Payment Card Industry (PCI) Compliance and Your Nonprofit Organization

November 21, 2018

By Mac Lillard, CPA, CITP, CISA, CFE | Audit Senior Accountant

According to the Payment Card Industry Data Security Council (PCD DSC) any organization that stores, processes, and/or transmits cardholder data is required to be compliant with Payment Card Industry Data Security Standard (PCI DSS). There is a common misconception that use of a third-party provider to process and store cardholder data shields you from PCI requirements. As a result, many organizations are unaware that they are required to be in compliance and/or are unfamiliar with how to achieve and maintain compliance, and may be subject to fines between $5,000 – $500,000 if they do not conform with the applicable standards. If your organization accepts credit card payments of any kind, you should become familiar with PCI compliance requirements, determine which level of compliance applies to your organization, and take proactive steps toward meeting the requirements.

PCI DSS compliance is broken down into 4 levels:

• Level 1 – over 6,000,000 e-commerce transactions annually
• Level 2 – 1,000,000 – 6,000,000 e-commerce transactions annually
• Level 3 – 20,000 – 1,000,000 e-commerce transactions annually
• Level 4 – Less than 20,000 e-commerce transactions annually

Most nonprofit organizations will fall into levels 3-4 and may be required to have quarterly network scans performed by an approved scanning vendor, complete an annual Self-Assessment Questionnaire (SAQ), and have an Attestation of Compliance Form. The type of SAQ an organization should undergo is dependent on how the organization handles e-commerce transactions:

SAQs evaluate the organizations’ systems based on the 12 PCI DSS requirements summarized into 6 broad categories or “goals”. The goals are as follows:

PCI DSS affects all nonprofits and associations, but many are still unaware of the monetary and regulatory liabilities it poses if their compliance is deficient. For those who need more information, resources are available through the PCI DSS Quick Reference Guide and the PCI DSS Self-Assessment Questionnaire Types.

Consulting an advisor with expertise in PCI DSS compliance is a good first step toward developing a plan for compliance. If you have questions or concerns about your organization’s PCI compliance and how to meet the requirements, please contact Mac Lillard, CPA, CISA, CITP, CFE Audit Senior Accountant at 301-951-9090 or mlillard@grfcpa.com.