Nonprofit Data Security
What Nonprofits Need to Know About Data Security: Protecting Your Donor’s Data
Headlines are rife with wide-scale data breaches from large retailers, banks, credit bureaus and thousands of other businesses affected by cyber-security attacks.
Following such a breach, cybercriminals test stolen credit card data to validate the information, in a process called credit card number testing that is dramatically on the rise and Nonprofits are hackers primary target.
Protecting Nonprofits Against Carding Attacks
Card testing was up 200% in 2017 alone, according to Radial’s recent report. The tactic can be manual or automated and is used by fraudsters to test stolen credit card numbers and check their validity. The automated systems parse the data and attempt donations to a charity website for a small dollar amount. The bot then reports back to the hackers to let them know if the transaction was successful. Each card that cybercriminals can validate online is worth good money on the black market and is quickly used to obtain other goods and services with higher value.
This ability to verify small amounts from tens of thousands of different types of cards in many different countries seems to work more reliably with nonprofits than larger entities, probably because these targets often lack adequate fraud controls. Nonprofits seem particularly susceptible given they often have simple online forms to make it easy to collect donations and just like buying any kind of digital good, no shipping address is required to complete a purchase.
Unfortunately, this kind of fraud impairs organizations with:
Lost revenue or donations
Lost administrative time
How MobileCause Keeps Your Donor Data Secure
All nonprofits, in particular small and medium-sized organizations, often make perfect targets for hackers because they typically are not protected by security teams like many large nonprofits. If you collect donations via your website or social media channels without proper protection, it can be penetrated using software that scavenges the internet and sends out automated attacks.
Donors, volunteers, employees, and any other stakeholders whose personal information your nonprofit stores are trusting that their data will be kept safe. And depending on what type of information your organization collects, it may be required to meet specific security regulations.
MobileCause can help you keep your data secure. As a certified PCI DSS Level 1 security provider, we adhere to the highest industry standards for data protection. Our comprehensive security measures include:
Donation Fraud Protection
Unfortunately, credit card verification testing has become commonplace in the nonprofit community. We are committed to preventing any credit card testing attacks in its tracks. Our systems automatically analyze data activity, detects suspicious activity and blocks attacks.
Bank Account Security
Your organization’s bank account information is secured using the same bank-level, encryption technology that financial institutions use. Payouts are typically made within 48 hours (via ACH) directly into your account and always made from FDIC insured settlement accounts managed by licensed US financial institutions.
Credit Card Security
The safety and security of your payment information is our highest priority at MobileCause. Every piece of user data held by MobileCause is guarded by 100% PCI compliant systems. Credit card data is never stored on the MobileCause platform. From our online donation forms to our live call center operators, your data is protected by the highest standard for credit-debit card security on the web. To see basic steps you can take to combat card attacks, click here.
MobileCause provides two-factor authentication to protect against password theft fraud. When enabled, we require an additional step of identity verification when logging into your account to protect from unauthorized login attempts.
Blocking International User Gateways
We see increasing trends in carding attempts from countries like Russia and China. When a donation attempt is originated in these (and other high-risk countries), MobileCause admins block transactions and geolocations from your account.
Privacy & Encryption
Our data centers maintain several layers of security, including keycard access for controlled access. Security cameras monitor all locations 24/7 and there are on-site staff members to protect against unauthorized entry. Additional security safeguards are in place to ensure only permitted technicians gain access.
So, what can a nonprofit do to protect itself?
First, understand where your nonprofit’s data security weaknesses may lie
Factors like manually storing credit card numbers in hard copy or in a computer in clear text or other non-encrypted, human readable accessible form have left organizations vulnerable to cybercriminals costing them significant time and money.
Second, work only with credit card payment processors that uphold the highest security standards.
The Visa Global Registry of Service Providers is another way that organizations can verify their payment processors of choice. Visa advocates educating your stakeholders about protecting their data and encourages organizations to only use certified payment processors, while also developing a contingency plan in the event of a fraudulent carding attack in the form of:
1. Cyber security education:
Provide a basic understanding of cyber security and the role your staff and donors play in it. For example, remind donors to monitor their online activities including checking their debit and credit card statements so they can notify you and their banks if any unusual activities show up.
2. PCI Level 1 certified payment processor:
The best practices are to guarantee that the third-party payment processor does not store credit card numbers. A qualified vendor will ensure that once a card is entered onto a form it is immediately tokenized. This means that the number is turned into a form that is not human readable. The unreadable number is still encrypted in transit (as it goes through the internet) and at rest (when it is stored).
3. Contingency planning:
Have a response plan in place in the event of an attack that includes alerting donors about the breach and providing clear instructions about what they need to do. Be open and transparent about what exactly happened and let them know about any steps you are taking to resolve the issue to minimize the negative impact and prevent further damage.
While nonprofit organizations are most vulnerable to carding attacks, they can quickly follow these three necessary steps to protect their data management systems against potential cyber threats.
Request a Demo and Receive a Free Security Audit
Feeling insecure about your security measures? We can help you understand any potential vulnerabilities and ways that you can protect your donor’s information.