The Payment Card Industry Data Security Standards (PCI DSS) are designed to secure credit and debit card transactions and protect cardholder data. These standards apply to all organizations handling credit card information, including nonprofits that accept credit cards for donations, merchandise sales, or other purposes.

The latest version of PCI DSS took effect in 2024, but most of its new requirements did not become mandatory until March 31, 2025.

Wide-ranging security standard

The PCI Security Standards Council is an independent organization established nearly 20 years ago by major credit card networks, including American Express, Discover, JCB International, MasterCard, and Visa. Its primary goal is to enhance payment account data security and promote the global adoption of consistent data security practices.

PCI DSS standards apply to all entities storing, processing, or transmitting cardholder or sensitive authentication data. This includes organizations of all sizes, regardless of the volume of transactions they handle.

12 core requirements

The current standards (PCI DSS v4.x) consist of 12 core requirements, each encompassing more specific rules, testing procedures, and guidance. The core requirements dictate that covered entities must:

  1. Install and maintain network security controls (firewalls) to protect cardholder data
  2. Employ secure configurations for all system components (replacing vendor-supplied defaults with unique passwords and settings)
  3. Protect account data through encryption, truncation, masking and hashing
  4. Defend cardholder data by encrypting its transmission over open or public networks
  5. Protect all systems and networks from malicious software (for example, with anti-malware programs)
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data based on “need to know” (staffers should be restricted to the least data necessary to perform their jobs)
  8. Identify users and authenticate access to system components through unique identifiers and associated authentication factors, such as passwords, smart cards or biometric elements
  9. Restrict physical access to cardholder data and systems that store, process or transmit cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Regularly test the security of systems and networks to ensure security controls continue to reflect the changing environment and
  12. Support information security with organizational policies and programs that inform all personnel of the sensitivity of cardholder data and their responsibilities for protecting it
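Requirements 3 and 10 above name concrete techniques (truncation, masking, hashing, and monitoring of access). The following Python is an added illustration, not code from the article or from any PCI document, of how those three protections differ and how a log-monitoring check can catch a raw card number that should never have been written. The test PAN is a widely published test number, not an issued account; the HMAC key is a placeholder, and the "last four digits only" display rule is the conservative choice assumed here.

```python
import hashlib
import hmac
import re

# Widely published test PAN (passes the Luhn check); not a real account.
SAMPLE_PAN = "4111111111111111"
# Placeholder key for the keyed hash; a real deployment manages this key separately.
PLACEHOLDER_KEY = b"replace-with-managed-key"

def is_luhn_valid(pan: str) -> bool:
    """Luhn checksum: distinguishes a plausible card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Masking (display): hide all but the last four digits; the full PAN still exists elsewhere."""
    return "*" * (len(pan) - 4) + pan[-4:]

def truncate_pan(pan: str) -> str:
    """Truncation (storage): keep only the last four digits; the rest is discarded, not hidden."""
    return pan[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): a stable lookup token that cannot be reversed
    by brute-forcing the small space of valid PANs without the key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def scan_logs(lines: list[str]) -> list[int]:
    """Monitoring check (requirement 10): return indexes of log lines that contain
    a 13-19 digit run passing the Luhn check, i.e. a likely unmasked PAN."""
    offenders = []
    for idx, line in enumerate(lines):
        if any(is_luhn_valid(m.group()) for m in re.finditer(r"\d{13,19}", line)):
            offenders.append(idx)
    return offenders

if __name__ == "__main__":
    # Constructed log lines: the first leaks the raw PAN, the second is masked correctly.
    logs = [f"donation ok card={SAMPLE_PAN} amount=25.00",
            f"donation ok card={mask_pan(SAMPLE_PAN)} amount=25.00"]
    print("masked:", mask_pan(SAMPLE_PAN), "truncated:", truncate_pan(SAMPLE_PAN))
    print("token:", hash_pan(SAMPLE_PAN, PLACEHOLDER_KEY)[:16] + "...")
    print("lines with unmasked PAN:", scan_logs(logs))
```

A nonprofit that outsources payments still owns its own web and application logs, so a check like `scan_logs` run over them is one cheap way to confirm the provider integration never hands the full PAN to your systems.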

The latest updates added 64 new sub-requirements, including 51 that took effect on March 31, 2025.

Card network enforcement

Although the PCI Security Standards Council promulgates the standards, it doesn’t enforce them. That’s generally left to the card networks. The networks establish their compliance requirements in their terms and conditions, typically based on the number of transactions processed. The greater the number of transactions, the tighter the provider’s requirements will likely be.

Noncompliance can prove costly. The network may impose substantial penalties or even prohibit you from processing card payments. Moreover, noncompliance could lead to data breaches, resulting in steep legal and mitigation costs, hefty fines, and devastating reputational damage.

Best practices

Nonprofits often manage compliance by outsourcing it to online payment platforms or payment service providers — such as PayPal, Stripe, or Square — and incorporating compliance in their service agreements. It’s important to know that card networks will hold nonprofits liable for noncompliance if a provider falls short. In addition, nonprofits may need to submit a Report on Compliance (ROC) or complete a Self-Assessment Questionnaire.

Conduct thorough due diligence before selecting a provider to reduce the risk of noncompliance. Request examples of PCI ROCs and monitor a provider’s compliance with its contract’s security and compliance provisions and audit requests.

What if you don’t use a provider for your credit card transactions? Be careful. If you handle cardholder data on your website or servers, you’re responsible for complying with the PCI requirements issued by your card networks. Make sure your IT professionals are up to date on the new requirements.

Other standards

The PCI DSS may not be your nonprofit’s only data security requirement. Organizations must also comply with other laws, regulations, and formal or informal standards that set parameters for protecting individuals’ personal information. Of course, your nonprofit can only benefit from adopting more stringent safeguards than those mandated.

Look for ‘secure-by-design.’

Credit card transactions aren’t the only potential vulnerabilities nonprofits must address to safeguard their and their supporters’ data and finances (see main article). Hackers and cybercriminals can exploit weaknesses in various software systems. Rather than focusing solely on whether your software providers satisfy various compliance standards, determine whether they adhere to the “secure-by-design” approach. This can reduce risk.

Software designed under the secure-by-design standard prioritizes customers’ security as a core business requirement — rather than treating it as just a technical feature. Software makers that implement secure-by-design principles in the earliest design phase of a product’s development lifecycle reduce the number of exploitable flaws before the product is introduced to the market for widespread use. Out-of-the-box software, for example, should include multifactor authentication, logging and single sign-on for no extra fee.

© 2025

Thompson Greenspon

This blog post was provided by Thompson Greenspon. If you have questions or concerns regarding this content, please contact us.