Welcome

nonprofit solutions
By Organizational Focus
By Solution Area
By Goal
Products A-Z All Services Can't find what you're looking for? Chat Live!
resources
Products A-Z Can't find what you're looking for? Chat Live!
support
Can't find what you're looking for? Chat Live!
training
Can't find what you're looking for? Chat Live!
events
- Web Seminars
- User Groups
- Regional Sales Seminars
- BBCon 2012
Can't find what you're looking for? Chat Live!
company
Can't find what you're looking for? Chat Live!

PCI Compliance

Company>PCI Compliance>Frequently Asked Questions

Frequently Asked Questions about PCI Compliance

How does PCI affect specific Blackbaud products?

Who regulates these standards?

The Payment Card Industry Data Security Standards are a set of requirements instituted and regulated by the https://www.pcisecuritystandards.org/. The PCI SSC is a consortium of major card brands including VISA, MasterCard, AMEX, DiscoverCard and JCB, created to enhance credit and debit card data security. All organizations that process, store, or transmit payment card data must comply with PCI DSS requirements or risk losing their ability to process credit card payments. The council also supports Payment Application (PA) security standards for software products that are installed and used locally by merchants to process, store or transmit credit card data. Software products that meet PA DSS standards have been validated as compliant with PCI DSS requirements and enable merchants to readily attain PCI compliance.

I’ve heard a lot of dates associated with PCI. What are the “real” ones?

Visa has been the principle driver in setting these compliance dates. Here are the dates from Visa:

October, 1 2008

Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications.
Merchants must be PCI DSS compliant or use PA DSS validated applications to obtain a NEW merchant ID number

October, 1 2009

VisaNet Processors (VNPs) …..must decertify all vulnerable payment applications.
Systems that have been subject to a security breech

July 1, 2010

Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications
Applies to all organizations that process credit cards

Keep in mind that payment gateways are enforcing these dates independently. You need to check with your processor to find out if their dates are different that what has been published by the card brands..

What do I have to do?

It is the responsibility of each organization to comply with the PCI DSS by the dates prescribed by the PCI Security Council or by your acquiring bank. Blackbaud can help you comply by providing applications and solutions that meet these standards. You should review the standards provided by the security council and assess your PCI requirements

Download the PCI Quick Reference Guide
Download and complete the appropriate Self-Assessment Questionnaire
Download the PCI DSS 1.2
Contact your acquiring bank or the agency that issued your merchant ID and ask for clarity on their dates for compliance.
Use compliant applications when they become available.

What are the merchant levels?

Visa and the other card brands distinguish “merchants” by levels depending on the number of transactions transmitted on an annual basis.

Level 1: Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region**. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

** A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.

Are these PCI regulations laws?

PCI DSS are a set of regulations developed by the PCI Security Council and the card brands. One of the goals is to achieve self-regulation and to avoid legal jurisprudence. There are, however a number of states that have implemented laws associated with data security that includes credit card security.

You should ask your legal counsel if there are laws in your state that are applicable to credit card security.

What has Blackbaud done to become PCI compliant?

One - Blackbaud has modified every application that processes, stores, transmits credit card numbers to become PCIDSS and PADSS compliant. We have implemented PCI standards regarding secure storage of data, strong access control, and other requirements. The list of affected products includes:

Altru
The Raiser’s Edge
Blackbaud NetSolutions
Blackbaud NetCommunity
Blackbaud CRM
The Education Edge
Blackbaud Student Information System
The Financial Edge
The Patron Edge/The Patron Edge Online

Two - Blackbaud developed a secure, PCI DSS compliant credit card gateway that facilitates processing via our products. This gateway has passed a Level 1 PCI DSS audit certified by Trustwave, our PCI auditors. This enables users to process credit card transactions as they do today without the burden of maintaining all card data locally.

The Blackbaud Payment Service (BBPS), a secure vaulting and tokening service to make being PCI compliant easier for our customers.

Three - Blackbaud has upgraded our entire OnDemand hosting environment to ensure PCI DSS compliance and data security.

Four - Blackbaud has passed all audits conducted by our 3rd-party Qualified Security Assessor, Trustwave.

Five - For existing Blackbaud customers, we have created Knowledge Base solutions to explain in detail the changes to each of the applications. We have also included Implementation Guides for the applications that have completed their audit process, system requirements and upgrade procedures..

The Blackbaud Payment Service (BBPS)

What is the Blackbaud Payment Service (BBPS)?
In order to make The Raiser's Edge, NetSolutions, Blackbaud NetCommunity, and Blackbaud Enterprise CRM compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). BBPS integrates with the PA DSS compliant versions of our software and stores credit card and merchant account information in a secure environment. Credit card numbers will no longer be visible in our software and will be replaced with reference tokens. When you process credit card transactions, the reference token in your database will summon the stored credit card number from BBPS to be used in the transaction.

