How is Blackbaud NetCommunity impacted by PCI 3.1 and TLS 1.2 requirements?

In April 2015, Payment Card Industry Data Security Standard (PCI DSS) 3.1 was released to address security concerns with all SSL and early TLS cryptography. PCI 3.1 defines these levels of cryptography as weak and mandates a transition to TLS 1.2 by June 2018.

How does this mandate impact Blackbaud NetCommunity?
The impact and any actions you need to take depend on your hosting situation for Blackbaud NetCommunity.

If you are hosted by Blackbaud:

In October 2014, Blackbaud disabled SSL 3.0 for all hosted Blackbaud NetCommunity clients. PCI 3.1 states that TLS 1.0 can remain enabled as long as a mitigation plan is in place to disable the protocol by June 30, 2018. While TLS 1.0 is currently enabled on our servers, Blackbaud maintains a mitigation plan to disable TLS 1.0 by the cutoff date. 

If you receive a failed PCI compliance scan for your hosted Blackbaud NetCommunity website during this time, please chat with support and provide a full copy of the PCI scan. Blackbaud will work directly with the scanning service to provide our mitigation plan and certify the scan as a false positive. 

If you are not hosted by Blackbaud:

System administrators should work directly with their security team to confirm the correct way to address the requirements of PCI 3.1. In order to enable and utilize TLS 1.2, you will need to be on at least version 7.0 of Blackbaud NetCommunity and your Blackbaud NetCommunity web server will need Microsoft .NET Framework 4.5.2 installed.

.NET Framework 4.5.2 is compatible with Windows Server 2012, which is the recommended server for Blackbaud NetCommunity. For a full list of supported servers and the minimum configuration, see our system requirements guide. 
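The following read-only check is an added example, not a Blackbaud script. It reports whether a self-hosted web server has .NET Framework 4.5.2 and which SSL/TLS protocols are overridden in SCHANNEL, for both the server role and the client role used for outbound calls to hosted services. It assumes the standard Microsoft registry locations and Microsoft's documented `Release` value of 379893 for .NET Framework 4.5.2.

```powershell
# Added example (not Blackbaud code). Read-only: nothing on the server is changed.
$minRelease = 379893   # assumption: Microsoft's documented Release value for 4.5.2
$ndpKey     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release    = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release

$dotnet = [pscustomobject]@{
    Item  = '.NET Framework 4.x (Release)'
    State = if ($null -eq $release) { 'not found' } else { $release }
    Note  = if ($release -ge $minRelease) { 'meets 4.5.2 requirement' } else { 'below 4.5.2' }
}

# SCHANNEL keeps per-protocol overrides here. A missing key or value means
# the operating system default applies, which differs between Windows versions.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$protocols = foreach ($protocol in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        $props = Get-ItemProperty -Path "$schannel\$protocol\$role" -ErrorAction SilentlyContinue

        $state = if ($null -eq $props -or $null -eq $props.Enabled) {
            'OS default (no override)'
        } elseif ($props.Enabled -eq 0) {
            'disabled'
        } else {
            'enabled'
        }

        # Flag only what the article names: TLS 1.2 must be usable,
        # SSL 3.0 and TLS 1.0 are the protocols PCI 3.1 treats as weak.
        $note = if ($protocol -eq 'TLS 1.2' -and $state -eq 'disabled') {
            'TLS 1.2 is turned off'
        } elseif ($protocol -in 'SSL 3.0', 'TLS 1.0' -and $state -ne 'disabled') {
            'weak under PCI 3.1; not explicitly disabled'
        } else {
            ''
        }

        [pscustomobject]@{ Item = "$protocol $role"; State = $state; Note = $note }
    }
}

@($dotnet) + $protocols | Format-Table -AutoSize
```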

If you are still using Windows Server 2003, please see our considerations for Windows Server 2003 and Blackbaud NetCommunity along with the current necessary protocol and cipher configuration for Windows Server 2003 with Blackbaud hosted services.
Warning: By disabling certain protocol and cipher suite combinations, your connection to Blackbaud hosted services, such as Email (BBNC) Services and Payment Services, could be impacted. Your connection to these services can be tested by navigating to your website's testconfig page and checking the BBNC Service and BBPS WS lines towards the bottom of the page. 
Note:
If NetCommunity is on version 7.0 and below, review [netcommunityURL]/testconfig.aspx. 
If NetCommunity is on version 7.1 and above, refer to Knowledgebase

If Blackbaud NetCommunity is hosted by Blackbaud and your organization hosts The Raiser's Edge Web Services server (REWS):

System administrators should work directly with their security team to confirm the correct way to address the requirements of PCI 3.1 for the REWS. The same considerations for the Blackbaud NetCommunity version and the Microsoft .NET Framework 4.5.2 as described above apply when attempting to enable TLS 1.2 on REWS.

If you are still using Windows Server 2003 for REWS, the same considerations apply as described above for Windows Server 2003 and Blackbaud NetCommunity.
Warning: By disabling certain protocol and cipher suite combinations, your REWS connection to your hosted Blackbaud NetCommunity website could be impacted.  Your REWS connection to Blackbaud NetCommunity can be tested by navigating to your website's testconfig page and checking the RE7 WS lines towards the top of the page.
Note:
If NetCommunity is on version 7.0 and below, review [netcommunityURL]/testconfig.aspx. 
If NetCommunity is on version 7.1 and above, refer to Knowledgebase
Note: Throughout this article, we have provided links to third-party websites. We provide links to third-party websites in an effort to help you resolve your issue. We are not responsible for the information on third-party websites, and we cannot assist in implementing the solutions on these websites.


 
  Mitigation Document.docx

Environment

 Blackbaud NetCommunity
