In addition to our Planning Center Security Practices and Procedures, we take some extra precautions for Giving. Access to Giving requires a specific permission, and we record each change made in the system logs.
Like any merchant that handles credit card payments, Planning Center must comply with the Payment Card Industry Data Security Standard (PCI DSS, or PCI for short). Planning Center is a Level One compliant merchant. Our Attestation of Compliance documentation is available upon request at firstname.lastname@example.org.
In practice, we go well beyond what basic security frameworks require. For example:
Instead of the scheduled, narrowly scoped penetration testing required by these security frameworks, we conduct ongoing penetration testing through HackerOne's open bounty program.
We use local two-factor authentication (hardware keys, fingerprint scanners, etc.) for any employee accessing customer data in the course of providing customer support.
Although the General Data Protection Regulation (GDPR) applies only to customers within the EU, we hold to this standard for all customers even though 95% of them are in the US.
Planning Center has an overarching permission, the Organization Administrator, which has access to all applications. However, the Organization Administrator does not have access to Giving by default because Giving access is more tightly controlled. Even an Organization Administrator needs to be given permission to access Giving.
The user roles in Giving include:
Giving Administrator: Controls all parts of Giving, including the permissions of all users and system settings. The person who sets up the Giving account is the first Administrator. Only a few people in your organization should have this level of control.
Bookkeeper: Can access nearly all parts of Giving, but can't edit funds or pledge campaigns. Bookkeepers can view, but not modify, system settings and the permissions of other users.
Counter: Limited access to allow entering check and cash donations in batches. Counters can't commit batches, view full donor profiles, access reports, or access anything outside of the batches they have created.
Reviewer: Limited access role for reviewing the dashboard reports and pledge campaign progress. Reviewers have no editing capability of any kind and no access to donor profiles or history.
In order to have access to Giving, a person must be added by a Giving Administrator. When a new Giving user is added, all Giving Administrators are emailed about the change. When someone's Giving access is revoked, they have to be added back by a current Administrator, even if they're the one who originally set up the account.