15 Donor Data Security and Privacy Questions

In today's online-obsessed world, data security is a major concern for donors and consumers alike. It's vital for nonprofit organizations to gather and store as much information as they possibly can to engage donors and prospective donors and ultimately to get them to give.

But in order for donors to provide that information, they must trust that your organization will use it appropriately — and that their data is safe and secure and their privacy is not violated. One slip-up or security breech and all credibility for your organization is lost.

How can your organization ensure data security and donor privacy? In the Association of Fundraising Professionals' book "Internet Management for Nonprofits: Strategies, Tools & Trade Secrets," authors Ted Hart, Steve MacLaughlin, James M. Greenfield and Philip H. Geier Jr. provide 15 questions to consider regarding donor data security in chapter 16, "12 Steps to Protect Your Organization and Donors from Fraud and Identity Theft" (Page 347):

1. Do your service providers have valid PCI DSS and PA-DSS certificates that are required today to process credit card transactions through payment applications?
2. Do all of your third-party suppliers and vendors that handle credit card transactions for you have valid PCI DSS or PA-DSS certificates?
3. How do you protect your donor's confidential data in your organization?
4. Are your organization's databases that store, transmit or process cardholder data encrypted to PCI DSS standards?
5. Who in your organization has access to sensitive donor information and cardholder data?
6. Is all cardholder data locked up, or is it left out so that unauthorized staff has access?
7. Do all people handling cardholder data have criminal and credit checks done as part of your hiring practices?
8. Is cardholder data processed, stored or transmitted on or between computers in your office or from call-center staff without proper encryption?
9. If cardholder data is stored, does it need to be?
10. How is cardholder data handled when collected by phone or in the field?
11. In times of disaster-relief campaigns, how is cardholder data transported between offices or collection offices?
12. How long do you store cardholder data?
13. Are your website and other applications coded to the security standards of the Open Web Application Security Project?
14. Do you have written security policies outlining procedures and processes?
15. Do you provide security education for all staff and volunteers?