According to IdentityForce, an identity theft protection company, 14.4 million consumers became victims of identity fraud in 2019. That’s about 1 in 15 people! That’s why fraud prevention is so important for companies that process payments.
Unfortunately, online donation forms are an appealing target for credit card testers, who will often make multiple small donations to test stolen credit cards (it’s a little fishy when multiple celebrities make $1.00 donations to your organization…).
Chances are, someone’s attempted an unauthorized purchase with your credit card. There’s also a chance you’ve fallen victim to a phishing scam before. It happens to everyone. However, as a fundraiser, you don’t just have to worry about your own financial information falling into the wrong hands; you have to watch out for your donors, too! Luckily, Qgiv has a number of security measures in place to prevent online payments fraud and keep your donors’ data safe.
Qgiv designed its system to automatically recognize potential fraud. If the system suspects fraud, CAPTCHA auto-enables on the donation form that credit card testers are attempting to exploit.
What is CAPTCHA?
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart – which sounds very complex and techy, right? However, it’s really a simple concept. In the simplest of terms, CAPTCHA is a test that determines if a human or robot (well, computer program) is using your form.
How auto-enabling CAPTCHA helps
Many card testers use automated programs to rapidly complete and submit forms. Thus, they can test tons of credit cards quickly.
How do you stop their automated programs from completing transactions? With a CAPTCHA test. CAPTCHA tests come in many forms, from choosing which pictures contain street lights to deciphering the random assortment of letters and numbers in an image.
The test may seem pointless to humans, but a computer program won’t be able to pass it to submit the form. Why? A computer can’t decipher the letters and numbers in an image file. It also can’t determine what items are or aren’t in the assorted images used in the test.
When Qgiv auto-enables CAPTCHA, it disrupts card testers’ automated programs. Now, card testers will have to move on to another form or waste their time manually entering card information to continue testing.
Can Qgiv users enable CAPTCHA in advance?
Yes! Security-minded users can have CAPTCHA enabled on their donation forms. Our customer experience team turns this setting on for you.
To enable, send an email to email@example.com or give us a call! Our customer experience team will then be able to enable CAPTCHA on your forms for you for an added layer of protection from card testers.
Blacklisting devices for fraud prevention
Another tool Qgiv employs for fraud prevention is blacklisting devices card testers use for making fraudulent transactions. When blacklisted, card testers must either switch devices and re-enable their card testing program on it, or move on to another way to test cards. Their blacklisted devices won’t be able to access your donation form.
The best part is, this method of preventing fraud will only impact the card tester. You won’t see this security measure on your donation form. Thus, your ability to accept legitimate donations won’t be interrupted.
How blacklisting devices helps
Each device has unique digital fingerprints. We use those clues to single out a specific device among thousands of other visitors to a website. When a hacker uses a Qgiv donation form for card testing, the system will recognize the frequent attempts to make a donation from that device and will automatically blacklist it and deny them access to the donation form.
The automated card testing program can’t access the form and process transactions once it’s been blacklisted.
When we blacklist the card tester’s device, they’ll either stop testing or will have to change devices to regain access. Even if a tester changes their device, they can only attempt so many transactions before the system recognizes the fraud and blocks that device too.
Blacklisting is an effective method of fraud prevention that makes it frustrating for hackers to continue attempting fraudulent transactions.
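The escalation described above (CAPTCHA first, then a device block) can be sketched as a per-device velocity check; this is an added example, not Qgiv's code. It assumes `device_id` is a fingerprint computed elsewhere, `card_token` is a processor token rather than a card number, and every threshold is an illustrative value.

```python
from collections import defaultdict, deque

# All thresholds are illustrative assumptions, not Qgiv's values.
WINDOW_SECONDS = 600   # look-back window per device
SMALL_AMOUNT = 5.00    # ceiling for a "test-sized" donation
CAPTCHA_AFTER = 3      # distinct cards in window before CAPTCHA is forced
BLOCK_AFTER = 6        # distinct cards in window before the device is blocked


class CardTestingDetector:
    def __init__(self):
        self.recent = defaultdict(deque)  # device_id -> (timestamp, card_token)
        self.blocked = set()
        self.allowlisted = set()

    def allowlist(self, device_id):
        """Manual override for a real donor who was blocked by mistake."""
        self.allowlisted.add(device_id)
        self.blocked.discard(device_id)

    def observe(self, ts, device_id, card_token, amount):
        """Return 'allow', 'captcha' or 'block' for one donation attempt."""
        if device_id in self.allowlisted:
            return "allow"
        if device_id in self.blocked:
            return "block"
        window = self.recent[device_id]
        if amount <= SMALL_AMOUNT:
            window.append((ts, card_token))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        # Count distinct cards, so a donor retrying one card is not flagged.
        distinct_cards = len({token for _, token in window})
        if distinct_cards >= BLOCK_AFTER:
            self.blocked.add(device_id)
            return "block"
        return "captcha" if distinct_cards >= CAPTCHA_AFTER else "allow"


def replay(events):
    """Run constructed (ts, device, card_token, amount) events in order."""
    detector = CardTestingDetector()
    return [(e[1], detector.observe(*e)) for e in events]


# Constructed sample: one device cycling cards, one donor retrying a card.
SAMPLE = [(i * 20, "dev-A", f"tok-{i}", 1.00) for i in range(7)]
SAMPLE += [(i * 30, "dev-B", "tok-donor", 1.00) for i in range(4)]

if __name__ == "__main__":
    for device, decision in replay(SAMPLE):
        print(device, decision)
```

Counting distinct cards rather than raw attempts is what keeps the donor on `dev-B`, who retries one card four times, from being treated like the card-cycling device.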
Can Qgiv unblock a blocked device?
Yes! We understand that human error happens and sometimes a donor will attempt to give multiple times, which might mimic the attempts of a card tester. If a donor’s device is on Qgiv’s blacklist, let us know. We can quickly whitelist it so donors can regain access.
That said, we designed the system to reduce the odds of blacklisting an actual donor’s device. False positives rarely happen, so most donors won’t experience their access to your form being blocked.
100% Compliance with PCI Data Security Standard
Qgiv is a level 1 merchant alongside giants like Amazon, Target, and other companies. Thus, Qgiv is held to the strictest standards of the Payment Card Industry.
Major players in the payment card industry created the data security standard to standardize fraud prevention and protect consumers’ credit card information.
How being PCI compliant helps
PCI compliance ensures that Qgiv is doing everything we can to keep credit card information safe from hackers who would use that information to steal a donor’s identity.
We adhere to strict security standards to remain in compliance.
Some of these standards are:
- Encrypting every transaction made on our platform
- Never storing full credit card or eCheck details in Qgiv
- Using secure webpages to prevent hackers from acquiring a donor’s personal information or payment details.
These are just some of the steps taken to safeguard donors, and our clients, from fraud. As a level 1 merchant, Qgiv follows every best practice detailed on the PCI compliance checklist.
Fraud prevention methods nonprofits can implement
Con artists are becoming sneakier and more tech savvy all the time. Therefore, no system is 100% foolproof. Just look at this list of fifteen companies that have fallen victim to data breaches for evidence of that. That said, with Qgiv’s fraud prevention measures and nonprofits implementing rigorous donor data security standards, we can put up some serious defense against hackers and card testers. Here’s what nonprofits can do to prevent fraud.
Actively monitor transactions for unusual activity
Qgiv designed its fraud prevention methods to prevent false positives. That means card testers may make some unusual transactions before the system blocks their access and auto-enables CAPTCHA on the form. If you see strange donations (usually in small donation amounts with weird addresses or donor names), reach out to us and let us know. This clues us in to potential card testers much earlier, so we can intervene sooner to stop them.
Report and refund fraudulent transactions
If a card tester uses your form for fraudulent transactions, protect your organization by refunding any accepted transactions right away. In some cases, the victim will initiate a chargeback for the unauthorized use of their card. Thus, your nonprofit can incur chargeback fees from your merchant processor. Too many chargebacks can cost your organization hundreds of dollars and may impact your relationship with your merchant processor. Without a merchant processor, you may lose the ability to accept donations online altogether.
Enable CAPTCHA on forms, set minimum donation amounts, and test layouts
Once you’ve reported fraudulent activity, request to enable CAPTCHA on your donation forms if it hasn’t been auto-enabled already. Enabling CAPTCHA will deter automated card testing programs and should help stop the efforts of card testers.
A strategy that goes along with enabling CAPTCHA is establishing a minimum donation amount. Card testers usually use small donation amounts to avoid the cardholder catching on that their credit card information was stolen. If you set a minimum donation amount that exceeds a card tester’s testing amount, they’ll either move on when the transactions fail or will have to up the donation amount, which could get them caught by the cardholder.
One reason donation forms are so appealing to card testers is that many are often a single page with one step, which is a big difference from the multistep process many online stores use. While a multistep donation form makes giving seem easier and more bite-sized for your donors, it can be a welcome deterrent for card testers looking for a one-step checkout process. Qgiv’s donation forms offer multistep and single-step options so your organization can test what works best for you and your donors.
Implement donor data security policies at your nonprofit
You may be surprised to learn that humans are the weakest line of defense against fraud. For example, writing down a donor’s credit card information to manually input a donation over the phone leaves that cardholder information vulnerable to those who may use it for their own gain.
Storing this information either electronically or in a filing cabinet also creates opportunity for data theft.
Implementing security policies at your nonprofit can get every employee on the same page regarding fraud prevention.
Your security policy can involve:
- Regular, required security training
- Not storing sensitive donor details anywhere, ever
- Locking any valuable donor data away securely until it can be shredded
- Never leaving items like checks or paper donation forms in plain view
- Always locking your computer screen when leaving your desk
- Requiring strong passwords that change on a regular basis
For a good place to start, check out this blog post for security measures nonprofits need to implement now to protect donor data from fraud. If you’re guilty of any items on this list, create new policies that won’t leave donor data vulnerable.
Fraud prevention is important for protecting your donor data and your nonprofit’s reputation (not to mention your finances!). Our nonprofit clients can rest assured that Qgiv is always monitoring transactions for signs of fraud.
With automated security protocols like auto-enabling CAPTCHA and automatic device blacklisting, we stop card testers in their tracks quickly. Plus, with strict adherence to the PCI data security standard, Qgiv keeps cardholder information safe using best practices outlined by the payment card industry. That’s some serious security!
By combining Qgiv’s fraud prevention tools with security measures at your nonprofit, you can keep donor data secure. That added security means your donors can give with confidence knowing you’re safeguarding their information.
Want to do more to implement data security measures at your nonprofit? Watch this on-demand webinar by Dr. Heather Mark, Sphere’s Director of Compliance and Security. In the webinar, Dr. Mark teaches nonprofits how to protect themselves and their donors with top-notch data security tips.