FundSvcs Community


PCI Compliance -- "response plan for data breach"

  • 1.  PCI Compliance -- "response plan for data breach"

    Posted 07-22-2022 01:44 PM

    Hi AASP community,

    I'm new here but excited to learn from this group.

    I'm developing my organization's PCI Compliance Staff Training Manual to meet our obligations with Braintree, our payment processor for our online donation platform. We qualify as SAQ A, like many nonprofits (Self-Assessment Questionnaire A = we don't electronically store, process, or transmit any cardholder data ourselves, and rely entirely upon third parties to handle these functions).

    I am stuck on the requirement to develop an "incident response plan in the event that cardholder data has been compromised." We never have access to a whole credit card number, but I'm guessing this is supposed to refer to other pieces of information like a donor's name or address. Does anyone have advice on developing an appropriate response plan for a data breach for SAQ A?



    Leslie Proudfoot
    Philanthropy Operations Manager
    GRID Alternatives

  • 2.  RE: PCI Compliance -- "response plan for data breach"

    Posted 07-25-2022 06:02 PM

    You **never** have a donor email you a credit card number? Wow! Lucky!



    Aaron Forrest CPA

    Senior Director Gift and Donor Services

    University of Rochester Office of Advancement

    585.275.2799


  • 3.  RE: PCI Compliance -- "response plan for data breach"

    Posted 07-26-2022 10:46 AM
    Hi Leslie,

    Firstly, you will want to check with your IT folks about existing incident response plans they may already have in place for data breaches, so your PCI response plan aligns with those. Here's an example of a short PCI policy that leverages existing policies:

    A more self-contained policy can be seen here:

    Thank you,
    Isaac Shalev
    Data Strategy Expert
    Sage70, Inc.
    (917) 859-0151

    Schedule a 30-minute consultation now: