JustGiving's security policy

Thousands of charities trust JustGiving (JG) to manage their online fundraising, so our top priority is to ensure that their transaction and supporter data is kept secure at all times.

That’s why JustGiving maintains the highest possible standards of data security. It’s why we’ve implemented key international standards of best practice in online and data security, including:

  • MasterCard® SecureCode™
  • Verified by Visa (VbV)
  • Payment Card Industry Data Security Standard.

We take an active role in the overall reduction of identity theft and fraud on the internet by ensuring the security of our IT systems, personnel and infrastructure.

Our employees are trained in all aspects of web application security, including infrastructure vulnerabilities, cross-site scripting, secure data storage, and using the software development lifecycle to maintain and improve security.

JG has been certified PCI compliant by Trustwave, an official Visa Qualified Security Assessor. This means our systems and services comply with the Payment Card Industry Data Security Standard and that we actively protect our customers' identities, personal information and financial details.

Our security efforts are focused on the following areas:

MasterCard® SecureCode™ and Verified by Visa

JustGiving has implemented the industry standard card verification schemes MasterCard® SecureCode™ and Verified by Visa.

The online equivalent of the now familiar "Chip and PIN" process used in shops and restaurants, these schemes help create a higher standard of security for online card transactions.

JustGiving has no knowledge of, or access to, your MasterCard® SecureCode™ or Verified by Visa passwords at any time. This is why you are asked to submit your password to your card issuer directly, over a secure link. Our system does not see or store your card verification password.

JustGiving has no knowledge of, or access to your MasterCard® SecureCode™ password at any time. This is why you are asked to submit your password to your card issuer directly, over a secure link. Our system does not see or store your password.

Transaction security

All transaction and credit card information entering JustGiving systems is encrypted using 128-bit SSL certificates from VeriSign. No cardholder information is ever passed unencrypted in a web browser to JustGiving. You can be completely secure in the knowledge that nothing you enter as part of a secure JG transaction can be examined, used or modified by any third parties attempting to gain access to sensitive information.

Encryption and data storage

At our Data Centre rigorous physical, electronic, and personnel security measures protect your data. Those measures are regularly assessed by One-Sec Ltd, an official Visa Qualified Security Assessor.

Once on our systems, payment card data is encrypted and securely stored in our dedicated hosting facilities at our Data Centre. Our servers and network infrastructure are owned and used by JustGiving for the provision of fundraising services, and not shared with any other company or industry.

Card Security Code (CSC) and Card Verification Value or Code (CVV or CVC)

JustGiving do not store the 3-digit Card Security Code (CSC), sometimes called Card Verification Value or Code (CVV or CVC).

Links to banks

JustGiving authorises credit card transactions in partnership with Barclaycard Merchant Services (BMS). Any cardholder information sent to the banks and any authorisation message coming back is secure and cannot be tampered with.

Employee access

Our systems only allow access to authorised staff. Your transaction information and customer card information is secure even from our own employees because our systems never display the full card numbers, even on administration screens.

Payment Card Industry (PCI) Data Security Standard compliance

The PCI DSS is a set of security standards that apply across the card payment industry worldwide that help safeguard cardholder information and improve consumer confidence. The Standard was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations pro-actively protect customer account data.

JustGiving is PCI compliant. For more information on our status please click here.

There are six categories of PCI compliance security standards:

(1) Building and maintaining a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

(2) Protecting cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

(3)Maintaining a vulnerability management program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

(4)Implementing strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

(5)Regular monitoring and testing of networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

(6)Maintaining an information security policy
Requirement 12: Maintain a policy that addresses information security.

If you have questions about security or privacy on our site please email us at [email protected].