Data Security & Donor Privacy: 7 Questions to Ask Online Giving Providers
We don’t have to tell you that the risks to data security are real. Just ask any of the hundreds of organizations (even ones like yours) that have suffered crushing data breaches. Most breaches are attributed to hacking or malware attacks, but insider leaks, payment card fraud, physical loss or theft of hard drives or files, and human error also play a significant role (Source). Human error alone causes 23 percent of data breaches (Source).
This is why it’s never been more important to make sure your online giving platform protects your nonprofit or church AND your donors from all types of fraud.
You may not understand all the technical aspects of data security and privacy. But if you compare giving vendors’ answers to these questions about potential points of risk, vital insights will emerge.
1. Does your platform follow GAAP standards for handling funds?
Your accounting system follows Generally Accepted Accounting Principles (GAAP), a collection of commonly followed accounting rules and standards for financial reporting. But if your donation system doesn’t, it’s an exploitable weak link in the chain of fund transfers. A GAAP-based system will also include an audit trail that does not allow any transaction to be altered, protecting your staff, donors and church or organization. (Vision2 is GAAP-based.)
2. Does your system use encryption to protect data in transit as well as at rest?
Encryption scrambles data so that even if an unauthorized person or entity gains access to it, they won’t be able to read it. Vision2 goes beyond database encryption, uniquely encrypting each individual credit card and bank account before givers have even input their expiration date and CCV number.
All data transmitted between givers’ devices and our server is encrypted using Secure Sockets Layer (SSL) technology so that it cannot be intercepted by anyone other than us. Download our Security Measures checklist. Or ask to see our detailed, comprehensive security document to share with your IT team.
3. Does your company use a separate payment processor?
With every donation, givers will encounter 1) your website, 2) an online giving vendor, and 3) a payment processor. (Here’s how that works.) Often this becomes obvious to donors only when they are taken to the payment processor’s site to complete their gift, a practice that can cause gift abandonment because it increases concerns about security. Keeping donors on your site helps keep their information safe from additional third parties. (Vision2 operates invisibly and is its own payment processor so your givers encounter ONLY your church or organization.)
4. Who owns our data if we decide to switch solutions?
A giving vendor and/or payment processor has the right to withhold, use or sell donor data, refuse refunds, and even check your donors’ credit reports. Find out in advance how each giving provider – and their payment processor of choice – handles data. (Vision2 does not use, sell or retain donor data for any purpose. If you decide to leave, your data goes with you. And we issue refunds upon request!)
5. Do our donors have to share their bank credentials in order to process ACHs?
This is not uncommon, but Vision2 givers do not have to surrender personal and private bank information. They can complete their ACH gifts in 4 easy, privacy-protecting steps without exposing sensitive bank details.
6. How do you control who can access sensitive data?
This is an important consideration as 34% of data breaches in 2018 involved internal actors (Source). Not only does Vision2 software contain role-based permissions to let your church or nonprofit determine who gets what access to givers’ information, but neither your staff nor Vision2 personnel can access payment method information in any readable, usable format. Passwords are encrypted and we use two-factor authentication to prevent catastrophic data loss.
7. In the event of a data breach, what is your policy and how will you help us?
No legitimate organization intentionally puts data at risk. But even when a giving vendor is confident in the security of their solution, they should plan for the unthinkable by carrying insurance to cover loss due to data breach. We’ve actually seen a giving vendor contract with an indemnity clause absolving themselves of any data loss responsibility. (Vision2 does carry data loss insurance protection.)
Vision2 is 100% committed to protecting your members’ information.
It’s not enough to know just your online giving provider; you must also be aware of your payment processor’s policies. As both, Vision2 is dedicated to maintaining the highest data security measures. In our 10 years in business, we’ve transacted over $2 billion in gifts with no data compromised.
To ask us these and other questions, reach out to us here.