FundSvcs Community

Β View Only

  • 1.  GiveCampus/Stripe Fraud Checks

    Posted 02-12-2024 03:45 PM

    Good evening!  We are current GiveCampus customers who are using their platform to host a student led dance marathon, where they are using personalized pages to do peer-to-peer fundraising.

    We started getting really strange output files and so did a few tests, to discover it doesn't appear there is any validation happening between Stripe (the GC payment processor) and what the user is entering.  So the student enters Aunt Sally as the "donor name" and that is being carried through on the payment form as the Card Name, and any zip code will work to process the gift.

    Has anyone else has run into these issues?  We have compliance concerns that because the name of the donor, the name on the card, and the basic zip code checks aren't happening, that we have issued tax receipts to people who are not the card holders/hard credit donor.  My constituent team is catching the Aunt Sally ones (hopefully!) but we have found things like dog names and others random things being carried all the way through to processing, and it's very difficult to figure out after the fact who the actual donor is.

    Thanks!



    ------------------------------
    Aimee Fitzgerald
    Assistant Vice President
    Advancement Services
    University of Louisville
    aimee.fitzgerald@louisville.edu
    ------------------------------


  • 2.  RE: GiveCampus/Stripe Fraud Checks

    Posted 02-12-2024 04:28 PM
    Hi Aimee,

    While Stripe performs an address verification checks (AVS) for every payment, all that check does is report back a code based on whether there is a match, or if not, then what type of mismatch might exist. The default setting in many Stripe payment products is to block payments that fail AVS, but GiveCampus may have chosen to change this setting, since mismatches do not necessarily mean the payment is not legitimate. GiveCampus is likely relying more on the CVC/CVV verification to keep fraudulent transactions under control. 

    Stripe, and most payment processors, generally don't use name-checking for card verification, for lots of reasons. Name verification is more common in card-present transactions, eg the store asking to see ID that matches your card. 

    Credit card transactions do not offer watertight evidence of who is truly the donor. The name on the card simply means that the person is authorized to obligate the account-holder to pay, it does not mean that the person on the card is the actual donor. For example, my son holds a credit card with his name, but my account. We've run into similar issues with other clients, and the guidance we've developed is to rely on the donor's representation of who the donor is, regardless of the name on the credit card. If you're getting truly weird stuff, like Boaty McBoatface, coming through, it's worth addressing the data input side and making sure that the payment forms are communicating clearly to donors that they need to put in their actual names to receive a tax receipt. Keep in mind, too, that you're not actually required to issue receipts for most of these payments, and that most donors are not itemizing. If a donor isn't providing you enough information to issue a reasonable receipt, you can simply not issue one, and record the gift to a 'unknown donors' account.


    Thank you,
    Isaac Shalev
    Data Strategy Expert
    Sage70, Inc.
    (917) 859-0151
    isaac@sage70.com

    Schedule a 30-minute consultation now:




    Original Message


  • 3.  RE: GiveCampus/Stripe Fraud Checks

    Posted 02-13-2024 09:12 AM

    Thanks Isaac – yes to the Boaty McBoatface!   That's the kind of garbage coming in.  I guess my concern is that it did not appear that security checks were happening at all based on what was coming back, so your response is somewhat reassuring.  It is concerning that GiveCampus can turn off that AVS check and rely solely on the CVC/CVV verification.  I'm not sure I have made any other online transactions that would accept my card without a valid zip.

     

    The receipting/data integrity issues in many cases boil down to all of the manual work having to look at each transaction and fix, which would be much simpler if the data forms provided the correct information to begin with! 

     

    Thanks for the response!

     




    Original Message


  • 4.  RE: GiveCampus/Stripe Fraud Checks

    Posted 02-13-2024 09:15 AM

    Interesting. 

    I assume you've inquired with GC. What was their response? 



    ------------------------------
    Jeff Baynham
    NC State University
    jtbaynha@ncsu.edu
    ------------------------------

    Original Message


  • 5.  RE: GiveCampus/Stripe Fraud Checks

    Posted 02-13-2024 09:30 AM

    GC's initial response was to "check with Stripe" and a link Stripe for my security concerns – since that's the payment processor.  My annual giving person is scheduling a call with our client service manager to see if there are changes we can make to the forms, but that is not yet scheduled, and the dance marathon is going on right now.

     

    My question for this group is how do you all handle this stuff – it would seem as though we can't be the only ones having this problem, because our students can't be the only ones creatively entering their sponsors. 😊

     

     

     




    Original Message


  • 6.  RE: GiveCampus/Stripe Fraud Checks

    Posted 02-14-2024 09:01 AM

    We use GC as well and have this issue when we do our athletics giving day.  Students (and sometimes alumni) can be very creative.  We often get the actual name in the paid_name field vs the donor_name field, but not always.  When we get "Schnitzel Barnes' Cat" (not joking), we can often identify the actual donor by their email.  When that fails, we simply record it under the Anonymous donors record.  It's annoying, but we haven't had a gift like this sizeable enough to be overly concerned about.



    ------------------------------
    Courtney Sims
    Bucknell University
    courtney.sims@bucknell.edu
    ------------------------------

    Original Message


  • 7.  RE: GiveCampus/Stripe Fraud Checks

    Posted 02-13-2024 10:47 AM
    One last point regarding the zip code verification. AVS checks the street number and the zip code and returns a code to indicate whether there was a full match, a partial match (and what type of partial match), or no match. How the payment processor is set up to respond to those codes varies, but often partial matches are allowed. If you were testing with the correct street number, but an incorrect zip, it's not unreasonable for that transaction to be put through. I would test to see if the transaction goes through when both zip and street are incorrect. That should fail, and if it did not, it would indicate a more substantial concern. 


    Thank you,
    Isaac Shalev
    Data Strategy Expert
    Sage70, Inc.
    (917) 859-0151
    isaac@sage70.com

    Schedule a 30-minute consultation now:





    Original Message


Related Content