Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’s Edge
5/3/2013 Footer 1
MANAGE A RECURRING GIFT PROCESS AND IMPLEMENT PCI COMPLIANCE WITH THE RAISER’S EDGE PRESENTED BY KAINE COSTELLO
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
• Set of comprehensive requirements for credit card data security to help facilitate the broad adoption of consistent data security measures on a global basis.
• Established by the major card brands and the Payment Card Industry Security Standards Council (PCI SSC).
• All organisations that process, store, or transmit payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments.
• Consequences vary depending upon the merchant level, but can extend from fines to loss of merchant ID and the ability to process credit cards as a form of payment.
PCI SECURITY STANDARDS COUNCIL MEMBERS
PCI DSS is developed to encourage and enhance cardholder data security.
WHO MUST COMPLY?
• Everyone who stores, processes or transmits cardholder data must comply with PCI DSS
- PCI compliance is mandatory NOW
- PCI applies to all parties in the payment process
- You cannot be partially compliant: compliance is PASS/FAIL
• If you outsource components of your PCI process to Service Providers, they must comply
- Either they are included in your scope
- Or they must provide evidence to demonstrate their compliance
PAYMENT APPLICATION MANDATES
• Vulnerable payment applications that store sensitive authentication data post authorisation have proven to be the leading cause of compromise incidents, particularly among small merchants
• Merchants must not use known vulnerable payment applications that store sensitive authentication data post authorisation
• Merchants and Service Providers that use PA-DSS compliant Payment Applications reduce the overhead of PCI Compliance
CHALLENGES FOR NONPROFIT SECTOR
• Fundraising through multiple channels
• Therefore typically all the PCI DSS triggers apply: storage, transmission and processing of Card Holder Data
• Various Service Providers:
- Telemarketing
- Campaign Management
- Face to Face Marketing
- Outsourced IT Management Services
- Donor Management
- Gateway/Processing Services
• Recurring Transactions (regular giving)
• Online systems
• Printed Card Holder Data
REDUCING COMPLIANCE OBLIGATIONS
• Reduce your exposure and risk
• Reduce upfront & ongoing compliance obligations
• Review the PCI DSS triggers: storage, transmission and processing of Card Holder Data
• Securing stored Card Holder Data is one of the more difficult attributes of PCI DSS to comply with
• Therefore not storing Card Holder Data at all will, on its own, reduce the PCI compliance work effort
YOUR PCI ASSESSMENT: HOST THE PAYMENT CARD DATA WITHIN YOUR OWN ORGANISATION.
• Typical Blackbaud customer storing credit cards in The Raiser’s Edge
- No in-house developed credit card customisations, or secure data centre storing “sensitive” information
• Type 5/SAQ D
(Chart: 80% of compliance items in scope, 20% of compliance items out of scope)
YOUR PCI ASSESSMENT: REMOVE ALL PAYMENT DATA FROM YOUR SYSTEM & OUTSOURCE THE STORAGE OF THE PAYMENT CARD INFO.
(Chart: 30% of compliance items in scope, 70% of compliance items out of scope)
Dramatically reduces the scope of assessment
• Same user as before minus stored credit card numbers, using PA DSS apps
• Type 4/SAQ C: Merchants with Payment Application Systems Connected to the Internet (do not store cardholder data on any computer system)
BLACKBAUD PAYMENT SERVICE (BBPS)
• Acts as an intermediary between the database and the credit card processing gateway.
• Securely stores credit card information that is entered into Blackbaud applications.
• Integrates with PA DSS compliant versions of The Raiser’s Edge, eTapestry, NetSolutions, Blackbaud NetCommunity and Blackbaud Enterprise CRM.
• Makes it possible to adhere to the PCI DSS and process credit card transactions.
BLACKBAUD PAYMENT SERVICE (BBPS)
• Certified PCI compliant as a Level 1 Gateway
- Stored Information:
• Credit card number
• Valid from date
• Expiration date
• Issue ID (first six digits of the CC number)
• Merchant account info (Gateway ID)
• Cardholder name
• Card type
- What is returned to The Raiser's Edge:
• Card type
• Cardholder name
• Expiration date
• Token which represents the card in BBPS
– Displayed as truncated credit card number (last 4 digits)
HOW DOES AN ORGANISATION ATTAIN PCI COMPLIANCE?
• Go to the PCI Security Standards Council website.
• Review the PCI Quick Reference Guide.
• Complete the appropriate Self-Assessment Questionnaire (SAQ).
• Review the PCI DSS v2.0.
• Contact the acquiring bank or agency that issued the merchant ID and ask for clarity on the dates for compliance.
• Upgrade to compliant versions of Blackbaud applications.
• Verify compliance with the PCI DSS and obtain a report on compliance.
WORKFLOW
(Diagram: BBNC (Blackbaud NetCommunity), The Raiser’s Edge, BBPS (tokens), NAB IPP, Bank)
TOKENISER
(Diagram, components as labelled:)
• BBNC
• The Raiser’s Edge
• BBPS (creates unique TokenID)
• Payment gateway
• Tokenizer Utility (third party tokenization plugin, from a Third Party Supplier): imports raw CHD (.csv), sends CHD to tokenize in BBPS, BBPS returns tokenized CHD, outputs a tokenized file (.csv)
• Import-o-matic
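Added example (not Blackbaud's code): a simulated tokenisation vault standing in for BBPS plus the CSV step the Tokenizer Utility performs, so the raw CHD file never reaches The Raiser's Edge. The stored and returned field lists follow the BBPS slide above; the token format, output column names, gateway ID and sample rows are constructed assumptions.

```python
import csv
import io
import secrets

# Constructed sample of a raw CHD file as the Tokenizer Utility would import it.
# The PANs are the well-known Visa/MasterCard test numbers, not real cards.
RAW_CHD_CSV = """cardholder,pan,expiry,card_type
Jane Donor,4111 1111 1111 1111,12/2015,Visa
Sam Supporter,5555555555554444,06/2016,MasterCard
"""

# Stand-in for the BBPS vault: token -> stored card data. In the real flow this
# store sits with the Level 1 gateway, outside the organisation's own scope.
VAULT = {}

def tokenize_card(pan, cardholder, expiry, card_type, gateway_id):
    """Vault the PAN and return only the fields the slides say come back to RE."""
    pan = pan.replace(" ", "")
    if not (12 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 12-19 digits")
    token = secrets.token_hex(16)  # random and opaque: the PAN cannot be derived from it
    VAULT[token] = {"pan": pan, "issue_id": pan[:6], "expiry": expiry,
                    "gateway_id": gateway_id, "cardholder": cardholder,
                    "card_type": card_type}
    return {"token": token, "card_type": card_type, "cardholder": cardholder,
            "expiry": expiry, "display": "*" * (len(pan) - 4) + pan[-4:]}

OUT_COLUMNS = ["cardholder", "card_type", "expiry", "token", "display"]  # assumed layout

def tokenize_csv(raw_csv_text, gateway_id):
    """Convert a raw-CHD CSV into the tokenised CSV that is safe to import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=OUT_COLUMNS)
    writer.writeheader()
    for row in csv.DictReader(io.StringIO(raw_csv_text)):
        writer.writerow(tokenize_card(row["pan"], row["cardholder"],
                                      row["expiry"], row["card_type"], gateway_id))
    return out.getvalue()

def leaked_pans(text):
    """Post-tokenisation check: any vaulted PAN that still appears in the output."""
    return [pan for pan in (v["pan"] for v in VAULT.values()) if pan in text]

if __name__ == "__main__":
    tokenised = tokenize_csv(RAW_CHD_CSV, gateway_id="GW-EXAMPLE")
    print(tokenised)
    print("leaked PANs:", leaked_pans(tokenised))
```

Only the truncated display value (last four digits), token, card type, cardholder name and expiry end up in the import file, which is exactly the field set the BBPS slide lists as returned to The Raiser's Edge.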
RAISER’S EDGE 7.91+ GIFT PROCESSING
BATCH
• Use Batch to auto-generate transactions/payments (Recurring Gifts)
- In the batch go to Tools > Automatically Generate Transactions/Payments
• Use Batch to enter one-off credit card payments directly
• The EFT? box must be ticked on the gift record (circled in the slide screenshot)
BATCH
• Sending donations to the Processing Gateway
- In the batch go to Tools > Create EFT Transmission Files
CREATE TRANSMISSION FILES – V7.91+
• Select your processing account and click “Create now”
BATCHING
• IP Payments will send back an Authorisation Code or Rejection Code
• If the batch is not committed and has received an authorisation code or rejection code from the processor, the user can choose to commit the batch or, if needed, add more transactions to it. RE will only process transactions that do not yet have an authorisation code or rejection code.
COMMITTING BATCH
• It is recommended to tick ‘Create a new batch of exceptions’ when committing the batch. Rejected transactions will be copied to this exception batch.
CLEAR DECLINED AUTHORISATION AND REJECTION CODES
• In an exception batch, the user can clear declined authorisation and rejection codes by clicking Tools > Clear Declined Authorisation and Rejection Codes
• NOTE: This will clear ALL the values out of the Rejection Code column.
• To ONLY reprocess specific transactions, the rejection codes need to be deleted just for those transactions (see next page).
CLEAR DECLINED AUTHORISATION AND REJECTION CODES
• If the user only wants to clear one particular group of rejection codes, they can sort the batch by Rejection Code and delete the specific values.
QUESTIONS?
Kaine Costello, Enterprise Account Manager