October 4, 2023

Mitigate Online Donation Risks

Taking donations online is a huge benefit to nonprofit organizations, but online payments also expose the organization to risk. To safeguard their operations and their donors' financial information, nonprofits must prioritize Payment Card Industry (PCI) compliance and third-party risk management.

Nonprofits are at higher risk of credit card testing attacks than many other organizations because of functionality embedded in their websites. Most nonprofits have a "Donate Now" button, an e-store, or another way to support the organization, and the general practice is to make it as easy as possible for someone to contribute, often with no login and no minimum amount. That same convenience creates a significant risk of card testing attacks.

In a credit card testing attack, perpetrators take advantage of a lack of controls on these payment forms to find out which stolen card numbers are still active. They submit a high volume of small donations, typically around $1, each with a different stolen card, and keep the ones the issuer approves. Although the individual cardholder is the real target, the nonprofit ends up as collateral damage: it is stuck with processing fees on every attempt, chargebacks when cardholders dispute the charges, insurance claims (assuming the organization has cyber insurance), and a forensic investigation to identify the root cause. Understanding PCI compliance, third-party risk management, and a few basic controls goes a long way toward protecting your organization.
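The pattern described above is detectable from the processor's own transaction log: one source address, many different cards, tiny amounts, and mostly declines, all inside a few minutes. The following is an added example, not code from the article or from GRF, showing velocity-based detection over a constructed log. It assumes the gateway exports per-attempt records with a timestamp, client IP, a card token (never the full card number), the amount, and the issuer's approve/decline response; the field names, thresholds, and sample records are assumptions for illustration.

```python
"""Velocity-based detection of card-testing runs against a donation form.

Added example (not from the original article). Assumes the payment
gateway exposes a transaction log with, per attempt: timestamp, client IP,
a card token (hypothetical BIN plus last four, never the PAN), the amount,
and whether the issuer approved the charge. Field names, thresholds, and
the sample records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime      # when the gateway saw the attempt
    ip: str           # client IP as reported by the web server
    card: str         # hypothetical card token (BIN-last4); never the PAN
    amount: float     # donation amount in dollars
    approved: bool    # issuer response


@dataclass(frozen=True)
class Alert:
    ip: str
    window_start: datetime
    attempts: int
    distinct_cards: int
    decline_rate: float


def detect_card_testing(
    attempts,
    window=timedelta(minutes=10),
    min_attempts=8,
    min_distinct_cards=5,
    small_amount=5.0,
    min_small_share=0.8,
    min_decline_rate=0.5,
):
    """Flag source IPs whose recent attempts look like a card-testing run.

    A legitimate donor retries one card a couple of times. A card tester
    submits many *different* cards, at tiny amounts, and most are declined.
    All signals must be present inside one sliding time window.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    alerts = []
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            # slide the left edge so rows[start:end + 1] fits in `window`
            while rows[end].ts - rows[start].ts > window:
                start += 1
            batch = rows[start:end + 1]
            if len(batch) < min_attempts:
                continue
            small_share = sum(a.amount <= small_amount for a in batch) / len(batch)
            cards = {a.card for a in batch}
            decline_rate = sum(not a.approved for a in batch) / len(batch)
            if (small_share >= min_small_share
                    and len(cards) >= min_distinct_cards
                    and decline_rate >= min_decline_rate):
                alerts.append(Alert(ip, rows[start].ts, len(batch),
                                    len(cards), decline_rate))
                break  # one alert per IP is enough to trigger a block
    return alerts


def sample_log():
    """Constructed sample: one real donor retrying, plus one card-testing run."""
    t0 = datetime(2023, 10, 4, 14, 0, 0)
    donor = [
        Attempt(t0, "203.0.113.7", "411111-1111", 50.0, False),
        Attempt(t0 + timedelta(minutes=1), "203.0.113.7", "411111-1111", 50.0, True),
    ]
    # 12 different cards, $1 each, ten seconds apart, three approved
    tester = [
        Attempt(t0 + timedelta(seconds=10 * i), "198.51.100.23",
                f"541111-{1000 + i:04d}", 1.0, i % 4 == 0)
        for i in range(12)
    ]
    return donor + tester


if __name__ == "__main__":
    for alert in detect_card_testing(sample_log()):
        print(alert)
```

The thresholds are the tunable part: set the window and attempt count just above what a single human can plausibly produce on your form, and alert the processor (or pause the form) on the first hit rather than waiting for the run to finish.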

What is PCI Compliance?

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements maintained by the PCI Security Standards Council to protect cardholder data from theft and fraud. The standard is not a law; the card brands impose it through the contracts merchants sign with their acquiring banks and payment processors. Although it is commonly associated with businesses, any nonprofit that accepts credit card payments is subject to the same requirements. Outsourcing payment handling to a hosted donation page narrows the organization's PCI scope but does not remove it; the nonprofit still has to validate its compliance, typically through an annual Self-Assessment Questionnaire (SAQ). Compliance with PCI standards helps ensure that donors' payment information remains secure.

Why Is PCI Compliance Important for Nonprofits?

Protects Donor Trust:
Donors want to know that their financial information is safe when they contribute to a nonprofit. PCI compliance helps build and maintain trust, ensuring that their data won’t fall into the wrong hands.

Minimizes Legal Risks:
Noncompliance can lead to fines and other penalties. The fines are contractual, levied by the card brands through your acquiring bank or processor, and can be accompanied by higher processing rates or loss of the ability to accept cards at all; a breach also triggers notification obligations under state breach laws. By adhering to PCI standards, nonprofits reduce the chance of these financial and legal consequences.

Safeguards Reputation:
News of a data breach can damage a nonprofit’s reputation. Maintaining PCI compliance demonstrates a commitment to donor security and can help prevent reputational damage.

The Importance of Third-Party Risk Management

Nonprofits often rely on third-party payment processors to handle online transactions. While these partnerships offer convenience, they also introduce potential vulnerabilities. To enhance controls and minimize risk, consider the following recommendations:

Vendor Due Diligence:
Choose a reputable provider with a strong track record of safeguarding donor data. Before partnering with a payment processor, thoroughly research their security practices and compliance status. Request and review their PCI Attestation of Compliance (AOC) and System and Organization Controls (SOC) audit reports when available, and confirm that the report covers the specific service you are buying and a recent period. Consider using GRF's IT, Privacy, and Third-Party Risk Management Checklists when evaluating new vendors.

Contractual Protections:
Include security and compliance requirements in your contracts with third-party vendors. Specify that they must maintain PCI DSS compliance, conduct regular security audits, and notify you within a defined time frame of any breach affecting your donors' data.

Regular Monitoring:
Periodically review your payment processor's security practices and compliance status, for example by obtaining their updated AOC each year. Ensure they remain committed to protecting your organization and donors. Consider using technologies like the GRF Cybersecurity Scorecard to monitor risks and vulnerabilities with your third-party vendors.

Anti-Fraud Controls:
Require vendors to provide fraud detection and "Completely Automated Public Turing Test to tell Computers and Humans Apart" (CAPTCHA) controls on donation forms to reduce the risk of card testing attacks. Useful settings include velocity limits (a cap on attempts per IP address or session within a given window), a minimum donation amount, address verification (AVS) and card security code (CVV) checks, and an alert when the decline rate spikes. To detect fraudulent activity more broadly, consider setting up a whistleblower platform to receive anonymous complaints from employees, third parties, and the general public.

Incident Response Plan:
Develop a clear and effective incident response plan for a data breach or a card testing incident: who contacts the processor to pause the donation form, who reviews the affected transactions, and how affected donors are notified promptly.

Insurance Coverage:
Verify that the third party has adequate insurance coverage to support proper remediation of a breach and to ensure continuity of business operations.

Employee Training:
Train your staff to recognize and report suspicious activity, such as a burst of $1 donations from unfamiliar names. Security awareness training for your team helps reduce internal risk.

GRF Can Help

Maintaining PCI compliance and strong third-party risk management are vital for nonprofit organizations to reduce the risks associated with online payments. Prioritizing these practices not only protects donor data but also helps maintain trust, avoid legal troubles, and safeguard your nonprofit’s reputation.

GRF can help you implement these recommendations to enhance controls and minimize the risk of fraudulent activity, ensuring a safer environment for online donations. If you have any questions, contact Mac Lillard at the contact info below for more information.

Mac Lillard, CPA, CIA, CFE, CISA, CRISC, CITP

Senior Manager, Risk & Advisory Services