Preparing for The Raiser’s Edge 7.91 and Blackbaud NetCommunity 6.10 Presenters: Bucky Wall, Kevin Brunson & Aram Aghapour 4/21/2009


Bucky Wall | Page #2 © 2009 Blackbaud

Raiser’s Edge and NetCommunity PCI Upgrades

Logistics

Large number of attendees today

I’ve muted all lines but mine to avoid feedback

Please hold questions until the end

Submit via the Q&A feature of Live Meeting

This presentation is being recorded and will be sent to you at the conclusion of the web seminar


Agenda

Quick PCI Overview

PCI DSS

Merchant levels

Key dates

PA DSS

PCI Compliance

Self-Assessment Questionnaires and options

Blackbaud applications and compliance

Blackbaud Payment Service (BBPS)

Interactions with

• The Raiser’s Edge

• NetSolutions

• NetCommunity

• BBPS & Raiser’s Edge demo

Upgrade process

What you should do now

Helpful links

Q&A


PCI DSS

Payment Card Industry Data Security Standard (PCI DSS)

Set of comprehensive requirements for enhancing payment account data security…to help facilitate the broad adoption of consistent data security measures on a global basis.

Developed by the major card brands (spearheaded by Visa)

All organizations that process, store, or transmit payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments

The card brands refer to merchants by levels


Merchant Levels

Columns: Level / Tier [1]; Merchant Criteria; Validation Requirements

Level 1

Merchant criteria: Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region [2]

Validation requirements:

• Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)

• Quarterly network scan by Approved Scan Vendor (“ASV”)

• Attestation of Compliance Form

Level 2

Merchant criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels)

Validation requirements:

• Annual Self-Assessment Questionnaire (“SAQ”)

• Quarterly network scan by ASV

• Attestation of Compliance Form

Level 3

Merchant criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually

Validation requirements:

• Annual SAQ

• Quarterly network scan by ASV

• Attestation of Compliance Form

Level 4

Merchant criteria: Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

Validation requirements:

• Annual SAQ recommended

• Quarterly network scan by ASV if applicable

• Compliance validation requirements set by acquirer

[1] Compromised entities may be escalated at regional discretion

[2] Merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant.


Key Dates: General Guidelines

October 1, 2008:

Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA DSS applications

Merchants must be PCI DSS compliant or use PA DSS validated applications to obtain a NEW Merchant ID number

October 1, 2009:

VisaNet Processors (VNPs) must decertify all vulnerable payment applications.

Systems that have been subject to a security breach

July 1, 2010:

Acquirers must ensure their merchants, VNPs and agents use only PA DSS applications

Applies to all organizations that process credit cards

You need to check with your acquirer or processor for their deadlines


Payment Application Data Security Standard

Payment Application Data Security Standard (PA DSS)

The goal of PA DSS is to help software vendors develop secure payment applications that do not store prohibited data.

Blackbaud is modifying our applications to comply with the PA DSS requirements.

• A different assessment process than PCI DSS.

PA DSS only applies to commercial software vendors and not in-house built applications.

Ask your vendor if the applications you are using are PCI Accepted.

• Are the applications they are using compliant?

Using a PA DSS validated application facilitates compliance with PCI DSS. It does not ensure compliance.

The real impact is when you assess your exposure if you do not use compliant applications.


SAQ Validation

Columns: Type; Description; SAQ: V1.2

Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. SAQ: A

Type 2: Imprint-only merchants with no electronic cardholder data storage. SAQ: B

Type 3: Stand-alone terminal merchants, no electronic cardholder data storage. SAQ: B

Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage. SAQ: C

Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. SAQ: D

Self-Assessment Questionnaires (SAQ)

PCI DSS Security Council has self-assessment questionnaires (SAQ) that take merchants through a series of questions to assess weaknesses.

There are multiple versions of the questionnaire which are specific to how you handle your credit card information.


Your PCI assessment: Host the payment card data within your own organization.

Typical Blackbaud customer storing credit cards in The Raiser’s Edge

No wireless, in house developed credit card customizations, or secure data center storing “sensitive” information

Type 5/SAQ D

[Chart: 80% compliance items in scope; 20% compliance items out of scope]


Your PCI assessment: Remove all payment data from your system & outsource the storage of the payment card info.

[Chart: 30% compliance items in scope; 70% compliance items out of scope]

Same user as before minus stored credit card numbers, using PA DSS apps.

Type 4/SAQ C: Merchants with Payment Application Systems Connected to the Internet (do not store cardholder data on any computer system)

Dramatically reduces the scope of assessment


How PCI impacts Blackbaud applications

In light of these new standards

After assessing the impact on our customers to allow keeping credit cards in The Raiser’s Edge

On the advice of our PCI consultants and auditors, Trustwave

Blackbaud will no longer allow the storage or retrieval of credit cards in our databases.

So how will customers continue to process credit card donations?


Blackbaud Payment Service

[Diagram labels: Credit Card Numbers; Credit Cards Tokenized; Tokens]

A secure, PCI compliant tokenization service for Blackbaud applications.

Replaces credit card numbers with unique tokens that can be used again for recurring gifts.


Blackbaud Payment Service

Certified PCI compliant as a Level 1 Gateway

Stored information

• Credit card number

• Valid from date

• Expiration date

• Merchant account info (Gateway ID)

• Cardholder name

• Card type

What is returned to The Raiser's Edge

• Card type

• Cardholder name – This is a new field.

• Expiration date

• Token which represents the card in BBPS

• Displayed as truncated credit card number


Upgrading to Raiser's Edge 7.9x

[Diagram labels: Tokens created from Credit Cards; Credit Cards & Tokens stored; Only tokens remain]


Upgrading to NetCommunity 6.x

[Diagram labels: Tokens; Stored Credit Cards; Credit Cards Tokenized]


Recurring Gifts via Raiser’s Edge 7.9x

[Diagram labels: Process Recurring Batch (Tokens & Amount); Resolves Credit Card; Credit Card Numbers; Bank/Acquirer; Status & Confirmation]


One-Time Donations via NetCommunity 6.x & NetSolutions

[Diagram labels: Truncated Credit Card Numbers downloaded to Batch; Credit Card Numbers; Pass-Thru Only; Truncated Numbers - Not Tokens]

PCI DSS does not permit storage of credit cards in BBPS for one-time donations.
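
The split between what BBPS stores and what is returned to The Raiser's Edge, the accept/decline upgrade choice, and the one-time pass-through rule on this slide can be modeled together in a short sketch. This is an added illustration, not Blackbaud code: `PaymentService`, `upgrade_database`, the `GW-EXAMPLE` gateway ID and the sample card number are all hypothetical.

```python
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card


def truncate(pan: str) -> str:
    """Mask all but the last four digits for display."""
    return "*" * (len(pan) - 4) + pan[-4:]


class PaymentService:
    """Hypothetical stand-in for the hosted service; not Blackbaud's API."""

    def __init__(self, acquirer):
        self.vault = {}            # token -> full card record, held only here
        self._acquirer = acquirer  # callable(pan, amount) -> status string

    def tokenize(self, pan, name, card_type, expires, gateway_id):
        token = secrets.token_hex(16)  # random, so it reveals nothing about the PAN
        self.vault[token] = {"pan": pan, "name": name, "card_type": card_type,
                             "expires": expires, "gateway_id": gateway_id}
        # Only these fields go back to the client database.
        return {"token": token, "display": truncate(pan), "name": name,
                "card_type": card_type, "expires": expires}

    def charge_recurring(self, token, amount):
        """Client sends token + amount; the PAN is resolved inside the service."""
        return self._acquirer(self.vault[token]["pan"], amount)

    def charge_one_time(self, pan, amount):
        """Pass-through only: nothing is stored, a truncated number comes back."""
        return {"status": self._acquirer(pan, amount), "display": truncate(pan)}


def upgrade_database(rows, service, accept):
    """Model of the upgrade choice: accept -> tokens, decline -> truncation."""
    out = []
    for row in rows:
        kept = {k: v for k, v in row.items() if k != "pan"}  # PAN never survives
        if accept:
            kept.update(service.tokenize(row["pan"], gateway_id="GW-EXAMPLE", **kept))
        else:
            kept["display"] = truncate(row["pan"])
        out.append(kept)
    return out


def demo():
    seen = []  # what the acquirer receives
    svc = PaymentService(lambda pan, amt: seen.append((pan, amt)) or "approved")
    rows = [{"name": "A. Donor", "card_type": "Visa", "expires": "12/2010",
             "pan": SAMPLE_PAN}]
    accepted = upgrade_database(rows, svc, accept=True)
    declined = upgrade_database(rows, svc, accept=False)
    status = svc.charge_recurring(accepted[0]["token"], 25)
    one_time = svc.charge_one_time(SAMPLE_PAN, 10)
    return accepted, declined, status, one_time, seen, len(svc.vault)
```

Calling `demo()` shows that the client-side rows never hold the full number after the upgrade, while the acquirer still receives it for both the recurring and the one-time charge.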


Recurring Donations via NetCommunity 6.x & NetSolutions

[Diagram labels: Credit Card Numbers; Tokens downloaded to Batch and then Bio2; Tokens; Credit Cards Tokenized]


Processors currently supported by BBPS

NetCommunity

IATS, PayflowPro, Sage/Verus, Moneris, BeanStream and Authorize.Net.

NetSolutions

IATS and PayflowPro

Raiser’s Edge

IATS and ICVerify


Demo of the Blackbaud Payment Service and The Raiser’s Edge

http://www.blackbaud.com/bb/democenter/pci.aspx


BBPS Credentials

Changes to NetCommunity: Configuration


Gateway Specific Settings

Changes to NetCommunity: New Merchant Account


Additional Password Security

Changes to NetCommunity: System Options


Who should upgrade upon release?

Organizations

Being pressured by processing gateways or banks

Undergoing a PCI audit

Wish to reduce liability of credit card storage

Use IATS or ICVerify to process credit cards

Have fixes in Raiser’s Edge 7.91 or NetCommunity 6.10

Use NetSolutions to solicit recurring gifts


Who can wait to upgrade?

Organizations

Don’t store credit cards in The Raiser’s Edge

Process recurring gifts and use a processor not currently supported by The Raiser’s Edge

If you decide to wait

Self-assess to better understand your exposure


Upgrade requirements

Authenticate to the Blackbaud Payment Service via the Support Download Site

http://www.blackbaud.com/support/downloads

Accept or decline use of BBPS

• Accept: Sends you through to authenticate your organization to BBPS

• Requires: Site ID and email currently on file with Blackbaud Support

• Your credit cards will be replaced with tokens

• Decline: Sends you through the normal download process

• Your historical credit card numbers in your database will be truncated.

If you are a Raiser’s Edge customer (including NetSolutions)

Requires an internet connection and SQL 2000 SP4, 2005 or 2008

• Process via IATS – do nothing; BBPS takes care of it

• Process via ICVerify – upgrade to v4.03 SP3

If you are a NetCommunity customer

Upgrade NetCommunity before The Raiser’s Edge

• Requires SQL 2005 SP1 – Compatible with SQL 2008

• (Raiser’s Edge can still be on SQL 2000 SP4, 2005 or 2008)


What you should do now

Collection

Understand what information your organization collects and why.

Only collect information you need.

Make sure you can justify why you collect certain data.

Use

Only use the information for the purpose it was collected.

Access

Limit the number of people who have access to sensitive data.

Remove parts of the data that are not needed.

Don’t allow sensitive data to be in view of all staff or publicly on your website.

Storage

Only store the data your organization uses. If you don’t need it – delete it.

Self-assess to better understand your exposure


Helpful links

PCI Overall information: http://www.pcisecuritystandards.org

PCI Quick Reference Guide from the PCI Security Council

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Self-Assessment Questionnaire:

https://www.pcisecuritystandards.org/saq/index.shtml

Find a QSA: http://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

• Trustwave - Blackbaud’s preferred QSA:

http://www.blackbaud.com/company/pci/trustwave.aspx

Visa timeline mandates:

http://usa.visa.com/merchants/risk_management/cisp_key_dates.html

Blackbaud sites:

PCI Landing page: http://www.blackbaud.com/pci

• Learn more about BBPS and other Blackbaud applications

PCI Blog: http://forums.blackbaud.com/blogs/pci/default.aspx


Questions???
