There's no mistaking the buzz that cloud computing has created. From board rooms to break rooms, everyone these days is talking about "the Cloud". Let's face it, cloud services, whether they be software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS) offerings, are a compelling alternative to traditional IT functions. Cloud services offer increased collaboration, agility, scale, availability and cost reductions. They can simplify and accelerate compliance initiatives and provide for greater security. However, simply outsourcing traditional business and IT functions to cloud service providers is no guarantee that these benefits will be realized. Organizations must continue to participate actively in managing the risks associated with outsourcing such services, particularly those that involve highly regulated information such as constituent data. Otherwise, those organizations might actually be increasing their business risks by outsourcing rather than transferring or mitigating them.
Outsourcing the processing and storage of constituent information doesn't make it inherently more secure. The nature of cloud services, by definition, lacks boundaries and therefore raises concerns with respect to privacy legislation. Regardless of what contractual obligations you may have negotiated with the provider, the requirement to protect your constituent information remains your responsibility wherever the data is located, including the cloud. Does your service provider outsource any data processing or storage functions to third parties? Do those third parties have adequate security programs? How do you know whether or not your service provider (and their service providers) have adequate security programs? While better than nothing at all, independent security assessments (such as those performed as part of a SAS 70 or PCI audit) are point-in-time evaluations. Additionally, the scope of such assessments can be set at the provider's discretion and may not provide accurate insight into the provider's ongoing security activities.
The bottom line is that many questions still remain with respect to Cloud Governance and Enterprise Risk. Non-profit organizations considering migrating their fundraising activities and solutions to cloud services should first evaluate their own practices, needs and restrictions in order to identify legal barriers and compliance requirements. The security of the cloud computing environment isn't separate from your organization's internal policies, procedures, standards, guidelines, and processes. Security is a process, not a product, and therefore the technical security of your constituent data is only as strong as your organization's weakest process. Comprehensive initial and ongoing due diligence audits of both your business practices and your provider's practices are required when making the decision to push sensitive constituent information to the cloud.
I want to thank you for all of your great questions and input concerning PCI DSS. These inquiries have allowed us to better plan for the releases of Blackbaud's compliant applications this summer and our related services. Many of your questions went straight to become Knowledge Base solutions or became listed in our PCI FAQs, both of which are being constantly updated.
It’s been my pleasure being your point of contact over these past months. However, I will be leaving Blackbaud at the end of this month and want to make sure you continue to receive prompt attention to your questions. Over the last few weeks I have been training our Support team on general and application-specific PCI content. I feel sure they are well-equipped to handle your questions.
You can also contact a couple of other people who have been instrumental in Blackbaud's PCI efforts: Jake Marcinko, Blackbaud's Information Security Manager, and Mary Beth Westmoreland, who has been leading our audit efforts.
My plans are to move to France with my family. It has always been a dream of ours. We plan to spend the months of August and September travelling and then move to Eygalieres, a small town in Provence we have visited on several occasions. I hope to continue my work with non-profits in France.
I have enjoyed getting to know many of you through our “virtual” meetings and phone conversations. Blackbaud is a great company and will continue to be able stewards of your needs.
Please let me know how your PCI efforts are progressing. Feel free to drop me an email every now and then at buckywall@comcast.net.
Au revoir,
Bucky
On 4/21 and 4/22, web seminars were held to discuss PCI DSS, the Blackbaud Payment Service and the new versions of The Raiser's Edge and NetCommunity. You can download the presentation or view a recording of the web seminar or the new Raiser's Edge/Blackbaud Payment Service demo!
As part of their Site Data Protection program, MasterCard has listed Blackbaud as a service provider compliant with the PCI Standard.
A Service Provider reported to MasterCard as compliant with the PCI Standard has been provided a Certificate of Validation (COV) by a Qualified Security Assessor (QSA). Blackbaud's COV was presented by our QSA, Trustwave. Check out MasterCard's list of compliant service providers.
