Nonprofit Payment Security Practices: The Essential Guide

Online fundraising has been on the rise for a while, accounting for 8.7% of total giving during 2019. Now, with a global pandemic requiring social distancing guidelines and putting most in-person donor engagements on pause, your online fundraising is more essential than ever and your best bet for filling the gaps in your nonprofit revenue.

As your virtual fundraising efforts become more of a priority and the top way your organization can sustain itself, it’s worth it to look over your current processes to maximize every opportunity. This means taking a look at the online strategies you have in place and the tools you utilize to pull it off. One of your most fundamental tools is your payment processor, especially in terms of security.

Nonprofit payment security is a topic that not many organizations have explored, but it’s critical to increase your online fundraising and set your nonprofit up for growth. After all, your donors go out of their way to give and support your mission; the least you can do is protect their data.

In this guide, you’ll be learning just why security is crucial in nonprofit payments through the following questions:

  1. What does nonprofit payment processing involve?
  2. Why is nonprofit payment security important?
  3. What are the top nonprofit payment security features?

With a solid knowledge of nonprofit payment security, your organization is better able to engage donors and provide them with an enjoyable and seamless experience. Let’s begin!

1. What does nonprofit payment processing involve?

To best understand nonprofit payment security, let’s first go over what the payment process involves. Nonprofit payment processing has specific caveats that differentiate it from other online transactions, mostly because of the very nature of donating. Sometimes a donor might want to enroll in a recurring payment program, and a dedicated nonprofit payment processor is your best bet towards that.

Before we dive into the process steps, let’s review some common terms:

  • Online Donation Tool. This is not your payment processor, but rather the tool that lets you accept online gifts. With a donation form, your online donation tool records your donors’ information and works with your payment processor to ensure your organization collects the funds.
  • Merchant Account. This is where your nonprofit funds are held and processed before you have access to them. From here, the funds can be transferred to your organization’s main bank account. Your merchant account is either set up between you and a merchant-acquiring bank or by your payment processor.
  • Third-Party Payment Processor. This tool is the middleman between the merchant and the donors’ banks/funds. It works to authorize each online gift and connects the nonprofit to a merchant account. Third-party payment processors describe both large aggregators and more dedicated tools.
  • Aggregator. This is a large company that processes online transactions for a variety of organizations. Popular examples are PayPal and Venmo. Aggregators are convenient for anyone to use, but all of your funds will be stored in a shared merchant account. This means other organizations’ funds are stored with your nonprofit’s, and you might only be paid out once a month instead of having more immediate access. Because the merchant account is shared, you might also run into security issues if another merchant’s data is compromised.
  • Dedicated payment processor. There’s a common payment processing myth that these are the same as aggregators, but there are key differences. Unlike an aggregator, a dedicated payment processor allows you to have your own merchant account and is equipped with capabilities specifically made for nonprofits.
  • ACH payment. This refers to any online transaction made through the Automated Clearing House network and accounts for both debit and credit payments. While those processes differ, ACH payments generally help move funds between accounts and keep records of these transactions.

You’ve likely picked up most of this information when you started your nonprofit, but it’s always a good idea to get a refresher and remind yourself of the most critical points.

2. Why is nonprofit payment security important?

As you can see, your donors’ funds actually go through several phases before they’re available for use by your nonprofit. From the online donation tool to the merchant account to your nonprofit’s bank account, there are also more opportunities for fraud.

To better understand just exactly why nonprofit payment security is so important, let’s explore the following examples of common scams that are used to take advantage of donors:

  • ACH fraud describes one of every nonprofit’s biggest nightmares: A hack into their donor database. This way, scammers can easily find your donors’ financial information. They often make a substantial donation to your nonprofit with the stolen funds and request a refund from you and the bank. The scammer then receives double the stolen money, from the nonprofit and the bank, and your donor’s information is still compromised.
  • Donation form fraud is a common scam that involves stolen credit card numbers. These numbers can often be obtained through email phishing scams or a database hack, which scammers then use to submit a donation and then request a refund.
  • Card tumbling involves testing out randomly generated credit card numbers until one works. Scammers would test these numbers within your online donation form, and if one works, they make a large donation and then request a refund.
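
The card tumbling pattern described above leaves a recognizable trace in donation-form logs: many declined attempts on different cards from one source, followed by an approved gift. The following is an added example, not part of the original guide or any vendor's tool; the log fields, the window and the threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of donation-form attempts (not real data).
# Fields: time, source address, card fingerprint, amount, processor result.
# card_fp stands for a token or fingerprint; raw card numbers are never logged.
ATTEMPTS = [
    ("2020-06-01T10:00:00", "203.0.113.7", "fp01", 1.00, "declined"),
    ("2020-06-01T10:00:20", "203.0.113.7", "fp02", 1.00, "declined"),
    ("2020-06-01T10:00:40", "203.0.113.7", "fp03", 1.00, "declined"),
    ("2020-06-01T10:01:00", "203.0.113.7", "fp04", 1.00, "declined"),
    ("2020-06-01T10:01:30", "203.0.113.7", "fp05", 500.00, "approved"),
    # A genuine donor who mistyped a card number once, then succeeded.
    ("2020-06-01T10:05:00", "198.51.100.20", "fp10", 25.00, "declined"),
    ("2020-06-01T10:06:00", "198.51.100.20", "fp11", 25.00, "approved"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT_DECLINED = 3       # assumed threshold of distinct declined cards

def find_card_tumbling(attempts, window=WINDOW, limit=MAX_DISTINCT_DECLINED):
    """Return approved gifts that follow a burst of declines on different cards."""
    recent = defaultdict(deque)  # source -> (time, card_fp) of recent declines
    flagged = []
    for ts, source, card_fp, amount, result in sorted(attempts):
        now = datetime.fromisoformat(ts)
        declines = recent[source]
        # Forget declines that are older than the look-back window.
        while declines and now - declines[0][0] > window:
            declines.popleft()
        if result == "declined":
            declines.append((now, card_fp))
            continue
        distinct = {fp for _, fp in declines}
        if len(distinct) >= limit:
            # Hold this gift for manual review before settling or refunding it.
            flagged.append({"time": ts, "source": source, "card_fp": card_fp,
                            "amount": amount, "declined_cards": len(distinct)})
    return flagged

if __name__ == "__main__":
    for hit in find_card_tumbling(ATTEMPTS):
        print("review before refund:", hit)
```

A gift flagged this way should be reviewed before any refund request against it is honored, since the refund is how the scam pays out.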

If any of the above situations happen to your organization, it can come with many consequences. According to iATS Payments, a dedicated nonprofit payment processor, there’s a big risk in losing your donors’ trust and tarnishing your organization’s reputation. That can be hard to bounce back from for any size nonprofit. The quality of your nonprofit payment security lies in the tools that you use. For a list of qualified online donation tools, check out this article.

3. What are the top nonprofit payment security features?

We’ve gone over the basics of nonprofit payment processing and the various fraudulent scams that can plague your organization without dedicated security features. Now, let’s explore exactly what those security features are:

  • VPN (Virtual Private Network). VPNs work to prevent fraudulent payments and unauthorized users. With a series of connections, the VPN encrypts your data, ensures your connection is secure and protects that data.
  • Payment Gateway. As the information from your online donation tool goes through your payment processor, it also goes through a payment gateway. The payment gateway simply helps transfer the data, protecting sensitive information and preventing any fraudulent activity until it reaches the merchant account.
  • PCI compliance. The Payment Card Industry group’s series of official safety protocols is something that each organization processing online transactions should know. All payment tools should follow PCI standards for data storage, processing, and transmission in order to prevent fraud.
  • PCI certification. While PCI compliance is necessary for online payment tools, to get the most security and protection, you should find a tool that is PCI certified. PCI certification is more and more common as scammers and data breaches become more invasive. For a tool to become PCI certified, it requires an intensive PCI DSS audit performed by a qualified security assessor. These security experts validate the payment process and tool to ensure that it upholds its security standards.

There’s no excuse for your nonprofit payment processor not to take the steps above to protect your donors. Make sure to do your research carefully and invest in a tool that is as committed to security as you are. As soon as users enter their information on your online donation page, they should be assured that their payment safely and quickly makes it to your organization.

To better understand how these security features fit into the entire payment process, let’s break down the payment processing order with security in mind:

  1. A donor submits an online gift through your donation tool.
  2. Your payment gateway either verifies the transaction or flags it for fraud.
  3. If the transaction is approved, it is sent to the payment processor.
  4. Your payment processor submits a fund transfer request through the ACH network, where it is either approved or rejected.
  5. Depending on whether it’s debit or credit, the ACH payment request is then sent to a credit card network or processed as a payment directly with the donor’s bank account.
  6. Once that transaction is also approved, the funds are then sent back through the ACH network.
  7. From there, the funds should be placed in your merchant account. If you use a payment aggregator, you will share the account with others and the funds will likely be sent to your main bank account at a later time. With your own merchant account, you have more immediate access and less risk of compromise from others.
  8. The funds are then transferred from your merchant account to your organization’s bank account.

As you can see, your security features actively protect your donors’ data and ensure that the funds safely make it into your bank account. Invest in a dedicated nonprofit payment processor to maximize success and improve security.

Nonprofit payment security may seem like a daunting topic, but hopefully, this guide walked you through the essential points to help you move forward with confidence. Just remember, your donors are some of the most influential people to the success of your organization! Protecting donor data does just as much for you as it does for them.


This was a guest post contributed by iATS Payments.

Robbie Bernstein, an iATS Payments Account Executive, uses her wealth of payment processing knowledge to help nonprofits thrive. Robbie puts her heart into fundraising for cancer research, the Make a Wish Foundation and the Heart and Stroke Foundation.
