
PCI-DSS for charities: securing your online fundraising

Understanding PCI DSS: protecting donor data and online donations

PCI DSS stands for Payment Card Industry Data Security Standard. It is an international security standard created by the major payment card networks — Visa, Mastercard, American Express, Discover, and JCB — to protect cardholder data and reduce fraud.

The PCI DSS standard defines a set of security rules and technical as well as organisational requirements that apply to any organisation that stores, processes, or transmits payment card data. Its goal is to protect donors from fraud and data leaks, and to ensure a high level of trust in online payments.

It therefore applies to any entity that accepts card payments, including nonprofits when they collect online donations. For charities, this standard is especially important: whenever you manage online giving or run fundraising campaigns, you are handling sensitive donor information. Failure to comply with this standard may expose an organisation to financial risks (fines, additional fees) as well as a loss of trust from donors.

A brief history of PCI-DSS

  • 2004

    The first foundations of the standard were laid by Visa, MasterCard, Amex, JCB, and Discover.

  • 2006 (v1.0)

    The PCI Security Standards Council (PCI SSC) was created. The first official set of 12 security requirements was introduced.

  • 2010 (v2.0)

    The standard evolved to address new risks and threats, as well as the development of new technologies.

  • 2013 (v3.0)

    This version introduced the concept of security as a continuous process. It reinforced control and management of access, vulnerabilities, and third-party providers.

  • 2022 (v4.0)

    The transition from version 3 to version 4 emphasised the need for ongoing security processes, with a stronger focus on cloud-related risks. This major update also mandated multi-factor authentication and TLS 1.2+ encryption.

  • 2024

    Certain complex aspects of the standard were clarified. Version 4 became the reference, with some new requirements being phased in gradually until 2025.

6 PCI DSS principles to keep your online donations safe

The PCI DSS standard is divided into six main principles, each with associated requirements (12 in total). These principles structure the standard and define practical, detailed rules to achieve compliance.

Each principle (objective) is listed below with its associated requirements.

Principle 1: Build and maintain a secure network and systems

Ensure your website, charity fundraising platforms and donation tools are protected (firewalls, SSL certificates). Manage password security.

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security settings.

Principle 2: Protect cardholder data

Never store card details. Entrust processing to a certified provider and use secure connections (HTTPS).

  • Requirement 3: Protect stored cardholder data (and do not store card numbers yourself).

  • Requirement 4: Encrypt transmission of cardholder data across open, public networks. All your donation forms and online fundraising pages must use HTTPS.

Principle 3: Maintain a vulnerability management program

Identify and address security flaws. Regularly update software, CMS, and plugins. Install antivirus to reduce intrusion or hacking risks.

  • Requirement 5: Use and regularly update antivirus software.

  • Requirement 6: Develop and maintain secure systems and applications.

Principle 4: Implement strong access control measures

Control who has access to data and limit access to donation tools and sensitive information to those who need it. Create secure individual accounts.

  • Requirement 7: Restrict access to data by business need-to-know.

  • Requirement 8: Assign a unique ID to each person with computer access.

  • Requirement 9: Restrict physical access to cardholder data.

Principle 5: Regularly monitor and test networks

Check connections and suspicious activities regularly. Periodically test your entire donation process to ensure it works securely.

  • Requirement 10: Track and monitor all access to network resources and cardholder data (e.g., monitoring back-office logins and detecting suspicious behaviour).

  • Requirement 11: Regularly test security systems and processes.

Principle 6: Maintain an information security policy

Set simple rules (passwords, email awareness) and train staff, volunteers, and employees in best practices. For example, it is forbidden to collect card data manually from a cardholder.

  • Requirement 12: Maintain a policy that addresses information security for all personnel.
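Requirement 3 says a charity should never hold card numbers itself, yet full PANs often leak into application or web-server logs by accident. The following added example (not code from the original article or from iRaiser) shows a simple compliance check: it scans constructed log lines for card-number-shaped digit runs, uses the Luhn check to separate real PANs from look-alike order ids, and masks them to first six/last four before the line is retained.

```python
import re

# A run of 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines (not real donor data). The card numbers
# are the public Visa and Mastercard test numbers, never live PANs.
SAMPLE_LOG_LINES = [
    "2024-05-01 10:02:11 donate form submitted pan=4111 1111 1111 1111 amount=25",
    "2024-05-01 10:02:12 psp callback pan=5500000000000004 status=ok",
    "2024-05-01 10:02:13 receipt sent order=1234567890123456",
]


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the first 6 and last 4 digits, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Mask every Luhn-valid PAN in one log line; return (clean_line, number_masked)."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number, e.g. an order id
        count += 1
        return mask_pan(digits)

    return PAN_PATTERN.sub(repl, line), count


def audit_logs(lines):
    """Scrub a batch of lines; return (clean_lines, total PANs found) for reporting."""
    results = [scrub_line(line) for line in lines]
    return [clean for clean, _ in results], sum(n for _, n in results)
```

A non-zero count from audit_logs is a compliance finding in itself: the fix is to stop the application logging the field, not merely to scrub it afterwards.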


Key takeaways for secure online fundraising

  • Any organisation that accepts card payments (e-commerce site, nonprofit raising funds online, ticketing provider, etc.) must ensure PCI DSS compliance.

  • The level of certification depends on the annual transaction volume. For charities with high volumes of online donations, stricter controls are required to ensure data is fully protected.

  • iRaiser offers its clients an integrated payment solution — the iRaiser Payment System — to manage all aspects of payment processing. It streamlines the donation process, optimises conversion rates, and reduces failed payments, while providing detailed financial management insights. To meet security requirements, we work with a wide range of certified payment providers to ensure donations are processed securely, reliably, and efficiently.

PCI DSS compliance is only one piece of the puzzle when it comes to protecting your donors and securing your online fundraising. Beyond payment data, nonprofits also face broader risks related to cyber attacks, phishing, and data breaches. To go further, explore our step-by-step guide article: Cyber security: Best practices to protect your organisation.
