Preventing Fraudulent Activity

Security and privacy in the online world of data and donor management, payment processing and child sponsorship is a critical issue. We understand its importance and are dedicated to addressing it through as many means as possible.

REACH includes many built-in features and methods to address security and privacy. We encourage you to read our Security and Privacy page.

Unfortunately, card testing is a common activity for fraudsters. If this occurs, you will likely receive a number of failed, fraudulent donations.

What is card testing?

Card testing is a type of fraud in which fraudsters attempt to charge a stolen card number to see whether it is valid. These attempts frequently show up as many failed transactions with nonsense names.

In order to ensure that your organization does not incur any fees or penalties from your payment gateway, we recommend preventing these transactions and refunding any transactions like this that have succeeded.

How can we tell if our REACH account has had any of these types of transactions?

The easiest way to check for this type of fraud is to examine the “Incomplete” and “Error” tabs of the Donations module in the REACH Admin Console. These transactions will typically take the form of many failed donations for small amounts ($0–$5) with strange names and emails.
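The same check can be run over an exported list of donations. The Python below is an added example, not part of REACH: it groups failed donations of $5 or less into bursts and lists small successful charges near each burst as refund candidates. The CSV column names, the "Complete" status, the 10-minute gap and the 5-failure threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

FAILED = {"Incomplete", "Error"}  # the two Donations tabs the article names
MAX_AMOUNT = 5.00                 # article: small amounts ($0-$5)
GAP = timedelta(minutes=10)       # assumption: longest pause inside one burst
MIN_BURST = 5                     # assumption: failures needed to flag a burst
# Constructed sample export; column names and "Complete" are assumptions.
SAMPLE_CSV = """created_at,status,amount,name,email
2024-03-01T09:58:00,Error,25.00,Maria Lopez,maria@example.org
2024-03-01T10:00:05,Error,1.00,asdf qwer,xk1@example.com
2024-03-01T10:00:41,Error,1.00,jkjk lklk,xk2@example.com
2024-03-01T10:01:10,Incomplete,2.00,qq ww,xk3@example.com
2024-03-01T10:01:52,Error,1.00,zxcv bnm,xk4@example.com
2024-03-01T10:02:30,Error,5.00,poiu ytr,xk5@example.com
2024-03-01T10:03:02,Complete,1.00,hjkl fds,xk6@example.com
2024-03-02T08:15:00,Incomplete,5.00,Ann Lee,ann@example.org
"""

def parse(csv_text):
    rows = [{**r, "at": datetime.fromisoformat(r["created_at"]),
             "amount": float(r["amount"])}
            for r in csv.DictReader(io.StringIO(csv_text))]
    return sorted(rows, key=lambda r: r["at"])

def find_bursts(csv_text):
    small = [r for r in parse(csv_text) if r["amount"] <= MAX_AMOUNT]
    clusters = []
    for r in (r for r in small if r["status"] in FAILED):
        # Extend the current cluster unless the pause since the last failure exceeds GAP.
        if clusters and r["at"] - clusters[-1][-1]["at"] <= GAP:
            clusters[-1].append(r)
        else:
            clusters.append([r])
    bursts = []
    for c in [c for c in clusters if len(c) >= MIN_BURST]:
        start, end = c[0]["at"], c[-1]["at"]
        # Small successful charges during or just after the burst: refund candidates.
        refunds = [r["email"] for r in small
                   if r["status"] == "Complete" and start <= r["at"] <= end + GAP]
        bursts.append({"start": start, "end": end, "failed": len(c),
                       "distinct_emails": len({r["email"] for r in c}),
                       "refund_candidates": refunds})
    return bursts

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_CSV):
        print(b)
```

On the constructed sample, the failed $25 donation and the single failed donation on the following day are not flagged; only the run of five small failures is reported.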

How can we prevent these kinds of transactions?

To mitigate the issue, hCaptcha can be enabled for all organizations to provide further fraud protection. 

To customize your hCaptcha and Security options, please go to Settings > Account Rules > Security tab. Refer to this article for more information on your Security Account Rules.

hCaptcha distinguishes bot traffic from human traffic by monitoring how the user interacts and by presenting various prompts, such as entering squiggly letters in a box or identifying images of traffic lights or crosswalks. Generally, these prompts are supposed to be something that's easy for humans to do but hard for bots and machines.

Is my REACH account data in danger from these transactions?

No, your REACH account data is safe. It is not possible for fraudsters to access any sensitive data by doing this, as their efforts are focused on testing card numbers. However, it is in your best interest to prevent these kinds of transactions, as they may incur penalties from your payment gateway if they are not mitigated.

It is strongly recommended that you have hCaptcha enabled. You can do so by going to Settings > Account Rules > Security tab.
