Speaker 1:Hello and welcome back. We have got a really special deep dive today. Usually we're looking at the shiny stuff, you know, fundraising strategies, donor psychology, all the things that get the applause at the board meeting. But today, today we are going underground. We're looking at the plumbing, we're peeling back the curtain on the one thing that I think 99% of us just take for granted, the donate button.
Speaker 1:And more specifically, the terrifying reality of what happens when that button isn't as safe as you think it is.
Speaker 2:Welcome to this edition of Click and Pledge's Fundraising Command Center podcast, where we talk the why, the what, and the how in Click and Pledge's ecosystem. This is the why series.
Speaker 1:I am so glad we're framing this as the why series because the source material we have today, it poses a really uncomfortable question. Why do we assume we're safe? I mean, I think most nonprofit leaders, they operate with this kind of binary belief. I see a little padlock icon in the browser or, you know, I use a big name payment processor, therefore I am safe. It feels like once you sign the contract the worry should just disappear.
Speaker 2:That binary belief is probably the most dangerous thing in the industry right now. We call it security theater.
Speaker 1:Security theater. Okay. That sounds like something you'd see at an airport, but hearing it applied to my donation form is a little unsettling.
Speaker 2:It should be. It's the illusion of safety. It's the difference between actually being secure and just feeling secure because you checked a compliance box on a form five years ago, and that is really the thesis for our deep dive today. Donor trust is not a checkbox, it is infrastructure.
Speaker 1:Okay, let's unpack this. I can hear the listeners right now thinking, okay, hold on. I use a form builder. That form posts to Stripe or PayPal or some other massive billion dollar company. They have armies of security people.
Speaker 1:They have buildings full of servers. Aren't I safe simply because I'm using them? I mean, they're the experts. Right?
Speaker 2:That is the million dollar question. And the answer is, well, it's complicated. Yes, the gateway, Stripe for example, is incredibly secure. They are what we call PCI level one certified. They are Fort Knox. But relying on that alone gives you a false sense of security.
Speaker 2:To understand why we have to look at the road versus car analogy.
Speaker 1:Love a good analogy. Lay it on me. Road versus car.
Speaker 2:Okay. So imagine the payment gateway. The processor is the road. It is a beautiful, well paved, four lane highway. It has guardrails.
Speaker 2:It has lights. It's perfectly maintained. That's the secure gateway. Now, your nonprofit's website or the server where your donation form actually lives, that is the car.
Speaker 1:I think I see where this is going.
Speaker 2:Exactly. Just because the road is safe doesn't mean your car is safe. You could be driving a vehicle with bald tires, no brakes, and, you know, a leaking gas tank. If you drive that car onto a perfect highway, you are still gonna crash.
Speaker 2:The road cannot save a broken car.
Speaker 1:So in this scenario, what exactly are the bald tires? What does a broken car look like in digital terms? Because I think a lot of us assume the car comes with the road.
Speaker 2:And that's the misconception. The bald tires are a server with no security patches. Maybe it's running an old version of PHP that hasn't been supported in three years. Maybe there is no dedicated administrator watching the traffic logs. The reality is that intrusions rarely happen at the gateway level.
Speaker 2:Hackers don't usually try to break into the four lane highway. It's too hard. They break into the car. They attack the server environment where the donation form sits.
Speaker 1:That is a crucial distinction. So just outsourcing the payment processing doesn't actually outsource the risk.
Speaker 2:Not entirely. No. If you don't have a dedicated admin checking your tires, checking those server patches, and running monitoring, you are vulnerable. You are driving a dangerous vehicle and it doesn't matter how good the road is, you're still the one who's gonna crash.
Speaker 1:That puts a whole new spin on secure payments. But I wanna get technical for a minute here. Not too deep, but enough to understand the mechanism. If the money is going to the processor and I'm just hosting the form, how do they actually steal it? Where's the vulnerability?
