Funraise collaborates with Sikich to achieve PCI DSS Level 1 compliance, inspire nonprofit clients’ confidence, and improve its cybersecurity posture.
When Funraise gained thousands of clients for its fundraising platform, it saw the need to assume ownership of its own PCI DSS compliance and offer nonprofits the assurance of secure donation and payment processing. In a collaboration with Sikich, Funraise achieved PCI DSS Level 1 compliance and strengthened its cybersecurity strategy to mitigate emerging threats and risks. The organization continues to innovate and empower nonprofits to pursue their mission in a highly secure technology environment.
Funraise provides an end-to-end fundraising platform for nonprofit organizations. It equips nonprofits with the digital tools to manage donations, auctions, and events; connect with donors and volunteers; report on fundraising — and accomplish all of this securely. The company maintains a delightful, inspiring quality in its communications and services. Jason Swenski, Founder and Chief Technology Officer at Funraise, explains, “We think of ourselves as a modern technology platform built for nonprofits by nonprofit experts. We have all worked in nonprofit organizations and have a deep commitment to the sector. We don’t just provide software, we’re offering tools and resources to empower nonprofits to succeed in a digital-first world.”
For nonprofits, it can be distracting, costly, and challenging to choose, acquire, and operate digital technology. Designed as cloud-based, enterprise-level, yet highly usable and intuitive technology, the Funraise platform can be implemented in an efficient, uncomplicated manner. It enables modern giving experiences across channels, meeting donors where they are. Funraise broadly shares its expertise by providing best-practice insights, fundraising guidance, reporting tools, and other resources on its site.
When Funraise set out to revolutionize giving, technology marketed to nonprofit organizations tended to be overly complicated to deploy, learn, and use. As donors often needed to navigate balky webpages and fill out lengthy forms, a simple, embedded giving form was one of the first giving modernizations Funraise created. That meant Funraise also had to help its clients manage donor transactions while safeguarding sensitive personal and financial information.
In consequence, the Funraise team quickly became familiar with applicable regulations and standards, including the compliance levels associated with the Payment Card Industry Data Security Standard (PCI DSS), which is developed and maintained by the PCI Security Standards Council. Level 1 is the most stringent of these levels. It applies to organizations that process six million card transactions or more per year and, unlike the lower levels, it cannot be met with a self-assessment questionnaire: it requires an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance.
Funraise enables nonprofit clients to manage donations on its platform through a collaboration with Spreedly, the global payment processing enterprise. By orchestrating payment processes in a highly secure manner, including encryption and tokenization, Spreedly allows Funraise to minimize its risk exposure to cybercrime and support a growing community of clients. An important part of Spreedly’s services portfolio is enabling PCI DSS compliance for its customers. The company regularly assesses and validates its own compliance by working with the Sikich PCI DSS Compliance practice. For Spreedly, Sikich has provided PCI DSS Assessments, penetration testing, and vulnerability scanning since 2013.
Rapidly winning thousands of clients and supporting a ballooning user population, Funraise accomplished PCI Compliance Level 2 with assistance from Spreedly. Soon after that, the organization decided to strengthen its compliance discipline. “As we grew, we needed to advance our compliance measures, transitioning from self-assessments and PCI Compliance Level 2 to Level 1,” Swenski comments. “Bringing the required expertise in-house would have been extremely expensive and still could have come with the risk of missing a step and compromising our efforts. We decided our best course to achieve flawless compliance was partnering with an expert, reputable, detail-conscious organization. Spreedly, our trusted payment processing partner, recommended Sikich.”
Following exploratory conversations, Funraise and Sikich agreed to work together. Sikich performed a PCI DSS Readiness Assessment to make certain that policies, documents, and the cadences for quarterly vulnerability scans and annual penetration testing were in place for successful completion of the demanding PCI DSS Level 1 Compliance Assessment. Sikich maintained detailed documentation regarding next steps and requirements for compliance measures in Basecamp project management software. Joseph Kang, Vice President of Engineering at Funraise, says, “The experience of working with Sikich was really awesome. The Sikich team were great communicators, with everybody always accessible and responsive. They were also incredibly well organized, which allowed us to work efficiently.”
The Sikich compliance team translated specialized PCI DSS terms and complex requirements into clear language and practical, manageable actions. They provided Funraise with frequent compliance progress updates, recommended best practices and useful resources for enhancing security, and pointed out potential security gaps in Funraise systems and processes. “Our PCI DSS compliance project with Sikich felt very collaborative,” Kang points out. “The consultants even shared how Sikich handles compliance internally. They had great ideas for how everybody in an organization can learn about and support cybersecurity and compliance. That approach of inviting people to become involved instead of coercing them into security or compliance measures truly resonated with me.”
For Funraise, achieving PCI DSS compliance for the first time was a high-energy effort whose success proved the effectiveness of the Sikich collaboration. “PCI Compliance Level 1 is business-critical for us,” Swenski explains. “It demonstrates that we adhere to the most rigorous standards for protecting financial information against fraud. For our nonprofit clients, this means that they can establish credibility with donors and reliably assure them that their payments and data are safe.”
Sikich consultants managed the undertaking in such a way that it helped Funraise bolster and refine its overall cybersecurity strategy. “With Sikich, we accomplished something unique that, based on their proposals, we might not have been able to do with other consultancies,” says Swenski. “We achieved PCI DSS compliance in such a way that we greatly improved our security posture at the same time. Today, Funraise operates with a strong, sustainable security culture that will be key to our ability to mitigate future risks to our data and systems. Our team members are always conscious of security concerns and their role in addressing them.”
Setting nonprofit prospects and clients at ease, Funraise discloses its PCI Compliance Level 1 on the Funraise Platform Security page together with other security measures and protocols. On the Giving Form Security page, Funraise explains PCI DSS compliance in the context of its Spreedly collaboration. On the same page, Funraise also offers the downloadable Attestation of Compliance, validated and signed by Swenski and the leading Qualified Security Assessor (QSA) on the Sikich team.
In addition, Funraise mentors and educates nonprofits in maturing their security and compliance disciplines. For example, it helps organizations mitigate compliance risks by understanding why PCI DSS matters and how it works, learning to complete PCI Self-Assessment Questionnaire A (SAQ A), the questionnaire intended for merchants that fully outsource cardholder data handling to validated third parties, and elevating their data security practices overall.
Businesses must revalidate and document their PCI DSS Level 1 compliance every year, through a QSA-led assessment together with the quarterly scans and annual penetration testing the standard requires, in order to maintain alignment with this most stringent PCI DSS level. Funraise plans to continue relying on the Sikich team to perform the required testing and validation. “I would recommend Sikich one hundred percent,” says Kang. “I’d rather not imagine what it would have been like to pursue PCI Compliance Level 1 compliance without them.”
Funraise is considering another collaboration with Sikich to obtain a SOC 2 (System and Organization Controls 2) report, an attestation standard created by the American Institute of Certified Public Accountants (AICPA) that evaluates an organization’s controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 has been widely adopted by technology companies that handle sensitive client information, including cloud software vendors, data centers, and managed service providers.
In closing, Swenski says, “We love Sikich. They are an excellent partner and we will continue working with them as long as we can. Thanks to the compliance and cybersecurity efforts on which they collaborated with us, our nonprofit clients can worry less about data security and focus more on their mission.”