PCI Compliance Blog : Credit Card Security

Merci & Au Revoir

Bucky Wall — Fri, 24 Apr 2009 14:48:00 GMT

I want to thank you for all of your great questions and input concerning PCI DSS. These inquiries have allowed us to better plan for the releases of Blackbaud's compliant applications this summer and our related services. Many of your questions went straight to become Knowledge Base solutions or became listed in our PCI FAQs, both of which are being constantly updated.

It’s been my pleasure being your point of contact over these past months. However, I will be leaving Blackbaud at the end of this month and want to make sure you continue to receive prompt attention to your questions. Over the last few weeks I have been training our Support team on general and application-specific PCI content. I feel sure they are well-equipped to handle your questions.

You can also contact a couple of other people whio have been instrumental in Blackbaud's PCI efforts: Jake Marcinko, Blackbaud's Information Security Manager and Mary Beth Westmoreland, who has been leading our audit efforts.

My plans are to move to France with my family. It has always been a dream of ours. We plan to spend a the months of August and September travelling and then move to Eygalieres, a small town in Provence we have visited on several occasions.I hope to continue my work with non-profits in France.

I have enjoyed getting to know many of you through our “virtual” meetings and phone conversations. Blackbaud is a great company and will continue to be able stewards of your needs.

Please let me know how your PCI efforts are progressing. Feel free to drop me an email every now and then at buckywall@comcast.net.

Au revoir,
Bucky

"Preparing for the Raiser's Edge 7.91 and NetCommunity 6.10 upgrade" web seminar files

Bucky Wall — Wed, 22 Apr 2009 20:22:00 GMT

On 4/21 & 22 web seminars were held to discuss PCI DSS, the Blackbaud Payment Service and the new versions of The Raiser's Edge and NetCommunity. You can download the presentation or view a recording of the web seminar or the new Raiser's Edge/Blackbaud Payment Service demo!

Blackbaud Listed by MasterCard as a compliant service provider

Bucky Wall — Fri, 20 Mar 2009 17:59:00 GMT

As part of their Site Data Protection program, MasterCard has listed Blackbaud as a service provider compliant with the PCI Standard.

A Service Provider reported to MasterCard to be compliant with the PCI Standard have been provided a Certificate of Validation (COV) by a Qualified Security Assessor (QSA.) Blackbaud’s COV was presented by our QSA, Trustwave. Check out MasterCard's list of compliant service providers.

NOTE: MasterCard does not endorse or make any representation of any kind as to the nature or quality of service or other performance of any QSA, or Service Provider. MasterCard disclaims any liability of any kind directly or indirectly resulting from the use of or reliance on information appearing or not appearing herein and makes no representation as to the accuracy of any such information.

March 24 Virtual Conference on PCI

Bucky Wall — Thu, 19 Mar 2009 20:07:00 GMT

SC Magazine is sponsoring an all-day virtual conference on PCI. Speakers include Steven Peltzman, CIO from the Museum of Modern Art and Troy Leach, Technical Director at the PCI Security Standards Council.

This is billed as " A completely virtual event where registrants can visit vendor booths, hear from industry experts and retrieve valuable information." Should be cool.

Registration was easy. Go to SC Magazine's site to sign up.

PCI SSC Prioritized Approach for DSS 1.2 Webinar

Bucky Wall — Mon, 16 Mar 2009 13:56:00 GMT

The PCI Security Standards Council has created The Prioritized Approach to help merchants and other organizations (including nonprofits) through their PCI DSS compliancy process. This web seminar will introduce the Prioritized Approach and how to put it to use. The Excel tool groups together the requirements of PCI DSS 1.2 into six key milestones to consider in their card data security strategy. The Prioritized Approach offers guidance on how to focus PCI DSS implementation efforts in a way that expedites the security of cardholder data. It also:

Helps identify highest risk targets
Creates a common language around PCI DSS implementation efforts
Enables merchants to demonstrate progress on compliance process to key stakeholders – banks, acquirers, QSAs, others

If you want to learn more, check out one of these web seminars:

Wednesday, March 18, 2009 at 11:30 a.m. ET (register) or 7:30 p.m. ET (register)
Monday, March 23, 2009 at 11:30 a.m. ET (register) or 7:30 p.m. ET (register)

Webinar: Beta Program for The Raiser’s Edge 7.86

Bucky Wall — Wed, 15 Oct 2008 16:55:00 GMT

Last week, Anne McDonell, Blackbaud’s Client Feedback Manager, Kevin Brunson, Sr. Product Support Lead for The Raiser’s Edge and I hosted a webinar on The Raiser’s Edge 7.86 beta. The webinar provided an overview of issues surrounding PCI compliance and a demo of the integration of The Raiser’s Edge and the new Blackbaud Payment Service.

