Industry Compliance Guide
Nonprofit / Religious Organization Compliance
PCI DSS, state breach laws, and donor data protection requirements for nonprofits, churches, charities, and foundations.
What’s at stake: Donor data is regulated personal information. Grant funders increasingly ask about cybersecurity controls, and a breach can cost donor trust, trigger state breach-notification duties, and put grant funding and regulatory standing at risk.
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| State Charitable Registration | Charitable solicitation laws across 40+ states |
| PCI DSS | If accepting credit card donations |
| State Breach Laws | Donor records that pair a name with payment, account, or government ID data are regulated PII; all 50 states have breach-notification laws |
| IRS Form 990 | Public disclosure obligations |
| HIPAA | Health-related charities or services |
| Grant / Funder Requirements | Federal grants can impose NIST SP 800-53 or SP 800-171 controls depending on the agency and the data involved; foundation grants vary |
What You Need In Place
- Donor database access controls
- Encryption of donor PII and payment information
- Multi-factor authentication on donor systems
- Vendor management for CRM and payment processors
- Separation of duties for financial transactions
- Volunteer access control and training
- Phishing awareness training (grant and donation fraud is a frequent target)
Common Threats In This Sector
Nonprofits and faith-based organizations hold concentrated donor data, often with limited security oversight and high volunteer-turnover environments. Attackers exploit the trust culture — staff and volunteers are taught to assume good intent.
- Business email compromise targeting donations, grant disbursements, and vendor payments
- Phishing for donor-management system credentials (Blackbaud, DonorPerfect, Bloomerang, etc.)
- Ransomware encrypting donor databases, now routinely paired with data exfiltration and extortion
- Online donation skimming and card-data theft (PCI scope is often misunderstood: a hosted payment page reduces your scope but does not remove your website from it)
- Volunteer credential abuse — turnover without proper offboarding leaves orphaned access
- Tax-exempt status fraud and impersonation of the organization to solicit donations
Documentation You’ll Be Asked For
Funders and grantmakers increasingly include data-security questions in their due diligence. State charity regulators require registration and basic compliance. PCI DSS applies to any organization processing card donations.
- PCI DSS Self-Assessment Questionnaire for online donation flows (SAQ A when the payment page is fully hosted or redirected by the processor; SAQ A-EP when your own site's code influences the payment form)
- Active state charitable solicitation registrations (40+ states require it)
- Donor data handling policies and retention schedules
- Volunteer access management procedures (onboarding, offboarding, time-bound access)
- HIPAA documentation if operating healthcare ministries, clinics, or counseling services
- 501(c)(3) records retention policy
- Incident response plan with state breach-notification timelines
Where Most Small Nonprofits Fall Short
The Blackbaud breach of 2020 reset expectations for the sector. Insurance underwriters and major funders now expect documented basics. Most small nonprofits operate well below that baseline.
- No volunteer credential lifecycle — access is granted casually and never revoked
- PCI compliance not addressed for online donations (assuming the donor platform handles it entirely; the processor's compliance does not cover your website or your annual SAQ)
- Donor data shared via personal email and unencrypted attachments
- State charitable solicitation registrations expired or never filed
- No MFA on email or donor-management systems
- No tested backup of the donor database, and no recovery plan for losing it, whether to ransomware, accidental deletion, or a SaaS vendor outage
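The first gap above, unmanaged volunteer access, is one of the few on this list that can be checked mechanically. The following Python script is an added example, not part of this guide or of any product named on the page. It reads a user export from an identity provider or donor-management system (the column names and the sample rows are constructed assumptions; map them to whatever your system actually exports) and flags accounts that are orphaned (engagement ended but the account is still active), dormant (no login in 90 days), or missing MFA, which are the three findings an underwriter or funder questionnaire will ask about.

```python
"""Audit a volunteer/staff account export for orphaned, dormant and MFA-less access."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (an assumption, not real data). Real input would be the
# user export from your identity provider or donor CRM; column names are assumed.
SAMPLE_EXPORT = """\
username,role,engagement_end,last_login,mfa_enabled,active
alice,staff,,2024-05-28,yes,yes
bob,volunteer,2024-01-31,2024-02-03,no,yes
carol,volunteer,2024-08-31,2024-05-20,yes,yes
dave,volunteer,,2023-11-02,no,yes
erin,volunteer,2023-12-31,2023-12-30,no,no
"""

# Accounts with no login in this window are treated as dormant.
DORMANT_AFTER = timedelta(days=90)


def parse_date(value):
    """Return a date for 'YYYY-MM-DD' strings, or None for blank fields."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def audit_accounts(export_text, today):
    """Return (username, finding) pairs for active accounts that need action.

    today is an ISO date string so the audit is reproducible for a given export.
    """
    as_of = parse_date(today)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["active"].strip().lower() != "yes":
            continue  # already disabled; nothing left to revoke
        user = row["username"]
        end = parse_date(row["engagement_end"])
        last_login = parse_date(row["last_login"])

        # Orphaned: the volunteer's engagement ended but access was never removed.
        if end is not None and end < as_of:
            findings.append((user, "orphaned: engagement ended %s but account still active" % end))

        # Dormant: never logged in, or not within the dormancy window.
        if last_login is None or as_of - last_login > DORMANT_AFTER:
            findings.append((user, "dormant: no login in the last %d days" % DORMANT_AFTER.days))

        # Missing MFA on a live account is a finding regardless of activity.
        if row["mfa_enabled"].strip().lower() != "yes":
            findings.append((user, "no MFA enrolled"))
    return findings


def summarize(findings):
    """Count findings by type, keyed on the text before the first colon."""
    counts = {}
    for _, finding in findings:
        key = finding.split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_EXPORT, "2024-06-01")
    for user, finding in results:
        print(f"{user}: {finding}")
    print(summarize(results))
```

Run it against a real export on a schedule (monthly is a reasonable cadence for a small organization) and treat every "orphaned" line as an immediate revocation task; the "engagement_end" column is what makes access time-bound, so the roster has to be populated at onboarding for the check to mean anything.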
How CGetty Helps
Right-sized cybersecurity assessments and donor data protection guidance for charities, religious organizations, and small nonprofits.
Not Sure Where Your Organization Stands?
We help small organizations understand what applies to them and build a practical plan to get there. Let’s talk.
