3 Ways Your Nonprofit Can Prepare for PCI 3.0

Beginning January 1st, 2015, version 3.0 of the PCI Data Security Standards will go into effect. If you joined us for our webinar, “PCI 3.0 Nonprofit Impact,” you are already familiar with the ways in which your organization is likely to be impacted.

Below are three things you can do today to help you as you prepare for the upcoming changes:

Map Out Your Processing Methods

PCI 3.0 brings stricter requirements regarding the Service Providers used to help facilitate card payments. An organization that uses multiple processing methods will need to complete a questionnaire for each method, as opposed to the single questionnaire that previously addressed all methods. An example would be an organization whose website redirects to a donation page and that also accepts cards using a swipe terminal. In this case, it would need to complete both SAQ A and SAQ B. This change makes it critical to map out the ways in which you accept credit card payments: your processing methods.

A great way to do this is to use Microsoft Excel’s Shapes feature and diagram all your processing methods.  Insert shapes and then connect those shapes with lines to illustrate and map your various processing methods:


For example, you can start by inserting a shape and labeling it “Donor,” then break out all the different ways you allow donors to submit a credit card transaction (e.g., online, shopping cart, terminals, mobile device, over the phone, through the mail). Draw a new box for each of these methods and connect the “Donor” shape to each one using one of the shapes offered under the “Lines” section. The arrow makes the most sense, because it lets you see movement within your process map.

Next, outline what happens when the donor enters payment data into your website. Ask, “Who is hosting this payment page?” Then make a box for that company and connect it to your website flow. If you receive a pledge card in the mail or someone calls in to make a gift, ask, “What happens next? Where does this process fit within our map?”

The goal is to successfully complete your flow chart which outlines all processing methods, including all the Service Providers you are working with, following each processing method through to a completed transaction.

Talk to Your Service Providers

Once your processing methods are completely mapped out, you can use the map as a guide to connect with each of your Service Providers and confirm their PCI compliance. (Remember: Service Providers are those who store, transmit, or process card data.)

Reach out to each of them to start a conversation about their role in your payment processing. Determine what their interaction is with card data and clearly define the role they play in helping you accept payments. If they store, process, or transmit card data, be sure to let them know that their security impacts your ability to meet your PCI requirements and that you require documentation of their PCI compliance status.

CashLINQ is listed as a Level 1 PCI Compliant Service Provider on the Visa Global Registry of Service Providers as well as the MasterCard Compliant Service Provider List. These lists will prove helpful as you verify the compliance of the Service Providers you are working with.

Evaluate Your Business Processes

Evaluating your payment processes with the aid of your process map can help you pinpoint areas that may have placed you into a higher set of security standards. Choosing to maintain control over certain pieces of the card acceptance process can change your security requirements greatly.  This process will help you to make an informed decision as to whether to meet the higher requirement or alter your process in order to reduce the requirement.

Nonprofits, which often work with volunteers or a small IT staff, might experience difficulty meeting the higher requirements. While it can be a tough decision to change a card acceptance process, doing so could result in cost savings for your organization in addition to reducing your security requirements.

As you think ahead to PCI 3.0, reach out to us in the comments below and let us know how your nonprofit is preparing.