PCI Compliance
When a donor calls to update their cc or bank info for a recurring gift, the fundraising office currently writes the information down and takes it to the accounting office to update in RE or RENXT. When appeal cards come in through the mail, they are also taken to the accounting office to enter and then have the cc info blacked out.
I understand that this is not PCI compliant, but I am not sure exactly how to change it to be compliant. How does everyone else handle this? Do you enter the information directly into RE? If so, who does this? Do you use a third-party software to safely transfer this information from the person answering the call to the person who has access to edit the information on the constituent record?
I have read about people using a small portable white board to write down the info instead of paper, but I fail to see how that is any better.
Thank you in advance for your help!
Comments
@Michelle Harper So are you stating that no one in your fundraising office has access to gifts in RE? That seems very strange to me. If that is the case, why not just forward the calls to the accounting office?
In regard to the appeal cards, it makes sense that there needs to be a way to process these things in the office. I've seen times where these cards are simply typed into the online donation forms to process, so there is no longer any need for the card number to be visible.
@Michelle Harper - Every org is set up differently, but in my experience DBAs and other data entry support staff have permissions to directly update payment information within RE NXT. This eliminates the need to write down sensitive information, as it is going directly into the system where it is immediately encrypted.
@Dariel Dixon the fundraising office enters gifts, but they do not have access to credit card and bank account information. They do not process the payments, just enter them into RE. This is something that has been done this way for many years, but I think this is something we need to change.
@Michelle Harper
It does depend on your finance/accounting processes and how they charge these “offline” credit cards. If everything is to go through BBMS, you can have the credit card info stored in the RE constituent record, but a PROCESS must be defined so that your finance/accounting team knows what to do to charge AND record the gift in the RE constituent record. If they don't use BBMS and use something else, then this won't work, as credit card info stored in RE cannot be retrieved for outside use.

@Dariel Dixon sometimes the issue is that online donation forms (almost all) require email addresses, and there are going to be donors that do not have or do not give you their email address.
@Michelle Harper: It's not surprising that the fundraising office doesn't process the payments, but the fact that they don't have access to entering the information seems like a disconnect between departments. By this definition, this is a massive security red flag. Even if you use a third party processor there has to be a better way, but both the accounting department and the fundraising office have to agree that things must change.
@Dariel Dixon the fundraising office enters gifts, but they do not have access to credit card and bank account information. They do not process the payments, just enter them into RE. This is something that has been done this way for many years, but I think this is something we need to change.
There's more here to unpack, but this is a change that needs to happen as soon as possible.
the fundraising office enters gifts, but they do not have access to credit card and bank account information. They do not process the payments, just enter them into RE. This is something that has been done this way for many years, but I think this is something we need to change.
In our org, that's a huge no-no. We do not let fundraising staff enter gifts for 2 reasons: (1) they have a hard time learning how to handle constituent info, let alone learning how to enter gifts and all the rules around it so it posts properly in FE; (2) we have 25 fundraising chapters, and we do not want one chapter “taking” credit where not appropriate due to their rights to enter and edit gifts.
Also, I think entering gift record before the actual transaction happens is a problem in itself
@Michelle Harper Though card # being sent by mail is decreasing, there are still the calls when a donor wants to give by credit card. I may be totally off base here, but I was not under the impression it is not PCI compliant to write a card # down. It is more about what happens to that document. Is it left on a desk? Put in a mail slot? Is it handled securely, stored securely when necessary and protected? Those are the policies that are required as I understood the requirements.
From the 12 PCI Compliance Requirements summary:
@Alex Wong
We are a small organization with only one fundraising office. There is one person in that office that enters gifts after the accounting office has deposited the checks. I (the accountant) look at all gifts before I post them in both RE and FE.
@JoAnn Strommen
I read online (and heard at a recent conference) that writing the CC or bank info down is not PCI compliant and that we have to be cautious with this because your writing can leave an impression on anything underneath it, especially notebooks or sticky notes.
@Michelle Harper The biggest thing is to have good checks and balances. Right now, you're entering all credit card gifts and posting those same gifts. That's not cool at all. I'd say that your organization should consider all of these things with all the changes you're considering. I would consider having someone on the gift entry side enter ALL GIFTS, and another person post ALL GIFTS. When in a small shop, that's the biggest thing you can do. If the fundraising office received the mail and were able to enter the gifts, and you were able to post them or process the credit cards, you could potentially resolve both issues.
More to think about… What I am not seeing anywhere in this thread is having a PCI compliant keyboard. At a former organization the auditors insisted that we have PCI compliant hardware for entering cc information.