Download the BBPS Overview for or more information

How does the BBPS work?
When you migrate to the next version of The Raiser’s Edge, Blackbaud NetCommunity and Blackbaud CRM, you will connect to the BBPS which will scan your Raiser’s Edge or CRM database for credit card numbers and upload them to the service. BBPS will communicate to your credit card processor, validate your credit cards and return a unique token to your database that will always reference that credit card. Users will see this token as the last four digits of the credit card number.

What credit card processor is supported by BBPS?
BBPS supports many processors. Additionally, Blackbaud has partnered with several payment processors to provide multiple options for payment processing.

Are there any additional charges for the PA DSS versions of these applications?
No. These are considered regular upgrades and are covered in your maintenance contract.

Can we use the token to add new donations or do we need to get the credit card again?
You do not need to get a credit card number again from the donor once the original number has been saved and tokenized. The token is stored in your database and will appear to users as a truncated credit card number. You just reference the token and the new donations are attributed to the credit card.

If I use these new versions of Blackbaud software will I be PCI compliant?
Using PA DSS Blackbaud’s certified applications will help you become PCI compliant by no longer storing credit card information in the databases, but you will still need to assess if your organization and network complies with PCI DSS requirements.

However, each organization is responsible for validating their compliancy with the PCI standards. We suggest you review the self-assessment at the PCI Security Council’s website.

If we are not using The Raiser’s Edge and use a 3rd party vendor to process our credit cards, how do we know if they are PCI compliant?
You should contact your vendor and request a copy of their Report on Compliance (ROC) and ask who did the assessment. You may want to contact the assessing body for additional information.

The Raiser's Edge

What changes are being made to The Raiser's Edge?
In order to make The Raiser's Edge compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). BBPS will integrate with The Raiser's Edge and store credit card and merchant account information in a secure environment.

During the update to PA DSS version of The Raiser's Edge, you will be prompted to choose whether to store your credit cards in BBPS or to delete them. If you choose to use BBPS, credit card numbers will no longer be visible in The Raiser's Edge and will be replaced with reference tokens; users will see these token as the last four digits of the credit card number. When you process credit card transactions, the reference token in your database will summon the stored credit card number from BBPS to be used in the transaction. Currently, if you choose to use The Raiser’s Edge with BBPS, you can only use IATS or IC Verify to process credit card transactions. Additional processors will be added in the second half of 2009.

If you choose not to use BBPS, back up your credit card data before updating to the PA DSS version of our software as all credit card information will be removed. Contact a Qualified Security Assessor for advice on how to secure this credit card information in accordance with PCI DSS. Blackbaud has a partnership with Trustwave to provide discounted PCI services to our customers.

When will the PA DSS version of The Raiser's Edge become generally available?
The PA DSS version of The Raiser's Edge is available today.

Altru

The Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help facilitate the broad adoption of consistent payment card data security measures on a global basis. In order to meet the requirements as defined in these standards, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Altru?
In order to make Altru compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). Beginning in version 2.0, Altru is integrated with BBPS to securely store credit card and merchant account information and facilitate credit card processing in a PCI-compliant environment.

If you are a customer who processes credit card transactions within Altru, upon upgrade to version 2.0, full credit card numbers will no longer be visible in the product and will be replaced with reference tokens; users will see these token as the last four digits of the credit card number. When you process credit card transactions, the reference token in your database will summon the full credit card number that will be stored in BBPS to be used in the transaction. You will be able to continue to process credit card transactions as you do today and no other functionality is affected by the change.

When will the PA DSS version of Altru become generally available?
The PA DSS version of Altru is available today.

Blackbaud CRM

The Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help facilitate the broad adoption of consistent payment card data security measures on a global basis. In order to meet the requirements as defined in these standards, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Blackbaud CRM?
In order to make Blackbaud CRM compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). Beginning in version 2.0, Blackbaud CRM is integrated with BBPS to securely store credit card and merchant account information and facilitate credit card processing in a PCI-compliant environment.

If you are a customer who processes credit card transactions within Blackbaud CRM, upon upgrade to version 2.0, full credit card numbers will no longer be visible in the product and will be replaced with reference tokens; users will see these token as the last four digits of the credit card number. When you process credit card transactions, the reference token in your database will summon the full credit card number that will be stored in BBPS to be used in the transaction. You will be able to continue to process credit card transactions as you do today and no other functionality is affected by the change.

When will the PA DSS version of Blackbaud CRM become generally available?
The PA DSS version of Blackbaud CRM is available today.

The Patron Edge

The Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help software vendors develop secure payment applications in compliance with PCI DSS. To make our software PA DSS compliant, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to The Patron Edge and Patron Edge Online?
Earlier versions of The Patron Edge stored unencrypted credit card information before transactions cleared. Once the transactions cleared, the credit card numbers were encrypted and stored in the database. All organizations used the same encryption algorithm key.

