Credit Card Data Security Standards
With not-for-profit organizations accepting credit card payments for a variety of transactions, including donations, dues, and educational courses, it’s important to understand credit card data security standards and requirements. The payment card industry (PCI) requires any organization that stores, processes, or transmits cardholder data to comply with its data security standards (DSS). PCI is an industry group created by Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services, and JCB International. To protect their cardholders from the increasing number of identity theft incidents and security breaches, they have established data security standards with which all organizations, small and large, that accept, process, transmit, or store credit card data must comply.
To date, the payment card industry has focused its compliance efforts on larger merchants (see the size categories in the table below). However, due to recent increases in identity theft incidents, the card issuers are moving toward enforcing full compliance by all affected organizations.

Compliance levels
Penalties for noncompliance include a hold on your ability to accept credit card payments, increased scrutiny for the following year, and fines of up to $500,000. There is also potential legal liability to affected cardholders arising from a failure to comply with the required credit card data handling security standards.
Plante &amp; Moran is a PCI Approved Scanning Vendor (ASV), and our team can help you determine your compliance level, walk you through the self-assessment questionnaire, and/or complete the quarterly network security scans. Our services include:
- PCI DSS health check, including determining the level of compliance
- Network security scans (external, internal, wireless, etc.)
- Penetration testing (external and internal)
- Web application testing
- Annual compliance certification