Nonprofit Payment Processing: 4 Tips to Keep Data Secure

With so much of our daily lives moving into cyberspace, online security is becoming a greater concern for individuals and all types of organizations. It’s a concern for good reason!

Cybersecurity should be discussed more frequently in order to fully understand it and prevent attacks on nonprofit organizations. 

If you’re unaware of the dangers out there, you run major organizational risks. A breach in security can completely ruin the trust your donors have in your organization to keep their data and contributions safe. If you lose enough support, a breach can cause the end of your organization.

As you can see, security is something to take very seriously. However, there are many different aspects that you can focus on. Here, we’re going to touch on one particular aspect of security that nonprofits tend to (erroneously) ignore: payment processing.

This guide will go through what nonprofits need to understand to keep their donor’s payment information safe and strategies to keep data secure. We’ll touch on the following tips:

1. Understand the basics of nonprofit payment processing 
2. Look for PCI-certified technology
3. Know the cyber-safety vocabulary 
4. Don’t compromise on security 

Ready to dive in and learn more about payment processing and the safety tips your nonprofit should keep in mind? Let’s get started.

Credit: CharityEngine

1. Understand the Basics

Payment processing is essentially the path that information and funds take between the time the funds are contributed by your donor until it reaches your nonprofit’s bank account.

The first step to being better prepared for payment processing security is to understand the process and how it works. The process looks like this:

Credit: CharityEngine

• First, your nonprofit’s donor gives online via an online donation tool.
• Next, the payment is sent to a third-party processor.
• Then, the payment is sent to a merchant account.
• Finally, the payment is transferred to your nonprofit’s bank account.

Let’s dive a little deeper into each step:

Your donor gives via an online donation tool.

The best online fundraising software solutions are those that are customizable to create a cohesive experience for your donor. The online donation tool should streamline the donation process, not make it more complicated.

The payment is sent to a third-party processor. 

Behind the scenes, many of the donation tools out there use a third-party to process the donations. These processors usually specialize in the safety and security of the donation information. However, many nonprofits don’t research adequately to learn about which processor their donation tool uses.

The payment is sent to a merchant account. 

A merchant account is an in-between account used to hold donor funds before they’re added to your nonprofit’s bank account. This allows parties and funds to be verified before they’re moved forward in the donation process.

Dedicated payment processors use a single merchant account per client. This means your nonprofit would have its own dedicated merchant account. However, aggregators like Paypal, a very popular donation tool, use a single merchant account for multiple clients.

The payment is transferred to your nonprofit’s bank account. 

From the merchant account, the payment is securely sent to your nonprofit’s bank account. From there, you can allocate the funding to the proper budgetary funds at your organization.

Credit: CharityEngine

2. Look for PCI-Certified Tech

When you start researching different payment processors, there will likely be a lot of jargon you run into about your processing system’s safety precautions. As you research how to protect your nonprofit from carding attacks, you’re almost certain to run across the phrases PCI-compliant or PCI-certified.

The better of the two is, without a doubt, PCI-certified.

When your nonprofit uses PCI-compliant technology, it means the provider has completed a self-evaluation to ensure firewalls, vulnerability management programs and security qualifications are installed and up and running.

However, when you use PCI-certified technology, this means the provider has spent six months ensuring the security of the software, verified by a qualified security assessor. The tech has been examined to see if there are any development flaws or gaps in the training process of the developers.

In addition to ensuring PCI-certified technology, you need to look for any weaknesses in your own systems that could lead to breaches of payment security. For example:

• Saving payment data manually in a non-encrypted source. For example, if your donor database is not integrated with your donation pages, you could erroneously choose to save that data manually in an unsafe manner. 
• Creating subpar passwords to protect any online or cloud-based systems. Make sure that if you use a password, it’s unique, long and up to the ideal standards. 

Look to make sure every aspect of your donor management system (from your donation tools, to your payment processor, to your CRM) are all up to date. This article provides examples of software solutions that are secure and will help maintain the integrity of your nonprofit.

Credit: CharityEngine

3. Know the Other Safety Vocabulary

When it comes to looking for safe payment processing solutions, nonprofit staff members are rarely experts. After all, you got involved in the nonprofit industry to help others and make a difference in the world, not to become an expert in cybersecurity.

However, you should know the common cybersecurity key terms so that you have a better understanding of the discussion surrounding it. This will help when it’s time to ask your potential software vendors about their own safety measures.

Some of the definitions you should keep in your back pocket include:

• Tokenization. This is a safety measure taken for secure data information in which the sensitive data is substituted for random non-sensitive equivalents. The mapping of this information is then stored in a database. 
• Encryption. This is another safety measure taken to secure data in which the sensitive data is mathematically transformed into ciphertext. Encryption uses an algorithm and a key to read the data. 
• VPN. A virtual private network (or VPN) uses a data tunnel to hide your internet protocol address, ensuring your online activity is secure and untraceable. 
• Cyber disaster recovery plan. Your nonprofit software provider should have a cyber disaster recovery plan in case of a calamity. The goal of this plan is to maintain the safety of critical systems and data while maintaining the flow of business. 
• Breach notification plan. Ask your vendors about their notification plan regarding data breaches. You should make sure your nonprofit will be aware of any such issues. Then, create a breach notification plan for your own nonprofit so that you know what to do in an emergency too. 

Simply understanding the discussion around cybersecurity can help tremendously when it’s time to choose a payment processor for your nonprofit (or any software for that matter!). With this vocab in your back pocket, not only will you know the right questions to ask, but you also can have an insightful conversation about security with your partners in the software space.

Credit: CharityEngine

4. Don’t Compromise on Security

When your nonprofit is choosing new software, you’ve probably heard the proper steps to take. Comprehensive nonprofit software guides explain that you need to:

• First, establish your priorities for the software. 
• Then, conduct research to see what solutions will fill those priorities.
• Finally, invest in the best solution for your nonprofit. 

No matter your nonprofit, security should be one of your top priorities when investing in new software. 

Don’t compromise on this important aspect of software investment! Once you know your software is secure, you need to create a security plan for your nonprofit  to limit the accessibility of sensitive information to only the necessary eyes.

You may be saying, “I trust my team, so why shouldn’t I give them access to everything in our software systems?” This is a common misconception when it comes to data security considerations. It’s great that you trust your team, but we’re all human and we all make mistakes.

The more people who have access to sensitive information, the more likely it is that mistakes will occur. Plus, if, heaven forbid, you have a breach in security, you can track down the issue much faster when you limit the team members with access to said information.

If you’ve outsourced services, particularly accounting services, you should make sure to ask how those accountants also plan to keep your data safe. Jitasa’s nonprofit accountant explanation guide explains that accountants can help prevent detrimental mistakes, but it shouldn’t be at the expense of cybersecurity.

As long as you ask a lot of questions before outsourcing services, your nonprofit should be in tip-top shape when it comes to security.

Wrapping Up

The steps to ensuring safe payment processing and safe data storage include the following:

1. Education. Learn as much as you can about the subject of data security and make sure you know the insightful questions to ask on the topic. 
2. Invest in secure providers. Make sure your software providers and outsourced services follow strict protocols when it comes to security and they have the best plans in place in case of a disaster. 
3. Create plans for your nonprofit. Make sure you have a written understanding of the flow of sensitive information at your organization. Create disaster plans and breach protocols so that you know what to do in case of an emergency. 

The safety of donor information is vital for your nonprofit. Data breaches can cause a lack of trust in your donors that can hurt (or destroy) your nonprofit. Make sure you’re taking the necessary steps to ensure security and maintain trust.