TRANSCRIPT
Preparing for The Raiser’s Edge 7.91 and Blackbaud NetCommunity 6.10
Presenters: Bucky Wall, Kevin Brunson & Aram Aghapour
4/21/2009
Bucky Wall | Page #2 © 2009 Blackbaud
Raiser’s Edge and NetCommunity PCI Upgrades
Logistics
Large number of attendees today
I’ve muted all lines but mine to avoid feedback
Please hold questions until the end
Submit via the Q&A feature of Live Meeting
This presentation is being recorded and will be sent to you at the conclusion of the web seminar
Agenda
Quick PCI overview
• PCI DSS
• Merchant levels
• Key dates
• PA DSS
PCI compliance
• Self-Assessment Questionnaires (SAQs) and options
• Blackbaud applications and compliance
Blackbaud Payment Service (BBPS)
• Interactions with The Raiser’s Edge, NetSolutions and NetCommunity
• BBPS & Raiser’s Edge demo
Upgrade process
What you should do now
Helpful links
Q&A
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS)
A set of comprehensive requirements for enhancing payment account data security, intended to help facilitate the broad adoption of consistent data security measures on a global basis.
Developed by the major card brands (spearheaded by Visa)
All organizations that process, store, or transmit payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments.
The card brands classify merchants by level.
Merchant Levels (Visa) (1)

Level 1
Criteria: merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region (2)
Validation: annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form

Level 2
Criteria: merchants processing 1 million to 6 million Visa transactions annually (all channels)
Validation: annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance form

Level 3
Criteria: merchants processing 20,000 to 1 million Visa e-commerce transactions annually
Validation: annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form

Level 4
Criteria: merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
Validation: annual SAQ recommended; quarterly network scan by an ASV if applicable; compliance validation requirements set by the acquirer

(1) Compromised entities may be escalated to a higher level at regional discretion.
(2) A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant.
Key Dates: General Guidelines
October 1, 2008:
Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA DSS validated applications
Merchants must be PCI DSS compliant or use PA DSS validated applications to obtain a NEW Merchant ID number
October 1, 2009:
VisaNet Processors (VNPs) must decertify all vulnerable payment applications (those that have been subject to a security breach)
July 1, 2010:
Acquirers must ensure their merchants, VNPs and agents use only PA DSS validated applications
These deadlines apply to all organizations that process credit cards. Check with your acquirer or processor for their specific deadlines.
Payment Application Data Security Standard
Payment Application Data Security Standard (PA DSS)
The goal of PA DSS is to help software vendors develop secure payment applications that do not store prohibited data.
Blackbaud is modifying our applications to comply with the PA DSS requirements.
• A different assessment process from PCI DSS.
PA DSS applies only to commercial software vendors, not to in-house built applications.
Ask your vendor whether the applications you are using are PA DSS validated.
• Are the applications they are using compliant?
Using a PA DSS validated application facilitates compliance with PCI DSS. It does not by itself ensure compliance.
The real impact shows when you assess your exposure if you do not use validated applications.
SAQ Validation
Self-Assessment Questionnaires (SAQ)
The PCI Security Standards Council publishes self-assessment questionnaires (SAQs) that take merchants through a series of questions to assess weaknesses.
There are multiple versions of the questionnaire, specific to how you handle your credit card information.
Validation types (SAQ v1.2):
Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. SAQ A
Type 2: Imprint-only merchants with no electronic cardholder data storage. SAQ B
Type 3: Stand-alone terminal merchants, no electronic cardholder data storage. SAQ B
Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage. SAQ C
Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. SAQ D
Your PCI assessment: host the payment card data within your own organization.
Typical Blackbaud customer storing credit cards in The Raiser’s Edge
Assumes no wireless, no in-house developed credit card customizations, and no secure data center storing “sensitive” information
Type 5 / SAQ D
(Chart: about 80% of compliance items are in scope, about 20% out of scope.)
Your PCI assessment: remove all payment data from your system and outsource the storage of the payment card information.
Same user as before, minus stored credit card numbers, using PA DSS validated applications.
Type 4 / SAQ C: merchants with payment application systems connected to the Internet (do not store cardholder data on any computer system)
(Chart: about 30% of compliance items are in scope, about 70% out of scope.)
Dramatically reduces the scope of assessment
How PCI impacts Blackbaud applications
In light of these new standards, after assessing the impact on our customers of allowing credit cards to be kept in The Raiser’s Edge, and on the advice of our PCI consultants and auditors, Trustwave:
Blackbaud will no longer allow the storage or retrieval of credit cards in our databases.
So how will customers continue to process credit card donations?
Blackbaud Payment Service
(Diagram: Blackbaud applications send credit card numbers to BBPS and receive tokens back; only tokens are kept in the applications.)
A secure, PCI compliant tokenization service for Blackbaud applications.
Replaces credit card numbers with unique tokens that can be used again for recurring gifts.
Blackbaud Payment Service
Certified PCI compliant as a Level 1 gateway
Information stored in BBPS
• Credit card number
• Valid-from date
• Expiration date
• Merchant account info (gateway ID)
• Cardholder name
• Card type
What is returned to The Raiser’s Edge
• Card type
• Cardholder name (a new field)
• Expiration date
• Token representing the card in BBPS
• Displayed as a truncated credit card number
Upgrading to Raiser's Edge 7.9x
(Diagram of the upgrade: tokens are created from the stored credit cards; credit cards and tokens coexist during the migration; afterward only the tokens remain.)
Upgrading to NetCommunity 6.x
(Diagram of the upgrade: the stored credit cards are tokenized and NetCommunity keeps only the tokens.)
Recurring Gifts via Raiser’s Edge 7.9x
(Diagram: The Raiser’s Edge processes the recurring batch and sends tokens and amounts to BBPS; BBPS resolves each token to its credit card number and submits it to the bank/acquirer; status and confirmation flow back.)
One-Time Donations via NetCommunity 6.x & NetSolutions
(Diagram: credit card numbers pass through BBPS to the processor only; truncated credit card numbers, not tokens, are downloaded to Batch.)
PCI DSS does not permit storage of credit cards in BBPS for one-time donations.
Recurring Donations via NetCommunity 6.x & NetSolutions
(Diagram: the credit cards are tokenized by BBPS; the tokens are downloaded to Batch and then to the constituent’s Bio 2 tab.)
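An added example, not Blackbaud’s code, of the tokenization pattern that the BBPS, upgrade, recurring-gift and one-time-donation slides above describe: a vault that is the only component ever holding a full card number, an application record that keeps just the token, truncated number, expiry, cardholder name and card type the slides list, a recurring charge submitted as token plus amount, a one-time charge that passes through without being retained, and the upgrade step that replaces stored numbers with tokens (or truncates them in place when BBPS is declined). Every name here (TokenVault, migrate_application_db, the gateway ID "GW-1", the sample donor rows) is an assumption made for this example, and the acquirer round trip is a constructed stand-in.

```python
import secrets
from dataclasses import dataclass

MASK = "X"


def card_type(pan: str) -> str:
    """Infer the brand from the leading digits (simplified ranges)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "MasterCard"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    return "Unknown"


def truncate(pan: str) -> str:
    """Display form: everything but the last four digits is masked."""
    return MASK * (len(pan) - 4) + pan[-4:]


@dataclass
class CardRecord:
    pan: str
    expiry: str
    cardholder: str
    gateway_id: str


class TokenVault:
    """Stand-in for the tokenizing service; the only place a full PAN lives."""

    def __init__(self, known_gateways):
        self._cards = {}          # token -> CardRecord
        self._gateways = set(known_gateways)

    def tokenize(self, pan, expiry, cardholder, gateway_id):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a plausible card number")
        if gateway_id not in self._gateways:
            raise ValueError("unknown merchant gateway")
        token = secrets.token_hex(16)   # random; carries no information about the PAN
        self._cards[token] = CardRecord(pan, expiry, cardholder, gateway_id)
        # Only the fields the application is allowed to keep travel back.
        return {"token": token, "display": truncate(pan), "expiry": expiry,
                "cardholder": cardholder, "card_type": card_type(pan)}

    def charge_token(self, token, amount):
        """Recurring batch: the application sends token + amount, the vault resolves the PAN."""
        rec = self._cards.get(token)
        if rec is None:
            return {"status": "declined", "reason": "unknown token"}
        return self._send_to_acquirer(rec.pan, rec.gateway_id, amount)

    def charge_once(self, pan, gateway_id, amount):
        """One-time donation: pass-through only; nothing is retained afterwards."""
        result = self._send_to_acquirer(pan, gateway_id, amount)
        result["display"] = truncate(pan)  # what Batch receives: a truncated number, not a token
        return result

    def holds_pan(self, pan):
        """Check helper: is this card number stored anywhere in the vault?"""
        return any(r.pan == pan for r in self._cards.values())

    @staticmethod
    def _send_to_acquirer(pan, gateway_id, amount):
        # Constructed stand-in for the bank/acquirer round trip.
        if amount <= 0:
            return {"status": "declined", "reason": "invalid amount"}
        return {"status": "approved", "confirmation": f"{gateway_id}-{secrets.token_hex(4)}"}


def migrate_application_db(rows, vault, gateway_id, accept_bbps=True):
    """Upgrade step: swap stored card numbers for tokens (BBPS accepted) or
    truncate them in place (BBPS declined). Either way no full PAN remains."""
    migrated = []
    for row in rows:
        new = dict(row)
        pan = new.pop("pan")
        if accept_bbps:
            new.update(vault.tokenize(pan, row["expiry"], row["cardholder"], gateway_id))
        else:
            new.update({"token": None, "display": truncate(pan)})
        migrated.append(new)
    return migrated


# Constructed sample data: legacy donor rows still carrying full card numbers.
LEGACY_ROWS = [
    {"donor": "A. Donor", "pan": "4111111111111111", "expiry": "2011-06", "cardholder": "A Donor"},
    {"donor": "B. Donor", "pan": "5555555555554444", "expiry": "2010-12", "cardholder": "B Donor"},
]

if __name__ == "__main__":
    vault = TokenVault(known_gateways={"GW-1"})
    for row in migrate_application_db(LEGACY_ROWS, vault, "GW-1"):
        charge = vault.charge_token(row["token"], 25.00)
        print(row["donor"], row["display"], row["card_type"], charge["status"])
    print(vault.charge_once("378282246310005", "GW-1", 10.00))
```

The point to check after any migration of this kind is the last assertion in holds_pan: the application rows contain no "pan" key at all, the tokens are random values unrelated to the card number, and a one-time charge leaves nothing behind in the vault, which is the property that moves the application database out of the assessment scope the earlier slides contrast.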
Processors currently supported by BBPS
NetCommunity: IATS, PayflowPro, Sage/Verus, Moneris, BeanStream and Authorize.Net
NetSolutions: IATS and PayflowPro
Raiser’s Edge: IATS and ICVerify
Demo of the Blackbaud Payment Service
and
The Raiser’s Edge
http://www.blackbaud.com/bb/democenter/pci.aspx
Changes to NetCommunity: Configuration (screenshot: BBPS credentials)
Changes to NetCommunity: New Merchant Account (screenshot: gateway-specific settings)
Changes to NetCommunity: System Options (screenshot: additional password security)
Who should upgrade upon release?
Organizations that
Are being pressured by processing gateways or banks
Are undergoing a PCI audit
Wish to reduce the liability of credit card storage
Use IATS or ICVerify to process credit cards
Need fixes that ship in Raiser’s Edge 7.91 or NetCommunity 6.10
Use NetSolutions to solicit recurring gifts
Who can wait to upgrade?
Organizations that
Don’t store credit cards in The Raiser’s Edge
Process recurring gifts and use a processor not currently supported by The Raiser’s Edge
If you decide to wait
Self-assess to better understand your exposure
Upgrade requirements
Authenticate to the Blackbaud Payment Service via the Support Download Site
http://www.blackbaud.com/support/downloads
Accept or decline use of BBPS
• Accept: sends you through to authenticate your organization to BBPS
• Requires: Site ID and email address currently on file with Blackbaud Support
• Your credit cards will be replaced with tokens
• Decline: sends you through the normal download process
• Your historical credit card numbers in your database will be truncated
If you are a Raiser’s Edge customer (including NetSolutions)
Requires an internet connection and SQL Server 2000 SP4, 2005 or 2008
• Process via IATS: do nothing, BBPS takes care of it
• Process via ICVerify: upgrade to v4.03 SP3
If you are a NetCommunity customer
Upgrade NetCommunity before The Raiser’s Edge
• Requires SQL Server 2005 SP1; compatible with SQL Server 2008
• (The Raiser’s Edge can still be on SQL Server 2000 SP4, 2005 or 2008)
What you should do now
Collection
Understand what information your organization collects and why.
Only collect information you need.
Make sure you can justify why you collect certain data.
Use
Only use the information for the purpose it was collected.
Access
Limit the number of people who have access to sensitive data.
Remove parts of the data that are not needed.
Don’t allow sensitive data to be in view of all staff or publicly on your website.
Storage
Only store the data your organization uses. If you don’t need it – delete it.
Self-assess to better understand your exposure
Helpful links
PCI Overall information: http://www.pcisecuritystandards.org
PCI Quick Reference Guide from the PCI Security Council
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Self-Assessment Questionnaire:
https://www.pcisecuritystandards.org/saq/index.shtml
Find a QSA: http://www.pcisecuritystandards.org/qsa_asv/find_one.shtml
• Trustwave - Blackbaud’s preferred QSA:
http://www.blackbaud.com/company/pci/trustwave.aspx
Visa timeline mandates:
http://usa.visa.com/merchants/risk_management/cisp_key_dates.html
Blackbaud sites:
PCI Landing page: http://www.blackbaud.com/pci
• Learn more about BBPS and other Blackbaud applications
PCI Blog: http://forums.blackbaud.com/blogs/pci/default.aspx
Questions?