Hi Lou,
Tokenization is what you need and that can be done without the card ever hitting Tessitura; dealing with recurring payments is one key use case for tokenization.
This image provides a good visual on how it works (source: http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/PoSRAMScrapers4.png):
In a nutshell, Vantiv receives the encrypted cardholder data (and they hold the key to unlock it), they issue a token, and then that token is returned and stored in the Tessitura database. I hope this helps!
Thanks,
David
From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Lou Ambrose
Sent: Wednesday, February 8, 2017 2:56 PM
To: David Frederick <DFrederick@scfta.org>
Subject: [Tessitura Technical Forum] Encrypted card devices and recurring payments
We are a RAMP client and are looking at our PCI scope. We thought that installing encrypted card readers and keypads would reduce our scope. I have just been in contact with support and found out that encrypted devices never store the credit card number in the Tessitura database. It goes directly to Vantiv. This is great for PCI, but means that there is no credit card in Tessitura to use for monthly membership billing. A credit card has to be in the Tessitura database before it can be tokenized, so tokenization does not solve this problem either. Our IT guy wants to know what other organizations are doing about this. Any help? Thanks.
This message was sent automatically to you by www.tessituranetwork.com because you subscribed to the Tessitura Technical Forum. You may reply to this message to post to the Technical forum or visit the site to search, read and post to the forums. In the interest of keeping the forum posts from becoming cluttered, we encourage you to delete previous message text from your reply before sending. Thank you!
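A toy model of the flow David describes, added here as an illustration (not code from the thread, from Tessitura or from Vantiv): the reader encrypts the card number under a key only the processor holds, the processor vaults the number and hands back a token, and the merchant record keeps only the token and last four digits, which is all recurring billing then needs to present. A Luhn-based scan at the end shows whether a set of records contains anything that looks like a real card number. The Processor class, the keystream cipher and every name are hypothetical stand-ins.

```python
import hashlib, re, secrets, string

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stand-in for the reader's injected P2PE key (real readers use DUKPT).
    out = b""
    while len(out) < n:
        out += hashlib.sha256(key + nonce + len(out).to_bytes(2, "big")).digest()
    return out[:n]

class Processor:
    """Hypothetical stand-in for the payment processor (Vantiv in the thread)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # lives in the reader and at the processor only
        self._vault = {}                     # token -> PAN, kept here, never at the merchant
    def reader_encrypt(self, pan: str) -> bytes:
        # Runs inside the encrypting reader; the merchant system only sees this blob.
        nonce = secrets.token_bytes(16)
        ks = _keystream(self._key, nonce, len(pan))
        return nonce + bytes(a ^ b for a, b in zip(pan.encode(), ks))
    def tokenize(self, blob: bytes) -> dict:
        nonce, ct = blob[:16], blob[16:]
        ks = _keystream(self._key, nonce, len(ct))
        pan = bytes(a ^ b for a, b in zip(ct, ks)).decode()
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}  # all the merchant needs to keep
    def charge(self, token: str, cents: int) -> bool:
        # Recurring billing presents the token; the PAN is resolved processor-side.
        return token in self._vault and cents > 0

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def stored_pans(records: dict) -> list:
    # Scope check: values in the merchant DB that look like a Luhn-valid PAN.
    found = []
    for rec in records.values():
        for m in re.findall(r"\b\d{13,19}\b", " ".join(str(v) for v in rec.values())):
            if luhn_ok(m):
                found.append(m)
    return found

def enroll_and_bill(processor: Processor, pan: str, monthly_cents: int) -> dict:
    # Swipe on an encrypted reader, tokenize, store only the token, then bill three months.
    card = processor.tokenize(processor.reader_encrypt(pan))
    merchant_db = {"constituent_42": {"token": card["token"], "last4": card["last4"]}}
    billed = all(processor.charge(card["token"], monthly_cents) for _ in range(3))
    return {"db": merchant_db, "billed": billed, "pans_in_db": stored_pans(merchant_db)}
```

Running `stored_pans` over a record that holds a manually typed card number (the constructed test number 4111111111111111) flags it, while the tokenized record comes back clean.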
Lou,
We are also a RAMP client and when we manually enter a credit card for a gift or payment, the credit card information is stored on the constituent's record.
We are able to create payment schedules which use the credit card on the constituent's record to process payments against a pledge on any kind of schedule.
This is PCI compliant because six digits of the credit card number are anonymized in the Transactions tab -> Credit Cards radio button in Tessitura; plus, only authorized users accessing the database through a RAMP login, the RAMP token, and Tessitura login can get in.
Let me know if I can better explain anything here.
Thank you,
Brian
Brian,
Having something certified as PCI-compliant is really about organizational processes and documentation as much as it is about technology. (Frankly, I think it is all too common for orgs to rely entirely on the technology to the detriment of their actual security.) Suffice to say, even if you are on RAMP, if you are storing credit card numbers in your DB instead of tokens you are increasing your PCI scope dramatically.
Thank you to Nick and Gloria for illustrating the limits of my PCI understanding haha.
FYI…when you add a credit card to a customer’s account, you are not “storing credit card data” in PCI terms. That affects your scope. But the biggest thing that affects the scope is the method of sale. The PCI questionnaires are determined by HOW you process credit cards. There are questionnaires for online only, phone and mail only, but not one that is for both. That means you have to do Questionnaire D which is the longest one. However, if you are using tokens AND not storing any credit card data, then you can skip a lot of those questions.
From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Brian Parker
Sent: Thursday, February 09, 2017 1:55 PM
To: Gloria Ormsby <gormsby@flynncenter.org>
Subject: Re: [Tessitura Technical Forum] Encrypted card devices and recurring payments
From: Lou Ambrose <bounce-louambrose6123@tessituranetwork.com>
Sent: 2/8/2017 5:41:06 PM
Typo…first sentence should say
when you add a credit card to a customer’s account, you are “storing credit card data” in PCI terms
I had inserted the word “not” but you actually are storing when you enter the card in manually. Unless you then tokenize them with the utility.
From: Gloria Ormsby
Sent: Thursday, February 09, 2017 3:35 PM
To: 'Tessitura Technical Forum' <forums-technical@tessituranetwork.com>
Subject: RE: [Tessitura Technical Forum] Encrypted card devices and recurring payments
We were in the exact same place as you a few months ago. We decided to put EMV readers in our box office for specific transactions. Since we really only need to save cards for donors and subscribers, we've set in place business rules for our ticket sellers. Any single ticket purchases go through the EMV readers; for any subscription purchases they type the card number in the Tessitura payments window. Our gifts processor doesn't use a card reader at all.
Eventually we will go to tokenization for the donor and subscriber cards we are saving, but at the moment there's some work on our custom website that needs to happen first. We're also waiting on v.14 because it seems that the payment updates may integrate with tokenization a little better.
Hope this helps,
Dorothy
Thanks for everyone's replies. Greg Stickney from support reached out to me and clarified my confusion. Encrypted devices can be used to enter a credit card which can be converted to a token and stored on the constituent's record. We will go that route for our recurring payments. We can have encryption and recurring payments! That is what I wanted to hear.