Maintaining PCI Compliance for Remote Staff Handling Credit Card Info

Beckie Osterman

Hi everyone,

We currently use Luminate Online, and in the past, we’ve required our phone and finance staff to be in the office when taking credit card payments. This has been because we often need to write down credit card information — we’ve had occasional issues with things like applying gifts to the wrong donor record or the Luminate form not matching the donor’s wishes.

As we review our current process, I’m curious:
How are others allowing staff who take credit card information over the phone to work from home while maintaining PCI compliance?

If your team has found a secure way to handle this, I’d love to hear what tools, policies, or workflows have worked for you.

Alex Wong

We use LO as main donation form, for anyone who's taking cc info, we have them go to the donation form and make the online donation on behalf of the donor.

There is rare case where donor does not want to provide an email address, we don't current have a process for this since as it is rare and we always have phone transfer to someone that is in office to write it down and hand it to finance office for processing.

Will Hull

Hey there, @Beckie Osterman

Thanks for your question. You can follow the way that @Alex Wong described above or you can, on the backend admin side, go to Constituent360 > Constituents and once you have found the person who is seeking to make the gift or if you haven't found them, you set up a new constituent on the fly using the "Add one constituent" option at Constituent360 > Constituents to create a new constituent record, then you would go to the "Transactions" tab of that record. Once you are there, there should be a dropdown menu of donation forms to select that, when they were configured, they were set to an online/offline or just offline use on step 1. Identify Donation Form, number 7 on that step, the "Interaction Mode".

Once you have found the donation form you want use in the dropdown menu on the "Transactions" tab of the constituent record, select it and click the "Go" button and it will take you to the backend gift entry location where an admin can enter an "offline" gift through the Luminate Online platform.

I don't recommend ever allowing writing down credit card numbers and CVV numbers, but actually inputting them on the backend or on a front end donation form (like Alex described above) due to the sensitivity of handing that information. So, entry should be done at the time that the donor is calling in and not saved to input it at a later time/date.

If the donor is asking for the gift to not be processed until a future date and time, it might be best to ask the donor to contact your organization at that time or to have them visit one of your donation forms to make a gift when they are ready to do so. They could also mail in a check and post-date it to the date when they want the check to be cashed/processed with a letter with instructions on when to process the check.

If you have a call center and it is for an event like a fundraising event where people might be calling in in rapid succession, I recommend setting up a case with Blackbaud Support at https://support.blackbaud.com ahead of the event to ensure that your IP addresses are whitelisted where the call center is located as there are fraud detectors built into both the payment processor and Luminate Online that if too many entries come in too quick of a succession for gifts, it may decline transactions when they happen too frequently from the same IP address. Make sure to contact support at least seven days prior or earlier to the start date of the event to ensure the fraud settings can handle gift entries in quick succession at the time of the event. Here is some information about it in the Blackbaud Knowledgebase at https://kb.blackbaud.com/knowledgebase/articles/Article/57372.

I hope you find this information useful.

Thanks for stopping by,
Will