Search blog

How to securely accept donations on your website

hands holding credit card and typing on laptop

Gaining the trust and confidence of your donors should be one of your nonprofit website’s primary goals. The easiest way to do this is to make sure they know that their privacy and security are important to you. In the desire to get a donation, it’s all too easy to overlook just how important this reassurance is.

You know how important communication is to your organization, but another major issue is the personal and financial information of your donors being exposed to cybercriminals.

In my career as a security professional, I’ve seen too many nonprofit organizations fail to appreciate just how likely and damaging a cyberattack on their websites would be. They often make the mistake of assuming that, as they’re not as large as many for-profit businesses, they won’t be a target. This is a grave error.

In this article, we’ll discuss the reasons why cybersecurity is so important and the steps you can take to securely accept donations.

Why your donors’ security is at risk

Studies have repeatedly shown that over 90 percent of all organizations experience a security incident in some way or another—with half of them losing sensitive information. This loss comes with enormous repercussions in the form of customer reputation and fines that can potentially cost your organization millions.

As you know, donor trust directly affects your nonprofit’s ability to fundraise. This is only one of many trends affecting nonprofits for 2020 and beyond.

To prevent cybertheft from happening to your organization, you have to make security a top priority, so that your information is secure, and your customers’—or donors’—personal information isn’t at risk of being stolen in a data breach.

Each country has unique laws regarding how customers’ personal information has to be stored and secured, but there are commonalities across borders. There are also rules as to what is considered personal information; this category almost always includes Social Security numbers, credit card numbers, addresses, phone numbers, and bank account details.

Here are some of the best ways to  securely accept donations on your website and protect against bad agents and ensure that your donors enjoy a safe donation experience.

Keep data collection to a bare minimum

One of the easiest ways you can protect your donors is to limit the amount of personal information you collect about them. Use the If it isn’t essential, don’t collect it,” rule. This might seem like a no-brainer, but many nonprofit organizations actively collect huge quantities of data to assist their marketing and donor retention.

In doing so, these organizations not only put themselves at risk of losing huge quantities of donor information but, by the very fact they hold so much data, they make themselves appetizing targets to hackers. Hackers aren’t interested in you if you don’t possess data—they can’t steal information you don’t have. To do otherwise puts you at unnecessary risk.

Don’t store credit card CVV2 numbers, expiration dates, or even full card numbers. Simply doing so is a PCI (payment card industry) violation. Aside from any hacker-related problems, storing this data can land you with heavy fines.

When you store the minimum amount of data you need to securely accept donations, there is no risk of fines, and you greatly reduce the risk of suffering a data breach. Although storing information might hasten your donor’s checkout, it is far outweighed by the risk (and cost) of a breach.

Use a modern payment gateway API to dissolve risk

There are standards for any organization that processes payments using major credit cards. These are typically set by the PCI DSS (Payment Card Industry Data Security Standard). These standards were created to protect cardholder data and restrict the level of credit card fraud committed against customers and organizations.

When you use a payment processor, you must pass audits to prove you’re using a processor that meets the latest standards. In the United States, these are dictated by the Office of Foreign Assets Control (OFAC) and the Department of the Treasury (USDT), as well as the major credit card companies. In many cases, you complete an online questionnaire for your audit. The level of audit required may vary depending on your processor, however.

That said, most popular payment processors keep up to date with all required standards and regulations, helping you to minimize your level of audit required.

Invest in encryption

Encryption is one of the most important ways of securely accept donations and protecting sensitive information that you send and receive. You want to make sure that you are always encrypting communications between your website and other parties with an SSL (secure sockets layer) certificate obtained by a reputable source. You also want to make sure your entire site is protected by an SSL, not just pages designed to receive information (such as donation payment information).

SSL is an important form of protection, but you want to make sure you are also using its more updated partner, the Transport Layer Security, which makes your domain HTTPS (secure) rather than HTTP. This is because SSL, although largely secure, has vulnerabilities in its older versions.

To make sure you are using TLS to secure your website, double-check with your web hosting provider whether it is in place. If you aren’t using SSL/TLS, correct the problem immediately. SSL/TLS certificates are cheap security measures that stop hackers from intercepting sensitive information as it is sent between donors and your organization.

Update, update, update

This step might sound obvious, but you’d be amazed how often it is overlooked. Keeping your code up to date helps to keep it free from security vulnerabilities that hackers can exploit.

It’s an incredibly cheap solution as most (if not all) updates are free, with many developers providing updates to specifically counter new security vulnerabilities as they are discovered. You’d be amazed how often the simple mistake of not updating, coupled with a poor network, can lead to an enormous data breach.

If you are running your website on a platform like WordPress, then you may be using third-party themes or plug-ins that are often going out of date.

By staying on top of your administration, however, you can typically use the update panel to keep plug-ins and themes in line with the latest version of your platform (and, if not, delete them).


One of the most important things  your nonprofit can do is to build it as a brand your donors can trust. By building a website for your nonprofit that prioritizes security and privacy and takes the necessary steps to ensure they are upheld, you’ll show your donors that their trust is well placed.


Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.