FundSvcs Community


PCI Compliance -- "response plan for data breach"

  • 1.  PCI Compliance -- "response plan for data breach"

    Posted 23 days ago

    Hi AASP community,

    I'm new here but excited to learn from this group.

    I'm developing my organization's PCI Compliance Staff Training Manual to meet our obligations with Braintree, our payment processor for our online donation platform. We qualify as SAQ A, like many nonprofits (Self-Assessment Questionnaire A = we don't electronically store, process, or transmit any cardholder data ourselves, and rely entirely upon third parties to handle these functions).

    I am stuck on the requirement to develop an "incident response plan in the event that cardholder data has been compromised." We never have access to a whole credit card number, but I'm guessing this is supposed to refer to other pieces of information like a donor's name or address. Does anyone have advice on developing an appropriate response plan for a data breach for SAQ A?

    Thanks!

    Leslie



    ------------------------------
    Leslie Proudfoot
    Philanthropy Operations Manager
    GRID Alternatives
    lproudfoot@gridalternatives.org
    ------------------------------


  • 2.  RE: PCI Compliance -- "response plan for data breach"

    Posted 19 days ago

    You **never** have a donor email you a credit card number? Wow! Lucky!

    Aaron Forrest CPA

    Senior Director Gift and Donor Services

    University of Rochester Office of Advancement

    585.275.2799 | aaron.forrest@rochester.edu


  • 3.  RE: PCI Compliance -- "response plan for data breach"

    Posted 19 days ago

    Hi Leslie,

    Firstly, you will want to check with your IT folks about existing incident response plans they may already have in place for data breaches, so your PCI response plan aligns with those. Here's an example of a short PCI policy that leverages existing policies:

    A more self-contained policy can be seen here: https://www.vhcc.edu/home/showdocument?id=7109



    Thank you,
    Isaac Shalev
    Data Strategy Expert
    Sage70, Inc.
    (917) 859-0151
    isaac@sage70.com
