Nonprofit Data Security

What Nonprofits Need to Know About Data Security: Protecting Your Donor’s Data

Headlines are rife with wide-scale data breaches from large retailers, banks, credit bureaus and thousands of other businesses affected by cyber-security attacks.

Following such a breach, cybercriminals test the stolen credit card data to validate it, in a process called credit card number testing. The practice is dramatically on the rise, and nonprofits are hackers' primary target.


Did you know that nearly one-half of all U.S. entities experience two or more carding attacks? Nonprofits are a hacker's primary target because charitable organizations often lack adequate fraud controls. Download our 3 Steps to Protect Your Donor Data Infographic and follow these steps to help prepare your organization against data breaches.

Protecting Nonprofits Against Carding Attacks

Card testing was up 200% in 2017 alone, according to Radial’s recent report. The tactic can be manual or automated and is used by fraudsters to test stolen credit card numbers and check their validity. The automated systems parse the data and attempt donations to a charity website for a small dollar amount. The bot then reports back to the hackers to let them know if the transaction was successful. Each card that cybercriminals can validate online is worth good money on the black market and is quickly used to obtain other goods and services with higher value.

This ability to verify small amounts from tens of thousands of different types of cards in many different countries seems to work more reliably with nonprofits than with larger entities, probably because these targets often lack adequate fraud controls. Nonprofits seem particularly susceptible because they often have simple online forms that make it easy to collect donations and, just as with buying any kind of digital good, no shipping address is required to complete a purchase.
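The pattern described above (many different cards, small amounts, one source, mostly declined) can be checked for in a donation form's own attempt log. The following is an added example, not part of the original article or MobileCause's systems; the thresholds, field layout and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
SMALL_AMOUNT = 5.00              # assumed "small dollar" ceiling, USD
MIN_CARDS = 5                    # assumed distinct cards per source before flagging
MIN_DECLINE_RATIO = 0.5          # assumed share of declines typical of testing

def build_sample():
    """Constructed log rows: (time, source IP, card token, amount, approved)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    # Bot-like source: 8 different cards, $1 each, 20 s apart, mostly declined
    for i in range(8):
        rows.append((t0 + timedelta(seconds=20 * i), "203.0.113.7",
                     f"card-{i:02d}", 1.00, i % 4 == 0))
    # Ordinary donors: one larger gift, one donor retrying the same card
    rows.append((t0 + timedelta(minutes=1), "198.51.100.20", "card-a1", 50.00, True))
    rows.append((t0 + timedelta(minutes=3), "198.51.100.21", "card-b2", 5.00, False))
    rows.append((t0 + timedelta(minutes=4), "198.51.100.21", "card-b2", 5.00, True))
    return sorted(rows)

def detect_card_testing(attempts):
    """Return {source_ip: time of first alert} for sources matching the pattern."""
    recent = defaultdict(deque)   # per-source sliding window of small attempts
    alerts = {}
    for ts, ip, card, amount, approved in attempts:
        if amount > SMALL_AMOUNT:
            continue              # card testers probe with small amounts
        win = recent[ip]
        win.append((ts, card, approved))
        while win and ts - win[0][0] > WINDOW:
            win.popleft()         # drop attempts older than the window
        cards = {c for _, c, _ in win}
        declines = sum(1 for _, _, ok in win if not ok)
        if (len(cards) >= MIN_CARDS
                and declines / len(win) >= MIN_DECLINE_RATIO
                and ip not in alerts):
            alerts[ip] = ts
    return alerts

if __name__ == "__main__":
    for ip, when in detect_card_testing(build_sample()).items():
        print(f"possible card testing from {ip}, first flagged {when.isoformat()}")
```

A per-address window misses attacks spread across many addresses, so the same counting is usually repeated form-wide and per device or session.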

Unfortunately, this kind of fraud impairs organizations with:

Chargeback fees

Lost revenue or donations

Lost administrative time

Damaged reputation

DID YOU KNOW: MobileCause meets PCI DSS Level 1 attestation, the highest standard in data security. View certificate.

How MobileCause Keeps Your Donor Data Secure

Nonprofits, in particular small and medium-sized organizations, often make perfect targets for hackers because they typically are not protected by security teams the way many large nonprofits are. If you collect donations via your website or social media channels without proper protection, your site can be penetrated by software that scours the internet and sends out automated attacks.

Donors, volunteers, employees, and any other stakeholders whose personal information your nonprofit stores are trusting that their data will be kept safe. And depending on what type of information your organization collects, it may be required to meet specific security regulations.

MobileCause can help you keep your data secure. As a certified PCI DSS Level 1 security provider, we adhere to the highest industry standards for data protection. Our comprehensive security measures include:

Donation Fraud Protection

Unfortunately, credit card verification testing has become commonplace in the nonprofit community. We are committed to stopping credit card testing attacks in their tracks. Our systems automatically analyze data activity, detect suspicious activity and block attacks.


Bank Account Security

Your organization’s bank account information is secured using the same bank-level encryption technology that financial institutions use. Payouts are typically made within 48 hours (via ACH) directly into your account and are always made from FDIC-insured settlement accounts managed by licensed US financial institutions.

Credit Card Security

The safety and security of your payment information is our highest priority at MobileCause. Every piece of user data held by MobileCause is guarded by 100% PCI compliant systems. Credit card data is never stored on the MobileCause platform. From our online donation forms to our live call center operators, your data is protected by the highest standard for credit-debit card security on the web. To see basic steps you can take to combat card attacks, click here.

2-Factor Authentication

MobileCause provides two-factor authentication to protect against password theft fraud. When enabled, we require an additional step of identity verification when logging into your account to protect from unauthorized login attempts.

Blocking International User Gateways

We see increasing trends in carding attempts from countries like Russia and China. When a donation attempt originates in these (and other high-risk) countries, MobileCause admins block transactions and geolocations from your account.


Privacy & Encryption

MobileCause is committed to protecting the privacy of our customers’ donors. We use industry-leading Secure Sockets Layer (SSL) technology to keep your personal information as secure as possible. MobileCause does not sell, trade or rent personal information about our donors to third-party organizations. The donor data belongs to our customers and is stored on our servers on their behalf. To learn more, please review our privacy policy.

Our data centers maintain several layers of security, including keycard-controlled access. Security cameras monitor all locations 24/7 and there are on-site staff members to protect against unauthorized entry. Additional security safeguards are in place to ensure only permitted technicians gain access.

So, what can a nonprofit do to protect itself?

First, understand where your nonprofit’s data security weaknesses may lie

Practices such as manually storing credit card numbers in hard copy, or on a computer in clear text or another unencrypted, human-readable form, have left organizations vulnerable to cybercriminals, costing them significant time and money.
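One way to look for the clear-text card storage described above is to scan exported notes or spreadsheets for digit runs that pass the Luhn checksum and report only masked values. This is an added example, not part of the original article; the function names and the sample export (which uses test-style numbers, not real cards) are constructed for illustration.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_clear_text_pans(text):
    """Return (line number, masked number) for each Luhn-valid candidate."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                # Never echo the full number into the report
                hits.append((n, "*" * (len(digits) - 4) + digits[-4:]))
    return hits

# Constructed donor export: two card numbers in free text, one look-alike
# membership id that fails the checksum, and one properly tokenized record.
SAMPLE = """\
donor,notes
A. Example,pledged by phone card 4111 1111 1111 1111 exp on file
B. Example,membership id 1234567890123456
C. Example,token tok_9f2c last4 0004
D. Example,card 5500-0000-0000-0004 per mailed form
"""

if __name__ == "__main__":
    for line_no, masked in find_clear_text_pans(SAMPLE):
        print(f"line {line_no}: possible card number {masked}")
```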

Second, work only with credit card payment processors that uphold the highest security standards.

The Visa Global Registry of Service Providers is another way that organizations can verify their payment processors of choice. Visa advocates educating your stakeholders about protecting their data and encourages organizations to use only certified payment processors, while also developing a contingency plan in the event of a fraudulent carding attack. These recommendations take the form of:

1. Cyber security education:

Provide a basic understanding of cyber security and the role your staff and donors play in it. For example, remind donors to monitor their online activities including checking their debit and credit card statements so they can notify you and their banks if any unusual activities show up.

2. PCI Level 1 certified payment processor:

The best practice is to make sure that the third-party payment processor does not store credit card numbers. A qualified vendor will ensure that once a card is entered onto a form it is immediately tokenized. This means that the number is turned into a form that is not human-readable. The unreadable number is still encrypted in transit (as it goes through the internet) and at rest (when it is stored).

3. Contingency planning:
Have a response plan in place in the event of an attack that includes alerting donors about the breach and providing clear instructions about what they need to do. Be open and transparent about what exactly happened and let them know about any steps you are taking to resolve the issue to minimize the negative impact and prevent further damage.

While nonprofit organizations are most vulnerable to carding attacks, they can quickly follow these three necessary steps to protect their data management systems against potential cyber threats.
