Entering Gifts or Payments on Behalf of Someone Else
An administrator can enter gifts or online registration event payments on behalf of someone else using a paper authorization form, but this increases the scope of your PCI responsibility.
Entering credit or debit card data on behalf of a congregant will increase the scope of your church's PCI responsibility.
A form must be completed any time an online payment is added or edited.
Any time you add or update contributions or online event payments, a confirmation email is automatically sent to the congregant.
Authorizations taken by phone may only be for one-time gifts or payments.
It is best not to write down any card numbers, and you must NEVER write down or store the 3- or 4-digit security code found on a credit or debit card.
If you have questions, contact your payment processor.
Follow these best practices when obtaining written authorization over the phone for transactions.
If using a credit / debit card
The administrator should enter the credit card information directly into the system and complete the authorization form without recording the card data.
In the signature field, enter "TO" to indicate Telephone Order.
Be sure to record the date and the initials of the person who took the Telephone Order.
Completed forms must be retained in a locked cabinet and kept on file for at least 3 years.
If using ACH
Enter the bank account information the congregant provides, and keep the authorization forms on file for 2 years.
In Person Requests
Follow these best practices when obtaining in-person authorization for transactions.
For credit / debit card or ACH
The person requesting the transfer must complete the authorization form.
After entering the gift, the administrator must make all but the last four digits of the account number unreadable.
Completed forms must be retained either as paper forms or scanned images in a secure
Credit / debit card authorizations must be kept for at least 3 years.
ACH authorizations must be kept for 2 years.
If you retain paper forms
- Limit access to those individuals who require access in order to perform their job duties.
- Store them in a locked cabinet or safe.
- Mark them as confidential.
- Maintain an inventory log of forms on file.
- Use cross-cut shredding when destroying documents.
If you retain scanned images
- Store them in encrypted, password-protected files.
- Limit access to those individuals who require access in order to perform their job duties.
- Never store credit/debit card or banking information unless it is encrypted and password protected.
- Ensure that your computers have up-to-date virus protection programs.
- Ensure that your organization's website has a minimum of 128-bit SSL encryption.
- Never write down or share your MyVanco User ID and/or password.
- Review all Vanco reports and compare them to your bank statement to ensure transactions are being processed and deposited as expected.