How Luminate Online supports you in taking secure donations online

Online donation processing is an excellent way to reduce costs and manual tasks associated with direct fundraising. However, using the Internet for donation processing requires stringent security processes. Here are a few key issues to consider:

SSL Does Not Necessarily Make It Secure

Many people talk about their "secure" Web sites when they actually mean that the communication between the Web browser (such as Microsoft Internet Explorer® and Netscape®) and the Web server is encrypted using the Secure Sockets Layer (SSL), a standard set of Internet communication rules, for managing the security of message transmissions over the Internet. While using SSL is essential, it is one minor element of an overall security architecture.

People who hack, or break into, Web servers, typically do not do it by tapping into connections from browsers. Instead, they do it by attacking other weak points, including the human element. In fact, about 80 percent* of successful online "break-ins" involve simply stealing passwords to gain access. Therefore, any organization should carefully consider end-to-end security processes before offering online donation processing on its Web site.

Storing Credit Card Numbers

Another key concern is securing credit card numbers once the Web site has accepted them. Smaller e-commerce software providers are often lax about this aspect of security, so organizations should be careful to understand a provider"s security policies before using the company"s services for online transactions.

In addition, many organizations encrypt their Web databases, mistakenly believing that this protects the data. However, a hacker who breaks into a server gets not only the encrypted data, but also the decryption keys and software, enabling them to obtain the card numbers. There is also the risk of a security breach if credit card data is available to staff members.

The only truly safe solution, which Luminate Online's online software uses, is both simple and bulletproof: Do not store credit card numbers at all. Luminate Online's donation processing capabilities authorize credit cards in real time, and then immediately discard the card number. Follow-up transactions, including refunds or monthly donations, are processed using one-time reference codes that are tied to the nonprofit's account and useless to a fraudster. Card numbers are only stored by the payment gateway, or the system that manages transactions and connects the Internet to banking networks, whose systems are highly secure.

When Fraud is Not the Issue; It's Carding Runs

Most online transactions are e-commerce purchases, where a company ships goods or other items of value in response to a purchase. So, anti-fraud measures typically are designed to prevent the fraudster from receiving the merchandise. A fraudster has nothing to gain from a counterfeit donation, however, so these measures typically are not useful to nonprofits.

A practice known as "carding runs," though, is an issue for nonprofits. Fraudsters use a low-dollar online donation to test the validity of guessed or stolen card numbers. Although carding runs do not defraud the nonprofit, the organization is burdened by the administrative work required to issue a refund to the real credit card holder. Use of additional CVV2 security codes (the 3-4 digit additional numbers on credit cards) is a promising alternative. Unlike the old Address Verification System (AVS), CVV2 was designed for automated fraud protection.


Strict credit card security is critical for any organization offering online donation processing on its Web site. By keeping in mind key issues when creating security strategy, organizations can help to ensure safe transactions for their online donors.

* Data from Carnegie-Mellon CERT advisory centre.