PCI Compliance for Nonprofits: The Definitive 2026 Guide
PCI compliance for nonprofits means following the Payment Card Industry Data Security Standard (PCI DSS) to protect donors’ card data across every channel. It applies to any nonprofit that accepts, stores, processes, or transmits cardholder data. Under PCI DSS v4.0.1, nonprofits must validate compliance annually and implement controls like universal MFA and external scans and script monitoring on donation forms to reduce fraud, avoid fines, and sustain donor trust.
“PCI compliance is mandatory for any organization that handles cardholder data, including nonprofits and charities, but the process of maintaining compliance shouldn’t feel like an impossible task,” said Tiffany Ramzy, Head of Compliance and Risk at Engaging Networks. “Engaging Networks helps by maintaining a high level of security standards for all donation pages. We work with our nonprofit clients and partners to ensure everyone understands their role in PCI compliance, since it is a shared responsibility. We strive to make security easy, so our clients can focus on their mission (instead of on compliance). This is especially true for our new Smart Pages.”
This guide demystifies PCI DSS for nonprofit teams with limited time and resources. You will learn what the standard requires, how to scope your environment, and how to reduce risk with practical controls. We also explain the shared responsibility model and where vendors help, so you can streamline compliance without sacrificing supporter experience.
Key Takeaways
- Cyberattacks against nonprofits are common — in one survey, 85% reported that their nonprofit has been a victim of a cyberattack.
- PCI DSS v4.0.1 includes requirements like universal MFA and script oversight on payment pages.
- Fines for non-compliance typically range from $5,000 to $100,000 per month, plus breach costs that can be severe.
PCI Compliance and Its Importance for Nonprofits
PCI DSS is the global security standard that governs how organizations handle credit card data, from online donations to point-of-sale transactions. If your nonprofit accepts, stores, processes, or transmits card data, you must follow PCI DSS. The standard is enforced contractually by payment brands and acquiring banks.
The stakes are high. In a 2024 survey, 85% of nonprofits reported that they’ve been victims of cyberattacks, and 53% said they lack enough full-time staff to protect cybersecurity. In the broader landscape, the United States recorded a record 3,322 data compromises in 2025, underscoring rising exposure across sectors. Processors impose monthly fines for PCI non-compliance that typically range from $5,000 to $100,000, which can cripple operating budgets.
Nonprofit realities complicate PCI work: Legacy donor systems, event-based fundraising, and volunteer involvement can all open the organization up to a cyberattack.
Related reading: Nonprofit Cybersecurity & Compliance: How Engaging Networks Keeps Your Data Protected with a Multi-Layered Approach
Core Principles of PCI DSS
PCI DSS is organized into six goals and 12 requirements that span network security, data protection, vulnerability management, access control, monitoring and testing, and policy governance. PCI DSS v4.0.1 is the active standard with full enforcement beginning March 31, 2025.
Three requirements matter greatly to nonprofits running online donation forms. Requirement 6.4.3 requires you to authorize, inventory, and monitor every third-party script that can access the payment form. This targets modern skimming attacks that hide in tag managers or analytics code. Requirement 8 mandates strong authentication to universal MFA for all access into the Cardholder Data Environment, or CDE, reducing the risk of credential theft and account takeover. Requirement 11.3.2 which mandates quarterly external vulnerability scans of donation pages by an Approved Scanning Vendor.
Here’s a glossary of key terms you will see often:
- Cardholder Data Environment (CDE): The systems and networks that store, process, or transmit card data
- Self-Assessment Questionnaire (SAQ): The form that validates compliance for most nonprofits
- Qualified Security Assessor (QSA): A professional who performs onsite audits for the highest-volume merchants
- Approved Scanning Vendor (ASV): A PCI-approved organization that scans for possible risks or vulnerabilities
- Attestation of Compliance (AOC): A document that validates compliance status for external parties
Assessing Your Nonprofit’s PCI Compliance Status
Start by mapping every place card data could enter your organization, such as:
- Website donation pages
- Event devices
- Mail or phone entries
- Integrations that touch payment fields
Then minimize scope by outsourcing card data capture to vetted providers wherever possible.
Determine your merchant level, which is based on the number of transactions your nonprofit processes each year:
- Level 1: More than 6 million transactions
- Level 2: Between 1 and 6 million transactions
- Level 3: Between 20,000 and 1 million transactions
- Level 4: Fewer than 20,000 transactions
Your nonprofit’s level impacts your PCI compliance validation requirements. Level 1 merchants must file a yearly Report on Compliance (ROC) with a QSA, along with an AOC, while level 2 and 3 merchants have to complete and submit an SAQ. Level 4 merchants face looser requirements than others, but should still plan to complete an SAQ to ensure they’re PCI compliant.
SAQs vary depending on the way your nonprofit accepts credit card payments. If you fully outsource cardholder data capture and your pages use hosted fields or iframes with no direct card data touch, SAQ A is usually the simplest option.
Ensure that your nonprofit validates and monitors compliance on a schedule. E-commerce environments require quarterly network vulnerability scans by an ASV. Your processor will expect passing scan results every 90 days and an annual SAQ with an AOC.
