Donations: PCI compliance steps for using Movement
At Movement, security is built into everything we do. Protecting your supporters' payment information is our top priority, and that’s why we adhere to the Payment Card Industry Data Security Standard (PCI DSS). By following best-in-class security practices, we ensure your donors can give with confidence, knowing their data is protected at every step.
What is PCI DSS and Why Does It Matter?
PCI DSS is the global security standard designed to protect cardholder data from fraud and breaches. Any organisation that processes, stores, or transmits card details must comply with these standards - or risk financial penalties, reputational damage, and restrictions on processing payments.
For charities and non-profits, compliance is non-negotiable. Your supporters trust you with their donations, and we ensure that trust is never compromised.
How Movement Ensures PCI Compliance
1. Using PCI-Compliant Payment Processors
Movement never stores, processes, or transmits raw payment data. Instead, we integrate with PCI DSS Level 1-compliant providers—the highest level of security certification available.
By leveraging industry-leading payment platforms like Stripe, we ensure that payment details remain completely outside Movement’s infrastructure. This means:
- No sensitive payment data touches our systems
- No security risks from storing credit card details
- Full compliance with PCI DSS SAQ A requirements
2. Secure Payment Flows
The way your donation forms handle payments matters. Some platforms embed payment fields directly into webpages, exposing them to potential security vulnerabilities like e-skimming attacks.
Movement takes a more secure approach:
- Hosted Payment Pages & iFrames – Payments are processed entirely within Stripe’s secure environment, meaning no donor data is exposed on Movement-hosted pages.
- No Client-Side JavaScript Risks – Unlike some solutions that rely on JavaScript to load payment fields, our approach ensures that your forms don’t introduce avoidable security risks.
- Encryption at Every Step – Any donor information we handle (such as names and emails) is encrypted both at rest and in transit.
3. Rigorous Security & Compliance Measures
To ensure the highest level of security, Movement follows a strict security protocol that includes:
- Role-Based Access Controls (RBAC) – Only authorised personnel can access API keys, with strict permissions in place.
- Regular Compliance Audits – Our commitment to compliance doesn’t stop at implementation. We regularly assess our processes and security measures to stay aligned with evolving PCI DSS standards.
- Transparent Compliance Agreements – Our contracts explicitly outline PCI DSS obligations, including security measures, breach notification policies, and audit rights.
How Movement Ensures PCI Compliance
- We never store, process, or transmit raw payment data - all transactions are handled through PCI DSS Level 1-compliant payment processors such as Stripe.
- Payments are processed using secure hosted pages and iFrames, ensuring no donor card data is exposed on Movement-hosted pages.
- Our compliance is validated through the Self-Assessment Questionnaire (SAQ A), which is available upon request.
- We implement encryption, access controls, and regular security audits to maintain compliance and protect donor information.
Client Responsibilities
While Movement ensures full PCI DSS compliance for transactions processed through our platform, clients must manage their own compliance for other payment methods, including:
- Accepting card payments over the phone or via in-person transactions
- Handling donor payment details manually
- Completing their own PCI DSS Self-Assessment Questionnaire (SAQ) if applicable
Clients can request Movement's SAQ A compliance verification and should ensure their own payment processes meet PCI DSS standards where necessary.
What should your organisation's expectations be for PCI compliance?
Using Movement simplifies PCI compliance by offloading much of the technical responsibility to us. For example, Movement tokenises and encrypts all payment data, ensuring sensitive cardholder details are never stored on your organisation's systems. This greatly minimises your exposure to risk.
However, your organisation still has obligations. Most organisations will need to complete an annual Self-Assessment Questionnaire (SAQ) to affirm compliance. For organisations using Movement for donations, SAQ A is the appropriate choice, as it applies to organisations outsourcing payment processing without storing cardholder data.
Here's what you need to do:
- Obtain the SAQ:
- Complete and submit the SAQ:
  - Submit the SAQ A directly to your payment processor (Stripe or PayPal) through their designated portal or instructions.
  - Be mindful of submission deadlines, which are often outlined in processor communications.
- Seek clarification if needed:
  - If you're unsure about the SAQ or deadlines, reach out to Stripe’s support team for guidance.
Steps your organisation should take to meet PCI compliance
Here's a clear outline of what organisations using Movement should do:
- Understand your scope of compliance:
  - Movement handles sensitive cardholder data on your behalf, which reduces your organisation's scope for PCI compliance.
  - However, you're still responsible for ensuring your staff follow best practices.
- Complete the appropriate SAQ annually:
  - Most nonprofits will complete SAQ A, which is the simplest version, since Movement manages all payment processing and data storage.
  - Follow the instructions provided by your payment processor (Stripe or PayPal) for completing the SAQ.
- Train your staff:
  - Ensure all staff members who handle payment data understand basic security practices, such as:
    - Avoiding phishing scams
    - Using secure passwords
    - Not storing sensitive cardholder data on internal systems
- Maintain secure systems:
  - Regularly update your computers and software to protect against vulnerabilities.
  - Use secure networks, particularly when accessing Movement's platform or other payment systems.
- Keep documentation up-to-date:
  - Save copies of your completed SAQ and any related correspondence from payment processors for your records.
To maintain PCI compliance, Movement requires users either to have two-factor authentication (2FA) enabled or to belong to an account with the "SSO Required" setting.
What is PCI DSS 4.0.1?
PCI DSS version 4.0.1 is the latest update to the Standard that went into effect on March 31, 2025.
Key updates include:
- Requirement 6.4.3: Inventory and secure scripts
  - Organisations must inventory, authorise, and secure all JavaScript files interacting with payment forms to ensure only authorised scripts are used.
- Requirement 11.6.1: Anti-tamper detection
  - Automated tools must monitor web pages for unauthorised modifications, providing real-time alerts to prevent potential breaches.
Since Movement uses Stripe Checkout for all payment processing, no JavaScript directly interacts with payment forms. This completely eliminates concerns around Requirement 6.4.3 for organisations using Movement. All payment data is collected directly by Stripe in their secure environment, not on Movement's platform.
How Movement handles 6.4.3 and 11.6.1 requirements
As your donation pages are hosted on Movement's platform and use Stripe Checkout:
- Script inventory and security (6.4.3): This requirement is not applicable as no JavaScript interacts with payment forms when using Stripe Checkout. Payment data is collected directly by Stripe in their secure, PCI-compliant environment.
- Anti-tamper protection (11.6.1): Movement implements comprehensive monitoring systems that detect any unauthorised modifications to our hosted pages, with alerts and response protocols already in place.
This significantly reduces the compliance burden for your organisation. Movement maintains PCI DSS Level 3 compliance, while leveraging Stripe's PCI DSS Level 1 certified payment processing infrastructure to handle all sensitive payment data.
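To make the two requirements concrete, the following is an added example (not Movement's or Stripe's code) of the kind of check a monitoring job can run against a hosted donation page: it inventories every script tag (6.4.3) and compares the result against an authorised baseline so that any added, swapped or modified script is reported (11.6.1). The HTML pages, hostnames and baseline are all constructed for the example; in a real deployment the page would be fetched on a schedule and the baseline stored with the change-approval record.

```python
"""Script inventory and tamper check for a hosted donation page (constructed example)."""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of (kind, src_or_None, inline_body)
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("external", src, ""))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:        # HTMLParser delivers <script> bodies as data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.scripts.append(("inline", None, "".join(self._buf).strip()))
            self._in_inline = False


def inventory(html):
    """Return the set of script identities on a page.

    External scripts are identified by their src URL; inline scripts by the
    SHA-256 of their body, so any edit to an inline script changes its identity.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    entries = set()
    for kind, src, body in parser.scripts:
        if kind == "external":
            entries.add("src:" + src)
        else:
            entries.add("inline:sha256:" + hashlib.sha256(body.encode()).hexdigest())
    return entries


def check_page(html, baseline):
    """Compare a page's current script inventory with the authorised baseline.

    'unauthorised' lists scripts present now but not approved (injected or
    modified); 'missing' lists approved scripts that have disappeared or been
    replaced. Both lists empty means the page matches its approved state.
    """
    current = inventory(html)
    return {
        "unauthorised": sorted(current - baseline),
        "missing": sorted(baseline - current),
    }


# Constructed sample: a donation page that hands off to a hosted checkout page.
# It loads Stripe's library plus an analytics tag and has no card fields of its own.
APPROVED_PAGE = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
</head><body>
<button id="donate">Donate</button>
<script>
  // Constructed: redirects to the hosted checkout session; no card data handled here.
  document.getElementById("donate").onclick = () => location.assign("/checkout/session");
</script>
</body></html>"""

# Baseline captured when the page was approved; in practice this is stored, not recomputed.
BASELINE = inventory(APPROVED_PAGE)

# Constructed tampered copy: the analytics tag now points at a look-alike host
# and an extra inline script has been appended. Both should be reported.
TAMPERED_PAGE = (
    APPROVED_PAGE
    .replace("https://cdn.example-analytics.test/tag.js", "https://cdn.lookalike.invalid/tag.js")
    .replace("</body>", "<script>/* constructed: unexpected inline script */</script>\n</body>")
)

if __name__ == "__main__":
    print("approved page:", check_page(APPROVED_PAGE, BASELINE))
    print("tampered page:", check_page(TAMPERED_PAGE, BASELINE))
```

The check deliberately treats a changed inline script as a new, unauthorised entry rather than trying to diff it: for 11.6.1 the question is only whether the page still matches what was approved, and any difference should raise an alert for a human to review. For pages like Movement's, where the card fields live on Stripe's hosted page, this monitoring still matters for the donation page itself, because a script injected there could redirect a donor away from the legitimate checkout.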
Additional resources
For more detailed guidance, consult the following resources:
This article is for informational purposes only and does not constitute legal advice. Consult with a legal professional for advice tailored to your organisation's specific circumstances.