by Lauren Hunter 02 Jan 2007

PBS and The New York Times reported in 2004 that the convenience of credit cards had become "critical to our famously compulsive economy." Trends indicate that credit cards may soon become critical to American church giving as well. An increasing number of congregations now accept credit card donations online.

Some churches are also accommodating their parishioners with a sort of ATM that accepts credit card donations in the church building. The "Giving Kiosk," at Stevens Creek Community Church in Augusta, Ga., reported an 18 percent increase in income last year after setting up  up the kiosk, according to Voice of America News.

That may be good news for Stevens Creek and other churches interested in upping the bottom line in donations, but there are some caveats that accompany credit card payments.

Specifically, churches should know how to protect their patrons from fraud, identity theft and financial liability. And if they are accepting credit cards churches must be Payment Card Industry (PCI) compliant.

The Payment Card Industry Security Standard, or PCI, is a set of rigid guidelines meant to protect cardholders from security breaches where they could be exposed to identity theft or payment fraud via stolen credit card or personal data. Congregation members making payments through a PCI-compliant establishment can be reassured that their bankcard account information will be secure under all circumstances. The PCI Data Security Standard regulates the security and business processes of service providers, merchants and churches that store, process or transmit consumer credit card data.

In an effort to increase security, credit card companies imposed new standards in 2006 to ease the growing concerns about possible identity theft and stolen cardholder information. Under the new PCI regulations, all merchants that accept credit cards are required to comply with requirements that call for the following security measures to be in place: 1) encrypted transmission of cardholder data, 2) periodic network scans, 3) logical and physical access controls, 4) activity monitoring and logging. The standard is intended to reduce fraud and identify security issues that could lead to the compromise of cardholder information. (Source: http://www.thewhir.com/features/king-pci.cfm)

To a church, these standards sound daunting, to say the least. On average, the process of undergoing PCI compliance can take a minimum of one to two years and cost thousands of dollars to hire PCI specialists to set up technology that meets all requirements. It’s just not feasible or logical for most churches, ministries or other nonprofits to go through this process. However, given the risks from hackers and the liabilities for failing to comply with security regulations, churches cannot afford to simply ignore the issue.

Instead of subjecting themselves to the rigors of PCI compliance, churches and nonprofits can choose to use a vendor that offers a PCI-compliant solution. As more service providers realize the need to comply with industry regulations, organizations that provide online payment services are becoming compliant to save their clients the hassle.

The list of PCI-compliant service providers is published by Visa USA at www.visa.com/cisp. When evaluating online payment services, make sure that you can seamlessly integrate them with your existing Web site. Also, look for a provider that accepts a variety of payment methods such as credit cards, debit cards, checks and even PayPal.

Another area that is often overlooked is reporting. Make sure that the service provider’s reports will enable your accounting staff to quickly and easily reconcile deposits to your bank account. Good reporting can save your staff several hours each day you process transactions. By working with an online payments provider that is PCI compliant, church staff and members can have peace of mind, knowing that the data is protected and the church won’t be liable to cover customer losses if there is a breach.

"Many organizations just don’t realize the risks involved in using a payments processor that is not compliant with PCI standards," comments Tim Whitehorn, CEO of ServiceU, a company specializing in providing TransactU software to manage online donations, online payments, and online event registrations for non-profit organizations, including churches. "The truth is that if you take online payments of any kind—be it ACH, debit card or credit card—you must be compliant."

By using a vendor such as ServiceU for online payments processing, the financial information is never captured on the church’s servers. The church never "sees" the financial data—only the money deposited into their accounts. Additionally, ServiceU assumes all responsibility for payment card security.

This is the model Southland Christian Church in Lexington, Ky., adopted when they began accepting virtual payments.

"We have greater peace of mind because we know that ServiceU has put all the proper payment security measures securely into place," says Becky Martin, e-Ministry Coordinator for Southland. Members and attenders can register and pay for church events and activities online with software that also initiates the accounting process for church staff.

"Our Finance Ministry loves the fact that the monies collected flow correctly into the right accounts," Martin says.

Whether a church develops a custom application to take payments online or outsources the processes to online service providers, the church is responsible for ensuring that cardholder information is protected according to industry guidelines.