AASP: Avoiding credit card fraud

Steve MacLaughlin from Blackbaud is covering online fraud. Nonprofits are increasingly targets, as online giving increases. Credit card fraud committers use online giving sites to test stolen card numbers and validate their authenticity by charging low donation amounts like $1. Sources of fraud: stolen cards, compromised accounts, BIN attacks or carding (generating and testing mass amounts of credit card numbers), social engineering (e.g. phishing or Nigerian mail scams), charge-back schemes (asking for a refund to a different card).

Steve says the number one bad practice is letting donors fill in any gift amount with an open box. This is a leading contributor to fraudulent transactions. Steve recommends using an array. You can include an "other" option, which also has a blank. But set a minimum gift amount. Fraudsters commonly use $1 contributions (which fly under the radar of fraud detectors) to validate a card so that it can be re-sold or used for other transactions.

Another good practice: require the three or four-digit CID/CVV code in addition to the credit card number and expiration date.

AVS (Address Verification System) -- most credit card processors allow you to turn on high, medium or low settings to verify credit cards against address data. If most of your gifts are coming from the U.S. and Canada, higher AVS settings are acceptable. If you have a higher percentage of gifts (over 10% or so) from outside the U.S./Canada, AVS verification becomes more difficult, creating a barrier to giving. Consider creating separate webforms for domestic vs. international donors.

What about CAPTCHA or reCAPTCHA ("prove that you are a human")? Steve does not recommend putting CAPTCHA on the form unless you are dealing with egregious levels of fraud. These technologies tend to present more barriers to giving than barriers to fraud.

Another advanced practice -- IP throttling can be used to restrict traffic from specific locations. But fraudsters will return the favor with IP masking.

Watch out -- new PCI (payment card industry) standards are coming out soon. These standards will address new types of banking information, e.g. debit, in addition to credit cards. Steve believes we'll see a lot more regulations and guidelines around payment processing.

What about crowd funding? We may start seeing more people using an organization's name to raise money fraudulently.

Changes in security practices and consumer expectations will likely change our ability to accept credit card gifts through the mail and over the phone. Restrictions might increase (e.g. callers need some sort of certification) and donor discomfort with handing out credit card numbers is likely to increase also.

Steve recommends implementing fraud prevention measures now. One-third of online gifts will be given between now and December 31, and fraudsters pay attention to these things too, so fraud will be on the rise during these months too.

Amanda Jarman1 Comment