Fraud Management
To protect your organization from fraudulent activity, Blackbaud Merchant Services uses several risk-mitigating measures.
Admins can configure fraud management settings within the Blackbaud Merchant Services Web Portal. For more information, see Manage Account Configurations.
Note: Solutions that use new checkout (such as Blackbaud Donation Forms, Luminate Online, and Raiser's Edge NXT) follow industry best practice settings for AVS levels, CSC levels, and supported card types. As a result, new checkout overrides the settings you configure in the web portal. This practice reduces fraud risk while increasing payment acceptance rates for your organization.
Card Security Code (CSC) check
The CSC or Card Verification Value (CVV or CVV2) is a three- or four-digit number printed on the credit card. Requiring the CSC helps ensure that the card details are accurate and that the person entering them has physical access to the card.
Tip: Find the Visa, Mastercard, and Discover CSC in the signature area on the back of the credit card. Find the American Express four-digit CSC imprinted on the front of the card.
The CSC check occurs before the payment is processed. Possible levels include:
- None — Performs no CSC check.
- Full — Accepts transactions only when the CSC value matches with the issuing bank.
- Light — Accepts transactions only when the CSC value matches with the issuing bank. If the issuing bank does not participate in CSC checks, transactions pass the check.
Address Verification Service (AVS) check
Used in the United States, United Kingdom, and Canada, AVS matches the cardholder’s credit card billing address with the address on file at the credit card company.
The AVS check completes before the transaction processes. Possible levels include:
- None — Accepts all transactions regardless of incorrect data.
- Light — Accepts transactions when either the numeric part of the street address or the zip code matches, or when either isn't checked/verified.
- Medium — Accepts transactions when either the numeric part of the street address or the zip code matches.
- Full — Accepts transactions only when both the numeric part of the street address and the zip code match.
For example, if the cardholder’s address is 65 Fairchild St, Charleston, SC 29492, AVS performs as follows:
| Address entered by cardholder | AVS level | Result |
|---|---|---|
| 65 Fairchild St, Charleston, SC 29492 | Full, Medium, Light or None | Pass |
| 65 Fairchild Drive, Charleston, SC 29492 | Full, Medium, Light or None | Pass |
| 64 Fairchild St, Charleston, SC 29492 | Light, Medium, None | Pass |
| 64 Fairchild St, Charleston, SC 29492 | Full | Fails numeric check |
| 64 Fairchild St, Charleston, SC 29490 | None | Pass |
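The AVS levels and the table above, expressed as decision logic. This is an added illustration, not Blackbaud Merchant Services code; the function names and the address parsing (leading street number, trailing five-digit zip code) are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Added illustration of the AVS levels described on this page (assumed names).
# A component result is True (match), False (mismatch) or None (not checked/verified).
ON_FILE = "65 Fairchild St, Charleston, SC 29492"  # the page's example address
LEVELS = ("None", "Light", "Medium", "Full")

def street_number(address: str) -> Optional[str]:
    """Numeric part of the street address, e.g. '65' from '65 Fairchild St'."""
    m = re.match(r"\s*(\d+)", address)
    return m.group(1) if m else None

def zip_code(address: str) -> Optional[str]:
    """Trailing five-digit zip code (assumes US-style addresses)."""
    m = re.search(r"(\d{5})(?:-\d{4})?\s*$", address)
    return m.group(1) if m else None

def compare(entered: str, on_file: str) -> Tuple[Optional[bool], Optional[bool]]:
    """Return (street_match, zip_match); None when a part cannot be extracted."""
    def same(a: Optional[str], b: Optional[str]) -> Optional[bool]:
        return None if a is None or b is None else a == b
    return (same(street_number(entered), street_number(on_file)),
            same(zip_code(entered), zip_code(on_file)))

def avs_accepts(level: str, street: Optional[bool], zip_: Optional[bool]) -> bool:
    """Apply one AVS level to the two component results."""
    if level == "None":
        return True                      # accepts regardless of incorrect data
    if level == "Light":                 # either matches, or either is unverified
        return street is True or zip_ is True or street is None or zip_ is None
    if level == "Medium":                # either matches
        return street is True or zip_ is True
    if level == "Full":                  # both must match
        return street is True and zip_ is True
    raise ValueError(f"unknown AVS level: {level}")

def evaluate(entered: str, on_file: str = ON_FILE) -> Dict[str, bool]:
    """Outcome of every AVS level for one entered address."""
    street, zip_ = compare(entered, on_file)
    return {level: avs_accepts(level, street, zip_) for level in LEVELS}

if __name__ == "__main__":
    for addr in ("65 Fairchild Drive, Charleston, SC 29492",
                 "64 Fairchild St, Charleston, SC 29492",
                 "64 Fairchild St, Charleston, SC 29490"):
        print(addr, evaluate(addr))
```

Only the street number and zip code are compared, which is why "Fairchild Drive" passes at every level while a wrong house number fails only at Full.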
reCAPTCHA
Blackbaud Checkout uses various versions of reCAPTCHA from Google to fight bots and malicious attacks against your forms. With v3, advanced machine learning identifies threats and verifies that a human is trying to transact. With v2, the payer confirms they are a human in order to complete the transaction.
If the transaction is suspicious, Blackbaud Checkout may display reCAPTCHA v2. This provides added security while ensuring legitimate payers can complete their transactions.
Note: For Blackbaud Raiser's Edge NXT, Blackbaud eTapestry, Blackbaud Luminate Online, and Online Express forms, Blackbaud Checkout manages the reCAPTCHA version for you.
Tip: Some forms allow you to add reCAPTCHA manually. If you're using an additional version of reCAPTCHA on a form that also processes transactions through Blackbaud Checkout, we recommend you modify the reCAPTCHA version to v3 to reduce donor complaints and drop-offs.
Additional fraud prevention measures
Risk score
In addition to industry-standard features, Blackbaud Merchant Services generates a default risk score. Transactions with the greatest risk get the highest score and those that exceed the risk threshold are automatically rejected.
Blackbaud Merchant Services rejects transactions based on certain risk factors, such as when:
- The transaction comes from an anonymous proxy. Anonymous proxies help cybercriminals hide their true locations.
- The Bank Identification Number (BIN) or Issuer Identification Number (IIN) doesn’t match the cardholder’s billing address on file with the issuing bank.
  Note: The BIN or IIN is an international standard used to identify the banking institution and the cardholder's billing address, and to validate the intended payment.
- The transaction comes from a high-risk country. For more information, see what countries are blocked by Blackbaud.
- The credit card number, card type, and expiration date occur frequently within a short duration — also known as account velocity.
Tip: To receive an email when fraudulent transactions occur, subscribe to notifications. For more information, see Manage Notification Settings.
Three Domain Secure (3DS or 3D Secure)
Necessary in Europe, 3DS authentication acts as an added layer of security when taking card payments online. Major credit card brands — such as Visa® (Visa Secure) and Mastercard® (Mastercard SecureCode) — use 3DS. It requires cardholders to use two-factor authentication to verify their transaction.
3DS is automatically enabled for all Blackbaud Merchant Services configurations.