Nonprofit organizations are a big target for online credit card fraud, but there are some things organizations can do to protect themselves and their donors. Here are a couple of things to note about online credit card fraud:
There are primarily two types of online credit card fraud: computer-based and human-based social engineering.
Computer-based social engineering covers things like phishing schemes, pharming, and automated programs that attempt to run transactions (for example, scripts that push stolen card numbers through a donation form to see which ones are still live). These can be thwarted by IP address blocking, enabling the Address Verification System (AVS), possibly using reCAPTCHA, and following some best practices about online giving. There are certainly pros and cons to each of these, but they work.
Human-based social engineering is just what it sounds like: a person at a computer entering stolen credit card information to process a transaction. Just about everyone in law enforcement will tell you that this is the hardest type of online credit card fraud to prevent.
There is no way to completely prevent all types of online fraud, but nonprofits can protect themselves and donors. Here are steps organizations can take:
1. Don’t use a blank gift amount on your donation forms.
Most fraud starts with $1 gifts so that the criminals can test whether stolen numbers are still live. Setting a minimum gift amount, or using one in combination with a specific ask string, will help. I’ve seen this simple change dramatically reduce fraud.
Nonprofits can set a minimum donation level provided they do not treat credit cards differently from the other forms of payment they accept. For example, if your donation form also accepts eChecks, the minimum would need to apply to both credit cards and eChecks.
The debate over ask strings vs. open amounts vs. a combination often comes up in these discussions. There is some research on the subject, but it is always a good idea to test and optimize. One size never fits all; the only real best practice is to test.
2. Make the Card Security Code (CSC) required: three digits on most cards, four on American Express.
The CSC is pretty standard these days, but I’m amazed to sometimes see it not used. Require it on the form and pass it to the processor with the authorization, but never store it afterwards; PCI DSS forbids retaining the code once the transaction has been authorized. Look for 3-D Secure and newer security measures to become more widely used. If you want to know what’s on the horizon for increased security methods, look to Europe. Many of their innovations eventually make their way to the United States and Canada.
3. Enable Address Verification System (AVS) on the card processing.
AVS compares the billing street number and postal code the donor enters against what the card issuer has on file and returns a match code; your form or processor then decides which codes to accept and which to decline. It works best for US-issued cards and may cause problems with donors in non-US countries, so it’s recommended that you create a separate donation form for overseas donors. This can reduce certain types of credit card fraud.
4. Enable reCAPTCHA on the donation forms.
Using reCAPTCHA helps with computer-based fraud; it’s just a speed bump for human-based fraud. Make sure the reCAPTCHA response is verified on the server, because a check done only in the browser can simply be skipped by a script. Nonprofits with high volume, or that are common targets, will often use it. I recommend testing this before applying it across the board.
5. Use IP throttling, blocking, or other more technical measures.
Card testing shows up as many small attempts from one source in a short window, so limiting the number of attempts per IP address over a few minutes catches it early. Some processors offer different options for this, and you should ask what’s available. It’s also a very good practice to review your security measures and your rate of fraudulent or attempted fraudulent transactions periodically.
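To make steps 1 through 5 concrete, here is an added example of the server-side checks a donation-form handler could run before handing a card to the processor. It is not code from the original post or from any processor; the minimum gift, throttle limits, card-testing thresholds, the AVS accept/decline policy, the Attempt record layout and the sample traffic are all assumptions made for the example, and the sample attempts are constructed, not real transactions.

```python
"""Server-side donation-form checks: minimum amount, CSC, AVS policy, per-IP throttling,
and a card-testing detector run over constructed attempt records (example, not a processor API)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from decimal import Decimal
from typing import Deque, Dict, List, Optional, Set

MIN_GIFT = Decimal("5.00")          # assumed minimum gift; choose one that fits your ask string
THROTTLE_LIMIT = 5                  # assumed: attempts allowed per IP inside the window
THROTTLE_WINDOW = 600.0             # assumed: window length in seconds (10 minutes)
CARD_TEST_AMOUNT = Decimal("2.00")  # assumed: gifts at or below this look like card tests
CARD_TEST_HITS = 3                  # assumed: this many small gifts from one IP in a window

# Policy for the common AVS response codes (assumed policy; tune it with your processor):
#   Y = street and ZIP match, A = street only, Z = ZIP only, N = neither, U = unavailable
AVS_ACCEPT = {"Y", "A", "Z", "U"}   # partial matches are common for PO boxes and apartments
AVS_DECLINE = {"N"}


@dataclass
class Attempt:
    ts: float                    # seconds since epoch
    ip: str
    amount: Decimal
    brand: str                   # "visa", "mastercard", "amex", "discover", ...
    csc: str                     # card security code exactly as typed
    avs_code: Optional[str]      # None when the form collects no address (overseas form)


def csc_ok(brand: str, csc: str) -> bool:
    """American Express uses a 4-digit code on the front; other brands use 3 on the back."""
    want = 4 if brand.lower() in ("amex", "american express") else 3
    return csc.isdigit() and len(csc) == want


def validate(a: Attempt, international: bool = False) -> List[str]:
    """Return the reasons to refuse this attempt before it reaches the processor ([] = ok)."""
    reasons = []
    if a.amount < MIN_GIFT:
        reasons.append("amount below minimum")
    if not csc_ok(a.brand, a.csc):
        reasons.append("csc missing or wrong length")
    if not international:                       # the separate overseas form skips AVS
        if a.avs_code in AVS_DECLINE:
            reasons.append("avs no match")
        elif a.avs_code not in AVS_ACCEPT:      # includes None: address required but absent
            reasons.append("avs result missing or unknown")
    return reasons


class IpThrottle:
    """Sliding-window limiter: at most THROTTLE_LIMIT attempts per IP per THROTTLE_WINDOW."""

    def __init__(self) -> None:
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, ts: float) -> bool:
        q = self.hits[ip]
        while q and ts - q[0] >= THROTTLE_WINDOW:  # drop attempts that aged out of the window
            q.popleft()
        if len(q) >= THROTTLE_LIMIT:
            return False
        q.append(ts)
        return True


def find_card_testing(attempts: List[Attempt]) -> Set[str]:
    """IPs that made CARD_TEST_HITS or more small gifts within one THROTTLE_WINDOW."""
    small: Dict[str, List[float]] = defaultdict(list)
    for a in attempts:
        if a.amount <= CARD_TEST_AMOUNT:
            small[a.ip].append(a.ts)
    flagged = set()
    for ip, times in small.items():
        times.sort()
        for i in range(len(times) - CARD_TEST_HITS + 1):
            if times[i + CARD_TEST_HITS - 1] - times[i] <= THROTTLE_WINDOW:
                flagged.add(ip)
                break
    return flagged


# Constructed sample traffic (not real data): one legitimate donor, one card-testing run.
SAMPLE = [
    Attempt(1000.0, "198.51.100.4", Decimal("50.00"), "visa", "123", "Y"),
    Attempt(1010.0, "203.0.113.7", Decimal("1.00"), "visa", "111", "N"),
    Attempt(1025.0, "203.0.113.7", Decimal("1.00"), "mastercard", "222", "Z"),
    Attempt(1041.0, "203.0.113.7", Decimal("1.00"), "visa", "333", "N"),
    Attempt(1060.0, "203.0.113.7", Decimal("1.00"), "amex", "4444", "N"),
]

if __name__ == "__main__":
    throttle = IpThrottle()
    for a in SAMPLE:
        verdict = "throttled" if not throttle.allow(a.ip, a.ts) else (validate(a) or ["ok"])
        print(a.ip, a.amount, verdict)
    print("card testing from:", sorted(find_card_testing(SAMPLE)))
```

The checks run in the order a form handler would apply them: throttle first, so a script hammering the form never reaches the processor at all; then the cheap local rules (minimum amount, CSC shape); and only then the AVS code, which comes back from the processor after the authorization attempt. The card-testing detector is the periodic review from step 5 turned into a query you can run over your attempt log.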
And certainly make sure that you are PCI DSS compliant and are using PA-DSS validated software for processing credit cards. These steps can help you manage and mitigate risk.