PCI 4.0 is Coming. Is Your Nonprofit Ready?

For more than 20 years, the Payment Card Industry Data Security Standard (PCI DSS) has been mandated by major credit card brands to better control cardholder data, keep donor data safe, and reduce credit card fraud. Nonprofits accepting donations have adhered to all requirements as they’ve evolved.
Over the past few years, there’s been a slow rollout of the most recent updates: PCI DSS 4.0. By March 31, 2025, they will be mandatory, and nonprofits must comply with the new regulations. These changes are in response to increased cyberattacks stealing credit card data.
Understandably, the changes have nonprofits wondering exactly what they need to do to check the right boxes and remain compliant.
The first regulation to note regards donation forms. This compliance requirement will apply to all nonprofits using embedded forms on their websites.
After the forms, compliance requirements are split into two groups: those nonprofits that don’t store or process credit card data, and those that do.
- Nonprofits that do not process credit cards or store credit card data in-house likely lean on CRM and payment processing vendors to provide services. They don’t have a heavy compliance burden.
- A smaller group of nonprofits process credit cards in-house or store credit card data. Those organizations will have a more extensive to-do list.
We will examine the impact of PCI 4.0 on each of those groups. But first, there’s one aspect of these new guidelines that applies to nearly every nonprofit. If you have a donation form on your website, this is must-know information.
A Word on Donation Forms
When a supporter clicks on your “Donate” button, what happens? Chances are good it’s one of two things:
- An embedded form appears, or a form pops up, right on the website
- The donor is redirected to a new hosted webpage with a donation form
It’s likely that the donor experience is better when an embedded form pops up and the donation is easy. However, PCI 4.0 brings a level of responsibility to nonprofits using embedded forms.
Plainly put, if your nonprofit uses embedded donation forms, you are now responsible for the PCI compliance of the web pages on which the forms appear.
The form itself isn’t your responsibility; that falls on the payment processor. However, the other scripts running on the page, e.g. Google Analytics running on your donation page, are in scope for PCI compliance, and it’s your nonprofit’s responsibility to prove that compliance.
The change was precipitated by bad actors manipulating the scripts on pages that house payment forms to steal credit card information, as in web skimming attacks.
Which pages will you need to monitor? Only those where an embedded donation form appears. For many nonprofits, that simply means the donation page. But if, for example, there’s a pop-up form on your home page, that’s included.
If you choose to keep embedded forms, there are some processes you’ll need to implement:
- Nonprofits will be required to keep written documentation for every script on website pages that embed a donation form. This will likely be an inventory of the scripts running on those pages and a justification for each.
- Your organization must develop and implement a change management and detection process.
- Performing security scans on your website and fixing vulnerabilities will be critical.
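The inventory and change-detection process in the list above, as an added example (not code from the original post or from CharityEngine): a Python check that compares the scripts found on a donation page with a written inventory and flags anything unlisted, changed or missing. The page HTML, the script bodies and the inventory are constructed for the example; a real deployment would fetch the live page and each script body instead.

```python
import hashlib
from html.parser import HTMLParser
sha256 = lambda text: hashlib.sha256(text.encode()).hexdigest()

# Constructed baseline (not a real inventory): each script's body as reviewed, plus its justification.
APPROVED = {
    "https://pay.example/embed.js": ("window.PayForm={mount(){}};", "Processor's form embed"),
    "https://analytics.example/ga.js": ("window.ga=function(){};", "Web analytics"),
    "inline#1": ("document.body.classList.add('js');", "Feature detection"),
}
INVENTORY = {k: {"sha256": sha256(b), "why": w} for k, (b, w) in APPROVED.items()}

class ScriptCollector(HTMLParser):
    """Collect (key, inline_body) per <script> in page order; inline scripts are keyed by position."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script": return
        src = dict(attrs).get("src")
        if src: self.scripts.append((src, None))   # external: body fetched later
        else: self._buf = ""                        # inline: start buffering
    def handle_data(self, data):
        if self._buf is not None: self._buf += data
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            n = 1 + sum(b is not None for _, b in self.scripts)
            self.scripts.append((f"inline#{n}", self._buf.strip())); self._buf = None

def audit_page(html, fetched, inventory):
    """Findings: UNLISTED (not in inventory), MODIFIED (hash differs), MISSING (inventoried but absent)."""
    p = ScriptCollector(); p.feed(html)
    findings, seen = [], set()
    for key, body in p.scripts:
        seen.add(key)
        body = fetched.get(key, "") if body is None else body
        if key not in inventory: findings.append(("UNLISTED", key))
        elif sha256(body) != inventory[key]["sha256"]: findings.append(("MODIFIED", key))
    return findings + [("MISSING", k) for k in inventory if k not in seen]

# Constructed live page and fetched bodies: ga.js changed since review, and an unknown script appeared.
LIVE_HTML = """<html><head>
<script src="https://analytics.example/ga.js"></script>
<script>document.body.classList.add('js');</script>
<script src="https://pay.example/embed.js"></script>
<script src="https://cdn.example/unknown.js"></script></head><body><div id="donate"></div></body></html>"""
LIVE_FETCHED = {
    "https://analytics.example/ga.js": "window.ga=function(){};/* changed */",
    "https://pay.example/embed.js": "window.PayForm={mount(){}};",
    "https://cdn.example/unknown.js": "console.log('who added me?');",
}
```

Running `audit_page(LIVE_HTML, LIVE_FETCHED, INVENTORY)` reports the altered analytics script and the unlisted one; a finding of either kind is what the change-management process has to route to a reviewer.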
Risks include hefty fines and legal fees, or worse, data breaches and loss of revenue and donor trust.
This does not mean nonprofits should avoid embedded forms. It does mean they should accept the responsibility of compliance and understand that the improved donor experience requires added attention to data security. Nonprofits can complete Self-Assessment Questionnaire A (SAQ A) from PCI DSS to help them remain compliant.
If your nonprofit wants to avoid this compliance risk, ask your payment processor to use a redirect. This means the “donate” button sends the user to another site hosted by your payment processor, and all PCI compliance responsibility will rest with them.
Now let’s look at what additional information those two groups of nonprofits need to know.
Nonprofits That Use a CRM or Payment Processor
Good news! Your fundraising software and payment processing vendors are responsible for the majority of the changes. However, there are a few key changes you will have to implement before March 31.
1. Stronger Authentication Requirements
This requirement will strengthen the security of all systems (laptops, desktops, web applications, servers, software-as-a-service) by tightening access. There are three measures nonprofits must take:
- Implement Multi-Factor Authentication, or MFA, for logins to access credit card data. This might mean you need to enter a code sent to your email or cell phone to log in.
- Change system passwords to a minimum length of 12 characters, unless your system won’t allow it. This applies to passwords allowing you to access any system that contains cardholder data and payment processing systems.
- Set stronger monitoring practices, such as watching for suspicious logins or locking accounts after too many failed password attempts.
These changes make it harder for cybercriminals to break into systems that can access donor data.
2. More Frequent Trainings and Awareness
This requirement aims to do two things: clarify who does what when it comes to data security and ensure your staff is trained to spot fraud.
Consider a Service Provider Responsibility Matrix, in which you and your vendors define who is responsible for each aspect of protecting donor data. Adhering to these defined roles prevents tasks from falling through the cracks because everyone thought someone else was handling them.
Train your staff to identify threats. This can mean teaching them about phishing emails and social engineering attacks, or ensuring they won’t click on unknown links or share sensitive data such as passwords.
And that’s it! If you aren’t storing data or processing payments, that’s how you can remain compliant when PCI 4.0 is mandatory.
Nonprofits That Store Credit Card Data
This is a much smaller number of organizations, but if you fall into this category, you have additional responsibilities to stay compliant. We will describe them briefly here, but if you’d like more information, review this comprehensive article on PCI 4.0.
If you process payments or store credit card data, you must adhere to the authentication and training requirements. You need a PCI assessment; the SAQ A form isn’t adequate.
There are a few more points you’ll want to review. You might need to do a deeper dive into them, but we will cover them in broad terms.
1. More Flexibility in Security Compliance
- Nonprofits handling credit card data, and their vendors, now have more flexibility in proving compliance. If you can prove equivalent protection, it will count.
- Similarly, you can define risk-based penetration testing intervals to check for compliance in a way that fits your organization.
2. Increased Focus on Security Monitoring
- Test controls more frequently to ensure network security.
- Employ AI-based threat detection in security monitoring and vulnerability testing.
3. Expanded Encryption and Data Protection Measures
- Use Transport Layer Security (TLS) version 1.2 or higher for encrypting payment data in transit.
- Apply modern encryption techniques to protect stored cardholder data.
4. Enhanced E-Commerce and Web Security
- Use stronger web application protections, such as Web Application Firewalls (WAFs) and automated security scanning to detect vulnerabilities.
- Implement secure software development practices.
5. Increased Security Logging
- Log granular details about access to sensitive data and system activity.
- Automate log reviews in your system or implement centralized logging solutions to detect threats faster.
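The failed-login monitoring from the authentication section above (locking accounts after too many failed attempts, watching for suspicious logins) and the automated log review in this list, as one added example that is not from the original post or its author: a Python review of constructed authentication log lines that reports accounts reaching the lockout threshold and successful logins that follow a burst of failures. The log line format is this example's own assumption, not any vendor's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (this example's own): "<ISO time> LOGIN OK|FAIL user=<u> ip=<ip>".
LINE = re.compile(r"^(\S+) LOGIN (OK|FAIL) user=(\S+) ip=(\S+)$")

SAMPLE_LOG = """\
2025-03-01T09:00:01Z LOGIN FAIL user=alice ip=203.0.113.5
2025-03-01T09:00:03Z LOGIN FAIL user=alice ip=203.0.113.5
2025-03-01T09:00:05Z LOGIN FAIL user=alice ip=203.0.113.5
2025-03-01T09:00:07Z LOGIN FAIL user=alice ip=203.0.113.5
2025-03-01T09:00:09Z LOGIN FAIL user=alice ip=203.0.113.5
2025-03-01T09:01:00Z LOGIN FAIL user=bob ip=198.51.100.7
2025-03-01T09:01:02Z LOGIN FAIL user=bob ip=198.51.100.7
2025-03-01T09:01:04Z LOGIN FAIL user=bob ip=198.51.100.7
2025-03-01T09:01:10Z LOGIN OK user=bob ip=198.51.100.7
2025-03-01T09:02:00Z LOGIN FAIL user=carol ip=192.0.2.9
2025-03-01T09:30:00Z LOGIN OK user=carol ip=192.0.2.9
"""

def review_auth_log(text, max_failures=5, window=timedelta(minutes=10), warn_after=3):
    """Return (lockouts, suspicious): accounts that hit max_failures inside the window,
    and successful logins that followed at least warn_after recent failures."""
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    lockouts, suspicious = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue             # skip lines that are not authentication events
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
        result, user, ip = m[2], m[3], m[4]
        fails = [t for t in recent[user] if ts - t <= window]   # drop failures outside the window
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == max_failures:     # threshold reached: lock the account
                lockouts.append((user, ip, ts.isoformat()))
        else:
            if len(fails) >= warn_after:       # success right after a burst of failures
                suspicious.append((user, ip, ts.isoformat()))
            fails = []                         # a successful login resets the counter
        recent[user] = fails
    return lockouts, suspicious
```

On the sample, alice is locked at her fifth failure and bob's success after three quick failures is flagged, while carol's lone failure half an hour before her login is outside the window and raises nothing.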
If you store data, those standards are necessary to remain compliant. If you don’t store data or process donations, you can confirm PCI 4.0 compliance with your vendors. It is always good practice to confirm that everyone is working together to keep donor data safe!
Staying Secure and Moving Forward
PCI DSS 4.0 may seem like a big shift. While it’s imperative nonprofits take stock of what types of donation forms are on their websites and knowingly accept the burden of compliance with embedded forms, there aren’t any other drastic changes for most nonprofits.
If you rely on a CRM or payment processor, your role in compliance is minimal—just ensuring your systems use strong authentication and that your team stays informed on security best practices.
For those storing or processing credit card data in-house, the new standards offer greater flexibility while emphasizing security monitoring and data protection.
The key takeaways? Check your forms! And if you’re already following best practices and working with trusted vendors, there’s no need to panic. PCI 4.0 is simply an evolution in keeping donor data safe, and with the right approach, your nonprofit will be well-prepared for the March 31, 2025 deadline.
TNPA members may wish to join a March 26 webinar exploring the pros and cons of embedded payment forms, offered by CharityEngine at no cost.
Philip Schmitz is CEO of CharityEngine, a complete fundraising platform and CRM offering a robust suite of built-in fundraising tools and unified data. As with all our guest posts, the views and opinions expressed in this article are those of the author and do not necessarily represent the official position of The Nonprofit Alliance.