The Spotlight
The Official Blog for Arts and Cultural Organizations

Important announcement regarding Patron Edge 3.340

Posted: Sep 03, 2008 by Nicholai Burton | with 2 comment(s)

We are making several important changes to the next version of Patron Edge in an effort to meet PA-DSS rules. These changes are required in order for your organization to reach compliance with Payment Card Industry standards and continue to process credit cards. The most important changes are these:

Credit card storage - Patron Edge 3.340 will no longer store credit card data. In the event that your database is compromised, you can now be assured that no one will be able to manipulate or decrypt the credit card numbers of your patrons.

SQL upgrades - Patron Edge 3.340 will no longer be compatible with MS SQL Server 2000. This is required by our new key management policy: your organization will set its own encryption key, which protects credit cards in transit (waiting to be authorized) from compromise. This increases security because only your database administrator will know the encryption key, so even if someone were to obtain the older, Blackbaud-generated encryption key, your Patron Edge 3.340 database would not be vulnerable. If your organization is not already running SQL 2005, now is the best time to start planning for an upgrade.

More details will be coming related to our compliance measures as the next release approaches, both on The Spotlight and on the Patron Edge documentation page.

Has your organization started planning for PCI compliance? Share your thoughts or best practices in the comments.



Comments

John Holm said:

The lack of credit-card info in the database is a big step for security, but my ticket-sales department will see this as a step backwards for customer service and functionality. We allow managers to see the full card number on orders so that we can verify with customers what card was charged for an order. Sometimes we don't know who placed the order, and have to do a refund to the same card. We also offer a split-payment service, where we charge the same card for the other half of the total a couple months later.

Is it really true that all credit card info will not exist in the database? If so, that means we will have to store card numbers in a separate place. Is there a plan to have an option to store the info if PE users wish to (which we do...)?

# November 4, 2008 6:09 PM

Nicholai Burton said:

It is true that the info will only exist during the authorization process and will be wiped afterwards. While it is the most secure, I agree that it can potentially put a strain on customer service. As a workaround, there is still the ability in PCCharge to enter the TroutD number to retrieve credit card number and expiration. This number can be gotten from a Credit Card Detail report in PCCharge.

I understand this is not an ideal solution, but removing cards was the path that Blackbaud chose to take in order to reach PA-DSS compliance in time for the PCI-mandated deadline without significantly affecting performance.

# November 4, 2008 7:40 PM