The security of credit card payments has changed significantly over the last few years, thanks to the introduction and widespread implementation of chip-based credit cards and their respective card readers starting in 2011. This is because credit cards with chips embedded in them are dynamic and change data with every time they are used, while their predecessors with the traditional magnetic strip are significantly easier to copy in their static state.
While it is true that these special, encrypted cards have led to a 70 percent drop in counterfeit fraud in the United States (according to Visa), this increase in safety is mostly seen only in those in-store payments. Unfortunately, these cards do nothing to protect against online fraud.
Online donations and fraud
With an increased number of consumers making financial transactions online combined with numerous security breaches in recent years online fraud is more prevalent than ever.
This is important to note if your nonprofit encourages donors to make their gift online. For example, a credit card hacker may use stolen credit card information to contribute a gift on your donation or e-commerce page for various malicious reasons. They may also be card testing, which is often automated via a bot that spams your donation page with donations every few seconds, looking for a credit card hit. Sometimes, these numbers are not even from stolen cards; just random number combinations and sequences.
In the case of card testing, attackers are looking for information pending the acceptance of the card payment. If the credit card payment is accepted, in other words, the attacker knows the card number is valid and they then can sell it to other malignant individuals or groups or use it in other fraud schemes.
Another common fraud scenario that can plague nonprofits is refund fraud, when an attacker makes a large online donation using a stolen card, then calls the nonprofit claiming that the donation was made in error (aka, “I accidentally donated $2,000 when I meant to give $200), then demands a refund paid to a different account or card.
“Why am I at greater risk than other organizations for this type of fraud?”
It’s really quite simple: many nonprofits are unaware of these types of issues and may not be monitoring their credit card processing closely enough (if at all). This is especially true for nonprofits with smaller, more limited staff and funding. Furthermore, cardholders rarely question a donation on their bank statement so oftentimes it is reported long after the fact, if ever. Additionally, many nonprofit directors don’t feel the need for fraud safeguards because they usually aren’t selling physical goods.
Fraudulent activity can cause a lot of problems for your nonprofit—costing you the time and money you don’t have, with the manpower that has plenty of other tasks they want to be doing to help your team stay afloat. But there are ways you can prevent it and protect all your hard work.
1. Configure rules in your payment gateway to detect and prevent fraud
Be sure to use payment systems that allow you to monitor and decline suspicious transactions. For example, 4aGoodCause clients can (and do) use the Advanced Fraud Detection Suite from Authorize.net for this exact purpose.
Ask for the card’s security code (aka the CVV), which is the three or four-digit number on the front or back of major credit cards. This helps to show that the cardholder is actually physically possessing the card at that moment.
Use an address verification system (aka AVS), which will verify that the person who is using the card knows the address on file for the card. One important thing to note: while this is a good safeguard, it is not sufficient by itself. In other words, legitimate donors can make mistakes, and AVS doesn’t work well for addresses outside of the United States. Make sure that your donation page has error messaging specific to AVS issues to help mitigate this issue.
Limit the number of transactions that can come from any one computer in a certain time period (say, an hour). This “rate throttling” can help prevent card testing, as bots will submit multiple donations from the same computer quickly in succession.
Set a minimum donation amount. Many automated bots try to submit just $1 donations. Even setting the minimum at $2 per donation can help offset this.
Hold transactions for review. Stop giving card testers what they want by holding transactions for review. If you limit the number of transactions per hour from the same computer, make a rule to hold any transactions that exceed that number. Display an on-screen message to the user/thief that the transaction will be “held for review.” This prevents the card testers from knowing if the card they are trying to use is accepted or declined, valid or invalid. This will normally encourage them to give up.
2. Vigilantly monitor your account
If you are able (if you aren’t, prioritize this in future planning), monitor your credit card processing as closely as possible. Set up email alerts to alert your organization of all suspicious transactions taking place. Appoint yourself or a specific member of your staff to take responsibility for these alerts and what action you should take if they occur. A word of caution: make sure to respect the balance between vigilance and paranoia, as you do not want to frustrate your legitimate, innocent donors.
3. Deploy reCaptcha
If your nonprofit has been targeted by heavy automated card testing that doesn’t stop after a handful of attempts, deploy reCaptcha as another safety measure. This forces users to prove their legitimacy and humanity, thereby stopping automated, robotic submissions. 4aGoodCause clients have the opportunity to turn this tool on and off as they see fit for their donation pages.
Credit card fraud is serious, confusing and can be detrimental to organizations and nonprofits everywhere. Thankfully, the good guys learn more and more every day about this kind of activity, and that’s where 4aGoodCause comes in. Get in touch with us if your nonprofit is experiencing issues with fraudulent activity – we are here to help.
Keep reading
Once a week or so we send an email with our latest article on online fundraising, nonprofit marketing and more. We never bug you; we just send you our latest piece of content. Subscribe now >