Why Compliance Matters for Reputation and Cost
The global average cost of a data breach in 2025 was estimated at $4.4 million — a figure that can devastate mission delivery for charities. Those costs don’t stop at lost donations and payment systems downtime; data breaches cost money to detect, contain, and remedy.
A data breach can also permanently harm donor trust. Once that’s lost, it’s difficult to earn back.
A Practical Nonprofit Self-Checklist for PCI Compliance
- Inventory payment channels and data flows, including embedded forms and event devices.
- Verify vendors’ current AOCs.
- Choose the right SAQ based on architecture and data handling.
- Enforce MFA and strong passwords on all systems that can reach the CDE.
- Track and approve all third-party scripts on donation forms.
- Schedule quarterly ASV scans and remediate findings promptly.
Common PCI Risks Facing Nonprofits
Nonprofits face a blend of external and internal risks amplified by lean teams and decentralized fundraising. Occupational fraud is one costly risk vector. According to a 2026 report from the Association of Certified Fraud Examiners (ACFE), fraud committed by internal employees leads to a median loss of $69,000 for nonprofits. Fraud awareness training may help nonprofits discover fraudulent activity — in fact, organizations that provided training noticed fraud two times faster than those who didn’t offer training.
Supply chain exposure is another growing risk. In this type of attack, bad actors target third-party vendors or software suppliers to gain access to sensitive information, including credit card data. Supply chain breaches have doubled since 2021 and now account for 30% of all breaches, making vendor selection and script governance critical.
Data breaches can also happen due to human error. Clicking on a malicious link or falling for a phishing scam can happen to anyone as scams get more sophisticated. Phishing is the most common cause of data breaches, accounting for 15% of all breaches.
Operational pitfalls can also cause a breach: Writing card numbers on gala pledge forms, using non-compliant mobile readers on personal phones, or leaving elevated CRM permissions in place after role changes could all open a nonprofit up for a breach.
Engaging Networks Academy: Clients can learn more about how to keep accounts secure with our short course.
Achieving and Maintaining PCI Compliance for Nonprofits
Shore Up Data Protections
Our platform makes your data processing secure. We use a third party to tokenize credit card data immediately after donors submit it on an Engaging Networks-hosted form that accepts credit card payments. This ensures your systems never touch raw primary account number (PAN) data. Enforce universal MFA for any account that can access the CDE and require strong, modern passwords. PCI v4.0.1 aligns with 12-character minimum passwords as part of strengthened authentication controls.
Focus On Risk Reducers
Tighten access by removing shared logins and ensure your organization has an automated offboarding process to remove access for former staff members. Replace paper capture of cardholder information with compliant hosted fields. Vet every embedded script on donation pages.
Prioritize People and Processes
Human error is implicated in 95% of data breaches, so invest in regular, role-based training and phishing awareness for staff and volunteers. Implement internal anti-fraud controls, which are associated with a 50% reduction in fraud loss and 50% improvement in fraud detection. Segregate duties, reconcile donations promptly, and audit access quarterly.
Operationalize Ongoing Compliance
Document a script approval process for donation pages and maintain an inventory to satisfy requirements for quarterly ASV scans and track remediation to closure. Cap the year by creating your SAQ and AOC, then brief leadership on residual risks and improvements for the next cycle.
Policy Essentials To Put in Place
- Access control policy with universal MFA and quarterly access reviews
- Secure software and change management that includes third-party script approvals
- Incident response plan aligned to your processor’s requirements and notification timelines
- Vendor management with current AOCs on file and a clear responsibility matrix
How Vendors Like Engaging Networks Support PCI Compliance
Specialized platforms can reduce your scope and simplify validation. Engaging Networks is third-party-validated compliant with PCI DSS v4.0.1. That directly reflects our high security standards and commitment to protecting cardholder data.
For simplified and secure donation pages, we’ve also introduced Smart Pages: Templated donation pages that are PCI compliant out of the box — no need for custom development work or complicated security scans.
Related reading: Introducing Smart Pages: Beautiful, High-Converting Donation Pages, Built in Minutes
Engaging Networks Supports Secure Integrations
Engaging Networks integrates with third-party vendors across the tech stack, including secure payment processors and specialized tools, such as Okta for Single Sign On (SSO) support.
Frequently Asked Questions about PCI Compliance for Nonprofits
Yes. There are no exemptions based on size or tax status. If you accept even one card donation, you must comply. Smaller nonprofits may have looser validation requirements, however.
Annually, via an SAQ or a QSA-led Report on Compliance for Level 1 merchants. E-commerce environments also require passing ASV vulnerability scans every 90 days.
The nonprofit could face monthly fines that typically range from $5,000 to $100,000. They may also see increased fees or the termination of their merchant account.
Treat PCI Compliance as a Continuous Process
PCI compliance is a continuous program, not a one-time checklist. Under PCI DSS v4.0.1, nonprofits must pair strong technical controls like universal MFA and script governance with practical policy, training, and vendor management. The risk is real across the sector. Nonprofits face rising attacks, common internal fraud patterns, and meaningful financial penalties for non-compliance, alongside the high potential cost of a breach.
Ready to achieve compliance and protect your supporters’ data? Request a personalized walkthrough of Engaging Networks and see how our platform can help you scale secure, donor-friendly giving.