When it comes to shielding donor data, payment security is a top priority—but have you ever wondered what part of your nonprofit payment processing system actually protects your donors’ information? If you don’t familiarize yourself with the crucial steps in a payment transaction, you might end up overlooking a key security feature: the payment gateway.
A secure payment gateway makes it safe to give your nonprofit online. Given that the revenue from online donations continues to grow each year, nonprofits must ensure they can securely facilitate these payments.
What is a secure payment gateway?
A payment gateway is a tool that protects donor data during the payment process. More specifically, its role in the online payment process is to encrypt donor data and protect that data from fraud attacks.
The term “payment gateway” is often used interchangeably with the term “payment processor,” but the two aren’t identical. Essentially, the key difference is that the payment processor transmits data while the payment gateway protects data.
For example, if a supporter donates using their credit card, it’s the payment processor that transmits the credit card number to the bank to request a transfer. Simultaneously, it’s the payment gateway that encrypts the data being transmitted, helping ensure it’s safe from fraud or other potential attacks. When the transfer request is approved, the payment gateway authorizes the transaction, letting the transfer proceed.
While this subtle distinction can be important when discussing the fine details of your payment processing system, most nonprofits will likely invest in a payment processing solution with both a processor and gateway.
Why should nonprofits invest in secure payment gateways?
Investing in a secure payment gateway is necessary for collecting online donations and is essential for making sure those donations are sent securely. By investing in a secure payment gateway, your nonprofit can experience a number of benefits including:
- Fraud protection: Due to the nature of donations, nonprofits are particularly vulnerable to a specific type of fraud: donation form fraud, also known as card testing. Essentially, when a credit card is stolen, the thief will test whether the card works by donating to a nonprofit. If your organization ends up processing and then refunding these fraudulent charges, you are left paying chargeback fees, potentially experiencing a hit to your reputation due to being linked to the attack.
- Secure donor information: The encryption features in a payment gateway prevent your donors’ sensitive information from being stolen. Keeping your donors’ information secure helps ensure they will give again and protects donors who have debit or credit card numbers stored with your nonprofit for recurring donations.
- Increased trust: Donors will only share their payment information if they feel it is safe to do so. The presence of a secure payment processing system will help make donors feel more secure about their decision to give, reducing potential cart abandonment and creating a better experience.
When weighing if your organization will be vulnerable to fraud, remember that nonprofits are commonly targeted due to being thought of as small organizations with few protections. Investing in a secure payment gateway can help stop thieves and fraudsters in their tracks, keeping your donors and your nonprofit safe.
What security measures do payment gateways have?
A secure payment gateway keeps data safe thanks to several methods built to defend against potential vulnerabilities. While each payment processing provider prioritizes different security methods or performance aspects, the most effective gateways will have the following security measures in place:
Encryption
Encryption is the process of turning readable data (like a credit card number) into protected data that can only be deciphered by authorized parties. Payment gateways encrypt the data they receive using a unique key, so that only the buyer and the seller (in this case, your supporters and your nonprofit) have access to the confidential data.
Different payment gateways have various levels of sophistication when it comes to encryption. You can assess whether a payment gateway is secure by reviewing its PCI compliance rating.
PCI compliance
To keep payments safe, the Payment Card Industry (PCI) created a checklist of security rules and requirements known as the Payment Card Industry Data Security Standard (PCI DSS). Organizations that meet these standards can receive a PCI compliance certification.
Payment processors that are PCI compliant will have met all requirements on the PCI DSS checklist. The right payment processing system for your organization will be PCI compliant, and your provider should be able to answer any questions you have about their system and credentials.
SSL
Identifying whether a web page has Secure Sockets Layer (SSL) protection is easy: the URL will begin with “HTTPS” and a padlock symbol will appear in the address bar. The presence of these features will help reassure your supporters that their private information is safe on your website.
The SSL protocol protects and encrypts data while it is transferred over public networks, such as the transfer from a web browser to a server. Secure payment gateways use SSL to help protect data when it is transferred between third parties.
Anti-fraud protocols
Fraud happens through a variety of methods, including phishing emails and weak passwords. As mentioned, payment gateways can help you spot and prevent donation form fraud, a common scheme used on nonprofits wherein thieves use donation forms to test whether their stolen credit card information works. It’s important that your payment gateway protects against this type of fraud by encrypting donors’ data. That way, even if the data is intercepted, thieves will not be able to decipher it.
You can also help reduce fraud by enabling CAPTCHA codes on your donation form, requiring donors to enter their credit card’s security code and setting minimum donation requirements. Setting donation minimums may seem odd, but many hackers testing credit card numbers will attempt to enter low, seemingly random amounts to verify if the credit card works—setting a minimum threshold can discourage them from attempting to use your donation form.
Tokenization
Similar to encryption, tokenization hides sensitive information by replacing it with an unreadable series of randomly generated characters. During transactions with tokenization, credit card numbers are stored in a secure central database and a randomly generated token is used in their place.
This helps protect both your supporters and your nonprofit, as donor information can’t be decoded if there is a security breach and sensitive payment information will not be stored directly on your servers.
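To make the difference between tokenization and encryption concrete, here is an added illustration (not code from Deluxe or from any real gateway) of a minimal token vault: the card number is validated, stored only inside the vault, and the nonprofit’s own records keep nothing but a random token and the last four digits. The `TokenVault` class, the `tok_` prefix and the `store_donor_card` helper are assumptions for this example; the card number used is the well-known Visa test number, not a real card.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum on a primary account number (PAN); rejects typos before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the gateway's secure central database.

    The token is random, so nothing about the PAN can be derived from it;
    unlike encryption there is no key that turns the token back into a card number,
    only a lookup that lives inside the vault.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}   # token -> PAN, never leaves the vault

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)   # 128 bits of randomness, unguessable
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the gateway) can resolve a token; the merchant never calls this."""
        return self._store[token]


def store_donor_card(vault: TokenVault, pan: str) -> dict:
    """What the nonprofit keeps for a recurring donor: token plus last four digits, no PAN."""
    token = vault.tokenize(pan)
    return {"card_token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = store_donor_card(vault, "4111111111111111")   # test number, constructed input
    print(record)                                          # e.g. {'card_token': 'tok_...', 'last4': '1111'}
```

If the nonprofit’s database is breached, an attacker obtains `record` and nothing else: the token is useless without the vault, which is exactly the property the text describes.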
What is the best secure payment gateway for nonprofits?
Nonprofits have a variety of secure payment gateways to choose from, but investing in a payment partner that understands the unique needs of nonprofit organizations helps ensure both you and your donors stay safe. Look for features like:
Level 1 PCI compliance
Level 1 is the highest PCI compliance level achievable, meaning that the payment processor must meet certain standards such as maintaining a firewall, encrypting data transmission across public networks and regularly testing security systems.
Advanced fraud protection tools
Your payment processor should go the extra mile to help your organization protect itself against fraud, featuring anti-fraud tools like bank identification number blocking and card verification code requirements. Other security features include:
AVS
AVS, or address verification service, is a fraud detection tool used by secure payment services to check whether a payment’s billing address matches what the issuing bank has on file for the card being used. Secure payment services with AVS can help identify potential fraudulent donations and stop them from being approved.
Tumbling limits for card numbers and names
Credit card tumbling is a type of fraud where thieves have some, but not all, of the payment information needed to complete an online transaction. This means they must guess the missing information, which is why having a ceiling on the number of times information can be entered incorrectly is important to protect against this type of scheme.
Velocity checking and IP blocking
A common sign of fraud is multiple transactions happening in very quick succession from the same IP address. Often, credit card numbers are stolen in bulk through online methods, and the thieves never actually have the physical card. Again, this is where donation form fraud comes into play: To check if a card works, fraudsters will test each number by making a small payment to a nonprofit organization, typically checking many credit card numbers in quick succession. This is why secure payment services check for what is known as IP velocity. If the same IP address is making many payments in a brief period of time, the payment provider can block the IP, preventing potential fraudsters from taking advantage of your nonprofit’s donation form and racking up chargeback fees.
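The three controls described in this section and earlier on the page (a minimum donation amount, a ceiling on failed verification attempts per card, and IP velocity checking with blocking) can be expressed as a small screening pass over incoming donation attempts. The following is an added example written for this page, not Deluxe’s or any gateway’s actual logic; the thresholds, the `Attempt` and `Screener` names, the card tokens and the IP addresses (taken from the documentation ranges) are all constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Thresholds are assumptions for this example; a real gateway tunes them per merchant.
MIN_DONATION = 5.00        # donations below this are declined (card testers use tiny amounts)
IP_WINDOW_SECONDS = 60     # velocity window
IP_MAX_ATTEMPTS = 3        # attempts allowed from one IP inside the window
CARD_MAX_FAILURES = 2      # failed AVS / security-code checks allowed per card ("tumbling" ceiling)


@dataclass
class Attempt:
    ts: int            # seconds since an arbitrary epoch (constructed)
    ip: str
    card_token: str    # opaque token standing in for the card number
    amount: float
    verified: bool     # did the billing address and security code match the issuer's records?


@dataclass
class Screener:
    ip_history: dict = field(default_factory=lambda: defaultdict(deque))
    blocked_ips: set = field(default_factory=set)
    card_failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_cards: set = field(default_factory=set)

    def screen(self, a: Attempt) -> str:
        """Return 'approve' or a 'decline: <reason>' string for one attempt."""
        if a.ip in self.blocked_ips:
            return "decline: ip blocked"
        if a.card_token in self.locked_cards:
            return "decline: card locked"

        # IP velocity: every attempt counts, whether or not it is approved.
        recent = self.ip_history[a.ip]
        recent.append(a.ts)
        while recent and a.ts - recent[0] > IP_WINDOW_SECONDS:
            recent.popleft()
        if len(recent) > IP_MAX_ATTEMPTS:
            self.blocked_ips.add(a.ip)
            return "decline: ip velocity"

        if a.amount < MIN_DONATION:
            return "decline: below minimum"

        # Tumbling ceiling: lock the card after too many failed verifications.
        if not a.verified:
            self.card_failures[a.card_token] += 1
            if self.card_failures[a.card_token] >= CARD_MAX_FAILURES:
                self.locked_cards.add(a.card_token)
                return "decline: card locked"
            return "decline: verification failed"
        return "approve"


# Constructed sample traffic: one genuine donor, one card-testing burst, one tumbling attempt.
SAMPLE_ATTEMPTS = [
    Attempt(0,   "203.0.113.7",  "tok_a", 25.00, True),
    Attempt(10,  "198.51.100.9", "tok_b",  1.00, True),
    Attempt(12,  "198.51.100.9", "tok_c",  1.00, True),
    Attempt(14,  "198.51.100.9", "tok_d",  2.00, True),
    Attempt(16,  "198.51.100.9", "tok_e", 10.00, True),
    Attempt(20,  "198.51.100.9", "tok_f", 50.00, True),
    Attempt(100, "192.0.2.4",    "tok_g", 20.00, False),
    Attempt(105, "192.0.2.4",    "tok_g", 20.00, False),
    Attempt(110, "192.0.2.4",    "tok_g", 20.00, True),
]


def run_demo(attempts=SAMPLE_ATTEMPTS) -> list:
    s = Screener()
    return [s.screen(a) for a in attempts]


if __name__ == "__main__":
    for a, decision in zip(SAMPLE_ATTEMPTS, run_demo()):
        print(f"{a.ts:>4}s {a.ip:<14} {a.card_token} {a.amount:>6.2f} -> {decision}")
```

Two design points worth noting: attempts are recorded against the IP before any other rule fires, so a burst of below-minimum “donations” still trips the velocity limit, and a card that hits the failure ceiling stays locked even when a later attempt finally verifies.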
Flexible payment processing
One drawback some payment gateways have is their inability to accept multiple types of payments. Look for a payment gateway that can process credit, debit and ACH payments so your organization can maximize its fundraising efforts.
Payment gateways are an essential aspect of the payment processor, ensuring the information your donors entrust you with stays secure. Before investing in a payment processor, be sure to take a look at the gateway offered and ask questions about its security features. After all, a well-protected gateway can be the difference between losing public trust and confidence or establishing trusting relationships with your supporters.
Deluxe Merchant Services for Nonprofits
Keep donors’ information safe with secure payment processors designed to support nonprofits.