You wouldn’t trust just anyone to count the money from your offering plate. Why should your digital giving provider be any different? 

It is critical to select a giving provider with strict cybersecurity measures and compliance. This  not only protects the church’s assets but also upholds the trust your congregation places in you. 

By asking the right questions and understanding the importance of your giving provider’s security compliance, you can ensure that your church navigates the digital giving landscape safely and securely.

Here are seven questions you should ask your giving provider before sharing your data. 

1. Is your giving provider PCI DSS compliant?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information do so in accordance with the industry’s best security practices.  

Ensuring your giving provider is PCI DSS compliant is the first step in protecting your congregation’s sensitive payment information. This compliance signifies that the provider adheres to the highest security standards, significantly reducing the risk of data breaches.

2. Does your giving provider use data tokenization?

Data tokenization is a security measure that replaces sensitive data with unique identification symbols retaining all the essential information without compromising its security. 

In the context of digital giving, tokenization means replacing members’ financial details with tokens. This process makes sure that in the event of a security breach, the actual data remains secure as the tokens cannot be reverse-engineered to reveal the original information. 

Ask your provider how they implement data tokenization and how it further protects your congregation’s data.

3. What encryption methods does your giving provider use? 

While tokenization involves swapping out sensitive data with a set of symbols, encryption safeguards data by changing it into a cipher that can’t be understood without special “keys” and an underlying algorithm to unlock it. 

Inquiring about the encryption methods your giving provider uses is crucial. Ensure they employ strong encryption protocols for stored data and data moving through the network. 

4. What are your giving provider’s data storage and management policies?

The location of your giving provider’s data storage is important because it affects the security and privacy of your congregation’s information and compliance with various data protection laws. 

Ask whether they segment their data by type and away from public-facing services like their web app or mobile app. Data stores should never be public-facing and should require a gateway to reach the data stores.   

Additionally, inquire about their policies regarding data retention and disposal. A reliable giving provider should have clear procedures for securely deleting data that is no longer needed.

5. Does your giving provider have regular security audits and patch updates?

Choose a giving provider that undergoes regular security audits and vulnerability assessments. Regular audits indicate a commitment to maintaining high-security standards, providing an additional layer of trust and safety.

Regular software updates and security patches allow the provider to quickly address any discovered vulnerabilities, minimizing the window of opportunity for attackers to exploit these weaknesses.

Additionally, performing third-party evaluations from both inside and outside the provider’s environment is critical in identifying potential weaknesses and a requirement for PCI DSS. 

6. How does your giving provider handle security breaches?

If your giving provider is implementing the proper measures we’ve outlined, a security breach is very unlikely. However, there should always be a plan in place. In addition to knowing how a provider is being proactive, it’s important to know how they are also responsive.

Ask about their incident response plan, including how they detect breaches, their process for notifying affected parties, and steps taken to mitigate damages. A comprehensive response plan indicates a provider prepared to handle unexpected security incidents effectively.

7. Does your giving provider’s staff have access to donors’ data?

While your giving provider will have access to information to assist donors and administrators with their accounts, their staff should not be able to access your donors’ full card or bank account information.                     

Furthermore, donor and church information should never be shared with anyone without proper authorized access.


Selecting a giving provider is not just a matter of convenience; it’s about ensuring the security and trust of your congregation. By asking these detailed questions, you’re taking proactive steps to safeguard sensitive information and uphold the trust your congregation places in your church’s digital giving solutions.