PCI Compliance

Hi, I'm after some advice/guidance from other charities on how they are coping with PCI compliance. Raisers Edge is PCI compliant, but obviously each charity also has to be PCI compliant, which is where I am a bit hazy on exactly what is required.

Currently we use Raisers Edge Batch to process credit card donations which we receive via the post, and the donation slips are destroyed afterwards. We have been advised that because we are entering credit cards into a PC on our network, it is possible someone could hack our network and place a key-logging program onto it, meaning someone could potentially obtain credit card details.

The regulations suggest you need firewalls, regular penetration tests etc., which sounds very expensive, but I'm wondering if this is actually the case, or whether there are some simple, low-cost steps we can take to ensure compliance? Currently we are discussing if we should stop processing credit cards via Raisers Edge completely so we don't have to worry about requiring the higher level of PCI compliance - but I'm concerned we may be making decisions based on not having enough knowledge/information.

We are planning to get a PCI assessor to come in and help us, but any advice anyone could give me on what you may have done in your charities would be really helpful - thanks in advance. James

Comments

  • JoAnn Strommen
    In reply to James Measey:

    Your bio doesn't say what type of org you work for, but regardless, I would sure hope you have some firewall and security programs on your network. As it is reported in the news quite frequently, it would seem just about any business could be subject to hacking.

    If you "stop processing credit cards via Raisers Edge completely" are you saying that you will not accept any credit card payments? If you use other software for membership/events/accounting for processing credit card payments, it's all subject to the same requirements.

    Side note, I don't know where you are located, but you may want to check with your auditor/tax advisor about completely destroying donation slips. Ours are kept with the card number removed/obliterated except the last 4 digits. For another, for-profit business I work for, I am also required to keep some documentation of charges made in a PCI compliant manner.

    Your PCI assessor should be able to give you some advice.
