All contribution payments on ConnectionPoint’s platforms are safe and secure.
ConnectionPoint does not store credit card data. This is done intentionally to eliminate the potential for a security breach, either through internal employee misconduct or internet hacker attacks. We work with payment processing partners who offer mechanisms to process payment transactions without requiring us to manage the card data.
With this approach, we can rely on the payment processors’ highest levels of Payment Card Industry (PCI) data security compliance.
Despite this approach, we still follow PCI compliance standards as best practices for maintaining customer data security.
Payment Transaction Data Flow
The payment processing industry is complex and intentionally obscure. This next section will explain how data security is maintained as payments are processed in cooperation with our partners: PayPal and Stripe.
There are two main flavours of payment transactions:
1) Payments via credit cards
2) Payments via a PayPal account
ConnectionPoint processes credit card transactions via one or both of our payment processing partners, depending on what the campaign owner has connected. We can also process transactions using a PayPal account. These will be discussed separately.
Credit cards via Stripe
Processing a credit card requires you (the supporter) to enter your name, billing address, credit card number, expiry date and CVV number into an online form. This form is hosted on the ConnectionPoint product page when paying with Stripe. The form’s contents are encrypted and delivered to the supporter’s browser using Secure Sockets Layer (SSL) technology. This encryption is done in case hackers are monitoring traffic on the wireless network and trying to intercept this important data.
The data entered into this form is encrypted and “tokenized” to make it harder to intercept. It is then sent from ConnectionPoint’s servers to the payment processor’s Application Programming Interface (API) over SSL. The payment processor creates a transaction requesting payment that is securely transferred to the credit card Interchange Network – the massive global system run by banks and credit card processing companies.
The bank or credit card company that issued the credit card checks the availability of credit on the card. After appropriate anti-fraud security checks are done and the transaction is approved, they debit the card for the value of the transaction. The completed transaction confirmation message is returned via the Interchange Network, and the payment processing account of ConnectionPoint’s customer is credited with the value of the transaction less any agreed processing fees. It is important to note that at no time in this process did ConnectionPoint hold or have access to the value of the transaction.
Paying with PayPal Account
The process is slightly different when paying via PayPal as the payment processor.
If you have a PayPal account and click to confirm you want to contribute, you are transferred to a secure PayPal webpage. You will be prompted to log into your PayPal account with your email and password to complete the transaction. You can select any funding source attached to the PayPal account, including previously registered credit cards, connected bank accounts, or a PayPal account balance.
If you do NOT have a PayPal account, you can click on the ‘Pay as a guest’ option, which prompts for credit card information as described above. But there is an easier way to get here!
*NEW FEATURE* – Those with PayPal Marketplace accounts will now be able to have supporters contribute via credit or debit card directly on the platform without having to sign in or check out as a guest! Everything will happen the same way as described above with Stripe; it will just happen through PayPal instead.
As with Stripe, at no time are the internal details of the funding payment account (such as the bank account number, credit card number or even credit card type) shared with ConnectionPoint.
Recurring Payment Transaction Data Flow
As mentioned above, ConnectionPoint does not store credit card data. Instead, we are provided with a secure “token”, which we store in our database. When we want to process a recurring contribution or pledge payment, we submit the token to the payment processor instead of the contributor’s payment card data. This token presentation authorizes the payment processors to create a transaction according to the parameters the contributor agreed to (i.e. the value and frequency of the contribution), and the transaction is executed using the Interchange Network.
This process is very secure because even if the preauthorized tokens are stolen from our database, they cannot be processed by anyone other than ConnectionPoint, nor directed to any beneficiary other than the organization originally identified as the recipient of funds in the authorization transaction.
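The token binding described above can be sketched as a small model. This is an added example, not ConnectionPoint's, Stripe's or PayPal's code; the class `ToyProcessor`, its methods, the merchant names and the card number are all hypothetical and constructed for illustration.

```python
import hmac
import secrets

class ToyProcessor:
    """Simplified processor-side token vault (hypothetical, for illustration)."""
    def __init__(self):
        self._keys = {}    # merchant_id -> API secret
        self._vault = {}   # token -> card and mandate, held only by the processor

    def register_merchant(self, merchant_id):
        key = self._keys[merchant_id] = secrets.token_hex(16)
        return key

    def _auth(self, merchant_id, api_key):
        expected = self._keys.get(merchant_id, "")
        if not expected or not hmac.compare_digest(expected, api_key):
            raise PermissionError("unknown merchant or bad API key")

    def tokenize(self, merchant_id, api_key, card, beneficiary):
        self._auth(merchant_id, api_key)
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the card
        self._vault[token] = {"merchant": merchant_id, "card": card, "beneficiary": beneficiary}
        return token

    def charge(self, merchant_id, api_key, token, beneficiary):
        self._auth(merchant_id, api_key)
        rec = self._vault.get(token)
        if rec is None or rec["merchant"] != merchant_id:
            raise PermissionError("token was not issued to this merchant")
        if rec["beneficiary"] != beneficiary:
            raise PermissionError("beneficiary differs from the original authorization")
        return "approved"

def attempt(fn, *args):
    try:
        return fn(*args)
    except PermissionError as exc:  # report the refusal reason instead of raising
        return "refused: " + str(exc)

def demo():
    p = ToyProcessor()
    platform_key = p.register_merchant("platform")
    other_key = p.register_merchant("other-merchant")
    # Constructed test card number and beneficiary names.
    token = p.tokenize("platform", platform_key, "4242424242424242", "charity-a")
    return {
        "platform_recurring": attempt(p.charge, "platform", platform_key, token, "charity-a"),
        "token_used_by_other_merchant": attempt(p.charge, "other-merchant", other_key, token, "charity-a"),
        "redirected_beneficiary": attempt(p.charge, "platform", platform_key, token, "charity-b"),
    }
```

Only the first call in `demo()` is approved; the platform's database would hold nothing but the `tok_...` string, while the card number stays in the processor's vault.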
Summary
ConnectionPoint cares deeply about the security of our customers’ information and the integrity of our payment processing activities. We have implemented industry best practices to help us achieve a very high level of security. However, we are always interested in further improvements to our system and welcome feedback on perceived vulnerabilities and suggested enhancements.