Update on CVV (CSC) Requirement for Credit Card Transactions within Raiser’s Edge NXT

Maria-Felix Baldelomar Alvarado · April 9

We have significant concerns about this change as it relates to Canadian privacy laws, best practices, and donor accessibility, which we believe must be addressed before moving forward.

Our organization operates under Canadian privacy legislation and industry guidelines that explicitly advise against collecting CVV information through mailed or paper-based forms. The CVV is intended solely for use at the point of transaction, meaning it should be entered only by the donor to authorize a payment in real time. It should never be recorded, mailed, or handled by a third party. As a result, we have already removed CVV fields from all our paper-based and mail-in donation forms to remain compliant with these standards.

Requiring CVV for back-office credit card entry workflows creates a direct compliance conflict for our organization. Under Canadian guidelines, collecting CVV outside of a live, donor-authorized transaction is not simply discouraged — it is contrary to recommended practice. This requirement does not appear to account for organizations operating under Canadian regulatory frameworks.

We also have serious concerns about donor accessibility. Many of our donors — particularly seniors and those who are not comfortable with technology — rely on mailed forms as their primary and preferred way to give. Blackbaud's suggestion to redirect donors to QR codes or online donation forms is neither realistic nor equitable for this segment of our donor base. Donors should be able to give in the way that is most convenient and familiar to them, without unnecessary barriers. Placing additional friction on paper-based giving risks excluding some of our most loyal supporters and disproportionately impacts those who are already underserved by digital-first approaches.

We would ask that Blackbaud:

Review and acknowledge the specific privacy and security guidelines that govern Canadian charitable organizations before implementing this requirement universally.
Provide an exemption or alternative workflow for organizations that cannot collect CVV through back-office or paper-based processes under Canadian guidelines.
Clarify how this requirement aligns with PCI DSS obligations for organizations that do not and cannot collect CVV at the point of data entry.
Reconsider the suggestion that QR codes and online forms are adequate alternatives, and engage with the accessibility implications of this change for diverse donor populations.

We are committed to protecting our donors' payment information and to maintaining an inclusive, accessible giving experience. How will Blackbaud support Canadian organizations in meeting both your new requirements and our own regulatory and ethical obligations?

Bill Connors · April 9

What a thoughtful, articulate post! I think all your points could be made for U.S. organizations as well. I'm scratching my head trying to understand why this change is necessary and who really benefits from it. We're talking "back office" credit card processing. How much fraud has BB encountered in such transactions that this change is necessary? More importantly, how much fraud has occurred that justifies the security risks to our organizations and our donors by such a change? Is Blackbaud just watching out for themselves or are they watching out for us, too?

"Requiring CVV aligns with industry best practices and helps strengthen the protection of donor payment information" is not a rational explanation for this change and doesn't even really make sense — again, this is "back office" entry, how is making us get on paper or over the phone CVV information that we then have to type into the system strengthening the protection of donor payment information? This seems to be either a well-intentioned but misinformed attempt to do the right thing, or there is some benefit to BB in this that they're not disclosing for some reason.

Either this change needs further explanation and justification, or it should be rescinded.

Morgan Bakerman · April 9

Hello, please forgive the ignorance, but my org is currently migrating into RENXT and are trying to decide on a payment gateway/processor. Is what you all are referring to a change in the database itself or in the Blackbaud integrated payment platform. Thank you.

Maria-Felix Baldelomar Alvarado · April 9

https://community.blackbaud.com/discussion/comment/312712#Comment_312712

Thank you, Bill and I completely agree with everything you've raised here. Your points absolutely apply to Canadian organizations as well, and honestly, to any nonprofit handling back-office donations regardless of where they operate.

The "industry best practices" line was particularly frustrating to read. It's actually against best practice to require CVV collection through back-office workflows. Best practice is that the CVV should be entered only by the donor in real time to authorize a transaction. Collecting it over the phone or on a paper form and then manually entering it into a system is exactly the kind of handling that privacy and security guidelines tell us to avoid. Framing this change as strengthening donor protection is, at best, misleading.

You've asked exactly the right questions: who benefits from this, and how much fraud has actually occurred in back-office entry that justifies the added risk? If Blackbaud has data supporting this change, they should be transparent about it. If they don't, that raises serious questions about whether this is truly donor-focused or driven by something else entirely.

Like you, I believe this either needs a much clearer, more credible explanation—one that actually accounts for the real-world implications for organizations and their donors—or it should be pulled entirely.

Vanessa Wilson · April 9

I also have questions/concerns: Does this apply to existing recurring online gifts? Or does it only apply to new setups, and manual/in-office credit card payments? Why would a CVV matter if only for in-office use? Please advise. Thanks!

Maria-Felix Baldelomar Alvarado · April 9

https://community.blackbaud.com/discussion/comment/312716#Comment_312716

No need to apologize at all, it's a great question, especially as you're in the middle of a migration!

From what we understand, this change applies to Blackbaud's integrated payment platform (BBMS), specifically, it's a requirement being introduced at the payment processing level for back-office credit card entry. So when a staff member manually enters a donor's credit card information directly into RE NXT (for example, processing a mailed-in donation), the CVV would be required to complete the transaction.

This is actually very relevant to your decision on a payment gateway. If you're considering using Blackbaud Merchant Services as your integrated processor, this change would affect your back-office workflows. If you're evaluating third-party processors, it's worth asking those vendors directly how they handle CVV requirements for manual/back-office entry and whether their approach aligns with the privacy and security guidelines in your region.