Speaker 2:This brings us to a concept called e-skimming, or sometimes it's called payment page compromise. And to explain this, we have to go back to the TJ Maxx analogy. Do you remember that big TJ Maxx hack from years ago?
Speaker 1:Oh, vividly. Yeah. That was massive news.
Speaker 2:Right. So in that scenario, the bad guys didn't break into the bank vault. They didn't attack Visa directly. They put physical skimmers on the card machines at the store. They stole the data before it went through the wires to the bank.
Speaker 1:Right. So they caught it at the source, at the point of entry.
Speaker 2:Exactly. E-skimming is the digital version of that. In this case, the card machine is the donor's web browser, Chrome, Safari, whatever they're using to view your donation page.
Speaker 1:So the hacker isn't attacking the server database to steal old records, they're attacking the browser live.
Speaker 2:Yes. That's the ideal way for them. The hacker acts as a digital stowaway. Mhmm. They inject a malicious script, just a few lines of JavaScript code into the donation page.
Speaker 2:It sits there, invisible, doesn't break the page, doesn't change how it looks. But when a donor types in their credit card number, that script is recording the keystrokes.
Speaker 1:Wait. So this happens while they are typing?
Speaker 2:While they are typing. Before they even hit the submit button, before the data is encrypted and sent to the secure processor. The data is copied right out of the form field. It's like someone reading over your shoulder while you write a check, but they are completely invisible.
Speaker 1:That is incredibly unsettling. So all that encryption that happens after I hit submit, it's useless because they already have the raw number.
Speaker 2:Precisely. The data is already gone before the encryption protocol even kicks in. And this is why we say that using a secure processor isn't a total defense. The page itself, the environment where the donor is typing, must be defended.
Speaker 1:Okay, if the page itself needs defense, that's incredible. That sounds expensive. I know we see these terms thrown around, like PCI compliance. I see vendors all the time saying, we are PCI compliant, but based on what you're saying, that phrase might not mean what we think it means. Is there, like, a spectrum of compliance?
Speaker 2:There is a massive spectrum, and honestly this is where a lot of nonprofits get misled. We have to talk about the levels. There is a world of difference between PCI level four and PCI level one.
Speaker 1:Level four versus level one. Break it down for us. What are we looking at here?
Speaker 2:Okay. So level four is what we call the cup of coffee level.
Speaker 1:The cup of coffee level. That sounds minimal.
Speaker 2:It is. We call it that because you can finish the requirements in about the time it takes to drink a cup of coffee. It is a self assessment questionnaire. It's free. Often a small vendor will have an intern fill it out.
Speaker 2:They check some boxes saying yes we do this and they file it away. It relies entirely on claims not proof.
Speaker 1:Okay. So that's essentially the honor system. I promise I'm secure.
Speaker 2:Essentially. And to be fair, for very small merchants that might be allowed. But compare that to level one. Level one is an infrastructure level. It is a massive commitment.
Speaker 2:We are talking about an annual investment of $100,000 to over $250,000.
Speaker 1:Wow. Okay. Hold on. $250,000 a year? That is not a cup of coffee.
Speaker 1:That is a luxury car. What are you possibly buying for that amount of money?
Speaker 2:You're buying eyes on the glass. You aren't just paying for a certificate. Level one demands a full time dedicated network administrator. It requires monitoring twenty four hours a day, seven days a week. And I don't mean a computer program that sends an email if something crashes, I mean human beings watching the network traffic, and critically, it requires mandatory on-site audits by professionals.
Speaker 1:So you can't just grade your own homework anymore?
Speaker 2:No. An auditor physically comes to your location, sits in your server room, reviews your logs, interviews your staff, but there's another cost factor that people forget. A big chunk of that money goes to what we call ethical hackers.
Speaker 1:Oh, the good guys who act like bad guys.
Speaker 2:Exactly. To maintain level one status, you have to hire authorized researchers, ethical hackers, to launch simulated attacks on your own network. You are paying the smartest people you can find to try and break into your house so you can find the loose windows before the criminals do. That expertise is not cheap.
