Digital contributions make up a growing proportion of the total donations nonprofit organizations collect. According to research published in 2017 by the Stanford Social Innovation Review, the amount of individual donor revenue raised from online giving grew from 17 to 24 percent in just two years.
With about one in four donations coming from online sources, nonprofits need to ensure that they are protecting donors’ information and data and combating fraudulent donations.
As Sean Chisholm, vice president of Classy, a crowdfunding platform designed specifically for nonprofits, writes in a company blog post, malicious actors who use stolen credit card information target nonprofits for several reasons. First and foremost, nonprofits tend to have simple and static donation forms and checkout pages that are not sophisticated compared to e-commerce websites.
There’s no dynamic shopping cart functionality to contend with, which means that it’s a lot easier for credit card rings to write automated scripts that can churn hundreds or thousands of stolen cards through a page every day. Plus, visitors can input any donation amount that they want on a nonprofit checkout form. This lets fraudsters easily test transaction limits on stolen cards. In short, the very features that make nonprofit donation pages easy to use for legitimate donors also make them attractive targets for credit card rings.
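The card-testing pattern described above (many distinct cards, small amounts, one source, short window) is something a donation page's logs can reveal. The following is an added example, not code from the article or from Classy: it scans a constructed donation-attempt log and flags sources that fit that pattern. The log format, field names and thresholds are assumptions for illustration.

```python
# Added example (not from the article): flag the card-testing pattern in a
# constructed donation-attempt log. Log format, thresholds and the sample
# data are assumptions; a real gateway would supply a card fingerprint
# rather than just the last four digits.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, last four of card, amount, result
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 4242 1.00 declined
2024-03-01T10:00:03Z 203.0.113.5 1881 1.00 declined
2024-03-01T10:00:05Z 203.0.113.5 0005 2.00 approved
2024-03-01T10:00:07Z 203.0.113.5 9424 1.00 declined
2024-03-01T10:00:09Z 203.0.113.5 5100 1.00 declined
2024-03-01T10:00:11Z 203.0.113.5 3714 1.00 declined
2024-03-01T10:15:00Z 198.51.100.7 1111 50.00 approved
2024-03-01T11:02:00Z 198.51.100.7 1111 25.00 approved
"""

def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, last4, amount, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "last4": last4,
            "amount": float(amount), "result": result,
        })
    return events

def flag_card_testing(events, window=timedelta(minutes=5),
                      min_distinct_cards=5, max_amount=5.00):
    """Return {ip: stats} for sources that tried at least min_distinct_cards
    different cards with small amounts inside any sliding time window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["amount"] <= max_amount:          # card testers probe with tiny amounts
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                     # slide the window forward
            span = evs[start:end + 1]
            cards = {e["last4"] for e in span}
            if len(cards) >= min_distinct_cards and \
                    len(cards) > flagged.get(ip, {}).get("distinct_cards", 0):
                declines = sum(1 for e in span if e["result"] == "declined")
                flagged[ip] = {"distinct_cards": len(cards), "declines": declines}
    return flagged
```

A hit from this kind of check is a reason to throttle or challenge that source before more cards are churned through the form, not proof of fraud on its own.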
Fraudulent donations force nonprofits to offer donors refunds, pay fees to financial institutions, lose staff time dealing with the issue and, perhaps most significantly, suffer a loss of reputation. Given that dynamic, nonprofits need to take steps not only to defend against fraudulent donations but also to protect donor information from being harvested by hackers.
Fortunately, there are several best practices and technologies nonprofit IT leaders can use to guard against these threats.
Nonprofits Can Use Policies and Tech to Battle Fraudulent Donations
The first step any nonprofit should take is to conduct a risk assessment. Simply because an organization has never experienced a breach does not mean that it will not.
As Paul Arnpriester, a national nonprofit business development manager with CDW, notes in a blog post, “a professional risk assessment can help IT and other organizational leaders better understand the ways in which their nonprofit is vulnerable, leading to insights that will inform security improvements, user training and incident response plans.”
Once a nonprofit knows its vulnerabilities, it can take steps to plug any gaps in its cybersecurity defenses. Many nonprofits do not have large IT teams or dedicated IT security staff, and so turn to outside help on these fronts.
There are several security vendors that can offer strong data protection technologies, including Forcepoint, McAfee, Palo Alto Networks and Trend Micro, among others. Some vendors cater specifically to nonprofits. MobileCause notes that it is a certified Payment Card Industry Data Security Standard Level 1 security provider, and adheres “to the highest industry standards for data protection.”
Nonprofits should ensure that their data protection solution provider is PCI DSS-compliant, and can offer multifactor authentication, donor fraud protections, credit card and bank account security, and IP security — especially from international threats.
Another key tool nonprofits should turn to is encryption. Chris Teitzel, CEO of encryption key management firm Lockr, notes that nonprofits should “encrypt communications to and from your website” with certificates purchased from a trusted certificate authority. Writing on the blog of GiveWP, a leading WordPress donation plug-in, he says that nonprofits should look to use Transport Layer Security technology.
Best Practices to Keep Nonprofit Donor Data Secure
In terms of protecting donor data, nonprofit fundraising platform Snowball Fundraising offers several best practices to follow.
Nonprofits should “clearly define what information can be released and under what circumstances,” the firm notes in a blog post, and “any third party that requests access to personal information should be presented with and held accountable to the same policy.”
Nonprofits should also limit which staff members can access donor data, since not everyone needs to. They should practice the principle of least privilege and have clear policies and technologies in place to ensure that only those who need access to donor data can get it.
“Additionally, anyone that does need access to your donor database should have a separate set of credentials,” the Snowball blog notes. “When each employee is using a different account, you can not only dictate the types of permissions each user has but also detect unauthorized activity easier.”
Donors’ sensitive data, including their credit card information, should also be encrypted or tokenized. “Typically, tokens replace credit card or account numbers with a series of numbers that are randomly generated using proprietary algorithms,” the Snowball blog adds. “Tokens only keep a small portion of the sensitive information (usually the last four digits) as a means of accurately matching the card owner to the token.”
Tokenization makes it more difficult for attackers to gain access to donor data. It also means nonprofits hold smaller volumes of sensitive information, which simplifies the PCI requirements they must meet, the blog adds. Tokens can be used repeatedly, and even if a hacker obtains them, they do not yield donor data.
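To make the tokenization described above concrete, here is an added example, not code from the article or from Snowball: a minimal token vault that replaces a card number with a random token, keeps only the last four digits for matching, and confines the full number to one tightly controlled lookup. The class, its method names and the validation rules are assumptions for illustration.

```python
# Added example (not from the article): a minimal token vault in the style the
# Snowball quote describes. Class layout and method names are assumptions.
import hmac
import secrets

class TokenVault:
    """Maps card numbers to random tokens. The mapping is the only place the
    full number lives, so it belongs outside the donor database and behind
    strict access control (this in-memory dict is a stand-in for that)."""

    def __init__(self):
        self._vault = {}   # token -> full card number

    @staticmethod
    def _luhn_ok(pan):
        """Luhn checksum, used only to reject obviously malformed input."""
        checksum = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch)
            if i % 2 == 1:            # double every second digit from the right
                d *= 2
                if d > 9:
                    d -= 9
            checksum += d
        return checksum % 10 == 0

    def tokenize(self, pan):
        """Return (token, last4). The token is random, not derived from the
        card number, so holding it reveals nothing about the card."""
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and self._luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        token = secrets.token_hex(16)
        self._vault[token] = pan
        return token, pan[-4:]

    def matches(self, token, last4):
        """Confirm a donor-supplied last four against the vaulted card without
        exposing the number; constant-time compare avoids timing leaks."""
        pan = self._vault.get(token)
        return pan is not None and hmac.compare_digest(pan[-4:], last4)

    def detokenize(self, token):
        """Only the payment step, never the donor database, should call this."""
        return self._vault[token]
```

In a real deployment the vault is the payment processor's, which is what lets the nonprofit keep PCI scope small: its own systems store the token and the last four, nothing more.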