Security and risk management: PCI Compliance cannot be outsourced

As we have increased our use of Online Giving and other electronic giving systems at our dioceses and parishes, we have become more conscious of the controls and the risks associated with payment processing. In some cases there is a great deal of anxiety around this subject. This is a good thing because we have become aware of the risks; however, we have a large number of activities that require our attention for both PCI compliance and risk management.

Does your parish or diocese hold a conference? How about an auction or a parish dinner? Do you have a parish gift store? If you are like many parishes, you have these events and activities and you may allow people to pay by credit card or even direct deposit. Do you use any type of commitment card or envelope that provides the option for a parishioner to include a credit card or bank account number on the form? Your parish may very well need to be fully PCI Compliant.

There also has been some discussion of "Merchant of Record" associated with electronic giving applications for parishes and dioceses. This concept has been raised as if it is the critical factor when implementing an electronic giving solution. The credit card associations base the requirement for PCI compliance on the ACTIVITY performed at the parish. This is regardless of formal or informal agreements defining the organization as a merchant. The parish and diocese cannot outsource the risk or the compliance to another organization.

The two most important factors parishes and dioceses should consider when they are assessing the risk associated with electronic contributions are:

1. The flow of the donation dollars. Make sure that the parishioner contribution moves from the parishioner account to the parish or diocese bank account directly. Avoid deposits into holding accounts or escrow.
   
   Organizations that serve as a merchant on behalf of other organizations are considered aggregators by the credit card associations and are also considered to be higher risk because they hold accounts with donor funds in the accounts.
   
   
2. No parish access to account information. The application should prevent the parish staff from any access to donor credit card or bank account information. Make sure any function that allows the parish access to account information is turned off. 

Beyond that consider the integrity and financial strength of the organization providing the solution.

Our parish leadership and diocesan staff must consider all activities related to donations and finances and we must educate ourselves on the latest requirements for compliance and risk management. We have a good start on the new systems, but don't forget some of the many activities we have done for years!