Secure Online Donations
What makes your donation on ucc.org secure?
1. One thing to look for is a web address beginning with https:// instead of http:// (the s stands for secure).
2. A padlock icon appears in the Status Bar (bottom of browser)
Some of you may see a ! or ? next to the padlock icon on UCC donation pages. This only means that some items on the page (in our case the videos) are loaded from an “unsecure” location, but it does not affect the security of the donation form in any way.
3. The “Norton Secured” logo under the Section Menu on the right is a symbol of a secured website; clicking on the logo will give you the details of the active security certificate covering this site:
In newer versions of Internet Explorer this confusing message may pop up:
The answer you want to click is “no”, for the reason listed above: some items on the page (in our case the videos) are loaded from an “unsecure” location, but this does not affect the security of the donation form in any way. Clicking either yes or no will still allow you to continue on to the page and complete your donation.
How Convio supports us in taking secure donations online (Convio is the provider of our internet services)
Online donation processing is an excellent way to reduce costs and manual tasks associated with direct fundraising. However, using the Internet for donation processing requires stringent security processes. Here are a few key issues to consider:
SSL Does Not Necessarily Make It Secure
Many people talk about their “secure” Web sites when they actually mean that the communication between the Web browser (such as Microsoft Internet Explorer® and Netscape®) and the Web server is encrypted using the Secure Sockets Layer (SSL), a standard set of Internet communication rules for managing the security of message transmissions over the Internet. While using SSL is essential, it is one minor element of an overall security architecture.
People who hack, or break into, Web servers typically do not do it by tapping into connections from browsers. Instead, they do it by attacking other weak points, including the human element. In fact, about 80 percent* of successful online “break-ins” involve simply stealing passwords to gain access. Therefore, any organization should carefully consider end-to-end security processes before offering online donation processing on its Web site. (note: The UCC gives very few people
Storing Credit Card Numbers
Another key concern is securing credit card numbers once the Web site has accepted them. Smaller e-commerce software providers are often lax about this aspect of security, so organizations should be careful to understand a provider’s security policies before using the company’s services for online transactions.
In addition, many organizations encrypt their Web databases, mistakenly believing that this protects the data. However, a hacker who breaks into a server gets not only the encrypted data, but also the decryption keys and software, enabling the hacker to obtain the card numbers. There is also the risk of a security breach if credit card data is available to staff members.
The only truly safe solution, which Convio’s online software uses, is both simple and bulletproof: Do not store credit card numbers at all. Convio’s donation processing capabilities authorize credit cards in real time, and then immediately discard the card number. Follow-up transactions, including refunds or monthly donations, are processed using one-time reference codes that are tied to the nonprofit’s account and useless to a fraudster. Card numbers are only stored by the payment gateway, or the system that manages transactions and connects the Internet to banking networks, whose systems are highly secure.
Fraud is Not the Issue, It’s Carding
Most online transactions are e-commerce purchases, where a company ships goods or other items of value in response to a purchase. So, anti-fraud measures typically are designed to prevent the fraudster from receiving the merchandise. A fraudster has nothing to gain from a counterfeit donation, however, so these measures typically are not useful to nonprofits.
A practice known as “carding,” though, is an issue for nonprofits. Fraudsters use a low-dollar online donation to test the validity of guessed or stolen card numbers. Although carding does not defraud the nonprofit, the organization is burdened by the administrative work required to issue a refund to the real credit card holder. Until recently, the only solution was for an organization to use software that monitored the Web site for failed transactions. Today, however, use of additional CVV2 security codes (the 3-4 digit additional numbers on credit cards) is a promising alternative. Unlike the old Address Verification System (AVS), CVV2 was designed for automated fraud protection, and is gaining ground in the USA. (Note: Convio’s September product release will offer CVV2 support for all transaction types.)
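An added example (not Convio’s or the UCC’s code) of the kind of failed-transaction monitoring the section refers to: it scans constructed donation-attempt records and flags any source whose burst of small-amount attempts has a high decline ratio, the signature of card testing. The record layout, the thresholds and the sample records are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample donation attempts (not real data).
# Fields: ISO timestamp, source identifier, amount in USD, gateway result.
SAMPLE_ATTEMPTS = [
    ("2024-01-01T10:00:00", "src-A", 1.00, "declined"),
    ("2024-01-01T10:00:09", "src-A", 1.00, "declined"),
    ("2024-01-01T10:00:15", "src-A", 1.00, "approved"),
    ("2024-01-01T10:00:22", "src-A", 2.00, "declined"),
    ("2024-01-01T10:00:30", "src-A", 1.00, "declined"),
    ("2024-01-01T11:00:00", "src-B", 50.00, "approved"),
    ("2024-01-01T11:30:00", "src-B", 25.00, "declined"),
    ("2024-01-01T12:00:00", "src-C", 100.00, "approved"),
]


def flag_carding(attempts, window=timedelta(minutes=10), min_attempts=4,
                 max_amount=5.00, min_decline_ratio=0.5):
    """Return {source: summary} for sources that make at least `min_attempts`
    small-amount attempts within `window` with a decline ratio of at least
    `min_decline_ratio`. Thresholds are assumed values for the example."""
    by_source = defaultdict(list)
    for ts, src, amount, result in attempts:
        by_source[src].append((datetime.fromisoformat(ts), amount, result))

    flagged = {}
    for src, rows in by_source.items():
        # Only low-dollar attempts matter for card testing; sort by time.
        small = sorted(r for r in rows if r[1] <= max_amount)
        start = 0
        for end in range(len(small)):
            # Slide the window start forward until the burst fits in `window`.
            while small[end][0] - small[start][0] > window:
                start += 1
            burst = small[start:end + 1]
            if len(burst) < min_attempts:
                continue
            declines = sum(1 for r in burst if r[2] == "declined")
            if declines / len(burst) >= min_decline_ratio:
                # Keep the largest qualifying burst seen for this source.
                flagged[src] = {
                    "attempts": len(burst),
                    "declines": declines,
                    # Approved test charges are the ones that later need refunds.
                    "approved_needing_refund": len(burst) - declines,
                }
    return flagged
```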