TLS changes may spell trouble for your donors & CRM

On June 30th the rules for taking credit card payments get tightened up. This means extra security, but also problems for some of the people who make donations to you. It may also mean that changes are needed to your CRM. Eeek.

People who take credit card payments - us - have to keep to a set of standards called PCI DSS (Payment Card Industry Data Security Standard). On 30th June 2018, the PCI folks are tightening these rules.

The new rules say that TLS 1.0 (what does this mean? More on that below) is no longer considered a secure way to move credit card data. Instead one has to use on TLS 1.1 or higher. Everyone who moves credit card data has to change the method of encryption they use. This affects all of us, from Amazon to Willen Hospice.

Let me give you a real-world example. At the University of Oxford we use Blackbaud software for our fundraising CRM and CMS systems. We also pay Blackbaud to handle credit card data securely for us. This means that on step 3 of our online donation process we send our users to a payment page on Blackbaud’s servers to enter their credit card details.

When a donor, let’s call her Lucy,  uses this payment page credit card data is moving from her web browser to Blackbaud's server. From the start of July the rules say that this data transfer is only permitted using TLS1.1 or higher. So:

1. Blackbaud need to change their system to support TLS 1.1 and to stop working with TLS 1.0
2. Lucy needs to use a web browser that supports TLS 1.1 in order to make payments.

Your provider, like Blackbaud, is pretty professional, so they’re on top of 1. You need to think about 2.

In our case, we think 0.5%-0.9% of our users are going to have a problem making payments. That’s not a huge number, but the user experience they receive is terrible. The message is generic and of little meaning to the typical layperson. For example, in the case of Internet Explorer 7 and error message is given which says

“Internet Explorer cannot display the web page”

Lucy, our example user, will get a similar message on other websites. So I imagine she’ll take the hint and upgrade. But, if you’re the first website she comes across like this, then she might not understand the issue.

But wait! You, like us, may have a bigger problem. Blackbaud are updating all their software to meet this change in PCI standards.  That’s lots of work for my department because CRM systems tend to have hands in many pies.


Next steps
1. If you use a third-party to handle your credit card data then find out their plans. Look at their website and see that they’re saying about the change.

Here is some example info from a few well-known providers:

Blackbaud
Stripe
Worldpay

2. Talk to your server operations people. Does your website currently accept TLS 1.0? Do they plan to change that in the next few months? They don't have to - the rule change relates to credit card data specifically - but it's wise to check you have a shared understanding.

3. Look at your website stats. How many of your potential donors will be impacted? I've found the following browsers stop working when TLS 1.1 is used:

• Internet Explorer 8-10 (unless Lucy has updated a setting in her browser)
• Inernet Explorer 7 and under
• Safari 6 and under
• Chrome 21 and under
• Firefox 26 and under
• Android 4 and earlier (the native browser breaks, and they can't use Chrome instead)
• iOS 4 and under

From my stats that's 0.5%-0.9% of users. The range is because the stats don't tell me if the setting in IE8, IE9 & IE10 is switched on.


What’s TLS then?

The internet is all about conversations, conversations between different devices. When Lucy visits a website, her phone/tablet/laptop has a conversation with the computer that hosts the website. There’s a back and forth exchange while each page loads.

Now this conversation gets relayed across the internet via various devices. That’s brilliant - it’s a robust approach - and worrying - someone can intercept the conversation and listen in.

Many moons ago companies started using encryption to make this exchange of data more secure. Essentially Lucy’s device talks in code to the website concerned. Good, eh? No one can intercept that conversation and learn that Lucy’s password happens to match the name of her cat.

Except... criminals are always hunting for ways to crack the code. Periodically they succeed and the PCI people decide we all need to use a more secure code.

TLS 1.1 is simply a better code than TLS 1.0. I imagine in 4-5 years time TLS 1.1 will be cracked. And we’ll all start moving to TLS 1.2.

Really, it’s all about safeguarding Lucy’s money.

