New! Enhanced Security Setting For Custom Donation Forms
Kathryn Hall
Blackbaud Employee
Luminate Online version 19.5 introduced a new feature to enhance security for custom donation forms. When fraudulent transactions are attempted against a donation form through API calls, the new option stops most of that activity: it lets administrators enforce collection of all of the form's required fields when validating API requests to that form.
Who does this impact?
Organizations using custom donation forms that use our open APIs to push data into Luminate Online or TeamRaiser may benefit from activating the new “Enforce Validation on API Donation Requests” feature to enhance security and deter fraud.
Are there reasons not to activate this setting on a donation form?
This feature is not compatible with API integrations, such as Facebook Fundraising integration and Luminate CRM Offline donations. If you aren't sure whether your donation form is used for those integrations, contact Blackbaud Support.
In most cases this option would be activated to suppress active fraudulent activity, such as carding runs, rather than as a preventative measure. It increases the number of required fields donors must fill out, and therefore deliberately adds friction to API donation forms, which are often designed for speed and ease of use by donors.
What is an API?
An “application program interface” or API allows you to create custom applications of many types, including unique custom mobile donation forms and donation light boxes. The API “pushes” the gift captured via the custom form into a standard Luminate donation form for processing.
What is validation?
Historically, donations processed through the open API only required a small subset of fields, regardless of which fields were set as required on the donation form. This was by design, to simplify transaction processing for API-based donation forms, since these were often developed for mobile use and a "low friction" donor experience.
Now, to provide an enhanced validation and security option, we have added a checkbox to allow administrators to require that every request to a donation form be validated against that form’s default set of required fields and minimums.
Why do we need this?
We’ve added this feature for a couple of reasons:
- To allow you to enforce collection of required fields. Some organizations want to ensure that certain fields are filled out in a donation form, regardless of how the gift is obtained. Now you have the option to require gifts processed via the API to include these required fields as well. The system will not allow a gift to be submitted for processing without these fields.
- To prevent and block fraudulent transactions that may come through the API.
- When fraudulent actors attempt to use your donation form to process transactions, they tend to submit a great number of transactions in a short period of time. The fraudsters rotate through a list of credit cards, filling in only basic fields (name, email, amount). While the vast majority of fraudulent transactions get declined, they can still create a lot of invalid constituents and cause payment gateways to start blocking your transactions!
- By enabling this new feature, all fields set to required on your donation form will be required on your API-based form, including custom fields. You can also adjust the minimum donation amount to block gifts at the low transaction amounts that are common for these carding runs. So the feature accomplishes two goals: It stops fraudulent transactions from processing, and it prevents fake constituent records from being created.
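To show what the two goals above look like in practice, here is an added example (not Luminate Online's own code) that models how the setting changes the validation of an incoming API gift: with enforcement off only a historical baseline of fields is checked, with enforcement on the form's full required set and its minimum amount apply. The baseline field set, field names, form configuration and request payloads are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Fields the open API historically treated as sufficient (assumption, based on
# the "name, email, amount" minimum the post describes).
API_BASELINE_FIELDS = {"first_name", "last_name", "email", "amount"}


@dataclass
class DonationForm:
    required_fields: set          # every field marked required on the form, custom fields included
    minimum_amount: float         # the form's minimum donation amount
    enforce_api_validation: bool  # the "Enforce Validation on API Donation Requests" checkbox


def validate_api_request(form: DonationForm, request: dict) -> list:
    """Return rejection reasons for one API donation request; an empty list means it proceeds."""
    # Enforcement on: the form's full required set applies to API requests too.
    # Enforcement off: only the historical baseline is checked, as before 19.5.
    required = form.required_fields if form.enforce_api_validation else API_BASELINE_FIELDS
    reasons = []
    for name in sorted(required):
        value = request.get(name)
        if value is None or (isinstance(value, str) and not value.strip()):
            reasons.append(f"missing required field: {name}")
    try:
        amount = float(request.get("amount", 0))
    except (TypeError, ValueError):
        amount = 0.0
    if amount <= 0:
        reasons.append("amount must be positive")
    elif form.enforce_api_validation and amount < form.minimum_amount:
        reasons.append(f"amount {amount:.2f} below form minimum {form.minimum_amount:.2f}")
    return reasons


# Constructed sample form: address fields and one custom field are required, minimum $5.
FORM_FIELDS = API_BASELINE_FIELDS | {"address_line1", "city", "zip", "custom_gift_designation"}
FORM_OFF = DonationForm(FORM_FIELDS, 5.00, enforce_api_validation=False)
FORM_ON = DonationForm(FORM_FIELDS, 5.00, enforce_api_validation=True)

# Constructed payloads: the minimal request a carding run sends, and a complete legitimate gift.
MINIMAL_REQUEST = {"first_name": "Pat", "last_name": "Doe", "email": "pat@example.org", "amount": "1.00"}
COMPLETE_REQUEST = dict(MINIMAL_REQUEST, amount="25.00", address_line1="1 Main St",
                        city="Austin", zip="78701", custom_gift_designation="General Fund")

if __name__ == "__main__":
    for label, form, req in [("enforcement off", FORM_OFF, MINIMAL_REQUEST),
                             ("enforcement on", FORM_ON, MINIMAL_REQUEST),
                             ("complete gift", FORM_ON, COMPLETE_REQUEST)]:
        print(f"{label}: {validate_api_request(form, req) or 'accepted'}")
```

The minimal request is accepted with the setting off, exactly the historical behaviour that lets a carding run create invalid constituents; with it on, the same request is rejected both for its missing fields and for falling below the form minimum, while the complete gift still passes.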
Note: Our open APIs are available to all Luminate Online customers.
By John Miller, Senior Product Manager, Luminate Online
Comments

Interesting. How is this different from the Validate parameter in the donate and startDonation methods?

Hi Brian!
It actually is the same functionality - it's just that this requires validation for every API donation request. In nearly all cases of fraudulent transactions this parameter is not sent, and the default value is "false". In the case where an administrator wants to control the data that is submitted, this possibly would be useful if the administrator isn't also the developer (which I understand is often the case).

Hi John,
Hope all is well.
Is there an organization that is currently using this? If so, can you provide an example?
-David Arocha

Hi,
Does enabling this feature change anything for the donor making a gift or is this seamless from their perspective?
Thanks,

Hi David and Shannon - thanks for the questions, they complement each other in a way. This setting isn't visible or impactful to the user in any way as long as the API-based transactions that are being processed request the fields that are required for the donation form to process. This means that any example API-based forms would look just like forms that don't have this setting enabled, but they would require all fields on the donation form that have been marked as required on Luminate Online, as opposed to without this setting enabled, where it is possible to send requests without all of the required fields.