OnlineExpress and PCI Compliance
In response to the latest PCI guidelines, our IT Department has requested the removal of our embedded OnlineExpress Giving Form from our website. Instead, they're suggesting a transition to an NXT form that can be launched from its URL due to compliance concerns with embedded credit card information on our organization website. Are others navigating this change as well? I'd be interested in how you are working through this change and any alternatives to NXT Forms that you are exploring. The NXT forms currently only allow one designation, can make it difficult to spot duplicate constituents, and are just slow and cumbersome to process.
Thank you!
Ryan
Comments
-
@Ryan York - Take a look at the Knowledgebase; there are a few articles that talk about how credit card information is used within an OLX. While it's embedded on your website, no cc information is being stored there.
Also, it is possible to allow multiple designations (funds) on an NXT form, and managing the potential duplicates is easy enough to add into your process for reviewing online gifts; the system lets you know within batch which constituent records it added. I recommend you take a look at the post linked below for the steps involved in merging your online review process with duplicate management:
-
@Ryan York
Hi, I wasn't aware there is a new PCI guideline on embedded forms that do credit card transactions. Any link you can point me to for this?
-
@Ryan York I'm with @Alex Wong. I'm not aware of any PCI guidelines that would impact the embedded OLX forms. Moving to the NXT form is a definite change of process and will have a significant effect on the gift entry workflow.
-
@Alex Wong @Dariel Dixon @Austen Brown
Thank you all for responding. We continued the conversation with our IT team and they provided a little more detail. If you have any additional insights/advice – I'd greatly appreciate it!
The main concern from IT is about changes to the scripts involved in the page that has the payment frame on it.
Here is the support provided:
PCI DSS Version 3.2.1 ends March 31, 2024. One major change in PCI 4.0 relates to websites collecting payment information and requires that all scripts must be inventoried, authorized with written justification as to why each is necessary, and have methods to ensure the integrity of each script.
https://www.humansecurity.com/learn/blog/pci-dss-v4.0-is-coming-and-how-to-achieve-compliance
Section 6.4.3 of PCI DSS v4.0 establishes the following requirements for all payment page scripts that are loaded and executed in the consumer’s browser.
- A method implemented to confirm that each script is authorized
- A method implemented to assure the integrity of each script
- An up-to-date inventory of all scripts, maintained with written justification as to why each is necessary
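Checking those three bullets mechanically, as an added example that is not from this thread or from Blackbaud: a small Python audit that parses a payment page, flags any script missing from a written inventory, requires a Subresource Integrity (SRI) attribute on each authorized script, and recomputes the SHA-384 hash of what was actually served. The URLs, script bodies and inventory below are constructed for the example.

```python
import base64, hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64 digest>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


GIVING_JS = "https://example.test/js/giving-form.js"   # constructed URL
ANALYTICS_JS = "https://example.test/js/analytics.js"  # constructed URL

# Constructed script body standing in for what the browser would download.
SCRIPT_BODIES = {GIVING_JS: b"window.givingForm = {};"}

# Constructed 6.4.3 inventory: each authorized script, its written justification,
# and the hash it was approved at. The analytics script is deliberately absent.
INVENTORY = {
    GIVING_JS: {"justification": "Renders the embedded giving form",
                "sha384": sri_hash(SCRIPT_BODIES[GIVING_JS])},
}


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_payment_page(html: str, inventory: dict, bodies: dict) -> list:
    """One finding per script that is unauthorized, lacks SRI, or fails its hash."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        entry = inventory.get(src)
        if entry is None:
            findings.append(f"UNAUTHORIZED {src}: not in inventory, no justification")
        elif integrity is None:
            findings.append(f"NO_INTEGRITY {src}: script tag has no integrity attribute")
        elif integrity != entry["sha384"] or sri_hash(bodies.get(src, b"")) != integrity:
            findings.append(f"INTEGRITY_MISMATCH {src}: served script differs from approved hash")
    return findings


# Constructed payment page: the approved script carries SRI, analytics is unlisted.
PAYMENT_PAGE = (
    f'<html><body><script src="{GIVING_JS}" integrity="{INVENTORY[GIVING_JS]["sha384"]}">'
    f'</script><script src="{ANALYTICS_JS}"></script></body></html>'
)
```

Run against a real page, `bodies` would be populated by fetching each `src`, and the inventory would be the document the standard asks you to maintain.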
-
@Ryan York Thank you for this. There is some contradictory language here though. I think you say that support for version 3.2.1 ends in March 2024, but it actually ends in March 2025.
This link to the actual standards here gives more information. The section in question is on page 15.
I wouldn't suggest reading the entire document per se unless you're really interested or really bored.
I'll copy Section 6.4.3 here to save some time. Emphasis in the document is carried over here.
New requirement for management of all payment page scripts that are loaded and executed in the consumer’s browser. This requirement is a best practice until 31 March 2025.
The way I read this is kind of confusing. Does this mean that embedded payment solutions have to go away? I'm not a lawyer nor did I stay at a Holiday Inn last night, so I'm not really sure, but this does not implicitly say that. TBH, it's vague at best. I do think your concerns are valid. I don't know how long it will take the industry to evolve to meet the new standards, but I would expect a new version of almost all payment methods over the next year or so.
-
@Ryan York
Thanks for the information. So from reading this, it does not sound like a “hard requirement” that scripts and embeds cannot be on the site, but rather that they need to be vetted and explicitly approved. I found this article which talks about how to handle these 3 bullet points.