
Must-Have Security Features When Choosing Auction Software

TL;DR

Donors want to know that their information is safe online. Learn which security features keep your donors safe when choosing your charity auction software.


Your donors may (rightfully) have some questions about security when accessing your online auction:

  • “Can my personal information get leaked?” 
  • “Can you delete my credit card info if I don’t win any bids?” 
  • “Are my payments safe?”

Your team may also have questions of its own, such as:

  • “What if a bidder tries to scam us? Are we protected?”

Being able to answer these types of questions will help you maintain trust with your donors and your team.

So how can you confidently assure everyone that they’re safe to use your online software? By verifying that your auction software has essential security features. We’ll cover which features to look out for and explain how all these features work to protect you.

In this article, you’ll find:

  • An explanation of nonprofit software security
  • A list of essential security features
  • A quick reference checklist


About Protecting Donor Data

No matter how small or new your organization is, you have a responsibility to keep your donors’ data safe. Any information shared online is at risk of being stolen or used by criminals.

A few potential threats include:

  • Identity theft using personal information
  • Phishing scams targeting your donors
  • Unauthorized charges on stolen credit cards
  • Selling donor lists on the dark web

So taking the time to check for online security is crucial, even if it may feel like a hassle.

Also check your organization’s privacy policy before starting your auction. It will tell you what information you’re allowed to collect and how to handle data. If you don’t have a privacy policy, consider writing one! A policy for online privacy ensures your whole team knows how to handle donor data.

About Scammers Targeting Charity Auctions

Scammers don’t hesitate to target nonprofits and schools, no matter how charitable your cause is. Many scammers use stolen credit cards to target online auctions, including charity auctions, like in the example below.

Example:

Your organization offers up a luxury watch at your online auction. Someone bids $3,000 on the watch and wins.

The payment shows up as a success, so you ship the watch. 

But a week later, you receive an alert: the payment was made with a stolen credit card. The real cardholder has disputed the charge, and the $3,000 is returned to them.

You lose both the watch and the $3,000.

Fraud may be a rare scenario, but it still happens, especially with online auctions. Your organization can lose a lot of money (and upset your item donors).

A more common scenario is a plain failed credit card payment. Usually it isn’t intentional, but occasionally a donor disputes a legitimate charge. Having precautions in place, such as holding periods and a record of each transaction, saves you from both kinds of problem.

What are Essential Security Features for Online Charity Auction Platforms?

Look for these features on your platform’s help page to verify the security of your software. Or make a call to ask about any features that aren’t listed. A quick call can be worth it to keep you and your donors safe.

PCI DSS Compliance

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), the card brands’ requirements for any organization that stores, processes, or transmits cardholder data. Among other things, it sets standards for:

  • Network security controls such as firewalls
  • Encryption of cardholder data in transit and at rest
  • Restricting and logging access to cardholder data
  • Anti-malware software and regular vulnerability scanning

These requirements apply to payment information specifically, not to the rest of your donor data.

There are four PCI merchant levels. They are set by annual card transaction volume and determine how compliance must be validated (an on-site assessment at the top level, a self-assessment questionnaire at the lower ones), not how secure the software is.

Most reputable charity auction platforms will be PCI compliant, but knowing what PCI compliance covers lets you reassure your donors. Ask the vendor for its current Attestation of Compliance (AOC) rather than taking a badge on the website at face value.

(Image: online auction payment certifications. Only use charity auction software that is PCI compliant.)

HTTPS Encryption

Look for URLs that start with https://. Most browsers show a padlock (or a similar connection-security icon) for HTTPS pages.

HTTPS encrypts and authenticates the connection between the donor’s browser and the platform, so data can’t be read or altered in transit. Two caveats: the padlock only means the connection is encrypted, not that the site is legitimate (phishing sites use HTTPS too), and it says nothing about how data is stored once it reaches the server. Check that every page, including bidding and checkout, loads over HTTPS and that plain http:// addresses redirect to https://.

Database Encryption

Database encryption protects stored donor data (data at rest), as opposed to data in transit, which HTTPS protects.

Verify that your platform encrypts sensitive data in its databases and backups. Ask who holds the keys: encryption at rest defends against a stolen disk or backup, but not against someone logged in to the application with more access than they need, which is why the permission controls covered below still matter.

Strong Password Requirements

If you’re following security best practices, you’re already using strong, unique passwords yourself. But you can’t watch the passwords your staff or volunteers choose.

Make sure your software enforces password requirements when an account is created: at minimum a reasonable length floor, and ideally a check against lists of passwords exposed in past breaches, which current guidance (NIST SP 800-63B) rates as more useful than a mandatory mix of numbers, letters, and symbols.
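The two styles of password rule described above, as an added example (hypothetical code, not the page’s or CharityAuctions.com’s own): composition_policy() is the classic “length plus upper/lower/digit/symbol” rule, and length_first_policy() is the NIST SP 800-63B style with a longer minimum, a breach-list check, and rejection of passwords built from the account name. The BREACHED set is a constructed stand-in for a real breach corpus.

```python
"""Added example: two password policies a signup handler might enforce.
Not the auction platform's code; the breach list is a constructed sample."""
import re
import unicodedata

# Constructed sample of a breached-password denylist; real lists hold millions.
BREACHED = {"password", "password1", "123456", "qwerty", "letmein", "auction2024"}

COMPOSITION_CLASSES = [
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"\d"),
    re.compile(r"[^A-Za-z0-9]"),
]


def composition_policy(pw: str) -> list[str]:
    """Classic rule: 8+ characters and all four character classes.
    Returns a list of problems; an empty list means the password is accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not all(cls.search(pw) for cls in COMPOSITION_CLASSES):
        problems.append("needs upper, lower, digit and symbol")
    return problems


def length_first_policy(pw: str, username: str = "", email: str = "") -> list[str]:
    """NIST-style rule: length, breach list and account-context checks only."""
    pw = unicodedata.normalize("NFKC", pw)  # compare the same form the hash will see
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if len(pw) > 128:
        problems.append("longer than 128 characters")
    lowered = pw.lower()
    if lowered in BREACHED:
        problems.append("appears in a breach list")
    # Reject passwords that embed the username or the e-mail's local part.
    local_part = email.split("@", 1)[0].lower() if email else ""
    for piece in (username.lower(), local_part):
        if len(piece) >= 4 and piece in lowered:
            problems.append("contains the account name")
            break
    if len(set(lowered)) <= 2:  # "aaaaaaaaaaaa", "abababababab"
        problems.append("too repetitive")
    return problems


def accept_password(pw: str, username: str = "", email: str = "") -> bool:
    """What the signup handler calls: accepted only if no problems remain."""
    return not length_first_policy(pw, username, email)
```

Note how a passphrase like “correct horse battery staple” fails the composition rule but passes the length-first one, while “Tr0ub4dor&3” does the opposite; the length-first policy is the one that rejects passwords attackers actually guess.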

Two-Factor or Multi-Factor Authentication

This step blocks unauthorized access even if a password is compromised. No security feature is foolproof, but it adds a layer that a stolen password alone can’t get past.

One large study found that methods such as SMS codes and device prompts (“Is this you?”) blocked 76% to 100% of account takeover attempts, with the exact figure depending on whether the attack was an automated bot, bulk phishing, or a targeted attack. Knowledge-based challenges, such as confirming a secondary email address or phone number, were much less effective.

The drawback is added friction at login. The same study found that 38% of users didn’t have their phone with them when signing in. Ask whether your platform offers two-factor authentication, and turn it on for every admin account.

Off-Platform Payment Processing

Charity auction software will store basic donor information like names, phone numbers, and emails on its own platform.

Credit card numbers are different. Your platform should hand those to a certified payment processor that specializes in handling card data, ideally through a processor-hosted payment form so the card number goes straight from the donor’s browser to the processor.

With a third-party processor, the auction platform never stores full card numbers. It keeps only a token (a reference the processor issues) plus display details such as the last four digits. The full number is held by the payment provider, whose systems are built and audited specifically for that purpose. This also keeps most of the PCI DSS burden off the auction platform, and off you.
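The token-based split described above, as an added simulation (hypothetical code; not Stripe’s API and not CharityAuctions.com’s own). The PaymentProcessor class stands in for the certified processor and is the only component that ever sees the card number; the AuctionPlatform class stores just the token and display metadata, and its database dump contains no card number. The card number used is the publicly documented 4242… test number, not a real card.

```python
"""Added example: off-platform card handling via tokenization.
Hypothetical; real processors expose this through their own SDKs."""
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, the format validation a processor does first."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentProcessor:
    """Stands in for the PCI-certified processor. Only it holds the PAN."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, int, int]] = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> dict:
        if not luhn_ok(pan):
            raise ValueError("card number failed validation")
        token = "tok_" + secrets.token_hex(12)  # opaque; not derived from the PAN
        self._vault[token] = (pan, exp_month, exp_year)
        return {"token": token, "last4": pan[-4:], "exp": f"{exp_month:02d}/{exp_year}"}

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown or deleted token")
        return {"status": "succeeded", "amount_cents": amount_cents}

    def forget(self, token: str) -> None:
        self._vault.pop(token, None)


class AuctionPlatform:
    """The auction software. Its database holds tokens and last4, never a PAN."""

    def __init__(self, processor: PaymentProcessor) -> None:
        self.processor = processor
        self.payment_methods: dict[str, dict] = {}

    def save_card(self, bidder_id: str, pan: str, exp_month: int, exp_year: int) -> dict:
        meta = self.processor.tokenize(pan, exp_month, exp_year)
        self.payment_methods[bidder_id] = meta
        return meta

    def charge_winner(self, bidder_id: str, amount_cents: int) -> dict:
        token = self.payment_methods[bidder_id]["token"]
        return self.processor.charge(token, amount_cents)

    def delete_card(self, bidder_id: str) -> None:
        """'Delete my card if I don't win': drop the token on both sides."""
        meta = self.payment_methods.pop(bidder_id)
        self.processor.forget(meta["token"])

    def database_dump(self) -> str:
        """What an attacker who copied the platform's database would get."""
        return repr(self.payment_methods)


def demo() -> tuple[bool, dict, bool]:
    """Constructed walk-through: save a card, charge the $3,000 win, delete."""
    platform = AuctionPlatform(PaymentProcessor())
    test_pan = "4242424242424242"  # documented test number, not a real card
    platform.save_card("bidder_17", test_pan, 12, 2030)
    pan_in_platform_db = test_pan in platform.database_dump()
    receipt = platform.charge_winner("bidder_17", 300_000)
    token = platform.payment_methods["bidder_17"]["token"]
    platform.delete_card("bidder_17")
    try:
        platform.processor.charge(token, 1)
        charge_after_delete = True
    except KeyError:
        charge_after_delete = False
    return pan_in_platform_db, receipt, charge_after_delete
```

The point of the design is the last line of demo(): once the token is forgotten on both sides, the card cannot be charged again, and at no point did the platform’s own database contain the number.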

Regular Security Updates

One survey found that 60% of data breaches involved a known vulnerability for which a patch was available but not applied.

Most hosted platforms apply security patches and updates automatically in the background. Ask how quickly the vendor applies patches after a fix is released and whether it runs regular vulnerability scans or penetration tests. Keep your own side current too: the laptops, tablets, and browsers your team uses at check-in.

Data Retention/Deletion Policies

Privacy laws like the EU’s GDPR give donors the right to request deletion of their personal information, including names, emails, phone numbers, addresses, and donation history. US state laws such as California’s CCPA grant a similar right.

Your platform should have a clear process for handling these requests and be able to delete donor data within the legal deadline: one month under GDPR (extendable for complex requests) and 45 days under the CCPA. Ask how deletion is confirmed and whether it covers backups.

Payment processors may keep some transaction records for tax or legal purposes, but card details are already tokenized and held by the processor rather than the platform.

(Image: donor data deletion features. Can you delete donor information if requested?)

Automatic Fraud Monitoring 

With fraud monitoring, you’ll be able to detect suspicious activity before you ship items to winners.

Payment providers monitor for suspicious activity automatically—multiple failed payments, high-risk transactions, or previous suspicious activity from a buyer. You'll be notified if your platform detects potential fraud.
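The signals listed above (repeated failures, several cards from one account, a high-value charge with a country mismatch), turned into rule-based scoring over a constructed batch of payment events. This is an added illustration, not the page’s or any processor’s real rules; the thresholds and the event format are assumptions, and the sample events are made up to reproduce the luxury-watch scenario from earlier in the article.

```python
"""Added example: rule-based fraud scoring before winning bids are shipped.
Hypothetical rules and thresholds; SAMPLE_EVENTS is constructed data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentEvent:
    ts: int                # unix seconds
    bidder: str
    amount_cents: int
    status: str            # "succeeded" or "failed"
    card_country: str      # issuer country from the card's BIN
    ip_country: str        # geolocated from the bidder's IP address
    card_fingerprint: str  # processor-assigned id for a card, never the PAN


# Constructed sample: b42 cycles through four cards in five minutes, then a
# $3,000 charge succeeds while the card and IP countries disagree.
SAMPLE_EVENTS = [
    PaymentEvent(1000, "b42", 300_000, "failed", "US", "NG", "card_a"),
    PaymentEvent(1100, "b42", 300_000, "failed", "US", "NG", "card_b"),
    PaymentEvent(1200, "b42", 300_000, "failed", "US", "NG", "card_c"),
    PaymentEvent(1300, "b42", 300_000, "succeeded", "US", "NG", "card_d"),
    PaymentEvent(1500, "b07", 5_000, "succeeded", "US", "US", "card_e"),
    PaymentEvent(1600, "b13", 12_000, "failed", "CA", "CA", "card_f"),
    PaymentEvent(1700, "b13", 12_000, "succeeded", "CA", "CA", "card_f"),
]


def score_events(events, window_s: int = 600, high_value_cents: int = 100_000):
    """Return {bidder: (score, reasons)}; a higher score is more suspicious."""
    by_bidder = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_bidder[e.bidder].append(e)

    results = {}
    for bidder, evs in by_bidder.items():
        score, reasons = 0, []

        # Rule 1: three or more failed attempts inside one sliding window.
        fails = [e.ts for e in evs if e.status == "failed"]
        if any(fails[i] - fails[i - 2] <= window_s for i in range(2, len(fails))):
            score += 40
            reasons.append(f"3+ failed payments within {window_s}s")

        # Rule 2: several distinct cards tried by one account (card testing).
        cards = {e.card_fingerprint for e in evs}
        if len(cards) >= 3:
            score += 30
            reasons.append(f"{len(cards)} distinct cards")

        # Rule 3: a successful high-value charge with a country mismatch.
        if any(e.status == "succeeded" and e.amount_cents >= high_value_cents
               and e.card_country != e.ip_country for e in evs):
            score += 30
            reasons.append("high-value charge with card/IP country mismatch")

        results[bidder] = (score, reasons)
    return results


def hold_for_review(results, threshold: int = 50):
    """Bidders whose wins should not ship until someone looks at them."""
    return sorted(b for b, (score, _) in results.items() if score >= threshold)
```

Run against the sample, b42 scores on all three rules and lands on the review hold, while the two ordinary bidders (one of whom had a single innocent failed payment) score zero. Real processors use far richer models, but the operational lesson is the same: a hold decision should exist between “payment succeeded” and “item shipped.”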

Chargeback Protection

Chargebacks happen when a cardholder disputes a charge with their bank—either because the card was stolen, they don't recognize the charge, or they're claiming they didn't receive what they paid for.

When a chargeback occurs, the bank pulls the funds back from your account, and you're out both the money and the item. Good auction platforms help protect you with:

  • Holding periods - Funds may be held for a few days or weeks after your auction closes before being transferred to your bank account. This gives time to catch fraudulent transactions or disputed charges.
  • Dispute management - The payment processor handles the chargeback process, gathering transaction details and fighting illegitimate disputes on your behalf.
  • Documentation - Platforms automatically collect proof of the transaction (bid records, checkout confirmation, item descriptions) which can be used as evidence if you need to contest a chargeback.

Admin Permission Controls

Not everyone on your team needs access to all donor information. Even staff and volunteers with good intentions can fall for phishing scams, and an account that can see everything is worth far more to an attacker. One estimate attributes around 60% of data breaches to insiders, and within that share a large majority is linked to error, carelessness, or negligence rather than malice.

Permission controls let you assign different access levels, controlling who can view full donor contact details, export donor lists, or process refunds. For example, administrators might have full access while volunteers can only check in guests and process payments without viewing donor history. Also look for an audit log showing who viewed, exported, or changed what, so a mistake or a compromised account can be traced.
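The admin/volunteer split described above, as an added example (hypothetical roles and actions; not CharityAuctions.com’s permission model): a deny-by-default role table, a donor view that masks the fields a role may not see, and an audit log that records every export attempt, allowed or not. The donor record is constructed.

```python
"""Added example: deny-by-default role permissions with redaction and audit.
Roles, actions and the donor record are illustrative, not the platform's."""
from dataclasses import dataclass, field

# Every permitted action is listed explicitly; anything unlisted is denied.
ROLE_PERMISSIONS = {
    "admin": {
        "check_in_guest", "process_payment", "view_donor_contact",
        "view_donation_history", "export_donors", "process_refund", "manage_roles",
    },
    "treasurer": {"view_donor_contact", "view_donation_history", "process_refund"},
    "volunteer": {"check_in_guest", "process_payment"},
}

# Fields anyone at the check-in desk needs; everything else is gated.
CHECK_IN_FIELDS = {"donor_id", "name", "table"}

SAMPLE_DONOR = {  # constructed record
    "donor_id": "d-1001",
    "name": "Pat Example",
    "table": 7,
    "email": "pat@example.org",
    "phone": "+1-555-0100",
    "history": [{"year": 2023, "amount_cents": 25_000}],
}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, actor: str, role: str, action: str, allowed: bool, target: str) -> None:
        self.entries.append({"actor": actor, "role": role, "action": action,
                             "allowed": allowed, "target": target})


def can(role: str, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions both return False."""
    return action in ROLE_PERMISSIONS.get(role, frozenset())


def donor_view(actor: str, role: str, donor: dict, audit: AuditLog) -> dict:
    """Return the donor record with fields the role may not see masked."""
    view = {}
    for key, value in donor.items():
        if key in CHECK_IN_FIELDS:
            view[key] = value
        elif key == "history":
            view[key] = value if can(role, "view_donation_history") else "[hidden]"
        else:  # contact details
            view[key] = value if can(role, "view_donor_contact") else "[hidden]"
    audit.record(actor, role, "view_donor", True, donor["donor_id"])
    return view


def export_donors(actor: str, role: str, donors: list, audit: AuditLog) -> list:
    """Bulk export is the riskiest action, so it is gated and always logged."""
    allowed = can(role, "export_donors")
    audit.record(actor, role, "export_donors", allowed, f"{len(donors)} records")
    if not allowed:
        raise PermissionError(f"role {role!r} may not export donor lists")
    return [dict(d) for d in donors]
```

A volunteer calling donor_view() gets the name and table number and “[hidden]” for everything else; a treasurer sees contact details and history but is still refused an export, and the refusal is itself written to the audit log.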

Real-Time Invoice Monitoring

Look for real-time invoice statuses like “Paid,” “Pending,” “Failed,” etc.

Beyond seeing payment statuses, good platforms give you tools to manage outstanding invoices efficiently. Look for features that let you filter unpaid invoices, send automated payment reminders to winning bidders, or export invoice data for your accounting records.

Quick-Reference Security Checklist

Here’s a quick reference list of questions you may want to ask your platform (or use this as your security checklist):

  • Are you PCI DSS compliant, and can you share your Attestation of Compliance?
  • Is data encrypted in transit (HTTPS) and at rest?
  • Do you enforce password requirements?
  • Do you offer two-factor authentication?
  • Which payment processor do you use, and do card numbers ever touch your servers?
  • How quickly do you apply security patches?
  • What are your data retention and deletion policies?
  • Do you monitor for fraud?
  • Do you have chargeback protections?
  • Do you have admin permission controls and an audit log?
  • How do I track invoices?

(Image: security questions to ask your charity auction platform.)

Trusted Charity Auction Software

CharityAuctions has been trusted by over 50,000 organizations and over one million bidders.

Our software is PCI compliant, uses Stripe for secure payments, offers automatic fraud and chargeback protections, and we have strict security standards. 

Create your account today and explore our features for free.

Or read our complete Nonprofit’s Guide to Auction Software Security.

Frequently Asked Questions

What are essential security features for online charity auction platforms?

At minimum: HTTPS, PCI DSS compliance, and off-platform (tokenized) storage of payment data. Two-factor authentication, admin permission controls, and fraud and chargeback protection round out the list above.

What should I do if my nonprofit experiences a data breach?

Work with your auction platform and payment processor to contain the incident and confirm what was exposed, notify affected donors promptly, and report the breach to the relevant authorities: US state breach-notification laws set their own deadlines, GDPR requires notifying the supervisory authority within 72 hours where EU donors are affected, and a breach involving card data must also be reported to your payment processor. Document everything and review your security practices to prevent a repeat.

What happens if a bidder disputes a charge?

The payment provider handles the chargeback process automatically. Funds are typically held 7-14 days after your auction to resolve any disputes. You're notified if issues arise, and the system gathers transaction documentation to contest illegitimate chargebacks.

How often should we update our auction platform passwords?

Advice varies: some sources still suggest changing passwords every 3 months, others once a year. Current NIST guidance (SP 800-63B) recommends against forced periodic changes, because they push people toward weaker, predictable passwords. Change a password when you have reason to think it was exposed, make every password unique, and turn on two-factor authentication for admin accounts.
