OnlineExpress and PCI Compliance
In response to the latest PCI guidelines, our IT Department has requested the removal of our embedded OnlineExpress Giving Form from our website. Instead, they're suggesting a transition to an NXT form that can be launched from its URL due to compliance concerns with embedded credit card information on our organization website. Are others navigating this change as well? I'd be interested in how you working through this change and any alternatives to NXT Forms that you are exploring. The NXT forms currently only allow one designation, can be difficult to spot duplicate constituents, and are just slow and cumbersome to process.
Thank you!
Ryan
Comments
-
@Ryan York - Take a look at Knowledgebase there are a few articles that talk about how credit card information is used within an OLX - while it's embedded on your website, no cc information is being stored there.
Also, it is possible to allow multiple designations (funds) on an NXT form, and managing the potential duplicates is easy enough to add into your process for reviewing online gifts - the system lets you know within batch which constituent records it added. I recommend you take a look at the post linked below for the steps involved within merging your online review process with duplicate management:2 -
@Ryan York
Hi, wasn't aware there is a new PCI guideline on embedded forms that does credit card transaction. Any link you can point me to for this?2 -
@Ryan York I'm with @Alex Wong. I'm not aware of any PCI guidelines that would impact the embedded OLX forms. Moving to the NXT form is a definite change of process and will have a significant effect on the gift entry workflow.
2 -
@Alex Wong @Dariel Dixon @Austen Brown
Thank you all for responding. We continued the conversation with our IT team and they provided a little more detail. If you have any additional insights/advice – I'd greatly appreciate it!
The main concern from IT is about changes to the scripts involved in the page that has the payment frame on it.
Here is the support provided:
PCI DSS Version 3.2.1 ends March 31, 2024. One major change in PCI 4.0 relates to websites collecting payment information, requires that all scripts must be inventoried, authorized with written justification as to why each is necessary, and have methods to ensure the integrity of each script.
https://www.humansecurity.com/learn/blog/pci-dss-v4.0-is-coming-and-how-to-achieve-compliance
Section 6.4.3 of PCI DSS v4.0 establishes the following requirements for all payment page scripts that are loaded and executed in the consumer’s browser.
· A method implemented to confirm that each script is authorized
· A method implemented to assure the integrity of each script
· An up-to-date inventory of all scripts, maintained with written justification as to why each is necessary
1 -
@Ryan York Thank you for this. There is some contradictory language here though. I think you say that support version 3.2.1 ends March 2024, but it actually ends on March 2025.
This link to the actual standards here gives more information. The section in question is on page 15.
I wouldn't suggest reading the entire document per se unless you're really interested or really bored.
I'll copy Section 6.4.3 here to save some time. Emphasis in the document is carried over here.
New requirement for management of all payment page scripts that are loaded and executed in the consumer’s browser. This requirement is a best practice until 31 March 2025.
The way I read this is kind of confusing. Does this mean that embedded payment solutions have to go away? I'm not a lawyer nor did I stay at a Holiday Inn last night, so I'm not really sure, but this does not implicitly say that. TBH, it's vague at best. I do think your concerns are valid. I don't know how long it will take the industry to evolve to meet the new standards, but I would expect a new version of almost all payment methods over the next year or so.
0 -
@Ryan York
Thanks for the information.So from reading this, it does not sounds like not a “hard requirement” that script and embed cannot be on the site, but rather, it needs to be vetted, and explicitly approved. I found this article which talks about how to handle these 3 bullets point
0
Categories
- All Categories
- Shannon parent
- shannon 2
- shannon 1
- 21 Advocacy DC Users Group
- 14 BBCRM PAG Discussions
- 89 High Education Program Advisory Group (HE PAG)
- 28 Luminate CRM DC Users Group
- 8 DC Luminate CRM Users Group
- Luminate PAG
- 5.9K Blackbaud Altru®
- 58 Blackbaud Award Management™ and Blackbaud Stewardship Management™
- 409 bbcon®
- 2K Blackbaud CRM™ and Blackbaud Internet Solutions™
- donorCentrics®
- 1.1K Blackbaud eTapestry®
- 2.8K Blackbaud Financial Edge NXT®
- 1.1K Blackbaud Grantmaking™
- 527 Education Management Solutions for Higher Education
- 21 Blackbaud Impact Edge™
- 1 JustGiving® from Blackbaud®
- 4.6K Education Management Solutions for K-12 Schools
- Blackbaud Luminate Online & Blackbaud TeamRaiser