NOTE: MasterCard does not endorse or make any representation of any kind as to the nature or quality of service or other performance of any QSA, or Service Provider. MasterCard disclaims any liability of any kind directly or indirectly resulting from the use of or reliance on information appearing or not appearing herein and makes no representation as to the accuracy of any such information.
SC Magazine is sponsoring an all-day virtual conference on PCI. Speakers include Steven Peltzman, CIO from the Museum of Modern Art and Troy Leach, Technical Director at the PCI Security Standards Council.
This is billed as "A completely virtual event where registrants can visit vendor booths, hear from industry experts and retrieve valuable information." Should be cool.
Registration was easy. Go to SC Magazine's site to sign up.
The PCI Security Standards Council has created The Prioritized Approach to help merchants and other organizations (including nonprofits) through their PCI DSS compliance process. This web seminar will introduce the Prioritized Approach and how to put it to use. The Excel tool groups the requirements of PCI DSS 1.2 into six key milestones to consider in a card data security strategy. The Prioritized Approach offers guidance on how to focus PCI DSS implementation efforts in a way that expedites the security of cardholder data. It also:
- Helps identify highest risk targets
- Creates a common language around PCI DSS implementation efforts
- Enables merchants to demonstrate progress on compliance process to key stakeholders – banks, acquirers, QSAs, others
If you want to learn more, check out one of these web seminars:
Blackbaud has established a partnership with Trustwave to provide discounted PCI services to Blackbaud customers. Trustwave is a leading provider of on-demand data security and solutions for payment card industry compliance management. Trustwave is conducting all of Blackbaud's PCI DSS and PA DSS audits.
This partnership allows Blackbaud customers discounted rates and a direct channel to obtain accurate and current PCI and other data security services.
Go to http://www.blackbaud.com/company/pci/trustwave.aspx to find out more!
Blackbaud Services has achieved full Payment Card Industry Data Security Standard (PCI DSS) compliance as a Level 1 Service Provider. Trustwave, the leading provider of on-demand data security and payment card industry compliance management solutions, performed the PCI DSS validation.
View Blackbaud Service's validation by clicking on the Trustwave Trusted Commerce seal!

Bucky Wall, Blackbaud's director of corporate readiness, and Jake Marcinko, our information security manager, were recently interviewed and quoted at length in Nonprofit Technology News. The article discusses some of the challenges PCI DSS compliance presents to nonprofits, as well as helpful tips for becoming compliant. Read the article.
On November 7, Blackbaud partnered with the Nonprofit Technology Network (NTEN) to provide an informational session entitled, “PCI: What’s All The Fuss?” If you missed the seminar, you can still check out Bob Russo's presentation on how these new requirements impact nonprofit organizations, and Mark Banbury's presentation on the approach to compliance at his organization and the importance of these measures to the security of both NPOs and their constituents. Future web seminars will be announced on this blog, our Support Newsletters, and in Alerts.
Blackbaud has teamed up with the Nonprofit Technology Network (NTEN) to provide a great FREE informational session entitled, “PCI: What’s All The Fuss?” We are very pleased that both Bob Russo, General Manager of the PCI Security Council, and Mark Banbury, Vice President and Chief Information Officer for Plan Canada, have agreed to speak about PCI compliance.
Bob will provide information on how these new requirements impact nonprofit organizations and Mark will discuss the approach to compliance at his organization and the importance of these measures to the security of both NPOs and their constituents.
You can register for FREE here: PCI: What's All the Fuss? If you are new to NTEN, create a visitor login by completing a short registration form. Then, select “Take A Webinar” from the LEARN menu (left nav bar), select the PCI session, click Register Today, and log in with your visitor account.
Select Blackbaud in the "How did you hear" field. Click Add to Cart to complete the registration process. (It will ring up as $0 for the webinar.)
Last week, Anne McDonell, Blackbaud's Client Feedback Manager, Kevin Brunson, Sr. Product Support Lead for The Raiser's Edge, and I hosted a webinar on The Raiser's Edge 7.86 beta. The webinar provided an overview of issues surrounding PCI compliance and a demo of the integration of The Raiser's Edge and the new Blackbaud Payment Service.
