Globalgood Corporation

At Global Good Corporation, we are a team of passionate individuals with the vision to build a stronger society by helping people regardless of race, gender, ability to pay, economic background, or religion.

Donation is the key to unlocking happiness. Donate more to help build a stronger economy.

Payment Card Industry Data Security Standard (PCI DSS) Rules for Fundraisers

Compliance & Transparency for Fundraisers – Key Statutes and Standards You Must Know

1. Purpose

This policy ensures that Globalgood Corporation (“Globalgood”) and all associated fundraisers process payment‑card data in full compliance with the Payment Card Industry Data Security Standard (PCI DSS v4.0). It mandates the exclusive use of Globalgood’s approved payment gateway and prohibits fundraisers from storing or handling cardholder data (CHD) outside that gateway in any form, encrypted or not, thereby safeguarding donors and preserving Globalgood’s merchant privileges.

2. Scope

Applies to:

  • Existing Fundraisers—employees, volunteers, contractors, and partner organizations soliciting credit/debit‑card donations.
  • Prospective Fundraisers seeking authorization.
  • All channels that capture card payments (webforms, mobile apps, phone pledges, point‑of‑donation kiosks).

3. Key PCI DSS Requirements for Fundraisers

Each PCI DSS requirement below is paired with the operational rule fundraisers must follow.

  • Req 3 (Protect Stored Cardholder Data): Never store full Primary Account Numbers (PANs), expiration dates, CVV2/CVC2 codes, PINs, or magnetic‑stripe/chip track data in spreadsheets, notes, e‑mail, or the CRM. Store only the tokenized reference returned by the gateway. PCI DSS permits a stored PAN only when it is rendered unreadable and never permits CVV2 or track data to be retained after authorization; Globalgood takes the stricter position that fundraisers store neither.
  • Req 4 (Encrypt Transmission): Every page or endpoint that collects card data is served over TLS 1.2 or later with strong cipher suites; SSL and TLS 1.0/1.1 are disabled.
  • Req 6 (Develop and Maintain Secure Systems): Use only Globalgood‑approved plugins and payment SDKs; apply security patches within 30 days of release.
  • Req 8 (Identify and Authenticate Access): Unique credentials for each user and multi‑factor authentication (MFA) on all gateway portals. Volunteers receive no direct gateway login.
  • Req 9 (Restrict Physical Access): No handwritten cardholder slips; shredders available at events; locked cash drop boxes.
  • Req 10 (Log and Monitor Access): The gateway maintains audit logs; fundraisers must not disable or alter logging.
  • Req 12 (Support the Information Security Policy): Annual PCI security awareness training for all fundraisers.

4. Approved Payment Gateway

  • Gateway Name: [Insert vendor – e.g., Stripe, Authorize.Net, Worldpay]
  • Integration Method: A hosted payment page or gateway‑served iFrame in which the donor’s browser sends card data directly to the gateway, so no PAN passes through Globalgood servers. The Globalgood page that embeds the iFrame still remains in scope: under PCI DSS v4.0 the scripts loaded on a payment page must be inventoried, authorized and integrity‑checked (Req 6.4.3) and the page monitored for unauthorized changes (Req 11.6.1).
  • Gateway PCI Level: Level 1 Service Provider, validated annually by an independent Qualified Security Assessor (QSA); Finance holds the gateway’s current Attestation of Compliance (AOC).

5. Prohibited Practices

  1. Manual Entry of Card Data into Spreadsheets or Paper Notes—strictly forbidden.
  2. Emailing or Messaging PANs or CVVs.
  3. Photographing card fronts/backs.
  4. Recording card data on voicemail or call logs (use secure IVR hand‑off where available).
  5. Retaining printed batch slips beyond reconciliation (shred immediately after).

Violations trigger immediate incident response and disciplinary action.
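As an added example (not part of Globalgood’s policy or tooling), the following Python script shows how the “no PANs in spreadsheets, notes or CRM” rule in Req 3 and item 1 of this section can be checked mechanically rather than only stated: it scans exported text for digit runs that pass the Luhn checksum and carry a card‑brand prefix, and reports hits masked to first‑six/last‑four so the report itself never becomes stored cardholder data. The sample records, the token string and the brand prefix table are constructed assumptions; the card numbers are the standard test numbers payment gateways publish for sandbox use, not real accounts.

```python
"""Find stored PANs in free-text records (CRM notes, spreadsheet exports,
call logs) so the Req 3 / Section 5 prohibition can be verified.

Added example for this page, not Globalgood code. SAMPLE_RECORDS is
constructed; its card numbers are gateway-published sandbox test numbers,
not real accounts. The brand prefix table is a simplified assumption, not
an authoritative BIN list.
"""
import re
from typing import Dict, List, Tuple

# A run of 13-19 digits, optionally separated by single spaces or hyphens
# the way people type card numbers, and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Leading digits per brand (assumption: enough for triage; a production DLP
# rule would use the brands' current BIN ranges).
_BRAND_PREFIXES = {
    "visa": ("4",),
    "mastercard": tuple(str(n) for n in range(51, 56))
                  + tuple(str(n) for n in range(2221, 2721)),
    "amex": ("34", "37"),
    "discover": ("6011", "65"),
}


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn checksum: every second digit from the right is
    doubled (minus 9 if the result exceeds 9); the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Map the leading digits to a card brand, or 'unknown'."""
    for brand, prefixes in _BRAND_PREFIXES.items():
        if digits.startswith(prefixes):
            return brand
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS
    permits to be displayed; the report must never carry the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return masked findings for every Luhn-valid, brand-prefixed digit run."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue                      # mistyped number or unrelated ID
        brand = brand_of(digits)
        if brand == "unknown":
            continue                      # Luhn-valid but no card prefix, e.g. an order ID
        findings.append({"brand": brand, "masked": mask_pan(digits),
                         "length": len(digits), "offset": m.start()})
    return findings


def scan_records(records: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Scan (record_id, text) pairs; each finding names the record to purge."""
    results = []
    for record_id, text in records:
        for f in find_pans(text):
            results.append({"record": record_id, **f})
    return results


# Constructed CRM export. Card numbers are public sandbox test numbers; the
# token string is a made-up placeholder for a gateway token reference.
SAMPLE_RECORDS = [
    ("crm-1021", "Pledge call: card 4111 1111 1111 1111 exp 12/27 cvv 123, $250"),
    ("crm-1022", "Donor prefers mail; phone +1 614-829-5030"),
    ("crm-1023", "Mastercard on file 5555555555554444, run monthly"),
    ("crm-1024", "AMEX 3782 822463 10005 declined, retry next week"),
    ("crm-1025", "Typo in number 4111111111111112, asked donor to re-enter"),
    ("crm-1026", "Gateway token tok_7Fk2pQ9s donation ID 7992739871300008"),
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(f"{hit['record']}: {hit['brand']} {hit['masked']} at offset {hit['offset']}")
```

Run against a CRM or spreadsheet export and purge every record named in the output. The last two sample records show the two guards: a number that fails Luhn is dropped as a typo or unrelated identifier, and a Luhn‑valid donation ID without a card‑brand prefix is ignored; the price of that second guard is that brands missing from the prefix table are not reported.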

6. Event & Field Fundraising Procedures

  • Use only the encrypted card readers supplied by Finance, which belong to a PCI‑listed Point‑to‑Point Encryption (P2PE) solution.
  • Confirm a cellular or Wi‑Fi connection to the gateway before accepting a payment.
  • If the gateway connection fails, collect the donor’s contact details only and follow up with a secure payment link; do not take card details by any other means.

7. Incident Response

  1. Suspected Data Exposure → Notify security@globalgoodcorp.org within 15 minutes.
  2. The Compliance Office notifies the acquiring bank and, where the acquirer or card brands require it, engages a PCI Forensic Investigator (PFI) from the PCI SSC‑listed firms.
  3. Contain the breach, preserve logs and affected systems unaltered for the investigation, and coordinate with the acquiring bank and card brands.
  4. Notify affected donors per card‑brand rules and applicable breach‑notification laws.

8. Roles & Responsibilities

Each role is paired with its PCI DSS responsibilities.

  • Fundraisers / Volunteers: Use gateway links and Finance‑issued devices; never write down card numbers; complete annual PCI training.
  • Finance Department: Maintain the merchant account; reconcile gateway tokens to donations; obtain and retain the gateway’s current Attestation of Compliance (AOC).
  • IT Security: Oversee technical PCI controls, including TLS certificates, vulnerability scans, and penetration tests.
  • Chief Compliance Officer: Approve third‑party service providers; ensure the applicable Self‑Assessment Questionnaire (SAQ A for fully hosted or iFrame integrations, or whichever SAQ the integration requires) is completed annually.
  • Third‑Party Processors: Provide a PCI Level 1 AOC; adhere to the Data Protection Addendum; keep logging enabled.

9. Training & Awareness

  • PCI DSS Security Awareness Course—must be completed within 30 days of onboarding and yearly.
  • Quarterly security reminders and phishing simulations.

10. Record‑Keeping & Retention

Each record type is listed with its retention period.

  • Tokenized transaction data: 7 years (aligns with audit requirements)
  • PCI compliance reports (SAQ, AOC, scans): 3 years
  • Incident and breach logs: 7 years

11. Non‑Compliance & Penalties

  • Internal disciplinary measures, up to termination.
  • Card‑brand fines (up to $100,000 per month).
  • Suspension of Globalgood’s merchant privileges.
  • Reputational damage and donor trust loss.

12. Review & Amendment

Reviewed annually or upon PCI DSS version update. Approved by the Chief Compliance Officer and published under Legal Policies and Notices on globalgoodcorp.org.

13. Contact Information

Globalgood Compliance Office
Email: security@globalgoodcorp.org
Phone: +1 614‑829‑5030
Mail: 7211 Charleton Ct., Canal Winchester, OH 43110, USA

Disclaimer

This policy is provided for informational purposes only and does not constitute legal or technical advice. Fundraisers should consult qualified professionals for PCI DSS implementation details.
