PCI Compliance for Nonprofit Organizations: What You Need to Know

Payment security is not an IT nuisance to be tolerated. It is the foundation of donor stewardship: donors hand over card data on the assumption that you will protect it. PCI compliance matters for nonprofits because they are attractive targets. They handle a steady stream of card transactions but rarely have enterprise-grade security controls, so donor data held in nonprofit systems is at elevated risk of exposure in a breach.

Nonprofits faced a 35% increase in email-based cyberattacks in 2025 compared with the previous year. Good intentions and a noble cause do not protect your data from attackers. You need written security policies and the right nonprofit payment tools to protect sensitive cardholder data, above all the card number itself.

There is no such thing as an organization too small to be targeted; securing donor data matters for every nonprofit, regardless of its size or donation volume. Understanding PCI DSS compliance for nonprofit organizations is no longer optional; it is a structural necessity to understand the requirements and implement them. The goal of the standard is to protect cardholder data, and compliance is crucial to an organization's reputation because donor trust is lost the moment data an organization collected is leaked.

What is PCI Compliance, and Who Actually Needs It?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements that every organization that accepts, processes, stores, or transmits payment card data must meet to maintain a secure environment. In plain terms, PCI compliance is required of any organization that takes card payments in any way, whether online, over the phone, at an event, or by mail.

Most nonprofits assume they are exempt because they are small, tax-exempt, or low-volume. That is a misconception. You are required to be PCI compliant regardless of size, transaction volume, or tax status: every organization that accepts card payments must comply.

Think of PCI DSS as the house rules for card payments. The standard is published and maintained by the PCI Security Standards Council (PCI SSC), a body founded by the major card brands, including Visa, Mastercard, American Express, Discover, and JCB. The card brands and your acquiring bank enforce it through your merchant agreement, so non-compliance is a contractual problem with your bank before it is anything else. Understanding PCI compliance is therefore crucial, because falling short of PCI DSS can create major problems for your organization.

Why is PCI Compliance for Nonprofits Necessary?

PCI compliance is essential for every merchant, and especially for nonprofits, because they run on donor trust and loyalty. It is not a legal checkbox; it is a trust enabler and a risk management strategy for your organization.

Before a donor gives, they enter a psychological contract with your nonprofit: they hand over money, and their card details, because they trust you. If a breach leaks donor data, that is not just a technical failure; you have failed to protect the donor's sensitive information, and in the donor's mind the trust is gone. Neglecting PCI puts your nonprofit at higher risk of a breach and at risk of losing that trust.

Donor trust is an intangible currency that translates directly into donation revenue. But the cost of non-compliance is not limited to reputation. It has tangible consequences for your merchant account: acquiring banks can levy penalties, and the fines, forensic investigations, and card-reissuance costs that follow a breach can bankrupt a small nonprofit. Even if you survive the reputational and financial hits, there is an operational blow to follow: the acquirer can revoke your merchant account, which freezes your ability to accept card donations at all.

PCI DSS is a private industry standard enforced through your merchant agreement, not a federal law. That does not limit your exposure: if a breach occurs, you can still face lawsuits and obligations under data-breach notification and consumer-protection laws.

Anatomy of Donations: The Hidden Payment Risks

To identify the risks in your payment flow, you need to understand how donations typically reach a nonprofit. The most common transactions are card-present, where the card is physically dipped or tapped at a point-of-sale (POS) terminal at galas, fundraising events, or thrift shops. With chip (EMV) readers this is the lowest-fraud channel, because the terminal authenticates the card and no volunteer ever reads or types the card number.

Online and mobile giving are rapidly overtaking traditional methods. In 2024, 58% of online charitable giving in the US was received through digital channels. Online donation forms and web portals are the most popular ways to give online, and this channel is secure when the payment page itself is outsourced to a reputable, PCI-validated provider.

Other channels include mail order and telephone order (MOTO) donations, which are high-risk because a staff member or volunteer reads, writes down, or types the full card number, so the data passes through people and paper rather than a terminal. In-person events and galas may also use dip jars, card readers, or modern POS systems.

Giving, and with it fraud risk, is moving to digital channels. That makes it all the more important to comply with PCI DSS to protect the organization against fraud and chargebacks, which translate directly into operational losses.

Demystifying PCI Compliance Levels, SAQs, and The 12 PCI Compliance Rules

PCI Compliance Levels

PCI DSS classifies merchants into four levels based on annual card transaction volume, and each card brand defines the thresholds separately. The level does not change the requirements you must meet; it dictates how you prove compliance. Level 1 merchants need an on-site assessment and a Report on Compliance (ROC) from a Qualified Security Assessor (QSA); lower levels report through a Self-Assessment Questionnaire (SAQ), and every level submits an Attestation of Compliance (AOC) to its acquirer.

The majority of nonprofits fall into Level 4, which under Visa's definition means fewer than 20,000 e-commerce transactions per year and no more than 1 million total card transactions per year. Check with your acquirer which level your nonprofit falls into before starting an SAQ. Since this article covers nonprofits in general, we cover Level 4 in detail.

Level 4 means you largely self-manage compliance through an SAQ rather than paying for an external QSA assessment, which is usually expensive. Which SAQ you complete depends on how you accept payments and how much of the payment flow is outsourced; outsourcing the handling of card data results in a shorter questionnaire. A separate but related tip: make sure your payment provider registers your nonprofit under the correct Merchant Category Code (MCC 8398, charitable and social service organizations). The MCC does not change your SAQ, but it is what qualifies you for the discounted processing fees the card brands offer charities.

Outsourcing the payment page, for example through a hosted iframe supplied by your processor, pays off concretely. If the entire payment form is served by a PCI-validated third party and your own site never touches card data, you qualify for SAQ A, a few dozen questions at most, instead of SAQ D, which runs to several hundred. If your page loads the provider's JavaScript but the form is still part of your own site, you fall into SAQ A-EP, which is much longer, so how the form is embedded matters as much as who processes the payment.

There are 12 mandatory PCI DSS requirements that every organization accepting card payments must follow:

  • Install and maintain network security controls (firewalls) to protect cardholder data. They act as gatekeepers, blocking unauthorized traffic from reaching the systems that handle card data.
  • Do not use vendor-supplied defaults. Generic credentials such as admin or admin123 that ship with payment terminals, routers, or software must be changed before the system goes live, and every administrative and database account needs strong, unique credentials.
  • Protect stored cardholder data, and never retain sensitive authentication data such as the CVV after authorization.
  • Encrypt cardholder data before it is transmitted across open, public networks.
  • Protect all systems against malware and keep anti-virus software regularly updated.
  • Develop and maintain secure systems and applications, including patching the software behind your payment portal.
  • Restrict access to cardholder data to those with a business need to know.
  • Assign a unique ID to every person with access to your computer systems, so every action can be traced to an individual.
  • Restrict physical access to cardholder data, including paper records.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes, for example with vulnerability scans and penetration tests (these are security tests, not load or stress tests).
  • Maintain a policy that addresses information security for all personnel, volunteers included.

Common Compliance Mistakes Nonprofits Make

The biggest mistake, and the one that draws the most scrutiny, is cardholder data stored in plain, readable form. You may wonder who would do that, but PCI scope is not limited to deliberate non-compliance; negligence, even at the smallest scale, is penalized.

Suppose your nonprofit is hosting a gala. A donor hands a volunteer their card, but the volunteer cannot get the POS to work, so they take out a pen and write the card number down to carry to the main desk for logging. In that seemingly harmless moment the piece of paper has become cardholder data in scope: it must be protected, tracked, and securely destroyed once it is no longer needed (PCI DSS requirement 9). A scrap with a full card number left in a cash box or a volunteer's pocket is a violation and grounds for action against your nonprofit.

Your nonprofit must therefore take the rules seriously. Writing card numbers on paper, typing them into unprotected spreadsheets, and processing payments on unsecured personal devices at events are all violations of PCI DSS. Do not skip modern authentication such as 3-D Secure for online giving either; doing so exposes the organization to fraud and chargebacks.
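Finding the spreadsheets and exports that quietly hold full card numbers is the first step of a scope review. The following scanner is an added example written for this article, not code from the original page or from any PCI SSC tool: it walks a text export line by line, pulls out 13 to 19 digit runs (allowing the spaces or dashes people type), keeps only those that pass the Luhn checksum (so phone numbers and donor IDs are ignored), and reports each hit masked to the first six and last four digits, so the scan report does not itself become a new copy of cardholder data. The CSV export embedded below is constructed sample data using the well-known Visa and Mastercard test numbers; the column names are assumptions.

```python
"""Scan a text export for unmasked primary account numbers (PANs).

Added example: a cardholder-data discovery scan of the kind a nonprofit
would run over donor exports, shared drives or mailbox dumps before
filling in an SAQ. The sample export below is constructed test data.
"""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run (so a 20-digit reference number is skipped).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample export. Lines 2 and 3 contain real-format test card
# numbers (Luhn-valid); the receipt column holds Luhn-invalid 16-digit
# numbers, and the phone column is only 10 digits, so neither is flagged.
SAMPLE_EXPORT = """donor_id,name,phone,receipt,card,token
1001,Alice Example,555-123-4567,1234567890123456,4111 1111 1111 1111,tok_visa_4242
1002,Bob Example,555-987-6543,6543210987654321,5555-5555-5555-4444,tok_mc_4444
1003,Carol Example,555-000-1111,9999000011112222,,tok_amex_0005
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Every second digit from the right is doubled, digits above 9 have 9
    subtracted, and the sum must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, the maximum PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid PAN in the text, never the PAN itself."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(
                    {"line": line_no, "masked": mask_pan(digits), "length": len(digits)}
                )
    return findings


if __name__ == "__main__":
    for f in find_pans(SAMPLE_EXPORT):
        print(f"line {f['line']}: {f['masked']} ({f['length']} digits)")
```

Run it over any text you can export (CSV, mailbox dumps, helpdesk tickets) and every hit is a file that is now in PCI scope and has to be cleaned up or brought under the full set of controls. The Luhn check cuts false positives sharply but is not proof: a Luhn-valid run can still be a coincidence, so treat each finding as something to look at, not as an automatic verdict.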

Conclusion

Understanding PCI compliance is essential to avoid scrutiny, protect donor data, and keep organizational credibility. The cost of compliance can look like a large hit to operating cash, but set against the consequences of ignoring the standard, the gamble is not worth taking. Skimping on a minor SaaS subscription will not change your nonprofit's operations, while a single breach or failed compliance review can undo everything you have built. The loss of donor trust is by far the biggest loss of all.

PCI compliance is not a one-time checkbox; it is a continuous process that must hold at all times, not just on the day you sign the SAQ. The best way to limit exposure is to reduce scope by outsourcing card handling and to use modern authentication. Treat compliance as a trust signal to your donors, and meeting PCI DSS requirements becomes a by-product of good stewardship rather than a burden.

Frequently Asked Questions

  1. Do we need to be PCI compliant if we use third-party gateways?

    Yes. A third-party gateway greatly reduces your scope and shortens your SAQ, but it does not exempt you from PCI compliance. You still have to attest, and you remain responsible for the parts of the flow you control, such as the web page that embeds the payment form and the staff and volunteers who handle cards.

  2. What happens if a nonprofit is found to be non-compliant?

    In case of non-compliance, you may face consequences ranging from fines passed on by your acquiring bank to revocation of your merchant account, which freezes your ability to collect card donations.

  3. Can we store a donor’s credit card on file for recurring donations?

    Do not store card numbers yourself, and never store the CVV after authorization; PCI DSS prohibits retaining sensitive authentication data. For recurring donations, use a payment processor that tokenizes the card: the processor holds the card data and returns a token that you store and charge against, so your own systems never hold the number.

  4. Are we responsible if a volunteer takes a donation on an unsecured device?

    Yes. Volunteers act on behalf of your nonprofit, so anything they do with a donor's card is your responsibility. Any person or device that handles card data on your behalf is within your PCI scope.

  5. Does PCI compliance apply to bank transfers (ACH) or checks?

    No. PCI DSS covers payment cards of the participating brands (credit and debit); it does not apply to ACH transfers or checks. Bank account numbers still deserve protection under other obligations (NACHA rules for ACH and general data-protection law), but they are outside PCI scope.