Charity & Non-Profit Payment Compliance Guide
PCI compliance guidance specifically for charities and non-profits. Covers why charities are increasingly targeted, the risks of taking donations over the phone, how to achieve compliance on a limited budget, and Fundraising Regulator requirements.
What you'll learn
- Why charities are increasingly targeted by payment fraud
- Risks specific to donation-over-phone and telephone fundraising
- How to achieve PCI compliance on a charity budget
- Fundraising Regulator requirements and how they interact with PCI DSS
PDF · 9 pages · 11 min read
Trusted by banks, law firms, and regulated businesses worldwide.
Why fraudsters target charities
Charities make tempting targets, and not by accident. Donation volumes spike around appeals and disasters, which is exactly when controls are stretched thinnest. A lot of the people taking payments are volunteers rather than trained contact-centre staff. And the public assumes a charity is safe, so a caller pretending to donate, or a fraudster testing stolen cards through a donation line, meets less friction than they would at a bank. The result is that charities see more than their share of card-testing fraud and social-engineering attempts on their phone lines.
The donation-over-the-phone problem
Telephone fundraising is where most charities get caught out. The moment a supporter reads their card number aloud and a volunteer writes it on a form or types it into a laptop, that card data is live in the room — on the device, in the call recording, sometimes on a sticky note. Every one of those becomes part of your cardholder data environment, and a single lost notepad or breached laptop can turn into a reportable incident. DTMF masking closes that gap: the donor keys their card on their own phone, the tones are flattened before anyone hears them, and the digits go straight to your payment provider. The volunteer stays on the line to help, but never handles the number.
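As an added illustration (not code from the guide or from Paytia's product), the Python script below shows two defender-side pieces of what the paragraph describes: a scanner that finds Luhn-valid card numbers which have leaked into volunteer notes or call transcripts, so you can tell when cardholder data has entered your environment, and a small simulation of the DTMF-capture path in which the digits keyed on the donor's handset are buffered away from the agent, who only ever sees placeholders. The sample notes, the `MaskedDtmfCapture` class and `stand_in_tokenize` are constructed for this example; a real payment provider's tokenisation call would replace the latter.

```python
"""Added example: detect stray card numbers in call notes, and simulate a
DTMF-capture path that never exposes the PAN to the volunteer."""
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn check used by card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# as a donor reads them out or a volunteer writes them down.
_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number (digits only) found in free text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the conventional PCI display mask."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace any card number in the text with its masked form; other digit runs stay."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


class MaskedDtmfCapture:
    """Simulated capture path (constructed for this example): digits keyed on the
    donor's own phone are buffered here, and the agent-facing view only ever
    receives a placeholder per keypress."""

    def __init__(self) -> None:
        self._digits: list[str] = []
        self.agent_view = ""  # what the volunteer's screen or audio shows

    def key(self, digit: str) -> None:
        if len(digit) != 1 or not digit.isdigit():
            raise ValueError("only DTMF digits 0-9 are accepted")
        self._digits.append(digit)
        self.agent_view += "*"  # tone is flattened; agent sees a placeholder

    def submit(self, tokenize) -> tuple[bool, str]:
        """Hand the buffered PAN to the provider and clear it locally."""
        pan = "".join(self._digits)
        self._digits.clear()  # nothing remains on the local side
        if not luhn_ok(pan):
            return False, ""  # mistyped number: let the donor re-key it
        return True, tokenize(pan)


def stand_in_tokenize(pan: str) -> str:
    """Hypothetical provider token: random, with only the last four digits kept."""
    return "tok_" + secrets.token_hex(8) + "_" + pan[-4:]


# Constructed sample: a volunteer's call note with a test card number, a phone
# number and a donor reference that looks like a card number but is not one.
SAMPLE_NOTES = (
    "Donor called re: Winter Appeal. Card 4111 1111 1111 1111, exp 12/27. "
    "Callback 0800 123 4567. Ref 1234 5678 9012 3456."
)

if __name__ == "__main__":
    print("PANs found in notes:", find_pans(SAMPLE_NOTES))
    print("Redacted notes:", redact(SAMPLE_NOTES))
    capture = MaskedDtmfCapture()
    for d in "4111111111111111":
        capture.key(d)
    ok, token = capture.submit(stand_in_tokenize)
    print("Agent saw:", capture.agent_view, "| accepted:", ok, "| token:", token)
```

Run the scanner over exported call transcripts or the notes field of your CRM: a non-empty result from `find_pans` means card data has entered scope and the affected records need securely deleting, whereas the `MaskedDtmfCapture` flow shows why a capture path that hands digits straight to the provider leaves nothing behind to find.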
PCI compliance on a charity budget
Compliance feels like a cost a charity can't justify, but the expensive version is the one you're probably running now. Keeping card data out of your environment is what shrinks the bill — once volunteers and recordings are out of scope, most charities drop to SAQ A, the shortest self-assessment there is, and the annual effort collapses. You don't need a security team; you need a setup where there's nothing sensitive to protect in the first place. That's a far cheaper place to be than insuring against a breach you've left the door open for.
Where the Fundraising Regulator fits
PCI DSS isn't the only rulebook in play. The Fundraising Regulator's Code of Fundraising Practice expects you to handle donors' personal and financial data securely and to treat vulnerable supporters fairly — and the two sets of rules pull in the same direction. If a donor never has to say their card number aloud to a volunteer, you've satisfied a chunk of both at once: the data is protected, and a confused or vulnerable supporter isn't being asked to read out sensitive details under pressure. Getting the payment design right is the quiet way to tick both boxes.
We work with charities and non-profits taking donations by phone, and the pattern is always the same — take the card data out of the volunteer's hands and most of the compliance problem disappears with it. If you want to see how a masked donation call works end to end, the "how Paytia works" page walks through it.
For the full feature set behind these recommendations, see our PCI DSS v4 solution.
Ready to simplify your PCI compliance?
Book a personalised demo and we'll show you how Paytia can descope your telephone payment environment.