Online Express and PCI Compliance for embedded forms

Hi,

I am wondering what other organizations are doing to ensure PCI compliance on their websites for Online Express donation forms. Our website is not PCI compliant, so we now have an issue that we cannot embed Online Express donation forms on the website for security issues. From my understanding, even though Online Express is PCI compliant, once the forms are embedded on your website to maintain compliance the website must be.


Thanks for any help with this!


Melissa

Comments

  • Hi-


    We encountered the exact same issue. Our website is so large that we have come to learn our IT will NOT secure a page for us to embed the OLX donation form (because they would have to secure the entire site to be PCI compliant). This, of course, has come as a surprise to us. When we upgraded to NXT and bought into the OLX concept, none of these potential issues were made known to us by Blackbaud. We feel a bit hoodwinked to say the least.


    We are troubleshooting this now. One option we are looking into is to go onto a sub-domain for just the donation page (but costs and web development are a great concern). Another option we are exploring is finding a completely different vendor for just handing online donations (such as a web page with Square Space). Lastly, we are stuck with and must remain on NetCommunity indefinitely (which we are trying to get off of because of how antiquated the system is).


    At this point, none of these options are ideal.


    Hope this helps.


    Jane


  • We also have experienced this issue with respect to PCI compliance. In order to mitigate this the best we can, we created a new site using https (which requires the purchase of an SSL certificate), do regular vulnerability scans and implemented file integrity monitoring (we have a system that ensures that the files are not being tampered with) on the files in question. We are trying to follow as many best practices as possible.


    Depending on how aggressive your QSA is (if you're not just doing a self-assessment), this may or may not be enough.


    I would highly agree that putting the onus on the organization to follow PCI practices is both time- and money-consuming, and a real shortcoming of Online Express. We migrated from the Sphere product which fully hosted the donation form and it makes PCI compliance a non-issue. The long-term solution should be hosting of the forms completely on the OLX platform.
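The file integrity monitoring Paul describes is worth seeing concretely, because the thing it protects is the page that carries the OLX embed snippet: if that HTML or its loader script is altered, the card-capture flow can be altered with it. The following is an added example (not Blackbaud's code and not the poster's system) of a minimal baseline-and-compare monitor in Python. It hashes the HTML, JS and CSS files under a web root with SHA-256, stores the baseline as JSON, and reports files that were added, removed or modified. The web root, file names and the "unauthorized" edit are all constructed inside a temporary directory so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth watching on a page that carries a payment embed (assumption: adjust per site).
WATCHED_SUFFIXES = (".html", ".htm", ".js", ".css")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root):
    """Map of relative path -> SHA-256 for every watched file under web_root."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def save_baseline(baseline, path):
    # In production keep this file outside the web root and off the web server's write path.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Baseline a constructed web root, make an unapproved change, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample page and loader; not the real OLX embed.
        (root / "donate.html").write_text('<div id="olx-form"></div>\n<script src="embed.js"></script>\n')
        (root / "embed.js").write_text("// loader that pulls the hosted donation form\n")
        baseline_path = root / "baseline.json"  # .json is not watched, so it never reports itself
        save_baseline(build_baseline(root), baseline_path)

        # Simulate changes the monitor should catch: an edited loader and an unexpected new script.
        with open(root / "embed.js", "a") as fh:
            fh.write("// line appended outside the release process\n")
        (root / "extra.js").write_text("// file not present in the baseline\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule (or from a deploy hook that refreshes the baseline after each approved release) and alert on any non-empty list; a changed `embed.js` on the donation page is exactly the event the thread's compliance concern is about.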
  • Paul,

    Thanks for the info. We are currently looking to redesign a website and are hoping to implement OLX. We currently have no issues with PCI Compliance as our donation page is hosted by a third party but we hoped to end that relationship in order to launch OLX. I appreciate the heads up on the barriers we can expect to encounter. Good Luck.


    Paul Sheen:

    We also have experienced this issue with respect to PCI compliance. In order to mitigate this the best we can, we created a new site using https (which requires the purchase of an SSL certificate), do regular vulnerability scans and implemented file integrity monitoring (we have a system that ensures that the files are not being tampered with) on the files in question. We are trying to follow as many best practices as possible.


    Depending on how aggressive your QSA is (if you're not just doing a self-assessment), this may or may not be enough.


    I would highly agree that putting the onus on the organization to follow PCI practices is both time- and money-consuming, and a real shortcoming of Online Express. We migrated from the Sphere product which fully hosted the donation form and it makes PCI compliance a non-issue. The long-term solution should be hosting of the forms completely on the OLX platform.


  • I recommend SiteLock. They have non profit rates and provide PCI COMPLIANCE.
  • Melissa Anderson:

    Hi,

    I am wondering what other organizations are doing to ensure PCI compliance on their websites for Online Express donation forms. Our website is not PCI compliant, so we now have an issue that we cannot embed Online Express donation forms on the website for security issues. From my understanding, even though Online Express is PCI compliant, once the forms are embedded on your website to maintain compliance the website must be.


    Thanks for any help with this!


    Melissa

    Following - we are on the same page. Just found that we won't be able to embed donation forms on our webpage. @Kathryn David mentioned SiteLock but wondering what other organizations are doing.

  • Kathryn David:

    I recommend SiteLock. They have non profit rates and provide PCI COMPLIANCE.

    Good morning Kathryn,

    Would you have a few minutes this morning to talk about this option? We are facing this same issue and want to explore remotely hosted PCI Compliance options before we setup a physical server in our DMZ to handle these pages. If you are available, then please email me at standish.stewart@tri-c.edu so that we can setup a time to discuss.

    Best,

    Standish

  • Has anyone found a successful solution? This is an old thread, yet we were also unaware of the PCI issue with the embed code until recently (we're not even live yet). Now we're scrambling to find a solution. Any update would be much appreciated! 
  • We recently released the ability to configure Online Express donation forms to use Blackbaud Checkout for credit card processing. One important aspect of using Blackbaud Checkout is that the tech it uses to render the payment capture window is different than how Online Express functioned prior to this option being available.


    Prior to BB Checkout being an option, a direct (secure) connection between the donor's browser and the OLX web application is how the entire OLX donation form was loaded...but the actual HTML elements of the forms themselves are inserted directly into the page HTML. This is done directly in the donor's browser (not ever touching the organization's web server)...but the PCI rules are pretty inflexible and the fact that the form that captures card info (i.e. the OLX form used before BB Checkout became an option) doesn't render from an external web page typically causes organizations to conclude that they need to step up one level in the PCI self-assessment questionnaire they need to follow (from SAQ-A to SAQ A-EP).


    Well, we believe that the use of the BB Checkout option changes things. When the little BB Checkout window that captures card info appears, it's actually being rendered from an external Blackbaud (PCI-compliant) page. You'll want to confirm with whoever advises your organization on PCI compliance matters, but we believe that this difference in how BB Checkout functions will allow organizations who use OLX donation forms configured this way to qualify for the "easy" PCI self-assessment questionnaire (SAQ-A).


    You can "upgrade" any existing OLX form to use BB Checkout by editing the form and on the step where you choose whether to allow credit card processing, you'll see a new option to process using Blackbaud Checkout. 


    Note that this option is coming to OLX Event and Membership forms in the next few weeks as well.


    Thanks!

    Chris Martin

    Blackbaud Product Management
  • Hi Chris,


    Thanks for this. We are one of the customers who were advised by our compliance colleagues that we could not use OLX payment forms without stepping up to SAQ A-EP. I'm hoping this change will mean that I can go back to them for a review on their decision. I'd love to be able to stop using additional third party workarounds like Eventbrite/Stripe. 


    However, I will need more detail on how the implementation differs from old OLX form to Checkout forms in order to satisfy IT and Finance colleagues. Can someone at BB provide a technical description of how the form renders from BB servers? Also maybe an explanation of why this script approach has been implemented rather than the more common iFrame solution used by other SAQ A compliant form suppliers. 


    Keith 
  • Hi Keith Scott. The short explanation is that Blackbaud Checkout actually renders form content in an iframe. The original OLX solution inserted form elements directly onto the page in the donor/supporter's browser. That subtle difference is the primary reason most organizations have concluded that the latter requires SAQ A-EP and why our compliance team believes most organizations using OLX configured for BB Checkout will fall under SAQ A.


    The reason we chose an implementation that relies on embedding code snippets is that this allows our customers to take that code snippet and insert a PCI-compliant web form onto any page of their website. Other solutions that have the payment form living on a separate web page outside of the organization's main website have the challenges of how to ensure donor confidence that they can trust a donation page with a URL that's different than that of the site they navigated to and whose look and feel doesn't quite match all of the other pages they're familiar with.


    Hopefully that helps. Thanks!

    Chris Martin

    Blackbaud Product Management
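The distinction Chris draws in his two posts (card inputs injected into the merchant's own DOM versus card capture rendered inside a cross-origin iframe) is the thing a compliance reviewer actually needs to see on the page. The following is an added example, not Blackbaud's code, of a small Python check that classifies a rendered-DOM snapshot along exactly that line: it looks for inputs whose `name`, `id` or `autocomplete` attributes suggest card data, and separately lists iframes and scripts loaded from a host other than the page's own. The attribute hints, the host names and both HTML snapshots are constructed assumptions; because the original OLX approach injects fields at runtime, the input must be the DOM as rendered in a browser (for example, saved from developer tools), not the static page source.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute fragments that commonly mark card-data inputs (heuristic; extend for your own forms).
CARD_HINTS = ("cc-number", "cardnumber", "card_number", "cc-csc", "cvv", "cvc", "cc-exp")


class PaymentSurfaceScanner(HTMLParser):
    """Collects card-entry inputs present in the page's own DOM, plus cross-origin
    iframes and scripts, from a rendered-DOM snapshot."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.inline_card_inputs = []
        self.external_iframes = []
        self.external_scripts = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            hint = " ".join((a.get("name", ""), a.get("id", ""), a.get("autocomplete", ""))).lower()
            if any(h in hint for h in CARD_HINTS):
                self.inline_card_inputs.append(hint.strip())
        elif tag in ("iframe", "script") and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            # Relative URLs have no netloc and are treated as same-origin.
            if host and host != self.page_host:
                bucket = self.external_iframes if tag == "iframe" else self.external_scripts
                bucket.append(host)


def classify(rendered_html, page_host):
    """Return which PCI scope the rendered page most resembles, with the evidence found."""
    scanner = PaymentSurfaceScanner(page_host)
    scanner.feed(rendered_html)
    if scanner.inline_card_inputs:
        scope = "card fields live in the merchant page DOM (SAQ A-EP territory)"
    elif scanner.external_iframes:
        scope = "card capture appears isolated in a third-party iframe (SAQ A candidate; confirm with your QSA)"
    else:
        scope = "no card capture detected on this page"
    return {
        "scope": scope,
        "inline_card_inputs": scanner.inline_card_inputs,
        "external_iframes": scanner.external_iframes,
        "external_scripts": scanner.external_scripts,
    }


# Constructed snapshot modelled on the older embed: the loader script writes card inputs
# straight into the merchant page. Host names are placeholders.
LEGACY_EMBED = """
<html><body>
  <script src="https://olx.example/embed.js"></script>
  <div id="olx-form">
    <input name="amount" type="text">
    <input name="cardNumber" type="text">
    <input name="cvv" type="text">
  </div>
</body></html>
"""

# Constructed snapshot modelled on the Checkout configuration: the loader script is still
# present, but the card-entry window is an iframe served from a separate host.
CHECKOUT_EMBED = """
<html><body>
  <script src="https://checkout.example/loader.js"></script>
  <div id="olx-form">
    <input name="amount" type="text">
    <iframe src="https://checkout.example/pay?session=placeholder"></iframe>
  </div>
</body></html>
"""

if __name__ == "__main__":
    for label, html in (("legacy", LEGACY_EMBED), ("checkout", CHECKOUT_EMBED)):
        print(label, classify(html, "donate.example.org"))
```

The scanner is a triage aid, not a compliance determination: a page with no inline card inputs and a cross-origin iframe still has merchant-side scripts (the loader) that could be modified, which is why the file integrity monitoring discussed earlier in the thread remains relevant even under the Checkout configuration.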
