Security & Risk Management: PCI Compliance Can't Be Outsourced

As we have increased our use of Online Giving and other electronic giving systems at our churches, we have become more conscious of the controls and the risks associated with payment processing. In some cases there is a great deal of anxiety around this subject. This is a good thing because we have become aware of the risks; however, we have a large number of activities that require our attention for both PCI compliance and risk management.

Does your church hold a conference? How about an auction or a dinner? Do you have a church gift store? If you are like many churches, you have these events and activities and you may allow people to pay by credit card or even direct deposit. Do you use any type of commitment card or envelope that provides the option for a churchgoer to include a credit card or bank account number on the form? Your church may very well need to be fully PCI Compliant.

There also has been some discussion of "Merchant of Record" associated with electronic giving applications for churches. This concept has been raised as if it is the critical factor when implementing an electronic giving solution. The credit card associations base the requirement for PCI compliance on the ACTIVITY performed at the church. This is regardless of formal or informal agreements defining the organization as a merchant. The church cannot outsource the risk or the compliance to another organization.

The two most important factors churches should consider when they are assessing the risk associated with electronic contributions are:

1. The flow of the donation dollars. Make sure that the church member's contribution moves from the member account to the church or bank account directly. Avoid deposits into holding accounts or escrow. Organizations that serve as a merchant on behalf of other organizations are considered aggregators by the credit card associations and are also considered to be higher risk because they hold accounts with donor funds in the accounts.
2. No church access to account information. The application should prevent the church staff from any access to donor credit card or bank account information. Make sure any function that allows the church access to account information is turned off.

Beyond that, consider the integrity and financial strength of the organization providing the solution.

Our church leadership must consider all activities related to donations and finances and we must educate ourselves on the latest requirements for compliance and risk management. We have a good start on the new systems, but don't forget some of the many activities we have done for years!