Is your online donation processing compliant?
Warning: There are technical issues addressed in this article. Don't stop reading!

Web merchants who collect credit card donations via web sites are facing a deadline this month to provide better security. We have asked Kurt Hansen of Charity Web (charityweb.net) some questions regarding this looming deadline. Charity Web provides online donation processing for nonprofits. We hope that at the end of this article you will know what questions to ask your IT staff or online donation vendor.

NPA: Can you briefly explain what the "Payment Card Industry (PCI) Data Security Standards" are?

KH: They are a set of standards, 12 to be exact, defined by the Payment Card Industry for keeping cardholder data safe and secure from theft or misuse. Cardholder data is defined as any personally identifiable data, e.g. name, address, phone number, etc., that is accompanied by a credit card number. The standards come into effect when the credit card number is included with the personally identifiable data.

NPA: Does this set of standards affect nonprofits?

KH: Yes. Quoting from the manual, "these standards apply to all members, merchants, and service providers that store, process, or transmit cardholder data." Thus, if you accept credit cards or store credit card information for later payment, you are required to comply with the standards. However, what you need to do to prove compliance varies depending on how many transactions you process and how you process them. If you process more than 20,000 e-commerce transactions per year through any one card, e.g. Visa or MasterCard, or 6,000,000 transactions per year for one card through any medium (including direct mail and phone), you have a June 30, 2005 deadline for proving compliance. If you are under those limits, your proof of compliance is voluntary, but you still must abide by the standards.

NPA: Who is governing this and what are the consequences for noncompliance?

KH: That's a good question. It's a bit hard to find out.
Nonprofits are probably finding out about this from their merchant account provider, usually their bank. The banks will be the ones verifying compliance in most cases. However, the major credit card companies, Visa, MasterCard, Amex, and Discover, are the ones who have come up with these standards and are requiring them of their customers who use their networks. They have had independent programs for a few years but have decided to combine them into one set of standards. If you are in compliance with any one of those programs, you are in compliance with all and with the PCI standards. Non-compliance can result in fines which can be in the $1,000s. Banks could also choose to cancel an account and make it hard to get a new one. If cardholder data is stolen and one is found to be in non-compliance, Visa has threatened to issue fines of $500,000 and hold the entity liable for all losses.

NPA: Most of our readers are managers or fundraisers. Who should they ask about compliance with the Data Security Standards?

KH: They should question their accounting, finance, and IT departments about compliance. They also need to talk to any service provider who might see or store a credit card number, e.g. e-commerce provider, telemarketing firms, data storage companies, sustainer management companies, etc.

NPA: What questions should they ask?

KH: There are three they need to ask:

NPA: Briefly, what steps did Charity Web take to ensure that their donation processing is secure and compliant?

KH: CharityWeb is a Tier 3 provider. So, we are required to fill out a questionnaire annually and have a third party scan our network quarterly. We are on target for getting this done by June 30th. The questionnaire is designed to ensure that a large organization is safe and secure. Since we are a small company that uses only open source software, which has proven to be more stable, some of the requirements are redundant, but we are implementing them anyway.
NPA: Is there anything that our readers should know regarding this new set of regulations?

KH: First, DON'T PANIC. These standards were only set last December and have not been well advertised. VeriSign Payment Services, one of the largest Tier 1 entities, only became compliant on March 1st, 2005, even though they had an earlier deadline. My guess is that if you are a Tier 2 or 3, do your best to be compliant by June 30th. If there are standards you can't meet, have an action plan ready with dates for getting compliant.

Second, these standards apply to ALL entities processing or storing credit card numbers, be they primarily Web-based or not. This includes database companies, telemarketing firms, or any firms that may be storing cardholder data for you. My experience with such off-line, "traditional" firms is that they are a bit more cavalier about keeping credit card data secure.

Third, here are some links for learning more about the PCI Data Standards:

Visa CISP is Visa's predecessor to PCI. The 4 Tiers are explained on this page. Also, links to relevant PCI documents, especially the self-assessment questionnaire, on the left:

Wells Fargo Information for customers (good overall explanation of PCI):

For more specific information on PCI Data Security Standards, see the Visa site at: http://usa.visa.com/download/business/accepting_visa/...

NPA: Kurt, thanks for explaining this to us and our nonprofit clients and subscribers.

June 2005