Fraud Management
To protect your organization from fraudulent activity, Blackbaud Merchant Services uses several risk-mitigating measures.
Admins can configure industry-standard fraud management settings — such as Card Security Code (CSC) checks and Address Verification Service (AVS) settings — within the Blackbaud Merchant Services Web Portal. For more information, see Account Configurations.
The CSC or Card Verification Value (CVV or CVV2) is a three- or four-digit number printed on the credit card. It ensures the submitter possesses the physical credit card. The CSC check occurs before the payment is processed.
Tip: Find the Visa, Mastercard, and Discover CSC in the signature area on the back of the credit card. It is the three-digit number following the signature stripe. Find the American Express four-digit CSC imprinted on the front of the card.
Security levels include:
- None — Performs no CSC check.
- Full — Accepts transactions only when the CSC value matches with the issuing bank. This is the default setting.
- Light — Accepts transactions only when the CSC value matches with the issuing bank. If the issuing bank does not participate in CSC checks, transactions pass the check.
Note: The CSC recommendations may vary based on your solution and your legal or security requirements for credit card processing.
Used in the United States, United Kingdom, and Canada, AVS matches the cardholder’s credit card billing address with the address on file at the credit card company.
The AVS check completes before the transaction processes. There are four possible levels:
- Full — Accepts transactions only when both the numeric part of the street address and the zip code match.
- Medium — Accepts transactions when either the numeric part of the street address or the zip code matches. This is the most common option for accounts processing in USD.
- Light — Accepts transactions when either the numeric part of the street address or the zip code matches, or when either isn't checked/verified.
- None (recommended) — Accepts all transactions regardless of incorrect data. Address Verification Service (AVS) account configurations now default to None. With this setting, legitimate transactions process without increasing the risk of fraud, which improves conversion rates. Previously, the AVS level defaulted to Light.
Tip: Experiencing high failure rates from your non-US donors? Try reducing your AVS level to Light or None, as some banks outside of the United States may not support AVS.
For example, if the cardholder’s address is 65 Fairchild St, Charleston, SC 29492, AVS performs as follows:
Address entered by cardholder | AVS level | Result |
---|---|---|
65 Fairchild St, Charleston, SC 29492 | Full, Medium, Light or None | Pass |
65 Fairchild Drive, Charleston, SC 29492 | Full, Medium, Light or None | Pass |
64 Fairchild St, Charleston, SC 29492 | Light, Medium, None | Pass |
64 Fairchild St, Charleston, SC 29492 | Full | Fails numeric check |
64 Fairchild St, Charleston, SC 29490 | None | Pass |
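
The AVS levels and the table above expressed as decision logic, in an added example that is not Blackbaud's code. The `Field` states, the function names and the US-style address parsing are assumptions made for illustration; the last case shows what each level does when the issuing bank does not verify addresses at all.

```python
import re
from enum import Enum

class Field(Enum):
    MATCH = 1
    NO_MATCH = 2
    NOT_CHECKED = 3   # issuer did not verify this field (assumed state name)

def _street_number(addr):
    m = re.match(r"\s*(\d+)", addr)                  # numeric part of the street address
    return m.group(1) if m else None

def _zip_code(addr):
    m = re.search(r"(\d{5})(?:-\d{4})?\s*$", addr)   # assumes a US-style ZIP at the end
    return m.group(1) if m else None

def _compare(entered, on_file, issuer_supports_avs):
    if not issuer_supports_avs or on_file is None:
        return Field.NOT_CHECKED
    return Field.MATCH if entered == on_file else Field.NO_MATCH

def avs_accepts(level, entered, on_file, issuer_supports_avs=True):
    """Return True if the entered billing address passes the given AVS level."""
    results = (
        _compare(_street_number(entered), _street_number(on_file), issuer_supports_avs),
        _compare(_zip_code(entered), _zip_code(on_file), issuer_supports_avs),
    )
    if level == "None":
        return True                                   # accepts regardless of the data
    if level == "Full":
        return all(r is Field.MATCH for r in results)
    either_match = any(r is Field.MATCH for r in results)
    if level == "Medium":
        return either_match
    if level == "Light":                              # also passes unverified fields
        return either_match or any(r is Field.NOT_CHECKED for r in results)
    raise ValueError(f"unknown AVS level: {level}")

ON_FILE = "65 Fairchild St, Charleston, SC 29492"     # address from the example above

def passing_levels(entered, issuer_supports_avs=True):
    """List the AVS levels at which the entered address would be accepted."""
    return [lvl for lvl in ("Full", "Medium", "Light", "None")
            if avs_accepts(lvl, entered, ON_FILE, issuer_supports_avs)]

if __name__ == "__main__":
    for addr in ("65 Fairchild Drive, Charleston, SC 29492",
                 "64 Fairchild St, Charleston, SC 29492",
                 "64 Fairchild St, Charleston, SC 29490"):
        print(addr, "->", passing_levels(addr))
    print("issuer without AVS ->", passing_levels(ON_FILE, issuer_supports_avs=False))
```
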
Blackbaud Checkout uses various versions of reCAPTCHA from Google to fight bots and malicious attacks against your forms. With v3, advanced machine learning identifies threats and verifies that a human is trying to transact. With v2, the payer confirms they are a human in order to complete the transaction.
If the transaction is suspicious, Blackbaud Checkout may display reCAPTCHA v2. This provides added security while ensuring legitimate payers can complete their transactions.
Note: For Blackbaud Raiser's Edge NXT, Blackbaud eTapestry, and Online Express forms, Blackbaud Checkout manages the reCAPTCHA version for you.
Tip: Some forms allow you to add reCAPTCHA manually. If you're using an additional version of reCAPTCHA on a form that also processes transactions through Blackbaud Checkout, we recommend you modify the reCAPTCHA version to v3 to reduce donor complaints and drop-offs.
Risk score
In addition to industry-standard features, Blackbaud Merchant Services generates a default risk score. Transactions with the greatest risk get the highest score and those that exceed the risk threshold are automatically rejected.
Blackbaud Merchant Services rejects transactions based on certain risk factors, such as when:
- The transaction comes from an anonymous proxy. Anonymous proxies help cybercriminals hide their true locations.
- The Bank Identification Number (BIN) or Issuer Identification Number (IIN) doesn’t match the cardholder’s billing address on file with the issuing bank.
  Note: The BIN or IIN is an international standard used to identify the banking institution and the cardholder's billing address, and to validate the intended payment.
- The transaction comes from a high-risk country. For more information, see what countries are blocked by Blackbaud.
- The credit card number, card type, and expiration date occur frequently within a short duration — also known as account velocity.
Tip: To receive an email when fraudulent transactions occur, subscribe to notifications. For more information, see Notifications.
Three Domain Secure (3DS or 3D Secure)
Necessary in Europe, 3DS authentication acts as an added layer of security when taking card payments online. Major credit card brands — such as Visa® (Visa Secure) and Mastercard® (Mastercard SecureCode) — use 3DS. It requires cardholders to use two-factor authentication to verify their transaction.
3DS is automatically enabled for all Blackbaud Merchant Services configurations.