Payments

Secure Payment Gateway for Nonprofits: What You Need to Know

Jul 12, 2022

You know that payment security is a top priority for shielding donor data, but what part of your nonprofit payment processing system actually protects your donors’ information? If, like many nonprofit professionals, you aren’t familiar with each step in a payment transaction, you might end up overlooking a key aspect of potential payment processors: the payment gateway.

A secure payment gateway makes it safe to give to your nonprofit online. Given that the share of donations made online is increasing year over year, ensuring that your nonprofit can securely accept these payments is essential.

To help your nonprofit get a better sense of what a payment gateway is and how it works, this article will answer a few essential questions about this important payment processing tool:

If you’re ever unsure what exactly an aspect of your payment gateway does, this guide can help fill in the blanks. Let’s get started!

What is a Secure Payment Gateway?

A payment gateway is the component of an online payment system that captures a donor's card details from your donation form and hands them securely to the processor. Its job is to encrypt (and usually tokenize) the card data so that it is never exposed in transit or on your own servers, and to apply fraud checks before the transaction goes any further.

The terms "payment gateway" and "payment processor" are often used interchangeably. The rough distinction is that the gateway is the secure front door that captures and protects the card data, while the processor is the back end that routes the transaction to the card networks and the donor's issuing bank.

For example, if a supporter donates with a credit card, the gateway encrypts the card number as it leaves the donor's browser and passes it to the processor, which forwards the authorization request through the card network to the bank that issued the card. The issuing bank, not the gateway, approves or declines the charge; the gateway relays that decision back to your donation form, and if the charge was approved the funds are later settled to your account.

This distinction matters when you discuss the fine details of your payment processing system, but most nonprofits buy a solution that bundles a processor and a gateway, so in day-to-day use you will rarely need to separate the two.

Why Should My Nonprofit Invest in a Secure Payment Gateway?

While earning donations is important for your nonprofit, you likely spend less time thinking about how each donation is transferred. However, investing in a secure payment gateway is necessary for collecting online donations in the first place and essential for making sure those donations are sent securely.

By investing in a secure payment gateway, your nonprofit gains a number of benefits, including:

  • Fraud protection. Nonprofits are particularly exposed to one specific type of fraud: card testing. A fraudster holding a batch of stolen card numbers runs small transactions to find out which cards are still live, and donation forms are an attractive test bench because they accept arbitrary amounts with little friction. If your organization processes and then refunds these fraudulent charges, you pay the chargeback and processing fees, your processor may raise your rates or close your account, and your reputation suffers from being linked to fraud.
  • Secure donor information. A gateway's encryption and tokenization keep your donors' card numbers off your own systems, so a breach of your website or database does not expose them. This matters most for donors who keep a card on file for recurring donations, and keeping their information secure makes them more likely to give again.
  • Increased trust. Donors give only when they believe their payment information will be safe. A visibly secure payment system reassures them at the moment of decision, reducing abandoned donation forms and making for a better giving experience.

When weighing whether your organization is exposed to fraud, remember that nonprofits are commonly targeted because they are assumed to be small organizations with few protections. A secure payment gateway with fraud controls enabled removes that easy target, keeping your donors and your nonprofit safe.

What Security Measures do Payment Gateways Have?

Your nonprofit's secure payment gateway keeps card data safe through several complementary controls, each addressing a different way the data could be exposed. Providers prioritize these controls differently, but the most effective gateways will have the following security measures in place:

Encryption

Encryption turns readable data, such as a card number, into ciphertext that can only be read by a party holding the right key. A gateway encrypts card data as soon as it is captured, in the donor's browser or on the gateway's hosted form, and decrypts it only inside its own PCI-validated environment. Note that your nonprofit is not one of the parties holding a key: the whole point is that the card number travels from the donor to the gateway without ever being readable on your systems.

Gateways differ in how they implement encryption and key management, and you cannot inspect this directly. What you can do is ask for the provider's PCI DSS validation: a current Attestation of Compliance (AOC) and listing as a Level 1 service provider are the strongest signals. Compliance is a baseline, not a guarantee, so also ask where decryption happens and how keys are stored and rotated.

PCI Compliance

To keep payments safe, the PCI Security Standards Council, founded by the major card brands, maintains the Payment Card Industry Data Security Standard (PCI DSS), a set of twelve requirements that apply to any organization that stores, processes, or transmits cardholder data. Service providers such as gateways validate compliance through an annual assessment; the deliverables are a Report on Compliance and an Attestation of Compliance (AOC), which a provider should be willing to show you. There is no permanent "certification": validation is only as good as the most recent assessment.

A PCI DSS compliant gateway or processor will have met the twelve high-level requirements of the standard, paraphrased here:

Check whether a secure payment gateway meets the criteria for PCI compliance before making an investment.

  1. Install and maintain a firewall configuration to protect cardholder data. Firewalls restrict which traffic may enter and leave the network segments that handle card data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters. Default credentials and settings are public knowledge and are the first thing an attacker tries; a provider should change them before a system goes live and should require you to set your own administrative credentials.
  3. Protect stored cardholder data. Store the card number only when there is a business need, render it unreadable (encryption, truncation, or tokenization) wherever it is stored, and never retain sensitive authentication data such as the CVV or full magnetic-stripe or chip data after authorization, even in encrypted form.
  4. Encrypt transmission of cardholder data across open, public networks, using strong protocols such as current versions of TLS.
  5. Protect all systems against malware and regularly update anti-virus software, so that a compromised workstation or server cannot be used to capture card data.
  6. Develop and maintain secure systems and applications. The provider should patch known vulnerabilities promptly and assess risk routinely, including in the code of its own payment pages and APIs.
  7. Restrict access to cardholder data by business need to know. Only staff whose job requires it should be able to see payment data, enforced through role-based permissions.
  8. Identify and authenticate access to system components. Every user gets a unique ID so that actions can be traced to a person; shared accounts are prohibited, strong password rules apply, and multi-factor authentication is required for administrative access to systems that handle card data.
  9. Restrict physical access to cardholder data. Paper records, removable media, and servers all count; implement physical controls and securely destroy anything no longer needed.
  10. Track and monitor all access to network resources and cardholder data. Audit logs let you reconstruct what happened, when, and by whom, and must be retained and reviewed.
  11. Regularly test security systems and processes, including vulnerability scanning and penetration testing, so that weaknesses are found before an attacker finds them.
  12. Maintain a policy that addresses information security for all personnel. Many incidents start with a person, such as an employee clicking a link in a phishing email; a written policy and basic security awareness training for all staff are part of the standard.

The right payment processing system for your organization will be PCI DSS compliant, and your provider should be able to answer your questions about its controls and to share its current Attestation of Compliance.

SSL/TLS

Checking whether a web page is served over an encrypted connection is easy: the address begins with https:// and the browser shows a padlock in the address bar. The padlock means the connection is encrypted and the certificate is valid for that domain; it does not by itself mean the site is trustworthy, so donors should also confirm that the domain is actually yours or your gateway's.

The protocol doing this work is Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). The SSL name has stuck, but every version of SSL itself is deprecated and should be disabled, with TLS 1.2 or later as the expected minimum. TLS encrypts data in transit between the donor's browser and your donation page or the gateway's hosted form, and again between the gateway and the processor, so that card data cannot be read or altered on the way.

Anti-Fraud Protocols

Fraud takes several forms, from phishing emails aimed at your staff to weak or reused passwords on your administrative accounts. As mentioned, the form most specific to nonprofits is card testing, in which fraudsters use donation forms to find out which stolen card numbers still work.

Encryption will not stop card testing: the fraudster is a legitimate-looking user of your form, and each test transaction is encrypted just like a real donation. What stops it is the gateway's fraud tooling: velocity checks that limit attempts per card, IP address, or time window; address verification (AVS); requiring the card security code (CVV); and blocking specific card BINs or IP ranges. Encryption and tokenization protect the data if your systems are breached; fraud controls protect the form from being abused.

On your side, you can reduce card testing by enabling a CAPTCHA on the donation form, requiring the card security code, and setting a minimum donation amount. The minimum may seem odd, but card testers typically submit very small, seemingly random amounts, often a dollar or less, because they only want to see whether the card authorizes; a floor on the amount makes your form a less attractive test bench. Set it low enough that genuine small donors are not turned away, and watch for clusters of declines from one IP address or one card BIN, which are the clearest signature of testing.
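The signals described above (velocity, many distinct cards from one source, tiny amounts, and a high decline ratio) can be checked with a few lines of code. The following is an added example, not iATS's own fraud engine or any page code: it runs a sliding-window detector over a constructed batch of authorization attempts. The `Attempt` record, the thresholds, and the sample IP addresses are assumptions for illustration; real deployments tune the thresholds against their own traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Attempt:
    """One authorization attempt as the gateway or your form handler sees it (assumed layout)."""
    ts: datetime
    ip: str
    bin6: str      # first six digits of the card (the BIN); storable under PCI DSS
    last4: str     # last four digits; storable under PCI DSS (never the full PAN)
    amount: float
    approved: bool


# Thresholds are assumptions for this example; tune them against your own traffic.
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_IP = 5        # velocity: this many attempts within WINDOW
MAX_DISTINCT_CARDS_PER_IP = 3  # one donor rarely tries three different cards
LOW_AMOUNT = 2.00              # card testers probe with tiny amounts
MAX_DECLINE_RATIO = 0.5        # most of a tester's cards are already dead


def flag_card_testing(attempts):
    """Return {ip: [reasons]} for source IPs whose behaviour in any WINDOW-length
    span looks like card testing. A window starts at each attempt in time order."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, rows in by_ip.items():
        reasons = set()
        for i, start in enumerate(rows):
            window = [r for r in rows[i:] if r.ts - start.ts <= WINDOW]
            if len(window) >= MAX_ATTEMPTS_PER_IP:
                reasons.add("velocity")
            if len({(r.bin6, r.last4) for r in window}) >= MAX_DISTINCT_CARDS_PER_IP:
                reasons.add("many_cards")
            if sum(1 for r in window if r.amount <= LOW_AMOUNT) >= 3:
                reasons.add("low_amounts")
            declines = sum(1 for r in window if not r.approved)
            if len(window) >= 4 and declines / len(window) >= MAX_DECLINE_RATIO:
                reasons.add("decline_ratio")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged


# Constructed sample traffic: a card tester at 203.0.113.7 cycling through six cards
# at $0.50-$2 each, and a genuine donor at 198.51.100.20 (one decline, then a retry).
T0 = datetime(2022, 7, 12, 9, 0, 0)
SAMPLE_ATTEMPTS = [
    Attempt(T0, "203.0.113.7", "411111", "1111", 1.00, False),
    Attempt(T0 + timedelta(seconds=40), "203.0.113.7", "411111", "2222", 1.00, False),
    Attempt(T0 + timedelta(seconds=75), "203.0.113.7", "550000", "3333", 0.50, True),
    Attempt(T0 + timedelta(seconds=130), "203.0.113.7", "550000", "4444", 1.00, False),
    Attempt(T0 + timedelta(seconds=200), "203.0.113.7", "601100", "5555", 2.00, False),
    Attempt(T0 + timedelta(seconds=260), "203.0.113.7", "601100", "6666", 1.00, True),
    Attempt(T0 + timedelta(minutes=3), "198.51.100.20", "411111", "9876", 50.00, True),
    Attempt(T0 + timedelta(minutes=30), "198.51.100.20", "411111", "9876", 50.00, False),
    Attempt(T0 + timedelta(minutes=31), "198.51.100.20", "411111", "9876", 50.00, True),
]

if __name__ == "__main__":
    for ip, why in flag_card_testing(SAMPLE_ATTEMPTS).items():
        print(f"block {ip}: {', '.join(why)}")
```

The genuine donor's single decline and retry never trips a rule because each rule needs several attempts inside one window; the tester trips all four. In practice the decision should feed a temporary block on the IP and the BINs involved rather than a permanent one, and the same windows can be keyed by BIN or by email address to catch testers who rotate IP addresses.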

Tokenization

Tokenization, like encryption, keeps the card number out of reach, but it works differently. Instead of transforming the number mathematically, it replaces it with a token: a random surrogate value that has no mathematical relationship to the card number and is useless outside the system that issued it. The gateway stores the real card number in its token vault and returns the token to you; for later charges, such as recurring donations, you send the token and the gateway looks up the card.

This protects your supporters, because a stolen token cannot be reversed into a card number the way stolen ciphertext could be if its key were also stolen, and it protects your nonprofit, because the card number is never stored on your servers at all, which shrinks the scope of your own PCI DSS obligations. What you keep is the token plus display data such as the last four digits and the expiry date; the CVV is never stored anywhere.
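To make the split between the gateway's vault and the nonprofit's own records concrete, here is an added example (not iATS's implementation and not code from the page). It keeps a toy token vault in memory, builds the record a nonprofit would store for a recurring donor, and runs a breach drill that scans that record for any Luhn-valid card number. The class and function names, the `tok_` prefix, and the test card number are assumptions for illustration.

```python
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test. Every real card number passes it, so it is a cheap way
    to spot a full PAN that has leaked into a record or a log line."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The gateway side. In production the vault is encrypted at rest with keys held in
    an HSM and sits inside the provider's PCI DSS scope; here it is a plain dict."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        # The token is random, so nothing about it can be reversed into the PAN.
        token = "tok_" + secrets.token_urlsafe(18)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the gateway calls this, when it builds the authorization request.
        Unknown tokens raise KeyError rather than returning anything."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, donor_id: str, pan: str,
                    exp_month: int, exp_year: int) -> dict:
    """What the nonprofit keeps for a recurring donor: the token plus display data.
    The full PAN and the CVV are never part of the record (PCI DSS requirement 3).
    In a real integration the PAN goes from the donor's browser straight to the
    gateway's hosted form, so the nonprofit's code would never see it at all."""
    token = vault.tokenize(pan)
    digits = re.sub(r"\D", "", pan)
    return {
        "donor_id": donor_id,
        "token": token,
        "last4": digits[-4:],
        "expires": f"{exp_month:02d}/{exp_year}",
    }


def record_leaks_pan(record: dict) -> bool:
    """Breach drill: scan everything stored about the donor for a Luhn-valid run of
    13 to 19 digits. A token-only record comes back clean."""
    blob = " ".join(str(v) for v in record.values())
    return any(luhn_ok(m) for m in re.findall(r"\d{13,19}", blob))


if __name__ == "__main__":
    vault = TokenVault()
    # 4111 1111 1111 1111 is a well-known Visa test number, not a real card.
    rec = merchant_record(vault, "donor-42", "4111 1111 1111 1111", 7, 2025)
    print(rec)
    print("leaks PAN:", record_leaks_pan(rec))
    print("gateway resolves token to:", vault.detokenize(rec["token"]))
```

The same `record_leaks_pan` scan is worth running over your own database exports and application logs from time to time: if it ever finds a hit, card numbers are being stored somewhere they should not be, and your PCI DSS scope is larger than you think.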

What is the Best Secure Payment Gateway for Nonprofits?

Nonprofits have a variety of secure payment gateways to choose from, but to protect your donors and meet the unique needs of a nonprofit organization, we recommend investing in a solution that caters to nonprofits, like iATS Payments.

Among payment gateways, iATS Payments stands out because it is designed specifically for nonprofits. Our system pushes back against the assumption that nonprofits have weak security, providing a secure payment processor complete with:

  • Level 1 PCI DSS service provider validation. Level 1 is the most rigorous validation tier, requiring an annual on-site assessment by a Qualified Security Assessor rather than a self-assessment questionnaire, and iATS is validated at this level.
  • Advanced fraud protection tools. iATS goes the extra mile to help nonprofits protect themselves against fraud. We offer free and flexible anti-fraud tools, including address verification (AVS), bank identification number (BIN) blocking, the ability to require the card verification code (CVV), limits on card number and name tumbling, IP blocking, and velocity checking.
  • Flexible payment processing. One drawback of some payment gateways is that they accept only a narrow range of payment types. With iATS's ability to process credit, debit, and ACH payments, your organization won't have to worry about whether you can accept a donation.

Additionally, because the iATS secure payment gateway is designed just for nonprofits, our security measures are affordable without sacrificing quality or reliability. Get in touch with our team and learn more about how iATS Payments can keep your donors’ information safe.

Additional Resources

Payment gateways are an essential part of your payment processing system, ensuring that the information your donors entrust to your nonprofit stays secure. Before investing in a payment processor, take a close look at the gateway it includes and ask about its security features and PCI DSS validation. A well-protected gateway can be the difference between losing public confidence and building trusting relationships with your supporters.

Of course, a payment gateway is also just one aspect of a nonprofit payment processor. Before investing in payment processing software for your organization, take the time to understand the basics of each part of this new technology. Here are a few resources to get your research started: