PCI Compliance

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements instituted and regulated by the PCI Security Standards Council (PCI SSC). The PCI SSC is a consortium of major card brands including Visa, MasterCard, American Express, Discover, and JCB, created to enhance credit and debit card data security. All organizations that process, store, or transmit payment card data must comply with PCI DSS requirements or risk losing their ability to process credit card payments. The council also supports Payment Application (PA) security standards for software products that are installed and used locally by merchants to process, store, or transmit credit card data. Software products that meet the Payment Application Data Security Standard (PA-DSS) have been validated as compliant with PCI DSS requirements and enable merchants to readily attain PCI compliance.

How does Blackbaud manage PCI compliance?

Blackbaud acknowledges our responsibility for compliance with PCI requirements and protection of any cardholder data that we, as a service provider, possess, store, process, or transmit on behalf of the customer. A detailed listing of these responsibilities can be found here. Validated as a Level 1 Service Provider and Payment Gateway, Blackbaud demonstrates compliance with 12 security requirements through an annual review of the IT environment and information security policies and procedures.

Blackbaud has modified the applications below that process, store, or transmit credit card numbers to become PCI DSS and PA-DSS compliant. We have implemented PCI standards regarding secure storage of data, strong access control, and other requirements.

Blackbaud developed a secure, PCI DSS-compliant credit card gateway that facilitates processing via our products. This gateway has passed a Level 1 PCI DSS audit and compliance can be verified by Visa or MasterCard. This enables users to process credit card transactions as they do today without the burden of maintaining all card data locally.

Blackbaud monitors the entire Blackbaud Application Hosting environment for PCI DSS compliance and data security. Blackbaud has passed all audits conducted by our third-party Qualified Security Assessor for the solutions below. If your organization uses a hosted Blackbaud product or service (including Blackbaud Merchant Services and Blackbaud Payment Service), you may need a yearly compliance report for auditing purposes. To learn more about audit reports and how to request one, click here.

What is the customer’s responsibility regarding PCI?

It is the responsibility of each Blackbaud customer to comply with PCI DSS requirements by the dates prescribed by the PCI Security Standards Council or by your acquiring bank. Blackbaud can help you comply by providing applications and solutions that meet these standards. You should review the standards provided by the Security Standards Council and assess your PCI requirements. Here are other actions that you can take:

  • Download the PCI Quick Reference Guide from the PCI Library. Search for “PCI DSS Quick Reference Guide.”
  • Download and complete the appropriate Self-Assessment Questionnaire.
  • Contact your acquiring bank or the agency that issued your merchant ID and ask for clarity on their dates for compliance.
  • Use compliant applications when they become available.

Blackbaud has developed the solutions below, which process, store, and/or transmit cardholder data, to become PCI DSS and PA-DSS compliant:

  • Blackbaud Altru
  • Blackbaud Checkout (formerly Blackbaud Secure Payments)
  • Blackbaud CRM
  • Blackbaud eTapestry
  • Blackbaud Luminate Online
  • Blackbaud Merchant Services
  • Blackbaud Mobile Pay
  • Blackbaud NetCommunity
  • Blackbaud Online Express
  • Blackbaud Payment Service
  • Blackbaud Raiser’s Edge
  • Blackbaud Smart Tuition and Smart Aid
  • Blackbaud Sphere
  • everydayhero
  • Blackbaud ID
  • JustGiving
  • MFT-Linoma
  • Payments API
  • Blackbaud Raiser’s Edge NXT