How to prepare your nonprofit for PCI compliance

A fair warning: We’re about to get a bit technical.

But please don’t let that stop you from reading because there are some critical updates in this month’s digital roundup that affect nonprofit organizations of all shapes and sizes. We’ll cover:

• Data security compliance on your website
• A Google Tag Manager update
• New federal regulations for SMS?
• The latest news on TikTok’s ban

Let’s start with PCI DSS v4.0 (see, I warned you).

PCI v4.0 and nonprofits: What you need to know

Most nonprofit organizations don’t wake up thinking about credit card security standards. However, if you accept donations via credit card—online or offline—you’re considered a “merchant” in the eyes of the credit card companies.

That means you must comply with the Payment Card Industry Data Security Standard (PCI DSS). This isn’t optional—it’s a requirement. And with PCI DSS v4.0.1, there are notable changes that impact nonprofits of every size.

One of the most talked-about updates in PCI v4.0 revolves around JavaScript on your website and donation forms. Why? Because hackers have increasingly turned to injecting rogue code (“web skimmers”) that quietly collects credit card numbers.

JavaScript Security and SAQ-A Merchants: What’s Changed?

One of the most talked-about updates in PCI DSS v4.0 revolves around JavaScript security on websites and donation forms. Hackers have increasingly used web skimming attacks, injecting rogue code to quietly steal credit card data.

The new requirements demand:

• An inventory of all JavaScript files on pages that collect payment data.
• An authorization process, ensuring only approved JavaScript is present.
• Ongoing monitoring to detect unauthorized changes—often referred to as “anti-tamper” checks.

At first glance, this seemed to apply to all merchants, but on Jan. 30, the PCI Committee clarified that SAQ-A merchants are exempt from these JavaScript inventory and monitoring requirements.

However, this doesn’t mean nonprofits using SAQ-A donation platforms can ignore security. Instead, the update specifies that SAQ-A merchants must ensure the scripts on their website are secure and not susceptible to attack—which sounds a lot like following the JavaScript requirements anyway.

For nonprofits that rely on donation platforms—like Blackbaud, Classy or Fundraise Up—this still matters. Even if your donation form provider manages compliance on the secured payment step, your website likely loads additional JavaScript before the donation form is complete. That means it’s up to you to confirm those scripts aren’t compromised.

4 Steps Nonprofits Should Take

1. Confirm your donation platform’s PCI compliance. Ensure your vendor has updated their checkout experience to meet PCI DSS v4.0. If you’re using a pop-up or embedded form, ask how they are maintaining compliance and protecting donor data..
2. Inventory your website’s JavaScript. Identify every script that loads on pages where you link to or embed your donation form. Tag managers and marketing tools can add scripts dynamically, making regular audits essential.
3. Monitor and authorize changes. Even if SAQ-A merchants aren’t required to track JavaScript changes, it’s still a best practice. Consider investing in a monitoring tool to automatically alert you if code changes without approval.
4. Embrace an “audience-first” security mindset. Donors trust you with their gifts. Just like you build campaigns around donor motivations and preferences, treat security as a core part of that experience. From password policies to consistent scanning, show your supporters you prioritize their data as much as your mission.

Your nonprofit may not think about donation form security every day, but all it takes is one privacy breach to change your mind. By staying proactive, you’ll protect your cause, preserve donor confidence and maintain the steady flow of gifts that fuel your mission.

A Google update to improve conversion tracking

Starting April 10, Google Tag Manager (GTM) will automatically ensure that the Google Tag loads first before firing Google Ads and Floodlight tags.

This is a good thing, and here’s why:

For nonprofits and digital marketers, clean conversion tracking is critical for optimizing ad spend. This change helps prevent errors that could lead to underreporting or lost data.

A Google Tag was already a prerequisite for conversion tracking. However, some GTM setups have allowed conversion events to fire before the Google Tag, causing timing issues and data inconsistencies.

With this change, GTM will automatically enforce the correct firing order, improving the reliability of your data and reducing tracking errors.

What you need to do:

• If your GTM setup already loads the Google Tag properly, no action is needed.
• If you’ve ever had timing issues with Google Ads conversions, this update should help resolve them.
• As always, test your setup to ensure everything still functions as expected before April 10.

Have no fear: Nothing’s changing for text messaging

If you’re considering starting a text messaging program in 2025, you may have heard some warnings about a new regulation, called the 10DLC rules, under the Telephone Consumer Protection Act (TCPA).

But Dan Foster at Tatango said there’s nothing to worry about.

“Nothing changed in 2024 that would cause any delay or disruption of launching new SMS campaigns,” he said. “There is a LOT of inaccurate information out there.”

If you are setting up your first text messaging campaign, it is important to note that there are several steps to get started, according to Synergy:

1. Your nonprofit organization must go through a formal registration process with carriers. This could take 10-14 business days, so account for that timeline in your plans.
2. You must include appropriate opt-in verbiage on any webforms (donation pages, contact-us forms, etc.) where you capture a phone number.
3. Those opt-ins require a check box for the donor to click, and it cannot be prechecked. The phone number field must also be optional on the form.
4. Likewise, your text messages must include a clear opt-out mechanism, like “Text STOP to quit.”
5. Your privacy policy must explicitly state that your nonprofit will not share or sell donors’ opt-in or consent data with third parties for reasons other than what they signed up for.

10DLC is short for 10-digit-long codes and distinguishes them from the five- or six-digit “short codes” that can also be used for texting, as Tatango explains. Under current regulations, both options are still available, and both must follow the processes outlined above.

TikTok is closing in on a sale

In last month’s digital roundup, we pondered the question, “Should nonprofits move on from TikTok?” With the app’s future in limbo over a U.S. ban, our advice was that short-form video is here to stay—regardless of channel or app.

Well, there seems to be some good news around TikTok’s future.

President Trump said his administration is in talks with four groups about a potential TikTok sale, with less than a month until the ban is set to go into effect on April 5. He also indicated that he would likely extend that deadline if talks continue to go well.

Meanwhile, all of this ban talk hasn’t slowed TikTok down a bit. It remained at the top of app store downloads in February—despite being removed from app stores for half the month.

Additional resources

• Meta wants its advertisers to connect to Google Analytics
• Google March 2025 Core Update Is Rolling Out - Here Is A Deeper Dive
• TikTok’s $30B ad boom faces US uncertainty
• AI search engines cite incorrect sources at an alarming 60% rate, study says