Are your donation reply cards secure?
Julie Whelan Capell |
When was the last time you thought about the payment security of your organization’s fundraising tools?
For decades, nonprofits have sent out donation response cards. We’ve all seen them: a card where donors can write their credit card information that they return via the US Postal Service. I’ve never heard of a security breach related to these cards, but some accountants are beginning to tell their nonprofit clients that they’re too risky.
We asked a few nonprofits and trusted advisors for their opinions on this topic, and share their feedback in this week’s blog post. As always, MWA advises you to check with your legal counsel and accountant regarding your organization’s situation. This article does not represent accounting or legal advice.
Concern about the security of credit card payments is often driven by Payment Card Industry (PCI) compliance rules and regulations. Being found out of compliance could generate a sizable fine.
The good news is, as long as your nonprofit outsources its online credit card processing to a third party, you don’t have much to worry about. They are the ones who bear the burden for maintaining PCI compliance.
But even if your website donations are handled by a third party vendor, there’s still some risk related to those donation reply cards.
When I asked around about offering credit card payments by mail, the feedback ran the gamut from places that are still comfortable doing this to those that have completely banned the practice. Directing donors to your website to make a completely secure donation seems to be the most common way to avoid the problem completely.
Questions about payment security
To decide if your organization should continue to collect donor credit card information by mail, ask yourself:
- What is your internal controls situation? How many people inside your organization are touching that donation card? How many have access to the credit card information? Do you destroy that card after the gift is processed?
- Do you really need to collect the CVV code? This is the three-digit security code on the back of a credit card. There are ways to process credit card payments that don’t involve asking for this code. Make sure you are using one of these and take that box off your reply devices.
Think about it from your donors’ perspective
What are your donors telling you? Are they still sending credit card information by mail? A lot of older donors are not comfortable making donations online. If no one is complaining, and you are confident that your internal systems are secure, then you might decide to continue to collect this information by mail.
If you want to talk more about this, MWA can talk you through the risk/benefit analysis. Give us a call, we’re here to help!