Credit card transactions include a tamper-proof seal (TPS) that the processor uses to validate the transaction. Hackers can use the TPS directly to submit fraudulent authorizations. Bloomerang has already made changes to severely limit the use of TPS on standard forms. However, these changes are not carried over to self-hosted forms.
This only concerns you if you are already experiencing fraudulent credit card authorizations in BluePay and:
You have transaction forms that you started self-hosting before May 23, 2016.
Those self-hosted transaction forms use BluePay as the processor and allow EFT transactions.
Or
You have custom forms that use BluePay as the processor.
To stop a hacker from continuing to use the existing TPS, you need to do three things:
Contact Bloomerang and request a data service to delete all BluePay custom forms. These forms use the old TPS method that a hacker could use.
Change your BluePay key and add it to Bloomerang CRM.
Update self-hosted forms with the new BluePay key.
To change your BluePay key:
Log in to BluePay.
Navigate to the Account Admin page.
Click Create New Key.
Copy the secret key.
Log in to Bloomerang CRM.
Click Settings.
Click Payments.
Click your BluePay processor.
In the Secret Key field, paste in your new secret key.
Click Save.
To update your self-hosted forms that use BluePay and allow EFT transactions:
Click Communications.
Click Forms.
On the Online Giving or Event Registration tile, click Select.
Click the down arrow next to the form and select Get Code.
Search for Bloomerang.useProcessor(.
Copy the entire line. It should look something like:
Bloomerang.useProcessor('[processorId]', 'BluePay', '[AccountNumber]', true, '[TPS]', true);
Go to your website and open the form's code.
Search for Bloomerang.useProcessor(.
Replace this line with the code you copied.
Publish the form.
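To confirm that no page on your site still carries an old line, you can compare every Bloomerang.useProcessor( call in your page sources against the line copied from Get Code. This is an added example, not Bloomerang's code: the argument positions are taken from the sample line above, and the file names and values are constructed placeholders.

```javascript
// Audit self-hosted pages for stale Bloomerang.useProcessor( lines.
// Argument order follows the sample line on this page:
// (processorId, processorName, accountNumber, flag, TPS, flag).
// Assumption: arguments contain no commas or parentheses.
const CALL_RE = /Bloomerang\.useProcessor\(([^)]*)\)/g;

// Split an argument list on commas and strip quotes and whitespace.
function parseArgs(argText) {
  return argText.split(',').map(a => a.trim().replace(/^['"]|['"]$/g, ''));
}

// Return every useProcessor call in a source string with its 1-based line number.
function findUseProcessorCalls(source) {
  const calls = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(CALL_RE)) {
      const args = parseArgs(m[1]);
      calls.push({ line: i + 1, processor: args[1], tps: args[4] });
    }
  });
  return calls;
}

// List BluePay calls whose TPS differs from the freshly copied line.
// Only file and line are reported, so the seal itself is never printed.
function findStaleForms(pages, copiedLine) {
  const current = findUseProcessorCalls(copiedLine)[0];
  if (!current) throw new Error('copied line has no Bloomerang.useProcessor( call');
  const stale = [];
  for (const [file, source] of Object.entries(pages)) {
    for (const call of findUseProcessorCalls(source)) {
      if (call.processor === 'BluePay' && call.tps !== current.tps) {
        stale.push({ file, line: call.line });
      }
    }
  }
  return stale;
}

// Constructed sample data: placeholder values, not real keys or seals.
const copiedLine =
  "Bloomerang.useProcessor('1001', 'BluePay', '100000000001', true, 'NEW-TPS-PLACEHOLDER', true);";
const pages = {
  'donate.html': "<script>\n  Bloomerang.useProcessor('1001', 'BluePay', '100000000001', true, 'OLD-TPS-PLACEHOLDER', true);\n</script>",
  'events.html': '<script>\n' + copiedLine + '\n</script>',
};
console.log(findStaleForms(pages, copiedLine));
```

Any file it reports still contains a line that has to be replaced and republished.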