Speaker 1:That makes a lot of sense. If you aren't paying someone to find the holes, the real hackers will find them for free. But here's what I don't get. When must a vendor do this? Is it voluntary?
Speaker 2:This is the detail that catches so many software vendors off guard, and it's a huge trap for nonprofits choosing a vendor. Usually, merchants, like a standard retail store, don't have to hit level one until they process 6,000,000 transactions. It's a huge number.
Speaker 1:Right. So a small start up making a donation plugin thinks, we're nowhere near 6,000,000 transactions, we're fine.
Speaker 2:Exactly. They think they have years. But here is the catch. If you are a service provider, meaning you are providing the software that others use to process donations, the threshold drops dramatically. It kicks in at only 300,000 transactions.
Speaker 1:300,000. That is a much lower bar. That's not actually that many donations if you have a few hundred clients.
Speaker 2:It is a significantly lower bar, and once a platform hits that, they are legally and ethically obligated to step up to that level one infrastructure. But many stay at the cup of coffee level because level one is just too expensive to maintain. They fly under the radar.
Speaker 1:So as a nonprofit, if I'm shopping for a vendor, I need to be asking, are you level one? Not just, are you compliant?
Speaker 2:Exactly. Compliant can mean level four. You want level one. You want the infrastructure, not just the paperwork.
Speaker 1:Okay, I want to pivot to another acronym I keep seeing: SOC two. What is SOC two?
Speaker 2:SOC two stands for System and Organization Controls. It was developed by the AICPA. While PCI is focused strictly on credit card data, protecting the money, SOC two is broader. It addresses security, availability, and privacy over a period of time. It's a holistic health check for the organization.
Speaker 1:So PCI is "the vault is safe" and SOC two is "the bank is reliable."
Speaker 2:That's a good way to put it. But just like with PCI, there is a trap here. You have SOC two type one and SOC two type two. And the difference is night and day.
Speaker 1:Type one and type two. Explain the difference without making my eyes glaze over.
Speaker 2:I like to use the gym membership analogy here. It clarifies the intent versus the action.
Speaker 1:I'm ready.
Speaker 2:SOC two type one is like buying a gym membership on January 1. It shows intent. You have the card in your wallet. It proves that at a specific point in time, you signed up.
Speaker 2:You intended to be healthy.
Speaker 1:Okay. So I have the card, but I might be sitting on the couch eating pizza while the card is in my pocket.
Speaker 2:Exactly. You proved you designed the system, but you haven't proved you use it. That's type one. It's a snapshot. Now SOC two type two.
Speaker 2:That is proving you actually went to the gym every single day for six to twelve months.
Speaker 1:So the auditor's checking the sign in log.
Speaker 2:They are checking everything. Type two proves practice. It proves effective operation. The auditor comes in and says, show me the logs from Tuesday, March 12. Show me that you actually did the monitoring you said you would do.
Speaker 1:That is a huge difference. One is a promise, the other is proof.
Speaker 2:Correct. And for a nonprofit, you need a vendor who actually goes to the gym. You need SOC two type two. Because if something goes wrong, you don't want to tell your board, well, they had a membership card.
Speaker 1:That leads perfectly into what we're protecting. We've talked a lot about credit cards, but the source material brings up a really interesting point about P2.
Speaker 2:P2. That is our shorthand for PII or Personal Identifiable Information.
Speaker 1:Right. Names, addresses, giving history. The expert notes say something really profound here. A card incident is a financial event. A donor list incident is a relationship event.
Speaker 1:I want to double click on that. Why is that so important?
Speaker 2:This is critical for every executive director listening. If a credit card number is stolen, it's a hassle, sure. But the bank cancels the card, they reissue it, and they usually reimburse the fraud. It's a financial transaction. You can fix it.
Speaker 2:It's math.
Speaker 1:Right. It's annoying, but it's solvable.
Speaker 2:But P2, donor data. You cannot reissue trust. If a nonprofit loses a list of their major donors, their names, their home addresses, how much they gave, that is... You cannot call the bank and get a new reputation.
