While mobile phones are quickly becoming the preferred option for anything from surfing the web to checking email, there’s still one problem that remains worrisome for a lot of people: transactions on a mobile device. But with the abundance of headlines about recent security breaches, who can blame them?
Fortunately, people do appear to be comfortable with online donations, at least when the transaction is completed on a desktop, as Blackbaud's 2014 Charitable Giving Report shows. Based on data collected from 3,724 nonprofit organizations, online giving grew 8.9% in 2014 compared to 2013, with small organizations growing 10.6% year over year. This increase, along with the 2015 trend so far, suggests that online giving is the future of nonprofit fundraising.1
This information isn’t brand new. Online statistics over the past few years have shown better growth compared to traditional fundraising channels, and a digital fundraising future has already been predicted. But just imagine how online donations would increase if donors were comfortable with the security aspect of completing transactions on mobile devices and had an easy, convenient means of doing so.
More online transactions mean more responsibility for securing donor data. Statistics from a 2013 IACIS case study show that nonprofits aren't necessarily storing, transmitting, and processing their donor data in a safe and secure manner.
Of the 78 Illinois nonprofits that completed the research survey, fewer than half had employees specifically responsible for information security, and only 56.4% reported having an information security policy.2
Ask yourself: Is your organization taking proactive steps to reduce risks of a security breach?
It's easy to feel like security is out of your hands. If a hacker is determined to get my donors' information, how can I stop it from happening, right? However, rest assured that there are measures, completely within your control, that you can take to protect your donors and their donations.
We have three ways you can protect your donors’ information:
Before jumping into our top tips, we recommend you check out our password security guide to get an in-depth look at why online security is essential.
Be transparent: clearly define what information can be released and under what circumstances. Any third party that requests access to personal information should be presented with and held accountable to the same policy.
Limit who can view donor information. There is no reason that EVERYONE in your organization needs access to donor data. Set clear policies and back them with technical controls so that only designated staff, with only the permissions their role requires, can view donor information.
Additionally, anyone who does need access to your donor database should have their own credentials, never a shared login. When every employee uses a separate account, you can assign each user only the permissions they need, and any unauthorized activity can be traced to a specific login and detected more easily.
How you store your donors' sensitive information is just as important. Passwords should never be stored in plain text, and they should not be encrypted either, since anything encrypted can be decrypted: store only a salted, slow password hash, which lets you verify a login without ever holding the password itself. Payment card numbers and other account data should be encrypted or, better still, tokenized so that your systems never hold the real numbers at all.
Simply put, tokenization is a data security measure in which sensitive data is replaced with a "token," a non-sensitive stand-in that, unlike encrypted data, has no mathematical relationship to the original value and so cannot be reversed. Typically, tokens replace credit card or account numbers with a series of randomly generated digits produced by the tokenization provider's own system, and only that provider's secure vault can map a token back to the real number. Tokens usually keep only a small portion of the original (typically the last four digits) so that staff and donors can tell which card a token refers to.
Benefits of using card tokenization include:
- Reduced risk and increased difficulty for attackers to gain access to donor data.
- Using tokens means your own systems hold little or no cardholder data, which shrinks the scope of the PCI requirements that must be met.
Because a token stands in for the card without containing it, the same token can be used again and again, for example for recurring gifts, and since tokens contain no sensitive data, a hacker gains nothing by accessing one.4
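The tokenization scheme described above, as an added example that is not @Pay's or any provider's code: a small hypothetical token vault that is the only component ever holding a real card number. It returns a same-length token that keeps the last four digits, hands the same token back for a returning card (so tokens are reusable), deliberately makes the token fail the Luhn check so it can never be mistaken for a real card number, and only the vault can detokenize. The lookup key, the vault layout and the test card number (the standard Visa test PAN, not a real card) are assumptions for this example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, run before a number is ever stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only place real PANs live. Everything outside
    it (donor database, CRM, receipts, logs) sees tokens only."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key      # secret used to recognise a returning card
        self._pan_by_token = {}            # token -> PAN, the vault's protected store
        self._token_by_fingerprint = {}    # HMAC(PAN) -> token

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        fp = hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]   # same card, same reusable token
        while True:
            # Random digits of the same length, last four kept for display.
            token = "".join(secrets.choice("0123456789")
                            for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject collisions and anything that passes Luhn, so a token can
            # never be confused with (or accidentally charged as) a real card.
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (in practice, your payment processor) can do this."""
        return self._pan_by_token[token]


# Constructed input: the industry-standard Visa test number, not a real card.
TEST_PAN = "4111 1111 1111 1111"


def round_trip(pan: str, key: bytes = b"example-lookup-key") -> tuple:
    """Tokenize twice and detokenize once; returns (token, same_token_again, pan)."""
    vault = TokenVault(key)
    first = vault.tokenize(pan)
    second = vault.tokenize(pan)
    return first, first == second, vault.detokenize(first)
```

What the donor database ends up storing is the token alone; the fingerprint index is what lets a returning donor's card be recognised without ever comparing raw card numbers.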
It’s a complex topic, but if increasing security interests you and you’re willing and able to make the investment, consider hiring a security consultant (or even an in house expert) to help determine an action plan that fits your organization’s needs. But if now is not the right time, bookmark this blog for future use.
To read a complete, simple explanation on tokenization, check out CyberSource’s whitepaper on Tokenization.
Chances are you've heard of PCI and are aware you must comply with it. Still, you may feel intimidated or confused by all the requirements. Meeting the PCI DSS requirements is a necessary step for ANY organization that stores, processes, or transmits credit card information. How you accept cards and your transaction volume determine which specific requirements apply to you. It's important to adhere to these guidelines 1) because your merchant agreement with your payment processor requires it (PCI DSS is an industry standard enforced by the card brands, and non-compliance can mean fines or losing the ability to accept cards), and 2) because failing to do so means putting your donors at unnecessary risk and jeopardizing their trust & support in your organization and your mission.
So how do you make sure you are, and remain PCI compliant?
- Set aside time each month and designate someone to evaluate where you stand. Make it a priority and a routine.
- Visit a site such as Compliance 101 and complete the Self-Assessment Questionnaire that matches how you accept cards (for example, SAQ A applies when a third party such as your payment processor handles all card data for you) to learn what requirements you must meet, and whether or not you are meeting them.
- Keep every system that touches card data patched: missing or outdated security patches are known vulnerabilities, so apply vendor updates promptly rather than relying on add-on software to paper over them.
- Always check the settings of whatever software you use to make sure you aren't running on vendor defaults by accident. Default passwords and settings are publicly documented, and many of them weaken your system.3
For a complete resource on all the guidelines, check out Qualys’ PCI Compliance Guide. (It’s easy to read!)
A data breach or compromised account is often the result of poor password security. Since users have so many accounts to manage, security has taken a back seat to convenience: passwords are reused across sites and chosen to be memorable, which makes them easy to guess or crack. Implementing a passwordless alternative, internally for employees and externally for donors, offers a safer way to access account information.
There are several different types of passwordless login systems, but the two most popular options are:
- Email authentication. To put it simply, email authentication allows donors to authorize payments via their primary email accounts—no password necessary. @Pay’s email authentication technology uses three layers of security measures to ensure that the email request came from an authorized user.
- Biometrics. Instead of a password, biometrics uses a donor's physical characteristics to authorize gifts. You're probably familiar with some form of this login method. For instance, smartphone users can scan their fingerprints to unlock their phone screens.
It's important that you look into the pros and cons of each passwordless option to determine which solution will best fit your needs. For example, email authentication can be used by anyone with an email account and is inexpensive to implement. However, it is only as strong as the donor's mailbox: anyone who can read the email can act on it, so it works best when donors protect their email accounts (for instance with two-factor authentication).
Alternatively, while biometrics can be very secure, donors need a device with scanning capabilities in order to use this method, meaning that it won't be accessible to every donor.
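Email authentication in the general form described above, as an added example; this is not @Pay's system (its "three layers" are not described on this page) but a generic signed, expiring, single-use authorization link of the kind such systems are built on. The server signs the donation details with a secret key, so the link cannot be altered (for example to change the amount); it expires and can be redeemed only once, which limits what a leaked or forwarded email is worth; and because the only proof of identity is the ability to read the mailbox, the mailbox's own security is the second factor. The server key, the time-to-live, the token format and the sample donor are assumptions for this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this example: a real deployment keeps the key in a secret
# store and tunes the lifetime to how quickly donors act on the email.
SERVER_KEY = b"constructed-server-secret"
TOKEN_TTL = 15 * 60  # seconds an emailed authorization link stays valid


class EmailAuthorizer:
    def __init__(self, key: bytes = SERVER_KEY, now=time.time):
        self._key = key
        self._now = now          # injectable clock so expiry can be tested
        self._used = set()       # nonces already redeemed: links are single-use

    def issue(self, email: str, amount_cents: int, charity: str) -> str:
        """Build the token that goes into the link in the donor's email."""
        payload = {
            "email": email,
            "amount": amount_cents,
            "charity": charity,
            "exp": int(self._now()) + TOKEN_TTL,
            "nonce": secrets.token_hex(8),
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag   # hex keeps the whole thing URL-safe

    def redeem(self, token: str):
        """Return the authorized payment details, or None if the link is
        malformed, tampered with, expired, or already used."""
        try:
            body_hex, tag = token.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None              # signature mismatch: contents were altered
        payload = json.loads(body)
        if payload["exp"] < self._now() or payload["nonce"] in self._used:
            return None              # stale link or replay of an old email
        self._used.add(payload["nonce"])
        return {k: payload[k] for k in ("email", "amount", "charity")}


def walkthrough() -> tuple:
    """Constructed scenario: one genuine click, a replay, a tampered amount,
    and an expired link. Returns the four redeem() results in that order."""
    clock = [1_700_000_000]
    auth = EmailAuthorizer(now=lambda: clock[0])
    token = auth.issue("donor@example.org", 2500, "Example Food Bank")
    genuine = auth.redeem(token)
    replay = auth.redeem(token)
    body_hex, tag = token.split(".")
    tampered = bytes.fromhex(body_hex).replace(b"2500", b"250000").hex() + "." + tag
    forged = auth.redeem(tampered)
    late = auth.issue("donor@example.org", 2500, "Example Food Bank")
    clock[0] += TOKEN_TTL + 1
    expired = auth.redeem(late)
    return genuine, replay, forged, expired
```

Note that the amount and charity are bound into the signed payload, so the link authorizes exactly one specific gift; whoever can read the mailbox can complete that gift and nothing else, which is the same limit the post describes in its closing note about @Pay emails.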
Make sure to assess your data security plan regularly and make necessary updates. If you don't assess your system, how do you know in which ways you're putting yourself at risk? It's also a good idea to have a written incident response plan describing what to do if your donors' information becomes compromised, including who to notify and how.
If you feel like your organization doesn’t have the resources to make security a priority, you may want to reconsider and MAKE it one. Data security is a legal matter and is also necessary for building the confidence and trust of your donors. Don’t make the mistake of assuming your organization won’t be targeted. In 2014, charitable giving totaled more than $16 billion.5 Data and statistics like this are exciting for the future of nonprofits—but cyber criminals will undoubtedly take notice too.
About @Pay’s Security:
All @Pay information is handled under strict PCI compliance, and customers' full payment information is stored in the merchant's gateway account, NOT on @Pay's servers. @Pay uses HTTPS for every service it provides: data is encrypted in transit over public networks with industry-standard TLS (the protocol behind SSL certificates). Customer information is stored in a secure database on a network with no public Internet access.
If someone accesses your email account and finds an @Pay enabled donation or bill payment email, NONE of the credit card information is held within that email. The worst that can happen is that a payment or donation is completed for you…but the hacker won’t find any personal information, other than what charity you support or what company is billing you.