
Upcoming changes to PCI regulations and their impact on charities

The Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards designed to ensure that all entities accepting, processing, storing, or transmitting credit card information maintain a secure environment. Version 4.0 of PCI DSS introduces significant changes that will take effect on 31st March 2025, impacting organisations worldwide, including charities.

Chris Todhunter

My passion for all things tech started with programming a ZX81 as a kid and hasn't wavered during the 25+ years of working in the sector. Being at the helm of an agency (with my amazing business partner, Jack de Wolf) has meant that we have been able to build something we are truly proud of: a brilliant team of committed, passionate individuals with a common aim - to use our skills and our 9-5 in making a positive difference through the work we do with our amazing charity clients.

Chris Todhunter, Founder and Technical Director

Key Changes in PCI DSS 4.0

The updated standard emphasises enhanced security measures, particularly focusing on:

  • Script Management (Requirement 6.4.3): Organisations must inventory, authorise, and secure all JavaScript files that interact with payment forms. This process ensures that only approved scripts are operational, reducing the risk of malicious code compromising payment data.
  • Anti-Tamper Detection (Requirement 11.6.1): The new requirement mandates the use of automated tools to monitor web pages for unauthorised modifications. Real-time alerts from these tools enable swift responses to potential security breaches.

Implications for Charities

Charities handling credit card donations must adapt to these changes to maintain compliance. The level of required involvement depends on how cardholder data is processed, stored, and transmitted within the organisation. A critical component of compliance is the annual completion of a Self-Assessment Questionnaire (SAQ), which helps organisations evaluate their adherence to PCI DSS requirements.

Determining the Appropriate SAQ

The type of SAQ a charity should complete is determined by its specific payment processing methods:

  • SAQ A: Applicable to organisations that fully outsource all cardholder data functions to PCI DSS-validated third-party service providers. These organisations do not store, process, or transmit any cardholder data on their systems or premises.
  • SAQ D: Required for organisations that store, process, or transmit cardholder data on their systems. This is the most comprehensive SAQ, encompassing all PCI DSS requirements.

If there is uncertainty about which SAQ to complete, consulting a Qualified Security Assessor (QSA) is advisable.

Steps to Achieve Compliance

To align with PCI DSS 4.0, charities should:

  • Assess Data Handling Practices: Determine whether your organisation directly processes, transmits, or stores cardholder data.
  • Inventory and Authorise Scripts: Identify all JavaScript files on web pages associated with payment forms and ensure each script is necessary and secure.
  • Implement a Content Security Policy (CSP): Configure a CSP to allow only authorised scripts to execute on your website, thereby blocking potentially harmful code.
  • Deploy Monitoring Solutions: Utilise automated tools to continuously monitor web pages and scripts for unauthorised changes, ensuring prompt detection and response to potential threats.
  • Implement Regular ASV Scans: Use an Approved Scanning Vendor (ASV) to scan your websites on a regular schedule so that known vulnerabilities are identified and remediated.

Consequences of Non-Compliance

Failing to comply with PCI DSS 4.0 can lead to severe repercussions, including:

  • Suspension of Payment Processing Services: Payment processors may halt services, disrupting the organisation’s ability to accept donations.
  • Financial Penalties: Non-compliance can result in substantial fines, straining the organisation’s financial resources.
  • Erosion of Donor Trust: Security breaches can damage the organisation’s reputation, leading to a loss of donor confidence and support.

How we can help

These are technical changes that need to be made to any charity website that handles donations, whether on-site or off-site. Don't worry, though: we are already working with a number of our clients to put a remediation and monitoring plan in place.

To find out more about how we can help you navigate these changes, please get in touch.