Church Community Builder creates software that empowers churches to build an engaged, tight-knit community both within and beyond their doors. The company’s cloud-based software solution includes a variety of tools for successfully managing a church, including a component for giving. With sensitive data and millions of dollars passing through the Church Community Builder payments infrastructure, it is mission-critical that they maintain a strong cybersecurity posture as well as compliance with data security standards such as that utilized by the payment card industry (PCI).
Software providers have a responsibility to uphold a strong security posture, not only to protect their customers but also to maintain their own business integrity. Despite that, many organizations find it difficult to allocate the time and manpower to consistently meet their security and compliance obligations.
“Data security has always been of utmost importance to us because we are a trusted technology provider,” said Jonathan Sahhar, Technology Operations Lead at Church Community Builder. “A security compromise would break that trust, not only between us and the churches we serve, but also between the churches and their congregants.”
The Church Community Builder team did not intend to become part of the negative statistics, so they worked hard to keep security and compliance top-of-mind. Yet as the company’s scope for managing payment card data grew, ensuring a secure environment became more complex. It soon became necessary to enlist the help of a PCI Qualified Security Assessor (QSA).
Faced with the need to achieve PCI validation as a Level 1 Service Provider, Church Community Builder began their search for a security consultant that could guide them through the long-term challenge ongoing PCI compliance represents. In their minds, they knew that a key issue would be minimizing PCI scope creep for stronger data control and smoother annual validation.
ControlScan used a mix of education, information and inspiration to get Church Community Builder ready for their first audit and position them for ongoing compliance. At the heart of the solution was ControlScan’s PCI Security Consulting Services .
ControlScan understands that when a company is just starting out with PCI compliance, the last thing they want to do is wade through hundreds of pages of rules and requirements. In addition, the right motivation behind achieving compliance can make the difference between a once-in-time achievement and succeeding year after year. Church Community Builder was on board; the IT team understood that PCI compliance aligns with their organizational beliefs and that tying compliance into their company vision gives them a better chance at sustaining it.
Church Community Builder started with a ControlScan PCI Gap Analysis to quickly identify the organization’s security risks and corresponding compliance gaps. Having a PCI Gap Analysis before the formal QSA assessment is smart, because identifying and addressing gaps up front saves time, stress and money over the long term.
Church Community Builder is on its fourth successful year as a PCI Level 1 Service Provider. This is a direct result of taking ControlScan’s advice not only on what to do to pass their audits, but also on how to become a truly compliant organization: “Have the right heart and the right motivation about it.”
Sahhar noted, “Let’s be frank, trying to keep people excited about PCI compliance is a pretty big task, so we make it fun and continually remind our people why it's important.”
Church Community Builder now considers the ControlScan team “friends” because of the trust that has been built. And instead of the trepidation felt that first year of PCI auditing, the IT team now (almost!) looks forward to each annual QSA assessment.
“We are driven by each church’s success, and that success is based upon their ability to grow disciples as a result of using our software,” said Sahhar. “ControlScan has our back. Their knowledge and accessibility have been critical to our—and our churches’—success.”