New! Enhanced Security Setting For Custom Donation Forms

Luminate Online version 19.5 introduced a new feature to enhance security for custom donation forms. When a donation form is targeted by fraudulent API calls, the new option stops most of that activity: it lets administrators enforce collection of every required field before an API request to the form is accepted for processing.

Who does this impact?
Organizations whose custom donation forms use our open APIs to push data into Luminate Online or TeamRaiser may benefit from activating the new “Enforce Validation on API Donation Requests” feature to enhance security and deter fraud.

Are there reasons not to activate this setting on a donation form?
This feature is not compatible with some API integrations, such as the Facebook Fundraising integration and Luminate CRM Offline donations. If you aren't sure whether your donation form is used by those integrations, contact Blackbaud Support.

In most cases this option would be activated to suppress active fraudulent activity such as carding runs, rather than as a preventative measure. It increases the number of fields donors must fill out, deliberately adding friction to API donation forms, which are often designed for speed and ease of use. Note that it only rejects requests that omit a required field or fall below the form minimum; a request that supplies everything the form requires is processed as before.

What is an API?
An application programming interface (API) allows you to build custom applications of many types, including custom mobile donation forms and donation light boxes. The API “pushes” the gift captured by the custom form into a standard Luminate donation form for processing.

What is validation?
Historically, donations processed through the open API required only a small subset of fields, regardless of which fields were marked required on the donation form. This was by design, to simplify transaction processing for API-based donation forms, which were often built for mobile use and a “low-friction” donor experience.

Now, to provide an enhanced validation and security option, we have added a checkbox that lets administrators require every request to a donation form to be validated against that form's default set of required fields and minimum amount.

[Screenshot: the Validate API Donation Requests checkbox]


Why do we need this?
We’ve added this feature for a couple of reasons:

  • To allow you to enforce collection of required fields. Some organizations want to ensure that certain fields are filled out on a donation form regardless of how the gift is obtained. Now you have the option to require that gifts processed via the API include these required fields as well; the system will not allow a gift to be submitted for processing without them.

  • To prevent and block fraudulent transactions that may come through the API.
    • When fraudulent actors use your donation form to process transactions, they tend to submit a great number of transactions in a short period of time. They rotate through a list of credit cards, filling in only basic fields (name, email, amount). While the vast majority of these transactions are declined, they can still create a lot of invalid constituent records and cause payment gateways to start blocking your transactions.
    • With this feature enabled, every field marked required on your donation form is also required on requests to your API-based form, including custom fields. You can also raise the form's minimum donation amount to block the low-value gifts that are typical of carding runs. The feature therefore accomplishes two goals: it stops these fraudulent transactions from processing, and it prevents fake constituent records from being created.
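To make the behaviour concrete, here is an added example (not Luminate Online's own code) that models the check in Python. It assumes a form definition holding the required field names and the minimum amount, a lenient historical path that checks only a baseline subset, and a per-request validate flag that defaults to false (the comments on this post mention such a parameter on the donate and startDonation methods). The field names, the baseline subset, the sample form and the sample requests are all constructed for illustration.

```python
"""Model of the "Enforce Validation on API Donation Requests" check.

Added example, not Luminate Online's own code. Assumptions (not from the
page): the field names, the baseline subset the lenient path accepts, and
the sample form and requests below are all constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed: the small subset the historical API path was satisfied with.
API_BASELINE_FIELDS = ("first_name", "last_name", "email", "amount")


@dataclass(frozen=True)
class DonationForm:
    required_fields: tuple      # every field marked required on the form
    minimum_amount: Decimal     # the form's minimum gift
    enforce_api_validation: bool = False   # the new admin checkbox


def is_blank(value) -> bool:
    """Treat missing values and whitespace-only strings as not supplied."""
    return value is None or (isinstance(value, str) and not value.strip())


def validate_request(form: DonationForm, request: dict) -> list:
    """Return validation errors for one API donation request (empty = accept).

    Full validation runs when the admin setting is on, or when the request
    itself sends validate=true (assumed default: false). Otherwise only the
    baseline subset is checked, which is the historical behaviour.
    """
    wants_full = str(request.get("validate", "false")).lower() == "true"
    full = form.enforce_api_validation or wants_full
    required = form.required_fields if full else API_BASELINE_FIELDS

    errors = [f"missing required field: {name}"
              for name in required if is_blank(request.get(name))]

    try:
        amount = Decimal(str(request.get("amount", "")))
    except InvalidOperation:
        return errors + ["amount is not a number"]
    if amount <= 0:
        errors.append("amount must be positive")
    elif full and amount < form.minimum_amount:
        errors.append(f"amount {amount} is below the form minimum {form.minimum_amount}")
    return errors


# Constructed sample form: eight required fields, $5 minimum.
SAMPLE_FORM = DonationForm(
    required_fields=("first_name", "last_name", "email", "amount",
                     "street", "city", "postal_code", "phone"),
    minimum_amount=Decimal("5.00"),
)

# Constructed request shaped like a carding run: basic fields only, tiny amount.
CARDING_REQUEST = {"first_name": "A", "last_name": "B",
                   "email": "a@example.com", "amount": "1.00"}

# Constructed request from a real donor who filled out the whole form.
FULL_REQUEST = {**CARDING_REQUEST, "amount": "25.00", "street": "1 Main St",
                "city": "Austin", "postal_code": "78701", "phone": "5125550100"}


def run_demo() -> dict:
    """Evaluate both requests with the setting off and on, and with validate=true."""
    off = SAMPLE_FORM
    on = DonationForm(off.required_fields, off.minimum_amount, enforce_api_validation=True)
    return {
        "carding_setting_off": validate_request(off, CARDING_REQUEST),
        "carding_setting_on": validate_request(on, CARDING_REQUEST),
        "carding_validate_flag": validate_request(off, {**CARDING_REQUEST, "validate": "true"}),
        "full_setting_on": validate_request(on, FULL_REQUEST),
    }


if __name__ == "__main__":
    for case, errs in run_demo().items():
        print(f"{case}: {'accepted' if not errs else errs}")
```

With the setting off, the carding-style request sails through because it supplies the baseline subset; with the setting on (or with validate=true on the request) it is rejected for four missing fields and for being below the minimum, while the fully filled-out donor request passes either way. Raising the minimum also turns away legitimate small gifts, so choose it against your real donor distribution rather than only against the amounts seen in a carding run.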

Contact Blackbaud Support for help in determining whether you should enable this feature.

Note: Our open APIs are available to all Luminate Online customers. 

By John Miller, Senior Product Manager, Luminate Online

 
News Blackbaud Luminate Online® Blog 06/27/2019 2:25pm EDT

5 Comments
Interesting. How is this different from the Validate parameter in the donate and startDonation methods?

Hi Brian!

It actually is the same functionality - it's just that this requires validation for every API donation request. In nearly all cases of fraudulent transactions this parameter is not sent, and the default value is "false". In the case where an administrator wants to control the data that is submitted, this possibly would be useful if the administrator isn't also the developer (which I understand is often the case).

Hi,
Does enabling this feature change anything for the donor making a gift, or is this seamless from their perspective?
Thanks,

Hi John,

Hope all is well.

Is there an organization that is currently using this? If so, can you provide an example?

-David Arocha

Hi David and Shannon - thanks for the questions; they complement each other in a way. This setting isn't visible or impactful to the user in any way as long as the API-based transactions being processed request the fields that are required for the donation form to process. This means that any example API-based forms would look just like forms that don't have this setting enabled, but they would require all fields on the donation form that have been marked as required in Luminate Online, whereas without this setting enabled it is possible to send requests without all of the required fields.
