Fraud Management
To protect your organization from fraudulent activity, Blackbaud Merchant Services uses several risk-mitigating measures.
Admins can configure fraud management settings within the Blackbaud Merchant Services Web Portal. For more information, see Manage Account Configurations.
Note: Forms and solutions using Blackbaud's new checkout experience, such as Blackbaud Donation Forms and Luminate Online, apply industry best practice settings for AVS levels, CSC levels, and supported card types.
Card Security Code (CSC) check
The CSC or Card Verification Value (CVV or CVV2) is a three- or four-digit number printed on the credit card. It ensures the submitter possesses the physical credit card.
Tip: Find the Visa, Mastercard, and Discover CSC in the signature area on the back of the credit card. It is the three-digit number following the signature stripe. Find the American Express four-digit CSC imprinted on the front of the card.
The CSC check occurs before the payment is processed. Possible levels include:
-
None (recommended) — Performs no CSC check. This is the default, recommended setting. When set to None, conversion rates improve for legitimate transactions without increasing the risk of fraud.
-
Full — Accepts transactions only when the CSC value matches with the issuing bank.
-
Light — Accepts transactions only when the CSC value matches with the issuing bank. If the issuing bank does not participate in CSC checks, transactions pass the check.
Address Verification Service (AVS) check
Used in the United States, United Kingdom, and Canada, AVS matches the cardholder’s credit card billing address with the address on file at the credit card company.
The AVS check completes before the transaction processes. Possible levels include:
-
None (recommended) — Accepts all transactions regardless of incorrect data. This is the default, recommended setting. When set to None, conversion rates improve for legitimate transactions without increasing the risk of fraud.
-
Light — Accepts transactions when either the numeric part of the street address or zip code match or when either aren't checked/verified.
-
Medium — Accepts transactions when either the numeric part of the street address or zip code match.
-
Full — Accepts transactions only when both the numeric part of the street address and zip code match.
Tip: Experiencing high failure rates from your non-US donors? Try reducing your AVS level to None, as some banks outside of the United States may not support AVS.
For example, if the cardholder’s address is 65 Fairchild St, Charleston, SC 29492, AVS performs as follows:
| Address entered by cardholder | AVS level | Result |
|---|---|---|
| 65 Fairchild St, Charleston, SC 29492 | Full, Medium, Light or None | Pass |
| 65 Fairchild Drive, Charleston, SC 29492 | Full, Medium, Light or None | Pass |
| 64 Fairchild St, Charleston, SC 29492 | Light, Medium, None | Pass |
| 64 Fairchild St, Charleston, SC 29492 | Full | Fails numeric check |
| 64 Fairchild St, Charleston, SC 29490 | None | Pass |
reCAPTCHA
Blackbaud Checkout uses various versions of reCAPTCHA from Google to fight bots and malicious attacks against your forms. With v3, advanced machine learning identifies threats and verifies that a human is trying to transact. With v2, the payer confirms they are a human in order to complete the transaction.
If the transaction is suspicious, Blackbaud Checkout may display reCAPTCHA v2. This provides added security while ensuring legitimate payers can complete their transactions.
Note: For Blackbaud Raiser's Edge NXT, Blackbaud eTapestry, Blackbaud Luminate Online, and Online Express forms, Blackbaud Checkout manages the reCAPTCHA version for you.
Tip: Some forms allow you to add reCAPTCHA manually. If you're using an additional version of reCAPTCHA on a form that also processes transactions through Blackbaud Checkout, we recommend you modify the reCAPTCHA version to v3 to reduce donor complaints and drop-offs.
Additional fraud prevention measures
Risk score
In addition to industry-standard features, Blackbaud Merchant Services generates a default risk score. Transactions with the greatest risk get the highest score and those that exceed the risk threshold are automatically rejected.
Blackbaud Merchant Services rejects transactions based on certain risk factors, such as when:
-
The transaction comes from an anonymous proxy. Anonymous proxies help cybercriminals hide their true locations.
-
The Bank Identification Number (BIN) or Issuer Identification Number (IIN) doesn’t match the cardholder’s billing address on file with the issuing bank.
Note: The BIN or IIN is an international standard, used to identify the banking institution, the cardholder's billing address and validate the intended payment.
-
The transaction comes from a high-risk country. For more information, see what countries are blocked by Blackbaud.
-
The credit card number, card type, and expiration date occur frequently within a short duration — also known as account velocity.
Tip: To receive an email when fraudulent transactions occur, subscribe to notifications. For more information, see Manage Notification Settings.
Three Domain Secure (3DS or 3D Secure)
Necessary in Europe, 3DS authentication acts as an added layer of security when taking card payments online. Major credit card brands — such as Visa® (Visa Secure) and Mastercard® (Mastercard SecureCode) — use 3DS. It requires cardholders use two-factor authentication to verify their transaction.
3DS is automatically enabled for all Blackbaud Merchant Services configurations.