
Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge


DESCRIPTION

In this PowerPoint Kaine Costello, Blackbaud Pacific's Enterprise Account Manager, provides an introduction to PCI compliance and an overview and demonstration of The Raiser's Edge payment processing. For more information on Blackbaud Payment Services please contact [email protected].


Page 1: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

5/3/2013 Footer 1

MANAGE A RECURRING GIFT PROCESS AND IMPLEMENT PCI COMPLIANCE WITH THE RAISER’S EDGE PRESENTED BY KAINE COSTELLO

Page 2: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

• Set of comprehensive requirements for credit card data security to help facilitate the broad adoption of consistent data security measures on a global basis.
• Established by the major card brands and the Payment Card Industry Security Standards Council (PCI SSC).
• All organisations that process, store, or transmit payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments.
• Consequences vary depending upon the merchant level, but can extend from fines to loss of merchant ID and the ability to process credit cards as a form of payment.

Page 3: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

PCI SECURITY STANDARDS COUNCIL MEMBERS

PCI DSS is developed to encourage and enhance cardholder data security.

Page 4: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

WHO MUST COMPLY?

• Everyone who stores, processes or transmits cardholder data must comply with PCI DSS
  - PCI compliance is mandatory NOW
  - PCI applies to all parties in the payment process
  - You cannot be partially compliant: compliance is PASS/FAIL
• If you outsource components of your PCI process to Service Providers, they must comply
  - Either they are included in your scope
  - Or they must provide evidence to demonstrate their compliance

Page 5: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

PAYMENT APPLICATION MANDATES

• Vulnerable payment applications that store sensitive authentication data post authorisation have proven to be the leading cause of compromise incidents, particularly among small merchants
• Merchants must not use known vulnerable payment applications that store sensitive authentication data post authorisation
• Merchants and Service Providers that use PA-DSS compliant Payment Applications reduce the overhead of PCI Compliance

Page 6: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

CHALLENGES FOR NONPROFIT SECTOR

• Fundraising through multiple channels
• Therefore typically the PCI DSS triggers apply: storage, transmission and processing of Card Holder Data
• Various Service Providers:
  - Telemarketing
  - Campaign Management
  - Face to Face Marketing
  - Outsourced IT Management Services
  - Donor Management
  - Gateway/Processing Services
• Recurring Transactions (regular giving)
• Online systems
• Printed Card Holder Data

Page 7: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

REDUCING COMPLIANCE OBLIGATIONS

• Reduce your exposure and risk
• Reduce upfront & ongoing compliance obligations
• Review the PCI DSS Triggers: storage, transmission and processing of Card Holder Data
• Securing Stored Card Holder Data is one of the more difficult attributes of PCI DSS to comply with
• Therefore not storing Card Holder Data alone will reduce PCI Compliance work effort

Page 8: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

YOUR PCI ASSESSMENT: HOST THE PAYMENT CARD DATA WITHIN YOUR OWN ORGANISATION.

• Typical Blackbaud customer storing credit cards in The Raiser’s Edge
  - No in-house developed credit card customisations, or secure data center storing “sensitive” information
• Type 5/SAQ D

80% Compliance Items in Scope
20% Compliance Items Out of Scope

Page 9: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

YOUR PCI ASSESSMENT: REMOVE ALL PAYMENT DATA FROM YOUR SYSTEM & OUTSOURCE THE STORAGE OF THE PAYMENT CARD INFO.

30% Compliance Items in Scope
70% Compliance Items Out of Scope

Dramatically reduces the scope of assessment

• Same user as before minus stored credit card numbers, using PA DSS apps
• Type 4/SAQ C: Merchants with Payment Application Systems Connected to the Internet (do not store cardholder data on any computer system)

Page 10: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

BLACKBAUD PAYMENT SERVICE (BBPS)

• Acts as an intermediary between the database and credit card processing gateway.
• Securely stores credit card information that is entered into Blackbaud applications.
• Integrates with PA DSS compliant versions of The Raiser’s Edge, eTapestry, NetSolutions, Blackbaud NetCommunity, Blackbaud Enterprise CRM.
• Makes it possible to adhere to the PCI DSS and process credit card transactions.

Page 11: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

BLACKBAUD PAYMENT SERVICE (BBPS)

• Certified PCI compliant as a Level 1 Gateway
  - Stored Information:
    • Credit card number
    • Valid from date
    • Expiration date
    • Issue ID (first six digits of the CC number)
    • Merchant account info (Gateway ID)
    • Cardholder name
    • Card type
  - What is returned to The Raiser's Edge:
    • Card type
    • Cardholder name
    • Expiration date
    • Token which represents the card in BBPS
      – Displayed as truncated credit card number (last 4 digits)

Page 12: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

HOW DOES AN ORGANISATION ATTAIN PCI COMPLIANCE?

• Go to the PCI Security Standards Council website.
• Review the PCI Quick Reference Guide.
• Complete the appropriate Self-Assessment Questionnaire (SAQ).
• Review the PCI DSS v2.0.
• Contact their acquiring bank or agency that issued their merchant ID and ask for clarity on their dates for compliance.
• Upgrade to compliant versions of Blackbaud applications.
• Verify compliance with the PCI DSS and obtain report on compliance.

Page 13: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

BLACKBAUD PAYMENT SERVICE (BBPS)

• Acts as an intermediary between the database and credit card processing gateway.
• Securely stores credit card information that is entered into Blackbaud applications.
• Integrates with PA DSS compliant versions of The Raiser’s Edge, eTapestry, NetSolutions, Blackbaud NetCommunity, Blackbaud Enterprise CRM.
• Makes it possible to adhere to the PCI DSS and process credit card transactions.

Page 14: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

WORKFLOW

(Diagram; components shown: BBNC, The Raiser’s Edge, BBPS, Tokens, NAB IPP, Bank)

Page 15: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

TOKENISER

(Diagram; components shown: BBNC, The Raiser’s Edge, BBPS (creates unique TokenID), Payment gateway, Import-o-matic, Third Party Supplier)

Tokenizer Utility (third party tokenization plugin):
- Imports raw CHD (.csv)
- Sends CHD to tokenize in BBPS
- BBPS returns tokenized CHD
- Outputs tokenized file (.csv)
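The tokeniser flow on this slide and the BBPS "stored" versus "returned" field lists on slide 11 describe the same idea: the raw card number goes into a token store once, and the fundraising system only ever gets back a token plus the non-sensitive fields. The following is an added illustration, not code from the deck, from Blackbaud or from any real tokenizer plugin. The in-memory `TokenVault` stands in for BBPS, the CSV columns, the Luhn pre-check and the leading-digit card-type lookup are assumptions made for the example, and the card numbers are constructed industry test numbers.

```python
import csv
import io
import secrets

# Constructed sample of the "Raw CHD (.csv)" file the tokeniser slide describes.
# The card numbers are the well-known Visa/MasterCard *test* numbers, not real cards;
# the third row carries a deliberately corrupted number so the rejection path runs.
RAW_CHD_CSV = """constituent_id,cardholder_name,card_number,expiry
1001,Jane Donor,4111 1111 1111 1111,12/2015
1002,Sam Giver,5555555555554444,06/2014
1003,Typo Row,4111111111111112,01/2016
"""


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit test, used to catch mistyped PANs before they are
    sent for tokenization (an added check; the deck does not describe one)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_type(pan: str) -> str:
    """Hypothetical, deliberately minimal brand lookup on the leading digit."""
    if pan.startswith("4"):
        return "Visa"
    if pan.startswith("5"):
        return "MasterCard"
    return "Unknown"


class TokenVault:
    """In-memory stand-in for the token store (BBPS in the deck).

    It keeps the fields slide 11 lists as stored (card number, issue ID, expiry,
    cardholder name, card type) and returns only what that slide lists as sent
    back to The Raiser's Edge: card type, name, expiry and a token that is
    displayed as the truncated card number (last 4 digits)."""

    def __init__(self):
        self._records = {}  # token -> stored record; the full PAN lives only here

    def tokenize(self, pan: str, cardholder_name: str, expiry: str) -> dict:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("card number failed format/Luhn validation")
        token = secrets.token_hex(16)  # random, so it cannot be reversed to the PAN
        self._records[token] = {
            "pan": pan,
            "issue_id": pan[:6],
            "expiry": expiry,
            "cardholder_name": cardholder_name,
            "card_type": card_type(pan),
        }
        return {
            "token": token,
            "card_type": card_type(pan),
            "cardholder_name": cardholder_name,
            "expiry": expiry,
            "card_display": "*" * (len(pan) - 4) + pan[-4:],
        }

    def lookup(self, token: str) -> dict:
        """Only the vault side ever resolves a token back to a PAN."""
        return self._records[token]


def tokenize_csv(raw_csv: str, vault: TokenVault):
    """Tokenize every row of a raw CHD file. Returns (tokenized_rows, exceptions):
    good rows carry the token and non-sensitive fields; bad rows go to an
    exception list so a raw number is never written to the output file."""
    tokenized, exceptions = [], []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        try:
            result = vault.tokenize(row["card_number"], row["cardholder_name"], row["expiry"])
        except ValueError as err:
            exceptions.append({"constituent_id": row["constituent_id"], "reason": str(err)})
            continue
        tokenized.append({"constituent_id": row["constituent_id"], **result})
    return tokenized, exceptions


def write_tokenized_csv(rows) -> str:
    """Render the 'Tokenized file (.csv)' that would be handed to the import step."""
    fields = ["constituent_id", "cardholder_name", "card_type", "expiry", "token", "card_display"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    vault = TokenVault()
    rows, exceptions = tokenize_csv(RAW_CHD_CSV, vault)
    print(write_tokenized_csv(rows))
    print("exceptions:", exceptions)
```

The point to check in a real deployment is the one the vault enforces here: the output file and the import path carry only the token and the last four digits, and nothing outside the vault can turn the token back into a card number.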

Page 16: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge


RAISER’S EDGE 7.91+ GIFT PROCESSING

Page 17: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

BATCH

• Use batch to auto-generate transactions/payments (Recurring Gifts)
  - In the batch go to Tools > Automatically Generate Transactions/Payments
• Use batch to enter one-off credit card payments directly into Batch
• EFT? box must be ticked on the gift record (circled above)

Page 18: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

BATCH

• Sending donations to Processing Gateway
  - In the batch go to Tools > Create EFT Transmission Files

Page 19: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

CREATE TRANSMISSION FILES – V7.91+

• Select your processing account and click “Create now”

Page 20: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

BATCHING

• IP Payments will send back Authorisation Code or Rejection Code
• If batch is not committed and batch has received authorisation code or rejection code from processor, user can choose to commit batch or if needed add more transactions to batch. RE will only process transactions that do not have an authorisation code or rejection code.

Page 21: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

COMMITTING BATCH

• It is recommended to ‘Create a new batch of exceptions’ when committing the batch. Rejected transactions will be copied to this exception batch.

Page 22: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

CLEAR DECLINED AUTHORISATION AND REJECTION CODES

• In an exception batch, user can clear declined authorisation and rejection codes by clicking on Tools – Clear Declined Authorisation and Rejection Codes
• NOTE: This will clear ALL the values out of the Rejection Code column.
• To ONLY reprocess specific transactions, the specific rejection codes will need to be deleted for those transactions. (see next page)

Page 23: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

CLEAR DECLINED AUTHORISATION AND REJECTION CODES

• If user only wants to clear one particular group of rejection codes, user can sort batch by Rejection Code and delete the specific values.
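Slides 20 to 23 describe one rule and its consequences: a batch row is only sent to the processor while it carries neither an authorisation code nor a rejection code, so committing with an exception batch and then clearing (all, or only selected) rejection codes is how declined gifts are re-run without re-charging approved ones. The following model of that batch logic is an added example, not code from The Raiser's Edge or from Blackbaud; the `GiftRow` fields, the response-file shape and the sample codes are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GiftRow:
    """One line of a gift batch (constructed model). The card is referenced by
    its BBPS token only; a raw card number never appears in the batch."""
    row_id: int
    constituent: str
    amount: float
    token: str
    auth_code: Optional[str] = None
    rejection_code: Optional[str] = None

    def needs_processing(self) -> bool:
        # Slide 20's rule: only rows with neither code are sent to the processor.
        return self.auth_code is None and self.rejection_code is None


def pending_rows(batch: List[GiftRow]) -> List[GiftRow]:
    """Rows that would be written to the next EFT transmission file."""
    return [r for r in batch if r.needs_processing()]


def apply_processor_responses(batch: List[GiftRow],
                              responses: Dict[int, Tuple[str, str]]) -> int:
    """Record what the processor sent back for each pending row.
    `responses` maps row_id -> ("auth", code) or ("reject", code); this shape is a
    constructed stand-in for the real response file. Returns the number of rows
    updated; rows with no response yet simply stay pending for the next run."""
    updated = 0
    for row in pending_rows(batch):
        if row.row_id not in responses:
            continue
        kind, code = responses[row.row_id]
        if kind == "auth":
            row.auth_code = code
        elif kind == "reject":
            row.rejection_code = code
        else:
            raise ValueError(f"unknown response kind {kind!r} for row {row.row_id}")
        updated += 1
    return updated


def commit_batch(batch: List[GiftRow]) -> Tuple[List[GiftRow], List[GiftRow]]:
    """Commit authorised rows and copy rejected rows into a new exception batch,
    as the 'Create a new batch of exceptions' option on slide 21 does."""
    committed = [r for r in batch if r.auth_code is not None]
    exception_batch = [r for r in batch if r.rejection_code is not None]
    return committed, exception_batch


def clear_rejection_codes(batch: List[GiftRow], only_code: Optional[str] = None) -> int:
    """With only_code=None this is the Tools menu action on slide 22: it clears
    ALL rejection codes, so every rejected row becomes eligible again. Passing a
    code mirrors the manual step on slide 23 (sort by Rejection Code, delete the
    specific values) and clears just that group. Returns how many rows were cleared."""
    cleared = 0
    for row in batch:
        if row.rejection_code is not None and (only_code is None or row.rejection_code == only_code):
            row.rejection_code = None
            cleared += 1
    return cleared


if __name__ == "__main__":
    # Constructed batch: row 3 was already authorised in an earlier transmission.
    batch = [GiftRow(1, "Jane Donor", 50.0, "tok-a1"),
             GiftRow(2, "Sam Giver", 20.0, "tok-b2"),
             GiftRow(3, "Ann Regular", 10.0, "tok-c3", auth_code="OK123")]
    print("to transmit:", [r.row_id for r in pending_rows(batch)])
    apply_processor_responses(batch, {1: ("auth", "A7F21"), 2: ("reject", "05")})
    committed, exceptions = commit_batch(batch)
    print("committed:", [r.row_id for r in committed],
          "exception batch:", [r.row_id for r in exceptions])
    clear_rejection_codes(exceptions, only_code="05")
    print("exception rows ready to re-run:", [r.row_id for r in pending_rows(exceptions)])
```

The safety property worth keeping in view is the one `pending_rows` enforces: an authorised row is never re-transmitted, and a rejected row is only re-transmitted once someone has deliberately cleared its code.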

Page 24: Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge

QUESTIONS?

Kaine Costello
Enterprise Account Manager
[email protected]