Credit Card Changes that Impact You!

1
Corporate Readiness
Credit Card Changes that Impact You!
Changes to Accounts Receivable, Cash Receipts and
Student Billing 7.77
Wanda Mahon Bucky Wall
2
Agenda

• PCI/PA DSS overview
• Visa mandated deadlines
• Impact of regulations
• Application changes
• Q A

3
PCI DSS PA DSS

• Payment Card Industry Data Security Standard (PCI
  DSS)
• Set of requirements developed by the major credit
  card companies to enhance credit card data
  security
• All organizations that process, store, or
  transmit payment card data must be PCI DSS
  compliant or risk losing their ability to process
  credit card payments
• Payment Application Data Security Standard
  (PA-DSS)
• Designed to help software vendors develop secure
  payment applications that do not store prohibited
  data
• Payment applications that are sold, distributed
  or licensed to third parties are subject to the
  PA-DSS requirements
• Formerly under the supervision of the Visa Inc.
  program known as the Payment Application Best
  Practices (PABP)

4
Visa Mandated Deadlines

• October, 1 2008
• Newly boarded Level 3 and 4 merchants must be PCI
  DSS compliant or use PABP-compliant applications.
• Merchants must be PCI DSS complaint or use PA DSS
  validated applications to obtain a NEW merchant
  ID number
• Level 3 Any merchant processing 20,000 to
  1,000,000 Visa e-commerce transactions per year.
• Level 4 Any merchant processing fewer than
  20,000 Visa e-commerce transactions per year, and
  all other merchants-regardless of acceptance
  channel-processing up to 1,000,000 Visa
  transactions per year.
• October, 1 2009
• VisaNet Processors (VNPs) and agents must
  decertify all vulnerable payment applications.
• Systems that have been subject to a security
  breech
• July 1, 2010
• Acquirers must ensure their merchants, VNPs and
  agents use only PABP-compliant applications
• Applies to all organizations that process credit
  cards

5
Impact of Regulations on Blackbaud customers

• You can continue as normal until July 1, 2010 if
• you have an existing merchant ID
• your processor or acquiring bank doesnt require
  immediate compliance
• and you are not using known vulnerable
  applications
• Contact your processor or acquiring bank now to
  determine their compliance requirements
• You should strive to become PCI compliant as soon
  as possible to
• Protect your donor data
• Remove liability from your organization
• Compliancy will change your business practices
• You are responsible for becoming PCI compliant
• Review self-assessment at the PCI Security
  Council Organizations website

6
Impact of Regulations on Blackbaud

• We need to remove credit card data from our
  applications to make them PA-DSS compliant
• We need to develop and implement process changes
  that will allow our hosting facilities and our
  development, support and services environments to
  achieve PCI-DSS compliance

7
Changes to Accounts Receivable, Cash Receipts
and Student Billing 7.77

• Removal of the ability to store full credit card
  numbers
• Store only the last 4 digits

8
Helpful links

• PCI Overall information
• http//www.pcisecuritystandards.org/index.shtml
• Self-Assessment Questionnaire https//www.pcisecu
  ritystandards.org/saq/index.shtml
• Find a QSA http//www.pcisecuritystandards.org/qs
  a_asv/find_one.shtml
• Blackbaud sites
• PCI Landing page http//www.blackbaud.com/pci
• PCI Blog http//forums.blackbaud.com/blogs/pci/de
  fault.aspx
• Sign up for the PCI Compliance blog RSS feed at
  blogs.blackbaud.com

9

• Questions