Net Gain: Playing It Safe
“Hi, this is Heather from Charity A. I’m calling because last night our offices were broken into, and we’re convening a special board meeting to address a very serious concern.
“Our computers were stolen. All of our donor information, including constituents’ credit and bank card numbers, was in our database and on the hard drives. We’ve contacted the bank to ask how to proceed under the new laws, but we still need to alert our donors. We also want to discuss the possible fall-out we could experience from supporters, and future reluctance to donate to our organization. Can you be at our offices in an hour?”
Although this story is fictional, the threat is real. Identity-theft criminals are targeting not only large for-profit businesses, but also unsuspecting smaller businesses and nonprofit organizations.
Accepting credit cards is serious business. The card brands, including MasterCard and Visa, have adopted the Payment Card Industry Data Security Standard (PCI DSS), which applies to every organization that stores, processes or transmits cardholder data, regardless of its size or tax status. The requirements are the same for everyone; what changes with the number of credit or debit card transactions you process each year is how you must validate compliance, from a self-assessment questionnaire for small merchants to an on-site assessment for the largest. Organizations that aren’t compliant risk fines and serious penalties, not to mention a drastic decline in donor acquisition and retention.
In this day and age, accepting credit or debit cards either on- or offline is a must. It gives your organization credibility, offers donors a convenient way to give and usually results in larger donations.
But you don’t want to be caught in a situation like Charity A. What proactive steps can your organization take to safeguard donors’ sensitive data?
Avoid storing confidential donor data.
The simplest way to be compliant is to not have the data to begin with. Nevertheless, you will have situations where you’ll be given credit card information. Direct-mail campaigns, special events, recurring giving programs and board pledges are just a few examples. If you receive credit card numbers on a reply envelope, pledge form or at an event, ensure the document is shredded once the donation is processed. By keeping the information out of your databases, computers and files, you’ll help prevent sensitive data from being compromised.
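Card numbers that were never meant to be stored still turn up in free-text fields: gift notes, event spreadsheets, volunteer comments. As an added example (not part of the original article), the Python below scans such text for card numbers, using a digit-run pattern plus the Luhn check that every major card brand’s numbers satisfy so that phone numbers and donor IDs are not flagged, and shows the masked form (last four digits only) that a record may keep. The notes and record IDs are constructed; the card numbers are the brands’ published test numbers.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes, the way
# donors write card numbers on reply envelopes and volunteers type them into notes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check that every major card brand's numbers satisfy.

    Rejects most look-alike digit runs (donor IDs, phone numbers) that the
    regex alone would flag.
    """
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a donor record should retain."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _normalize(match: re.Match) -> str:
    """Strip the spaces and dashes from a matched digit run."""
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in free text (unmasked, for triage)."""
    return [d for d in (_normalize(m) for m in _CANDIDATE.finditer(text)) if luhn_valid(d)]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = _normalize(m)
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


def scan_records(records: dict[str, str]) -> dict[str, list[str]]:
    """Map each record ID whose text contains card numbers to their masked forms."""
    hits = {}
    for record_id, text in records.items():
        pans = find_pans(text)
        if pans:
            hits[record_id] = [mask_pan(p) for p in pans]
    return hits


# Constructed sample: gift notes a volunteer might have typed after an event.
SAMPLE_NOTES = {
    "gift-1042": "Pledge from J. Smith, Visa 4111 1111 1111 1111 exp 05/09. Call back at 555-0100.",
    "gift-1043": "Auction lot 17 paid by MC 5555-5555-5555-4444, receipt mailed.",
    "gift-1044": "Matching gift, employer ID 1234567890123, no card taken.",
}

if __name__ == "__main__":
    for rid, masked in scan_records(SAMPLE_NOTES).items():
        print(f"{rid}: card number(s) stored in notes -> {', '.join(masked)}")
    print(redact(SAMPLE_NOTES["gift-1042"]))
```

Run it against an export of your notes and comment fields before an assessment; anything it reports is cardholder data your organization is storing. The pattern is deliberately simple and will miss numbers split across fields or written with other separators, so treat a clean run as a starting point, not proof.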
Use a reputable, third-party payment-processing solution.
In order to accept credit cards, you’ll contract with a third-party payment processing company either directly or through your bank. Some companies offer online donation processing, terminal services (swiping credit cards as in retail stores) and/or authorization via telephone — and some do it all. It’s important to find a reputable third-party service that can manage all of the various ways you envision processing credit cards.
As you are evaluating companies, ensure the company is not only PCI compliant, but also that credit card information is not given back to your organization in any electronic format for donor-management purposes. Also, does the vendor offer options for transferring historical data out of your system or database and into its protected vault?
Look for payment-solution companies that offer seamless integration into various donor-management systems and that use a token, an alias or unique identifier issued by the processor, to process the donation instead of transmitting the card number itself. The token has no value outside the processor’s vault, so it can be kept in your records for recurring gifts, refunds and pledge tracking without putting cardholder data on your system. This only keeps your organization out of scope, though, if the card number goes straight to the processor; a number typed into your own system and tokenized afterwards has already passed through it.
Be sure the donor-management systems have encryption.
If you find that you need to store credit card information in your donor-management system, ensure the card numbers are encrypted with keys kept separate from the data and protected according to PCI DSS, and that the three- or four-digit security code (CVV/CVC) and full magnetic-stripe contents are never stored at all, even encrypted; the standard forbids keeping them after authorization. Again, the best case is to not store any sensitive data on your computers. As you evaluate various donor-management software options, ask the vendors how credit card information is stored and secured, and how the system integrates with your credit card processing solution, as part of your “features and functionality” checklist.
Encourage donors to use your secure, online donation system.
If you have a reliable, third-party payment-processing company — one that can create secure payment portals on your Web site for online gifts, ticket sales, auction bids and shopping carts — encourage donors to use it.
Tell donors how to confirm that they are on a secure form: the address begins with https://, the browser shows its padlock, and the address belongs to your organization or your payment processor. A “secure site” graphic placed on the page itself proves nothing, since anyone can copy it. Always give contact information where a donor can get questions answered.
By having a way for donors to enter their information and submit it directly to the payment-processing company, you prevent your organization from obtaining the sensitive information in the first place.
Allow only authorized personnel to deal with monetary transactions.
If your organization comes into contact with or possession of donors’ credit or bank account information, ensure that the information and transactions are handled only by authorized personnel.
This especially is true for events with numerous volunteers playing various roles, from registration to selling tickets to securing sponsorships. If attendees or donors want to use their credit cards, ask volunteers to direct the donors to the authorized personnel on hand.
Create, enforce and make available an information-security policy.
A documented information-security policy is only the first step to protecting donors’ sensitive data. Your organization also needs to have a champion of the policy to ensure it is enforced, as well as to help educate all staff, volunteers and donors on the measures your organization has taken to safeguard donor information.
By making your full or summarized policy available on your Web site and during fundraising activities, you can demonstrate your stewardship and responsibility, and even create additional opportunities for increased donations.
Heather Burton is a marketing manager for nonprofit solutions at Sage Software.