Crowdfunding on Campus – Considerations for PCI

Article PCI DSS
Crowdfunding

 

Traditional fundraising methods are still prevalent on college campuses, but as people’s behaviors towards charitable giving have shifted, we have also seen several new approaches to fundraising develop. People are now spending a significant amount of time on their smartphones, consuming information on social media, websites, email, and more. Donors are selecting the communication channels they prefer, and that allows them more flexibility in deciding how they are contacted, and regarding what topics.

One new method of fundraising that has significantly increased over the past few years is crowdfunding. Crowdfunding is the practice of funding a project or campaign by soliciting relatively small donations of money from a large number of people, typically via the Internet.

Initially created by companies like Kickstarter and Indiegogo, crowdfunding began as a way to help small organizations launch new products and ideas, and allow consumers decide which products moved forward in the market through their personal, financial assistance. Now crowdfunding is used in many arenas, including higher education, to present donors with a wide range of projects and secure support for things like student travel opportunities, faculty/scientific research, alumni campaigns, etc. This type of approach makes it easy to present targeted messages and reminders to donors that grab their attention, and makes it even simpler for them to immediately contribute online. Often contributions may be broadcast on a social network to help increase visibility and make donating more of a “social activity”.

Many institutions have custom built portals that showcase various projects across campus and help engage the entire university, spread awareness about new events, and increase involvement from alumni. Recent statistics show that 50 percent of donors that come to crowdfunding are new contributors, and these social fundraising platforms are raising millions of dollars in donations. A 2016 Washington Post article highlighted one such campaign from a small liberal arts school in Massachusetts that was able to raise nearly $2 million in 2 days by ditching their usual campaign of phone calls and mailers and launching a crowdfunding website.

With regards to PCI compliance, we did want to share some basic guidance on what to evaluate before launching a crowdfunding campaign for your organization.

1) Thoroughly evaluate all third-party involvement

There are now a number of vendors that provide crowdfunding resources. If you are using a website or application that outsources all donor activity to a third-party, it is still important to verify that the entire process is PCI compliant. A breach of payment card data would likely devastate both your current campaign and future fundraising activities.

A common scenario is the use of one third-party website for promoting campaigns, sharing project details, gathering information, etc., but when it comes time for entering in the payment information, the cardholder is redirected to a third-party payment gateway or processor (like Stripe or PayPal). The initial third-party application will often not view themselves as acting as a PCI service provider, but the PCI Council recognizes that there is still risk inherent in web redirection models. The PCI Council defines service providers as those storing, processing, or transmitting cardholder data on behalf of another entity, or who could affect the security of another entity’s cardholder data environment. While a vendor may not be not storing, processing, or transmitting cardholder data on behalf of your institution, by administering the web redirection environment they are, by definition, affecting the security of your CDE. In other words, just because the web redirect function is outsourced, the risk does not disappear. The vendor is the entity administering the environment where this risk resides, and they should be managing this risk appropriately.

Before partnering with a third-party vendor in this manner, we recommend verifying the appropriate contract language is added to your agreement defining the PCI responsibilities of each party (per DSS Requirement 12.8.2). You should also request an Attestation of Compliance (AOC) annually from the third-party. They should be completing either a QSA-led Onsite Assessment (also known as a Report on Compliance, or ROC) or an SAQ D for Service Providers. In many cases, when requesting an AOC from a vendor in this type of situation, we have seen the vendor send back an SAQ A or SAQ A-EP, and not the appropriately completed AOC. Though their solution may be PCI compliant, your focus must remain on the potential impact to your PCI compliance so make sure you get the proper documentation. The best place to start is the PCI DSS, Requirements 12.8.1 through 12.8.5.

2) Monitor Activities on Campus

As with any payment card activity on campus, it is important to have policies and procedures in place defining the use of and controls around crowdfunding on campus. College-affiliated student and faculty organizations will conduct fundraising activities in order to finance events or to raise money for charitable causes, and will often not take into consideration the need for PCI compliance. As an institution, it is important that you require registered organizations to get pre-approval for all activities, noting the nature of the fundraising, documenting the vendor(s) involved and proposed solution, listing any university facilities or equipment that will be utilized, and how funds will be collected. Involve the appropriate parties, such as the PCI Team or Committee, so you can ensure all donations are being collected in a secure and PCI-compliant manner.

3) Provide Standardized Processes

Where possible, identify a limited number of crowdfunding options that have been vetted and approved by the PCI Team. Many colleges and universities have launched portals that showcase multiple projects across campus but there are other options as well. By providing a venue for different groups on campus to present their campaigns, you can be in control of the process and avoid random, unsecure activities popping up without your approval. Crowdfunding benefits the individual groups by bring their campaign to a larger audience. By providing them with a pre-approved, PCI-compliant solution that won’t negatively impact your PCI-compliance status is a win for everyone.

Does your campus support crowdfunding projects? If you have questions on how to ensure donations are handled in a secure and compliant manner, or are having trouble explaining the needs for an AOC from the vendor, please reach out to us.

Some additional guidance from our Security Advisor Team:

[King]: One of the most challenging aspects of managing PCI compliance with crowdfunding is creating an approval process that all departments are aware of and follow. Having an easy, understandable procedure established for departments seeking options allows a smoother adoption for all areas. Once a procedure is established, ensure department managers are notified of the new procedure and who to contact if they have questions. Consider including this information in hiring packets and annual training materials for key personnel, as well as posting on intranet or resource websites for staff.

Share

About the Author
Katie Johnson

Katie Johnson

PCIP

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.