Online donation website security

Australians donate generously to charities. Results from the Australia Giving 2019 report, produced by Good2Give and the CAF (Charities Aid Foundation) Global Alliance, indicated that 68% of Australians had made a financial donation within the previous 12 months.
While giving cash was the most common way of making a donation, completing an online transaction with a bank or credit card was the second most popular method.
With this in mind, it is extremely important that not for profit organisations make sure their online donation platform and all website data remain well-secured.

What can be targeted?
Unlike most commercial e-commerce websites, which have complex shopping carts and multiple layers of security through their checkout process, NFP donation websites tend to be more straightforward and have easy-to-navigate donation forms.
Unfortunately, while these types of ‘donate now’ pages are extremely user-friendly for a potential donor to complete, they can also be targeted by hackers seeking to harvest personal information. This is where you need to have a sharp focus on security and minimise the possibility of donors’ information being compromised.

Keeping data secure
If you are unsure about the security of your online donation platform, then the first step is to speak with your IT service provider and potentially conduct a risk assessment. Once you understand where you are vulnerable, you can put processes in place to improve your cybersecurity.
It’s imperative that you meet all the compliance requirements of the Payment Card Industry Data Security Standard (PCI DSS). If you don’t meet this standard you could experience a range of repercussions.
These include financial losses, damage to your brand reputation, downtime caused by online attacks, legal risks associated with privacy infringements and, ultimately, the termination of your ability to process card transactions.
You need to make sure your data protection solution provider is PCI DSS-compliant. Features such as multifactor authentication, donor fraud protection, credit card and bank account security, and IP security should all be incorporated into your system to protect it from both local and international online threats.

Encryption is essential
If you store or transfer personal information, it is mandatory for you to encrypt your data. It is your responsibility to make sure that your donors are protected from data breaches. Encryption converts original data into an unreadable form or ‘ciphertext’ and keeps it safe from unauthorised access. This is an integral part of your website security.
A TLS certificate (still commonly called an SSL certificate) is central to this security: it proves to the visitor’s browser that it is talking to your genuine web server, and it allows the browser to establish an encrypted connection to that server.
The inclusion of the certificate’s details or specific security icon on your donation page will give your donors peace of mind when they are preparing to input their confidential information.
If you do not have an SSL or TLS certificate on your website, it is likely to be flagged by Google or other search engines as an insecure site. Online visitors will be warned before they enter the site and in some instances will be prevented from accessing your web pages.
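A check that follows from this section, added here as example code rather than anything from the original article: it opens a verified TLS connection to a donation site and then reports a certificate that is expired, close to expiry, not yet valid, or issued for a different hostname. The hostname donate.example.org and the sample certificate dictionary are constructed placeholders, not real values.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Verified TLS handshake (system trust store, hostname check); returns the leaf cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def san_matches(pattern, hostname):
    """Match one DNS subjectAltName entry; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname

def cert_findings(cert, hostname, now=None, warn_days=30):
    """Return a list of problems found in a getpeercert()-style dict, or [] if none."""
    now = now or datetime.now(timezone.utc)
    findings = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        findings.append("certificate is not yet valid")
    if now >= not_after:
        findings.append("certificate has expired")
    elif not_after - now < timedelta(days=warn_days):
        findings.append(f"certificate expires in {(not_after - now).days} days")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(n, hostname) for n in dns_names):
        findings.append(f"no subjectAltName entry matches {hostname}")
    return findings

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "donate.example.org"), ("DNS", "www.example.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None  # live check only when a host is given
    cert = fetch_peer_cert(host) if host else SAMPLE_CERT
    for problem in cert_findings(cert, host or "donate.example.org"):
        print("WARN:", problem)
```

Run with your own donation page’s hostname as the argument; a clean result means the handshake verified against the system trust store and none of the checks above fired.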

Other best practices
In addition to making sure you have optimal website security, there are also some other best practices that should be followed. These include:
- collecting as little information as possible. Not only does this reduce the potential for privacy violations, it also makes the donation process easier for your donor.
- limiting the number of staff members who have access to confidential donor data. It is recommended that organisations follow the ‘principle of least privilege’, where individuals only have access to the information relevant to the tasks they perform.
- having unique credentials for each individual accessing the donor database, so that you can define permissions accordingly and easily identify any unauthorised activity associated with those credentials.
- updating plug-ins and checking payment gateways. This should be a regular part of website administration, as developers often release updates that fix recognised security issues.

Don’t forget to say thank you
In 2020, the ability to receive donations via your website has become more important than ever, with many regular fundraising activities being postponed due to COVID-19 restrictions. Your website is one of the best ways to connect with potential donors and helps to build their trust with your non-profit organisation.
You need to show them that you are serious about data privacy and online security. Plus, don’t forget to say thank you when they go through the process and make their valuable donation.