You are probably reading this document because you noticed a spike in the number of small donations made on your ShulCloud web site. Firstly, your site was not hacked. This is called fraudulent donations or donation spam; you can Google it and see it is a common problem across many, many web sites that accept donations.
Why are you getting all these fake or spammy donations? Good question. There are very bad people on the internet who buy and sell stolen credit cards. The vast majority of these cards are no longer valid, so the people who buy them want to find out which ones still work. The easy way to test a card is to make a small donation, something like $1, on a charity web site. If the donation goes through, the thief knows the card is valid and can be used to make larger purchases.
These credit cards are NOT being stolen from your web site. These credit cards are NOT from your member accounts. In fact, we do not even store credit card data on ShulCloud. We take security incredibly seriously and are constantly adding security features to prevent unauthorized people from accessing your data. One of the best ways to do this is to simply not store the information these bad people want. This is why we do not store credit card numbers on ShulCloud - we rely on your credit card processor (such as Authorize.net or Converge/Elavon) to store the credit card data.
How do you prevent people from testing credit cards on your web site? Well, the short answer is you cannot fully prevent it. But you can do certain things to lower the likelihood that you will be a target of donation spam. We use an invisible captcha on all donations and payments made by people who are not logged into your site - public site visitors. This captcha is maintained and monitored by Google, runs its checks in the background, and only asks the visitor to verify themselves when it detects suspicious behavior or decides that a computer (bot) rather than a person is visiting your site.
In addition, we offer and encourage use of a feature named "Public Payments Enhanced Security." This feature is a switch available on most credit card gateways under Admin Menu -> My Lists -> Gateways. It holds ALL payments received from people who are not logged in. If you enable this feature, ShulCloud will only process an authorization on the card, not the entire charge, and you will have to approve the transaction to actually run the charge. This means the credit card is not charged until you approve it. You will be emailed a link to the Pending Online Payments page (yourdomain/admin/online_payments.php?action=pending) on ShulCloud where you can Approve or Void these transactions. If you see or suspect a fraudulent payment, you can reject (void) it; that card won't be charged and the payment won't show up on your site. If you do not have this feature on, we recommend you turn it on today!
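Triage of the pending queue can be partly automated. As an added illustration that is not ShulCloud's own code, the following Python flags pending public payments that fit the pattern described above (several small donations from one address, each on a different card, within a few minutes); the sample records, their field layout and the thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of pending (authorization-only) payments, one tuple per
# payment: ISO timestamp, amount in dollars, client IP, last four digits of the
# card, and whether the payer was logged in. All values are made up.
PENDING = [
    ("2024-03-01T10:00:05", 1.00, "203.0.113.7", "4242", False),
    ("2024-03-01T10:00:41", 1.00, "203.0.113.7", "1881", False),
    ("2024-03-01T10:01:12", 2.00, "203.0.113.7", "0005", False),
    ("2024-03-01T10:01:50", 1.00, "203.0.113.7", "7777", False),
    ("2024-03-01T10:02:30", 1.00, "203.0.113.7", "3333", False),
    ("2024-03-01T11:30:00", 180.00, "198.51.100.4", "9999", True),
    ("2024-03-01T12:15:00", 18.00, "198.51.100.9", "1234", False),
]

SMALL_AMOUNT = 5.00          # card testers use $1-$2 "donations"
WINDOW = timedelta(minutes=10)
MIN_BURST = 4                # this many distinct cards in WINDOW is suspicious


def flag_card_testing(pending, small=SMALL_AMOUNT, window=WINDOW, min_burst=MIN_BURST):
    """Return the set of IPs whose pending public payments look like card testing.

    Only payments from visitors who were not logged in are considered, since
    those are the ones the Enhanced Security feature holds for approval.
    """
    by_ip = defaultdict(list)
    for ts, amount, ip, last4, logged_in in pending:
        if logged_in or amount > small:
            continue
        by_ip[ip].append((datetime.fromisoformat(ts), last4))

    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window over this IP's small payments, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            cards = {last4 for _, last4 in events[start:end + 1]}
            if len(cards) >= min_burst:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    for ip in sorted(flag_card_testing(PENDING)):
        print(f"review before approving: payments from {ip}")
```

Flagged addresses are candidates to void on the Pending Online Payments page, not proof of fraud; a legitimate fundraiser can also produce a burst of small gifts, so review the entries before acting.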
We also recommend restricting your gateway to accept transactions only from a list of preapproved IP addresses. This includes your office, ShulCloud, and any other web systems you use. Here is a list of our current IP addresses:
107.23.142.222
52.6.0.59
52.22.210.115
Last but not least, always restrict access to My Lists in ShulCloud and keep your API keys safe from prying eyes.