How Nonprofits Can Avoid Online Credit Card Fraud

By Steve MacLaughlin on Jan 20, 2011


Nonprofit organizations are a big target for online credit card fraud. But there are some things that organizations can do to protect themselves and donors. Here are a couple of things to note about online credit card fraud:

There are primarily two types of online credit card fraud: computer-based and human-based social engineering.

Computer-based social engineering covers things like phishing schemes, pharming, and automated programs that attempt to run transactions. These can be thwarted by IP address blocking, enabling the Address Verification System (AVS), possibly using reCAPTCHA, and following some best practices for online giving. There are certainly pros and cons to each of these, but they work.

Human-based social engineering is just what it sounds like – people at a computer entering stolen credit card information to process a transaction. Just about everyone in law enforcement will tell you that this is the hardest type of online credit card fraud to prevent.

There is no way to completely prevent all types of online fraud, but nonprofits can protect themselves and donors. Here are steps organizations can take:

1. Don’t use a blank gift amount on your donation forms.
Most fraud starts with $1 gifts so that the criminals can test the numbers. Setting a minimum gift amount or using that in combination with a specific ask string will help. I’ve seen this simple change dramatically reduce fraud.

Nonprofits can set a minimum donation level provided they do not treat credit cards differently from the other forms of payment offered. For example, if your donation form includes the ability to accept eChecks, the minimum would need to apply to both credit card and eCheck.

The debate over ask strings vs. open amounts vs. a combination often comes up in these discussions. There is some research on the subject, but it is always a good idea to test and optimize. One size never fits all. The only best practice is to test.

2. Make the 3-digit Card Security Code (CSC) required.
The CSC is pretty standard these days, but I’m amazed to sometimes see it not used. Look for 3-D Secure and newer security measures to become more widely used. If you want to know what’s on the horizon for increased security methods, then look to Europe. Many of their innovations eventually make their way to the United States and Canada.

3. Enable Address Verification System (AVS) on the card processing.
This may cause problems with donors in non-US countries. It’s recommended that you create a separate donation form for overseas donors. This can reduce certain types of credit card fraud.

4. Enable reCAPTCHA on the donation forms.
Using reCAPTCHA helps with computer-based fraud. It’s just a speed bump for human-based fraud. Nonprofits with high volume, or that are common targets, will often use it. I recommend testing this before applying it across the board.

5. Use IP throttling, blocking, or other more technical measures.
Some processors will offer you different options, and you should ask about what’s available. It’s also a good practice to periodically review your security measures and the rate of fraudulent or attempted fraudulent transactions.
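The following is an added example of what steps 1, 2, 3 and 5 look like as server-side logic behind a donation form; it is not code from this post or from Blackbaud. It assumes a $5.00 minimum gift, a processor that reports AVS as a single letter ("Y" match, "N" no match, "U" unavailable), a simple per-IP sliding-window throttle, and a constructed transaction log format used to spot the $1 "card testing" bursts described in step 1. All thresholds and the log lines are assumptions.

```python
"""Server-side checks for an online donation form: minimum gift amount,
required Card Security Code (CSC), AVS result handling, per-IP throttling,
and a small-amount "card testing" detector run over a transaction log.
Added example; not npENGAGE's or Blackbaud's code. Threshold values, AVS
codes and the log format are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

MIN_GIFT = Decimal("5.00")          # assumed minimum; must apply to every payment type offered
CSC_RE = re.compile(r"\d{3,4}")     # 3 digits on most cards, 4 on American Express


@dataclass
class Donation:
    ip: str
    amount: Decimal
    csc: str
    country: str
    avs_result: str   # processor's AVS code; assumed "Y" = match, "N" = no match, "U" = unavailable


def validate_donation(d, min_gift=MIN_GIFT):
    """Return the list of reasons to reject the gift; an empty list means accept."""
    reasons = []
    if d.amount < min_gift:
        reasons.append("amount below minimum")
    if not CSC_RE.fullmatch(d.csc or ""):
        reasons.append("CSC missing or malformed")
    # AVS is enforced only for US addresses; overseas donors use a separate form (step 3)
    if d.country == "US" and d.avs_result == "N":
        reasons.append("AVS address mismatch")
    return reasons


class IpThrottle:
    """Allow at most `limit` attempts per source IP inside a sliding window of `window` seconds."""

    def __init__(self, limit=3, window=600):
        self.limit, self.window = limit, window
        self._seen = defaultdict(deque)

    def allow(self, ip, ts):
        q = self._seen[ip]
        while q and ts - q[0] > self.window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


# Constructed transaction log (not real data); RFC 5737 documentation addresses
SAMPLE_LOG = """\
2011-01-20T10:00:01 ip=203.0.113.7 amount=1.00 result=declined
2011-01-20T10:00:09 ip=203.0.113.7 amount=1.00 result=declined
2011-01-20T10:00:15 ip=203.0.113.7 amount=1.00 result=approved
2011-01-20T10:00:22 ip=203.0.113.7 amount=1.00 result=declined
2011-01-20T10:01:40 ip=198.51.100.2 amount=50.00 result=approved
2011-01-20T10:03:05 ip=198.51.100.9 amount=1.00 result=approved
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) amount=(\S+) result=(\S+)$")


def find_card_testers(log, small=Decimal("2.00"), threshold=3, window=300):
    """Return IPs that made at least `threshold` small-amount attempts within `window` seconds."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        ip, amount = m.group(2), Decimal(m.group(3))
        if amount <= small:
            attempts[ip].append(ts)
    flagged = set()
    for ip, times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(validate_donation(Donation("203.0.113.7", Decimal("1.00"), "", "US", "N")))
    print(find_card_testers(SAMPLE_LOG))
```

The validator returns every failed check rather than stopping at the first one, so the review in step 5 can count which controls are actually catching attempts; the detector is the kind of periodic query worth running against your processor's transaction export.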

And certainly make sure that you are PCI compliant and using PA-DSS compliant software for processing credit cards. These steps can help you manage and mitigate risk.


Steve MacLaughlin is the Vice President of Data & Analytics at Blackbaud and bestselling author of Data Driven Nonprofits.

MacLaughlin has been featured as a fundraising and nonprofit expert in many mainstream publications, including The New York Times, The Washington Post, The Los Angeles Times, The Boston Globe, The Chronicle of Philanthropy, USA Today, The NonProfit Times, Stanford Social Innovation Review, Bloomberg, and has appeared on NPR.

He is a frequent speaker at events including the Association of Fundraising Professionals (AFP), Association for Healthcare Philanthropy (AHP), American Marketing Association (AMA), Council for Advancement and Support of Education (CASE), Direct Marketing Fundraisers Association (DMFA), Giving Institute Summer Symposium, National Association of Independent School (NAIS), Nonprofit Technology Conference (NTC), Institute of Fundraising National Convention (United Kingdom), Civil Society Conference (Netherlands), International Fundraising Congress (Netherlands), Ask Direct Fundraising Summer School (Ireland), and a keynote speaker at several conferences across the social good sector.

Steve previously served on the Nonprofit Technology Network (NTEN) Board of Directors and is currently an adjunct faculty member at Columbia University.

He is a frequent blogger, published author of a chapter in the book People to People Fundraising: Social Networking and Web 2.0 for Charities, and is a co-editor of the book Internet Management for Nonprofits: Strategies, Tools & Trade Secrets. His latest book, Data Driven Nonprofits, became a bestseller in 2016.

Steve earned both his undergraduate degree and a Master of Science degree in Interactive Media from Indiana University.

Comments (2)

  • Thanks for sharing your insights. I cannot really imagine why people are doing these things. Hopefully, it will be stopped as soon as possible.

  • Thank you for sharing your tips on how to avoid getting victimized by fraud. Whether the transaction is online or offline, we should be vigilant in checking the legitimacy and security features of the company that we wish to conduct business with. In this way, we are certain that our private information can be safeguarded at all times.
