Protect Your Web Payment Forms from Credit Card Abuse

Picture this: You walk into the office one morning, log into CiviCRM to check on the latest contributions you received, and are taken aback by the hundreds (maybe even thousands) of failed contributions that were submitted overnight! Public forms that accept credit card information are often targeted by robots attempting to process stolen credit card numbers in order to check their validity, and since most credit card processors charge an 'authorization fee' for these transactions, failed or not, this could leave you liable for a hefty bill at the end of the month!

Since these robots are relentless and continuously adapt to new security measures as they are put into place, there is no 100% fool-proof method of stopping them, but here are some ways to limit their activity:

1. Payment Processor Fraud Protection
Contact your payment processor to find out what type of fraud protection options they have to offer. These features may carry additional fees, but the cost will be offset by the authorization fees that 'testers' would otherwise generate. These filters have varying levels of strictness - the stricter the filter, the higher the chance that a transaction will be rejected, even if legitimate. You'll need to be careful about how you configure these filters so that you do not disrupt processing of real transactions from your constituents.

2. IP Address Blocking
You can block specific IP addresses and/or regional IP address ranges via your payment processor as well as directly through your Content Management System.

3. Add ReCAPTCHA to your online payment form (Profile in CiviCRM)
ReCAPTCHA* gives an added layer of protection by challenging anonymous users (those who aren't logged in) to prove they are not robots by entering specific values or selecting certain images. 

To enable ReCAPTCHA in any profile embedded in public-facing pages, such as an event registration or online donation page:

  • Go to Administer > Customize Data and Screens > Profiles
  • Click on the Settings hyperlink to the right-hand side of the profile
  • Scroll to the bottom of the Settings screen and click to expand the Advanced Settings section
  • Toggle Include ReCAPTCHA?*
  • Click the Save button
    *All configuration required to enable this feature on profiles is done automatically for Cividesk clients - non-Cividesk clients should click the Help bubble next to the ReCAPTCHA checkbox to read about additional configuration requirements.

If you become (or already are) a victim of one of these robots, cleaning up the aftermath can be a bit daunting, so you will want to contact your CiviCRM database administrator for help with deleting not only the failed contributions, but any spam event registrations and contacts that were created in the process. If you are a Cividesk customer, simply submit a support ticket and we will be happy to assist you with this process.
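As an added example (not from the original post or from CiviCRM itself), here is how a database administrator might triage the aftermath from a contributions export: flag time windows with a burst of failed attempts, then list the contacts that appear only inside those windows, since those are the accounts the robot created. The sample rows, the column layout and the thresholds are constructed assumptions; check them against your own export before acting on the results.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real CiviCRM data), in the shape of a
# Contributions export: receive date, contact id, status, amount.
SAMPLE = [
    ("2024-03-11 23:58:10", 1001, "Completed", 50.00),
    ("2024-03-12 02:14:05", 5001, "Failed", 1.00),
    ("2024-03-12 02:14:09", 5002, "Failed", 1.00),
    ("2024-03-12 02:14:12", 5003, "Failed", 1.00),
    ("2024-03-12 02:14:20", 5004, "Failed", 1.00),
    ("2024-03-12 02:15:01", 5005, "Failed", 1.00),
    ("2024-03-12 02:15:30", 5006, "Completed", 1.00),  # stolen card that worked
    ("2024-03-12 09:30:00", 1002, "Completed", 25.00),
    ("2024-03-12 10:05:00", 1001, "Failed", 40.00),    # ordinary decline, known donor
]

EPOCH = datetime(1970, 1, 1)

def _window_start(ts, window):
    # Floor the timestamp to a fixed-size window (timezone independent).
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return EPOCH + ((t - EPOCH) // window) * window

def find_bursts(records, window_minutes=60, min_failed=5):
    """Count failed attempts per window; return the windows that reach
    min_failed as sorted (window_start, failed_count) pairs."""
    window = timedelta(minutes=window_minutes)
    failed = defaultdict(int)
    for ts, _cid, status, _amt in records:
        if status == "Failed":
            failed[_window_start(ts, window)] += 1
    return sorted((start, n) for start, n in failed.items() if n >= min_failed)

def review_candidates(records, bursts, window_minutes=60):
    """Contacts whose every contribution falls inside a flagged window (including
    'Completed' ones that slipped through); donors active outside it are excluded."""
    window = timedelta(minutes=window_minutes)
    flagged = {start for start, _n in bursts}
    inside, outside = defaultdict(int), set()
    for ts, cid, _status, _amt in records:
        if _window_start(ts, window) in flagged:
            inside[cid] += 1
        else:
            outside.add(cid)
    return sorted(cid for cid in inside if cid not in outside)

if __name__ == "__main__":
    bursts = find_bursts(SAMPLE)
    print(bursts, review_candidates(SAMPLE, bursts))
```

Treat the candidate list as a review queue, not a delete list: a contact with a single small 'Completed' charge during the burst may be a stolen card that should be refunded rather than a record to remove silently.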

Once the contact, contribution and registration records have been deleted, we suggest disabling the event or contribution pages from which the spam submissions originated and replacing them with new pages. Or, better yet, if no real contributions or registrations are associated with the offending event or contribution pages, delete them altogether.