PCI Compliance Checklist for Nonprofits – Overview & Guidelines for Certification

Materdei Consulting, LLC, offers the following PCI compliance checklist for nonprofits, an essential overview complete with guidelines on helping nonprofits throughout North America achieve certification – comprehensively and cost-effectively – in accordance with the Payment Card Industry Data Security Standards (PCI DSS).

1. Understand what PCI DSS is. The Payment Card Industry Data Security Standards (PCI DSS) can be an incredibly difficult mandate for nonprofits, as many organizations are not only challenged with the financial costs of compliance, they also struggle to maintain adequate I.T. and operational personnel for assisting with PCI endeavors. The more you understand what PCI DSS is – and what it’s not – the better you’ll be able to slay what’s arguably the biggest regulatory compliance mandate facing nonprofits in North America. So, what do you need to know about PCI? Here are the essentials for giving you a quick primer on the Payment Card Industry Data Security Standards (PCI DSS), courtesy of Materdei Consulting, LLC:

2. Compliance is About Documentation: More specifically, regardless of one’s industry, sector, or size, businesses will need to develop comprehensive information security policies and procedures for the Payment Card Industry Data Security Standards (PCI DSS) mandates – approximately 50+ policies. This can be an incredibly challenging, time-consuming and taxing process – especially for nonprofits – and it’s why sourcing high-quality PCI policy templates – such as those offered for instant download at pcipolicyportal.com – is the best approach to take.

3. Compliance is also About Implementing Various Initiatives: Security awareness training and risk assessments are two (2) fundamentally important mandates for PCI DSS compliance, and they’re much more than just developing policy statements. Specifically, they’re about undertaking various actions for helping ensure the safety and security of cardholder data. You actually have to roll up your sleeves and put these initiatives in place – and after all – they’re best practices you should be performing whether or not PCI DSS compliance is required, particularly in today’s world of regulatory compliance.

The documentation we offer for nonprofits – available for instant download – includes material for implementing both a security awareness training program, along with a risk assessment platform. Visit pcipolicyportal.com to learn more about our industry leading policy packets and compliance materials.

4. Compliance is about “Continuous Monitoring”: What is “Continuous Monitoring”? It’s about assessing and monitoring your controls on a regular basis for helping ensure the safety and security of cardholder data and other organization-wide assets. While every business that stores, processes, or transmits cardholder data must become PCI DSS compliant – which often means having a third-party assessor (i.e., a PCI-QSA) validate compliance – the real compliance initiatives take root long after the assessors are gone.

Specifically, for nonprofits, monitoring your own environment is really what provides long-term security for your organization, not a once-a-year validation by a PCI-QSA. For nonprofits, this means putting in place initiatives for monitoring your internal controls – the policies, procedures and processes – for maintaining PCI DSS compliance. We can help put such a program in place – we’ve done it numerous times for nonprofits all across the country, so email us today at pci@pcipolicyportal.com.

5. Learn about the reporting requirements for nonprofits: Unless you take credit card information in a traditional merchant scenario, either as a card-present function or through any number of e-commerce platforms, you’ll likely be considered a service provider for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance. This means that as a service provider, you’ll either be conducting your PCI assessment in accordance with Self-Assessment Questionnaire (SAQ) D or by way of an actual Level 1 onsite assessment performed by a Qualified Security Assessor (QSA). As for the parameters for deciding between SAQ D and a Level 1 onsite assessment, that can be a tricky answer, so call and speak with the PCI compliance nonprofit experts today at 424-274-1952.

6. Are you a merchant or a service provider nonprofit? Good question, because nonprofits can really be both. If you’re selling products and services via an e-commerce portal, you’re a merchant, and if you have some type of credible nexus to cardholder data, you’re a service provider. Don’t get too caught up in the merchant vs. service provider comparison because at the end of the day, the reporting requirements for both still entail the same thing: policies, procedures, and documented processes have to be in place.

7. Begin with a scoping & readiness assessment: The very best way to begin understanding, assessing – and properly planning – for PCI DSS compliance for nonprofits is by performing a PCI scoping & readiness assessment. Why? Because you need to truly gain insight into important issues, such as scoping boundaries, areas of remediation, personnel needs, etc. Without conducting any type of meaningful scoping & readiness assessment, you’re jeopardizing the long-term success of your PCI endeavors. What’s more, our PCI DSS scoping & readiness assessments are cost-effective, brief, and yield valuable results for helping plan and successfully complete compliance in a timely manner for your organization.

