How Online Donations Affect Your Payment Strategy

Part Two

The Most Common Nonprofit Donation Formats

Credit Cards

Credit cards are one of the most common ways for individuals to give to nonprofits online. Most people regularly use their credit cards to pay for online purchases, so making an online donation with a credit card is a natural way to contribute.

However, the fees associated with credit card payments can be complicated and varied. Usually, a credit card company will charge a flat fee plus a percentage.

Direct Debit

ACH (Automated Clearing House) direct debit payments are donations made from a donor’s bank account. The donor uses their bank account and routing numbers to make a donation.

This method is great for recurring donations, since the funds are automatically deducted from a donor’s bank account (similar to automatic online billing).

ACH payments are also cheaper to process than credit card payments, making ACH an affordable option for nonprofits.

That said, many donors are hesitant about using ACH direct debit payments because the process can seem intimidating or not secure, resulting in fewer ACH direct debit donations for nonprofits. (Even though this assumption is incorrect!)

Understanding the Payment Process for Your Customers

Credit Card Processing Steps

First, donation information is sent to the payment gateway, which checks for potential fraud. 

Second, the payment gateway flags suspicious transactions. If the card is good to go, it proceeds to the payment processor.  

Third, the processor sends the transaction to the credit card network, e.g., Visa or Mastercard.

Fourth, the credit card network sends the transaction to the donor's credit card bank for approval.

Fifth, the bank approves or denies the charge and lets the donor and nonprofit know.

Sixth, the donor's bank sends the money to the nonprofit's bank, completing the process!

Direct Debit Processing Steps

First, the donor’s bank enters the ACH entry, signaling to their bank, the Originating Depository Financial Institution or ODFI, that a payment is about to take place.

Second, the ODFI transmits payments in batches. The donor’s bank sends groups of ACH payments to an ACH Operator (either the Federal Reserve or the Clearing House).

Third, the ACH Operator sorts and processes the batches before making payments available to the nonprofit’s bank. It usually takes one to two business days for the entire process to take place.

Protecting Your Customers From Fraud

How does credit card fraud occur?

There are essentially two types of credit card fraud: application fraud and account takeover. Application fraud occurs when someone applies for a credit card under a false name and address. For our purposes, we’ll just be talking about account takeover.

When a credit card account is hacked, the fraudster can use the stolen credit card information to make large purchases. However, in order to make sure that the card will actually work, many fraudsters will test it by making a small donation on a nonprofit’s donation form.

Because nonprofit donation pages are often less complicated than online retailer shopping cart pages, they are easier for hackers to test stolen credit cards on.

How should you advise your customers?

Credit card fraud can affect your nonprofit customers in a number of ways, so it's important that you educate your customers on the steps they can take to prevent it.

While working with a secure, PCI-compliant payment processor is always the first step, there are additional internal measures that your customers can take to limit their susceptibility to fraud.

Let's look at three internal measures you can advise your customers to take.

Look for conspicuous donation amounts.

This internal process will help you detect possible fraudulent transactions, since many fraudsters will try to make a small donation in a random amount (e.g., $1.73). If you see a series of these types of donations, it should raise a red flag.

Set a minimum donation amount.

Some donation forms automatically have this feature. Requiring donors to give at least $10 or $20 will discourage fraudsters from using your donation form to test stolen credit card information.

Require a credit card security code.

A credit card’s security code is a 3- or 4-digit number found on the back or top right corner of the credit card. By requiring that donors use this security code when making a donation, your customers can minimize credit card fraud.
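
The three measures above, combined in a short Python sketch. This is an added example, not iATS code; the thresholds, field names and sample attempts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed thresholds; tune them to the nonprofit's real donation patterns.
MIN_DONATION = Decimal("10.00")   # the page suggests a $10 or $20 floor
SMALL_AMOUNT = Decimal("5.00")    # cutoff for a "small" test charge
WINDOW = timedelta(minutes=10)    # how close together "a series" must be
SERIES = 3                        # attempts that make up "a series"

def form_rejects(amount, cvv):
    """Reasons the donation form should refuse a submission up front."""
    reasons = []
    if amount < MIN_DONATION:
        reasons.append("below_minimum")
    if not (cvv.isascii() and cvv.isdigit() and len(cvv) in (3, 4)):
        reasons.append("missing_security_code")
    return reasons

def is_conspicuous(amount):
    """Small amount with odd cents, like the $1.73 example."""
    return amount < SMALL_AMOUNT and amount % 1 != 0

def flag_card_testing(attempts):
    """Group conspicuous attempts that fall inside one WINDOW; keep groups >= SERIES."""
    odd = sorted((a for a in attempts if is_conspicuous(a["amount"])),
                 key=lambda a: a["time"])
    bursts, current = [], []
    for a in odd:
        if current and a["time"] - current[0]["time"] > WINDOW:
            if len(current) >= SERIES:
                bursts.append(current)
            current = []
        current.append(a)
    if len(current) >= SERIES:
        bursts.append(current)
    return bursts

def _t(hhmm):
    return datetime.fromisoformat(f"2024-01-15T{hhmm}:00")

SAMPLE = [  # constructed attempts, not real data; no card data is kept here
    {"id": 1, "time": _t("09:02"), "amount": Decimal("25.00")},
    {"id": 2, "time": _t("13:40"), "amount": Decimal("1.73")},
    {"id": 3, "time": _t("13:41"), "amount": Decimal("2.19")},
    {"id": 4, "time": _t("13:43"), "amount": Decimal("0.87")},
    {"id": 5, "time": _t("13:44"), "amount": Decimal("50.00")},
    {"id": 6, "time": _t("16:10"), "amount": Decimal("3.41")},
]

if __name__ == "__main__":
    for burst in flag_card_testing(SAMPLE):
        print("review:", [a["id"] for a in burst])
```

A single odd amount (id 6) is not flagged on its own; only the run of three inside ten minutes is surfaced for review.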

iATS Includes All of These Fraud Prevention Tools as Part of Our Solution.


Common Terms That May Come Up With Customers


ACH Direct Debit

ACH direct debit is a form of online donating that allows a donor to give directly from their bank account as opposed to with their credit card. It requires donors to input their bank account number and routing number (found on the bottom of their paper checks).

Address Verification System

An address verification system (AVS) is a fraud-protection method that compares the billing address a donor uses to make a donation and the address that is on file with their credit card company. If the two don’t match or are suspicious in any way, the nonprofit will receive an AVS decline that they can then review.


Aggregator

An aggregator is a payment processor that handles multiple transactions from nonprofits and/or businesses. All of these transactions go through the aggregator’s own merchant account. These organizations are part of the aggregator’s “portfolio.” PayPal, Stripe, and Square are examples of payment processing aggregators.

Credit Card Processing

Credit card processing is a common and easy way for donors to give to nonprofits. Most credit card processors will take a percentage of the donation plus a flat rate per transaction, while ACH direct debit processing normally only takes a flat fee.


Encryption

Encryption is a form of fraud protection that uses special algorithms to convert sensitive data (known as “plaintext”) into “ciphertext.” This ciphertext can only be read if it is decrypted using the correct “key.” Encryption and tokenization usually go hand in hand.

Merchant Account

A merchant account is essentially a type of bank account that allows nonprofits (and businesses) to accept credit cards online. The fees associated with credit card donations are taken from the money that gets deposited into the merchant account. The remaining balance of the donation then goes to the nonprofit.

Payment Gateway

The payment gateway is the first point of contact after the donor hits the “Submit Donation” button. A credit card donation is sent to the payment gateway to verify that the numbers used are not fraudulent and that the donation is secure. If the donation is flagged as being suspicious, the nonprofit is notified immediately. If all goes well, the payment continues to be processed.

PCI Compliance

PCI compliance speaks to the standards set by the Payment Card Industry for payment processing. PCI’s data security standards (PCI DSS) help keep donor data safe and limit the liability that nonprofits incur when processing donations. Payment processors will usually charge nonprofits a yearly PCI compliance fee in order to keep all of their systems in line with the standards.


Tokenization

Tokenization is a form of online fraud protection that takes a donor’s credit card number and other sensitive information and replaces it with a string of alphanumeric characters. Payment processors issue these “tokens” and are responsible for keeping donor data safe.
