Is Online Express PCI compliant?
Online Express is PCI compliant, but the webpage where the Online Express form is embedded may not be. Because of this, we highly encourage Online Express customers to take appropriate security measures on the webpages where their Online Express forms will be embedded.

How can I confirm my webpage is PCI compliant?
For further information regarding how your organization can ensure your website is PCI compliant, please refer to the PCI Security Standards Council.

Why is there a "Security Warning" on my donation form dashboard in the Online Express plugin?
This means that your organization has one or more Online Express forms embedded on a webpage where SSL is not enabled.

Am I required to enable SSL?  If so, which vendor should I use?
While enabling SSL is not "required", we suggest it as an additional layer of security, so that visitors to your website can see that the webpage they are accessing is secure.

How will embedding my forms in a non-SSL enabled webpage impact my donors?
If your Online Express form is embedded on a webpage where SSL is not enabled, visitors who navigate to the webpage where your Online Express form is embedded will see an "Insecure" warning in their web browser.  While donors will be able to successfully and securely make donations to your forms, the "Insecure" warning might deter potential donors from submitting a donation to the form. 

Which vendor should I use when purchasing my SSL certificate?  How do I enable SSL on my webpage(s)?
If your organization has questions regarding which vendor to use when purchasing your SSL certificate or how to enable SSL, this is beyond Blackbaud's scope of support, so we recommend contacting a qualified IIS professional.

Are there any other security measures I should take with my Online Express forms?
For further information regarding what to consider before embedding your Online Express form into your website, please visit our Blackbaud Online Express Tips for protecting your donor page, which further discusses the following topics:
  • Enable Secure Sockets Layer (SSL)
  • Comply with the Payment Card Industry Data Security Standard (PCI DSS)
  • Limit page content
  • Do not render editable data

Does Blackbaud have a security badge we can add to show that our Online Express form is secure?
Blackbaud does not provide security badges for your website.

Does Blackbaud offer reCAPTCHA with Online Express forms?
Yes, Blackbaud does offer reCAPTCHA with Online Express forms. For information regarding how to configure reCAPTCHA with Online Express forms, please visit How to configure reCAPTCHA for Online Express.

How do Online Express forms function with my website and Blackbaud's servers? Is it secure?
  • The webpage where the Online Express JavaScript is embedded is considered the OLX donation/event registration/membership/sign-up page
  • The JavaScript is the Online Express form
The donation/event registration/membership registration/sign-up page lives on the web server where your organization's website is hosted, but the Online Express form doesn’t technically live there. All that lives on the web server/page related to Online Express is a small script. When the donor/registrant/member navigates to the donation/event registration/membership registration/sign-up page, all of the page content, including the Online Express script, is sent from the server to the donor’s browser.
 
Then, the Online Express script runs in the donor's browser, and its job is to establish the secure connection between the donor's browser and the secure Blackbaud server where the Online Express form details live. When that connection is made, the Blackbaud server responds by sending the HTML and JavaScript required for the OLX form to render and function back to the donor's browser, and the Online Express form then shows up on-screen.
 
The connection between the donor's browser and the Blackbaud server is encrypted via SSL, even if the page where your organization embeds the Online Express script isn't protected by a valid SSL certificate. So the important data connection is secured anyway, but donors have no way of knowing that, and if they see an "insecure" warning in their browser, this might deter potential donors from submitting a donation to the form. This is one of the main reasons why we highly encourage all Online Express customers to have an SSL certificate enabled on any page where they embed an Online Express form. This is also why we say "While Online Express IS PCI compliant, the webpage where you're embedding your Online Express form may not be compliant."

Where does the information typed in the Online Express form live prior to submitting their donation?
The data typed into the form prior to clicking "Submit" lives in the donor's browser; it is exchanged with Blackbaud's servers only over the SSL-encrypted connection between the donor's web browser and Blackbaud's servers.
 
What is a web server?
This is the server where the organization's website is hosted. This server is not controlled by Blackbaud (unless Blackbaud hosts your website).
 
What information remains on the web server?
The only data that is stored on the web server is the Online Express script, which looks like this:
<div id="bbox-root"></div>
<script type="text/javascript">
    // Called by the Online Express loader once it has been fetched; renders the form into #bbox-root
    window.bboxInit = function () {
        bbox.showForm('[The System Record ID of the form on the Online Express server]');
    };
    // Asynchronously load the Online Express script from Blackbaud's server over HTTPS
    (function () {
        var e = document.createElement('script'); e.async = true;
        e.src = 'https://bbox.blackbaudhosting.com/webforms/bbox-min.js';
        document.getElementsByTagName('head')[0].appendChild(e);
    } ());
</script>
When the donor navigates to the webpage where the script is embedded, the web server sends all of the page contents to the donor's browser. The script runs in the donor's browser and establishes a secure connection between the donor's browser and Blackbaud's server (where the form details live).
 
Once a secure connection is made, Blackbaud's server sends the HTML and JavaScript required for the OLX form to render to the donor's browser. The connection between the donor's browser and the Blackbaud server is encrypted via SSL, so all data between the donor's browser and Blackbaud's servers is secure, even if the webpage on the website is not secured by SSL.
 
Any information the donor types into the form is stored in the donor’s browser until they click “Submit” on the form.
 
Once the donor clicks “Submit” the encrypted data is sent directly to Blackbaud’s server. At this point, the encrypted data typed into the form now lives on Blackbaud’s server.
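The walkthrough above and the "Security Warning" question earlier describe the same condition: the form connection is encrypted, but the page that carries the embed script may not be. The following is an added example, not Blackbaud's code, that checks an embedding page for that condition before it goes live. It assumes only the loader host shown in the snippet above; the sample page HTML is constructed, and the check is regex-based rather than a full HTML parser.

```javascript
// Added example, not Blackbaud code: audit one page that embeds an Online Express form.
// Uses the loader host from the embed snippet above; the sample HTML is constructed.
const BBOX_HOST = 'bbox.blackbaudhosting.com';

function auditEmbedPage(pageUrl, html) {
  const findings = [];
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') {
    findings.push('host page is not served over HTTPS (browsers show "Insecure")');
  }
  // Gather script URLs: <script src="..."> tags and the e.src = '...' loader pattern.
  // Regex-based on purpose; this is a quick check, not a full HTML parser.
  const scriptUrls = [];
  for (const re of [/<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi, /e\.src\s*=\s*["']([^"']+)["']/g]) {
    let m;
    while ((m = re.exec(html)) !== null) scriptUrls.push(m[1]);
  }
  let loaderFound = false;
  for (const s of scriptUrls) {
    let u;
    try { u = new URL(s, pageUrl); } catch (_) { findings.push(`unparseable script URL: ${s}`); continue; }
    if (u.hostname === BBOX_HOST) {
      loaderFound = true;
      // A scheme-relative or http:// src would fetch the loader without TLS on a non-SSL page
      if (u.protocol !== 'https:') findings.push(`Online Express loader not fetched over HTTPS: ${s}`);
    } else if (u.protocol === 'http:') {
      findings.push(`other script on the page loaded over plain http: ${s}`);
    }
  }
  if (!loaderFound) findings.push('Online Express loader script not found on the page');
  // bbox.showForm() must carry a real System Record ID, not the bracketed placeholder.
  const id = /bbox\.showForm\(\s*['"\u2018\u2019]([^'"\u2018\u2019]*)['"\u2018\u2019]\s*\)/.exec(html);
  if (!id) findings.push('bbox.showForm() call not found');
  else if (id[1].trim() === '' || /^\[.*\]$/.test(id[1].trim())) findings.push('bbox.showForm() still has a placeholder form id');
  return findings;
}

// Constructed sample page: the embed snippet from this FAQ with a made-up form id.
const SAMPLE_PAGE = `<div id="bbox-root"></div>
<script type="text/javascript">
  window.bboxInit = function () { bbox.showForm('EXAMPLE-FORM-ID'); };
  (function () {
    var e = document.createElement('script'); e.async = true;
    e.src = 'https://bbox.blackbaudhosting.com/webforms/bbox-min.js';
    document.getElementsByTagName('head')[0].appendChild(e);
  }());
</script>`;

console.log(auditEmbedPage('http://www.example.org/donate', SAMPLE_PAGE));
```

Run it over the real URL and HTML of each page listed in your Online Express dashboard; an empty result means the page itself is served over HTTPS and the loader is fetched over HTTPS, which is the condition the "Security Warning" reports.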
 
Is there any point in time where the credit card information is stored on my website?
No, the connection is strictly between the donor's browser and Blackbaud's server. No donor information will ever be stored on the website's server.