Is your donation page as simple as the competition?

I spend a lot of time thinking about online donation forms. They’re a key part of the supporter journey - the place where an engaged individual becomes a donor and provides financial support to an organisation.

These forms are also a place of complexity. Our desire to be flexible, and concerns about fraud, call for the donor to invest time and energy in making their gift. Consequently, momentum can be lost. I’ve seen donation pages where only 10% of people complete the process.

You can spend a lot of time and money studying and optimising the performance of your donation form. But what if you have no budget?

One way to look at a donation form is in terms of the effort it requires from the person using it. A form that takes longer to fill in is more likely to be abandoned by a donor in a hurry. A form with more options to complete is more complex, and more likely to leave the user confused.

This got me thinking… can we measure the simplicity of our forms? Wouldn’t it be useful to benchmark our performance in this area?

A simple way to measure form simplicity is this: how many boxes do we ask a user to fill in? It’s crude, I know. In the real world complexity is determined by a variety of factors such as language, layout, accessibility and typography. But this approach captures something of the effort required from the user.

So I picked a smattering of website donation forms... and I counted the fields. It was refreshingly primitive. Here are the results:

Organisation	No. fields on donation forms
Sheffield University	45
Comic Relief	26
Cardiff University	24
Just Giving	22
UCCF (via CAF)	21
MQ	19

(Tests conducted in June/July 2015. The details of my approach are at the end of this post)

What can we learn from these results?

It seems that there’s a lot to you can do to impact the complexity of a donation form. Sheffield University asks for twice as much information as UCCF!

It’s oh-so-easy to let your donation form grow.

“Our Canadian donors want a tax receipt”
“Can we collect a phone number in case of problems?”
“Let’s get them on our mailing list while we have their attention”

I’ve had those conversations. They’re driven by admirable motivations: to help supporters, to aid efficiency, etc.

These fields all have value. But what we forget is that their absence has value as well.


--

The boring details

I counted all fields, even those that were not required. Why? Well I think the presence of the field adds complexity - a user has to read it to check if the information is required. Also required fields are often denoted in a subtle way, which makes them harder to scan
For practical reasons I only assessed the pathway for a single credit card donation, not the pathway for setting up a regular gift.

I counted the fields seen by a user without an existing account, as I anticipate that’s the most common situation. I’m aware that some websites, such as Just Giving, will be handicapped by this approach.

There’s probably room for some sort of metric here: allocating each type of field a difficulty score, and giving rewards where autocomplete and default fields are used.

Thanks to Jon and Edgar for form recommendations.

A perfect match

Heard of matched funding? It’s when an organisation or person offers to match gifts that donors make with their own donations. When we give £10 to a cause they also give £10 to the cause.
A number of non-profit organisations have made use of matched funding, for example:

• UK universities
• Action Aid
• Water Aid

I have a digital fundraising idea that puts a twist on matched funding. I want to focus on a perspective that we rarely hear about: the view of the matcher. They gain satisfaction from inspiring others in philanthropy and from seeing their resources multiplied.
But why do we only offer this opportunity to a few? What if we could all lead others in giving?
That’s the core of my idea. I see four stages to it:

Stage 1 - a need arises

Imagine we work for a charity with a focus on global poverty. Zimbabwe is suffering in drought. Farmers are struggling to grow crops for food. Our charity has enough irrigation expertise to help, but needs financial resources to act.

Stage 2  - a donor becomes a leader

Karim has been a donor to our organisation for many years. He gives £50 per month via direct debit. We email Karim, and many others like him, with a question - will they make a donation? Their gift will help these farmers, and provide matched funds that inspire others to give.
It’s March -  one of the months when council tax isn’t due. Karim has some spare money. He is inspired by the need and makes a donation of £300 to our fund for matching gifts.

