
The Nonprofit’s Guide to Auction Software Security

TL;DR

Sensitive data from millions of donors was leaked during the 2020 Blackbaud breach. Learn how to protect your donors and your team by choosing secure auction software.


In 2020, hackers got access to the data of millions of donors when they breached Blackbaud, a software platform used by nonprofits for fundraising, donor management, and more.

They accessed sensitive donor data like financial information and social security numbers. This was used in attempted identity theft of victims and was a huge scare for many nonprofits and organizations.

What led to such a severe data breach? Here’s what we know from the FTC report:

  • The site had poor encryption.
  • They failed to monitor for suspicious activity.
  • Blackbaud had poor password controls.
  • They didn’t have proper data deletion practices.
  • They fell behind on security updates.

In short, best security practices weren’t followed. 

So as a customer, how can you verify that your fundraising software or charity auction software actually has proper security? How can you avoid putting your donors and your team at risk?

In this article, we’ll cover what to look for in your software (with an emphasis on auction platforms). And if you’re a customer with us here at CharityAuctions.com, we’ve listed our security features at the end of this article so you know how you’re protected.

How to Verify Your Charity Auction Software is Secure as a Customer


  1. Look for features that protect donors.

  2. Look for features that protect your nonprofit.

  3. Verify their payment methods.

  4. Check for donor privacy controls.

  5. Ask questions before you buy.


1. Software Security Features That Protect Donors

To protect donor data as a customer, your nonprofit can look for certain security features:

  • Encryption - Look for URLs that start with HTTPS. Some browsers have a little lock icon for HTTPS encrypted pages. Also verify that the platform encrypts stored data in their databases.
  • PCI compliance - Being PCI compliant means meeting strict security standards for handling payment info.
  • Two-factor authentication (or multi-factor authentication) - This extra step prevents unauthorized access even if passwords are compromised.
  • Off-platform data processing - Look for platforms that use third-party payment providers like Stripe or PayPal. With these services, credit card information is processed and stored by the payment provider, not on the auction platform itself. This reduces security risks. More about this in Section 3 below.

Pay attention to how your software stores sensitive donor data.

2. Software Security Features That Protect Your Nonprofit 

While rare, your nonprofit may run across scammers or bidder fraud at your auction.

Fraud happens when someone places bids with no intention of paying, uses stolen credit cards, or disputes charges after winning items (AKA a chargeback).

For example: Someone bids $3,000 on a luxury watch using a stolen credit card. They win the item, you ship it, and two weeks later the real cardholder disputes the charge. You lose both the watch and the $3,000.

A more common scenario that you may run into is a failed credit card payment. This can still cause issues for your nonprofit if the winner doesn’t resolve the payment.

Here's what good platforms provide to protect your nonprofit:

  • Automatic fraud monitoring 
  • Chargeback prevention measures - This might involve waiting periods to withdraw funds or dispute management.
  • Real-time transaction monitoring - Look for real-time invoice statuses like “Paid,” “Pending,” “Failed,” etc.

3. Most Secure Payment Methods for Auction Platforms

The most secure payment method for your auction software is any certified third-party payment provider.

With third-party payment providers, donors still pay directly on the auction platform, but payment data is processed off-platform. Auction platforms using processors do not store full credit card information.

Using third-party processors that have much more robust security reduces risk. It's a great way to keep sensitive donor information protected from attacks like the Blackbaud ransomware attack.

Here are some trusted payment providers that protect your payments:

Pay attention to how your auction software handles payments.

4. Donor Privacy Controls

Security and privacy go together. Make use of any controls your platform gives you to keep donor information private:

  • Anonymous donations - Look for options that allow donors to remain anonymous to the public while you track contributions internally. Some donors love public recognition, others prefer to give quietly. 
  • Admin permission controls - Only give authorized staff the ability to view sensitive donor info.
  • Easy data deletion - Privacy laws give people the right to request deletion of their personal information. This includes names, email addresses, phone numbers, mailing addresses, and donation history.

5. Security Questions to Ask Before You Buy Your Auction Software

Find your platform’s security features on their help page or support page. If they don’t list every security protocol, the quickest way to get answers is to simply ask!

Questions to Ask About Payment Security:

  • Are you PCI compliant? 
  • Do all payments go through a certified payment provider?
  • How do you handle chargebacks and payment disputes?

Questions to Ask About Data Protection:

  • Can we control who on our team has access to donor information?
  • Can donors donate anonymously?

Questions to Ask About Security Protocols:

  • How often do you update the platform’s security?
  • What are your data deletion protocols?
  • Do you encrypt stored data in your databases?

Ask your software provider directly about their security guidelines.

CharityAuctions Security Features

We’ve served nonprofits for almost 20 years and keeping our customers safe has always been a priority.

At CharityAuctions, we keep you secure with:

If you have any questions about security or run into a security issue, please reach out to us. Our customer service team is available 24/7.

Frequently Asked Questions

What are essential security features for online charity auction platforms?

HTTPS encryption, PCI compliance, and off-platform payment data storage.

What are the most secure payment methods for online auctions?

Third-party credit card processing (Stripe, Authorize.net), and digital wallets (Apple Pay, Google Pay, PayPal). With these methods, credit card numbers are stored in more secure payment sites instead of the auction platform.

How do platforms ensure donor privacy?

Look for privacy controls that let you hide donor names or display only certain info. Donors should be able to stay anonymous to the public while you track contributions internally. Contact information should only be visible in your admin area, and you should control who on your team can access or export donor data.

What does PCI compliance mean?

It's a certification showing the platform meets strict security standards for handling credit card information.

How does data deletion work?

Some privacy laws (GDPR, CCPA) require platforms to delete personal info (names, emails, addresses, bid history) within 30-45 days when requested. Payment providers keep some transaction records for tax/legal reasons.

What happens if a bidder disputes a charge?

If you’re using CharityAuctions.com, the platform and payment provider handle it automatically. Funds are typically held 7-14 days after your auction to resolve any disputes. You're notified if issues arise, but the system manages the process.

How is fraud detected?

Payment providers monitor for suspicious activity automatically—multiple failed payments, unusual bidding patterns, high-risk transactions. This happens behind the scenes without you doing anything.