Speaker 1:And that data is used for what? I assume it's not just to see who donated to the local animal shelter.
Speaker 2:No. Criminals use that data to craft highly targeted phishing emails. They know exactly who the donor is, they know they support your cause, they know how much they usually give, they can impersonate the nonprofit with terrifying accuracy.
Speaker 1:And if that happens, the nonprofit is the one who has to break the news.
Speaker 2:Yes. You have to email your donors and say, we exposed you.
Speaker 1:That is the nightmare scenario.
Speaker 2:It is. Donors rarely forgive silence or vague answers. That is why we say you are not just securing data, you are securing the relationship.
Speaker 1:So, we have the road versus car, we have the digital stowaway, we have the gym membership. It's a lot. If I am a nonprofit leader or a board member, what do I actually do with this? I can't become a cybersecurity expert overnight.
Speaker 2:No, and you shouldn't have to be. But you do need to move from what we call tier zero to tier two or three in your vendor selection.
Speaker 1:Define tier zero for me.
Speaker 2:Tier zero is believing the marketing claims. It's reading the website where it says secure and trusted and just leaving it at that. It's willful ignorance. You need to move to demanding evidence.
Speaker 1:Okay. So give me the script. I'm sitting across from a software vendor. What do I ask to make sure I'm not buying a car with bald tires?
Speaker 2:First, do not just ask, are you compliant? That gives them too much wiggle room. Ask specifically, do you have a current SOC two type two report?
Speaker 1:Type two. Got it. And if they say, we're working on it or we have type one.
Speaker 2:Then they are not ready for your data. Working on it doesn't stop hackers. Second, ask them, how do you defend against payment page tampering and e-skimming?
Speaker 1:That's a technical question.
Speaker 2:It is. But watch their reaction. If they look confused or if they just say, oh, we use Stripe so it's safe, that is a red flag. Yeah. It tells you they don't understand the road versus car concept.
Speaker 2:They should be able to talk about script monitoring.
Speaker 1:That goes back to checking the tires.
Speaker 2:Exactly. And finally ask, do you have monitoring twenty four hours a day, seven days a week? And listen for the nuance. Is it an automated alert? Or is there a team watching the wall?
Speaker 1:Because bad guys don't work nine to five.
Speaker 2:They absolutely do not. In fact, most attacks happen on holidays or weekends specifically because they hope no one is watching. The goal here for a nonprofit is to become what we call a hard target.
Speaker 1:A hard target. I like that.
Speaker 2:Look. You can't control the threat landscape. There are always going to be hackers. You cannot stop the rain from falling. But you can control whether you are the house with the unlocked door or the fortress with the alarm system.
Speaker 2:You want to be too much trouble to bother with.
Speaker 1:That is a really empowering way to look at it. It's not about being perfect. It's about being prepared.
Speaker 2:Exactly. It's about stewardship. We talk about stewardship all the time in fundraising, stewarding the money. But we must also steward the trust they place in us when they hand over that data.
Speaker 1:I think that is the perfect place to wrap this up. We have covered so much ground today. We moved from the road versus car, understanding that a safe gateway doesn't save a vulnerable server. We looked at the gym membership of SOC two, realizing we need proof of practice, not just intent, and ultimately we landed on the fact that protecting P2 is about protecting the relationship itself.
Speaker 2:It really is, and if I could leave the listener with one final thought, it would be this. If you had to email your donors tomorrow, literally tomorrow morning, to tell them their data was exposed, would you still be comfortable with the vendor choices you have right now? Security isn't a tech feature, it's stewardship.
Speaker 1:That is a heavy question, but one we all need to ask. Thank you so much for breaking this down for us. This wasn't just about plumbing, it was about integrity. For more information about this and all Click and Pledge products, make sure to visit clickandpledge.com and request a one on one training or demo. Don't forget to subscribe to stay up to date with the Fundraising Command Center.