9 Tips for Maximum Security When Processing Credit Card Payments For Your 501c3
Credit card processing for nonprofits, whether online or an in-person swipe, is a daily occurrence. When you have the tools for donors and members to process online donations, fees, and other ad hoc payments, safety is by far the largest concern. So how do you ensure that you provide your community the type of security that will put them at ease?
One option is to use a reputable third-party payment processor such as Square, Stripe, or PayPal, whose security measures are built into their standard operating procedures. If you choose not to use a third party, you can still make your online transactions secure, but it takes considerably more work: handling card data on your own systems puts those systems fully in scope for the PCI Data Security Standard, with the audits, logging, patching, and network controls that entails. If you are up for that workout, you will thank yourself later, when months and years go by without an incident involving the card data you process.
Many nonprofits assume their small size makes them an unlikely target for an online attack, but the truth is quite the opposite: attackers go after whoever is easiest, and smaller organizations often have fewer defenses. Losing sensitive data to attackers is a serious problem for any online payment platform and, in the long run, costs you both in fines and in damage to your reputation. This makes it incredibly important to consider your safety measures.
- Online Payment Safety
- #1: Ensure PCI Compliance
- #2: Encrypt All Data
- #3: Employ Payment Tokenization
- #4: Use 3-D Secure
- #5: Address Verification
- #6: Request the CVV
- #7: Use Two-Factor Authentication
- #8: Updates to Operating Systems
- #9: Require Strong Passwords
- Final Thoughts
Online Payment Safety
Safety is a concern for everyone involved in processing online transactions. That means you first, the nonprofit organization, since your database holds a great deal of sensitive information. Given how much of daily life now happens online, your customers or donors are also likely concerned about the safety of their information. They know that if their personal information falls into the wrong hands, the consequences range from a fraudulent transaction to full identity theft.
This is a large part of why credit card processing companies exist. Fraud is unfortunately commonplace on the internet, and it can hurt a great many people, so processors do everything they can to keep payment flows secure with a variety of methods. To name a few examples:
Tokenization: This is the process of replacing sensitive data, principally the card number (PAN), with a randomly generated stand-in called a token. The token is not an encrypted form of the card number; it is a random value that the payment gateway maps back to the real card inside its own secure vault. The cardholder's data therefore never enters your servers: the gateway captures it and hands you only the token, which is useless to anyone who steals it from you.
SSL/TLS: SSL (Secure Sockets Layer), now superseded by its successor TLS (Transport Layer Security), protects data in a different way. It encrypts the connection between the donor's browser and your website, so card numbers and personal details cannot be read or altered in transit, and the site's certificate proves to the browser that it is talking to your site and not an impostor. It does not inspect the visitor's IP address or decide whether a user is a threat; that is the job of fraud screening, not of the transport layer. Protected sites show HTTPS (and a padlock) in the address bar, and the general public is broadly aware of this sign.
PCI DSS: The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council, gives merchants and service providers a set of requirements for protecting cardholder data during storage, processing, and transmission. Every payment processor must comply with it, and merchants are assessed at different levels depending on transaction volume, from a self-assessment questionnaire for small merchants to an annual on-site assessment by a Qualified Security Assessor for the largest. It is a compliance standard rather than an encryption certification, but it is the baseline every card-accepting organization must meet.
If you still choose not to use a hosted payment processor for donations, there are practices you can employ to stay on the right side of security. When you use a processor's hosted payment page or tokenization, the processor carries much of the burden of protecting card data and your own PCI scope shrinks accordingly, although you remain responsible for your website, your staff accounts, and your own self-assessment. If you go it alone, the full weight of that responsibility falls on your shoulders. Read up and educate yourself thoroughly on all the requirements before you move forward.
Nonprofit credit card processing fees can sometimes be steep. Explore the possibility of asking donors to cover the extra cost of paying by card when they donate. This is the "transaction fee," and whether you use PayPal, Square, or Stripe, you will otherwise pay it yourself. You can easily factor these fees into the final amount; just notify donors that you are doing so.
Pro Tip: Keep fraud at the forefront of your organization's priorities, as it is by far the most common issue faced. Meet with your board and define your limits when it comes to fraud, and make sure you have a process in place to identify situations that require swift action. If you are not prepared, the downside becomes obvious as chargebacks, fines, and higher processing rates pile up in the long run.
#1: Ensure PCI Compliance
PCI DSS is the most important standard to comply with. The PCI Security Standards Council is not a government regulator; it is an industry body founded by the card brands, but the brands and your acquiring bank enforce its standard through your merchant agreement, so non-compliance can mean fines or losing the ability to accept cards at all. Your primary focus for online payment security is to ensure that the card processing methods you use fully comply with PCI DSS and with any privacy and data-protection laws that apply to you.
The validation requirements depend on the size of your organization, measured by annual card transaction volume: smaller merchants complete a self-assessment questionnaire (and, depending on how they accept cards, quarterly external vulnerability scans), while the largest need an annual on-site assessment. That means you must be prepared to review your obligations in earnest if your organization grows substantially over time.
It does not matter whether you are processing payments for a church, a small business, or a nonprofit organization: you must meet these requirements.
#2: Encrypt All Data
Whether you are dealing with payments or any other personal information from a supporter, encryption is a valuable and commonly employed protection. Confirm that any card payment terminals your charity uses encrypt card data at the point of swipe or tap (look for a validated point-to-point encryption, or P2PE, solution), so that readable card numbers never pass through your own network.
TLS certificates protect data while it travels between the donor's browser and your server; they do nothing for data you store, which needs its own protection. Obtain certificates from a certificate authority that browsers trust. Checking a vendor's reputation is reasonable (SSL.com, one such provider, is a BBB accredited business), but browser trust is the property that actually matters.
Obtaining a certificate is simple, and you can do it in a few ways. Be aware that the level of validation (DV, OV, or EV) says nothing about the strength of the encryption: a free domain-validated certificate from an authority such as Let's Encrypt gives your visitors exactly the same TLS protection as a paid Extended Validation (EV) certificate. What EV adds is a more thorough check of your organization's legal identity by the certificate authority, which some organizations want for the assurance it gives donors, although modern browsers no longer display it prominently. Whichever you choose, what matters is that the certificate is issued by a trusted authority, covers every hostname you use, and is renewed before it expires.
Here is what you need to do:
Confirm that you control the domain. The certificate authority will prove this by asking you to publish a DNS record, serve a file at a URL on the site, or respond to an email sent to a contact address from the domain's registration record, so your registrar details must be current. (ICANN coordinates the domain name system but does not validate websites; you deal with your registrar and the certificate authority.)
Generate your private key and CSR (Certificate Signing Request) on the server itself, using a tool such as OpenSSL or your web server's own utility. Never use an online CSR generator: a private key produced on someone else's web page has already passed through their server, which defeats the purpose of the certificate. The key stays on your server with restrictive file permissions; only the CSR is sent to the certificate authority.
Submit the CSR to the certificate authority, which validates your domain (and, for OV or EV, your organization) and issues the certificate.
Install the certificate and its intermediate chain on your web server, redirect all HTTP requests to HTTPS, and enable HTTP Strict Transport Security (HSTS) so browsers refuse to connect insecurely in future. From then on the site address begins with HTTPS and visitors' information is encrypted from the moment they arrive. Set a reminder to renew well before the expiry date, or automate renewal; an expired certificate produces browser warnings that stop donations cold.
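As an added example (this code is not from the original article or any vendor), here is the key-and-CSR step carried out on your own machine by driving the OpenSSL command-line tool from Python. The hostname donate.example.org and the organization name are placeholders. The private key is written with owner-only permissions and never leaves the host; the CSR is the only file you upload to the certificate authority, and it is checked before upload to make sure it verifies and names the right host.

```python
import os
import shutil
import subprocess
import tempfile


def make_key_and_csr(hostname, org, workdir):
    """Generate a fresh RSA private key and a CSR for `hostname` locally.

    Uses the openssl CLI so the key is created on this machine, never on
    a third-party web page. Returns (key_path, csr_path); only the CSR
    is ever uploaded to the certificate authority.
    """
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl command-line tool not found on PATH")
    key_path = os.path.join(workdir, f"{hostname}.key")
    csr_path = os.path.join(workdir, f"{hostname}.csr")
    subprocess.run(
        [
            "openssl", "req", "-new",
            "-newkey", "rsa:2048", "-nodes",   # unencrypted key, as a server needs
            "-keyout", key_path, "-out", csr_path,
            "-subj", f"/CN={hostname}/O={org}",
            # Browsers match the hostname against the SAN, not the CN
            "-addext", f"subjectAlt" + f"Name=DNS:{hostname}",
        ],
        check=True, capture_output=True,
    )
    os.chmod(key_path, 0o600)   # owner read/write only
    return key_path, csr_path


def csr_is_good(csr_path, hostname):
    """Check the CSR before uploading it: the self-signature verifies and it names the host."""
    result = subprocess.run(
        ["openssl", "req", "-in", csr_path, "-noout", "-verify", "-text"],
        capture_output=True, text=True,
    )
    output = result.stdout + result.stderr
    return result.returncode == 0 and f"DNS:{hostname}" in output


def key_is_private(key_path):
    """True if only the file owner can read the key (mode 0600)."""
    return (os.stat(key_path).st_mode & 0o777) == 0o600


def demo(hostname="donate.example.org", org="Example Nonprofit"):
    """Run the whole procedure in a scratch directory and report the checks.

    The hostname and organization are placeholders, not real deployment values.
    """
    with tempfile.TemporaryDirectory() as workdir:
        key_path, csr_path = make_key_and_csr(hostname, org, workdir)
        return {
            "csr_ok": csr_is_good(csr_path, hostname),
            "key_private": key_is_private(key_path),
            # a CSR for one host must not pass the check for another
            "wrong_host_rejected": not csr_is_good(csr_path, "attacker.example.net"),
        }


if __name__ == "__main__":
    print(demo())
```

The `-addext` flag needs OpenSSL 1.1.1 or later; on older builds put the subjectAltName in a config file passed with `-config` instead. In production, replace the temporary directory with your server's key directory and keep the key out of backups that leave the machine unencrypted.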
#3: Employ Payment Tokenization
Payment tokenization, as discussed above, is an extremely valuable way of keeping sensitive information off your systems. The random string of numbers and letters is the only thing that ever reaches your servers; the real card number lives only in the payment gateway's vault, which receives it directly from your donor's browser.
Even if an attacker obtains the tokens from your database, they gain nothing: a token is not an encrypted card number that could be decrypted, it is a random value with no mathematical relationship to the card, and it can only be redeemed through the gateway that issued it, on your account. Your gateway assigns a token for each donor's card, so returning donors can pay with one click in future without their card data ever being exposed in your charity's payment process.
Pro Tip: Saved tokens are highly effective for recurring donations. As in e-commerce (think of Amazon), every step you remove for someone making a purchase increases the likelihood of that purchase occurring. If your website "remembers" a previous donor's card through its token, a second (or third, or fourth) donation is that much easier for them to make!
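To make the difference between a token and an encrypted card number concrete, here is an added example (not code from the article or from any payment gateway) of a hypothetical in-memory token vault standing in for the gateway's. The nonprofit-side function obtains a token, charges it, and keeps only the token and last four digits; the CVV is validated and then discarded, as PCI DSS requires. The card number used is the well-known 4111... test number and the donor address is constructed for the example.

```python
import secrets
from dataclasses import dataclass


def luhn_ok(pan):
    """Luhn checksum: catches mistyped card numbers (it is not a security check)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Card:
    pan: str     # full card number; exists only inside the vault
    expiry: str  # MM/YY


class TokenVault:
    """Stand-in for the payment gateway's vault (hypothetical, in-memory).

    A token is random: it is not an encrypted PAN and cannot be decrypted.
    The only way from token to card is the vault's own lookup, which the
    nonprofit's systems never perform.
    """

    def __init__(self):
        self._cards = {}  # token -> Card

    def tokenize(self, pan, expiry, cvv):
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("CVV must be 3 or 4 digits")
        # The CVV is checked with the issuer during the first authorization
        # and then dropped: PCI DSS forbids retaining it, so it is never
        # stored beside the PAN, not even inside the vault.
        del cvv
        token = "tok_" + secrets.token_urlsafe(18)   # random, not derived from the PAN
        self._cards[token] = Card(pan, expiry)
        return token

    def charge(self, token, amount_cents):
        """Resolve the token and submit the charge; the receipt carries no PAN."""
        card = self._cards.get(token)
        if card is None:
            raise KeyError("unknown token")
        # A real vault would send card.pan to the card network here.
        return {"last4": card.pan[-4:], "amount_cents": amount_cents}


def record_donation(vault, donor_email, pan, expiry, cvv, amount_cents):
    """The nonprofit's side: obtain a token, charge it, keep no card data."""
    token = vault.tokenize(pan, expiry, cvv)
    receipt = vault.charge(token, amount_cents)
    # The stored record holds the token and last four digits only; that is
    # enough to show the donor and to charge again later for a recurring gift.
    return {
        "donor": donor_email,
        "token": token,
        "last4": receipt["last4"],
        "amount_cents": receipt["amount_cents"],
    }


def charge_again(vault, record, amount_cents):
    """A later (recurring) donation: the donor re-enters nothing."""
    return vault.charge(record["token"], amount_cents)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: 4111 1111 1111 1111 is a standard test card number
    rec = record_donation(vault, "donor@example.org", "4111 1111 1111 1111", "12/30", "123", 2500)
    print(rec)
    print(charge_again(vault, rec, 2500))
```

Note what the nonprofit's record contains: an email address, a token, four digits and an amount. A stolen copy of that record gives an attacker no card number to decrypt and no way to charge the card anywhere but through your gateway account, which is exactly why tokenization keeps your own systems out of most of PCI DSS scope.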
#4: Use 3-D Secure
3-D Secure, usually abbreviated 3DS, was introduced by Visa (as Verified by Visa) and is now offered by all the major card brands for online, card-not-present transactions; it is not used for in-person swipes through a card reader. The name stands for "Three-Domain Secure," not three servers: during an online payment the cardholder is authenticated across three domains, with the issuing bank confirming, for example through a one-time code or the bank's app, that the person paying really is the cardholder. A transaction that passes 3DS also shifts liability for most fraud-related chargebacks from you to the card issuer.
First is the acquirer domain: your acquiring bank (or payment processor) and your own website, which initiate the authentication request. You will already be familiar with this bank and its processes.
Next is the issuer domain, the bank that issued the card the donor is using and that holds the funds. Its access control server is what challenges the cardholder and decides whether the authentication succeeds.
Lastly, the interoperability domain is the card network's infrastructure (its directory server and messaging) that connects the other two, so that any merchant can authenticate a cardholder with any issuer. Together, the three domains add a layer of cardholder authentication that a stolen card number alone cannot pass.
#5: Address Verification
An address verification service (AVS) checks, within seconds of the authorization request, whether the billing address and postal code the donor entered match the address the card-issuing bank has on file for that card. Fees for this check are very low and are often bundled into third-party transaction fees. A matching billing address also strengthens your position if the donor later disputes the charge or something else goes wrong with the transaction.
Address verification protects you not only from fraudulent transactions but also from honest mistakes. Plenty of people have no intention of causing problems with their payment, yet problems still arise from a mistyped address or an outdated card. Double-checking the address adds one more layer of protection to the transaction.
#6: Request the CVV
By requesting the CVV, the three-digit security code printed on the back of the card (four digits on the front for American Express), you raise the odds that the person paying actually has the card in hand. Card numbers and names leak in bulk from breaches, but the CVV is not embossed, is not on the magnetic stripe, and under PCI DSS must never be stored after authorization, so it is far harder for a fraudster to come by.
This is arguably the best way for nonprofits to check that the person behind an online transaction is holding the card. People know not to share this number, and the same rule applies to you: use it for the authorization and then discard it. Never write it down, never keep it in your database or log files, and never ask donors to send it by email.
#7: Use Two-Factor Authentication
Two-factor authentication (2FA) requires people to provide a second proof of identity, something they have (an authenticator app or hardware key) in addition to something they know (a password). This increasingly common method is used for VPN services, banking, and even email. Turn it on for every staff account on Square, Stripe, PayPal, your bank, your domain registrar, and your website's administrative login, because those accounts can move money or change where donations go; offer it to donors for their accounts on your site as well.
Just like requesting the CVV, two-factor authentication adds another layer to the payment process, this time around the accounts that control it. Combined with the other measures here, it provides substantial protection for your online store or donation page.
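As an added example (not from the article, and not any vendor's implementation), here is how the time-based one-time codes used by authenticator apps work, implemented from RFC 4226 and RFC 6238 with only the Python standard library. Beyond the bare algorithm it shows the two details a site must get right: accept a code one time step either side to tolerate clock skew, compared in constant time, and remember the last accepted step so a code that was intercepted cannot be replayed. The secret is the published RFC 6238 test key, so the vectors in the RFC can be checked against it.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Test secret from RFC 6238 Appendix B (the ASCII string "12345678901234567890")
RFC_KEY = b"12345678901234567890"


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits)


def matching_counter(key, submitted, at=None, step=30, window=1):
    """Return the counter whose code equals `submitted`, or None.

    Accepts one step either side to tolerate clock skew. Every candidate is
    compared (constant-time, no early exit) so the check's timing does not
    reveal how close a guess was.
    """
    if at is None:
        at = time.time()
    base = int(at) // step
    found = None
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(key, counter), submitted):
            found = counter
    return found


class Enrolled:
    """One user's enrolment; remembers the last accepted counter so a code
    that was already used (or intercepted in transit) cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def check(self, submitted, at=None):
        counter = matching_counter(self.key, submitted, at)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


def new_secret():
    """Fresh enrolment secret for an authenticator app (base32, as apps expect)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def replay_demo():
    """A valid code is accepted once and rejected when submitted again."""
    user = Enrolled(RFC_KEY)
    code = totp(RFC_KEY, at=59)
    return user.check(code, at=59), user.check(code, at=59)


if __name__ == "__main__":
    print(totp(RFC_KEY, at=59))   # RFC 6238 vector for T=59: 287082
    print(replay_demo())           # (True, False)
```

In a real deployment the per-user secret from `new_secret()` is stored encrypted at rest and shown to the user once (typically as a QR code) during enrolment; the submitted code should additionally be rate-limited per account, since six digits give an online guesser a one-in-a-million chance per attempt.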
#8: Updates to Operating Systems
It is important to keep your computer's operating system, and the web server, content management system, plugins, and libraries running on it, up to date so that all of these features keep working as intended. The operating system underpins every process, and known but unpatched flaws in it are among the easiest ways for an attacker to get in.
This measure often goes without due consideration, and it can have a significant impact on your organization. If patches are left unapplied for too long and something goes wrong, the fault will ultimately fall on your end, and that is to be avoided at all costs!
#9: Require Strong Passwords
The longer and less predictable a password is, the harder it is to guess or crack if someone tries. Require passwords to be long (length does far more than special characters), never store them in plain text, and keep only a salted hash made with a slow, purpose-built algorithm such as bcrypt, scrypt, or Argon2, so that even a stolen copy of your database does not hand an attacker the passwords.
This measure can stop someone from making payments or changing payout details in another person's name simply because they guessed the password behind an email address or username. Surprisingly, this is more common than you would think. Do not allow users to choose PASSWORD, their own name, anything on a list of commonly used or previously breached passwords, or anything shorter than 8 or 9 characters (12 or more is a better minimum for accounts that can move money).
Pro Tip: Remember to include a "forgot your password" option. The more complicated a password is, the more likely people are to forget it, and if you demand strong passwords you must make it easy for guests to reset theirs. Do it safely: send a reset link containing a random, single-use token that expires within minutes, store only a hash of that token, and require the account's second factor before the new password takes effect, so that you never hand a working reset link to an attacker somewhere far away. (3DS, mentioned earlier, authenticates card payments rather than logins, so it does not apply here.)
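As an added example covering both the password rules above and the reset-link pro tip (this is not the article's code or any product's), here is a small password policy check, salted scrypt hashing with constant-time verification, and a reset-token store that is random, single-use, time-limited and kept only as a hash. The banned list is a tiny constructed stand-in for a real breached-password corpus, the minimum length of 12 is a choice for this example, and the user names and times in the demo are constructed.

```python
import hashlib
import hmac
import secrets
import time

MIN_LENGTH = 12            # example policy; 8 is the floor, longer is better
RESET_TTL_SECONDS = 15 * 60

# Tiny constructed stand-in for a banned/breached password list; a real site
# should check candidates against a full corpus such as Have I Been Pwned's.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "donation"}


def password_problems(password, name="", email=""):
    """Reasons a candidate password is rejected; an empty list means acceptable."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in BANNED:
        problems.append("on the banned-password list")
    for piece in (name, email.split("@")[0]):
        if len(piece) >= 3 and piece.lower() in low:
            problems.append("contains the account holder's name or email")
            break
    if len(set(low)) < 4:
        problems.append("too repetitive")
    return problems


def hash_password(password, salt=None):
    """Salted scrypt hash; the stored form is 'salt_hex$digest_hex', never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class ResetTokens:
    """Password-reset tokens: random, single-use, short-lived, stored only hashed.

    A database leak therefore exposes no usable reset links, and a link that
    was already clicked (or has expired) cannot be reused by someone else.
    """

    def __init__(self):
        self._pending = {}  # sha256(token) -> (user, expires_at)

    def issue(self, user, now=None):
        if now is None:
            now = time.time()
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (user, now + RESET_TTL_SECONDS)
        return token  # goes into the e-mailed link; only its hash is kept here

    def redeem(self, token, now=None):
        """Return the user the token belongs to, or None if unknown, used, or expired."""
        if now is None:
            now = time.time()
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return None
        user, expires_at = entry
        return user if now <= expires_at else None


if __name__ == "__main__":
    print(password_problems("PASSWORD"))
    print(password_problems("JaneDoe-winter-2024", name="Jane Doe", email="jane@example.org"))
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))
    tokens = ResetTokens()
    link = tokens.issue("jane@example.org", now=1_000_000)
    print(tokens.redeem(link, now=1_000_100), tokens.redeem(link, now=1_000_100))
```

After a successful `redeem`, the site should still ask for the account's second factor (where enrolled) before accepting the new password, and should invalidate existing sessions once the password changes.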
Credit card processing is often necessary for organizations of all sizes. By ensuring that your nonprofit, or the third party you employ, maintains PCI compliance, encrypts card data in transit and keeps it off your own systems, and properly authenticates both users and cardholders, you will maintain the trust of your donors and members. This will allow your community to feel safe transacting with you and will let you and your team focus on furthering your mission.