ePhilanthropy eZine
The global leader in providing training to charities for the ethical and efficient use of the Internet for philanthropic purposes through education and advocacy -- http://ephilanthropy.org

Tuesday, December 7, 2004 eZine 5 Issue 6: Helpful Quick Tip Guides Launched, 2004 Guidestar Survey, Credit Card Security, Become an eAdvocate, New ListServe Launched
Credit Card Security
How to Maintain a Secure Web Arena for Online Donation Processing
by David Crooke, Convio

Online marketing techniques have revolutionized the world of nonprofit organizations. As more people move online and integrate the Internet into their lives, fundraisers and nonprofits alike need to recognize the advantages of using Internet technology to streamline donation processing.

Online donation processing is an excellent way to reduce costs and manual tasks associated with direct fundraising. However, using the Internet for donation processing requires stringent security processes. Here are a few key issues to consider:

SSL Does Not Necessarily Make It Secure
Many people talk about their “secure” Web sites when they actually mean that the communication between the Web browser (such as Microsoft Internet Explorer® or Netscape®) and the Web server is encrypted using the Secure Sockets Layer (SSL), a standard set of Internet communication rules for managing the security of message transmissions over the Internet. While using SSL is essential, it is one minor element of an overall security architecture.

People who hack, or break into, Web servers typically do not do it by tapping into connections from browsers. Instead, they do it by attacking other weak points, including the human element. In fact, about 80 percent* of successful online “break-ins” involve simply stealing passwords to gain access. Therefore, any organization should carefully consider end-to-end security processes before offering online donation processing on its Web site. 

Storing Credit Card Numbers
Another key concern is securing credit card numbers once the Web site has accepted them. Smaller e-commerce software providers are often lax about this aspect of security, so organizations should be careful to understand a provider’s security policies before using the company’s services for online transactions.

In addition, many organizations encrypt their Web databases, mistakenly believing that this protects the data. However, a hacker who breaks into a server gets not only the encrypted data, but also the decryption keys and software, enabling the hacker to obtain the card numbers. There is also the risk of a security breach if credit card data is available to staff members.

The only truly safe solution is both simple and bulletproof: Do not store credit card numbers at all. Watch for companies with donation processing capabilities that authorize credit cards in real time, and then immediately discard the card number. Follow-up transactions, including refunds or monthly donations, are processed using one-time reference codes that are tied to the nonprofit's account and useless to a fraudster. Card numbers are stored only by the payment gateway (the system that manages transactions and connects the Internet to banking networks), whose systems are highly secure.
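The authorize-then-discard flow described above, as an added example that is not from the article or from any vendor's product. `FakeGateway`, `process_donation`, the merchant IDs and the card data are all hypothetical and constructed for illustration.

```python
import secrets

class FakeGateway:
    """Hypothetical in-memory stand-in for a payment gateway.
    It is the only component that ever holds a card number."""

    def __init__(self):
        self._vault = {}  # reference code -> (merchant account, card number)

    def authorize(self, merchant_id, card_number, cvv2, amount_cents):
        # A real gateway asks the card network; this sketch approves everything.
        reference = secrets.token_urlsafe(16)
        self._vault[reference] = (merchant_id, card_number)
        return reference

    def refund(self, merchant_id, reference, amount_cents):
        # The reference is honoured only for the account that created it.
        owner, _card = self._vault.get(reference, (None, None))
        return owner is not None and owner == merchant_id


def process_donation(gateway, merchant_id, form, donations):
    """Authorize in real time, then keep only the gateway's reference code."""
    card_number = form.pop("card_number")  # removed from the request data
    cvv2 = form.pop("cvv2")
    reference = gateway.authorize(merchant_id, card_number, cvv2, form["amount_cents"])
    record = {"donor": form["donor"], "amount_cents": form["amount_cents"],
              "gateway_ref": reference}
    donations.append(record)  # this is all the nonprofit's database stores
    return record


if __name__ == "__main__":
    gateway, donations = FakeGateway(), []
    form = {"donor": "A. Donor", "amount_cents": 2500,
            "card_number": "4111111111111111", "cvv2": "123"}  # constructed test data
    rec = process_donation(gateway, "nonprofit-001", form, donations)
    print(donations)
    print(gateway.refund("nonprofit-001", rec["gateway_ref"], 2500))
    print(gateway.refund("someone-else", rec["gateway_ref"], 2500))
```

A copy of the `donations` list taken from the nonprofit's server contains no card number, and the reference code is refused for any account other than the one that created it.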

Fraud is Not the Issue; It’s Carding
A practice known as “carding” is a major concern for nonprofits. Fraudsters use a low-dollar online donation to test the validity of guessed or stolen card numbers. Although carding does not defraud the nonprofit, the organization is burdened by the administrative work required to issue a refund to the real credit card holder. Until recently, the only solution was for an organization to use software that monitored the Web site for failed transactions. Today, however, use of additional CVV2 security codes (the three- or four-digit additional numbers on credit cards) is a promising alternative. Unlike the old Address Verification System (AVS), CVV2 was designed for automated fraud protection, and is gaining ground in the United States.
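One way to monitor for failed transactions as described above, as an added example that is not from the article. The log format, the sample records, and the thresholds (three declines of 500 cents or less from one source within ten minutes) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, source IP, amount in cents, gateway result)
SAMPLE_LOG = [
    ("2004-12-07 09:00:00", "198.51.100.7", 100, "declined"),
    ("2004-12-07 09:30:00", "198.51.100.7", 100, "declined"),
    ("2004-12-07 10:00:05", "192.0.2.10", 100, "declined"),
    ("2004-12-07 10:00:40", "192.0.2.10", 100, "declined"),
    ("2004-12-07 10:01:10", "192.0.2.10", 100, "declined"),
    ("2004-12-07 10:01:30", "192.0.2.10", 100, "approved"),
    ("2004-12-07 10:02:00", "203.0.113.5", 5000, "declined"),
    ("2004-12-07 10:05:00", "198.51.100.7", 100, "declined"),
]

def find_carding_sources(log, max_amount_cents=500, threshold=3,
                         window=timedelta(minutes=10)):
    """Return {source IP: time of first alert} for sources with `threshold`
    or more low-dollar declines inside one sliding `window`."""
    recent = defaultdict(deque)   # source IP -> times of recent low-dollar declines
    flagged = {}
    for ts_text, ip, amount, result in sorted(log):  # fixed-width timestamps sort by time
        if result != "declined" or amount > max_amount_cents:
            continue              # only failed, low-dollar attempts look like card testing
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        declines = recent[ip]
        declines.append(ts)
        while ts - declines[0] > window:
            declines.popleft()    # forget declines older than the window
        if len(declines) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_carding_sources(SAMPLE_LOG).items():
        print(f"possible carding from {ip}, alert raised at {when}")
```

Only the source with three quick low-dollar declines is flagged. The donor whose declines are spread over an hour and the single large declined donation are left alone.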

In summation, strict credit card security is critical for any organization offering online donation processing on its Web site. By keeping these key issues in mind when creating a security strategy, organizations can help to ensure safe transactions for their online donors.

* Data from Carnegie-Mellon CERT advisory centre.

 

About the author:

David Crooke
Founder, Chief Technology Officer
Convio, Inc.

David Crooke founded and acts as the chief technology officer for Convio, Inc., the leading provider of software and services to help nonprofit and individual-supported organizations use the Internet to become more effective at fundraising, mobilizing support and managing constituent relationships.

www.convio.com
Published by ePhilanthropy Foundation
Copyright © 2004 ePhilanthropyFoundation.Org. All rights reserved.
ePhilanthropyFoundation.Org 1101 15th Street, NW, Suite 200 Washington, DC 20005 phone: 877.536.1245 fax: 202.478.0910 email: eZine@ephilanthropy.org
Copyright © 2002, the ePhilanthropyFoundation.Org. All rights reserved. Permission to use, copy, and/or distribute this document in whole or in part for non-commercial purposes without fee is hereby granted provided that this notice and appropriate credit to the Foundation is included in all copies.