FundSvcs Community


Accepting credit card payments by mail and PCI Compliance

  • 1.  Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 06:36 AM
    I am not sure how accepting credit cards by mail would be a part of any PCI compliance scope. The issue is more of the security of the credit card numbers handling once they are received in the office.

    --
    Dave Woodley, Director Information Services
    University of Alaska Foundation
    Adjunct Instructor of History
    University of Alaska Anchorage


  • 2.  Re: Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 07:15 AM
    I also would not rely too much on third party sources other than your QSA. The PCI DSS group spells out pretty clearly what the rules are for handling physical credit card numbers.

    https://www.pcisecuritystandards.org/pci_security/

    Dave Woodley, Director
    *Unlock * Share * Connect*
    Advancement Information Services
    University of Alaska Foundation
    Adjunct Instructor of History
    University of Alaska Anchorage


  • 3.  Re: Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 10:31 AM
    It is possible to accept credit card payments by mail in a PCI compliant fashion, and it's easier to do so when those payments are all sequestered with an outsource lockbox/caging service. However, your lockbox may not be PCI compliant for mail-order transactions.

    I like this article for a good examination of what a compliant processing looks like for mail-order transactions - which donations qualify as for this purpose:
    https://www.bankinfosecurity.com/blogs/qsas-view-on-pci-compliance-for-mail-orders-p-656

    Thank you,
    Isaac Shalev
    CRM Expert
    Sage70, Inc.
    (917) 859-0151
    isaac@sage70.com

    Schedule a *30-minute consultation* now: https://calendly.com/sage70/30min


  • 4.  Re: Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 10:33 AM
    We have gotten more and more concerns about receiving credit card payments in the mail. I'm not 100% comfortable with it either, but I know we need to give as many avenues as possible for donors to make a gift. We recently took that option of writing in a credit card number off of a couple of our giving forms. I am pushing to remove it from our appeals, but I know that not everyone will go to the website instead, which is the preferred method of accepting this information.

    You always have to destroy the reply device with the credit card information. Always.

    Dariel


  • 5.  Re: Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 10:36 AM
    As you will continue to hear, a great many organizations do accept credit card donations by mail. What you may not be hearing is that doing so *does not violate PCI regulations.* Mailing credit card information is not the PCI issue. It is what you do with the credit card information once it arrives.

    The key to PCI compliance is to have the opened mail in a safe and secure environment where the credit card information cannot be observed other than by the staff processing the card. The card information must then immediately be destroyed or eradicated. As long as you can meet those requirements, your mailed-in card information will be compliant.

    John

    John H. Taylor
    Principal, John H. Taylor Consulting
    2604 Sevier St.
    Durham, NC 27705
    johntaylorconsulting@gmail.com
    919.816.5903 (cell/text)
    Serving the Advancement Community Since 1987


  • 6.  Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 02:13 PM
    Currently, my organization does not accept credit card payments via the mail or any other means except online. Our CFO says it's not PCI compliant to accept credit card payments via our lockbox. But I've worked at four previous institutions who all accepted credit card payments via the mail. Does anyone have any additional background on this issue that they could share? I'm particularly interested if you do accept credit card payments via the mail and how you may have addressed any PCI compliant concerns.

    Thank you,
    Stephanie

    Stephanie Carper | Development Manager, Major and Planned Gifts
    Ronald McDonald House Charities, Inc.
    110 N. Carpenter St, Chicago, IL 60607-2101
    Cell: 312.520.8370
    stephanie.carper@us.mcd.com | www.rmhc.org


  • 7.  Re: Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 02:15 PM
    We accept credit card payments via the mail. As soon as the gift is processed, all credit card info is destroyed.

    Karen L. Wilmoth '83
    Institutional Advancement Consultant
    Halliehurst, 2nd Floor
    100 Campus Drive
    Elkins, WV 26241
    (304) 637-1374
    www.dewv.edu
    Our mission: To prepare and inspire students for success and for thoughtful engagement in the world.


  • 8.  Re: Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 02:20 PM
    This is our practice as well.

    Michael Halverson, Ed.D.
    Senior Director of Advancement Services
    Loyola University Chicago
    T. 312-915-7283 | C. 320-363-4987
    mhalverson@luc.edu | www.luc.edu/advancement


  • 9.  Re: Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 03:07 PM
    It depends on how your organization has set up its network. If your org/institution does not want its entire network to be in scope of PCI-DSS or it does not wish to segregate portions of its network in order to reduce that scope, what John describes may not be enough to keep you compliant.

    If at any point during data entry credit card information is traversing your organization’s network, then that entire network comes into scope, and that is what compliance officers (guessing this is your CFO) are looking at when determining whether your process is compliant or not. Most of them don’t wish to (cannot afford to) secure the entire network to the levels required by PCI-DSS or go through the more extensive questionnaire to certify compliance.

    Marijana Radić Boone ’01, MPA ’03
    Executive Director, Advancement Services
    College of Charleston
    66 George Street
    Charleston, S.C. 29424
    843.953.5647 (o)
    843.640.9135 (c)


  • 10.  Re: Accepting credit card payments by mail and PCI Compliance

    Posted 07-30-2019 04:01 PM
    Stephanie,

    As mentioned in prior responses, as long as you properly safeguard the credit card data once you receive it there should be no problem. I'll also add that if you accept credit card payments to your lockbox and the bank offers a service where they charge the cards then PCI compliance is their responsibility and not yours since they are receiving and processing the charges and the institution has no access to credit card information. We currently use this type of service.

    Regards,
    Karin Carrero
    Director of Gift Processing
    DePaul University