Internal Controls & PCI Compliance
by Mary Stange – SJFS Client Advisor
We are continuing our review of the importance of internal controls and key processes in church finances. One Catch-22 of living in an advanced technological society is that the guidelines around data security are always being updated and improved. A positive side is that third parties exist that can process transactions and protect cardholder data on your behalf. These third parties are held to a standard known as PCI compliance (the Payment Card Industry Data Security Standard, PCI DSS). Understanding these guidelines can equip you to make the best decisions when choosing third-party vendors to work with, since businesses that are out of compliance may face penalties.
Basics:
- Point-of-sale systems and software should be regularly updated.
- Cardholder information may not be stored locally in any way.
- Cardholder information should be protected with point-to-point encryption. (Check that your credit card swiper supports it.)
- Robust passwords should be in use.
- Firewalls need to be on all computers as well as your internal network.
- Your network should be secure and actively maintained.
- Employees should be educated on how to protect cardholder data and policies should be in place to support this.
Four Levels:
There are four levels of PCI Compliance.
- PCI Level 1: Processing over 6 million transactions per year.
- PCI Level 2: Processing 1-6 million transactions per year.
- PCI Level 3: Processing 20,000-1 million transactions per year.
- PCI Level 4: Processing fewer than 20,000 transactions per year.
Each level is required to complete an annual compliance report or self-assessment questionnaire. This is backed up by quarterly network scans and the completion of an attestation form declaring compliance.