You can see a recording of the webinar and download the presentation. If you are interested in joining The Raiser’s Edge 7.86 beta program, please fill out the Application Survey or email Anne McDonell. We’re holding a repeat of the webinar on Thursday and Friday, October 23 and 24. If you would like to attend, register now!

Bucky Wall, Director of Corporate Readiness

On the Road With Bucky Wall

Douglas Clinton — Thu, 02 Oct 2008 19:16:00 GMT

Posted on behalf of Bucky Wall:

Last week, Jake Marcinko, Blackbaud's Data Security Manager, and I attended the PCI Security Standard Council's (PCISSC) annual community meeting in Orlando, FL (You may recall from an earlier press release that Blackbaud joined the PCISSC this past summer.) The main focus of this year's meeting was the roll-out of the PA & PCI DSS Standards 1.2.

In general, it was a bit of an eye-opener. This was mostly because it's fairly clear that the non-profit space is not on the Security Council's RADAR. You would think it should, since charitable giving topped 300 billion last year in the US alone (and while I don't have stats as to the amount donated via credit cards, you can bet it's a sizable number).

Why is the non-profit community a bit of an afterthought? A few things come to mind….

We haven't seen a serious breach of security resulting in the loss of a large number of credit card information. And, unfortunately, many organizations don't have self-auditing processes and wouldn't know if there was a breach.
Most non-profits have a relatively small number of credit cards in their databases, so any loss would be relatively small in comparison to a large merchant (can you say, "TJ-MAX?")
General credit card security concerns have been slow to arise in the non-profit space.
The unique relationship between donor and the receiving organization is fundamentally different than that between merchant and purchaser. Donors don't complain as much as purchasers…

Why should we want to be on the Council's RADAR?
Decisions have been made and will continue to be made over the next few years that will impact the way non-profits accept credit card donations. You will want a say in these decisions. You might even consider joining the council (see: https://www.pcisecuritystandards.org/participation/join.shtml)

By joining you will be able to:

Vote for Participating Organization representatives on the PCI Security Standards Council Board of Advisors.
Nominate a representative to stand for election to the PCI Security Standards Council Board of Advisors.
Comment on drafts of all revisions to the DSS specification, and on any new specifications, prior to public release.
Attend Community Meetings hosted by the PCI Security Standards Council.
Recommend new initiatives for consideration to the PCI Security Standards Council.

I plan to push for a special interest group within the council focusing on the needs of non-profits, but it may take some politicking to get this approved.

What were my main take-aways?

Look for the "touch points" regarding credit card data. Who sees or touches credit card information and why? If you don't need this information, then get rid of it.
Self-assess. Contact a Qualified Assessor to help if needed, but take some time to see how vulnerable your data environment is, keeping in mind you will probably need change some of your business practices based on what you discover.
Requirements are not absolute. There is a lot of grey area associated with these requirements, look at the best practices and see what makes sense to your organization.

Web Seminar Redux

Douglas Clinton — Thu, 18 Sep 2008 15:58:00 GMT

Our encore web seminar regarding PCI DSS compliance was held yesterday, September 17. If you have any questions regarding the web seminar, leave a comment below. If you are interested in taking part in an early adopter program for The Raiser’s Edge or any of our other products, contact Bucky Wall at bucky.wall@blackbaud.com.

If you missed yesterday's seminar, check out the recording, or download the presentation.

Web Seminar: Recap and Feedback

Douglas Clinton — Fri, 12 Sep 2008 14:55:00 GMT

Yesterday afternoon, Blackbaud’s Director of Corporate Readiness Bucky Wall and Accounting and Education Solutions Program Manager Wanda Mahon facilitated our first web seminar regarding PCI DSS compliance.

The seminar covered the impact of the new PCI DSS regulations on all Blackbaud customers as well as specific changes to versions 7.77 of The Financial Edge, The Education Edge, and Blackbaud Student Information System. These changes had been shared previously in the email sent to the primary contacts and site administrators for all organizations who use Accounts Receivable 7, Cash Receipts 7, and Student Billing 7.

If you have any questions regarding the web seminar, leave a comment below. If you are interested in taking part in an early adopter program for The Raiser’s Edge or any of our other products, contact Bucky Wall at bucky.wall@blackbaud.com.

If you missed yesterday's seminar, check out the recording, or sign up for Credit Card Changes That Impact You on September 17 at 2:00 p.m. ET.

PA-DSS Compliance for Patron Edge

Nicholai Burton — Fri, 05 Sep 2008 14:22:00 GMT

We are making several important changes to the next version of Patron Edge in an effort to meet PA-DSS rules. These changes are required in order for your organization to reach compliance with Payment Card Industry standards and continue to process credit cards. Patron Edge and Patron Edge Online will not be using the Blackbaud Payment Service, but will reach compliance using a different method. Please refer to this article from The Spotlight for full details:

Important announcement regarding Patron Edge 3.340

More details will be coming related to our compliance measures as the next release approaches, both on The Spotlight and on the Patron Edge documentation page.

