I had my site scanned by SecurityMetrics and the results say it is non-compliant with the PCI scan validation requirement.
Title: Web Application Potentially Vulnerable to Clickjacking
Synopsis: The remote web server may fail to mitigate a class of web application vulnerabilities.
What does this mean? Is my site not PCI compliant?
This finding is what's known as a "false positive," i.e. not a true vulnerability. Blackbaud prevents clickjacking by setting frame response to same-origin.