Blackboard

PCI Compliance


Not Ranked
Posts 0
duffangie Posted: 19 Jun 2007 12:00 AM
--- Server: Bb Community System(?) | Client: ?(?) ---

We are in the process of performing a PCI Compliance Self-Audit and we have both a Community Server and a Transaction Server. When a consumer credit card is used to add funds to a student's ID Card account, is any credit card information stored on either of these servers at any time? If so, what data is being stored?

Additionally, what cardholder verification data is stored in the user profile on the Community Server?

Thanks for any input.

Angie
Not Ranked
Posts 0
Angie -- Thanks for your post. Here are my initial responses to your questions. If you have additional questions or need further assistance, please let us know.

* Community System: This application does not store track data or credit card account information in the database. The Community System utilizes the Blackboard Payment Gateway to process and settle these transactions. The Community System stores the credit card authorization data it receives from the Payment Gateway, but not sensitive cardholder data.

* Transaction System: Currently, this application does store credit card account information in the database in an encrypted format. In 2006, Blackboard contracted with a third party service provider (Ambiron Trustwave) to conduct a complete assessment of this application related to PCI and PABP compliance and to make the appropriate recommendations for bringing this application in line with the standards for certification. This process is well underway and is a long-term development effort being headed up by the Blackboard Commerce Suite Product Management organization. Additional information on timelines for this development will be forthcoming.

I hope this information is helpful to you & your efforts.

Kind regards,
Michele Neyers, Sr. Solutions Engineer, Blackboard Commerce Suite
Not Ranked
Posts 0
Angie -- In my first post I neglected to mention the Blackboard Payment Gateway, which is a critical component to a comprehensive PCI assessment.

Blackboard utilizes a third party payment processor or gateway application for processing external card payments. This payment gateway application is ClearCommerce (v5.9) from eFunds and is hosted by Blackboard in our Virginia Data Center. The Community System application, as well as the latest release of the Transaction System Universal Edition (v2.7), use the ClearCommerce gateway to process and settle credit card transactions. The ClearCommerce application, as well as its overall hosting and network environments, are PCI compliant and certified. As required by the standards, this application/environment is scanned on a regular basis by our third party service provider (Ambiron Trustwave) and was once again certified on April 11, 2007. This information can also be found at http://www.visa.com/cisp under the heading 'CISP List of Compliant Service Providers'.

Again, if you have additional questions or if we can provide further assistance, please let us know.

Kind regards,
Michele Neyers, Sr. Solutions Engineer, Blackboard Commerce Suite
Not Ranked
Posts 0
Hi -

You replied: * Transaction System: Currently, this application does store credit card account information in the database in an encrypted format.

Are encryption key protection and key management processes managed by Blackboard?

Thanks

Angela Duff
Not Ranked
Posts 0
Angela -- Yes they are.
Not Ranked
Posts 0
I am currently getting conflicting information from several sources regarding the Blackboard Community System. Have the product and services been evaluated for PCI Compliance and are they deemed compliant? If so, will Blackboard issue a formal statement to users of the system regarding this? If they haven't been deemed compliant, is there a target date to achieve compliance?

Thank You.
Not Ranked
Posts 0
Hey guys

if you wanna know more about PCI Compliance and some current issues which are related to this discussion then-

PCI Compliance online Thought Leadership: http://bit.ly/3rc5OW

Thought leaders from Visa Group, KPMG, bwin Group & Qualys discuss Best Practices in implementing a PCI compliant Security Strategy
-----------------------------------------
What?
Industry Thought Leaders -

Overall Impact of PCI Compliance on Your Businesses & Key Steps to implementing PCI Compliant strategy.

Provide Thought Leadership, Best Practices and Case Studies.

Enable vibrant exchange of ideas between thought leaders and viewers.

Who?

Head of Corporate Security, bwin Entertainment

Principal Adviser, KPMG

Chief Scientist, Certichron

Vice President, Visa Inc

Partner, SecurityCurve

Principal, Qualys Inc.