Is Online Express PCI compliant?
Online Express is PCI compliant, but the webpage where the Online Express form is embedded may not be PCI-compliant.  Because of this, we highly encourage Online Express customers to take appropriate security measures on the webpages where their Online Express forms will be embedded.  

How can I confirm my webpage is PCI compliant?
For further information regarding how your organization can ensure your website is PCI compliant, please refer to the PCI Security Standards Council.


Why is there a "Security Warning" on my donation form dashboard in the Online Express plugin?
This means that your organization has one or more Online Express forms embedded on a webpage where SSL is not enabled.


Am I required to enable SSL?  If so, which vendor should I use?
While enabling SSL is not “required”, we suggest it as an additional layer of security so that visitors to your website are assured that the webpage they are accessing is secure.

How will embedding my forms in a non-SSL enabled webpage impact my donors?
If your Online Express form is embedded on a webpage where SSL is not enabled, visitors who navigate to the webpage where your Online Express form is embedded will see an "Insecure" warning in their web browser.  While donors will be able to successfully and securely make donations to your forms, the "Insecure" warning might deter potential donors from submitting a donation to the form. 

Which vendor should I use when purchasing my SSL certificate?  How do I enable SSL on my webpage(s)?
If your organization has questions regarding which vendor to use when purchasing your SSL certificate or how to enable SSL, this is beyond Blackbaud’s scope of support, so we recommend contacting a qualified IIS professional.

Are there any other security measures I should take with my Online Express forms?
For further information regarding what to consider before embedding your Online Express form into your website, please visit our Blackbaud Online Express Tips for protecting your donor page, which further discusses the following topics:
  • Enable Secure Sockets Layer (SSL)
  • Comply with the Payment Card Industry Data Security Standard (PCI DSS)
  • Limit page content
  • Do not render editable data

Does Blackbaud have a security badge we can add to show that our Online Express form is secure?
Blackbaud does not provide security badges for your website.


How do Online Express forms function with my website and Blackbaud's servers? Is it secure?
  • The webpage where the Online Express JavaScript is embedded is considered the OLX donation/event registration/membership/sign-up page
  • The JavaScript is the Online Express form
The donation/event registration/membership registration/sign-up page lives on the Media Temple web server where your organization's website is hosted, but the Online Express form doesn’t technically live there. All that lives on the Media Temple web server/page related to Online Express is a small script. When the donor/registrant/member navigates to the donation/event registration/membership registration/sign-up page, all of the page contents, including the Online Express script, get sent from the Media Temple server to the donor’s browser.
 
Then, the Online Express script runs in the donor’s browser, and its job is to establish the secure connection between the donor’s browser and the secure Blackbaud server where the Online Express form details live. When that connection is made, the Blackbaud server responds by sending the HTML and JavaScript required for the OLX form to render and function back to the donor’s browser, and the Online Express form then shows up on-screen.
 
The connection between the donor’s browser and the Blackbaud server is encrypted via SSL, even if the page where your organization embeds the Online Express script isn’t protected by a valid SSL certificate. So the important data connection is secured anyway, but donors have no way of knowing that, and if they see an “insecure” warning in their browser, this might deter potential donors from submitting a donation to the form. This is one of the main reasons why we highly encourage all Online Express customers to have an SSL certificate enabled on any page where they embed an Online Express form. This is also why we say “While Online Express IS PCI compliant, the webpage where you’re embedding your Online Express form may not be compliant.”

Where does the information typed in the Online Express form live prior to submitting their donation?
Until the donor clicks “Submit”, the data typed into the form lives only in the donor’s browser; when it is sent, it travels over an SSL-encrypted connection between the donor’s web browser and Blackbaud’s servers.
 
There is mention of a Media Temple web server. What is this web server?
This is the server where the organization’s website is hosted. This server is not owned by Blackbaud (unless Blackbaud hosts your website).
 
What information remains on the Media Temple web server?
The only data that is stored on the Media Temple web server is the Online Express script, which looks like this:
<div id="bbox-root"></div>
<script type="text/javascript">
    // Callback run by bbox-min.js once it has loaded; renders the form into #bbox-root
    window.bboxInit = function () {
        bbox.showForm('[The System Record ID of the form on the Online Express server]');
    };
    // Asynchronously load the Online Express script from Blackbaud's server over HTTPS
    (function () {
        var e = document.createElement('script'); e.async = true;
        e.src = 'https://bbox.blackbaudhosting.com/webforms/bbox-min.js';
        document.getElementsByTagName('head')[0].appendChild(e);
    } ());
</script>
When the donor navigates to the webpage where the script is embedded, the Media Temple server sends all the page contents on the webpage to the donor’s browser. The script runs in the donor’s browser and establishes a secure connection between the donor’s browser and Blackbaud’s server (where the form details live).
 
Once a secure connection is made, Blackbaud’s server sends the HTML and JavaScript required for the OLX form to render to the donor’s browser. The connection between the donor’s browser and the Blackbaud server is encrypted via SSL, so all data between the donor’s browser and Blackbaud’s servers is secure, even if the webpage on the website is not secured by SSL.
 
Any information the donor types into the form is stored in the donor’s browser until they click “Submit” on the form.
 
Once the donor clicks “Submit” the encrypted data is sent directly to Blackbaud’s server. At this point, the encrypted data typed into the form now lives on Blackbaud’s server.
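The two answers above (how the forms function, and what remains on the Media Temple server) both come down to one check a site owner can run on their own pages: is the page carrying the Online Express embed served over HTTPS, and does the snippet still load the Blackbaud script over HTTPS? The following is an added example, not Blackbaud code or part of the Online Express plugin; it scans a page's HTML (a constructed sample is embedded) and reports the same condition that triggers the plugin's "Security Warning".

```python
# Added example, not Blackbaud code: statically audit a page's HTML for an Online
# Express (bbox) embed and flag the plugin's "Security Warning" condition (no https).
from html.parser import HTMLParser
from urllib.parse import urlparse

BBOX_LOADER = "bbox.blackbaudhosting.com/webforms/bbox-min.js"
# Constructed sample page; the record ID is a placeholder, not a real form.
SAMPLE_PAGE = """<html><body><h1>Donate</h1>
<div id="bbox-root"></div>
<script type="text/javascript">
  window.bboxInit = function () { bbox.showForm('FORM-RECORD-ID-PLACEHOLDER'); };
  (function () { var e = document.createElement('script'); e.async = true;
    e.src = 'https://bbox.blackbaudhosting.com/webforms/bbox-min.js';
    document.getElementsByTagName('head')[0].appendChild(e); } ());
</script></body></html>"""


class _EmbedScanner(HTMLParser):
    # Records the bbox-root container, external script URLs and inline JS text.
    def __init__(self):
        super().__init__()
        self.has_bbox_root, self.script_srcs, self.js, self._in_script = False, [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and a.get("id") == "bbox-root":
            self.has_bbox_root = True
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.js.append(data)


def audit_embed(page_url, html):
    """Return finding codes for one page; an empty list means nothing to fix."""
    s = _EmbedScanner()
    s.feed(html)
    js = "".join(s.js) + " ".join(s.script_srcs)
    if not (s.has_bbox_root or BBOX_LOADER in js):
        return []  # no Online Express embed on this page, nothing to audit
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page-not-https")  # donors get the browser "Insecure" warning
    if "http://" + BBOX_LOADER in js:
        findings.append("loader-over-http")  # an edited snippet would load mixed content
    return findings
```

Run `audit_embed` over each public URL and its fetched HTML; any page reporting `page-not-https` is one where a donor will see the browser's "Insecure" warning even though the form's own connection to Blackbaud is encrypted.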
 
Is there any point in time where the credit card information is stored on my website?
No, the connection is strictly between the donor's browser and Blackbaud's server. No donor information will ever be stored on the website's server.