Beginning in The Patron Edge version 3.34 and Patron Edge Online version 3.35, credit card information will be encrypted prior to clearing transactions. After the transactions are cleared, all but the last four digits of the credit card number will be deleted from the database. During the update to The Patron Edge 3.34 and Patron Edge Online 3.35, a new encryption utility will locate all credit card numbers stored in the database and mask them, retaining only the last four digits.

Will I need to update Microsoft SQL Server?
Beginning in version 3.34, The Patron Edge will no longer be compatible with MS SQL Server 2000. If you have not already done so, your organization will need to upgrade to Microsoft SQL Server 2005 before installing version 3.34. This is required for the encryption key used for credit card transactions. To prepare for the changes with Microsoft SQL compatibility, review the new system recommendations.

Will I have backwards compatibility?
The Patron Edge 3.34 and Patron Edge Online 3.35 are not compatible with older versions and must be updated simultaneously. Your account executive will contact you to discuss update plans and Support will be available to assist you during the update process.

Do The Patron Edge or The Patron Edge Online integrate with the Blackbaud Payment Service?
No; The Patron Edge and The Patron Edge Online are point-of-sale systems and do not store credit card information for future use.

When will the PA DSS versions of The Patron Edge or The Patron Edge Online become generally available?
The PA DSS versions of The Patron Edge or The Patron Edge Online are available today.

NetSolutions

What changes are being made to NetSolutions?
In order to make NetSolutions compliant with PCI DSS, we have developed the Blackbaud Payment Service (BBPS). The Raiser's Edge and BBPS will integrate with NetSolutions and store credit card and merchant account information in a secure environment.

When a donation is made through NetSolutions, the credit card information is verified by your credit card processor and stored in BBPS. Credit card numbers will no longer be downloaded to The Raiser's Edge and will be replaced with reference tokens; users will see these token as the last four digits of the credit card number.

Will this affect recurring gifts?
After you have updated to a compliant version of The Raiser's Edge, you will be able to continue to process credit card transactions normally. When you process recurring gifts, the reference token in your database will summon the stored credit card number from BBPS to be used in the transaction.

Will I need to update The Raiser's Edge?
If you accept recurring credit card gifts through NetSolutions, you will need to upgrade to the compliant version of The Raiser’s Edge to continue processing and accepting recurring credit card gifts in your usual manner.

Note: If your organization only accepts one-time credit card donations from NetSolutions, this update is not mandatory. However, you will not be able to download any credit card information. You will need to contact either your credit card processor or the donor to get this information.

When will the PA DSS version of NetSolutions become generally available?
The PA DSS version of NetSolutions is available today.

The Financial Edge, Blackbaud Student Information System, The Education Edge

What changes are being made to Blackbaud Student Information System, The Education Edge, and The Financial Edge?
Earlier versions of Blackbaud Student Information System, The Education Edge, and The Financial Edge stored the entire credit card number in the Credit Card Number field on payments. Beginning in version 7.77, only the last four digits of the credit card number are displayed. For new payments, users cannot enter the entire credit card number. For existing payments, on which the entire credit card number was previously displayed, the rest of the credit card number will be removed.

When will the PA DSS versions of The Financial Edge, Blackbaud Student Information System, The Education Edge become generally available?
The PA DSS versions of The Financial Edge, Blackbaud Student Information System, The Education Edge are available today.

Blackbaud NetCommunity

What changes are being made to Blackbaud NetCommunity?
In order to make Blackbaud NetCommunity compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). Blackbaud NetCommunity integrates with BBPS to store credit card and merchant account information in a secure environment. This change should not affect existing Blackbaud NetCommunity functionality.

How does the integration with BBPS work?
For one-time donations, there is no change from a user perspective between the current payment service and BBPS. Your data will move from the existing service to the BBPS.

If you accept recurring debit or credit card gifts through Blackbaud NetCommunity, you will need to upgrade to a compliant version of The Raiser’s Edge to continue processing new gifts in your usual manner. If you do not download credit card information into The Raiser’s Edge, you will not notice a difference between the current version of Blackbaud NetCommunity and the compliant version. However, if you do not upgrade to the compliant version of The Raiser's Edge, you will no longer have the option to download credit card numbers/tokens into The Raiser’s Edge.

When will the PA DSS version of Blackbaud NetCommunity become generally available?
The PA DSS version of Blackbaud NetCommunity is available today.

eTapestry

All eTapestry services are fully PCI compliant. PCI compliance is a set of security requirements endorsed by the PCI Security Standards Council, founded by a consortium of major credit card brands to enhance credit and debit card data security. The consortium includes Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and JCB.

All organizations that process, store, or transmit payment card data must comply with PCI standards. All existing merchant organizations must comply with PCI standards or risk losing their ability to process credit card payments.

Call Us