Guest Columnist: Marc W. Halpert, egiving
Online donations are designed to be easy for donors to use. Unfortunately, they can be easy targets for thieves too: people seeking a place to test stolen credit card data by making false donations, hundreds of them in a flash. Nonprofits are increasingly being attacked online. When you discover your donation site has been compromised, you feel vulnerable and not fully in control, and worst of all, you have to explain to your management and Board why it happened.
Here’s what can happen:
The thief purchased thousands of stolen credit card records on the internet and blasted that data at your website’s donation page, hoping some would succeed. Then, knowing which few cards actually worked, he goes off to another website and uses them again for a higher amount, perhaps this time for electronics or other goods. The game is over when the cardholder’s bank notices the card has been used irregularly and cancels it. Thieves seem to start with small-dollar donations at nonprofits, small enough to stay below the thresholds at which banks flag fraudulent transactions. They are hoping nonprofits are not as aware of their bank account activity and cash flow as for-profits are. Wrong assumption, but this is the mentality.
In retrospect, when you are tested with fraudulent donations, your online donation mechanism functioned fine; the problem is that you didn’t set the controls on your gateway and donation page tightly enough. (A gateway is the online service that links a donation page to the merchant account. It is also where the current day’s and historical donation data are stored for bank account reconciliation and statistical purposes.)
Before this happens to your organization, put procedures in place to prevent and control abuse (easily accomplished with the assistance of your merchant account and/or gateway vendors). Give careful forethought to implementing some, if not all, of these:
- Set a minimum dollar threshold on your gateway to preclude small bogus transactions (in recent cases, 7 cents or $1.03) from slipping through.
- Address verification service (AVS) must be enabled on your gateway. Require that both the house number AND the 5-digit ZIP code of the cardholder match under the AVS algorithm used by the card brands before a card is processed.
- Some well-regarded gateways allow you to block computer IP addresses in selected foreign countries. As an option you can set the gateway to reject all but those in the USA, if appropriate for your donor base.
- Ask your web developer to identify the thief’s IP address. Set the cart to recognize that IP address in the future and automatically direct him to a government website (like FBI.gov).
- Think about including a CAPTCHA or “I am not a robot” challenge-response test as well. You want a human to make a donation, and these block fraudulent robo-processing.
- Be sure donations are reported to multiple email boxes so at least one of your fellow staff will notice immediately if a vulnerability occurs. If staffers work outside of the office, be sure transaction notifications buzz on their cellphones. Thieves assume you are not watching and can work their mayhem on weekends and in the middle of the night.
- Some strong gateways use artificial intelligence and report anything that seems awry. They work 24x7x366. Be sure their warnings reach multiple staff cellphones at any time.
- Manually reverse every successful transaction that doesn’t belong to you via the gateway refund function (immediately!). Your fee for a chargeback (when a cardholder disputes a purchase by starting a documentary process with his bank to reverse the card transaction) is usually $25. Prevent being hit with $25,000 in chargeback fees if you receive 1,000 7-cent fraudulent transactions!
- If you have a concern, contact your merchant account salesperson immediately so he/she can advise you how to best notify the fraud experts of the online payment vendors you use. There are established fraud protocols that card processors and gateways follow.
- Finally, review your transactions at least daily. Pay attention to which ones failed, look for patterns of odd transactions and report them immediately by phone, not via an online service ticket, for fastest servicing.
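As an added illustration of the daily transaction review in the last item (and of the refund step above), here is a small Python script, not part of the column or of any vendor's product, that scans a constructed gateway export for the card-testing pattern described: bursts of tiny attempts from one IP, amounts under the minimum threshold, and approvals without a full AVS match. The log format, field names, thresholds and the `avs=Y` code (standing for the full house-number-plus-ZIP match) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample gateway export (not real data): one normal donor, then a
# burst of tiny, rapid-fire attempts from one IP in the middle of the night.
SAMPLE_LOG = [
    "2024-03-02T14:05:10 ip=198.51.100.20 amount=50.00 avs=Y status=approved",
    "2024-03-03T02:10:01 ip=203.0.113.7 amount=0.07 avs=N status=declined",
    "2024-03-03T02:10:04 ip=203.0.113.7 amount=0.07 avs=N status=declined",
    "2024-03-03T02:10:09 ip=203.0.113.7 amount=1.03 avs=N status=approved",
    "2024-03-03T02:10:13 ip=203.0.113.7 amount=0.07 avs=N status=declined",
    "2024-03-03T02:10:20 ip=203.0.113.7 amount=0.07 avs=N status=declined",
]

MIN_AMOUNT = 5.00                    # assumed gateway minimum donation threshold
BURST_WINDOW = timedelta(minutes=5)  # attempts per IP are counted in this window
BURST_COUNT = 5                      # this many attempts in the window is a burst

def parse(line):
    ts, *fields = line.split()  # "timestamp key=value ..." -> dict
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["amount"] = float(rec["amount"])
    return rec

def flag_card_testing(lines):
    """Return {ip: [reasons]} for source IPs whose activity looks like card testing."""
    by_ip = defaultdict(list)
    for rec in map(parse, lines):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if any(r["amount"] < MIN_AMOUNT for r in recs):
            reasons.append("below-minimum amount")
        # Sliding window: any BURST_COUNT consecutive attempts inside BURST_WINDOW.
        for i in range(len(recs) - BURST_COUNT + 1):
            if recs[i + BURST_COUNT - 1]["ts"] - recs[i]["ts"] <= BURST_WINDOW:
                reasons.append("burst of attempts")
                break
        if any(r["status"] == "approved" and r["avs"] != "Y" for r in recs):
            reasons.append("approved despite AVS mismatch")
        if reasons: findings[ip] = reasons
    return findings

def refund_candidates(lines):
    """Approved transactions from flagged IPs: refund these before they become chargebacks."""
    flagged = flag_card_testing(lines)
    return [(r["ip"], r["amount"]) for r in map(parse, lines)
            if r["ip"] in flagged and r["status"] == "approved"]
```

Run against a real export, the flagged IPs are what you would hand to your web developer and gateway vendor, and the refund list is what you would reverse immediately.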
I hope you never need to use these controls, after the fact. Heed this advice to tighten controls now, align with best-in-class service vendors who have your ongoing security top of mind, and ask them to help you become better protected. Nothing is foolproof but you need a procedure in place to be able to react quickly if this does indeed happen to your nonprofit.
For 15 years, Marc W. Halpert has made a point of providing nonprofits the customized design and service for secure online donations, gala ticketing, membership dues payments, event registration and specialized payment technologies that make sense for YOUR organization’s particular needs, with expert attention to detail. For more information or to contact Marc, click here.