CRM Magazine had a great article in their recent e-newsletter concerning online security and the concerns that people have about transacting business on the internet. According to a Gartner survey quoted in the article, nearly $2 billion in online sales will be lost in 2006. To quote:
Nearly half of online U.S. adults, or 46 percent of more than 155 million people, say that concerns about theft of information, data breaches, and/or Internet-based attacks have affected their purchasing payment, online transaction, or email behavior. Of all the behaviors affected, online commerce . . . is suffering the highest toll.
You can also find the full article here. But non-profits typically don’t sell items on the internet. So how does that affect the trust relationship in this context?
Most of the time, non-profit organizations have an advantage over traditional e-commerce entities: people who come to our websites to make a gift already know something about us and feel that a level of trust is already established. However, we need to make sure that we do not violate that trust. Here are some things you can do to ensure you keep the trust of your donors:
1. Make sure your giving page has a valid encryption (SSL) security certificate issued by a recognized certificate authority. Thawte and VeriSign are two examples.
2. If you are accepting credit card gifts, you must be Payment Card Industry (PCI) Data Security Standard compliant. The PCI standards specify how you collect and store credit card numbers. The fines for non-compliance are significant. (The fines from Visa: up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.) Give serious thought to #4 below. Here is the PCI License Agreement for review.
3. If you are hosting your own giving page, designed and implemented by your web-development team, ensure that you have adequate hardware and software security and fraud detection systems in place.
4. If you are utilizing a third-party hosting service, make sure that they have adequate security in place so that your donors’ information cannot be compromised. Ask about Payment Card Industry (PCI) Data Security Standard compliance. This is the credit card industry’s security protocol standard. I recommend Cashlinq because I have had great success with them in the past with various clients, but there are others out there.
5. Work with your merchant account provider and your gateway to implement address verification and security code verification systems. These two systems alone will help to eliminate the bulk of fraudulent charge attempts. If you are utilizing a third-party vendor as in #4 above, they will likely take the stress out of this process for you.
6. Avoid extra security steps that frustrate your donors, such as mandatory site registration or additional data-entry fields (“type in the characters you see above”). While they are visible measures that do work, they take longer than donors are willing to tolerate. If the systems in #5 are set up correctly, they will be unnecessary.
7. Make sure you have an internal process established to handle dispute issues when they arise. A donor may press the “submit” button twice and double the charge on their card. How will you handle the duplicate transaction?
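The double-click problem in the last item is easier to prevent than to dispute afterwards. The usual server-side fix is a one-time submission token: the giving page embeds a random token in a hidden form field when it is rendered, and the server charges each token at most once; a second click with the same token gets the original receipt back and no second charge. The example below is added here and is not code from the original post or from any vendor it mentions; the giving page, the token field and the `charge_fn` stub standing in for a real payment-gateway call are all assumptions.

```python
"""Server-side protection against duplicate donation submissions.

Added example (not from the original post). It assumes a hypothetical giving
page that embeds a one-time submission token in a hidden form field when the
page is rendered; charge_fn is a stub standing in for a real gateway call.
"""
import secrets
import threading
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class Receipt:
    receipt_id: str
    amount_cents: int
    duplicate: bool  # True when returned for a repeated submit of the same token


class DonationForm:
    """Issues one-time submission tokens and processes each token at most once."""

    def __init__(self, charge_fn: Callable[[int], str]):
        self._charge = charge_fn                  # charge_fn(amount_cents) -> receipt id
        self._pending: Set[str] = set()           # tokens issued but not yet used
        self._completed: Dict[str, Receipt] = {}  # token -> receipt of the one charge
        self._lock = threading.Lock()

    def render_token(self) -> str:
        """Called when the giving page is rendered; the token goes into a hidden field."""
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._pending.add(token)
        return token

    def submit(self, token: str, amount_cents: int) -> Optional[Receipt]:
        """Handle one form submission.

        Returns None for a token the server never issued (forged or expired).
        A repeated submit of a completed token returns the original receipt,
        flagged duplicate=True, and the card is NOT charged again.
        """
        with self._lock:
            prior = self._completed.get(token)
            if prior is not None:
                # Second click on "submit": hand back the first receipt unchanged.
                return Receipt(prior.receipt_id, prior.amount_cents, duplicate=True)
            if token not in self._pending:
                return None
            # Consume the token before charging so that two near-simultaneous
            # submits cannot both reach the gateway. The lock serializes charges
            # here; a production system would use a database row keyed on the
            # token with a unique constraint to get the same guarantee.
            self._pending.discard(token)
            receipt = Receipt(self._charge(amount_cents), amount_cents, duplicate=False)
            self._completed[token] = receipt
            return receipt


def simulate_double_click(amount_cents: int = 5000) -> Dict[str, object]:
    """Render a page, submit the same token twice, and report what happened."""
    charges = []  # constructed stand-in for the gateway's charge log

    def fake_charge(cents: int) -> str:
        charges.append(cents)
        return f"rcpt-{len(charges)}"

    form = DonationForm(fake_charge)
    token = form.render_token()
    first = form.submit(token, amount_cents)
    second = form.submit(token, amount_cents)
    return {
        "charges_made": len(charges),
        "first_receipt": first.receipt_id,
        "second_receipt": second.receipt_id,
        "second_was_duplicate": second.duplicate,
    }


if __name__ == "__main__":
    print(simulate_double_click())
```

The key design choice is that the duplicate path is answered from the server's own record rather than by asking the donor or the gateway: the donor sees the same receipt both times, and there is nothing to refund or dispute later. Disabling the submit button in the browser is a reasonable addition, but it is a courtesy, not a control, because it does not survive a page reload or a slow connection.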
Remember, security does not have to be intrusive, but it does need to provide your donors with confidence. Putting these basic systems in place will help to protect your donors and protect the integrity of your organization.