In an increasingly paperless world, electronic data security has moved quickly up the public agenda. Almost every business now holds confidential customer information, and charity shops are no different. There is a real and growing risk of data breaches, which can cost customer relationships, damage reputations, and incur hefty fines. Charity shops which take payment by card are especially vulnerable, and new data shows that card turnover at these shops is on the rise.
Our card payments index has found that, in the second quarter of this year, the average card turnover at charity shops was £1042, up 224 per cent on the same period the year before. With more and more people using card than ever before, this trend is set to continue. This year a YouGov poll found that, while 48% of the UK populations carry £15 or less in cash, 93% carry a credit or debit card.
Growing volumes of card payments are good news for charity shops, but shop owners must be aware of the responsibility they have over customers’ financial details. Luckily, major players in the card payment industry have developed a set of regulations designed to protect both customers and the shops themselves.
The payment card industry data security standard, (PCI for short) regulates the payment card data security process. PCI, first introduced in 2006, provides merchants with guidelines on how to prevent, detect and react to security breaches. PCI compliance is designed to provide merchants’ customers with the comfort that their data is protected. In 2011 a survey revealed that PCI compliant businesses are less likely to experience data breaches. However, it also showed that 85% of businesses experienced a data breach in 2011.
While the industry has run high-profile campaigns to educate businesses as to the requirements, some, particularly smaller merchants like charity shops, still find PCI compliance difficult to understand. Many of the letters of explanation sent by card services providers are full of incomprehensible jargon and make compliance seem complicated, when in fact, it is very straightforward.
Why PCI Compliance?
Quite simply, charity shops need to understand that every time they take a card payment, personal data is captured and processed. This could be subject to fraud if not held securely which can be costly for both the shop and its customers.
How to become compliant
Some charity shops avoid PCI compliance due to the perceived time and expense it entails. In reality, becoming compliant can be very easy. Charities need to demonstrate their compliance by being certified by an independent Quality Security Assessor (QSA), and this certification should be renewed annually. Charities which take online donations may also be asked to undergo a vulnerability scan. This requires them to log into a website which will assess whether there are any holes in their security that need to resolving. The length of time taken to achieve compliance will vary according to the number of security threats revealed by the scan.
How much will it cost?
Charges are difficult to predict. They depend on factors including the number of annually processed transactions and existing IT infrastructure. Online and telephone order charities can generally expect to pay more than face to face retailers.
How do I prepare my charity shop?
Charity shop owners can also ease the process of compliance by ensuring basic security is in place when handling card transactions. They should, for example, use regularly updated anti-virus software, train their staff on security issues and properly secure any media that holds personal data.
What if I don’t comply?
If charities avoid PCI, the cost, in terms of time and money, could be detrimental. Shops breaching data security face significant fines, extensive legal fees and long-term damage to the reputation of their business. And, while PCI DSS is not a legal requirement, non-compliant charities can have the right to handle card transactions withdrawn.
Charity shops shouldn’t feel alone in PCI compliance. Seeking out a card services provider that will help with the administration is a valuable first step. The best will provide support, taking you through the set up process, and will work hard to minimise costs. It is important remember that PCI is no longer a choice. Large businesses might recover from the effects of a security breach, but for small charity shops, the consequences can be crippling.
Clive Kahn, CEO, CardSave
CardSave was formed in 1995 by an independent retailer frustrated by the high costs of credit and debit card processing. Today CardSave is a member of the WorldPay Group, Europe’s largest card processor and has more than 55,000 members operating across a multitude of business sectors, with thousands more joining each month.
Taking the pain and costs out of accepting cards, CardSave prides itself on delivering a personalised and professional service to independent businesses and start-ups. Providing individually tailored cost-effective payment solutions, its customers have the option of taking card payments through both physical terminals and online gateways. CardSave makes card processing easy for retail Chip & PIN, mail, telephone and online payments.
CardSave is headquartered in Grimsby, North-East Lincolnshire.
Get free email updates
Keep up to date with fundraising news, ideas and inspiration with a weekly or daily email. [Privacy]