For most nonprofit professionals, PCI compliance was something we could ignore, knowing that we had selected a PCI compliant payment processor. But that all changes in 2025 with new requirements in PCI DSS 4.0.
The following guide walks you through what PCI compliance is, how it impacts nonprofit organizations, and what you should do to protect your organization and your supporters' credit card information.
What is PCI Compliance?
PCI Compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
The PCI DSS was developed by major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) to protect cardholder data from breaches and fraud.
Who is required to be PCI Compliant?
PCI compliance is required for any organization that stores, processes, or transmits credit card information. This includes:
1. Merchants
Any business that accepts or processes card payments, regardless of size or volume of transactions.
2. Service Providers
Companies that handle, store, or process cardholder data on behalf of merchants, such as payment processors, hosting providers, and software developers involved in payment processing.
3. Financial Institutions
Banks and other institutions involved in payment card transactions.
Even if a business outsources card processing to a third party, it is still responsible for ensuring the PCI compliance of that third party.
Are Nonprofits required to be PCI Compliant?
Yes, any nonprofit organization that collects payments on its website is required to be PCI compliant. While you may not consider yourself one, every nonprofit is considered a merchant in the eyes of the credit card payment industry.
And you should want to be compliant!
The primary goal of PCI compliance is to prevent fraud and protect cardholders' private information. Taking PCI compliance seriously ensures that your supporters' data is protected and your organization is secure, and it reduces the likelihood of hacking or fraud on your website.
What are key elements of PCI Compliance?
Most of the requirements for PCI compliance are rather technical and handled by IT or web development professionals. However, here is a summary of some key requirements that should be considered.
1. Build and Maintain a Secure Network:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data:
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
3. Maintain a Vulnerability Management Program:
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures:
- Restrict access to cardholder data by business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks:
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
6. Maintain an Information Security Policy:
- Maintain a policy that addresses information security for employees and contractors.
What are the consequences of not being PCI Compliant for a Nonprofit?
Failing to comply with PCI DSS (Payment Card Industry Data Security Standard) can lead to several serious consequences for nonprofit organizations that process credit cards:
Fines and Penalties
Non-compliance can result in hefty fines from the payment card networks (Visa, MasterCard, etc.). These fines can range from $5,000 to $100,000 per month, depending on the level of non-compliance and the size of the organization.
Increased Transaction Fees
Credit card companies may increase transaction fees for non-compliant merchants, making it more expensive to process card payments.
Liability for Fraud
If a security breach occurs and the company is found to be non-compliant, it may be held financially responsible for fraudulent transactions, which can be costly.
Legal Action
Victims of a data breach may pursue legal action against the business for damages resulting from the loss of personal or financial information. This can lead to expensive lawsuits and settlements.
Loss of Payment Processing Privileges
Payment card companies may revoke a business’s ability to process credit card transactions if they are found to be non-compliant, leading to a significant loss of revenue.
Damage to Reputation
A data breach or failure to comply with PCI DSS can harm a company’s reputation, causing customers to lose trust in the brand. This can result in a loss of customers and potential business.
Compliance helps protect nonprofits from these risks and ensures they can securely handle payment data.
What is changing with PCI 4.0 and why?
Before PCI DSS 4.0, so long as the credit card data never touched your organization’s server, you were automatically compliant. This worked well for embedding donation forms in popups. Even though users appeared to stay on your site, all the credit card handling actually occurred on the payment processor’s servers.
However, hackers and other ne'er-do-wells have figured out how to exploit out-of-date scripts on payment forms.
Due to a number of high-profile attacks on exactly that sort of setup, in 2022 PCI DSS 4.0 introduced new mandates specifically for sites that embed donation and payment forms. As of mid-2024 these requirements are optional best practices; after March 31, 2025 they become mandatory.
How does it impact your nonprofit?
If you don't have payment forms anywhere on your website, then you don't need to worry about being PCI compliant. Because you never accept credit card information, none of the requirements apply to you.
Based on this understanding, Cornershop's recommendation for most nonprofits, especially smaller organizations that don't want the extra responsibility of compliance, is to use platforms that provide PCI compliance and process transactions on a separate, standalone payment page, as opposed to a form on your website, embedded or otherwise. This is the easiest solution to ensure you are meeting PCI compliance and have no further requirements to scan your website.
Alternatively, if you want to continue to accept payments on your website, then you are required to follow new PCI Compliance rules, which will require quarterly scans (see below). There is a comprehensive list of Approved PCI Scanning Vendors from the PCI Security Standards Council.
Of course, you should always consult your legal counsel about what requirements you have around PCI compliance.
What are the actual requirements for nonprofits?
The latest requirements that impact all users are as follows:
- 6.4.3 All payment page scripts that are loaded and executed in the consumer's browser are managed as follows:
  - A method is implemented to confirm that each script is authorized.
  - A method is implemented to assure the integrity of each script.
  - An inventory of all scripts is maintained with written justification as to why each is necessary.
- 11.6.1 A change- and tamper-detection mechanism is deployed as follows:
  - To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
  - The mechanism is configured to evaluate the received HTTP header and payment page.
  - The mechanism functions are performed as follows:
    - At least once every seven days, OR
    - Periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
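To make 6.4.3 and 11.6.1 concrete, here is an added example (not code from the original post, the PCI SSC, or any vendor named here) of the kind of check they describe: it keeps a written inventory of authorized scripts with expected Subresource Integrity hashes, parses a copy of the payment page as a browser would receive it, flags added, changed, or missing scripts, and compares the response headers against a baseline. The page HTML, inventory, hashes, and headers are all constructed sample data; the `.example` hosts and the `sha384-EXPECTED_HASH_PLACEHOLDER` value are placeholders.

```python
import base64
import hashlib
import re

def sri_hash(content: bytes) -> str:
    """Subresource Integrity digest as browsers expect it: 'sha384-<base64>'."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

# Constructed sample data, not taken from any real processor. The inventory is the
# written record 6.4.3 asks for: each script, why it is needed, and its expected hash.
AUTHORIZED_INLINE = b"document.getElementById('amount').focus();"
INVENTORY = {
    "https://js.processor.example/v3/card.js": {"why": "processor card-field library",
                                                "integrity": "sha384-EXPECTED_HASH_PLACEHOLDER"},
    sri_hash(AUTHORIZED_INLINE): {"why": "focus the amount field on load", "integrity": None},
}
BASELINE_HEADERS = {  # headers 11.6.1 says to compare against what the browser receives
    "content-security-policy": "script-src 'self' https://js.processor.example",
    "strict-transport-security": "max-age=31536000",
}
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def page_scripts(html: str):
    """Yield (src, integrity, body) for every <script> tag in the page."""
    for attrs, body in SCRIPT_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        yield a.get("src"), a.get("integrity"), body

def audit_payment_page(html: str, headers: dict) -> list:
    """Findings an 11.6.1 tamper check would alert on; an empty list means no change."""
    findings, seen = [], set()
    for src, integrity, body in page_scripts(html):
        key = src or sri_hash(body.strip().encode())  # inline scripts are keyed by hash
        entry = INVENTORY.get(key)
        if entry is None:  # an added script, or an inline script whose content changed
            findings.append(f"unauthorized script: {src or 'inline ' + key[:24]}")
            continue
        seen.add(key)
        if src and integrity != entry["integrity"]:  # 6.4.3 integrity check
            findings.append(f"integrity attribute missing or changed: {src}")
    for key in INVENTORY.keys() - seen:  # a deleted authorized script is also a change
        findings.append(f"authorized script missing: {key[:40]}")
    received = {k.lower(): v for k, v in headers.items()}
    for name, expected in BASELINE_HEADERS.items():
        if received.get(name) != expected:
            findings.append(f"header changed: {name} = {received.get(name)!r}")
    return findings

# Constructed page as a browser would receive it: one unknown script and a weakened CSP.
PAGE_HTML = """<html><head>
<script src="https://js.processor.example/v3/card.js" integrity="sha384-EXPECTED_HASH_PLACEHOLDER" crossorigin="anonymous"></script>
<script>document.getElementById('amount').focus();</script>
<script src="https://static.unknown.example/t.js"></script>
</head><body><form id="donate"></form></body></html>"""
RECEIVED_HEADERS = {"Content-Security-Policy": "script-src *", "Strict-Transport-Security": "max-age=31536000"}
```

Running `audit_payment_page(PAGE_HTML, RECEIVED_HEADERS)` on the sample returns two findings (the unknown script and the changed Content-Security-Policy header); scheduling such a fetch-and-compare at least every seven days, and alerting on a non-empty result, is the mechanism 11.6.1 asks for.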
Do all nonprofits need to meet the same requirements?
Your compliance requirements are based on a variety of factors, including:
- How/where you collect payments: Third-party hosted forms are likely the responsibility of the third party (but not always, so check with your provider on any requirements), whereas embeds, iframes, and API forms require scanning.
- Whether you use API integrations to transmit data: If you are using an API to transmit data, you are required to use an Approved Scanning Vendor (ASV).
- Whether administrators can control or edit the payment form (e.g., by adding scripts): Having control over the payment page to add scripts requires using an ASV.
- How many transactions you process: Fewer than 20,000 transactions per year results in fewer requirements and no reporting submissions.
When is an organization required to have scanning?
As mentioned above, there are a number of variables that impact your requirements for scanning. If you are unsure, we always recommend that you seek guidance from a legal authority or ASV.
Based on our understanding at Cornershop:
- If you have control over your payment forms, embed forms on your website, or use API integrations on your payment forms, it is required to run scans
- If your transaction volume is greater than 20,000 per year, then scans should be performed by an ASV who will handle all compliance and submission requirements
When in doubt, it's always best to work with an ASV who can guide you on requirements, perform detailed scans, and ensure you are compliant.
How do I find an Approved Scanning Vendor (ASV)?
Approved Scanning Vendors are located at: https://listings.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
Our friends at Engaging Networks recommend using ControlCase for all their clients and scanning needs.
For organizations not required to use an ASV (i.e., fewer than 20,000 transactions per year), Cloudflare's Page Shield product is one option, but there are many ways to perform this necessary vulnerability scanning.
What should my nonprofit do?
It depends greatly on what payment processor you use and what platforms you use to collect payment information.
Many platforms are offering new tools to make their platforms PCI Compliant. Other flexible platforms, like Engaging Networks, are providing reports to scan for low volume pages that can be removed and connecting clients to a preferred ASV.
Here are some recommendations for a few of our favorite platforms:
Engaging Networks:
- Removing/archiving low-volume forms. The fewer live forms, the fewer things that need to be PCI compliant. Engaging Networks provides you a report to view your older and low-volume forms.
- Review report and update any forms to remove unnecessary scripts. Engaging Networks provides a report to monitor this too.
- Rebuild Forms/Templates. If you have highly customized forms, then you might need to scale back some scripts and change functionality.
- Hire an ASV. All Engaging Networks clients are required to use an ASV — they recommend ControlCase — to meet scanning requirements.
- Ongoing monitoring of scripts and archiving of old forms using the reports mentioned above.
Luminate Online:
- Removing/archiving low-volume forms. The fewer live forms, the fewer things that need to be PCI compliant. We can help you identify your older and low-volume forms so they can be archived. You can do that archiving work yourself, or we can take care of it for you.
- Changing the transaction element on all live forms to the new PCI compliant transaction fields. Later this year, Luminate Online will release these new fields, and we’ll be on hand to help you implement them.
Need help with this? Contact us to provide an estimate to do this for you.
Gravity Forms & WooCommerce
The PayPal and Stripe add-ons both offer a PCI-avoidance feature that directs the user to an offsite form. If you collect payments with Gravity Forms or WooCommerce, we recommend using one of these add-ons (or another that works in a similar manner; we just haven't seen any yet).
Need help with this? Contact us to provide an estimate to do this for you.
GiveWP
Since GiveWP forms are hosted on your website, nonprofits are required to perform regular scans to ensure PCI compliance. Speak with an ASV to understand your requirements.
Need help with this? Contact us to provide an estimate to do this for you.
FundraiseUp
The FundraiseUp platform is fully PCI Level 1 compliant, regardless of whether you host the form on their servers or on a stand-alone page. As mentioned above, if you use their stand-alone page, then you have no further action.
If you are using their embeddable widget, then you have two options:
- Switch to the FundraiseUp hosted pages
- Invest in PCI scanning for the pages of your website that host the modal form. As FundraiseUp points out, these forms receive a much higher conversion rate, so it might be worth the investment.
How does a nonprofit organization become PCI Compliant?
Becoming PCI compliant involves a series of steps to meet PCI DSS. The level of compliance required depends on the merchant’s annual transaction volume. Here’s a general guide to help a merchant achieve PCI compliance:
Determine the Merchant Level
Merchants are categorized into levels based on their annual transaction volume. The level dictates the specific requirements and the validation process needed for compliance:
- Level 1: Over 6 million transactions annually.
- Level 2: Between 1 and 6 million transactions annually.
- Level 3: Between 20,000 and 1 million e-commerce transactions annually.
- Level 4: Fewer than 20,000 e-commerce transactions or fewer than 1 million total transactions annually.
Understand the PCI DSS Requirements
The PCI DSS includes 12 core security standards that all merchants must meet. These fall under the following categories:
- Build and maintain a secure network (e.g., using firewalls, secure passwords).
- Protect cardholder data (encrypt card data, secure storage).
- Maintain a vulnerability management program (regular updates, antivirus).
- Implement strong access control measures (restrict access to card data).
- Monitor and test networks (logging and auditing).
- Maintain an information security policy.
Complete a Self-Assessment Questionnaire (SAQ)
For most merchants (especially smaller ones), the process begins by completing a Self-Assessment Questionnaire (SAQ). The SAQ helps determine which specific PCI requirements apply based on how the merchant handles cardholder data (e.g., card-present or e-commerce transactions). There are different versions of the SAQ, so it’s important to choose the right one based on your business.
Undergo a Vulnerability Scan (if applicable)
If the business stores, processes, or transmits credit card data over the internet, it is typically required to have an approved scanning vendor (ASV) conduct quarterly vulnerability scans of the network and systems.
Complete Attestation of Compliance (AOC)
Once the SAQ and, if applicable, vulnerability scans are complete, the merchant must fill out an Attestation of Compliance (AOC) form. This form certifies that the merchant has met the necessary PCI DSS requirements.
Submit Documents to Acquiring Bank
The completed SAQ, AOC, and any vulnerability scan results must be submitted to the merchant’s acquiring bank or payment processor. The bank or processor is responsible for validating and verifying compliance.
Fix Any Security Gaps
If there are gaps or areas where the business is not compliant, it must address these issues. This could include improving network security, encrypting cardholder data, or strengthening access control measures.
Maintain Ongoing Compliance
PCI compliance is not a one-time event but an ongoing process. Merchants must continuously monitor their systems, perform vulnerability scans, and ensure they are following the required security practices. PCI compliance needs to be validated every year, and vulnerability scans are required quarterly for many merchants.
Implement Employee Training
Regular training for staff who handle credit card data is essential to ensure they are aware of PCI requirements and can help prevent breaches or fraud.
By following these steps, merchants can achieve PCI compliance, reducing the risk of security breaches and protecting cardholder data.
What Resources are there to help me?
Cornershop Creative
Cornershop Creative can help you evaluate your current needs, implement solutions to avoid compliance requirements or successfully pass requirements, and provide ongoing monitoring and remediation.
Our expert team of developers knows how to keep you secure. Contact us to start the discussion.
PCI Compliance Vendors
It’s always best to check with your payment processor to use a vendor that they approve of. Oftentimes, pricing is based on the number of pages you need scanned, so it’s important to reduce the number of pages that you’re collecting payments on.
The PCI Security Standards Council provides a list of approved vendors that can provide scanning.
Additional Resources
- PCI Security Standards Council
- PCI Guide to Safe Payments
- A Few Good Methods for Processing Credit Cards
- PCI Compliance for Nonprofits Guide
- PCI DSS Level 1: a must for nonprofit cybersecurity
- Neon One Free Nonprofit PCI Compliance Program
- PCI Compliance with SafeSave and SecurityMetrics
- The 12 Requirements of PCI DSS