Online Tithing: Balancing Convenience with Security

Screen vendors and follow anti-fraud measures

As finances move more and more into the digital world, online giving has emerged as a convenient option for accepting donations. Just as ministries protect the tithes they receive in the offering plate on Sunday mornings, they should take care to protect online gifts and donors.

“Online giving can be done safely,” says Jason Lee, IT director at Northwoods Community Church in Peoria, Illinois. “We just have to be wise in the decisions we make and guard our organizations and our donors appropriately.”

The primary issue to consider is the storage of financial information. When a church stores its donors’ credit card numbers or bank information, it becomes responsible for guarding that information. If someone steals the information and runs up fraudulent charges, the church could be legally obligated to pay for the damages. The church also may be required to notify donors of the data breach, which takes time and money.

Choose a Reputable Vendor

Lee says his church pays a third-party vendor to process online donations, which helps keep sensitive data off the church’s computers. He says there are plenty of trustworthy options for securing donors’ financial data, from church management software programs to web-based services.

When searching for a reputable partner, be sure to look for:

• Data encryption. Ask each vendor how it guards customers’ data. A secure partner will use Secure Socket Layer (SSL) encryption, which protects information from online thieves. When a site has an SSL Certificate, a padlock appears on the donor’s Internet browser bar, indicating that the transaction is secure. Vendors should certify that they comply with Payment Card Industry (PCI) Data Security Standards, a set of guidelines that help keep financial information secure on the Internet. Request a certificate of compliance from vendors each year to verify that they continue to follow PCI standards. It’s possible that a ministry could be held responsible if it fails to ensure that online giving systems are PCI compliant.
• Security notifications. Online donations should always be routed directly into ministry bank accounts. If someone makes changes that route the donations elsewhere, your vendor should notify multiple people to verify that the changes are legitimate.
• Options for forms of payment. Some ministries choose not to accept donations via credit card, opting instead for e-checks and bank drafts, which do not involve debt. Choose a partner that gives your ministry options when it comes to the forms of payment it will accept.
• Donor access to their giving records. Some providers allow donors to view their online giving records on demand. This convenient feature adds a layer of transparency to the process.

As you weigh your options, ask colleagues from other ministries for referrals. You also may want to ask the vendor for referrals from its other ministry customers. These referrals can give you a better idea about the vendor’s reputation and work quality. Also, remember to evaluate any fees that the vendor will charge. Once you choose a vendor, ask your ministry attorney to review any agreement before signing.

Remember the Basics

Your ministry probably already takes steps to protect the checks and cash that come in the offering plate each Sunday. Many of these traditional anti-fraud measures can be applied to online donations, too. Consider these steps:

• Reconcile donation reports with banking statements. Your donations software should produce reports that detail the amounts given online. Compare this report with your banking statements to verify that all online donations are being deposited correctly.
• Send reports to multiple people. Keep several sets of eyes on the ministry’s financial records, including online donation reports. This can help you quickly respond to honest mistakes and suspicious activity.
• Use strong passwords. As with any banking or accounting technology, use strong passwords and keep them hidden to help prevent unauthorized access. If possible, use multi-factor authentication, which requires users to enter more information than just a username and password to gain access. Only share passwords with those who need them.

Check Your Insurance Coverage

High-profile data breaches serve as reminders that even major companies are not immune from cybersecurity threats. Review your ministry’s insurance policy and ask about cyber liability coverage. This coverage often includes protection against many of the expenses related to data breaches, such as notification expenses, credit monitoring costs, and potential fines. Some coverages even apply to third-party technology vendors who maintain your ministry’s website, but coverage generally does not extend to an online giving platform operated by a third party.

To test your knowledge on financial controls, take our Fraud Prevention Quiz.

Additional Links

• Financial Controls Checklist
• Offerings and Disbursements Checklist
• Evaluating Your Next Vendor