Credit Card Security for Non-profits
Ecommerce is a way of life, and that includes non-profits receiving donations. Unfortunately, email was not designed with confidentiality in mind: a message is typically stored in plaintext on the sender's and recipient's mail servers and in both mailboxes, so a credit card number sent by email is exposed to anyone who gains access to any of those accounts along the way. Anyone who wants to run a reputable business or non-profit should have a secure ecommerce system in place to accept credit card information.
If someone sends you sensitive financial data, such as credit card information, via email, it is best to contact that person rather than using the information or forwarding it to another department. Once card information has travelled through email you cannot know whether it has been intercepted and used fraudulently, and forwarding it only multiplies the copies. Businesses that do a high volume of transactions and have accepted financial data via email have often had payments held up by fraud investigations. They can also receive chargebacks: a chargeback reverses the payment and charges a fee to the merchant (or donation recipient) when the cardholder disputes a transaction. Organizations with too many chargebacks can have their agreement for a specific card brand terminated, which removes their ability to accept that card from anyone in the future.
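Staff cannot act on the advice above unless card numbers arriving by email are noticed in the first place. The script below is an added example, not code from the original post or from Sumac: it scans an email body for candidate card numbers, confirms them with the Luhn check that every real card number passes, and masks them so the message can be forwarded or filed without carrying the full number. The sample email is constructed for the example, using the publicly known Visa test number 4111 1111 1111 1111; the regular expression and the 13 to 19 digit length range are assumptions that cover the common card brands.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes,
# which is how people usually type a card number into an email.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every valid card number (PAN),
    false for most typos and for unrelated digit strings such as
    tracking or reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list[str]:
    """Return the digit-only card numbers found in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if _is_pan(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each detected card number with a masked form that keeps
    only the last four digits, so the text can be forwarded or logged."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if _is_pan(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()    # not a card number: leave it alone
    return _CANDIDATE.sub(_mask, text)


# Constructed sample email: one real-format (test) card number, a phone
# number that is too short, and a 16-digit reference that fails Luhn.
SAMPLE_EMAIL = """Hi, please charge my donation of $50 to my Visa.
Card: 4111 1111 1111 1111, exp 12/29. Phone 416-555-0199.
Ref no. 1234567890123456 is the courier tracking number."""


if __name__ == "__main__":
    print("card numbers found:", find_pans(SAMPLE_EMAIL))
    print(mask_pans(SAMPLE_EMAIL))
```

Run this at the point where mail enters the organization (a mail gateway rule or a mailbox add-on) to flag the message for the staff member to phone the donor, and only ever store or forward the masked text; the full number should be keyed straight into the payment system and not retained anywhere else.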
If for some reason your non-profit doesn't have a secure ecommerce system set up yet, here are a few safer ways for donors to send financial data:
- Send it via an encrypted file-transfer service, such as Dropbox, rather than as an email attachment
- Use a self-destructing message website, such as One Share, so the number is not kept after it is read
- Phone it in, and have the staff member key the number directly into the payment terminal without writing it down
None of these is a substitute for a compliant payment system: they only limit exposure in transit. Whatever the channel, enter the card number into the payment system immediately, then delete it from the shared folder, message or mailbox, because any place it remains stored (a mailbox, a shared folder, a note on a desk) falls within the scope of your PCI obligations. The phone option is the lowest risk precisely because no copy of the number needs to exist outside the payment system.
More and more non-profits are setting up secure ecommerce sites to protect themselves and their donors. To deal with the issues of fraud the card brands created the PCI Security Standards Council, which maintains the PCI DSS (Payment Card Industry Data Security Standard), a set of security requirements for any organization that stores, processes or transmits cardholder data. Any non-profit that accepts credit card payments should be PCI DSS compliant.
Merchants in the highest-volume level are required to have an annual on-site assessment of their security controls by a Qualified Security Assessor (QSA) accredited by the PCI Security Standards Council. Smaller organizations are instead allowed to self-certify: they complete a Self-Assessment Questionnaire (SAQ) each year and, depending on how they accept cards, have quarterly external vulnerability scans run by an Approved Scanning Vendor. Non-profits that rely on a third-party payment application to handle cardholder data also need that application to be validated under PA-DSS, the Payment Application Data Security Standard. If someone wanted to see whether Sumac is PA-DSS validated, all they have to do is visit the PCI Security Standards Council website and search the list of validated payment applications for the name Sumac. Yes – Sumac is PA-DSS validated. This means the application has been assessed by a certified third-party assessor against the standard's requirements for secure storage and transmission of cardholder data; it does not by itself make the organization using the application compliant, which still depends on how it is deployed and operated. (PA-DSS has since been retired in favour of the PCI Software Security Framework, so newer validations are listed under that programme.)
Below you will find some tips for running a strong ecommerce system:
- Build a secure network – PCI DSS requires any organization handling cardholder data to maintain a secure network. This involves installing and maintaining a properly configured firewall to isolate systems that handle cardholder data, changing vendor-supplied default passwords and settings on every device before it goes into service, and running regular vulnerability scans.
- Train staff – make sure that your staff know how to look for irregularities and are aware of their responsibilities in terms of security.
- Consider 2-factor authentication – this is a two-step verification system that requires a second factor, such as a code from an authenticator app or a hardware token, in addition to the username and password, so that a stolen password alone does not grant access. PCI DSS requires multi-factor authentication for administrative and remote access to systems that handle cardholder data.
- Use strong access control measures – limit access to cardholder and other sensitive information to the staff who need it for their role, and review those permissions regularly. Outside guidance from a security expert can help ensure your network is secure.
- Shift the burden – much of the responsibility can be transferred to a service provider that already offers a secure payment process, typically by redirecting donors to the provider's hosted payment page so that card data never touches your own systems. PayPal is an example of such a service. This greatly reduces, but does not eliminate, your PCI obligations: you still complete the shortest self-assessment questionnaire and must keep the donation page that performs the redirect from being tampered with.
While credit card security measures may sound cumbersome, the reality is that taking the time to ensure your organization and your donors are safe is time well spent when you consider the negative consequences of not having a secure network.