You can see a recording of the webinar and download the presentation. If you are interested in joining The Raiser’s Edge 7.86 beta program, please fill out the Application Survey or email Anne McDonell. We’re holding a repeat of the webinar on Thursday and Friday, October 23 and 24. If you would like to attend, register now!
Bucky Wall, Director of Corporate Readiness
Posted on behalf of Bucky Wall:
Last week, Jake Marcinko, Blackbaud's Data Security Manager, and I attended the PCI Security Standards Council's (PCI SSC) annual community meeting in Orlando, FL. (You may recall from an earlier press release that Blackbaud joined the PCI SSC this past summer.) The main focus of this year's meeting was the roll-out of the PA DSS and PCI DSS Standards 1.2.
In general, it was a bit of an eye-opener. This was mostly because it's fairly clear that the non-profit space is not on the Security Council's radar. You would think it should be, since charitable giving topped 300 billion last year in the US alone (and while I don't have stats as to the amount donated via credit cards, you can bet it's a sizable number).
Why is the non-profit community a bit of an afterthought? A few things come to mind….
- We haven't seen a serious breach of security resulting in the loss of a large amount of credit card information. And, unfortunately, many organizations don't have self-auditing processes and wouldn't know if there was a breach.
- Most non-profits have a relatively small number of credit cards in their databases, so any loss would be relatively small in comparison to a large merchant (can you say, "TJ Maxx"?).
- General credit card security concerns have been slow to arise in the non-profit space.
- The unique relationship between donor and the receiving organization is fundamentally different than that between merchant and purchaser. Donors don't complain as much as purchasers…
Why should we want to be on the Council's radar?
Decisions have been made and will continue to be made over the next few years that will impact the way non-profits accept credit card donations. You will want a say in these decisions. You might even consider joining the council (see: https://www.pcisecuritystandards.org/participation/join.shtml)
By joining you will be able to:
- Vote for Participating Organization representatives on the PCI Security Standards Council Board of Advisors.
- Nominate a representative to stand for election to the PCI Security Standards Council Board of Advisors.
- Comment on drafts of all revisions to the DSS specification, and on any new specifications, prior to public release.
- Attend Community Meetings hosted by the PCI Security Standards Council.
- Recommend new initiatives for consideration to the PCI Security Standards Council.
I plan to push for a special interest group within the council focusing on the needs of non-profits, but it may take some politicking to get this approved.
What were my main take-aways?
- Look for the "touch points" regarding credit card data. Who sees or touches credit card information and why? If you don't need this information, then get rid of it.
- Self-assess. Contact a Qualified Security Assessor to help if needed, but take some time to see how vulnerable your data environment is, keeping in mind you will probably need to change some of your business practices based on what you discover.
- Requirements are not absolute. There is a lot of grey area associated with these requirements; look at the best practices and see what makes sense for your organization.
Our encore web seminar regarding PCI DSS compliance was held yesterday, September 17. If you have any questions regarding the web seminar, leave a comment below. If you are interested in taking part in an early adopter program for The Raiser’s Edge or any of our other products, contact Bucky Wall at bucky.wall@blackbaud.com.
If you missed yesterday's seminar, check out the recording, or download the presentation.
Yesterday afternoon, Blackbaud’s Director of Corporate Readiness Bucky Wall and Accounting and Education Solutions Program Manager Wanda Mahon facilitated our first web seminar regarding PCI DSS compliance.
The seminar covered the impact of the new PCI DSS regulations on all Blackbaud customers as well as specific changes to versions 7.77 of The Financial Edge, The Education Edge, and Blackbaud Student Information System. These changes had been shared previously in the email sent to the primary contacts and site administrators for all organizations who use Accounts Receivable 7, Cash Receipts 7, and Student Billing 7.
If you have any questions regarding the web seminar, leave a comment below. If you are interested in taking part in an early adopter program for The Raiser’s Edge or any of our other products, contact Bucky Wall at bucky.wall@blackbaud.com.
If you missed yesterday's seminar, check out the recording, or sign up for Credit Card Changes That Impact You on September 17 at 2:00 p.m. ET.