Frequently Asked Questions About PCI Compliance

How does PCI affect specific Blackbaud products?

Who regulates these standards?

The Payment Card Industry Data Security Standards are a set of requirements instituted and regulated by the PCI Security Standards Council (PCI SSC, https://www.pcisecuritystandards.org/). The PCI SSC is a consortium of major card brands including VISA, MasterCard, AMEX, DiscoverCard and JCB, created to enhance credit and debit card data security. All organisations that process, store, or transmit payment card data must comply with PCI DSS requirements or risk losing their ability to process credit card payments. The council also supports Payment Application (PA) security standards for software products that are installed and used locally by merchants to process, store or transmit credit card data. Software products that meet PA DSS standards have been validated as compliant with PCI DSS requirements and enable merchants to readily attain PCI compliance.

I’ve heard a lot of dates associated with PCI. What are the “real” ones?

Visa has been the principal driver in setting these compliance dates. Here are the dates from Visa:

October 1, 2008

  • Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications
  • Merchants must be PCI DSS compliant or use PA DSS validated applications to obtain a NEW merchant ID number

October 1, 2009

  • VisaNet Processors (VNPs) must decertify all vulnerable payment applications
  • Systems that have been subject to a security breach

July 1, 2010

  • Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications
  • Applies to all organisations that process credit cards

Keep in mind that payment gateways are enforcing these dates independently. You need to check with your processor to find out if their dates are different from what has been published by the card brands.

What do I have to do?

It is the responsibility of each organisation to comply with the PCI DSS by the dates prescribed by the PCI Security Council or by your acquiring bank. Blackbaud can help you comply by providing applications and solutions that meet these standards. You should review the standards provided by the security council and assess your PCI requirements.

What resources are available to help me with PCI compliance?

To help promote the awareness of the security requirements for credit card and cardholder data, Blackbaud has developed Payment Application Data and Security Standards Implementation Guides about PCI DSS and how it impacts your organisation.

Note: These guides provide only an overview of PCI DSS requirements and recommended best practices to ensure compliance. For complete details, visit the PCI Security Standards Council’s website. Blackbaud cannot fill out self-assessment questionnaires for our clients because PCI compliance encompasses the client’s environment and practices.

What are the merchant levels?

Visa and the other card brands distinguish “merchants” by levels depending on the number of transactions transmitted on an annual basis.

  • Level 1: Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region**. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimise risk to the Visa system.
  • Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
  • Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
  • Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

** A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.

Are these PCI regulations laws?

PCI DSS is a set of regulations developed by the PCI Security Council and the card brands. One of the goals is to achieve self-regulation and to avoid legal jurisprudence. There are, however, a number of states that have implemented laws associated with data security that include credit card security.

You should ask your legal counsel if there are laws in your state that are applicable to credit card security.

What has Blackbaud done to become PCI compliant?

One - Blackbaud has modified every application that processes, stores, or transmits credit card numbers to become PCI DSS and PA DSS compliant. We have implemented PCI standards regarding secure storage of data, strong access control, and other requirements. The list of affected products includes:

  • The Raiser’s Edge
  • Blackbaud NetCommunity
  • Blackbaud CRM
  • The Education Edge
  • The Financial Edge

Two - Blackbaud developed a secure, PCI DSS compliant credit card gateway that facilitates processing via our products. This gateway has passed a Level 1 PCI DSS audit certified by Trustwave, our PCI auditors. This enables users to process credit card transactions as they do today without the burden of maintaining all card data locally.

This gateway is the Blackbaud Payment Service (BBPS), a secure vaulting and tokenising service that makes being PCI compliant easier for our customers.

Three - Blackbaud has upgraded our entire Blackbaud Application Hosting environment to ensure PCI DSS compliance and data security.

Four - Blackbaud has passed all audits conducted by our 3rd-party Qualified Security Assessor, Trustwave.

Five - For existing Blackbaud customers, we have created Knowledge Base solutions to explain in detail the changes to each of the applications. We have also included Implementation Guides for the applications that have completed their audit process, system requirements and upgrade procedures.

Where can I validate Blackbaud’s PCI compliance?

Blackbaud provides secure storage of clients’ credit card data and is currently registered, and maintains its services, as a Level 1 PCI Compliant Service Provider. Blackbaud’s applications are also certified DSS compliant, as follows:

The Blackbaud Payment Service (BBPS)

What is the Blackbaud Payment Service (BBPS)?
In order to make The Raiser's Edge, NetSolutions, Blackbaud NetCommunity, and Blackbaud Enterprise CRM compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). BBPS integrates with the PA DSS compliant versions of our software and stores credit card and merchant account information in a secure environment. Credit card numbers will no longer be visible in our software and will be replaced with reference tokens. When you process credit card transactions, the reference token in your database will summon the stored credit card number from BBPS to be used in the transaction.

How does the BBPS work?
When you migrate to the next version of The Raiser’s Edge, Blackbaud NetCommunity, or Blackbaud CRM, you will connect to the BBPS, which will scan your Raiser’s Edge or CRM database for credit card numbers and upload them to the service. BBPS will communicate with your credit card processor, validate your credit cards, and return a unique token to your database that will always reference that credit card. Users will see this token as the last four digits of the credit card number.
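The vaulting-and-tokenisation flow described in the two answers above (full numbers leave the merchant database, an opaque token takes their place, users see only the last four digits, and charges are made by token) can be illustrated with a small self-contained model. The following is an added example, not Blackbaud code and not the BBPS API: the class and function names (`CardVault`, `DonorRecord`, `migrate_database`), the `tok_` token format and the sample card numbers are assumptions constructed for illustration, and the processor call is simulated.

```python
"""Toy model of a card vault with tokenisation (added example, not BBPS code)."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used to recognise real card numbers
    and to reject typos before anything is vaulted."""
    if not PAN_RE.match(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """The only form the merchant application ever displays: last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Stand-in for the vaulting service: the only place full numbers live.
    Hypothetical class, not the BBPS interface."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random token: nothing about the card number can be derived from it.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """The merchant sends only the token; the vault resolves it and talks
        to the processor (simulated here). Only masked data comes back."""
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"approved": amount_cents > 0, "card": mask_pan(pan), "amount": amount_cents}


@dataclass
class DonorRecord:
    donor: str
    card_number: Optional[str] = None   # legacy field holding a full number
    card_token: Optional[str] = None    # what replaces it after migration
    card_display: Optional[str] = None  # masked form shown to users


def migrate_database(records: List[DonorRecord], vault: CardVault) -> int:
    """Mirror of the upgrade step: find stored numbers, vault them, and keep
    only the token and the last four digits. Returns the count vaulted."""
    moved = 0
    for r in records:
        if r.card_number is None:
            continue
        digits = re.sub(r"\D", "", r.card_number)
        if luhn_valid(digits):
            r.card_token = vault.tokenize(digits)
            r.card_display = mask_pan(digits)
            moved += 1
        # Valid or not, the raw number must not survive the migration.
        r.card_number = None
    return moved


def database_holds_pan(records: List[DonorRecord]) -> bool:
    """Post-migration check: no text field may still carry a full, valid number."""
    for r in records:
        for v in vars(r).values():
            if isinstance(v, str) and luhn_valid(v.replace(" ", "").replace("-", "")):
                return True
    return False


def sample_records() -> List[DonorRecord]:
    """Constructed sample data using well-known test card numbers."""
    return [
        DonorRecord("Donor A", card_number="4111111111111111"),
        DonorRecord("Donor B", card_number="5555 5555 5555 4444"),
        DonorRecord("Donor C", card_number="4111111111111112"),  # fails Luhn
        DonorRecord("Donor D"),                                  # no card on file
    ]


if __name__ == "__main__":
    vault = CardVault()
    recs = sample_records()
    print("vaulted:", migrate_database(recs, vault))
    print("full numbers left in database:", database_holds_pan(recs))
    print(vault.charge(recs[0].card_token, 2500))
```

The check in `database_holds_pan` is what a practitioner should run after such a migration: the goal of tokenisation is only met if no full number remains anywhere in the merchant-side store, including fields that were never meant to hold one.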

What credit card processor is supported by BBPS?
BBPS supports many processors. Additionally, Blackbaud has partnered with several payment processors to provide multiple options for payment processing.

Are there any additional charges for the PA DSS versions of these applications?
No. These are considered regular upgrades and are covered in your maintenance contract.

Can we use the token to add new donations or do we need to get the credit card again?
You do not need to get a credit card number again from the donor once the original number has been saved and tokenised. The token is stored in your database and will appear to users as a truncated credit card number. You just reference the token and the new donations are attributed to the credit card.

If I use these new versions of Blackbaud software will I be PCI compliant?
Using Blackbaud’s PA DSS certified applications will help you become PCI compliant by no longer storing credit card information in the databases, but you will still need to assess whether your organisation and network comply with PCI DSS requirements.

However, each organisation is responsible for validating its compliance with the PCI standards. We suggest you review the self-assessment at the PCI Security Council’s website.

If we are not using The Raiser’s Edge and use a 3rd party vendor to process our credit cards, how do we know if they are PCI compliant?
You should contact your vendor and request a copy of their Report on Compliance (ROC) and ask who did the assessment. You may want to contact the assessing body for additional information.

The Raiser's Edge

What changes are being made to The Raiser's Edge?
In order to make The Raiser's Edge compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). BBPS will integrate with The Raiser's Edge and store credit card and merchant account information in a secure environment.

During the update to the PA DSS version of The Raiser's Edge, you will be prompted to choose whether to store your credit cards in BBPS or to delete them. If you choose to use BBPS, credit card numbers will no longer be visible in The Raiser's Edge and will be replaced with reference tokens; users will see these tokens as the last four digits of the credit card number. When you process credit card transactions, the reference token in your database will summon the stored credit card number from BBPS to be used in the transaction.

If you choose not to use BBPS, back up your credit card data before updating to the PA DSS version of our software as all credit card information will be removed. Contact a Qualified Security Assessor for advice on how to secure this credit card information in accordance with PCI DSS. Blackbaud has a partnership with Trustwave to provide discounted PCI services to our customers.

When will the PA DSS version of The Raiser's Edge become generally available?
The PA DSS version of The Raiser's Edge is available today.

Blackbaud CRM

The Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help facilitate the broad adoption of consistent payment card data security measures on a global basis. In order to meet the requirements as defined in these standards, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Blackbaud CRM?
In order to make Blackbaud CRM compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). Beginning in version 2.0, Blackbaud CRM is integrated with BBPS to securely store credit card and merchant account information and facilitate credit card processing in a PCI-compliant environment.

If you are a customer who processes credit card transactions within Blackbaud CRM, upon upgrade to version 2.0, full credit card numbers will no longer be visible in the product and will be replaced with reference tokens; users will see these tokens as the last four digits of the credit card number. When you process credit card transactions, the reference token in your database will summon the full credit card number stored in BBPS to be used in the transaction. You will be able to continue to process credit card transactions as you do today, and no other functionality is affected by the change.

When will the PA DSS version of Blackbaud CRM become generally available?
The PA DSS version of Blackbaud CRM is available today.

The Financial Edge and The Education Edge

The Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help software vendors develop secure payment applications in compliance with PCI DSS. To make our software PA DSS compliant, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to The Education Edge and The Financial Edge?
Earlier versions of The Education Edge and The Financial Edge stored the entire credit card number in the Credit Card Number field on payments. Beginning in version 7.77, only the last four digits of the credit card number are displayed. For new payments, users cannot enter the entire credit card number. For existing payments, on which the entire credit card number was previously displayed, the rest of the credit card number will be removed.

When will the PA DSS versions of The Financial Edge and The Education Edge become generally available?
The PA DSS versions of The Financial Edge and The Education Edge are available today.

Blackbaud NetCommunity

The Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help software vendors develop secure payment applications in compliance with PCI DSS. To make our software PA DSS compliant, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Blackbaud NetCommunity?
In order to make Blackbaud NetCommunity compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). Blackbaud NetCommunity integrates with BBPS to store credit card and merchant account information in a secure environment. This change should not affect existing Blackbaud NetCommunity functionality.

How does the integration with BBPS work?
For one-time donations, there is no change from a user perspective between the current payment service and BBPS. Your data will move from the existing service to the BBPS.

If you accept recurring debit or credit card gifts through Blackbaud NetCommunity, you will need to upgrade to a compliant version of The Raiser’s Edge to continue processing new gifts in your usual manner. If you do not download credit card information into The Raiser’s Edge, you will not notice a difference between the current version of Blackbaud NetCommunity and the compliant version. However, if you do not upgrade to the compliant version of The Raiser's Edge, you will no longer have the option to download credit card numbers/tokens into The Raiser’s Edge.

When will the PA DSS version of Blackbaud NetCommunity become generally available?
The PA DSS version of Blackbaud NetCommunity is available today.

eTapestry

All eTapestry services are fully PCI compliant. PCI compliance is a set of security requirements endorsed by the PCI Security Standards Council, founded by a consortium of major credit card brands to enhance credit and debit card data security. The consortium includes Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and JCB.

All organisations that process, store, or transmit payment card data must comply with PCI standards. All existing merchant organisations must comply with PCI standards or risk losing their ability to process credit card payments.

Serving the nonprofit, charitable giving, and education communities for more than 30 years, Blackbaud (NASDAQ:BLKB) combines technology solutions and expertise to help organizations achieve their missions. Blackbaud works in over 60 countries to support more than 30,000 customers, including nonprofits, K–12 private and higher education institutions, healthcare organizations, foundations, and other charitable giving entities, and corporations.

© 2017 Blackbaud, Inc. All Rights Reserved