PCI DSS v4.0 Compliance Guide For Charities

David Pottrell

Hi! I’m a web developer and Head of Digital at Nebula Design who loves all things tech. When I’m not surrounded by code, I’m probably reading up on the latest development trends or on the pottery wheel.

I got my start in technology as a self-taught web freelancer; after studying at university and joining a small agency, Nebula Design was created. I specialise in both front-end and back-end development, typically around WordPress, and I’ve also got expertise in Search Engine Optimisation, Ecommerce and various emerging tech standards.

Published on February 25th, 2025|Last updated on February 26th, 2025

Introduction


If your charity processes, stores, or transmits payment card data, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is essential. PCI DSS v4.0 is the latest version, designed to improve security and flexibility while addressing evolving cyber threats.

Charities handling donations online, in-person, or via telephone must ensure that donor payment details remain secure. This guide will help your organisation understand the key requirements of PCI DSS v4.0 and how to implement them in a practical and manageable way.

Key changes in PCI DSS v4.0


PCI DSS v4.0 builds upon the previous version (v3.2.1) and introduces:

  • Expanded Multi-Factor Authentication (MFA) – MFA is now required for all accounts that access cardholder data.
  • Enhanced Password Requirements – Stronger password policies ensure better security.
  • New E-Commerce and Phishing Protection Measures – Additional safeguards against common cyber threats.
  • Continuous Security Monitoring – Security must be an ongoing process, not just an annual compliance check.
  • More Flexibility in Compliance Approaches – Organisations can use different methods to meet security objectives.

Step-by-step guide


Step 1: Understand Your Charity’s PCI Compliance Level

The level of compliance required depends on the number of card transactions your charity processes annually:

  • Level 1 – Over 6 million transactions per year
  • Level 2 – 1 to 6 million transactions
  • Level 3 – 20,000 to 1 million transactions
  • Level 4 – Less than 20,000 transactions

Most charities will fall under Level 3 or Level 4, meaning they must complete a Self-Assessment Questionnaire (SAQ) rather than undergoing a full external audit.

Step 2: Secure payment data

  • Only collect the payment data you need.
  • Ensure all stored data is encrypted.
  • Restrict access to cardholder data on a need-to-know basis.
  • Implement Multi-Factor Authentication (MFA) for all users accessing payment systems.

Example:
Ensure that only authorised staff have access to the Stripe dashboard, enable Multi-Factor Authentication (MFA) for all users, and regularly review who has access to payment data.

Step 3: Protect your charity from cyber threats

  • Regularly update security software and firewalls.
  • Train staff to recognise and report phishing attempts.
  • Implement strong password policies (longer passwords with complexity requirements).

Example:
Ensure any third-party scripts installed on your website are necessary, kept up to date and configured according to best practice, e.g. Google Tag Manager (GTM). Additionally, set up automated monitoring tools to detect and log any changes to those scripts.
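One way to do that monitoring yourself, as an added example that is not code from the original post: keep an approved inventory of the scripts on your donation page (external scripts by URL plus their Subresource Integrity hash if declared, inline scripts by SHA-256 of their content) and compare each fresh copy of the page against it. The two HTML pages are constructed samples, the GTM container id is a placeholder, and `static.example.invalid` stands in for any host that is not on your approved list. Feed it the HTML you fetch from your live page on a schedule and alert on anything other than "unchanged".

```python
"""Approved-script baseline check for a donation page (added example, not the post's code)."""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag on the page: its attributes and any inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []     # list of (attrs dict, inline body)
        self._attrs = None    # attrs of the <script> currently open, else None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._attrs = {k.lower(): (v or "") for k, v in attrs}
            self._buf = []

    def handle_data(self, data):
        if self._attrs is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._attrs is not None:
            self.scripts.append((self._attrs, "".join(self._buf).strip()))
            self._attrs = None


def inventory(html):
    """Map each script on the page to a fingerprint that must not change without review."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    inv = {}
    inline_n = 0
    for attrs, body in parser.scripts:
        src = attrs.get("src")
        if src:
            # External script: record where it loads from and its SRI hash, if one is declared.
            inv["external:" + src] = attrs.get("integrity") or "<no integrity attribute>"
        else:
            # Inline script: fingerprint the code itself, keyed by its position among inline scripts.
            inline_n += 1
            inv["inline#%d" % inline_n] = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return inv


def diff_inventory(baseline, current):
    """Scripts that appeared, disappeared, or whose fingerprint changed since the baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def check_payment_page(baseline, html):
    """Return (ok, report); ok is False if anything differs from the approved baseline."""
    report = diff_inventory(baseline, inventory(html))
    ok = not (report["added"] or report["removed"] or report["changed"])
    return ok, report


# Constructed sample: the donation page as approved, loading Stripe.js and GTM
# from their usual hosts (the GTM container id is a placeholder).
APPROVED_PAGE = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="donate"></form></body></html>"""

# Constructed sample of the same page after an unreviewed change: an extra script
# from a host that is not on the approved list, and an edited inline script.
TAMPERED_PAGE = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://static.example.invalid/unknown.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || []; window.extra = 1;</script>
</head><body><form id="donate"></form></body></html>"""

# The baseline is taken once, from a copy of the page you have reviewed and approved.
APPROVED_BASELINE = inventory(APPROVED_PAGE)

if __name__ == "__main__":
    ok, report = check_payment_page(APPROVED_BASELINE, TAMPERED_PAGE)
    print("page unchanged" if ok else "CHANGE DETECTED: %s" % report)
```

Keying inline scripts by position means an edited inline script shows up under "changed" rather than as a remove plus an add, which is the signal you want to see in a log.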

Bonus Example:
Ensure you have the correct SPF, DKIM and DMARC records set up in your domain’s DNS, so that you can show you are actively protecting your email services.
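The records are easy to publish and easy to get subtly wrong, so here is an added example (not code from the original post) that applies the checks worth running over them: exactly one SPF record ending in `-all` or `~all` and within the ten-lookup limit, a DMARC policy that actually enforces (`p=quarantine` or `p=reject`) with a reporting address, and a DKIM key that is present and not revoked. The zone data is a constructed sample and the DKIM public key is a placeholder; `lookup` is a plain dict lookup here, and in use you would replace it with a function that performs a real DNS TXT query for the name.

```python
"""Sanity checks for SPF, DKIM and DMARC records (added example, not the post's code)."""

# Constructed sample zone: the TXT records a charity's DNS might publish.
# The DKIM public key value is a placeholder, not a real key.
SAMPLE_ZONE = {
    "charity.example": [
        "v=spf1 include:_spf.mailprovider.example include:_spf.crm.example -all",
        "google-site-verification=placeholder",
    ],
    "_dmarc.charity.example": ["v=DMARC1; p=none; rua=mailto:dmarc@charity.example"],
    "s1._domainkey.charity.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
}

SPF_LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists"}


def check_spf(records):
    findings = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record; receivers treat that as a permanent error")
    terms = spf[0].split()[1:]
    # RFC 7208 caps the terms that need a DNS lookup at ten per evaluation.
    lookups = 0
    for term in terms:
        mech = term.lstrip("+-~?").split(":")[0].split("/")[0]
        if mech in SPF_LOOKUP_MECHANISMS or term.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append("SPF: %d lookup terms, over the limit of 10" % lookups)
    last = terms[-1] if terms else ""
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises every sender on the internet; use -all or ~all")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    elif last not in ("-all", "~all") and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' term, so unlisted senders are neither passed nor failed")
    return findings


def _tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(records, domain):
    rec = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return ["DMARC: no record published at _dmarc." + domain]
    tags = _tags(rec[0])
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s only monitors; move to quarantine or reject once reports look clean"
                        % (policy or "<missing>"))
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s applies the policy to only part of your mail" % tags["pct"])
    return findings


def check_dkim(records, selector):
    rec = [r for r in records if "p=" in r.replace(" ", "")]
    if not rec:
        return ["DKIM: no key record for selector '%s'" % selector]
    if not _tags(rec[0]).get("p"):
        return ["DKIM: selector '%s' publishes an empty p= (key revoked)" % selector]
    return []


def assess_email_auth(domain, selector, lookup):
    """lookup(name) returns the TXT strings at name, or None. Swap the dict for a real DNS query."""
    return {
        "spf": check_spf(lookup(domain) or []),
        "dmarc": check_dmarc(lookup("_dmarc." + domain) or [], domain),
        "dkim": check_dkim(lookup("%s._domainkey.%s" % (selector, domain)) or [], selector),
    }


if __name__ == "__main__":
    for area, findings in assess_email_auth("charity.example", "s1", SAMPLE_ZONE.get).items():
        print(area.upper(), "OK" if not findings else "; ".join(findings))
```

The sample zone deliberately sits at `p=none`, which is the right starting point while you read the aggregate reports, and the check keeps flagging it until the policy is moved to `quarantine` or `reject`.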

Step 4: Maintain secure payment processing

  • If using an external payment provider, confirm they are PCI DSS compliant.
  • Avoid storing full card details unless absolutely necessary.
  • Ensure online donation platforms have fraud detection and monitoring in place.

Example:
Ask your donation platform if they’re PCI DSS compliant. Look for terms like “PCI compliant”.

Step 5: Monitor and test security regularly

  • Conduct regular security scans and vulnerability assessments.
  • Perform risk assessments to identify and address potential threats.
  • Keep logs of all payment processing activity for security monitoring.

Step 6: Validate compliance annually

  • Complete the relevant Self-Assessment Questionnaire (SAQ) based on your transaction volume.
  • Submit an Attestation of Compliance (AOC) if required.
  • Work with your acquiring bank or payment processor to confirm compliance requirements.

Real-world examples


My charity uses Donorfy or another donation CRM

Donorfy integrates with PCI-compliant payment processors, so your primary responsibility is ensuring that your team follows best practices:

  • Verify that Donorfy’s payment integration (e.g., Stripe, GoCardless) is PCI DSS compliant.
  • Ensure that no card details are stored within Donorfy unless encrypted and justified.
  • Train staff on phishing risks and secure handling of payment data.

My charity has a bespoke donation platform using Stripe

If your charity has a custom-built donation platform that processes payments via Stripe:

  • Ensure your integration with Stripe follows PCI DSS guidelines, including tokenisation.
  • Use Stripe’s hosted payment elements to avoid handling raw cardholder data.
  • Conduct regular security scans and patch vulnerabilities in your system.
  • Complete the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) for your transaction level.
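With Stripe’s hosted elements the donor’s browser sends the card details to Stripe and your server only ever receives a PaymentMethod id (`pm_…`) or legacy token (`tok_…`). The added example below (not code from the original post, and not Stripe’s library) is a server-side guard for a bespoke platform that verifies this stays true: it rejects any submission that carries something Luhn-valid and card-number shaped, rejects fields the tokenised form is not expected to send, and masks card numbers out of any text before it reaches a log, which also serves Step 5’s logging requirement. The field names in `ALLOWED_FIELDS` and the sample submissions are assumptions for this example; the card number used is Stripe’s public `4242…` test card.

```python
"""Keep raw card numbers out of a Stripe-backed donation backend (added example, not the post's code)."""
import re

# Runs of 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields a tokenised donation form is expected to send (assumed names for this example).
ALLOWED_FIELDS = {"amount_pence", "currency", "payment_method_id", "donor_email", "gift_aid"}


def luhn_valid(digits):
    """The Luhn check-digit test that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit runs in text that look like card numbers (heuristic: length plus Luhn)."""
    hits = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_pans(text):
    """Mask card numbers down to their last four digits before a line reaches any log."""
    def mask(match):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group()
    return _CANDIDATE.sub(mask, text)


def screen_donation_request(form):
    """Accept a submission only if it carries a Stripe reference and no card data.

    Returns (accepted, reason). Order matters: a card number is the most serious
    finding, so it is reported before any other problem with the submission.
    """
    for field, value in form.items():
        if find_pans(str(value)):
            return False, ("field '%s' contains what looks like a card number; "
                           "the browser must send only Stripe's token" % field)
    unexpected = sorted(set(form) - ALLOWED_FIELDS)
    if unexpected:
        return False, "unexpected fields %s; review the form before accepting them" % unexpected
    ref = str(form.get("payment_method_id", ""))
    # Stripe PaymentMethod ids begin "pm_"; legacy card tokens begin "tok_".
    if not ref.startswith(("pm_", "tok_")):
        return False, "no Stripe payment method reference; the card was never tokenised"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: one correctly tokenised, one from a misbuilt form.
    good = {"amount_pence": "2500", "currency": "gbp",
            "payment_method_id": "pm_constructed123", "donor_email": "donor@example"}
    bad = {"amount_pence": "2500", "card_number": "4242 4242 4242 4242", "cvc": "123"}
    for submission in (good, bad):
        accepted, reason = screen_donation_request(submission)
        print("accepted" if accepted else "rejected", "-", redact_pans(reason))
```

The PAN scan is a heuristic (any Luhn-valid 13 to 19 digit run), so it can flag other reference numbers that happen to pass Luhn; that is the right trade-off for a check whose only job is to fail loudly when card data reaches a server that should never see it.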

My charity raises funds in-person using a Square card machine

For charities using Square for in-person fundraising:

  • Ensure that all devices are running the latest firmware and security updates.
  • Use strong passwords and multi-factor authentication for the Square account.
  • Train fundraising staff to recognise social engineering and fraud risks.
  • Regularly review Square’s PCI DSS compliance status and security recommendations.

Timeline for Compliance


  • 31 March 2025 – Future-dated new requirements become mandatory.

Charities should aim to transition to PCI DSS v4.0 as soon as possible to ensure continued compliance and donor trust.

Final Thoughts


PCI DSS compliance might seem complex, but it is crucial for protecting your charity and its supporters. By following these steps, you can ensure a smooth transition to PCI DSS v4.0 while maintaining secure and trusted payment processes.

For additional guidance, visit the PCI Security Standards Council website.

Useful resources/Further reading


Frequently asked questions (FAQs)


What is an SAQ (Self Assessment Questionnaire)?

A Self-Assessment Questionnaire (SAQ) is a self-validation tool to assess security for cardholder data. It’s suitable for smaller merchants and service providers who are not required to submit a Report on Compliance.

The Self-Assessment Questionnaire includes a series of yes-or-no questions for the security requirements. If an answer is no, your organisation may need to specify what you will do to achieve the required level and by when.

There are a series of nine different SAQs available from the PCI Security Standards Council to meet different types of merchant and service provider requirements.

See more from the PCI Security Standards Council

We use Opayo/Stripe/PayPal etc. Does that mean we don’t need to do anything?

If you accept or process payment cards, PCI DSS applies to you. Using a payment provider like Stripe or PayPal may make it much easier to achieve and demonstrate that you are PCI compliant, but it does not in any way make you exempt.

Can I just answer ‘Yes’ to all the questions on the Self-Assessment Questionnaire (SAQ)?

This stance is highly risky. The SAQ must be signed by a company officer, and if they answer ‘Yes’ to a question without properly meeting the required control, they are not only being dishonest but also putting the organisation at significant risk. In the event of a card data breach, if it is revealed that the merchant was never truly compliant, the repercussions could be severe.

Do I need a PCI DSS QSA, or can I complete compliance myself?

If you are a Level 1 merchant or service provider—processing over 6 million transactions annually—or operate within a complex payment environment that stores or processes cardholder data, you are required to engage a Qualified Security Assessor (QSA) to complete a Report on Compliance (ROC).

For smaller businesses, a Self-Assessment Questionnaire (SAQ) may be sufficient. However, working with a QSA can:

1. Help avoid common compliance mistakes
2. Ensure all security controls are properly implemented
3. Minimise the risk of non-compliance penalties