September/October 2004

Ask the Expert: Your Questions Answered

Question:
We’d like to add online donation processing to our organization’s Web site. What do we need to know about credit card security?

Answer:
by David Crooke, Founder and Chief Technology Officer, Convio

Online donation processing is an excellent way to reduce costs and manual tasks associated with direct fundraising. However, using the Internet for donation processing requires stringent security processes. Here are a few key issues to consider:

SSL Does Not Necessarily Make It Secure
Many people talk about their “secure” Web sites when they actually mean that the communication between the Web browser (such as Microsoft Internet Explorer® and Netscape®) and the Web server is encrypted using the Secure Sockets Layer (SSL), a standard set of Internet communication rules, for managing the security of message transmissions over the Internet. While using SSL is essential, it is one minor element of an overall security architecture.

People who hack, or break into, Web servers, typically do not do it by tapping into connections from browsers. Instead, they do it by attacking other weak points, including the human element. In fact, about 80 percent* of successful online “break-ins” involve simply stealing passwords to gain access. Therefore, any organization should carefully consider end-to-end security processes before offering online donation processing on its Web site. 

Storing Credit Card Numbers
Another key concern is securing credit card numbers once the Web site has accepted them. Smaller e-commerce software providers are often lax about this aspect of security, so organizations should be careful to understand a provider’s security policies before using the company’s services for online transactions.

In addition, many organizations encrypt their Web databases, mistakenly believing that this protects the data. However, a hacker who breaks into a server gets not only the encrypted data, but also the decryption keys and software, enabling them to obtain the card numbers. There is also the risk of a security breach if credit card data is available to staff members.

The only truly safe solution, which Convio's online software uses, is both simple and bulletproof: Do not store credit card numbers at all. Convio’s donation processing capabilities authorize credit cards in real time, and then immediately discard the card number. Follow-up transactions, including refunds or monthly donations, are processed using one-time reference codes that are tied to the nonprofit's account and useless to a fraudster. Card numbers are only stored by the payment gateway, or the system that manages transactions and connects the Internet to banking networks, whose systems are highly secure.

Fraud is Not the Issue, It’s Carding
Most online transactions are e-commerce purchases, where a company ships goods or other items of value in response to a purchase. So, anti-fraud measures typically are designed to prevent the fraudster from receiving the merchandise. A fraudster has nothing to gain from a counterfeit donation, however, so these measures typically are not useful to nonprofits.

A practice known as “carding,” though, is an issue for nonprofits.  Fraudsters use a low-dollar online donation to test the validity of guessed or stolen card numbers.  Although carding does not defraud the nonprofit, the organization is burdened by the administrative work required to issue a refund to the real credit card holder. Until recently, the only solution was for an organization to use software that monitored the Web site for failed transactions. Today, however, use of additional CVV2 security codes (the 3-4 digit additional numbers on credit cards) is a promising alternative. Unlike the old Address Verification System (AVS), CVV2 was designed for automated fraud protection, and is gaining ground in the USA. (Note: Convio's September product release will offer CVV2 support for all transaction types.)

Conclusion
Strict credit card security is critical for any organization offering online donation processing on its Web site. By keeping in mind key issues when creating security strategy, organizations can help to ensure safe transactions for their online donors.

* Data from Carnegie-Mellon CERT advisory centre.

Have a colleague who might be interested in this topic? Why not forward this article?