Article January 22, 2025

Navigating PCI DSS v4.0: What You Need to Know 

Leslie Beck
(she/her/hers)
Senior Solutions Engineer

The Payment Card Industry Data Security Standard (PCI DSS) is a critical framework for safeguarding credit card transactions and protecting sensitive cardholder data. The recent release of PCI DSS v4.0 marks the most significant update in over a decade. This new version introduces enhanced security measures, greater flexibility in implementation, and a stronger focus on continuous compliance. This update is part of a broader industry shift to enhance payment security standards and improve the user experience for donors. With a deadline to implement these updates by March 2025, organizations must take proactive steps to ensure compliance and continuity. Non-compliance may result in fines or the loss of credit card processing capabilities.

In response, nonprofit engagement platforms with donation and peer-to-peer functionalities have updated their products to meet the requirements. When it comes to platforms like Engaging Networks and Luminate Online, which allow greater customization in their code, the platform and the nonprofit share a responsibility to adhere to the guidelines. For nonprofits, these changes are more than just a technical requirement—they’re an opportunity to enhance donor trust and improve the online giving experience.

Let’s break down what these changes mean, why they’re essential, and how your organization can navigate the transition smoothly.

What is PCI Compliance, and Why Does It Matter? 

PCI DSS (Payment Card Industry Data Security Standard) is a global standard designed to secure credit card transactions and protect sensitive cardholder data. Version 4.0, the latest iteration, introduces stricter requirements and modernized frameworks to address evolving cybersecurity threats.

For organizations, this means adopting enhanced payment processing systems to ensure compliance with these updated standards. Failure to meet these requirements could result in penalties, increased security risks, and potential donor distrust.

What’s Changing in Luminate Online? 

Blackbaud has recently introduced a PCI v4.0-compliant checkout experience for Luminate Online (LO) donation forms and TeamRaiser transactions.

The updated checkout experience includes:

  • Modernized Payment Fields: Options for modal (pop-up) and embedded payment forms.
  • Expanded Digital Wallet Support: Including Apple Pay, Google Pay, PayPal, and Venmo.
  • Unified Payment Gateway: Requires setting up a new Payment Gateway to support the updated forms.
  • Streamlined User Experience: Designed to improve donor confidence and conversion rates.

These updates not only align with PCI v4.0 standards but also enhance the donation experience for supporters by offering secure, flexible payment options. In an increasingly digital-first world, a frictionless and secure checkout process can make all the difference in sustaining donor engagement.

In addition to donation forms, Blackbaud is extending the new checkout experience to:

  • eCommerce: Online stores and merchandise sales.
  • Ticketed Events: Event registration and ticket purchases.
  • Gift Service Center: Donor support for managing contributions.

These updates are part of Blackbaud’s ongoing efforts to modernize its ecosystem.

Ensuring Compliance on Your Donation and Peer-to-Peer Pages 

Here’s a step-by-step guide to transition your donation forms and campaigns to the new system.

Before You Get Started: Complete an Annual Self-Assessment Questionnaire (SAQ):

If you haven’t already, complete the Annual Self-Assessment Questionnaire (SAQ) and report your PCI compliance status. The type of SAQ you must complete depends on your annual volume of credit card transactions. Contact your payment gateway (e.g., PayPal, Stripe) for guidance on SAQ requirements.

Step 1: Take Inventory of Existing Donation Forms

  • Take an inventory of all published forms. In Luminate Online, the built-in “Donations by Form” report gives you a full inventory.
  • Review and remove payment pages that are inactive or have low transaction volume. Consolidate redundant forms to streamline your campaigns.

Step 2: Update Software and Set Up a New Payment Gateway

  • Ensure that libraries and dependencies on payment pages are current and secure. Most platforms, including Engaging Networks, have fully compliant JavaScript code in their more recent releases.
  • If you are in Luminate Online, create the new Payment Gateway specifically configured for the new checkout experience.
  • Note: in LO, forms within a single campaign cannot use both the old and the new payment systems, so plan your updates carefully.

Step 3: Update Your Forms and Test for Compatibility

  • If you have customized donation forms, work with a developer to ensure the code follows OWASP principles and PCI DSS merchant guidelines.
  • If you are a Luminate Online client:
      • Begin transitioning donation forms to the new checkout experience.
      • Choose between modal or embedded payment fields based on your audience’s needs and preferences.
      • Test the new forms to ensure there are no conflicts with existing custom code or scripts.
      • Make minor CSS adjustments if needed to align the form’s appearance with your branding.

Step 4: Communicate the Changes Internally

  • Inform your team about the updated payment gateway and new standards to ensure a smooth rollout.
  • Collaborate with stakeholders to plan updates to campaigns and communications.

Step 5: Conduct Quarterly Vulnerability Scans

  • Scans of payment pages must be conducted every 90 days by an Approved Scanning Vendor (ASV).

Why You Should Act Now 

The March 2025 deadline may seem far off, but implementing these changes requires careful planning and testing. Updating your donation forms not only ensures compliance but also strengthens donor trust and enhances the overall giving experience.

If you need guidance or want to explore how these changes can benefit your organization, feel free to reach out—we’re here to help!

image courtesy of rawpixel.com on Freepik
