Best Practices Make Perfect

How to create a safe, secure online-giving environment

Oct. 11, 2005

By Jackie Christensen

When you think online giving, your first thoughts probably tend toward how accepting donations through your Web site will increase the dollars you raise. In all the excitement of creating compelling donation pages and working with vendors to get the technology you need, there are two key words that should stay in the forefront of your mind -- security and privacy.

Philanthropists are not the only people interested in your online-giving program. Cyber criminals have been known to use nonprofit donation sites to test the validity of guessed or stolen credit cards. If a fraudulent donation is processed, then the criminal knows the number is good and can be used for other charges.

Unfortunately the nonprofit organization is left with the administrative burden of administering refunds, removing fraudulent records from its database, and reassuring donors that its online-giving site is legitimate.

There are a few things you can do to protect your organization -- and the constituents who choose to support you via the Internet. First, make sure your online donation pages are SSL designed. The secure socket layer protocol encrypts all information typed into the forms on your Web pages so hackers can't read it as it travels across the Internet.

You also should require your donors to enter the CVV2 security code on their credit card before they can complete their gift transaction. Card verification value is an authentication process established by credit card companies to further efforts toward reducing fraud for Internet transactions. It consists of requiring a card holder to enter the three- or four-digit CVV2 number at transaction time to verify that the card is on hand. This enhances fraud protection by validating that the donor is in possession of the credit card and that the credit card number is legitimate. While not required by law, this extra layer of security is meant to thwart fraudulent activities and will help your donors feel even more confident about making financial transactions on your Web site.

Finally, you'll want to ensure that you and your partners meet the Payment Card Industry Data Security Standard. This standard, developed by Visa and MasterCard and endorsed by many other payment vendors, requires merchants and member service providers who store, process or transmit cardholder data to:

Build and maintain a secure network;
Protect cardholder data;
Maintain a vulnerability-management program;
Implement strong access-control measures; and
Regularly monitor and test networks.

In terms of privacy, best practices often come down to good ethical practices. Let your donors know you will not sell their e-mail address or continue to send them e-mail solicitation if they request to be removed from your list. Place a "permission to e-mail" or an "opt-in/opt-out" check box on the forms they complete so you can keep track of who wants to hear from you via e-mail, and who would rather not.

If you would like to make your organization's commitment to online best practices and ethical standards more public, you can join other nonprofit organizations and the ePhilanthropy Foundation in signing a petition that supports the secure, private and ethical use of the Internet for philanthropic purposes. You can find that petition online at www.petitiononline.com/Ethics/petition.html.

Jackie Christensen is the ePhilanthropy specialist at Campagne Associates. Reach her via www.campagne.com.