Associations: Preventing credit card fraud, Lesson #2 “Internal Fraud

Authors: Laura Tester Meyer, CPA, CGMA; Julie Duncan, Association Industry Practice Leader, U.S. Transactions Corp.; Wade Tetsuka, CPA

  • Internal fraud can cause mistrust in the association’s ability to manage resources, and troubling losses for nonprofits that reduce future contributions.
  • Every dollar lost to fraud represents a lost ability to provide needed public services to your members and communities at large.
  • By taking proper steps for PCI Compliance, you can protect against the risks of internal fraud.

In this 2nd article in a series on credit card fraud for Associations, we address internal fraud and embezzlement. Internal fraud may be the type of fraud that undermines an Association the most, creating a lack of faith or mistrust in the ability of the Association to responsibly manage the resources entrusted to it. Internal fraud results in losses that are especially troublesome for nonprofits because they come from tax-exempt funds earmarked for special purposes and may reduce future contributions and grants if an organization’s fiduciary practices are questioned by those being asked to make contributions. Every dollar lost to fraud represents a lost ability to provide needed public services, both to your members and communities at large.

According to data provided by Certified Fraud Examiners, fraud within nonprofit organizations can be prevented and/or loss can be mitigated by the implementation of important controls.

How is Internal Fraud related to Credit Card data?

It is an unfortunate reality that the more exposed your members/customers credit card data is, the more likely it is that an employee, either deeply in debt or deeply disgruntled may use the opportunity to steal credit card information. Those numbers can either be used by the employee directly or sold on the dark web. Either way, you are held liable for not protecting your customers data. Taking steps to reduce the exposure of credit card data will help mitigate the risk of internal fraud.

What are Internal Control Best Practices for Managing Sensitive Credit Card Data?

Strong internal controls can help reduce the risk of theft, fraud, and embezzlement in your Association. There are practical steps every Association can take (even those with very few staff members) to guard against theft and embezzlement in the nonprofit workplace.

What can your association do to protect credit card data from falling into the wrong hands?

The following best practices provide a comprehensive solution for protecting data.

  • Save Credit Card Data on a PCI Compliant Gateway1– a PCI compliant gateway ensures that the data you collect is housed in a PCI certified In fact, the best way to store credit card data for recurring billing is by utilizing a third party credit card vault and tokenization provider. By utilizing a vault, the card data is removed from your possession and you are given back a “token” that can be used for the purpose of [recurring or subsequent customer/member] billing .

All vaulted card data held in the gateway’s vault becomes the responsibility of the gateway. Your organization/employees will no longer see the full credit card number on customers/members but will only see a masked credit card number. If a customer or member makes a repeat purchase, your staff should not be asking again for full credit card data (instead ask for only the last 4 digits of the card for verification) because this exposes your staff repeatedly to sensitive customer data. Instead a repeat customer should have their card charged through the PCI compliant gateway using the “masked” card on file so that there is no need for the employee to have exposure to seeing the full credit card data.

You may notice many mom-and-pop or small business service providers ask you to give your full credit card data every time you make a repeat purchase under the premise that they don’t store credit card data for security purposes. This is factually a poor business practice for the reason stated above.

You can determine if your 3rd party gateway is PCI Compliant by going to the Visa International Website – The Visa Global Registry of Service Providers — and entering the name of the gateway that you currently use.

  • Use a Payment Link that is connected to a secure Hosted Payment Page – using a Hosted Payment Page (HPP) allows your members/customers access to a payment link where they enter their personal credit card The credit card data is captured directly by the 3rd party PCI Compliant gateway so that this sensitive data does not travel across your server environment. Once the transaction is processed, your staff will only see a masked credit card number, never the full data.
  • Tokenization of CC information, especially when changing processors or gateways – storing data in the gateway vault tokenizes the The same is true when using API credentials between your AMS and your Processor. Your AMS should be storing only tokens of the actual credit card number which your AMS system receives back from the 3rd party PCI Compliant gateway.

