This article is focused on important updates that Neon CRM is making to payment forms in order to remain PCI compliant. These changes will go into effect with the September 21st, 2024 Neon CRM update.
What is PCI DSS/"PCI Compliance"?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a series of robust security requirements that must be followed by any entity which handles cardholder data. It's most commonly shortened to "PCI compliance".
Neon CRM must comply with these continually-updating security requirements in order to provide you with the ability to process payments.
PCI DSS v4 Requirement 6.4.3
Requirement 6.4.3 of PCI DSS v4 dictates the following:
All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written justification as to why each is necessary.
What does this mean for Neon CRM?
By "payment page scripts", the standard means code that runs in the visitor's browser on web pages which process payments. This requirement is intended to prevent security risks caused by unreviewed or malicious scripts running in the background on those pages.
It is not possible for Neon CRM to maintain an inventory of all scripts present on all of our users’ websites (or any other websites on which you may have embedded the pop-up form buttons).
Therefore, in order for Neon CRM to remain PCI compliant, we must ensure that payments are only being processed on Neon CRM-controlled pages.
This requires us to make adjustments to the payment form experience in certain situations, which are outlined below.
Specific Impacts to Neon CRM Forms
Pop-Up Donation and Membership Forms
If you are using the embeddable pop-up buttons for new donation and membership forms, you can continue to do so.
However, these new security requirements mean that we will need to redirect donors to a Neon CRM-hosted payment page.
Here's what the new experience will look like:
- A donor or member clicks the embedded button on your website.
- They fill out the beginning of the form within the pop-up window, like they currently do.
- Once the payment section is reached, the pop-up will display a message explaining that they are being redirected to a secure payment page.
- Then, the payment page will automatically load in the same browser tab on a Neon CRM-hosted page. This is where the donor or member will enter their payment information and complete the transaction.
- After submitting their payment, they'll be shown the exit page for the form. If you are using the standard Neon CRM exit page builder, they will be automatically redirected to the original website after a few seconds, or they can click the "Back to Site" button.
Web Template Copies, Uploaded Themes, and Dynamic Sync Themes
- Web Template Copies: A service through which the appearance of your organization's website was applied to your Neon CRM forms & pages. This was also sometimes referred to as "navigation forms", "hero forms", "scraping your website", or similar phrases.
- Note: We no longer create new Web Template Copies, but can make minor updates to existing ones.
- Uploaded Themes: A file that your organization uploaded to Neon CRM for use as a Theme. Sometimes also referred to as Custom Themes.
- Dynamic Sync Themes: A setting available to Neon Websites clients on WordPress-powered sites. It allows the appearance of your website to be automatically synced to Neon CRM and applied to your forms & pages.
If you fall into any of the groups above, these new security requirements mean that the payment pages of relevant forms will need to have a separate Theme applied. The rest of your forms' content will still retain the overall appearance.
A new Global Settings page called Set Payment Theme will let you choose the Theme applied to payment pages in this situation.
- If you do not specifically use the Set Payment Theme option to designate a Theme for the payment page, then we will automatically use the Theme created with your branding and colors during Onboarding if it is available.
- If this is not available in your system, then the Neon CRM-created Theme titled "Modern" will be automatically applied.
Since your donors will be taken to a page that likely looks different from the previous form page(s), they'll be shown the message "Taking you to a secure payment page..." so they know that this is expected.
Or, if you'd prefer, you could create a different Theme. This will allow all pages of your form to have the same appearance.
FAQ
What is PCI DSS/"PCI Compliance"?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a series of robust security requirements that must be followed by any entity which handles cardholder data. It's most commonly shortened to "PCI compliance".
As a software platform that allows payments, Neon CRM must adhere to these continually-updating requirements and maintain PCI compliance.
Why are these changes happening now?
Currently, PCI DSS v4 is a "best practice" recommendation, and it becomes mandatory in March 2025.
Neon CRM must complete the work necessary to comply with requirement 6.4.3 of PCI DSS v4 in Q3 2024 due to other items on our product development roadmap.
Why are Neon CRM's changes different than what other software providers are doing?
The changes that Neon CRM is implementing are based on the interpretation of Neon One's Chief Architect as well as an external cybersecurity firm.
The specific updates we're making are intended to ensure the security of your organization's Neon CRM forms and your constituents' payment information. Our goal was to minimize the disruption to you and your constituents while still ensuring that Neon CRM is fully PCI compliant.
We recognize that we're early to make these security updates. As the March 2025 deadline approaches, you will see more changes to payment form behavior across the web as other providers become compliant with this requirement.
It is possible that other software platforms may implement different changes based on their own interpretation of requirement 6.4.3. For example, some platforms may attempt to maintain an inventory of all users' website scripts, but this is not feasible for Neon CRM.
Will this affect forms that don't process payments, like account forms?
No, these changes will only impact transaction forms.
What should I tell my donors if they ask about these changes to our forms?
You might find it helpful to use the following language:
Our forms have been slightly updated to ensure that your information continues to be stored securely. You may see a message stating "Taking you to a secure payment page", or "Redirecting you to a secure payment page", which opens a new browser tab. This is expected due to these security updates.
Will this affect any Neon CRM integrations?
No, these changes should not impact any third-party integrations with Neon CRM.
I've previously contacted Neon CRM Support about adding tracking scripts to my Neon CRM Themes. What's happening with that?
Existing scripts (such as Google Tag Manager or Meta Pixel) which have been submitted in a Neon CRM support ticket, reviewed by our Development team, and added to a Neon CRM Theme will continue to be supported. This existing process for adding these common, universally-known scripts will remain in place.
After the release of this setting, you will need to contact crmsupport@neonone.com to request that any desired scripts also be added to your newly-designated Payment Theme.