For fundraisers in the UK charity sector, managing donations securely is not just about meeting regulatory standards—it’s about building and maintaining the trust of their donors.
As cheque donations are slowly declining, processing card payments safely and efficiently has become an even more critical part of delivering excellent donor experiences. This is where PCI DSS (Payment Card Industry Data Security Standard) becomes a key factor, especially Level 1 compliance.
While many service providers may talk about PCI compliance, only those compliant at Level 1 will have undergone an independent external assessment.
IT Governance.co.uk state that "According to UK Finance’s Fraud the Facts 2019 report, unauthorised financial fraud losses totalled £844.8 million in 2018, a year-on-year increase of 16%."
PCI DSS is a global security standard created to ensure that all organisations that store, process or transmit credit or debit card information do so securely. Compliance with PCI DSS is mandatory for any service provider that stores, processes or transmits cardholder data, and it is equally mandatory for service providers whose systems could affect the security of cardholder data.
PCI DSS v4.0 for Service Providers contains over 260 questions detailing the associated controls that need to be implemented, maintained, monitored, reviewed and verified. Those controls must be applied to all applicable components within the scope of the Cardholder Data Environment (CDE). As mentioned above, this is not limited to components that store, process or transmit cardholder data; it also includes components that affect the security of cardholder data. This latter point is often overlooked when organisations decide what is and isn't in scope of PCI DSS, and organisations often fail to implement network segmentation appropriately, so that devices are accidentally brought into scope without the appropriate controls and measures being implemented on them.
PCI DSS also requires certain tasks and activities to be performed consistently via a regularly scheduled and repeatable process, and in some cases at specific time intervals, e.g. external scans must be conducted by an Approved Scanning Vendor (ASV) every 3 months. Failure to do so would result in non-compliance.
It is mandatory for service providers processing over 300,000 transactions (per payment brand) to achieve PCI DSS Level 1 compliance. This requires the organisation to be independently assessed every year by a Qualified Security Assessor (QSA).
A Report on Compliance (RoC) will be completed by the QSA and an Attestation of Compliance (AoC) will be completed and signed by the QSA company and the Service Provider.
Some service providers choose to achieve Level 1 compliance even though the number of transactions they process per payment brand would place them at Level 2. Woods Valldata is one of those providers, because it knows that partner charities' donor data and reputations require the highest level of compliance.
Self-assessment applies to any service provider that processes fewer than 300,000 card payments for a single payment brand such as Visa, Mastercard, American Express etc.
So in reality a service provider could be processing far more than 300,000 card payments in total, but because it does not exceed 300,000 for any single payment brand, it is permitted to self-assess its compliance status by completing a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AoC) annually.
It's worth noting, then, that a service provider could be processing in excess of 500,000 card payments and still self-assess!
Ultimately, achieving PCI DSS Level 1 compliance requires a provider to meet the most stringent standards, ensuring comprehensive and robust protection of cardholder data.
Only those that achieve Level 1 compliance have had the following externally validated against the PCI DSS requirements:
Therefore, for charities relying on outsourced payment processing, understanding the provider’s PCI DSS level matters.
At Woods Valldata, we understand the unique needs of UK charities and are committed to providing the best-in-class solutions for their fundraising activities. We know that when you outsource, you're outsourcing your charity's reputation. We’re in it with you to deliver the best possible experience for your supporters and the highest possible return for your fundraising spend. Here’s why we stand out:
PCI DSS Level 1 compliance: We’re externally validated to meet the highest standard in payment security, meaning you can be certain your donors’ card data is handled with maximum protection.
Expertise in charity fundraising: With decades of experience, we’ve developed services tailored specifically to the charitable sector, including raffles, lotteries, response handling across platforms, fulfilment and data strategy.
End-to-end support: Our solutions go beyond compliance to include ongoing operational support, insightful reporting, and optimisation to enhance your fundraising success.
Reputation for excellence: Trusted by leading UK charities, our proven track record demonstrates that partnering with us delivers tangible benefits.
Partnering with a provider like Woods Valldata not only ensures compliance with the highest standards but also demonstrates your commitment to protecting your supporters’ sensitive information.
By outsourcing your card payment processing to Woods Valldata, you can safeguard your organisation’s reputation, grow your donor base, and focus on what truly matters—delivering impact through your charitable mission.
Let’s discuss how we can help you take your fundraising to the next level with secure and efficient payment processing solutions. Get in touch with Woods Valldata today.