Recommendations for non-profit to take donations?
I'm a volunteer webmaster for canyoncrestfoundation.org . We want to take donations by credit card over the internet. Currently we are using a form that I made, with viaklix to process the transactions. We'd like to change for a couple of reasons:
1. we can't do recurring transactions automatically this way
2. we have had many problems with phishing attempts-- someone keeps using our account to run through many bogus transactions for small amounts, and we have been unable to stop it. ViaKlix has a different explanation every time for what we should do differently.
Can someone recommend a setup for us that would be easy to use and prevent phishing attempts?
YvetteKuhns
5-28-08, 05:28 PM
You can use the PayPal donation button which is processed by PayPal. The people making online donations can simply click the button, be sent to PayPal's site and type the amount and payment info there. You will set up the PayPal information for the nonprofit organization which will appear in the PayPal transaction. I have made donations to various organizations such as Rock Against Diabetes this way.
As for reoccurring donations, do you mean a monthly contribution? You can set up a script to process on a specific day of each month (like the mortgage is the first day of each month). You can use a cron job or store a date and check it to know when the script should process monthly donations. You would need a database and I don't recommend storing credit card data in an online database.
It is best to send a monthly reminder. This is especially good in case someone decides to update or switch payment methods. For example, I have two checking accounts and use one or the other depending on the amount.
You can use a secure URL for your form and data input validation in a script (not just JavaScript) to reduce spam or phishing attempts. You can also require humans to input an answer to a question to make sure a human is reading the form. Do NOT use CAPTCHA image verification or your form may become inaccessible to some users but still be abused.
I would suggest PayPal as well. I've never set it up for donations, and I'm not sure if it can do recurring payments, but they are very credible and at least you won't have to worry about storing the people's credit card information.
Might I suggest send me the money? I'll make sure it's distributed fairly and honestly. :)
YvetteKuhns
5-28-08, 06:29 PM
Doc may be honest, but he is only good for one-time transactions not reoccurring ones. :D
:) Thanks for the suggestions. Would everyone who donates have to have a paypal account? And we'd like the site to have suggested donation levels so that people are "inspired" to pay more. Can I do that with paypal, or will I need a shopping cart too. The problem with doing much with scripts is that I only actually know html (and I'm not that great at that).
Viaklix told me today that they think the phishing attempts are coming in from somewhere that has set up an emulation site, somehow. There were 1700 attempts at putting through a fake transaction today even though there were only 59 visits to our site in the last day, and then when I blocked that IP address which they came from, they were still coming in. So we had to shut the whole terminal off.
YvetteKuhns
5-28-08, 06:57 PM
Would everyone who donates have to have a paypal account?
At this time, only the organization needs a PayPal account. PayPal can process payments from people who do NOT have a PayPal account.
And we'd like the site to have suggested donation levels so that people are "inspired" to pay more. Can I do that with paypal, or will I need a shopping cart too.
You can have suggested donation levels and "other" where the amount can be typed. You can do that in a form or PayPal shopping cart. PayPal has the form button submission code you need on their website.
Thank you, this is sounding like what I need to do. I had suggested it earlier in the year, but people in charge didn't want to do it for some reason. This is what the current donation page looks like:
http://metzgerl.powweb.com/fundanitem.html
Do you see any problems with doing something similar for paypal?
YvetteKuhns
5-28-08, 07:05 PM
Create a new donation form and give it a name other than form. Tell robots not to index or follow links from your form. If you use a form script, give the script an unusual name that does not use the word form. Use robots.txt file to tell robots not to index your form pages or form processing scripts. If you link to the form, include rel=nofollow to prevent your form from being listed.
Include in the HEAD of your form source code.
<meta name="robots" content="noindex,nofollow">
<a rel="nofollow" href="http://www.example.com/yourform.htm">Click here to donate.</a>
Use .htaccess to block known IP addresses and bad bots that appear excessively in your access logs.
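Added example, not part of the original post: one way to find the addresses that hit a form handler excessively in an access log, as the post above suggests, and turn them into an .htaccess block. The log lines are constructed, and the handler path `/donate.php`, the threshold and the Apache 2.4 `Require` syntax are assumptions; only the form page name comes from the thread.

```python
import re
from collections import Counter

# Constructed sample in Apache combined-log style (not real traffic).
# One normal donor, one unparseable line, one address posting repeatedly.
SAMPLE_LOG = "\n".join(
    [
        '198.51.100.4 - - [28/May/2008:10:00:01 -0700] "GET /fundanitem.html HTTP/1.1" 200 5120',
        '198.51.100.4 - - [28/May/2008:10:01:30 -0700] "POST /donate.php HTTP/1.1" 200 312',
        "this line is not a log entry",
    ]
    + [
        f'203.0.113.7 - - [28/May/2008:10:05:{s:02d} -0700] "POST /donate.php HTTP/1.1" 200 312'
        for s in range(6)
    ]
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')


def excessive_posters(log_text, handler="/donate.php",
                      form_page="/fundanitem.html", threshold=5):
    """Return addresses with >= threshold POSTs to the handler, busiest first."""
    posts, loaded_form = Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing at fields
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path == handler:
            posts[m["ip"]] += 1
        elif m["method"] == "GET" and path == form_page:
            loaded_form.add(m["ip"])
    return [
        {"ip": ip, "posts": n, "loaded_form": ip in loaded_form}
        for ip, n in posts.most_common()
        if n >= threshold
    ]


def htaccess_block(ips):
    """Render deny rules for .htaccess (Apache 2.4 syntax, an assumption)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = excessive_posters(SAMPLE_LOG)
    print(flagged)
    print(htaccess_block([f["ip"] for f in flagged]))
```

An address flagged with `loaded_form` false is submitting to the handler without ever requesting the form page, so robots.txt and nofollow rules have no effect on it.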
YvetteKuhns
5-28-08, 07:12 PM
This is what the current donation page looks like:
http://metzgerl.powweb.com/fundanitem.html
Do you see any problems with doing something similar for paypal?
I viewed your source code which is supposedly protected. Big deal. If your page is LISTED and/or found, it can be exploited. The form is not even using a secure URL! Does the form data get stored in a database? You must use and store credit card information as dictated by your local laws. I certainly hope the data is not stored and not encrypted. And I hope the data is not sent via email!
As for PayPal, this is MUCH safer. This should be simple to do. Does your client have their own domain name? The URL you provided is simply username.webhostdomain.com/formname.html and not clientdomain.com/formname.html which is really strange when asking for money.
I'm a volunteer, learning as I go along. Powweb told me that this was the way to do the URL for this, and I thought that it was secure. The domain name is just canyoncrestacademy. I do see the lock, indicating that the page is secure when I go to the url listed above.
Whoops, meant to say canyoncrestacademy.org.
YvetteKuhns
5-28-08, 07:20 PM
Payment processing is powered by viaKlix, a member of the NOVA Financial Network, and information collected is protected by the latest in SSL encryption, so you can make a transaction with confidence.
Okay, I know who NOVA is and looked up viaKlix. Why do they allow you to use a nonsecure form to accept credit card data, THEN submit it to them? Ask all questions BUT the credit card name, number, verification number and expiration date on YOUR form. If you are not directed to a secure area for the credit card data, you should not enter it. You are being directed to https://www.viaklix dot com/process.asp only AFTER you typed your data in a nonsecure area. Scary!
Private message me if you want more info. I don't want to post sensitive info here.
YvetteKuhns
5-28-08, 07:26 PM
canyoncrestacademy.org with and without www dot in front will not appear for me. It is not listed on Google, either. Is this correct? Similar names are associated with spam! Okay, I see this domain name is AVAILABLE. It is NOT registered.
gosh, no. I'm in the middle of something else, and making mistakes now. The correct URL is canyoncrestfoundation.org. Sorry.
I will private message a little later, since I need to work on some other things here.
YvetteKuhns
5-28-08, 07:37 PM
Okay, new domain works. Form currently gone (to prevent false submissions). Got it.
I think that we are just going to switch to paypal, but I'm going out of town for a few days and didn't have time to get back to dealing with this. Thanks for the help so far, and maybe I'll have questions next week.
YvetteKuhns
5-29-08, 03:29 PM
I've done this before, so if you need help, just ask. Have a nice trip out of town. ;)
entrecon
5-29-08, 11:04 PM
I recently discovered that PayPal allows the creation of accounts for organizations. It used to be that you had to create the account with a specific individual's name and information. It looked like you needed to provide some additional information, but to me it is a much better option. It is hard to tell who will still be in the organization 2-5 years from now.
I have the link around here somewhere, but a search of PayPal's knowledge base with the term "organization" might find it for you too.