- 16.4K Blackbaud Raiser's Edge NXT®
- 4.1K SKY Developer
- 547 ResearchPoint™
- 151 Blackbaud Tuition Management™
- 1 YourCause® from Blackbaud®
- 61 everydayhero
- 3 Campaign Ideas
- 58 General Discussion
- 115 Blackbaud ID
- 87 K-12 Blackbaud ID
- 6 Admin Console
- 949 Organizational Best Practices
- 353 The Tap (Just for Fun)
- 235 Blackbaud Community Feedback Forum
- 124 Ninja Secret Society
- 32 Blackbaud Raiser's Edge NXT® Receipting EAP
- 55 Admissions Event Management EAP
- 18 MobilePay Terminal + BBID Canada EAP
- 36 EAP for New Email Campaigns Experience in Blackbaud Luminate Online®
- 109 EAP for 360 Student Profile in Blackbaud Student Information System
- 41 EAP for Assessment Builder in Blackbaud Learning Management System™
- 9 Technical Preview for SKY API for Blackbaud CRM™ and Blackbaud Altru®
- 55 Community Advisory Group
- 46 Blackbaud Community Ideas
- 26 Blackbaud Community Challenges
- 7 Security Testing Forum
- 1.1K ARCHIVED FORUMS | Inactive and/or Completed EAPs
- 3 Blackbaud Staff Discussions
- 7.7K ARCHIVED FORUM CATEGORY [ID 304]
- 1 Blackbaud Partners Discussions
- 1 Blackbaud Giving Search™
- 35 EAP Student Assignment Details and Assignment Center
- 39 EAP Core - Roles and Tasks
- 59 Blackbaud Community All-Stars Discussions
- 20 Blackbaud Raiser's Edge NXT® Online Giving EAP
- Diocesan Blackbaud Raiser’s Edge NXT® User’s Group
- 2 Blackbaud Consultant’s Community
- 43 End of Term Grade Entry EAP
- 92 EAP for Query in Blackbaud Raiser's Edge NXT®
- 38 Standard Reports for Blackbaud Raiser's Edge NXT® EAP
- 12 Payments Assistant for Blackbaud Financial Edge NXT® EAP
- 6 Ask an All Star (Austen Brown)
- 8 Ask an All-Star Alex Wong (Blackbaud Raiser's Edge NXT®)
- 1 Ask an All-Star Alex Wong (Blackbaud Financial Edge NXT®)
- 6 Ask an All-Star (Christine Robertson)
- 21 Ask an Expert (Anthony Gallo)
- Blackbaud Francophone Group
- 22 Ask an Expert (David Springer)
- 4 Raiser's Edge NXT PowerUp Challenge #1 (Query)
- 6 Ask an All-Star Sunshine Reinken Watson and Carlene Johnson
- 4 Raiser's Edge NXT PowerUp Challenge: Events
- 14 Ask an All-Star (Elizabeth Johnson)
- 7 Ask an Expert (Stephen Churchill)
- 2025 ARCHIVED FORUM POSTS
- 322 ARCHIVED | Financial Edge® Tips and Tricks
- 164 ARCHIVED | Raiser's Edge® Blog
- 300 ARCHIVED | Raiser's Edge® Blog
- 441 ARCHIVED | Blackbaud Altru® Tips and Tricks
- 66 ARCHIVED | Blackbaud NetCommunity™ Blog
- 211 ARCHIVED | Blackbaud Target Analytics® Tips and Tricks
- 47 Blackbaud CRM Higher Ed Product Advisory Group (HE PAG)
- Luminate CRM DC Users Group
- 225 ARCHIVED | Blackbaud eTapestry® Tips and Tricks
- 1 Blackbaud eTapestry® Know How Blog
- 19 Blackbaud CRM Product Advisory Group (BBCRM PAG)
- 1 Blackbaud K-12 Education Solutions™ Blog
- 280 ARCHIVED | Mixed Community Announcements
- 3 ARCHIVED | Blackbaud Corporations™ & Blackbaud Foundations™ Hosting Status
- 1 npEngage
- 24 ARCHIVED | K-12 Announcements
- 15 ARCHIVED | FIMS Host*Net Hosting Status
- 23 ARCHIVED | Blackbaud Outcomes & Online Applications (IGAM) Hosting Status
- 22 ARCHIVED | Blackbaud DonorCentral Hosting Status
- 14 ARCHIVED | Blackbaud Grantmaking™ UK Hosting Status
- 117 ARCHIVED | Blackbaud CRM™ and Blackbaud Internet Solutions™ Announcements
- 50 Blackbaud NetCommunity™ Blog
- 169 ARCHIVED | Blackbaud Grantmaking™ Tips and Tricks
- Advocacy DC Users Group
- 718 Community News
- Blackbaud Altru® Hosting Status
- 104 ARCHIVED | Member Spotlight
- 145 ARCHIVED | Hosting Blog
- 149 JustGiving® from Blackbaud® Blog
- 97 ARCHIVED | bbcon® Blogs
- 19 ARCHIVED | Blackbaud Luminate CRM™ Announcements
- 161 Luminate Advocacy News
- 187 Organizational Best Practices Blog
- 67 everydayhero Blog
- 52 Blackbaud SKY® Reporting Announcements
- 17 ARCHIVED | Blackbaud SKY® Reporting for K-12 Announcements
- 3 Luminate Online Product Advisory Group (LO PAG)
- 81 ARCHIVED | JustGiving® from Blackbaud® Tips and Tricks
- 1 ARCHIVED | K-12 Conference Blog
- Blackbaud Church Management™ Announcements
- ARCHIVED | Blackbaud Award Management™ and Blackbaud Stewardship Management™ Announcements
- 1 Blackbaud Peer-to-Peer Fundraising™, Powered by JustGiving® Blogs
- 39 Tips, Tricks, and Timesavers!
- 56 Blackbaud Church Management™ Resources
- 154 Blackbaud Church Management™ Announcements
- 1 ARCHIVED | Blackbaud Church Management™ Tips and Tricks
- 11 ARCHIVED | Blackbaud Higher Education Solutions™ Announcements
- 7 ARCHIVED | Blackbaud Guided Fundraising™ Blog
- 2 Blackbaud Fundraiser Performance Management™ Blog
- 9 Foundations Events and Content
- 14 ARCHIVED | Blog Posts
- 2 ARCHIVED | Blackbaud FIMS™ Announcement and Tips
- 59 Blackbaud Partner Announcements
- 10 ARCHIVED | Blackbaud Impact Edge™ EAP Blogs
- 1 Community Help Blogs
- Diocesan Blackbaud Raiser’s Edge NXT® Users' Group
- Blackbaud Consultant’s Community
- Blackbaud Francophone Group
- 1 BLOG ARCHIVE CATEGORY
- Blackbaud Community™ Discussions
- 8.3K Blackbaud Luminate Online® & Blackbaud TeamRaiser® Discussions
- 5.7K Jobs Board