Hi AASP community,I'm new here but excited to learn from this group.I'm developing my organization's PCI Compliance Staff Training Manual to meet our obligations with Braintree, our payment processor for our online donation platform. We qualify as SAQ A, like many nonprofits (Self Assessment Questionnaire A = we don't electronically store, process, or transmit any cardholder data ourselves, rely entirely upon third parties to handle these functions.)I am stuck on the requirement to develop an "incidence response plan in the event that cardholder data has been compromised." We never have access to a whole credit card number, but I'm guessing this is supposed to refer to other pieces of information like a donor's name or address. Does anyone have advice on developing an appropriate response plan for a data breach for SAQ A?Thanks!
You **never** have a donor email you a credit card number? Wow! Lucky!
Aaron Forrest CPA
Senior Director Gift and Donor Services
University of Rochester Office of Advancement
585.275.2799 | firstname.lastname@example.org