Point-to-Point Encryption (P2Pe) is now available in 4.0 SP12


Point-to-Point Encryption (P2Pe) is a capability that helps to reduce the number of applicable PCI DSS requirements for your cardholder data environment (CDE). Our goal is to help limit your annual PCI assessment to the 35-question P2PE SAQ (Self-Assessment Questionnaire). Blackbaud is partnering with a preferred hardware provider, Bluefin, to provide a PCI-validated P2PE solution for Blackbaud CRM™ users processing payments with Blackbaud Merchant Services to assist in reducing your PCI burden. For the SAQ-P2PE environment, you are no longer required to conduct penetration testing, network segmentation, or vulnerability scans.

The integration is supported through an Enhanced Revenue Batch only. The card is entered and encrypted by the SRED device, and the application passes the encrypted credit card string to Blackbaud Merchant Services (BBMS). BBMS calls the P2Pe API, which decrypts and returns the data securely, allowing the credit card to be tokenized and returned to the batch row. All existing features in the batch remain available to include as part of processing the piece of revenue. Once the batch is completed, normal credit card processing should take place.

Frequent questions:
Does the integration work for Mail order/telephone order (MOTO) transactions/one-off payments as well as card present with the SRED Key Devices?
For one-off payments that might be processed by a call center or other method, we recommend using BBIS which meets the current PCI compliance regulations.


How does the device connect to the internet?
The SRED key device used for this option is a POS peripheral that connects to your workstation via USB. It uses that machine's existing internet connection.

What version of BBCRM is supported for P2Pe?
P2Pe is supported on version 4.0 Service Pack 12 which is targeted to release March 30, 2017.

Is there any additional security beyond encryption?
PCI P2PE Solutions only use newer PTS 3.x/4.x devices that are certified to a high level of hardware and software security. This includes a special set of PCI PTS requirements called SRED (Secure Reading and Exchange of Data). These devices are also designed to detect tampering. If malicious activity is detected, the device is automatically deactivated, preventing a breach. Finally, strong encryption, which is the major defense against malware and Man-in-the-Middle (MitM) attacks, is performed only in unchangeable firmware so that new applications and software placed on the device cannot affect the security of the device.
 
If our organization already has a Bluefin SREDKey PCI Key, can we use it with CRM?
If the device has the correct firmware and version, then it can be used. If the device is outdated (old firmware/version), then a new device will need to be purchased from Bluefin.


What fees will be associated with using Blackbaud’s P2PE solution?
To learn more, visit http://www.bluefinpartner.com/blackbaud/.

For a detailed guide, visit https://www.blackbaud.com/files/support/guides/enterprise/400/bbcrm40.pdf.

 

 
