
Giving Form & Platform Security

Funraise is a PCI Level 1 Service Provider, the highest standard possible for payment processing service providers.

Written by Tony Sasso

Data Security

Funraise is deployed to Amazon Web Services (AWS). Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:

  • ISO 27001

  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

  • FISMA Moderate

  • Sarbanes-Oxley (SOX)

Additionally, all Funraise data is managed in a premium Postgres cluster with hot standby, which benefits from geo-redundancy, point-in-time recovery, priority service restoration on disruptions, and automatic encryption at rest of all data written to disk.

Funraise employs modern ciphers and hashing algorithms for data encryption and password hashing. Communications to and from Funraise servers are encrypted by TLS 1.2+.

DDoS Mitigation

For DDoS mitigation, Funraise is protected by AWS Shield, a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage Funraise Support to benefit from DDoS protection.

AWS Shield defends against the most common, frequently occurring network- and transport-layer DDoS attacks and provides comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

Additionally, Funraise employs a Content Delivery Network (CDN) and Web Application Firewall (WAF) for its front-end services to help mitigate higher-layer (application-layer) attacks.

OWASP

Funraise coding guidelines are integrated with OWASP best practices. These practices are enforced through static code analysis and peer review of every change made to the Funraise codebase. Funraise also employs a dedicated QA team, as well as independent security specialists, to test our software for bugs and potential vulnerabilities.

Fraud

Funraise employs several internal and external protocols to mitigate the risk of online payment fraud. Note that payment fraud is unrelated to the security of your data; it is a separate category of abuse carried out by bad actors on the internet. You can learn more about payment fraud here. We utilize and enable the following interventions to mitigate fraud:

  • Anti-Fraud Machine Learning Models

  • WAF Request Filtering

  • reCAPTCHA

  • Gateway-level fraud features such as AVS, CVV Validation, and Risk Scoring

  • Human monitoring

Internal Security Policies

Funraise maintains internal security policies and guidelines and conducts annual security training with all employees. Employees are required to use multi-factor authentication for all critical systems and employ our enterprise password manager for generation and storage of secure passwords. All employees are trained to use GPG encryption tools for sensitive data. Funraise performs its own internal penetration tests in addition to PCI-mandated annual penetration audits.


Giving Form & Payments

PCI Level 1 Service Provider

Funraise is a PCI Level 1 Service Provider, the highest standard possible for payment processing service providers. Funraise is partnered with Sikich as our QSA and independent security assessor. The Funraise Attestation of Compliance (AOC) can be found attached to the bottom of this page.

What is PCI?

The Payment Card Industry Data Security Standard, or PCI DSS, is a proprietary information security standard for organizations that handle branded credit cards from the major card brands, including Visa, MasterCard, American Express, Discover, and JCB. The PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. Validation of compliance is performed annually.

SSL

The Funraise Giving Form transmits donor information through an encrypted SSL connection. SSL, or Secure Sockets Layer (today implemented by its successor protocol, TLS), is the standard security technology employed globally to protect sensitive information by e-commerce, financial, and media institutions like Amazon, PayPal, and Facebook.

Does my website need to be SSL secured?

Funraise Giving Forms transmit information over SSL and retain security best practices and standards even if a Giving Form is embedded on a website which is not protected by SSL. Whether or not your website is secured by SSL, every donation through a Funraise Giving Form is SSL secured. That said, we do encourage every organization to deploy their website over an SSL connection, as it enhances brand trust and improves search engine optimization.


Attestation of Compliance (AOC)
