Frequently Asked Questions

How does PCI affect specific Blackbaud products?

Who regulates these standards?

The Payment Card Industry Data Security Standards are a set of requirements instituted and regulated by the PCI Security Standards Council (PCI SSC, https://www.pcisecuritystandards.org/). The PCI SSC is a consortium of major card brands including VISA, MasterCard, AMEX, DiscoverCard and JCB, created to enhance credit and debit card data security. All organizations that process, store, or transmit payment card data must comply with PCI DSS requirements or risk losing their ability to process credit card payments. The council also supports Payment Application (PA) security standards for software products that are installed and used locally by merchants to process, store or transmit credit card data. Software products that meet PA DSS standards have been validated as compliant with PCI DSS requirements and enable merchants to readily attain PCI compliance.

I’ve heard a lot of dates associated with PCI. What are the “real” ones?

Please visit the Official PCI Security newsroom.

Keep in mind that payment gateways are enforcing these dates independently. You need to check with your processor to find out if their dates are different from what has been published by the card brands.

What do I have to do?

It is the responsibility of each organization to comply with the PCI DSS by the dates prescribed by the PCI Security Council or by your acquiring bank. Blackbaud can help you comply by providing applications and solutions that meet these standards. You should review the standards provided by the security council and assess your PCI requirements:

  • Download the PCI Quick Reference Guide from the PCI Library. Search for “PCI DSS Quick Reference Guide.”
  • Download and complete the appropriate Self-Assessment Questionnaire
  • Contact your acquiring bank or the agency that issued your merchant ID and ask for clarity on their dates for compliance.
  • Use compliant applications when they become available.

What resources are available to help me with PCI compliance?

To help promote the awareness of the security requirements for credit card and cardholder data, Blackbaud has developed Payment Application Data and Security Standards Implementation Guides about PCI DSS and how it impacts your organization.

Note: These guides provide only an overview of PCI DSS requirements and recommended best practices to ensure compliance. For complete details, visit the PCI Security Standards Council’s website. Blackbaud cannot fill out self-assessment questionnaires for our clients because PCI compliance encompasses the client’s environment and practices.

What are the merchant levels?

Visa and the other card brands distinguish “merchants” by levels depending on the number of transactions transmitted on an annual basis.

  • Level 1: Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region**. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
  • Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
  • Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

** A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.

Are these PCI regulations laws?

PCI DSS is a set of regulations developed by the PCI Security Council and the card brands. One of the goals is to achieve self-regulation and to avoid legal jurisprudence. There are, however, a number of states that have implemented data security laws that include credit card security.

You should ask your legal counsel if there are laws in your state that are applicable to credit card security.

What has Blackbaud done to become PCI compliant?

One - Blackbaud has modified every application that processes, stores, or transmits credit card numbers to become PCI DSS and PA-DSS compliant. We have implemented PCI standards regarding secure storage of data, strong access control, and other requirements. The list of PCI compliant applications includes:

  • Altru
  • BB Checkout (formerly BBSP)
  • Blackbaud CRM
  • Blackbaud Merchant Services
  • Blackbaud NetCommunity
  • Blackbaud Online Express
  • Blackbaud Payment Services
  • Blackbaud ID
  • Brennan IT
  • eTapestry
  • everydayhero
  • JustGiving
  • Luminate Online Services Suite (which includes CMS, Databases, LADAS, Mail -Bounce Handler, PMTA, Selenium, Service Bus, Splunk, Utilities, Weblog)
  • MFT-Linoma (Managed File Transfer)
  • Mobile Pay
  • Payments API (formerly APIM)
  • The Raiser's Edge
  • Raiser's Edge NXT
  • Smart Tuition and Smart Aid
  • Sphere

Two - Blackbaud developed a secure, PCI DSS compliant credit card gateway that facilitates processing via our products. This gateway has passed a Level 1 PCI DSS audit; compliance can be verified by Visa. This enables users to process credit card transactions as they do today without the burden of maintaining all card data locally.

The Blackbaud Payment Service (BBPS) is a secure vaulting and tokenization service that makes PCI compliance easier for our customers.

Three - Blackbaud has upgraded our entire Blackbaud Application Hosting environment to ensure PCI DSS compliance and data security.

Four - Blackbaud has passed all audits conducted by our 3rd-party Qualified Security Assessor.

Five - For existing Blackbaud customers, we have created Knowledgebase articles to explain in detail the changes to each of the applications. We have also included Implementation Guides for the applications that have completed their audit process, system requirements and upgrade procedures.

Where can I validate Blackbaud’s PCI compliance?

Blackbaud provides secure storage of clients’ credit card data and is currently registered and maintains its services as a Level 1 PCI compliant service provider. Blackbaud’s applications are also certified DSS compliant, as follows:

The Blackbaud Payment Service (BBPS)

What is the Blackbaud Payment Service (BBPS)?
In order to make The Raiser's Edge, NetSolutions, Blackbaud NetCommunity, and Blackbaud Enterprise CRM compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). BBPS integrates with the PA DSS compliant versions of our software and stores credit card and merchant account information in a secure environment. Credit card numbers will no longer be visible in our software and will be replaced with reference tokens. When you process credit card transactions, the reference token in your database will summon the stored credit card number from BBPS to be used in the transaction.

Download the BBPS Overview for more information

How does the BBPS work?
When you migrate to the next version of The Raiser’s Edge, Blackbaud NetCommunity and Blackbaud CRM, you will connect to the BBPS which will scan your Raiser’s Edge or CRM database for credit card numbers and upload them to the service. BBPS will communicate to your credit card processor, validate your credit cards and return a unique token to your database that will always reference that credit card. Users will see this token as the last four digits of the credit card number.

What credit card processor is supported by BBPS?
BBPS supports many processors.  Additionally, Blackbaud has partnered with several payment processors to provide multiple options for payment processing.

Are there any additional charges for the PA DSS versions of these applications?
No. These are considered regular upgrades and are covered in your maintenance contract.

Can we use the token to add new donations or do we need to get the credit card again?
You do not need to get a credit card number again from the donor once the original number has been saved and tokenized. The token is stored in your database and will appear to users as a truncated credit card number. You just reference the token and the new donations are attributed to the credit card.
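The answers above (and the Raiser's Edge and Financial Edge sections later on this page) describe one pattern: the application database keeps an opaque token plus the last four digits, a separate vault keeps the card number, the token is resolved to the card number only inside the processing path, and the migration scans the existing database for card numbers. The following Python model is an added illustration of that pattern and is not Blackbaud's code; `TokenVault`, `AppDatabase`, `process_gift` and `find_pans` are invented names, the vault is an in-memory stand-in for BBPS, and the card number used is a constructed Luhn-valid test value.

```python
"""Illustrative token vault modelled on the tokenization flow this FAQ describes.
Constructed example: not BBPS code or its API."""
import re
import secrets
from dataclasses import dataclass, field

# Candidate card numbers in free text: 13 to 19 digit runs on word boundaries.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; rejects obvious typos before anything is vaulted."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Migration-style check: Luhn-valid card numbers hiding in stored text."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


class TokenVault:
    """Stand-in for the vault side (BBPS in the FAQ). Maps token -> card number."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random token with no mathematical relation to the card number,
        # so a copy of the application database reveals nothing on its own.
        token = secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processing path calls this; the result never reaches the app DB."""
        return self._pans[token]


@dataclass
class DonorRecord:
    donor_id: int
    card_token: str
    card_last4: str


@dataclass
class AppDatabase:
    """Application side: what the donor database holds after migration."""
    donors: dict[int, DonorRecord] = field(default_factory=dict)

    def save_card(self, vault: TokenVault, donor_id: int, pan: str) -> DonorRecord:
        pan = re.sub(r"\D", "", pan)
        token = vault.tokenize(pan)           # full number goes to the vault only
        rec = DonorRecord(donor_id, token, pan[-4:])
        self.donors[donor_id] = rec
        return rec

    def display_card(self, donor_id: int) -> str:
        """What a user sees: a truncated number, never the token or the PAN."""
        return "*" * 12 + self.donors[donor_id].card_last4


def process_gift(db: AppDatabase, vault: TokenVault, donor_id: int, amount_cents: int) -> dict:
    """New gift against a stored card: the token is resolved inside the processing path."""
    rec = db.donors[donor_id]
    pan = vault.detokenize(rec.card_token)
    # Stand-in for the processor call; a real processor returns an authorization result.
    return {"donor_id": donor_id, "amount_cents": amount_cents,
            "card": mask_pan(pan), "approved": True}


if __name__ == "__main__":
    vault, db = TokenVault(), AppDatabase()
    db.save_card(vault, 1, "4111 1111 1111 1111")   # constructed test number
    print(db.display_card(1))
    print(process_gift(db, vault, 1, 2500))
    print("card numbers in app DB:", find_pans(repr(db)))
```

The point the model makes concrete is the one the FAQ relies on: after tokenization, `find_pans(repr(db))` over the application database returns nothing, while the same scan over the pre-migration text finds the card number. Anything that can call `detokenize` is inside the cardholder data environment, so in a real deployment that capability belongs to the processing integration alone.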

If I use these new versions of Blackbaud software will I be PCI compliant?
Using Blackbaud’s PA DSS certified applications will help you become PCI compliant by no longer storing credit card information in the databases, but you will still need to assess whether your organization and network comply with PCI DSS requirements.

However, each organization is responsible for validating its compliance with the PCI standards. We suggest you review the self-assessment at the PCI Security Council’s website.

If we are not using The Raiser’s Edge and use a 3rd party vendor to process our credit cards, how do we know if they are PCI compliant?
You should contact your vendor and request a copy of their Report on Compliance (ROC) and ask who did the assessment. You may want to contact the assessing body for additional information.

The Raiser's Edge

What changes are being made to The Raiser's Edge?
In order to make The Raiser's Edge compliant with PCI DSS and PA-DSS, we have developed the Blackbaud Payment Service (BBPS). BBPS will integrate with The Raiser's Edge and store credit card and merchant account information in a secure environment.

During the update to the PA-DSS version of The Raiser's Edge, you will be prompted to choose whether to store your credit cards in BBPS or to delete them. If you choose to use BBPS, credit card numbers will no longer be visible in The Raiser's Edge and will be replaced with reference tokens; users will see these tokens as the last four digits of the credit card number. When you process credit card transactions, the reference token in your database will summon the stored credit card number from BBPS to be used in the transaction.

If you choose not to use BBPS, back up your credit card data before updating to the PA DSS version of our software as all credit card information will be removed. Contact a Qualified Security Assessor for advice on how to secure this credit card information in accordance with PCI DSS.

Blackbaud Online Express
The Raiser's Edge remains PCI DSS and PA-DSS compliant when using the Blackbaud Online Express plugin for The Raiser's Edge. The Blackbaud Online Express web service is also included in Blackbaud's annual Internet Services PCI DSS Level 1 audit.

When will the PA DSS version of The Raiser's Edge become generally available?
The PA-DSS version of The Raiser's Edge is available today.

Altru

The Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help facilitate the broad adoption of consistent payment card data security measures on a global basis. In order to meet the requirements as defined in these standards, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Altru?
In order to make Altru compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). Beginning in version 2.0, Altru is integrated with BBPS to securely store credit card and merchant account information and facilitate credit card processing in a PCI-compliant environment.

If you are a customer who processes credit card transactions within Altru, upon upgrade to version 2.0, full credit card numbers will no longer be visible in the product and will be replaced with reference tokens; users will see these tokens as the last four digits of the credit card number. When you process credit card transactions, the reference token in your database will summon the full credit card number stored in BBPS to be used in the transaction. You will be able to continue to process credit card transactions as you do today, and no other functionality is affected by the change.

When will the PA DSS version of Altru become generally available?
The PA DSS version of Altru is available today.

Blackbaud CRM

The Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standards (PA-DSS) were created by the Payment Card Industry Security Standards Council to help facilitate the broad adoption of consistent payment card data security measures on a global basis. In order to meet the requirements as defined in these standards, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Blackbaud CRM?
In order to make Blackbaud CRM (BBEC) and its component Blackbaud Internet Solutions (BBIS) compliant with PCI DSS and PA-DSS, we have developed the Blackbaud Payment Service (BBPS). Beginning in version 2.0, Blackbaud CRM is integrated with BBPS to securely store credit card and merchant account information and facilitate credit card processing in a PCI-compliant environment.

If you are a customer who processes credit card transactions within Blackbaud CRM, upon upgrade to version 2.0, full credit card numbers will no longer be visible in the product and will be replaced with reference tokens; users will see these tokens as the last four digits of the credit card number. When you process credit card transactions, the reference token in your database will summon the full credit card number stored in BBPS to be used in the transaction. You will be able to continue to process credit card transactions as you do today, and no other functionality is affected by the change.

When will the PA DSS version of Blackbaud CRM become generally available?
The PA-DSS version of Blackbaud CRM, which includes Blackbaud Internet Solutions (BBIS), is available today.

Blackbaud Internet Services

The Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help software vendors develop secure payment applications in compliance with PCI DSS. To make our software PA DSS compliant, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Blackbaud Internet Solutions?
In order to make Blackbaud Internet Solutions compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). Blackbaud Internet Solutions integrates with BBPS to store credit card and merchant account information in a secure environment. This change should not affect existing Blackbaud Internet Solutions functionality.

How does the integration with BBPS work?
For one-time donations, there is no change from a user perspective between the current payment service and BBPS. Your data will move from the existing service to the BBPS.

If you accept recurring debit or credit card gifts through Blackbaud Internet Solutions, you will need to upgrade to a compliant version of Blackbaud CRM to continue processing new gifts in your usual manner. If you do not download credit card information into Blackbaud CRM, you will not notice a difference between the current version of Blackbaud Internet Solutions and the compliant version. However, if you do not upgrade to the compliant version of Blackbaud CRM, you will no longer have the option to download credit card numbers/tokens into Blackbaud CRM.

When will the PA DSS version of Blackbaud Internet Solutions become generally available?
The PA DSS version of Blackbaud Internet Solutions is available today.

The Financial Edge, Blackbaud Student Information System, The Education Edge

The Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help software vendors develop secure payment applications in compliance with PCI DSS. To make our software PA DSS compliant, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Blackbaud Student Information System, The Education Edge, and The Financial Edge?
Earlier versions of Blackbaud Student Information System, The Education Edge, and The Financial Edge stored the entire credit card number in the Credit Card Number field on payments. Beginning in version 7.77, only the last four digits of the credit card number are displayed. For new payments, users cannot enter the entire credit card number. For existing payments, on which the entire credit card number was previously displayed, the rest of the credit card number will be removed.

When will the PA DSS versions of The Financial Edge, Blackbaud Student Information System, and The Education Edge become generally available?
The PA DSS versions of The Financial Edge, Blackbaud Student Information System, and The Education Edge are available today.

Blackbaud NetCommunity

The Payment Application Data Security Standards (PA DSS) were created by the Payment Card Industry Security Standards Council to help software vendors develop secure payment applications in compliance with PCI DSS. To make our software PA DSS compliant, we have opted to remove credit card and merchant account data from all applications that process, store, or transmit payment card data.

What changes are being made to Blackbaud NetCommunity?
In order to make Blackbaud NetCommunity compliant with PCI DSS and PA DSS, we have developed the Blackbaud Payment Service (BBPS). Blackbaud NetCommunity integrates with BBPS to store credit card and merchant account information in a secure environment. This change should not affect existing Blackbaud NetCommunity functionality.

How does the integration with BBPS work?
For one-time donations, there is no change from a user perspective between the current payment service and BBPS. Your data will move from the existing service to the BBPS.

If you accept recurring debit or credit card gifts through Blackbaud NetCommunity, you will need to upgrade to a compliant version of The Raiser’s Edge to continue processing new gifts in your usual manner. If you do not download credit card information into The Raiser’s Edge, you will not notice a difference between the current version of Blackbaud NetCommunity and the compliant version. However, if you do not upgrade to the compliant version of The Raiser's Edge, you will no longer have the option to download credit card numbers/tokens into The Raiser’s Edge.

When will the PA DSS version of Blackbaud NetCommunity become generally available?
The PA DSS version of Blackbaud NetCommunity is available today.

eTapestry

All eTapestry services are fully PCI compliant. PCI compliance is a set of security requirements endorsed by the PCI Security Standards Council, founded by a consortium of major credit card brands to enhance credit and debit card data security. The consortium includes Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and JCB.

All organizations that process, store, or transmit payment card data must comply with PCI standards. All existing merchant organizations must comply with PCI standards or risk losing their ability to process credit card payments. 

MobilePay

As the number one provider in the Software-as-a-Service market for non-profit organizations, we work hard to ensure Information Security is a serious priority. As a result, Blackbaud has been PCI-DSS compliant for the past several years, thanks to a strict approach to security. We have been audited by one of the strongest QSA providers for two years in a row with great success. Additionally, Blackbaud Hosting audits under the SOC2 standard for the security, confidentiality, and availability principles, and SOC1 (SSAE-16) for selected applications. Our standards demand regular risk assessments, vulnerability scanning, penetration testing, monitoring, and other security controls that customers expect from a world-class Hosting provider.

Our Blackbaud MobilePay™ application was built under the same Information Security umbrella. The Blackbaud MobilePay™ device provides end-to-end encryption of cardholder data upon swipe, utilizes Blackbaud SecurePay (BBSP) forms to ensure customer data is encrypted during transmission, and uses the Blackbaud Payment Service (BBPS) to tokenize the credit card data, adding an extra layer of security to sensitive information. All of this is backed by Blackbaud’s strict commitment to continue adhering to best-in-class security policies.