• Replies 10 replies
  • Subscribers 337 subscribers
  • Views 73 views
  • Users 0 members are here
Related

Encrypted card devices and recurring payments

Lou Ambrose
$organization
We are a RAMP client and are looking at our PCI scope. We thought that installing encrypted card readers and keypads would reduce our scope. I have just been in contact with support and found out that encrypted devices never store the credit card number in the Tessitura databese. It goes directly to Vantiv. This is great for PCI, but means that there is no credit card in Tessitura to use for monthly membership billing. A credit card has to be in the Tessitura database before it can be tokenized, so tokenization does not solve this problem either. Our IT guy wants to know what other organizations are doing about this. Any help? Thanks.
Parents
  • $organization

    Lou,

    We are also a RAMP client and when we manually enter a credit card for a gift or payment, the credit card information is stored on the constituent's record.

    We are able to create payment schedules which use the credit card on the constituent's record to process payments against a pledge on any kind of schedule.

    This is PCI compliant because six digits of the credit card number are anonymized in the Transactions tab -> Credit Cards radio button in Tessitura; plus, only authorized users accessing the database through a RAMP login, the RAMP token, and Tessitura login can get in.

    Let me know if I can better explain anything here.

    Thank you,

    Brian

  • $organization in reply to Brian Parker (Past Member)

    Brian,

    Having something certified as PCI-compliant is really about organizational processes and documentation as much as it is about technology. (Frankly, I think it is all too common for orgs to rely entirely on the technology to the detriment of their actual security.) Suffice to say, even if you are on RAMP, if you are storing credit card numbers in your DB instead of tokens you are increasing your PCI scope dramatically.

Reply
  • $organization in reply to Brian Parker (Past Member)

    Brian,

    Having something certified as PCI-compliant is really about organizational processes and documentation as much as it is about technology. (Frankly, I think it is all too common for orgs to rely entirely on the technology to the detriment of their actual security.) Suffice to say, even if you are on RAMP, if you are storing credit card numbers in your DB instead of tokens you are increasing your PCI scope dramatically.

Children
No Data