8. Remediate all gaps and issues: From missing policies to internal controls that are simply not functioning correctly, becoming – and staying – compliant with the Payment Card Industry Data Security Standards (PCI DSS) “can” be a time-consuming and challenging task for nonprofits. If you choose the right provider for assisting you – and if you have the correct documentation in place, such as what we offer for instant download – then becoming compliant is that much easier. Depending on how mature your control environment is, you may have only marginal areas to remediate – it all depends on your nonprofit’s current posture relating to operational, security, and technical controls.

9. Obtain critical PCI policies and procedures templates: Regulatory compliance is often difficult and time-consuming, and adding to its complexities are the heavy requirements for documentation – specifically – policies and procedures. Nobody likes to author them; it’s a mundane process that often gets pushed off to somebody with little time or knowledge of the materials, and thus it flounders. What you need are high-quality, well-written, and easy-to-use templates available for instant download today, and that’s exactly what’s offered at pcipolicyportal.com. From Requirement 1 to Requirement 12, there are almost fifty (50) PCI policies and supporting procedures that need to be in place, and we’ve got them for you.

10. Perform essential security awareness training: One of the very best initiatives you can undertake – and also one that’s quite cost-effective – is training all your nonprofit employees on today’s emerging information security best practices, helping ensure they stay abreast of security threats, challenges, and other dangers. Your employees – yes, your human skillset – are without question your first line of defense against the threat vectors facing your network, so shouldn’t you take the time to train and educate these individuals? You should – and security awareness training is easy to do, cost-effective, and provides a high return on investment (ROI). pcipolicyportal.com offers an incredibly comprehensive security awareness training packet that’s available for instant download today as part of our industry leading PCI Policy Packets. Visit pcipolicyportal.com today to learn more.

11. Undertake an annual risk assessment process: Nonprofits will also need to perform an annual risk assessment if they choose to go with SAQ D or a Level 1 onsite assessment with a Payment Card Industry Qualified Security Assessor (PCI-QSA). There seems to be quite a bit of chatter on the Internet as to what constitutes a risk assessment for PCI compliance, at least in terms of scope, mechanisms to use, and the final deliverable. The easy answer is to simply use our all-in-one, comprehensive risk assessment package, which includes well-written policy and procedure templates along with an easy-to-use risk management spreadsheet. Together, these documents will help you meet the PCI requirement of performing an annual risk assessment. The documentation is available for instant download today at pcipolicyportal.com.

12. Determine any third-party applicability for PCI DSS compliance: Do you have third parties providing critical services that could impact the safety and security of cardholder data? Are these entities also storing, processing, and/or transmitting cardholder data that you have a responsibility to protect on behalf of your clients? If so, then it’s time to put in place a comprehensive third-party monitoring program. Sure, it’s a requirement for PCI DSS compliance, but it’s also a best practice that any business should be implementing, regardless of industry, size or sector. We can help, as we offer our industry leading PCI DSS monitoring packet for download today.

13. Engage in “Continuous Monitoring”: As stated earlier in this article (and stated again now because of the importance of continuous monitoring!), the efforts needed for ensuring the continued safety and security of one’s cardholder data environment in terms of PCI DSS compliance are widely known as “Continuous Monitoring”. Specifically, it’s about establishing processes and procedures for assessing, reviewing, and enhancing, if necessary, one’s internal controls relating to PCI DSS compliance. Becoming PCI compliant is a notable milestone, but staying compliant, well, that can be a challenging endeavor indeed.

It’s why we offer nonprofits a proven process for monitoring one’s internal controls on a regular basis, complete with forms, checklists, and other processes to complement your existing checks and balances. Staying compliant with the PCI mandates is a must, and it all begins with comprehensive continuous monitoring initiatives, so contact us today at pci@pcipolicyportal.com to learn more.

Proven PCI Solutions for Nonprofits in North America

If you’re a nonprofit seeking expert guidance, open dialogue, straight talk and fixed-fee services for PCI DSS compliance, then it’s time to talk. From PCI scoping & readiness assessments to assistance with completion of the various PCI Self-Assessment Questionnaires (SAQ), and more, we can help. Contact us today at pci@pcipolicyportal.com to learn more about our capabilities for nonprofits regarding PCI compliance and subsequent certification. We’re ready to help nonprofits succeed in the often costly and complex world of PCI compliance. We hope you’ve found the PCI compliance checklist for nonprofits helpful in your quest for becoming PCI DSS compliant.