58% of individuals who abandon donation pages do so because of security concerns. To keep your organization's donor data safe, develop good online security habits that give visitors to your website the confidence they need to make a secure online donation.
One of the growing cybersecurity issues facing nonprofit websites is the 'carding attack'. Hackers use automated systems to parse website data and attempt donations to a charity website for a small dollar amount. The bot then reports back to the hackers to let them know whether the transaction was successful. Each card that cybercriminals can validate online is worth good money on the black market and is quickly used to obtain other goods and services of higher value.
Nonprofits can be susceptible because they often use simple online forms to make it easy to collect donations, and, just as when buying any kind of digital good, no shipping address is required to complete the transaction. Unfortunately, this kind of fraud burdens organizations with chargeback fees, lost sales or donations, administrative time and a damaged reputation.
Preventing Carding Attacks
Serial hackers seek security-weak, cardable websites and share URLs on pages dedicated to showing other hackers how to pull off the carding fraud. So, what can a nonprofit do to protect itself?
First, take inventory of where your weaknesses may lie. Practices such as manually storing credit card numbers in hard copy, or on a computer in clear text or another unencrypted, human-readable form, have left organizations vulnerable to cybercriminals and cost them significant time and money.
Second, only use credit card payment processors that uphold the highest security standards. PCI DSS Level 1 is the industry's highest standard for payment processors and demonstrates that they have submitted to and passed a rigorous and comprehensive process, including a full-scale audit, to validate every area of the business that encounters cardholder data.
The Visa Global Registry of Service Providers is a source that organizations can use to verify their payment processors of choice. Visa encourages educating your stakeholders about protecting their data and suggests organizations only use certified payment processors.
3 SECURITY PRACTICES TO ADDRESS DURING CYBERSECURITY MONTH AND BEYOND
1. EDUCATE YOUR DONORS
Educate and remind donors to monitor their online activities including checking their debit and credit card statements so they can notify you and their banks if any unusual activities show up.
2. SELECT A PCI LEVEL 1 CERTIFIED PAYMENT PROCESSOR
A qualified vendor will ensure that, as soon as a card number is entered into a form, it is tokenized: the number is replaced with a value that is not human readable. That value is still encrypted in transit (as it travels across the internet) and at rest (when it is stored).
3. DEVELOP A CONTINGENCY PLAN
Have a response plan in place in the event of an attack that includes alerting donors about the breach and providing clear instructions about what they need to do. Be open and transparent about what exactly happened and let them know about any steps you are taking to resolve the issue to minimize the negative impact and prevent further damage.
While nonprofit organizations are most vulnerable to carding attacks, they can quickly follow these three necessary steps to protect their data management systems against potential cyber threats. Download the 3 Steps to Protecting Your Nonprofit from Carding Attacks infographic for further details.
Nonprofits are a hacker's primary target because most charitable organizations lack adequate fraud controls.
MobileCause is one of the few fundraising software providers that have achieved the highest industry standard for data security. Our PCI DSS level 1 certification gives nonprofit organizations confidence that their donor data will remain secure.