payment applications have been validated by visiting the PCI Security Standards Council website and typing the company name. Sumac is a PA-DSS compliant payment application.
What this means is that Sumac has been assessed by a certified third party organization to ensure the compliance of both the software and its supporting documentation and procedures. This ensures that Sumac complies with detailed standards regarding secure storage of data, secure transmission of data, strong access controls, and many other technical requirements. Information about Sumac security and risk management is documented here.
Why Should PCI Compliance Be Important to My Organization?
Even though compliance has not been made mandatory for all Level 4 merchants, your organization could receive substantial fines (as much as $500,000) if cardholder data is breached and your non-profit is not compliant.
Equally important is the simple need to protect your donors and their data they’ve entrusted with your organization.