Blackbaud Online Giving Form - not secure?

I'm not sure where else to post this... We're looking at different schools and their giving forms.  We found a school that says it is using Blackbaud's online giving, but the form is NOT secure.  


I would think Blackbaud would enforce security, wouldn't they? 


I guess if the giving form is hosted on the school's site, there's not much Blackbaud can do, is there?

Comments

  • Blackbaud NetCommunity?  I know that has a donation part that is not secure, so we don't use that one.  The payment 2.0 part is secure and PCI compliant.  Also, I found the donation part/method on the personal giving pages is NOT secure in my book either.

     

  • I'm not entirely sure if it's NetCommunity or not.  It has all the personal info and the credit card fields on a one page form, and Chrome says "This page is not secure, do not enter things like passwords and credit cards here..."  And then there's a link that reads "Payment Process By Blackbaud"... That probably isn't PCI compliant, is it?


    We don't have NetCommunity (and we're looking at lots of different options for online giving right now) so I'm a little unclear about what needs to be secure and what doesn't....
  • I'm not an expert on PCI, however, that does not sound secure.  At minimum, it should use an SSL certificate and the URL should be prefixed with "https://".  Now their certificate may have just expired, so they should take care of that ASAP if that is it.

    However, just because you use BBPS or BBMS to process credit cards, does not mean you are PCI compliant.


    The idea is if you enter, transmit, or store credit cards on your network, the entire network would be brought into scope.   Even if you store paper credit card information, there are certain steps you need to take to be PCI compliant.



    I try to have the credit cards processed on third-party servers, so that we are not bringing our network into scope.  More information on PCI in general can be found here: https://www.pcisecuritystandards.org/
    I do recommend working with a PCI consultant to ensure PCI compliance for your organization.  Even if you use all third-party vendors you are required to fill out one of these forms: https://www.pcisecuritystandards.org/document_library?category=saqs#results

     
  • We had the same issue when we switched to Online Express/BBMS. We had to have our web person secure our website. BB had nothing to do with it.
  • I've seen this (and have had it happen to me). Usually it's due to a photo or logo being on the page that is externally hosted. 


    For example, if I have a BBNC page (https://www.donatenow.com) but the layout points to an external logo (http://www.mycompany.com/logo.jpg) in the code, this will cause Chrome to say the page is not secure. In Chrome you can Ctrl+Shift+I to see the page's code, and search for "http://" to see where the bad links are.


    I hope this explains it!  I have a head cold today so what I wrote may be gibberish.

    Michelle
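The check described in the comment above (looking through an HTTPS page's source for `http://` references), as an added example that is not part of the original thread. It only reports URLs the browser actually loads or submits to, so an ordinary `<a href="http://...">` link, which a plain text search would also hit, is ignored. The host names and markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser load a resource or submit data.
# "active" = scripts, frames, stylesheets; "passive" = images and media.
URL_ATTRS = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "form": ("action", "form"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, resolved_url)

    def handle_starttag(self, tag, attrs):
        attr, kind = URL_ATTRS.get(tag, (None, None))
        a = dict(attrs)
        if attr is None or not a.get(attr):
            return
        # <link> only loads a resource when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        resolved = urljoin(self.page_url, a[attr])
        if urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, kind, resolved))

def find_mixed_content(page_url, html):
    """Return insecure loads/submissions found on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page itself is not served over HTTPS")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a giving page with an externally hosted logo.
SAMPLE_PAGE_URL = "https://giving.example.org/donate"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/form.css">
<script src="//cdn.example.net/widget.js"></script>
</head><body>
<img src="http://www.example.com/logo.jpg" alt="logo">
<a href="http://www.example.com/about">About us</a>
<form action="http://giving.example.org/submit" method="post"></form>
</body></html>"""
```
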
  • We had something similar come up and it had to do with our web address: people were typing www before the address, so it was being redirected to our actual address, making it appear as though the page wasn't secure. BB helped us put the verified by GEO Trust on each of our giving pages so visitors would know it was secure. I would check with support; they can probably help you identify why it is being flagged and fix it.

     

  • Nicole McMorrow:

    We had the same issue when we switched to Online Express/BBMS. We had to have our web person secure our website. BB had nothing to do with it.

    Same here - we switched to OLX and needed to buy the security for the page. No big deal - just wish someone other than a DONOR had told us!

     

  • Karen Stuhlfeier

    You're right - it's no big deal, but it would be nice to get this information from Blackbaud. We also heard from a donor about this. 



    Jennifer Lange:

    Nicole McMorrow:

    We had the same issue when we switched to Online Express/BBMS. We had to have our web person secure our website. BB had nothing to do with it.

    Same here - we switched to OLX and needed to buy the security for the page. No big deal - just wish someone other than a DONOR had told us!

     

     

     

  •  

    We also had this problem when we switched to OLX. I was surprised to discover that OLX wouldn't be secure with our current website. We couldn't buy a certificate for that website setup, but were within a couple of months of upgrading our site on a new host. We needed to switch the type of hosting we purchased, and needed the certificate. I was surprised that BB didn't share more of this info before selling us the software. And clearly it wasn't only us. (Blackbaud, if you're listening, please give your customers more info about what they need to have in place to use OLX forms securely, before the purchase!)

  • Tom Klimchak:

    I'm not sure where else to post this... We're looking at different schools and their giving forms.  We found a school that says it is using Blackbaud's online giving, but the form is NOT secure.  


    I would think Blackbaud would enforce security, wouldn't they? 


    I guess if the giving form is hosted on the school's site, there's not much Blackbaud can do, is there?

    Though it doesn't directly affect this particular issue, with the recent change in regulations allowing ISPs to sell consumer browsing information, now is a good time for all organizations to take a closer look at all your web security and consider forcing https for your entire web site.  Technology has advanced enough that the added overhead is minimal and the extra security also helps block 3rd party pop-ups (xfinity is notorious for adding content when using their open wifi).  https://en.wikipedia.org/wiki/HTTPS_Everywhere

     
