Protect Your Web Payment Forms from Credit Card Abuse

Picture this: You walk into the office one morning, log into CiviCRM to check on the latest contributions you received, and you are taken aback by the hundreds (maybe even thousands) of failed contributions that were submitted overnight! You received a large number of annoying "junk" form payment submissions, many of them made with bogus or stolen credit card numbers. Public forms that accept credit card information are often targeted by robots attempting to process stolen credit card numbers in order to check their validity, and since most credit card processors charge an 'authorization fee' for each of these transactions, failed or not, this could leave you liable for a hefty bill at the end of the month!

Since these robots are relentless and continuously adapt to new security measures as they are put into place, there is no 100% fool-proof method of stopping them, but here are some ways to limit their activity:

1- Payment Processor Fraud Protection
Contact your payment processor to find out what type of fraud protection options they have to offer. These features may carry additional fees, and you'll need to be careful about how you configure these filters so that you do not disrupt processing of real transactions from your constituents.

2- IP Address Blocking
You can block specific IP addresses and/or regional IP address ranges via your payment processor as well as directly through your Content Management System.
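The burst of failed submissions described above is the signature of card testing, and it is also what decides which IP addresses are worth blocking. The following is an added example (not Cividesk or CiviCRM code) that runs a sliding-window velocity check over a contribution export: any IP that accumulates more than a threshold of failed attempts within a short window is flagged, and the total number of attempts is multiplied by the processor's per-authorization fee to show the exposure. The CSV column names, the window and threshold, the fee, and the sample rows are all assumptions constructed for the example.

```python
"""Flag card-testing bursts in a contribution export and estimate the authorization-fee exposure.

Added example, not Cividesk/CiviCRM code. It assumes a CSV export of contribution
attempts with the columns received_date, ip_address and status; the column names,
thresholds, fee and sample rows below are constructed for illustration.
"""
import csv
import io
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: one normal donor, one donor who mistyped a card twice,
# and a bot on 203.0.113.9 that fires eight failed attempts in fourteen seconds
# before it finally hits a card that works.
SAMPLE_CSV = """received_date,ip_address,status
2024-03-01 02:00:05,198.51.100.7,Completed
2024-03-01 02:03:00,192.0.2.44,Failed
2024-03-01 02:04:30,192.0.2.44,Failed
2024-03-01 02:06:00,192.0.2.44,Completed
2024-03-01 02:10:01,203.0.113.9,Failed
2024-03-01 02:10:03,203.0.113.9,Failed
2024-03-01 02:10:05,203.0.113.9,Failed
2024-03-01 02:10:07,203.0.113.9,Failed
2024-03-01 02:10:09,203.0.113.9,Failed
2024-03-01 02:10:11,203.0.113.9,Failed
2024-03-01 02:10:13,203.0.113.9,Failed
2024-03-01 02:10:15,203.0.113.9,Failed
2024-03-01 02:10:17,203.0.113.9,Completed
"""


def load_attempts(csv_text):
    """Parse the export into (timestamp, ip, status) tuples sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["received_date"], "%Y-%m-%d %H:%M:%S")
        rows.append((ts, row["ip_address"], row["status"]))
    rows.sort()
    return rows


def find_card_testing(rows, max_failures=5, window=timedelta(minutes=10)):
    """Sliding-window velocity check.

    An IP is flagged once it has more than `max_failures` failed attempts inside
    any `window`. A real donor who mistypes a card once or twice stays under the
    threshold; a bot cycling through a list of numbers crosses it within seconds.
    Returns {ip: total failed attempts} for every flagged IP.
    """
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    total_failed = Counter()
    flagged = set()
    for ts, ip, status in rows:
        if status != "Failed":
            continue
        total_failed[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return {ip: total_failed[ip] for ip in sorted(flagged)}


def estimate_authorization_cost(rows, fee_cents=10):
    """Every attempt, successful or not, is charged an authorization fee (assumed 10 cents here)."""
    return len(rows) * fee_cents


if __name__ == "__main__":
    attempts = load_attempts(SAMPLE_CSV)
    for ip, failures in find_card_testing(attempts).items():
        print(f"block candidate {ip}: {failures} failed attempts")
    print(f"authorization fees for {len(attempts)} attempts: {estimate_authorization_cost(attempts)} cents")
```

The flagged addresses are the ones to feed into the processor's or CMS's block list; lowering `max_failures` or widening `window` makes the check more aggressive, so compare the output against known-good donors before acting on it.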

3- Add reCAPTCHA to your online payment form (Profile in CiviCRM)
reCAPTCHA gives an added layer of protection by challenging anonymous users (those who aren't logged in) to prove they are not robots by entering specific values or selecting certain images. To use reCAPTCHA, you must first sign up at Google's reCAPTCHA site to get your public and private keys. Cividesk clients should submit a support ticket requesting configuration of these keys in your environment.

In CiviCRM, reCAPTCHA must then be enabled in any profile embedded in public-facing pages, such as event registration or online donation pages, as follows:

  • Go to Administer > Customize Data and Screens > Profiles
  • Click on the Settings hyperlink to the right-hand side of the profile
  • Scroll to the bottom of the Settings screen and click to expand the Advanced Settings section
  • Toggle Include ReCAPTCHA?*
  • Click the Save button
    *Click the Help bubble next to the ReCaptcha checkbox to read about certain limitations regarding this feature.

If you become (or already are) a victim of one of these robots, cleaning up the aftermath can be a bit daunting, so you will want to contact your CiviCRM database administrator for help with deleting not only the failed contributions, but also any spam event registrations and contacts that were created in the process.

Once the contact, contribution and registration records have been deleted, we suggest disabling the event or contribution pages from which the spam submissions originated and replacing them with new pages. Or, better yet, if no real contributions or registrations are associated with the offending event or contribution pages, delete them altogether.

If you are a Cividesk customer, simply submit a support ticket and we will be happy to assist you with this process.