If your church donation envelopes have a space for donors to write down their credit card numbers, debit card numbers, or bank account information, this article is for you.
What's so bad about collecting handwritten credit card info?
1. It's not secure.
Having donors write their full card number, expiration date, and CVV code on an envelope is effectively like handing over a copy of their card. In the past few years there have been growing concerns about credit card fraud. Security breaches involving cardholder data have been widely publicized and are becoming more and more common. It's particularly risky for debit cards, since real, irrecoverable money can be stolen from a donor if the number leaks.
2. It's not compliant.
If you handle donor credit cards, VISA, MasterCard, and American Express require that you do so in a PCI-compliant way. If your donors use the online donor interface in PCO Giving to donate, your church is able to take credit card donations without handling the credit cards themselves. In fact, PCO Giving doesn't even store them. They go straight to Stripe - a fully PCI-compliant payment processor. When you take down credit cards on paper, you enter a world of compliance concerns. How long you store that paper, the paper's chain of custody, and even the type of shredder that can be used to destroy it are all things you have to start worrying about.
3. It discourages giving.
Here are two major trends happening in the charitable giving world. First, people are using credit and debit cards to donate a lot more than cash and checks. Many donors just don't carry checkbooks and cash around. Second, people are becoming increasingly aware that identity theft and credit card fraud are legitimate concerns in today's world. Donors want secure ways of using their cards.
What's the best way to handle credit and debit cards?
Encourage donors to use the online donor interface provided by PCO Giving. This way, card data is transmitted securely and directly to the payment processor, it's kept private, your church's liability decreases, and the chance of your staff making an error is removed. We know your donors will appreciate that you take their security and privacy seriously.
So, we can't run credit cards in PCO Giving?
Although running cards is discouraged in the normal flow of counting donations (counting batches), it's possible to add one of these payment methods to a donor's account from the administrative side of Giving. For example, if a donor calls in and says they aren't able to donate online, you can add a payment method at their verbal request. Just navigate to their profile and enter the card or bank account information. As with the donor interface, the payment method will be immediately sent to Stripe and stored there.
Again, this should be used as sparingly as possible. Never write down the information in the process.
Software should be flexible... to a point.
At Planning Center we try to make flexible software. Many of us use PCO applications at our own churches, so we know firsthand that every church is a bit different. However, when it comes to finances, there are things no church should do - regardless of its size or demographic.
In fact, part of the reason for using a system like PCO Giving is to let the software enforce practices known to be good and discourage practices known to be bad. Here are some examples:
- Every church should have a paper trail of administrative activity. That's why Giving Admins can't disable the log. No matter what.
- Every church should issue a donation receipt - especially with online donations. That's why Giving issues receipts for donations by default.
- Every church should keep tight control on who can access their donor database. That's why the permission system in Giving is built so that only Giving Admins can access donor info. When someone is added or removed, the whole team of Giving Admins will know.
- Every church should handle payment methods responsibly, take their donors' privacy seriously, and limit their donors' risk of theft. That's why Giving doesn't allow you to run credit card and ACH transactions in the course of batch processing.