Security Policy

FirstGiving is committed to maintaining the highest possible standards of data security. We have implemented key international standards of best practice in online and data security, including Payment Card Industry Data Security Standard.

Thousands of nonprofits outsource their transaction security to us. It is our top priority to ensure that transaction data is kept secure at all times.

We take an active role in the overall reduction of identity theft and fraud on the internet by ensuring the security of our IT systems, personnel and infrastructure.

Our staff are trained in all aspects of web application security, including infrastructure vulnerabilities, cross-site scripting, secure data storage, and using the software development life cycle to maintain and improve security.

FirstGiving has been certified as Level1 PCI-DSS compliant by ControlCase, an official Visa Qualified Security Assessor. This means our systems and services comply with the highest level of Payment Card Industry Data Security Standard and that we actively protect our customers’ identities, personal information and financial details.


Transaction security
All transaction and credit card information entering FirstGiving systems is encrypted using 128-bit or 256-bit SSL/TLS certificates from GeoTrust. No cardholder information is ever passed unencrypted in a web browser to FirstGiving. You can be completely secure in the knowledge that nothing you enter as part of a secure FirstGiving transaction can be examined, used or modified by any third parties attempting to gain access to sensitive information.

Encryption and data storage
Once your data is on our systems, credit card data is encrypted and securely stored in our dedicated hosting facilities at our Data Center. Our servers and network infrastructure are owned and used by FirstGiving for the provision of fundraising services, and not shared with any other company or industry.

Links to Card Processors
FirstGiving authorizes credit card transactions in partnership with Vantiv. Transactions data is exchanged with Vantiv utilizing industry standard security protocols.

Employee access
Our systems only allow access to authorized staff. Your transaction information and customer card information is secure even from our own employees because our systems never display the full card numbers, even on administration screens.

Payment Card Industry (PCI) Data Security Standard compliance
The PCI DSS is a set of security standards that apply across the card payment industry worldwide that help safeguard cardholder information and improve consumer confidence.

The Standard was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

FirstGiving is PCI compliant. For more information on our status please click Click Here.

There are six categories of PCI compliance security standards:

(1)Building and maintaining a secure network
Requirement 1 : Install and maintain a firewall configuration to protect cardholder data
Requirement 2 : Do not use vendor-supplied defaults for system passwords and other security parameters

(2) Protecting cardholder data
Requirement 3 : Protect stored cardholder data
Requirement 4 : Encrypt transmission of cardholder data across open, public networks

(3) Maintaining a vulnerability management program
Requirement 5 : Use and regularly update anti-virus software
Requirement 6 : Develop and maintain secure systems and applications

(4) Implementing strong access control measures
Requirement 7 : Restrict access to cardholder data by business need-to-know
Requirement 8 : Assign a unique ID to each person with computer access
Requirement 9 : Restrict physical access to cardholder data

(5) Regular monitoring and testing of networks
Requirement 10 : Track and monitor all access to network resources and cardholder data
Requirement 11 : Regularly test security systems and processes

(6) Maintaining an information security policy
Requirement 12 : Maintain a policy that addresses information security.

If you have any questions about our Security Policy please contact us via email at