Dealing with PCI DSS Compliance Without Losing Your Sanity (or your entire IT budget) July 6, 2010
Posted by charitysolutions in charities, charity computers, charity IT, General, PCI DSS, Uncategorized. Tags: PCI compliance, PCI DSS
In our last post we explained that if your charity takes credit cards (either directly or via a third-party website where donations are taken under your merchant account) you need to sort out your PCI DSS compliance.
The number and size of the hoops you need to jump through depends on the number of credit card transactions you process. So if you are a small charity taking relatively few credit card payments, you won’t have to meet the same high-cost audit requirements as the huge retail organisations. Here is a very brief summary of the criteria you need to meet:
Level 1 – If you take over 6 million transactions a year, or your data has previously been compromised
- Annual Onsite Security Audit – either reviewed by a specially qualified adviser or (by prior agreement with your merchant provider) an Internal Audit signed by an officer of the company
- Quarterly network security scan by an Approved Scanning Vendor (ASV)
Level 2 – If you take 1,000,000 to 6 million transactions a year
- Annual Self Assessment Questionnaire
- Quarterly Scan by an Approved Scanning Vendor (ASV)
Level 3 – If you take 20,000 to 1,000,000 transactions a year
- Quarterly Scan by an Approved Scanning Vendor (ASV)
- Annual Self Assessment Questionnaire
Level 4 – If you take less than 20,000 transactions
- Annual Self Assessment Questionnaire
- Possible Quarterly Scan by an Approved Scanning Vendor (depends on your merchant provider’s specific requirements)
As you can see from the list above, even though PCI DSS is (supposedly at least) an agreed standard, its interpretation depends on your specific merchant provider – so you need to double-check with them as to the exact requirements your charity needs to meet.
If you are not an IT compliance expert, the whole Self Assessment Questionnaire and Quarterly Scan thing can appear incredibly scary and time consuming.
There are a number of qualified experts out there (Qualified Security Assessors, or QSAs) who can help, and if you take enough credit card transactions to need to meet the higher-level criteria you are probably going to want to ask for their help, but (due to the training, certification and insurance requirements they themselves need to maintain) their services are not particularly cheap. So for smaller organisations, a DIY approach, probably with help from your internal or external IT experts, is going to be the most likely route to take.
As well as consulting your IT experts, there are a number of organisations who provide “fill in the gaps” type toolkits to help you complete your PCI DSS requirements with the minimum of pain, and a number of organisations who can provide those quarterly scans for a relatively low charge. Here are a couple we have looked at; an internet search will no doubt yield a lot more:
- IT Governance PCI Toolkit - A specially designed toolkit to help payment card-accepting organisations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2), containing a full set of documentation templates for all the mandatory PCI DSS policies.
- IT Governance ASV Scanning Service - Provides a fixed yearly contract service for scans by an Approved Scanning Vendor based on the number of external IP addresses to be scanned – prices (at time of writing) from £165 for a one-year contract for 10 scans per quarter across up to 5 IP addresses
Just to be clear, some of the links above are affiliate links – which means you get the same price (and discounts) as anyone else visiting the destination websites directly, but if you do choose to buy, the website owners pay us a small commission for letting you know about them. But regardless of whether they pay us or not, we would still be telling you about this because we know how much of a pain PCI compliance is for a lot of charities and we think these products can really help.