Has your organization started planning for PCI compliance? Share your thoughts or best practices in the comments.

Brave New World: Introducing the Blackbaud Payment Service

Douglas Clinton — Wed, 03 Sep 2008 17:20:00 GMT

Blackbaud can help you comply with the Payment Card Industry Data Security Standard (PCI-DSS) by providing software solutions that meet the Payment Application Security Standards (PA-DSS). The goal of the PA-DSS is to help software vendors like Blackbaud develop secure payment applications that comply with the requirements of the PCI-DSS. In order to make our software PA-DSS compliant, Blackbaud has opted to remove credit card data from all applications.

In order to make The Raiser's Edge, NetSolutions, Blackbaud NetCommunity, and Blackbaud Enterprise CRM compliant with PCI-DSS and PA-DSS guidelines while still allowing you to process transactions, Blackbaud is pleased to announce The Blackbaud Payment Service (BBPS). BBPS will integrate with the PA DSS compliant versions of our software applications.

With BBPS, credit card numbers will no longer be visible in the software applications and storage of credit card information will be transitioned to the BBPS. Within each application, credit card numbers will be replaced with reference tokens. When you process credit card transactions, your software will connect to the BBPS service. The reference token in your database will summon the stored credit card number to be used in the transaction.

If you have an existing Merchant ID or get one before October 1, 2008, you may be able to postpone updating to a PA-DSS compliant version until October 1, 2009. You should contact your processor or acquiring bank ASAP to determine your compliance requirements and timelines - they may require immediate compliance.

If you choose not to use the BBPS, you should back up your credit card data before updating to the PA-DSS version of our software. You will need to contact a Qualified Security Assessor for advice on how to secure this credit card information in accordance with PCI DSS.

If you have any questions about BBPS, or anything else related to PCI-DSS and PA-DSS requirements, please leave a comment below.

Sign Up for Our Web Seminar

Douglas Clinton — Wed, 20 Aug 2008 17:59:00 GMT

Sign up for Credit Card Changes That Impact You on either September 11 at 2:00 p.m. ET or September 17 at 2:00 p.m. ET to learn more about the new Payment Card Industry Data Security Standard (PCI DSS) and how it will impact the way your organization handles credit cards. This session will highlight changes being made within Accounts Receivable 7, Cash Receipts 7, and Student Billing 7. Blackbaud is committed to making these changes within our products in order to help your organization become PCI DSS compliant.

Straight Off the Press: We've Joined the PCI Security Standards Council

Sarah McBride — Tue, 01 Jul 2008 09:12:00 GMT

Yesterday we joined the Payment Card Industry (PCI) Security Standards Council as a new participating organization. For the full story, read the press release. The Council's goal is to ensure everyone involved with consumer payments protects their data. As a participating organization, we have the opportunity to work directly with them in the development of the PCI Data Security Standard (DSS) and other payment card data protection standards.

This also means we will have access to the latest payment card security standards so we can share our feedback, keep you informed, and make sure our products are in line with the standards. In the coming months, we'll continue to keep you in the loop via this blog, our support newsletters, and our new PCI-DSS forum.

New - PCI-DSS Forums!

Douglas Clinton — Fri, 20 Jun 2008 20:27:00 GMT

We have added a new Forum dedicated to PCI-DSS to Nonprofit Topics in the Nonprofit Industries Forums. You can subscribe to this forum to receive every post by clicking Edit Profile on the Forums or Blog page, and selecting the Email tab to first set the following options:

If you want to receive emails from other forum participants, select Yes to Receive Emails.
If you want to receive emails in HTML format, select Yes to Receive rich (HTML) emails.
If you want to be notified by email of new posts to forums/threads you have subscribed to as well as of any replies to one of your posts, select Yes to Enable Email Notifications of forum/thread subscriptions and replies to my posts.

Once you have done this, click Forum Subscriptions in the right sidebar Shortcuts section to receive emails from the PCI-DSS. Click No next to the PCI-DSS Forum to change the option to Yes to receive emails.

Join the discussion today!

Payment Card Industry Data Security Standards Overview

Douglas Clinton — Fri, 13 Jun 2008 14:36:00 GMT

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the major credit card companies to enhance credit card data security. All organizations that process, store, or transmit payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments.

When is it happening?

Beginning in October 2008, any organization that requires a new merchant ID from credit card companies must be PCI DSS compliant. Beginning in October 2009, all organizations must be PCI DSS compliant to process credit cards.

How can I learn more?

For more information about PCI DSS compliance, visit www.blackbaud.com/PCI. General information regarding PCI DSS, including a PCI DSS self-assessment questionnaire, can be found at www.pcisecuritystandards.org.

In the coming months, we will provide additional information about how you can become PCI DSS compliant on this blog and in our newsletters. We encourage you to subscribe to both:

PCI Compliance blog RSS feed
Support newsletters