The Credit Fraud Problem
Credit card fraud is a significant problem. With the numerous breaches in recent years (Target, Equifax and Capital One, to name a few), it comes as no surprise that this type of fraud is occurring more frequently. According to Market Watch, The Nilson Report projects that credit card fraud will exceed $35 billion in 2020.
But did you know that one type of credit card fraud, card testing, is growing rapidly and often targets nonprofit organizations? When fraudsters get their hands on stolen card numbers, whether from a breach or bought in bulk, they have to test them to determine which ones are still active, i.e. have not yet been reported stolen and cancelled, and can therefore be used for larger purchases or resold. They test them by making small transactions on unsuspecting e-commerce sites, usually with automated scripts that can run through hundreds of cards in minutes. One of their favorite places to test these stolen cards is on donation pages found on a nonprofit's website.
Why are Nonprofits a Target?
There are a number of reasons why nonprofit donation pages are a common target for card testing.
- Nonprofits commonly offer simple donation pages – Because nonprofits want to offer a quick and easy way for donors to contribute, they often choose the simplest donation solution available. These simple donation pages collect a minimal amount of information and typically have no minimum donation amount. Unfortunately, this simplicity makes it easy for fraudsters to automate card testing and run numerous cards through the form in a short amount of time.
- Cardholders often won't flag a donation – Fraudsters keep each card test small, usually less than $10, so as not to raise any red flags. Even when cardholders discover a small charge from a charity or nonprofit, they are less likely to report it or dispute the charge than they would be for an unknown retailer.
- Nonprofits might not be following best practices – Nonprofits are more likely to deploy a simple donation solution without taking the proper steps to protect themselves (and their donors) from the risk of credit card fraud. This can be the result of using a cheap but less secure donation solution on their website, or of not enabling the fraud controls their payment gateway offers (such as CVV and address verification) that would reject most fraudulent transactions.
What is at Risk for Your Nonprofit?
So what exactly is at risk if your nonprofit doesn't take steps to minimize fraudulent card testing?
- Lost staff time – Reviewing hundreds of attempted charges associated with a card testing event takes significant time. The investigation will likely involve your IT staff reviewing web server logs and gateway transaction records before they can explain what happened. In addition, every successful fraudulent charge must be found so that a refund can be issued through your payment gateway provider. This adds up to hours of staff time and expense.
- Lost transaction and chargeback fees – Refunding successful fraudulent charges returns the money to the rightful cardholders, but the transaction fees are non-refundable and are therefore a loss for the nonprofit. In addition, some vendors assess a chargeback fee for each fraudulent transaction that a cardholder disputes through their bank before you have refunded it. These fees are typically between $10 and $25 per transaction.
- Damaged credibility – Perhaps the worst damage is what these events do to your organization's credibility. When an unsuspecting cardholder has their card compromised and the first charge they notice is a test donation on your nonprofit's website, they might not be very forgiving. With plenty of social media platforms and review sites available, they may well share their story and sully your organization's reputation in the process.
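The log review described above can be scripted rather than done by hand. The following is an added example, not code from the original article or from The A Group: it parses a constructed gateway transaction export (the CSV layout, IP addresses and card tokens are invented for illustration) and flags source IPs that show the card-testing pattern, that is, many sub-$10 attempts in a short window, across many distinct cards, with most of them declined. The thresholds are assumptions to tune against your own gateway's export format and normal donor behavior.

```javascript
// Added example (not from the original article): flag card-testing bursts in
// a donation gateway's transaction export. The CSV layout, addresses, card
// tokens and thresholds below are constructed for illustration.

// Constructed log: timestamp, source IP, amount, tokenized card, gateway result.
const SAMPLE_LOG = [
  "2024-03-02T14:00:03Z,198.51.100.4,50.00,card_0f31,APPROVED",
  "2024-03-02T14:01:10Z,203.0.113.7,1.00,card_a001,DECLINED",
  "2024-03-02T14:01:14Z,203.0.113.7,1.00,card_a002,DECLINED",
  "2024-03-02T14:01:19Z,203.0.113.7,2.00,card_a003,APPROVED",
  "2024-03-02T14:01:23Z,203.0.113.7,1.00,card_a004,DECLINED",
  "2024-03-02T14:01:30Z,203.0.113.7,1.00,card_a005,DECLINED",
  "2024-03-02T14:01:36Z,203.0.113.7,3.00,card_a006,DECLINED",
  "2024-03-02T14:01:41Z,203.0.113.7,1.00,card_a007,APPROVED",
  "2024-03-02T14:01:47Z,203.0.113.7,1.00,card_a008,DECLINED",
  "2024-03-02T14:01:52Z,203.0.113.7,1.00,card_a009,DECLINED",
  "2024-03-02T14:02:01Z,203.0.113.7,5.00,card_a010,DECLINED",
  "2024-03-02T14:02:06Z,203.0.113.7,1.00,card_a011,APPROVED",
  "2024-03-02T14:02:12Z,203.0.113.7,1.00,card_a012,DECLINED",
  "2024-03-02T14:10:44Z,192.0.2.20,25.00,card_77c2,APPROVED",
  "2024-03-02T14:12:01Z,192.0.2.20,25.00,card_77c2,DECLINED",
  "2024-03-02T14:12:30Z,192.0.2.20,25.00,card_77c2,APPROVED",
].join("\n");

function parseLog(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => {
      const [ts, ip, amount, card, result] = line.split(",");
      return { time: Date.parse(ts), ip, amount: Number(amount), card, approved: result === "APPROVED" };
    });
}

// Card testing looks like many small attempts from one source in a short
// window, across many distinct cards, with most of them declined. Returns one
// alert per offending IP, including the approved cards that need refunds.
function detectCardTesting(records, opts = {}) {
  const {
    windowMs = 10 * 60 * 1000, // look-back window per source IP
    maxAmount = 10,            // "small" transaction ceiling (currency units)
    minAttempts = 8,
    minDistinctCards = 5,
    minDeclineRate = 0.5,
  } = opts;

  const byIp = new Map();
  for (const r of records) {
    if (r.amount > maxAmount) continue; // ignore normal-sized gifts
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r);
  }

  const alerts = [];
  for (const [ip, recs] of byIp) {
    recs.sort((a, b) => a.time - b.time);
    let best = null;
    // Sliding window: for each start index i, j runs past the last record within windowMs.
    for (let i = 0, j = 0; i < recs.length; i++) {
      while (j < recs.length && recs[j].time - recs[i].time <= windowMs) j++;
      const win = recs.slice(i, j);
      const distinctCards = new Set(win.map((r) => r.card)).size;
      const approved = win.filter((r) => r.approved).map((r) => r.card);
      const declineRate = (win.length - approved.length) / win.length;
      const suspicious =
        win.length >= minAttempts && distinctCards >= minDistinctCards && declineRate >= minDeclineRate;
      if (suspicious && (best === null || win.length > best.attempts)) {
        best = {
          ip,
          attempts: win.length,
          distinctCards,
          declineRate,
          approvedCards: approved, // these charges need refunds
          start: new Date(recs[i].time).toISOString(),
          end: new Date(recs[j - 1].time).toISOString(),
        };
      }
    }
    if (best) alerts.push(best);
  }
  return alerts;
}

console.log(detectCardTesting(parseLog(SAMPLE_LOG)));
// -> one alert for 203.0.113.7: 12 attempts, 12 distinct cards, decline rate 0.75
```

Keying on the source IP is the simplest grouping; testers who rotate through proxies will also show up if you additionally group by session cookie, user agent or the donation form's own submission token, and the approved card list in each alert is exactly the set of charges to refund before they turn into chargebacks.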
What Can You Do to Minimize Your Nonprofit's Risk to Card Testing?
Unfortunately, there is no definitive way to prevent your nonprofit's donation page from being used for card testing. However, if you take the following steps you can minimize the likelihood that your site will be targeted by fraudsters or at least minimize the impact that such an event will have on your organization.
- Form obfuscation – Despite the name, it is a simple concept: form obfuscation is a set of tactics that make a form harder for bots to find and submit automatically. Common techniques include rendering the form with JavaScript rather than as static HTML that a crawler can scrape, using non-obvious field names, and adding a hidden "honeypot" field that a human never sees but an automated script will fill in, so any submission with that field populated can be rejected. Form obfuscation is critical on your giving forms, but it is good practice for any form that collects sensitive information (personally identifiable information, card data, etc.).
- Use a CAPTCHA – A CAPTCHA is a system or method used to distinguish human from machine input. Using a quality CAPTCHA on your donation form helps ensure that a human being is behind each submission. Verify the CAPTCHA response on your server using the provider's secret key, not only in the browser: a script that posts directly to your form handler never runs your page's client-side checks.
- Require CVV/CVC verification – The card verification value/code is the 3-digit number on the back of the card (4 digits on the front for American Express). Check with your payment gateway to make sure a donation is not allowed through unless the CVV matches the issuer's records. This is usually a setting you can verify or change directly on your payment gateway's dashboard. Note that many gateways will approve a charge and merely report a CVV mismatch in a result code, so either configure the gateway to decline on mismatch or have your code void such charges. Never store the CVV after authorization; PCI DSS prohibits it.
- Require address verification – Another useful control is the Address Verification System (AVS). When required by your payment gateway, the numeric portion of the cardholder's billing street address and/or their postal code is compared with the issuing bank's records before the transaction is approved. This often trips up card testers who have the card number but not the billing address. AVS is mainly supported for cards issued in the US, Canada and the UK, so decide how to handle the "not supported" result for other cards rather than rejecting every international donor.
- Require a minimum donation – Setting a minimum donation amount, for example $15, will deter many card testers, since they typically test cards with very small transactions to avoid being noticed. This does mean that legitimate donors who would like to make a small contribution will also have to meet this minimum. One distinction that can be made is to only require the minimum for one-time donations, allowing smaller recurring donations.
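The checks above can be enforced together at the point where the donation request reaches your server, before anything is forwarded to the gateway, with the gateway's CVV and AVS results checked when the response comes back. The following is an added example, not the article's own code or any vendor's API: the field names (`amount`, `recurring`, `captchaToken`, the hidden `website` honeypot), the injected `verifyCaptcha` function, the in-memory rate limiter and the shape of the gateway result (`approved`, `cvvMatch`, `avsPostalMatch`) are all assumptions; real gateways return their own CVV and AVS result codes that you would map onto these fields.

```javascript
// Added example (not the article's code): server-side checks for a donation
// request. Field names, the CAPTCHA verifier and the gateway result shape
// are assumptions; map your own gateway's CVV/AVS result codes onto them.

const POLICY = {
  minOneTimeAmount: 15,     // floor for one-time gifts, as the article suggests
  minRecurringAmount: 1,    // recurring gifts may stay small
  honeypotField: "website", // hidden field a human never fills in; bots often do
  maxAttemptsPerIp: 5,      // submissions allowed per source IP per window
  windowMs: 10 * 60 * 1000,
};

// In-memory sliding-window counter keyed by source IP (use a shared store
// such as Redis when the site runs on more than one server).
class SlidingWindowLimiter {
  constructor({ maxHits, windowMs }) {
    this.maxHits = maxHits;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps of recent hits
  }
  // Records one hit for `key` at time `now` (ms) and reports whether the
  // key is still within its allowance.
  allow(key, now) {
    const recent = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(key, recent);
    return recent.length <= this.maxHits;
  }
}

// Validates the parsed form body before anything is sent to the gateway.
// `verifyCaptcha(token)` stands in for a server-side call to the CAPTCHA
// provider's verification endpoint with your secret key; never trust a
// client-side "passed" flag.
function validateDonationRequest(body, { ip, now = Date.now(), limiter, verifyCaptcha }) {
  // Form obfuscation: a filled honeypot field means a bot submitted the form.
  if (body[POLICY.honeypotField]) return { ok: false, reason: "honeypot_filled" };

  // Minimum donation: one-time gifts must meet the floor; recurring may be smaller.
  const amount = Number(body.amount);
  if (!Number.isFinite(amount) || amount <= 0) return { ok: false, reason: "bad_amount" };
  const recurring = body.recurring === true;
  const floor = recurring ? POLICY.minRecurringAmount : POLICY.minOneTimeAmount;
  if (amount < floor) return { ok: false, reason: "below_minimum", minimum: floor };

  // Velocity: card testers submit many cards from one source in minutes.
  if (!limiter.allow(ip, now)) return { ok: false, reason: "rate_limited" };

  // CAPTCHA: checked last so rejected bots never cost a provider round trip.
  if (!verifyCaptcha(body.captchaToken)) return { ok: false, reason: "captcha_failed" };

  return { ok: true, amount, recurring };
}

// Decides whether to keep an authorization the gateway returned. Hypothetical
// result shape: { approved, cvvMatch: "M" | "N" | "U", avsPostalMatch: boolean }.
// Some gateways approve a charge and merely report a CVV or AVS mismatch, so
// the merchant must decline (or void) such charges itself.
function acceptGatewayResult(result) {
  if (!result.approved) return { accept: false, reason: "declined" };
  if (result.cvvMatch !== "M") return { accept: false, reason: "cvv_not_verified" };
  if (!result.avsPostalMatch) return { accept: false, reason: "avs_postal_mismatch" };
  return { accept: true };
}

// Sample use with constructed requests.
const limiter = new SlidingWindowLimiter({ maxHits: POLICY.maxAttemptsPerIp, windowMs: POLICY.windowMs });
const ctx = { ip: "203.0.113.7", now: 0, limiter, verifyCaptcha: (token) => token === "valid-token" };
console.log(validateDonationRequest({ amount: "1.00", captchaToken: "valid-token" }, ctx));
// -> { ok: false, reason: "below_minimum", minimum: 15 }
console.log(acceptGatewayResult({ approved: true, cvvMatch: "N", avsPostalMatch: true }));
// -> { accept: false, reason: "cvv_not_verified" }
```

The order of the checks matters: the honeypot, amount floor and rate limit are free local tests that reject most automated traffic before the CAPTCHA provider or the gateway is ever contacted, which keeps both the provider bill and the gateway's per-attempt fees down during a testing burst. The AVS check here treats only a postal-code match as acceptable; if your donor base includes cards AVS does not cover, handle the gateway's "unavailable" result separately rather than folding it into `false`.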
Credit card fraud targeting nonprofits is a significant, growing problem. Being proactive and following these simple guidelines will help to protect your nonprofit from this type of abuse.
To learn more about what you can do to protect your nonprofit from this type of fraud or inquire about a security audit for your website, contact the experts at The A Group.