Credit Card Processing Security
Posted on Wednesday, July 27, 2016
It is common for nonprofit organizations to accept credit card payments, either for program service fees or donations. In response to growing credit card fraud, the credit card industry has established the Payment Card Industry Data Security Standard (PCI DSS). The standard applies to all entities that store, process or transmit cardholder data and/or sensitive authentication data. If your nonprofit accepts credit cards, PCI DSS applies to your organization.
PCI DSS consists of twelve requirements grouped under six goals relating to cardholder security. One of the most important goals is protecting cardholder data. Cardholder data refers to any information printed on, processed, transmitted by or stored on a payment card. Entities accepting credit cards are expected to protect cardholder data from unauthorized use. Cardholder data should not be stored by the organization unless it is necessary to meet the organization’s business needs; some items, however, must never be stored after authorization. Access to data that may be stored should be restricted with passwords and encryption.
Items that may be stored:
- Primary account number
- Cardholder name
- Service code
- Expiration date
Items that are not permitted to be stored after authorization:
- Full track data (data stored on a card’s magnetic stripe or chip)
- CAV2/CVC2/CVV2/CID (3- or 4-digit value printed on the front or back of the card)
- PIN/PIN block (personal identification number entered by the cardholder during a transaction)
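The two lists above amount to a retention rule that can be enforced in code at the point where a transaction record is written to storage. The following is an added example, not code from the original post or from the PCI Security Standards Council: it drops the never-storable elements unconditionally, keeps permitted cardholder data only when the organization says it needs it, and offers a detection check that can be run over already-stored records. The field names (`pan`, `track2`, `cvv2`, `pin_block`, and so on) are constructed for illustration; real gateway payloads use their own names, and the retained primary account number still has to be protected at rest as the post describes.

```python
"""Post-authorization retention filter for card transaction records.

Added example (not from the original post). Field names are constructed
for illustration and must be mapped to the real payload's field names.
"""
from typing import Any

# Cardholder data elements the post lists as permitted to be stored.
PERMITTED_CARDHOLDER_FIELDS = frozenset(
    {"pan", "cardholder_name", "service_code", "expiry"}
)

# Sensitive authentication data the post lists as never storable after
# authorization: full track data, card verification code, PIN / PIN block.
PROHIBITED_FIELDS = frozenset(
    {"track1", "track2", "chip_data", "cvv2", "pin", "pin_block"}
)

# Constructed sample of what an authorization response might carry.
SAMPLE_AUTH_RESPONSE: dict[str, Any] = {
    "pan": "4111111111111111",          # test PAN, not a real card
    "cardholder_name": "A. Donor",
    "expiry": "12/29",
    "service_code": "201",
    "track2": "4111111111111111=29121012345678901234",  # constructed
    "cvv2": "123",
    "auth_code": "A1B2C3",
    "amount": "25.00",
}


def find_prohibited_fields(record: dict[str, Any]) -> list[str]:
    """Return the names of prohibited fields present (and non-empty) in a record.

    An empty list means the record is clean. Running this over stored
    records or log lines is a simple detection check for sensitive
    authentication data that should have been dropped.
    """
    return sorted(
        k for k, v in record.items()
        if k in PROHIBITED_FIELDS and v not in (None, "")
    )


def sanitize_for_storage(record: dict[str, Any], needed: set[str]) -> dict[str, Any]:
    """Build the version of an authorization record that may be persisted.

    - Prohibited fields are removed unconditionally.
    - Permitted cardholder fields are kept only if listed in `needed`
      (data minimization: store it only if the business needs it).
    - Other transaction metadata (auth code, amount) passes through.
    Raises ValueError if the caller asks to retain a prohibited field.
    """
    disallowed = needed & PROHIBITED_FIELDS
    if disallowed:
        raise ValueError(f"never storable after authorization: {sorted(disallowed)}")
    kept: dict[str, Any] = {}
    for k, v in record.items():
        if k in PROHIBITED_FIELDS:
            continue
        if k in PERMITTED_CARDHOLDER_FIELDS and k not in needed:
            continue
        kept[k] = v
    return kept


if __name__ == "__main__":
    print("prohibited present:", find_prohibited_fields(SAMPLE_AUTH_RESPONSE))
    stored = sanitize_for_storage(SAMPLE_AUTH_RESPONSE, needed={"pan", "expiry"})
    print("record to persist:", stored)
    print("prohibited after sanitizing:", find_prohibited_fields(stored))
```

The sanitizer is deliberately allow-listed on the cardholder side: a new field coming from the gateway is never retained just because nobody thought to block it. Encryption of the retained PAN and access control on the store are assumed to be handled by the storage layer, which is where the post's "passwords and encryption" requirement applies.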
Your organization could be assessed substantial fines if cardholder data is breached and your organization is not in compliance with PCI DSS.
To find out more about PCI Security Standards, visit the PCI Security Standards Council website.
Posted by: Carrie Minnich, CPA
Posted in Mission Minded Nonprofits
Disclaimer: The information contained in Dulin, Ward & DeWald’s blog is provided for general educational purposes only and should not be construed as financial or legal advice on any subject matter. Before taking any action based on this information, we strongly encourage you to consult competent legal, accounting or other professional advice about your specific situation. Questions on blog posts may be submitted to your DWD representative.