According to IdentityForce, an identity theft protection company, 14.4 million consumers became victims of identity fraud in 2019. That’s about 1 in 15 people! That’s why fraud prevention is so important for companies that process payments.
Unfortunately, online donation forms are an appealing target for credit card testers, who will often make multiple small donations to test stolen credit cards (it’s a little fishy when multiple celebrities make $1.00 donations to your organization…).
Chances are, someone’s attempted an unauthorized purchase with your credit card. It happens. However, for fundraisers, you don’t just have to worry about your financial information falling into the wrong hands, you have to watch out for your donors, too! Luckily, Qgiv has a number of security measures in place to prevent online payment fraud and keep transaction information safe.
Qgiv designed its system to automatically recognize potential fraud. If the system suspects fraud, CAPTCHA is automatically enabled on the donation form that credit card testers are attempting to exploit.
What is CAPTCHA?
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart – which sounds very complex and techy, right? However, it’s really a simple concept. In the simplest of terms, CAPTCHA is a test that determines if a human or robot (well, computer program) is using your form.
How auto-enabling CAPTCHA helps
Many card testers use automated programs to rapidly complete and submit forms. Thus, they can test tons of credit cards quickly.
How do you stop their automated programs from completing transactions? With a CAPTCHA test. CAPTCHA tests come in many forms, from choosing which pictures contain street lights to deciphering which random assortment of letters and numbers is in an image.
The test may seem pointless to humans, but a computer program won’t be able to pass it to submit the form. Why? A computer can’t decipher the letters and numbers in an image file. It also can’t determine what items are or aren’t in the assorted images used in the test.
When Qgiv auto-enables CAPTCHA, it disrupts card testers’ automated programs. Now, card testers will have to move on to another form or waste their time manually entering card information to continue testing.
Can Qgiv users proactively add CAPTCHA to their forms?
Yes! You can have CAPTCHA enabled on your donation forms. Our customer experience team turns this setting on for you.
To enable it, send an email to firstname.lastname@example.org or give us a call! Our customer experience team will then enable CAPTCHA on your forms for an added layer of protection from card testers.
Blacklisting IP addresses for fraud prevention
Another tool Qgiv employs for fraud prevention is blacklisting IP addresses card testers use for making fraudulent transactions. When blacklisted, card testers must either switch IP addresses and re-enable their card testing program, or move on to another way to test cards. Their blacklisted addresses won’t be able to access your donation form.
The best part is, this method of preventing fraud will only impact the card tester. You won’t see this security measure on your donation form. Thus, your ability to accept legitimate donations won’t be interrupted.
How blacklisting IP addresses helps
When someone uses a Qgiv donation form for card testing, the system will recognize the frequent attempts to make a donation from that address and will automatically blacklist it and deny them access to the donation form.
The automated card testing program can’t access the form from that address and process transactions once it’s been blacklisted.
When we blacklist the card tester’s address, they’ll either stop testing or will have to change addresses to regain access. Even if a tester changes their IP address, they can only attempt so many transactions before the system recognizes the fraud and blocks that address too.
Blacklisting is an effective method of fraud prevention that makes it frustrating for hackers to continue attempting fraudulent transactions.
Can Qgiv unblock a blocked IP address?
Yes! We understand that human error happens and sometimes a donor will attempt to give multiple times, which might mimic the attempts of a card tester. If a donor’s IP address is on Qgiv’s blacklist, we can quickly whitelist it with approval of an organization administrator so donors can regain access.
We designed the system to reduce the odds of blacklisting an actual donor’s IP address. False positives rarely happen, so most donors won’t experience their access to your form being blocked.
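The kind of logic described above (counting frequent attempts per address, blocking the address, auto-enabling CAPTCHA on the affected form, and releasing a real donor on administrator approval) can be sketched as follows. This is an added example, not Qgiv’s code; the class name, the thresholds, and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; the page does not give Qgiv's values.
WINDOW_SECONDS = 300  # look-back window per IP address
MAX_ATTEMPTS = 5      # attempts allowed per window before the IP is blocked

class CardTestingGuard:
    def __init__(self):
        self.blocked = set()        # IPs denied access to donation forms
        self.allowlist = set()      # IPs released by an administrator
        self.captcha_forms = set()  # forms where CAPTCHA was auto-enabled
        self._attempts = defaultdict(deque)  # ip -> recent attempt times

    def check(self, ts, ip, form_id):
        """Return 'allow', 'captcha' or 'deny' for one donation attempt."""
        if ip in self.blocked:
            return "deny"
        if ip not in self.allowlist:
            window = self._attempts[ip]
            window.append(ts)
            while ts - window[0] > WINDOW_SECONDS:  # drop expired attempts
                window.popleft()
            if len(window) > MAX_ATTEMPTS:
                self.blocked.add(ip)             # deny this address from now on
                self.captcha_forms.add(form_id)  # challenge everyone else on the form
                return "deny"
        return "captcha" if form_id in self.captcha_forms else "allow"

    def unblock(self, ip):
        """Release a real donor's IP after administrator approval."""
        self.blocked.discard(ip)
        self._attempts.pop(ip, None)
        self.allowlist.add(ip)

def replay(events, guard=None):
    """Run (ts, ip, form_id) events through a guard; return the decisions."""
    guard = guard or CardTestingGuard()
    return [guard.check(ts, ip, form) for ts, ip, form in events]

# Constructed sample: one address hammers form "gala", then a donor arrives.
SAMPLE_EVENTS = [(t, "203.0.113.7", "gala") for t in range(0, 60, 10)] + [
    (60, "198.51.100.20", "gala"),    # donor on the affected form
    (70, "203.0.113.7", "gala"),      # blocked address retries
    (80, "198.51.100.20", "spring"),  # same donor, unaffected form
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, decision)
```

The blocked address is denied everywhere, while a legitimate donor on the affected form only meets the CAPTCHA challenge and other forms are untouched.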
100% Compliance with PCI Data Security Standard
Qgiv is a level 1 merchant alongside giants like Amazon, Target, and other companies. Thus, Qgiv is held to the strictest standards of the Payment Card Industry. Major players in the payment card industry created the data security standard to standardize fraud prevention and protect consumers’ credit card information.
How being PCI compliant helps
PCI compliance ensures that Qgiv is doing everything we can to keep credit card information safe from hackers who would use that information to steal a donor’s identity. We adhere to strict security standards to remain in compliance. As a level 1 merchant, Qgiv follows every best practice detailed on the PCI compliance checklist.
Fraud prevention methods nonprofits can implement
Con artists are becoming sneakier and more tech savvy all the time. Therefore, no system is 100% foolproof. That said, with Qgiv’s fraud prevention measures and nonprofits implementing rigorous donor data security standards, we can put up some serious defense against hackers and card testers. Here’s what nonprofits can do to prevent fraud.
Actively monitor transactions for unusual activity
Qgiv designed its fraud prevention methods to prevent false positives. That means card testers may make some unusual transactions before the system blocks their access and auto-enables CAPTCHA on the form. If you see strange donations (usually in small donation amounts with weird addresses or donor names), reach out to us and let us know. This clues us in to potential card testers much earlier, and we can intervene sooner to stop them.
Report and refund fraudulent transactions
If a card tester uses your form for fraudulent transactions, protect your organization by refunding any accepted transactions right away. In some cases, the victim will initiate a chargeback for the unauthorized use of their card. Thus, your nonprofit can incur chargeback fees from your merchant processor. Too many chargebacks can cost your organization hundreds of dollars and may impact your relationship with your merchant processor. Without a merchant processor, you may lose the ability to accept donations online altogether.
Enable CAPTCHA on forms, set minimum donation amounts, and test layouts
Once you’ve reported fraudulent activity, enable CAPTCHA on your donation forms if it hasn’t been auto-enabled already. Enabling CAPTCHA will deter automated card testing programs and should help stop the efforts of card testers.
A strategy that goes along with enabling CAPTCHA is establishing a minimum donation amount. Card testers usually use small donation amounts to avoid the cardholder catching on that their credit card information was stolen. If you set a minimum donation amount that exceeds a card tester’s testing amount, they’ll either move on when the transactions fail or will have to up the donation amount, which could get them caught by the cardholder.
One reason donation forms are so appealing to card testers is that many are a single page with one step, which is a big difference from the multistep process many online stores use. A multistep donation form makes giving seem easier and more bite-sized for your donors, and it can also be a welcome deterrent for card testers looking for a one-step checkout process. Qgiv’s donation forms offer multistep and single-step options so your organization can test what works best for you and your donors.
Implement donor data security policies at your nonprofit
You may be surprised to learn that humans are the weakest line of defense against fraud. For example, writing down a donor’s credit card information to manually input a donation over the phone leaves that cardholder information vulnerable to those who may use it for their own gain. Storing this information either electronically or in a filing cabinet also creates opportunity for data theft.
Implementing security policies at your nonprofit can get every employee on the same page regarding fraud prevention.
For a good place to start, check out this blog post for security measures nonprofits need to implement now to protect donor data from fraud. If you’re guilty of any items on this list, create new policies that won’t leave donor data vulnerable.
Fraud prevention is important for protecting your donor data, reputation, finances, and sanity! Our nonprofit clients can rest assured that Qgiv is always monitoring transactions for signs of fraud.
With security protocols like auto-enabling CAPTCHA and IP blacklisting, we can stop card testers in their tracks quickly. With strict adherence to the PCI data security standard, Qgiv keeps cardholder information safe using best practices outlined by the payment card industry. That’s some serious security!
By combining Qgiv’s fraud prevention tools with security measures at your nonprofit, you can keep donor data secure. That added security means your donors can give with confidence knowing you’re safeguarding their information.
Want to do more to implement data security measures at your nonprofit? Watch this on-demand webinar by Dr. Heather Mark, Sphere’s Director of Compliance and Security. In the webinar, Dr. Mark teaches nonprofits how to protect themselves and their donors with top-notch data security tips.