Raiser's Edge NXT, PCI, validated P2PE integration for significant scope reduction and cost savings - anyone interested?
Hi all,
Our Advancement offices recently signed a contract to implement Raiser's Edge NXT. Upon review by our PCI Compliance Team, we realized that Blackbaud CRM had integrated a validated P2PE solution, however, Raiser's Edge NXT had not. We have enquired about a validated P2PE integration date and have been told this will be on the 2018 roadmap. We are looking for a definitive date when the RE integration will take place so we can plan our project timeline.
Are any other institutions struggling with PCI compliance, specifically securing the workstations used to enter payment card data? It is extremely expensive to provision dedicated-purpose computers and perform File Integrity Monitoring, logging, alerting, vulnerability scans and penetration tests for these workstations. We have implemented validated P2PE solutions, across our campuses, for all card-present and card-not-present transactions. If we implement Raiser's Edge NXT without P2PE, it will cost us several thousands of dollars per year to secure.
I'm wondering if other institutions are in this same situation? If so, have you received a definitive date (and commitment) from BB to integrate Raiser's Edge NXT with a validated P2PE solution?
Best regards,
Jane Aube
Loan Programs & PCI Compliance Specialist
Middlebury College
Comments
Jane, most people here, including me, don't know what P2PE is and have been led by BB to believe RE is fully PCI compatible in all regards it could be. Could you please explain what P2PE is, why it matters, and if you can, how BB CRM has this and RE NXT does not? Thank you.
Bill,

My apologies for assuming members were familiar with PCI acronyms. I want to note that I am not a Qualified Security Assessor (QSA) and the information provided below is my understanding of the Payment Card Industry Data Security Standards (PCI DSS). My experience comes from managing the PCI compliance at our institution and working with industry professionals for the past few years.

Blackbaud Internet Services (Hosting Provider) and Blackbaud Payment Services (gateway/switch, payment processing) are PCI Service Provider Level 1 validated. This means that the solution itself is compliant to the Payment Card Industry Data Security Standards (PCI DSS). The card brands and the Payment Card Industry Security Standards Council (PCI SSC) require the solution to be implemented, and utilized, in accordance with the PCI DSS.

For e-commerce transactions (constituents making a charitable donation or registering for an event), the solution is compliant. The constituent is performing the transaction in Raiser's Edge hosted by Blackbaud, which is compliant (*does not include Online Express, which is embedded on the client's website).

For mail order, telephone order and card-present transactions (staff entering payment card data into Raiser's Edge) the client must secure, to the PCI DSS, the workstation(s) they are entering payment card data on. This is where it gets complex and very expensive = PCI scope. The workstations need to be segmented off the campus network with firewall and switches, locked down (dedicated purpose) to only allow access to specific URL/IP addresses (no email, no web browsing), all traffic monitored, logged, alerted and alerts acted on, anti-virus, security updates, internal and external vulnerability scans and penetration testing. Not only is the workstation in PCI scope (known as the Cardholder Data Environment, CDE) but also the system components that have controlled access to the CDE. These system components could provide security services, can initiate inbound connection to the CDE, can receive a connection from the CDE etc. Examples are the system management console for a log management server, Active Directory, antivirus.

This is where Point to Point Encryption (P2PE) validated solutions come into play. A validated P2PE solution can reduce the PCI scope from the workstation, network and connected system components to the P2PE device and the staff entering the payment card data. Middlebury has saved over $50,000 per year by replacing legacy solutions and implementing only validated P2PE solutions on our campuses. We have worked with our service providers over the years to integrate P2PE validated solutions, including iModules, Ruffalo Noel Levitz Campus Call and MBS Books.

If/when Blackbaud integrates a validated P2PE solution with Raiser's Edge, clients will be able to purchase an IDTECH SRED P2PE device that plugs into a workstation with a USB cord. This device is the CDE; the workstation and campus network are no longer in PCI scope. The staff would still log into Raiser's Edge as they do now, however, the field they currently enter payment card data into would only accept encrypted data from the IDTECH SRED device.

Blackbaud has already integrated Bluefin's validated P2PE solution with Blackbaud CRM. Blackbaud has let us know that Raiser's Edge NXT P2PE integration is being looked at for the 2018 roadmap, with no definitive commitment or specific timeline. We are hopeful that Blackbaud will integrate Raiser's Edge NXT and Bluefin's P2PE validated solution prior to our go-live in the fall of 2018. If not, we will need to make the decision of whether to delay our go-live or spend a significant amount of money (and staff resources) to secure, and maintain, this secure solution to the PCI DSS.

Hopefully this makes sense and doesn't cause further confusion. I'm happy to discuss further (via this forum or offline) if anyone has questions, comments, concerns.

Best regards,
Jane
Jane Aube | Loan Programs and Compliance Specialist | Student Financial Services | Middlebury College | 802.443.5790
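To make the scope-reduction mechanism in the reply above concrete, here is an added illustration (not Blackbaud's, Bluefin's or IDTECH's code) of how a gift-entry payment field behaves once it is wired to an encrypting reader: it accepts only an opaque encrypted payload from the device and refuses anything that looks like a cleartext card number, so the workstation never holds cardholder data. The payload framing (`P2PE:<ksn>:<hex>`), the helper names and the sample inputs are all constructed for the example; real SRED readers use their own output format.

```python
"""
Constructed example of a P2PE-gated payment field. It does two things the
reply describes: accept only ciphertext produced by the point-of-interaction
device, and reject (without storing or echoing) any cleartext PAN that a user
might type in by hand.
"""
import re

# Assumed reader output: "P2PE:<20 hex KSN>:<hex ciphertext>". Stand-in only.
P2PE_RE = re.compile(r"^P2PE:(?P<ksn>[0-9A-F]{20}):(?P<ct>[0-9A-F]{32,})$")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every major card brand's PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if value contains a 13-19 digit, Luhn-valid run (spaces/dashes allowed)."""
    for m in re.finditer(r"\d[\d -]{11,21}\d", value):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def accept_payment_field(value: str) -> dict:
    """
    Gate for the payment card field. Returns only what the application may
    keep: the key serial number and ciphertext length from the reader, or a
    rejection that never echoes the offending input (so no PAN lands in logs).
    """
    value = value.strip()
    m = P2PE_RE.match(value)
    if m:
        return {
            "status": "accepted",
            "ksn": m.group("ksn"),
            "ciphertext_len": len(m.group("ct")) // 2,
        }
    if looks_like_pan(value):
        return {
            "status": "rejected",
            "reason": "cleartext card number not permitted; use the P2PE reader",
        }
    return {"status": "rejected", "reason": "unrecognised input"}


if __name__ == "__main__":
    # Constructed sample inputs: a reader payload and a well-known test PAN.
    sample_reader_output = "P2PE:FFFF9876543210E00001:" + "AB" * 16
    print(accept_payment_field(sample_reader_output))
    print(accept_payment_field("4111 1111 1111 1111"))
```

The point of the gate is that the workstation, the Raiser's Edge session and the campus network only ever see the `P2PE:` blob; decryption happens at the P2PE solution provider, which is why the scope collapses to the device and the person holding it.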
Jane - I'd be happy to talk to you (and anyone else in this situation) more about this as our campus just completed its submission at the end of May. Since we are looking at a 2-yr timeline for switching to NXT, we worked out a "workaround". We use First Data cellular swipers to take one-time donations over the phone - in our Development office and the Call Center - and we have Bluefin P2PE keypads going through a Bluefin-built gateway for all other needs (multi-payment pledges, recurring gifts etc). Gift entry for these credit card gifts is not as seamless as it could be but is no worse than entering checks or stocks, for example. For the Call Center, we use RNL software, so we get a data feed from them and just use the credit card machines' tapes for reconciliation purposes; so the only manual entry is for gifts over the phone in our Development office or the recurring payments coming through the Bluefin solution (of which we have none yet).
Marijana Boone | Director, Advancement Services | College of Charleston
Hi Marijana,
Thanks so much for the kind offer! I truly appreciate the willingness to help other institutions.
At this time, Middlebury is all set as we have implemented all P2PE validated solutions. We replaced all of our cellular swipe terminals with either Bluefin PAX S500s (stand-alone swipe terminals) or IDTECH SRED devices. We had worked with RNL (CampusCall SaaS Phonathon) and iModules (charitable donations) to integrate Bluefin's P2PE solution and IDTECH SRED devices, a huge win for their clients. We currently do all of our recurring gifts in iModules, so the P2PE integration was key. This will all change when Advancement switches to RE.
My issue is that when we implement RE NXT, without P2PE, staff will be entering CHD into RE from workstations. Our Advancement Office will not want to implement a non-integrated workaround as they are used to having real-time transactions show in our system. This is especially true at calendar and fiscal year end when they are sending email solicitations and want to make certain they aren't soliciting a donor that just gave a gift.
My quandary is the resources it will take to install dedicated workstations and secure them to the PCI DSS. Our PCI scope will go from only being the P2PE devices and staff, to a segmented network that has to be managed to the standards = several thousand dollars.
Hi all,
The Blackbaud Ideas Board has a post on this subject. If you are interested in Raiser's Edge NXT integrating with a validated P2PE solution, please go to https://re7.ideas.aha.io/ideas/RE7-I-2423 to vote and enter a comment if you choose to.
Thanks all, have a great weekend!
Jane
Hi all,
Blackbaud is moving along with the PCI validated Point-to-Point Encrypted (P2PE) solution integration, with RE NXT/BB Checkout single gift entry and recurring gift entry. Mobile Pay is not currently on the Roadmap for P2PE integration. If you are interested in reducing your PCI scope (potentially saving thousands of dollars in security and compliance costs), please comment on the Blackbaud Idea Bank.
Jane Aube:
Hi all,
The Blackbaud Ideas Board has a post on this subject. If you are interested in Raiser's Edge NXT integrating with a validated P2PE solution, please go to https://re7.ideas.aha.io/ideas/RE7-I-2423 to vote and enter a comment if you choose to.
Thanks all, have a great weekend!
Jane