Fundraising Command Center Podcast

PCI & SOC 2: The Gap Between “Compliant” and Secure


If your donation platform says "PCI compliant," do you know what that actually means? Most nonprofits don't — and the gap between a vendor that filled out a questionnaire about itself and one that paid $200,000 for independent auditors to tear its infrastructure apart is enormous.

In this episode, we break down the two security frameworks that matter most for donor protection — PCI DSS and SOC 2 — and why having one without the other leaves half your risk uncovered. We introduce the Proof Tiers framework to help boards evaluate vendor claims, and explain why Click & Pledge maintains PCI Level 1 service provider validation alongside SOC 2 Type II certification.

The gap most nonprofits miss:

  • PCI DSS protects the payment transaction — the card number at the moment of donation.
  • SOC 2 Type II protects everything else — names, emails, giving history, the entire donor relationship.

A vendor can be "PCI compliant" and have zero controls on who exports your entire donor file. Tune in to hear the questions every board should be asking — and why "are you compliant?" isn't one of them.


Fundraising Command Center Podcast, by Click & Pledge