New payment card data security changes (PCI DSS) – what your charity needs to know

As if Meta’s recent changes weren’t enough, online payments are about to get more complicated. Any website that takes payment card details will soon need to meet updated requirements in version 4 of the payment card industry’s security standard.

2025 is shaping up to be a year of big changes, with tighter security rules designed to protect payment data. From 31 March 2025, the remaining requirements of version 4 of the Payment Card Industry Data Security Standard (PCI DSS v4.0), which until then were only best practice, become mandatory for every organisation that takes card payments through its website.

This includes donations, online shop purchases, event registrations, and lottery sign-ups. Using a third-party payment platform does not take you out of scope: the page on your site that hosts or opens the payment form, and every script that runs on it, is still your responsibility.

The changes reduce the risk of online fraud

Online fraud is a growing issue, and these changes aim to reduce risk. The requirements in question (6.4.3 and 11.6.1 in PCI DSS v4.0) target digital skimming, where a script injected into a payment page copies card details as the donor types them. Any script that runs on a payment page could be abused this way, so the standard requires tighter management of every script present, including those used to track user behaviour and pass information to third-party platforms such as the Meta Pixel and Google Analytics 4.

The responsibility doesn’t just sit with your payment processor. Requirement 6.4.3 makes your charity responsible for every script on a payment page: each must be authorised, have a written business justification, and have its integrity assured so that it cannot be changed without you knowing. Requirement 11.6.1 adds a change- and tamper-detection check on those pages as the browser receives them (script contents and security-relevant HTTP headers) that must run at least every seven days, or more often if your own risk analysis calls for it. One caveat: a Subresource Integrity hash can pin a script whose content never changes, but tag-manager containers and analytics loaders are updated by their vendors without notice, so for those you need monitoring that alerts on change rather than a fixed hash that would break the page.

If you use Google Tag Manager or have hard-coded scripts on payment pages, you must act before 31 March 2025. The GTM container is itself a script on the page, and anything published through it runs there too.

Our Data Analytics Team at Platypus is here to help if you need support!

What your charity should do next

We’ve consulted some donation platforms we work with and reviewed the guidance from key players within the payment card industry. 

We advise you to take the following steps:

  1. Identify all payment journeys

Map out every point where payment card details are collected. This includes donations, shop checkouts, challenge event sign-ups, membership payments, and anything else requiring card details.

  2. For each identified journey, check platform-specific PCI DSS guidance

This could involve speaking to the platform directly or reviewing their documentation. Ask which of the script-related requirements the platform covers for the pages it serves and which remain yours; the answer depends on how the payment form is integrated (a full redirect to the platform’s site, an embedded iframe, or a form on your own page). Your internal compliance team should also be confident that each platform has the necessary measures in place.

  3. Review how you are currently managing tags and scripts

We advise using Google Tag Manager so that scripts across your domain are managed in a single place. Bear in mind that this centralises control rather than reducing scope: the container is itself a script on the payment page, and anyone who can publish to it can change what runs there. Some donation and e-commerce platforms also offer a Managed Script Service, where they manage scripts on the user journeys their platform facilitates.

This may fragment your set-up: tags not managed by the platform you work with remain in Google Tag Manager, while others are managed by the platform.

If you choose to pursue a Managed Script Service (which does have several benefits), we recommend speaking to the platform to agree the scope of their service. Find out how it can coexist with the tags and scripts you still need to manage for actions taken elsewhere on your site.

  4. Maintain an inventory of scripts

The Payment Card Industry Data Security Standard places the onus on your organisation to know what scripts are present on payment pages, why each one is there, and who approved it.

Although the requirement applies to payment pages, keeping a full log of all scripts is good practice for website security.

A simple template could include:

  • Tag/Script name
  • A link to the tag/script
  • Trigger that fires the tag
  • Explanation of when the tag fires
  • Business reason for the tag/script (why do you need it?)
  • Who approved the tag, and when
  • How its integrity is assured (for example a pinned version, an integrity hash recorded at approval, or the platform’s managed service)
  • When the tag was last checked
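The following is an added example, not code from this post or from any donation platform, showing what the inventory above looks like once it is used for the checks described earlier: every script on the payment page must appear in the inventory, and each approved script’s content is compared with the hash recorded when it was approved. All URLs, script bodies and dates are constructed fixtures; the one real assumption is that you can fetch the page and its scripts the way a donor’s browser would.

```python
"""Audit the scripts on a payment page against an approved inventory.

Added example for this post, not code from the article or from any donation
platform. It performs the checks PCI DSS v4.0 requirements 6.4.3 and 11.6.1
call for: every script inventoried, justified and authorised, with changes
detected. Every URL, script body and hash below is a constructed fixture.
"""
import hashlib
from html.parser import HTMLParser


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()  # recorded when a script is approved


# Constructed fixtures: hypothetical script URLs and their bodies as approved.
CHECKOUT_JS = "https://cdn.example-donations.org/checkout.js"
GA4_JS = "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"
LOTTERY_JS = "https://widgets.example-lottery.org/embed.js"
GTM_SNIPPET = ("(function(w,l){w[l]=w[l]||[];w[l].push({'gtm.start':1,"
               "event:'gtm.js'});})(window,'dataLayer');")
APPROVED_BODIES = {
    CHECKOUT_JS: b"window.Checkout={mount:function(el){/* hosted card form */}};",
    GA4_JS: b"window.dataLayer=window.dataLayer||[];",
    LOTTERY_JS: b"/* lottery sign-up widget */",
}

# The inventory from the post (name, link, purpose, approval date) plus the hash
# of each body at approval. An inline script has no URL: src=None, matched by hash.
INVENTORY = [
    {"name": "Donation checkout", "src": CHECKOUT_JS, "purpose": "Hosted card form",
     "approved": "2025-01-10", "sha256": sha256_hex(APPROVED_BODIES[CHECKOUT_JS])},
    {"name": "GA4 loader", "src": GA4_JS, "purpose": "Page-view analytics",
     "approved": "2025-01-10", "sha256": sha256_hex(APPROVED_BODIES[GA4_JS])},
    {"name": "Lottery widget", "src": LOTTERY_JS, "purpose": "Lottery sign-up embed",
     "approved": "2024-06-01", "sha256": sha256_hex(APPROVED_BODIES[LOTTERY_JS])},
    {"name": "GTM container snippet", "src": None, "purpose": "Loads GTM container",
     "approved": "2025-01-10", "sha256": sha256_hex(GTM_SNIPPET.encode())},
]

# What this week's check observes: the page as served and each external script as
# fetched. checkout.js changed since approval and an unapproved script appeared.
UNKNOWN_JS = "https://stats.example-thirdparty.net/track.js"
PAGE_HTML = f"""<html><head>
<script>{GTM_SNIPPET}</script>
<script src="{CHECKOUT_JS}"></script>
<script src="{GA4_JS}"></script>
<script src="{UNKNOWN_JS}"></script>
</head><body><form id="donate"></form></body></html>"""
FETCHED_BODIES = {
    CHECKOUT_JS: APPROVED_BODIES[CHECKOUT_JS] + b"/* modified since approval */",
    GA4_JS: APPROVED_BODIES[GA4_JS],
    UNKNOWN_JS: b"/* not in the inventory */",
}


class ScriptCollector(HTMLParser):
    """Collects every <script> element: external src URLs and inline bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def audit_payment_page(html, fetched_bodies, inventory):
    """Return findings: 'unauthorised' (on the page, not in the inventory), 'changed'
    (approved, but the fetched body no longer matches its hash), 'unused' (approved,
    but absent from the page) and 'ok'."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    by_src = {e["src"]: e for e in inventory if e["src"]}
    inline_ok = {e["sha256"] for e in inventory if e["src"] is None}
    findings = {"unauthorised": [], "changed": [], "unused": [], "ok": []}
    for src in collector.external:
        entry = by_src.get(src)
        if entry is None:
            findings["unauthorised"].append(src)
        elif sha256_hex(fetched_bodies.get(src, b"")) != entry["sha256"]:
            findings["changed"].append(src)
        else:
            findings["ok"].append(src)
    for body in collector.inline:  # inline scripts are authorised by content hash
        digest = sha256_hex(body.encode())
        findings["ok" if digest in inline_ok else "unauthorised"].append("inline:" + digest[:12])
    findings["unused"] = [s for s in by_src if s not in collector.external]
    return findings
```

Run `audit_payment_page(PAGE_HTML, FETCHED_BODIES, INVENTORY)` and the unapproved script lands in `unauthorised`, the altered checkout script in `changed`, and the lottery widget that no longer appears on this page in `unused`, which is exactly the list to work through when deciding what to keep, amend or delete. For scripts whose vendors update them without notice (the GA4 loader, the GTM container), a hash mismatch is a prompt to review and re-approve rather than proof of tampering, so record the new hash once someone has looked at the change.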

Support with identifying old/unused tags.

Check what’s currently running and decide whether to keep, amend, or delete each tag. Outdated or unused scripts should be removed. This can be included in your existing retainer.

Encourage regular GTM monitoring.

  1. Review the GTM version history and workspace changes every week. A newly published container version on a payment page is a script change for the purposes of the weekly check, so confirm that every published version was expected. At this stage, we recommend keeping this in-house; an agency can do it, but at additional cost.
  2. Remove Publish permissions from anyone who is not an employee or explicitly contracted for tag management. Edit access may be appropriate for some users, but only a select few should be able to publish.

An evolving situation, but we’re here to help

These security updates are still evolving. As more details emerge, best practices may shift. 

Our Data and Analytics Team at Platypus are ready to help charities stay compliant and secure.

March 2025 will come around fast – now is the time to prepare! If you have questions or need support, get in touch.