Hopefully, others in this thread can weigh in, too, but I'd encourage you to raise this specific question with Blackbaud during your migration conversations so you have a clear picture before committing to a payment solution. Good luck with the migration!

Rachel Kulsdom · April 10

This is also relevant for UK organisations, we removed CVV collection from paper forms a number of years ago to comply with best practice

Patty Driscoll · April 10

This discussion is taking place in several posts. This is the one that I have been taking part in CVV number on a remit envelope I have been bringing this to the attention of my BB customer success mgr and account rep, but this needs a permanent solution. It really seems that BB is doing this to cover themselves as a payment service providers but not considering the impact to all of their customers. Mail order transactions are specifically exempt from requiring the CVV and in fact prohibit the collection of it in written form. Visa.ca

There is also a second part to this issue, in that if we have to figure out a workaround by processing credit cards in another system or using a bank POS where CVV is not required, we will be unable to enter them as credit card transaction in an RE gift batch. Selecting credit card as a payment type brings up the screen to actually process the credit card and you can’t bypass it. We would have to enter these gifts as cash and then have a reconciliation nightmare for Finance.

Andrea Wilson · April 13

We have the same concern about this.

Blackbaud’s plan to require CVV for all transactions creates a clear issue for charities handling postal donations.

Visa rules (section 5.4.3.1 - see image/link below) treat CVV as sensitive data that must not be stored and is not intended to be collected via insecure channels like paper forms. Requiring it effectively means asking donors to send full card details, including CVV, through the mail.

(link:

https://www.visa.co.uk/content/dam/VCOM/download/about-visa/visa-rules-public.pdf?fbclid=IwZXh0bgNhZW0CMTEAAR0ajPmvDL227Y0Z7DS2y86xRIXF1gAcCiRs5p6Rp6nppWub_gDczQO9uUU_aem_3XzyCTqrEQrJq-ZpIAXSQg

)

This is insecure, increases fraud risk, and puts charities in a difficult position between compliance and protecting their supporters.

A blanket CVV requirement should not apply to postal donation workflows.

Nyree Henderson · April 14

How is it safe to store a security code (CVV) with the credit-card number? In Australia all credit-card providers have the CVV on the opposite side of the credit-card from the credit-card number, to avoid both sets of numbers being seen at the same time (eg; to avoid a quick photocopy or photo being taken). If Blackbaud force us to collect the CVV on a paper form then it will be written down next to the credit-card number. How is this secure?

Bryan Young · April 16

Commenting to keep this thread active especially for us Canadian NXT users. It appears some of the other CVV related threads are being marked as completed despite us having no answers or resolution from Blackbaud as of yet.

Rachel Cavalier · April 17

https://community.blackbaud.com/discussion/comment/312943#Comment_312943

I think they just say "Answered" because they have received at least one comment, I don't think I have seen any with the "Answered" plus the tick to show the answer has been accepted but could be wrong.

Victoria Gare · April 22

I know I'm commenting a bit late on this but I also have questions about this. I am with a Canadian based organization. Has any one heard of a response from BlackBaud on these concerns?

Patty Driscoll · April 22

I've heard nothing further on this outside of BB's email stating that they would 'temporarily' roll this back but we must all have the CVV by Feb 2027. I've escalated this through my BB account rep and customer success mgr. and I would suggest that we all do the same, as we are hearing no response towards a resolution of this feature that is critical to running a mail campaign

Louise Lawrence · April 22

Hi everyone, did you get the email from Blackbaud: - yes this is causing us issues in New Zealand

Note: This is an operational email about upcoming changes with credit card processing requirements within Blackbaud Raiser’s Edge NXT. Please share this information with those in your organisation who need to be aware of this change.

We’re writing to share an update regarding the use of Card Verification Values (CVV) for credit card transactions in Blackbaud Raiser’s Edge NXT.

We recently updated payment checkout to require CVV for certain back‑office credit card entry workflows. Based on your feedback and to avoid any disruption to current campaigns you may have in process, on 27 March 2026 we rolled back this change. No immediate action is needed.

Looking ahead, CVV will be required for all credit card transactions beginning 2 February 2027. This date gives your organisation time to plan and update internal processes as needed.

Requiring CVV aligns with industry best practices and helps strengthen the protection of donor payment information. As you plan for this change, we encourage you to consider more secure alternatives to collecting card details, such as using QR codes or online donation forms. Your organisation should ensure your internal processes for collecting and handling CVV meet PCI compliance guidelines. Both your organisation and Blackbaud are bound to comply with our respective obligations under PCI.

Our goal is to be clear, transparent, and supportive as we move toward this standard together. We will share reminders and resources in advance of February 2027 to ensure a smooth transition. Please reference Knowledgebase article: What are the CVV or CSC requirements for Raiser's Edge NXT batch transactions?

Thank you for your continued partnership and for the important work you do every day.

Sincerely,

The Blackbaud Raiser’s Edge NXT Team

Ange Scott · April 22

@Louise Lawrence Yes, that email came through, but it doesn't do anything to explain or help us deal with postal appeals and CVV… we are also NZ, and we probably won't be asking people to put this code onto paper donation forms through the post, it's not secure.

Bryan Young · April 23

https://community.blackbaud.com/discussion/comment/313121#Comment_313121

Also in Canada and we have heard nothing more.

Ryan Uhler · April 23

Following. We have all the same concerns and would like some guidance as to what this will require.

Update on CVV (CSC) Requirement for Credit Card Transactions within Raiser’s Edge NXT

Answers

Categories