Stage 3 - a leader inspires others

In October we run a major campaign highlighting the drought and subsequent food shortages in Zimbabwe. We articulate a key message: matched funding is available, so every donation you make is doubled.
Rissa is touched by what she sees. She’s also impressed by how far her money will stretch. She makes a donation of £50, which she sees become £100 thanks to Karim.

Stage 4 - a leader rewarded

We send Karim an automated update about Rissa’s gift. It uses striking graphics to illustrate the impact of his donation. So far £250 of his gift has been used, inspiring gifts of £250 more from nine other people. He’s found this immensely rewarding - he never realised he could lead others in generosity.

That’s the idea: a group of regular donors who discover another dimension to giving, and a group of new supporters who follow their example.

Adopting this approach to matched funding clearly requires more administrative effort than the established model. However, this work can be avoided by building a reusable engine to track the funds and automate the donor updates.

What do you think? Leave a comment below or tweet me.

10 Twitter/Facebook ideas for Coffee Shops

Facebook and Twitter are great ways to connect with your customers. Here are ten ideas that you could use.
1. Tweet your opening
How many people know when you open for the day? How many could do with a reminder when they’re tired in the morning?
Example: ‘We’re up and running for the day. Need something to wake you up before work?’
2. Ask your friends what they think of your latest innovation
Don’t panic If you get negative comments. But do look for a grain of truth in them.
Example: ‘Last month we switched our milkshake recipe. Do you love it or loath it?’
3. Tweet a fresh pot of coffee
People know if they hurry along, they’ll get a better-tasting brew. Or when your pastries are fresh from the oven. Or when your chips are freshly fried. Yum.
Example: ‘New coffee pot’s brewed. Roll up, roll up.’

Image: Yagan Kiely

4. Post your music options. Ask customers which they’d like to hear.
Example: ‘Counting Crows, Coldplay or Adele? Which would you like to hear in Ethical Cafe today?’
5. Announce a happy hour when your prices are vastly reduced
Do this when you have produce you’d otherwise throw away. Followers are rewarded with the possibility of a bargain.
Example: ‘Until 5pm pastries are half-price. There’s only 3 left, so move fast.’
6. Ask for customer comments via Facebook/Twitter
People are more likely to be honest when they’re out of the shop. Do highlight the option on the suggestion box.
Example: ‘Tweet your suggestions to @ethicalcafe or send us a Facebook message’
7. Allow regulars to order via social media (or even - gasp - email)
This saves customers time if they’re in a hurry, and grows your relationship with them. Here’s a story of the guy who pioneered this.
They might say: '@ethicalcafe Tall skinny latte to takeaway for 5 mins time please.'
8. Share your bestsellers
If people made the same purchase they’ll feel more connected with you.
Example: ‘This week our customers are lapping up the new Gingerbread latte. Are you a fan?’
9. Post when a regular arrives
They’ll feel valued, and their friends may decide to drop in. Example:
‘It’s early afternoon, and @barnstormed has rolled up. He’s looking productive in the corner’
10. Tweet a 30 minute warning before closing time
It’s your version of the ‘last orders’ bell. Gives people the chance to grab a coffee/cake on their way home.
Example: ‘We close up in 30mins. Fancy a takeaway expresso to aid your journey home?’

And 3 things to remember

Don’t sell
This is about informing, reminding, and interacting with your customers. A sales pitch will jar amongst the updates of their other friends.
We all need friends
It’s all about followers. If no one follows or 'friends you', then you’re talking to an empty room. So, put your Facebook/Twitter details on signs in the coffee shop, on napkins, coasters, etc. Add a plug to your receipts. Whatever you like.
Example: Do you like the coffee? Please like us on Facebook.
How often do I update?
Anything is better then nothing. And nothing is better than spamming.
Do bear in mind the conventions of the channel. Twitter moves a lot faster than Facebook, so you can get away with greater frequency without bugging people. As a general rule I’d say no more than:

• Twitter - every 1-2 hours
• Facebook - every couple of days

To go

That's it, go forth and be social. And try to keep the nutmeg away from the IPad.