One of the primary goals for your nonprofit website is to gain the confidence and trust of your donors. The best way to build that trust is to show them you take their online privacy and security seriously. Security should not be underestimated.
Many nonprofits underestimate the likelihood and magnitude of an attack on their website, often presuming that if they’re not large enough, they’re not a target. This couldn’t be further from the truth. Industry surveys show that upwards of 90 percent of organizations experience some form of security incident, with nearly half involving the loss of sensitive data. The costs, fines, and brand damage resulting from these attacks range from thousands to millions of dollars. As a site administrator or developer, you need to treat security as a top-level priority to protect your organization and your customers’ personally identifiable information (PII).
Each state and country has its own definition of what counts as PII, but it normally includes the information you would expect, such as credit card numbers and social security numbers, and sometimes other data that many would not think of as confidential. So what are the best ways to make sure you are protecting your users and their online donations? Here are the top five ways to secure your site against hackers and anyone else wanting to misuse data:
“When thinking about nonprofit security best practices, always remember what is being protected: valuable donor relationships. Donor trust – or lack thereof – directly impacts a nonprofit’s ability to fundraise successfully.” Bill Sayre, Nonprofit Marketing Guide
1. Only Collect Information You Need
This may seem obvious, but many organizations collect vast amounts of data because they think that the more data they have, the better. However, the more data you collect, the more you stand to lose, and the greater the risk to both your customers and your organization.
Hackers cannot steal what you don’t have. There is no reason to store thousands of unnecessary records about your customers and take on the additional risk and liability. At no time should you store, even temporarily, full credit card numbers, expiration dates, or CVV2 codes. Doing so directly violates PCI requirements and can lead to significant fines and even the loss of your ability to process payment cards.
Think of it this way: store only the minimal sensitive data you need for chargebacks and refunds. The risk of a breach outweighs the convenience for you and your customers at checkout.
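As an added example (not from the original article), here is how a donation backend can apply this principle: persist only an allow-list of gateway fields, and redact any card number a donor types into a free-text field. The gateway response field names are assumptions for illustration, not a real gateway's API.

```python
"""Store only what refunds and chargebacks need; never persist full card data.
Added example; the gateway response field names are illustrative, not a real API."""
import re
from typing import Any

# Fields kept from the gateway response (illustrative names).
ALLOWED_FIELDS = {"transaction_id", "amount_cents", "currency", "card_brand",
                  "card_last4", "created_at"}
# Runs of 13-19 digits, optionally separated by spaces or dashes, as card numbers are typed.
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Payment-card checksum; distinguishes a card number from an order or phone number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid digit run, e.g. a card number a donor typed into a free-text note."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return "[REDACTED-PAN]" if luhn_valid(digits) else match.group(0)
    return _DIGIT_RUN.sub(_mask, text)


def storage_record(gateway_response: dict[str, Any], donor_note: str = "") -> dict[str, Any]:
    """Build the row we persist: allow-listed gateway fields plus a redacted note.
    Anything not allow-listed (full number, expiry, CVV2) is dropped without being copied."""
    record = {k: v for k, v in gateway_response.items() if k in ALLOWED_FIELDS}
    last4 = str(record.get("card_last4", ""))
    if not re.fullmatch(r"\d{4}", last4):
        # A full number smuggled in under the last4 field would otherwise be stored.
        record.pop("card_last4", None)
    record["donor_note"] = redact_pans(donor_note)
    return record
```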
2. Encrypt All Communications To and From Your Website
This one is a MUST for any site receiving or sending sensitive information. ALWAYS encrypt communications to and from your website with an SSL certificate purchased from a trusted certificate authority. It is also now recommended to protect your entire site with SSL, not just the pages that contain forms.
Though commonly all referred to as SSL (Secure Sockets Layer), it is important to make sure you are using its more up-to-date successor, TLS (Transport Layer Security), as recent vulnerabilities have rendered old versions of SSL insecure. If you are unsure whether you are using TLS, check with your hosting provider or test the server’s configuration with a scanning tool. These certificates are a relatively inexpensive way to keep a hacker from listening in on private communications between the browser (your customers) and the server (your organization).
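An added example, not part of the original post, of the check described above: it reports which TLS version and cipher your site negotiates, how many days remain on the certificate, and whether the server still accepts TLS 1.0 or 1.1. The hostname and port are supplied by the caller.

```python
"""Audit a site's TLS setup: negotiated version, certificate expiry, and whether legacy
protocol versions are still accepted. Added example; live checks need network access."""
import socket
import ssl
import time
from typing import Optional

ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}  # SSLv2/3 and TLS 1.0/1.1 are deprecated

def classify_protocol(version: str) -> str:
    """'ok' for TLS 1.2/1.3, 'weak' for anything older."""
    return "ok" if version in ACCEPTABLE else "weak"

def cert_expiry_epoch(not_after: str) -> float:
    """Epoch seconds for the 'notAfter' string that getpeercert() returns."""
    return float(ssl.cert_time_to_seconds(not_after))

def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days left on the certificate (negative once it has expired)."""
    now = time.time() if now_epoch is None else now_epoch
    return int((cert_expiry_epoch(not_after) - now) // 86400)

def negotiated(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect as a browser would (chain and hostname verified) and report the result."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(),
                    "protocol_status": classify_protocol(tls.version()),
                    "cipher": tls.cipher()[0],
                    "issuer": dict(x[0] for x in cert["issuer"]).get("organizationName"),
                    "days_until_expiry": days_until_expiry(cert["notAfter"])}

def accepts_legacy(host: str, version: ssl.TLSVersion, port: int = 443) -> bool:
    """Pin the client to one legacy version; True means the server completed that handshake.
    False can also mean this client's OpenSSL refuses it, so confirm with a dedicated scanner."""
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ValueError, OSError):
        return False
```

Call `negotiated("your-site.example")` for the report, and `accepts_legacy(host, ssl.TLSVersion.TLSv1)` and `accepts_legacy(host, ssl.TLSVersion.TLSv1_1)` to see whether the legacy versions are still enabled.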
“Hackers target the nonprofit community because they are mindful that you are probably understaffed and ill prepared to combat their attacks.” Renata Poe Massie, Jitasa Nonprofit Blog
3. Limit Your Risk By Using A Modern Payment Gateway API
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards for organizations that handle credit card payments from all major credit cards. This standard was created to increase controls and guidelines around cardholder data to reduce fraudulent activity, protecting both customers and organizations.
Organizations that process credit card payments, even through payment processors, must be audited annually to prove they meet the latest version of PCI DSS. Most organizations taking online payments can do this through a SAQ (Self-Assessment Questionnaire). The payment gateway your organization uses can change the level of audit required.
Luckily, popular payment gateways are keeping up with the latest standards and provide ways to limit the level of audit necessary. If possible, it is best to be covered under SAQ A, the minimal level, which applies to sites that do not directly handle credit card data. This was traditionally achieved with a hosted payment page, but the user experience of these pages is often lacking. Instead, many modern payment gateways offer a direct-post API, which allows the form to remain on the organization’s site while posting the card information directly to the gateway, just as a hosted page would.
The PCI council has recognized this scenario and created SAQ A-EP, a sub-category of SAQ A, to cover it. Several providers offer this nowadays, including Stripe, Authorize.net, and Braintree, among others.
4. Manage Your Keys Outside Your Codebase
More and more, websites are connected to numerous external systems and services that handle customers’ sensitive information and critical business functions. To mitigate the risk of an unauthorized person accessing these systems and walking away with your customers’ sensitive information, the keys and tokens used by these APIs must be secured.
This means removing them from application code repositories and databases, encrypting them, and storing them securely off-site. If the site is compromised, this limits the possible damage, because the compromise does not expose every connected system. Look for key management solutions that are easy to implement and configure and that work with your existing platforms.
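Added example (not from the article) of both halves of this step: loading a gateway credential from the environment at runtime, and a simple scan of a repository checkout for credentials that were committed anyway. The Stripe key prefix is the one Stripe documents publicly; the generic pattern and the sample source are constructed for illustration.

```python
"""Keys outside the codebase, two halves: read gateway credentials from the environment at
runtime, and scan a checkout for credentials that were committed anyway. Added example."""
import os
import re
from pathlib import Path

# Illustrative patterns only: Stripe's documented secret-key prefixes, plus a generic
# "<something>_key = '<long literal>'" assignment. Extend for the gateways you actually use.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}"),
    "hardcoded_key_assignment": re.compile(
        r"(?i)\b(?:api|secret|private|gateway)_?(?:key|token|secret)"
        r"\s*[:=]\s*['\"][A-Za-z0-9_\-/+=]{16,}['\"]"),
}
SKIP_DIRS = {".git", "node_modules", "vendor"}

def load_secret(name: str) -> str:
    """Fetch a credential from the environment, which your host or secrets manager populates.
    Failing closed beats a hard-coded fallback that ends up in the repository."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; configure it outside the codebase")
    return value

def scan_text(text: str, source: str = "<string>") -> list:
    """One finding per line that looks like a committed credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": source, "line": lineno, "kind": kind})
                break
    return findings

def scan_repo(root: str) -> list:
    """Walk a checkout and scan every file, skipping VCS and dependency directories."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or SKIP_DIRS.intersection(path.parts):
            continue
        findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return findings

# Constructed sample: one committed Stripe-style key, one config token, one line done correctly.
SAMPLE_SOURCE = """STRIPE_SECRET_KEY = "sk_live_CONSTRUCTEDSAMPLEKEY0001"
gateway_token: "0123456789abcdef0123"
STRIPE_SECRET_KEY = os.environ["STRIPE_SECRET_KEY"]
"""
```

Running `scan_repo(".")` from a checkout lists each offending file and line; `scan_text(SAMPLE_SOURCE)` shows the two findings on the constructed sample and none for the line that reads from the environment.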
5. Update Everything
This may seem like system administration 101, but keeping your code up to date and patched regularly is the easiest, cheapest, and most effective way to keep your site secure. Developers release updates regularly to launch new features, but many times an update exists to fix a known security hole. Whether it is the core or an additional plugin, updates released for security reasons should be applied as soon as possible.
In the most urgent cases, you have only a few hours before automated attacks start compromising sites. Many mainstream hacks and breaches are noted to have occurred on websites running out-of-date versions of their core or plugins. Luckily, WordPress has a core function that allows automatic updates for minor releases. While there is a risk that a small automatic update will cause an issue, it’s better to be protected by security releases: a minor error on a page is better than a total breach of your entire site.
“You may not be able to protect against every possible threat to your nonprofit’s data, but an estimated 90% of data breaches are preventable. And preventing them is not rocket science; it’s policies, procedures, and people!” Adam White, National Council of Nonprofits
The Bottom Line is Trust
One of the primary goals for your website is to gain the confidence and trust of your customers. The best way to build that trust is to show them you take their online privacy and security seriously. With these five simple steps you will be taking a defense-in-depth approach to protecting their data, your organization, and the community at large.
Donating online gives organizations the opportunity to reach a global audience and launch campaigns in real time, impacting people and causes immediately. With donations and giving continuing to rise and at an all-time high, it’s an exciting time for organizations to continue growing and building stronger relationships with donors. Emphasizing online security will lead to happier customers and, most importantly, more online donations!