Tag: payment processors

Have you ever paid for a cup of coffee with your phone? Or gotten out of a taxi without touching your wallet? If so, you’ve seen firsthand how far payment processing technology has come in the past few years. The future is here: Pretty soon, we’ll be able to pay for absolutely everything using little computers we keep in our pockets. That’s convenient for consumers, but what opportunities does this technology present to nonprofits?

As consumer-side advancements like Apple Pay and Google Pay have grown in popularity, vendors like Stripe have also made it easier and more secure to implement these payment methods on platforms. Recently, Amazon even introduced the ability to donate to nonprofits just by asking Alexa.

With payment flows more flexible than ever, your organization can dream up whatever you think will be most effective and most enjoyable for your donors.

Benefits of new payment technologies for fundraisers

Vendors like Democracy Engine or Stripe take care of all the tough parts of accepting a payment, which allows fundraisers to focus on building a compelling front-end experience. With the right setup, spinning up a new fundraising page for a new location, cause, or campaign can be as easy as creating a new entry in your CMS.

We recently put this concept to work for an organization raising money for progressive candidates, helping them create a platform that allows donors to give to a bundle of candidates united under one issue. Using a Drupal eCommerce module and Democracy Engine as a payment processor, we were able to create a unified donation experience across their 100+ candidates.

Nonprofits like Action Against Hunger use services like PayPal to streamline the donation experience.

Another client, a large humanitarian aid organization, tasked us with finding a payments platform solution that would fit into their global fundraising ecosystem. Built in Drupal, the platform used the customizability of a CMS to serve a Stripe-based payment module. This solution allowed non-technical users to quickly spin up new donation pages that supported their local language (including right-to-left languages), currency, and preferred payment method across multiple countries. The organization was then able to promote a single URL globally on email, social, and paid media, rather than targeting audiences by language or location. Plus, individual country offices had the ability to “fork” a page and take control of the content their audiences would see.

Differing currencies aside, regulations on charitable donations vary across countries—for example, some countries need to comply with GDPR, and some require a donor’s social security or ID number to complete a transaction. Partnering with a payment processor simplified the logistics of deploying a donation page, allowing our donation CMS to standardize the branding and security of donation pages around the world.

The increase in sophistication of payment processors has led to a new round of product innovation in software providers that nonprofits use on their websites. You may have seen ActBlue’s Express Lane, or Blue State Digital’s own QuickDonate, both of which provide one-click donations across many organizations for their millions of members. These tools are an easy way to create a seamless experience for your donors, and can even help strengthen your recurring donation program, bringing in a steady stream of revenue outside of large fundraising moments.

Payment methods you should have on your radar

It may feel like Apple Pay has been around for a while, but it hasn’t even been four years since the service was introduced to the public. While businesses and consumers increasingly warmed to the concept of using a smartphone instead of a credit card over the past few years, Google has quietly bolstered their proprietary payment product as well.

So how do these popular payment services differ?

Apple Pay

Apple’s mobile payment and digital wallet service allows users to make payments using an iPhone or Apple Watch at brick-and-mortar stores that support the service, or on the web using Safari (on either desktop or mobile). More to the point, Apple Pay’s simplified payment flow makes it significantly easier for donors to complete their contribution.

Google Pay

Google recently unified Google Wallet and Android Pay into one service that allows mobile device payments (similar to Apple Pay), peer-to-peer payments (think Venmo or Square), and web purchases (kind of like Amazon Checkout). Google Pay lets users store their payment information in Chrome and loads a payment window as a module native to Chrome on mobile and desktop—not a pop-up, not a new window. Not only is it convenient for donors, but it’s incredibly easy to implement a Google Pay button.

Takeaway: Payment processors are crucial to today’s fundraising landscape

These digital payment technologies seem to be here to stay. In fact, some fundraising best practices now revolve around the use of these smarter payment technologies. By using the latest technology to streamline your donation flow, you can make supporting your cause even easier for your donors—and that makes a real difference in your revenue.

One of the questions I often hear in my work is from organizations unsure whether they should get or increase their cybersecurity insurance.

There are no one-size-fits-all answers to this dilemma, but this article is meant to provide some guidance to help you make the decision.

What’s the risk?

The answer starts with gaining a clear understanding of risk. A common term in the risk management field is “risk mitigation.” For many years I found the word “mitigation” annoying in this context because I was taught by my father to never deploy the word “utilize” when “use” would do just fine, and “mitigate” seemed, to me, synonymous with “reduce,” a simpler word everyone understands. I’ve since changed my mind.

You can’t eliminate risk

There’s a cliché in sports about a great player that goes like this, “You can’t stop him, you can only try to contain him.” I’m not sure of the origin, but I first heard the phrase spoken about Michael Jordan. This applies to risk.

Risk is part of existence. You can’t stop it. But there are things you can do to manage or mitigate risk.

Consider the consequences

First, let’s think about the kinds of bad things that can happen in a cybersecurity context. If we think about things like ransomware, account breaches, data loss, and fraud, there are different consequences that may apply.

  • Downtime: We can’t work or we have to spend time fixing (or “remediating” in risk management parlance) the incident.
  • Reputation damage: Our organization’s reputation may suffer damage from the incident.
  • Financial loss: We may literally lose money through fraud or theft or we may have to spend money on resources to help us contain and manage the incident.

Four things you can do with risk

Let’s break it down into four basic actions you can take in regard to risk. All of these together are where the word “mitigate” comes in. Risk mitigation is looking at your risks and deciding which of these actions to take.


Avoid

Avoiding risk is the first option and generally the best if it’s available. Let’s say you are collecting social security numbers (SSNs) of clients and you identify that as a risk because it’s sensitive information you are collecting and keeping. But you also realize that you don’t use the SSNs for anything and don’t need to collect or keep them. You can easily avoid this risk by ceasing collection of SSNs and deleting the ones you have. Risk avoided.


Reduce

This is where most cybersecurity work happens. If you are concerned about the risk of your email account being breached, you can’t easily avoid this risk because it would mean not having an email account. But you can reduce this risk by having a strong password and employing two-factor authentication (also known as 2FA) to increase the security of your account.

If I am concerned about data loss if my email account is breached and the attacker deletes all my emails, I can implement a backup solution to automatically back up my email account. Cybersecurity measures or safeguards such as backups, passwords, two-factor authentication, encryption, training, and incident response are all measures to reduce the risk of various incidents.


Transfer

This is where cybersecurity insurance fits in. Transferring risk means moving the consequences of a bad thing happening to someone else. It’s making it someone else’s problem.

One example is credit card processing. Most small organizations have a third-party processor handle the credit card transactions on their website. They understand that collecting credit cards comes with risk and that they can’t avoid this because they need to accept credit cards. Reducing the risk of accepting credit cards can be quite intensive, so many organizations choose to transfer this risk to a credit card processor (such as PayPal or Stripe).

It’s the third consequence listed above, financial loss, where cybersecurity insurance most often applies. What cybersecurity insurance can do is transfer the financial risk of various cybersecurity incidents to the insurer. You pay the insurer an annual fee, say $2,000, and in exchange they accept the transfer of $1,000,000 of your financial risk.

It’s important to understand that you are only transferring the financial consequences of an incident. You can’t meaningfully transfer the downtime consequences or the reputational damage consequences. That’s not to say the money reimbursed by your insurer couldn’t be used to limit the downtime and reputational damage consequences, but you still haven’t transferred those risks. You keep those yourself (lucky you).


Accept

Which takes us to the last thing we can do with risk: Accept it. Going back to our email example: I can’t avoid the risk of using email because it’s a critical business tool. I have already reduced the risk of a breach by using a strong password and two-factor authentication. I have transferred the financial risk of an email breach by purchasing cybersecurity insurance.

Even with all these “mitigations” in place, I still have risks of downtime if my account is breached or I forget my password. I still have risk of reputational damage if my email account is breached and sensitive communications are exposed to people I didn’t intend to see them.

At this point, I choose to accept those remaining risks. And here’s a key point: We are all accepting all kinds of risks right now, all the time. I could get hit by a meteor or stray piece of space garbage at any minute. I could reduce this risk by living underground, but I’m not going to do that. I accept that risk. What I think is most important is understanding the risks you face, and what options you have to mitigate those risks—and then continuing on with life.

Life is risky. That’s what makes it fun, right?

So, should we get cybersecurity insurance or not?

If you look at your risks and see a lot of financial risk that could be effectively transferred to an insurance company through cybersecurity insurance, then the answer is a resounding YES. But please check with your existing insurance carrier to see what cybersecurity insurance you already have.

If, on the other hand, you look at your risks and see mostly risks of downtime, data loss, and damage to your reputation, my opinion is that you’d be better served investing time and resources in seeing how much effort would be required to meaningfully reduce or avoid those risks.

If your nonprofit takes payments of any kind, then you need to be familiar with a scary, yet vital standard called PCI.

PCI (payment card industry) compliance means following a set of rules and regulations designed to ensure that payments are secure and that no cardholder data is at risk from hackers and scammers.

Nonprofits must abide by these rules, or face fines between $5,000 and $500,000. PCI compliance is a necessary part of your nonprofit’s security plan.

If you use an e-commerce package or online donation tool, PCI compliance is often already done for you by the company providing the platform, but you should know how it works.

For now, we’re going to focus on the two most likely scenarios: organizations that outsource all of their payment processing to a third party, and organizations that outsource most of it. Everything below applies solely to web transactions.

Define who you are

One of the first steps of PCI compliance is determining where your nonprofit falls on the PCI compliance spectrum. There are eight different classifications that are given confusing titles such as “SAQ B-IP.” SAQ stands for Self-Assessment Questionnaire, and the vast majority of our lovely readers will fall into the first two categories: SAQ-A and SAQ A-EP.


SAQ-A

This is for the group of nonprofits that outsource all of their payment processing to a third party.

Examples of organizations that fall into this category:

  • Donations made on a third-party site such as DonorBox or Classy.org.
  • Donations made on your nonprofit’s site, but using a PCI-compliant solution such as Formstack with Stripe integration.
  • Events payments made on sites such as EventBrite.
  • E-commerce done on sites such as Shopify, or payments made on PayPal.com.

In these scenarios, you never touch the cardholder data, because these sites/services are doing the heavy lifting. This is the simplest way to go.

SAQ-A: What you should do

  1. Destroy all paper copies of cardholder data, if you’ve received it.
  2. Ask questions of your vendors to ensure they’re PCI compliant. Get it in writing, or take a screenshot of the statement on their site. Some vendors have been known to state they’re compliant, then later backtrack with a “whoops, we weren’t compliant.” Not good.
  3. Monitor and check in with the vendors to ensure they’re maintaining PCI compliance.


SAQ A-EP

This is for the group of nonprofits that outsource most of their payment processing, but at some point during the payment process, the nonprofit’s site/server is touched. The main difference between SAQ-A and SAQ A-EP is that with SAQ A-EP, your site controls how the information is passed to the PCI-compliant vendor.

Examples of organizations that fall into this category:

  • Donations and other transactions made on your nonprofit’s site are using a gateway such as Authorize.net (non-hosted solution).
  • Transactions made are using a solution such as PayPal’s PayFlow.

SAQ A-EP: What you need to do

Well, my first and obvious suggestion would be to change your processes so you can fall into the SAQ-A category. But, if that’s not an option, let’s continue.

There are 12 requirements that you’ll need to pursue. Please note there’s a lot more to these, but here’s a good primer:

  1. Install a firewall. Get a solid hosting provider, and they should be able to do this for you.
  2. Be careful with your passwords. Don’t use vendor-supplied passwords, and don’t use “password123” or your dog’s name. You catch my drift.
  3. Protect cardholder data. Getting technical pretty quickly here, but you’re here because you’re smart! Ensure the stored data is fully encrypted, and be sure the encryption keys are protected. There are cases where the encryption keys are lying around, or are in a spreadsheet—that’s not protected. Also, ensure the cardholder data isn’t lying around in a spreadsheet somewhere or on physical paper. This requirement also calls for a flowchart of cardholder data.
  4. Protect how cardholder data is transmitted. Before, we were talking about stored data. This item is all about protecting how the data is transmitted.
  5. Say no to the viruses! Ensure you have anti-virus software on any system and application that touches cardholder data (phones, tablets, computers, servers, etc.).
  6. Be current. Many, many breaches are due to outdated software installed on your machines or server. Ensure you’re constantly on the latest, most stable versions.
  7. Be choosy with who gets access. Not everybody needs access to your sensitive data. Be particular with who gets access to what.
  8. Be a fortress with your usernames and passwords. Ensure you have a solid policy for usernames/passwords, and have logic in place to disallow usernames/passwords that aren’t secure. Set password lockouts (such as “You’ve entered your password incorrectly 3 times, therefore I’m not letting you in”), and enable multi-factor authentication (your password in addition to something only you have, such as your fingerprint or a hardware token).
  9. Your physical space must also be a fortress. Having all of the above in place is for naught if someone can walk into your office and change everything.
  10. Monitor all access to the data. Keep detailed logging of who’s accessing what information, as well as how and where they’re accessing it.
  11. Regularly test. How often does your technology seem to break for no reason? For a secure environment, regular testing controls are imperative.
  12. Have a policy. All of this is confusing, and your staff will find it equally confusing. Ensure you have a policy in place that clearly addresses security standards and procedures.
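
Item 3 above warns about cardholder data left in spreadsheets. The following added example (not from the original article or any vendor) scans a CSV export for likely card numbers using the Luhn checksum and reports them masked; the sample export and its column names are constructed, and the card numbers in it are publicly documented test numbers.

```python
import csv
import io
import re

# Constructed sample export; the two valid numbers are public test card numbers.
SAMPLE_EXPORT = """donor,email,notes,reference
A. Donor,a@example.org,card 4242 4242 4242 4242 taken by phone,1234567890123456
B. Donor,b@example.org,call back on 202-555-0143,4111111111111111
"""

# Candidate card numbers: 13 to 19 digits, optionally split by spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Show only the first six and last four digits so the report holds no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(csv_text):
    """Return (row_number, column_name, masked_number) for every likely card number."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            text = value if isinstance(value, str) else ""  # skip overflow cells
            for match in CANDIDATE.finditer(text):
                digits = re.sub(r"[ -]", "", match.group())
                if luhn_ok(digits):  # filters out IDs that merely look like cards
                    hits.append((row_no, column, mask(digits)))
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EXPORT):
        print(hit)
```

A hit means the file needs to be reviewed and the data removed or moved into the processor's system; a clean scan of one export does not show that other files are clean.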

Limiting your PCI compliance scope

As you have deduced, SAQ A-EP is a massive task and one that can consume energy, resources, and budget. If you’re completely overwhelmed by everything that needs to be done to be fully compliant, consider what’s needed to move from SAQ A-EP to SAQ-A.

In conclusion

I’m not a PCI Compliance specialist, just someone who knows enough to raise awareness on this important topic. For a comprehensive overview, please head over to the PCI Security Standards Council site.

Becoming PCI compliant is imperative, especially as more organizations’ data practices are under increased scrutiny. While all of this sounds extremely technical, PCI compliance is not just an IT function. Instead, it involves buy-in from your entire organization and support from the top.

Go forth, good people, and take these steps to ensure a better, more secure web!