Embedded Optimized forms and PCI Compliance

We're looking into using the embedded Optimized donation forms on our website, which I think look really good and provide a good donor experience.

Looking through the PCI 4.0 documentation, though, it looks like using embedded forms means that you will need SAQ A-EP instead of just SAQ A.

I'm curious if others have gone down this path, and if so, what procedures (if any) they put in place for script monitoring, etc.

Comments

  • Dariel Dixon

    @Ben Regier I feel like there have been a couple of posts on this issue, but that was almost a year ago. I'm not sure if much has changed since then, but I do feel like I've had this exact conversation before… I can't remember which posts those were.

  • Everything I'm seeing makes it look like embedding a form bumps you up to SAQ A-EP, which means you'd be responsible for monitoring any scripts on the page with the embed so you know if/when they change, as well as quarterly scans. It's kind of a lot!
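The script monitoring mentioned above (PCI DSS v4.0 requirements 6.4.3, an inventory and integrity check of payment-page scripts, and 11.6.1, detecting unauthorized changes to the page) comes down to a repeatable job: enumerate every script on the page that hosts the embed, hash each one, and diff against an approved baseline. The following is an added example written for this thread, not code from the original post or from any form vendor. The page HTML, the script URLs (`*.example.invalid`) and the script bodies are constructed placeholders, and the `fetch` callable is injected so the check runs offline; in production it would be an HTTP GET with a timeout.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline <script> bodies, in document order."""

    def __init__(self):
        super().__init__()
        self.external = []      # src URLs of external scripts
        self.inline = []        # bodies of inline scripts
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_integrity(content: bytes) -> str:
    """Subresource Integrity value for a script body, usable as <script integrity="...">."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()


def inventory(page_html: str, fetch) -> dict:
    """Return {script_id: sha256_hex} for every script on the page.

    fetch(url) -> bytes retrieves an external script's current content. Inline scripts are
    keyed by position ("inline#0", ...), so reordering them shows up as a change.
    """
    collector = ScriptCollector()
    collector.feed(page_html)
    inv = {src: sha256_hex(fetch(src)) for src in collector.external}
    for i, body in enumerate(collector.inline):
        inv[f"inline#{i}"] = sha256_hex(body.encode("utf-8"))
    return inv


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Report scripts that appeared, disappeared or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


# Constructed sample data (not a real site). Version 1 is the approved baseline page.
PAGE_V1 = """<html><body>
<h1>Donate</h1>
<script src="https://forms.example.invalid/embed.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""
SCRIPTS_V1 = {"https://forms.example.invalid/embed.js": b"/* embed v1 */ renderForm();"}

# Version 2: the vendor shipped a new embed.js, and a script tag nobody approved was added.
PAGE_V2 = PAGE_V1.replace(
    "</body>", '<script src="https://cdn.example.invalid/extra.js"></script>\n</body>')
SCRIPTS_V2 = {
    "https://forms.example.invalid/embed.js": b"/* embed v2 */ renderForm();",
    "https://cdn.example.invalid/extra.js": b"document.querySelectorAll('input');",
}


def run_check() -> dict:
    """Compare the current page against the stored baseline; anything non-empty needs review."""
    baseline = inventory(PAGE_V1, SCRIPTS_V1.__getitem__)
    current = inventory(PAGE_V2, SCRIPTS_V2.__getitem__)
    return diff_inventory(baseline, current)


if __name__ == "__main__":
    report = run_check()
    for kind, ids in report.items():
        for script_id in ids:
            print(f"{kind}: {script_id}")
    print("approved embed SRI:", sri_integrity(SCRIPTS_V1["https://forms.example.invalid/embed.js"]))
```

Run this on a schedule (11.6.1 allows up to every seven days unless your risk analysis says otherwise) and treat every non-empty bucket as a ticket: "added" is the case that matters most for a skimmer, while "changed" on the vendor's embed script is usually a legitimate release that you still have to acknowledge. The `sri_integrity` value only helps if the vendor publishes stable, versioned script URLs; pinning `integrity` on a script the vendor updates in place will break the form the day they push a release, so confirm their release practice before using it.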