If your Association changes processors or AMS systems, and this requires you to use a new 3rd party gateway, you can request your current 3rd party gateway to transfer the credit card data from their vault to the vault of your new 3rd party gateway. A service fee may apply. Once this is done, your new 3rd party gateway will send you a data file with new “tokens” for the underlying credit card data of each customer/member.

  • Complete a PCI Compliance SAQ at least annually and conduct your quarterly scans if Most processors require an annual SAQ (Self-Assessment Questionnaire) and will charge you additional monthly fees for non-compliance. Keeping your SAQ up-to-date ensures that you are mindful of best practices regarding PCI compliance. PCI rules require that you update your SAQ at least once per year. In addition, if you have significant credit card volume, you will be required to perform scans of your network. PCI scanning seeks and identifies vulnerabilities in your network and operating systems, enabling you to find and fix problems and improve security.
  • Limit your employee user privileges for The refund function in your gateway is a way internal credit card fraud can occur. Limiting/restricting access to refunds or limiting amounts that employees can refund will assist in protecting you against falsified refunds. A falsified refund could occur, for example, when an employee uses a personal credit card to have a refund or credit applied to their credit card at the expense of the organization.
  • Reconcile your batches to your settlements daily. Your daily batch should match your deposit. Daily reconciliation allows you to quickly monitor for any discrepancies.
  • Credit Card numbers should never be transmitted via email nor stored on your hard Emails and hard drives can be breached. Credit card information should only be provided verbally over the phone, faxed over an analog phone line (not voice over IP line or a phone number tied to a electronic fax delivery service), or through a hosted secure check out page. If full credit card information is received, it should never be stored on the hard drive of any computer. It should be input immediately into a PCI compliant payment gateway for vault storage.
  • Do not store the three-digit CVV/CSC code. PCI Compliance rules strictly prohibit anyone from storing the 3 digit CVV/CSC code (4 digits in the case of AMEX). That also means that PCI Compliant gateways which do store the full credit card data are not allowed to store the corresponding CVV/CSC code. As a result, should a hack occur and credit card information is compromised, the hacker will not receive the 3 digit security code which will make it more difficult for fraudsters to make online purchases using stolen credit card data since the 3 digit security code is often required for the credit card purchase to be successfully completed.

Associations bear the burden of convincing the public that they have the right systems and policies in place to ensure that contributions and other resources are being judiciously maintained and managed. The fiduciary responsibility to use donated funds in the manner intended is of utmost importance for Not for Profit organizations and Associations. The above steps will go a long way in ensuring that Associations are doing all they can to protect their organization from internal credit card fraud.

Talk with your team and consult with your credit card processing representative. See what solutions they recommend. A coordinated, proactive approach will ensure your Association will be in a better position to weather potential threats.

A final note to readers who are officers of nonprofit organizations and Associations, for personal identity protection and to prevent unintended comingling of personal banking account data with Association banking data, be sure to use your Driver’s License or Passport for identification purposes when it comes to your Association’s banking information, in lieu of your Social Security number. This will help to prevent your organization’s bank accounts from being associated with your personal bank accounts.

If you would like more information about how US Transactions Corporation helps Associations with credit card processing, please contact us directly at or



1 Examples of PCI Compliant gateways include 3rd party services such as Authorize .net, PayFlow Pro (PayPal), CardPointe (CardConnect), MXMerchant , Cybersource, Network Merchants , PayTrace, and many ot hers.

2 Source: PCI



Blog0 comments

  • U.S. Transactions Corporation

    44044 Riverpoint Drive,
    Leesburg, VA 20176
    Phone: (866) 442-3327
    Fax: (866) 511-0935

  • Key Points About Services

    - Over the last 7 years, we have a client retention rate of 97.5% (vs. industry average of 67.4%).

    - Three consecutive years (2012, 2011, and 2010) in President’s Club

    - We prove and validate your success by providing an initial 6-month fee/savings analysis, and thereafter annually.