Secure Donations via Bloomerang
On March 16th, Bloomerang will be releasing additional functionality to improve the security of information sent by donors to their organizations using Bloomerang’s Online Giving Forms (previously called donation widgets). For organizations that do not have an SSL certificate, the donation form will be replaced by this button:
Clicking on the button will take the donor to the online giving form hosted on Bloomerang’s servers (and secured using our own SSL certificate).
Frequently Asked Questions
What is an SSL Certificate?
It’s a way for visitors to confirm the identity of your website and transfer data securely using encryption from their browser. SSL (Secure Sockets Layer) certificates are issued by third-party authorities (Comodo, Symantec, Go Daddy, GlobalSign, DigiCert) and can be purchased from your website vendor or hosting provider. Most people recognize a valid SSL certificate by the lock icon in their browser’s address bar (and by the “s” after http in the website’s address, like this: https://).
Why the change?
There are three places where an online donation needs to be secured:
- Loading the donation form
- Submitting credit card information to your credit card processor (Stripe or BluePay)
- Recording the donation in Bloomerang
The second and third steps have always been secure because the Bloomerang form encrypts data sent to the processor and Bloomerang using SSL.
The first step, however, is what we’re addressing here. Adding an SSL certificate to the page on which the form is displayed ensures that only the code from the Bloomerang Online Giving form is present (and no malicious code has been injected). This ensures the donor’s credit card information is only known to the donor and your credit card processor. Finally, you get the added benefit of displaying the https: and “lock” icon to increase donor confidence on your form.
So if I do nothing, what will my page look like?
Once the update is rolled out, clicking on the “Donate” button will take the visitor to your donation form hosted at https://crm.bloomerang.co. This page will show the lock icon in the browser and ensure the donor’s information is safe.
There are a few special areas on this page that let the donor know what they’re giving to:
- Secure Donation via Bloomerang logo – This links to a Bloomerang page that explains to the donor why they left your organization’s site (hint: it’s for their security).
- Organization Name – At the top of your form, your organization’s name is large and proud.
- Contact information – To the right of the form, there is a block of contact information. If a donor has any questions about giving online, they can contact you via mail, email, or phone.
- Logo – You can upload a logo inside your Bloomerang database so that it will display at the top of all your hosted forms.
I can’t buy an SSL certificate for my site. What can I do to make the hosted form look more like my site?
In Bloomerang, you have a few customization options to brand the hosted form to look like your website. You will be able to find these under Settings -> Website Integration in Bloomerang once this feature goes live on March 16th.
- Upload your organization’s logo – This is displayed at the top of the donation form to reinforce your organization’s brand when potential donors are entering their donations.
- Upload your organization’s CSS (cascading style sheet) – This will allow your webmaster to configure the look and feel of the hosted page to more closely resemble the colors and layout your website uses.
- Make sure your organization’s contact information is correct in Bloomerang (name, address, email, & phone number – all done in Bloomerang Settings -> My Organization).
I don’t want my website to change. What can I do?
This change only affects customers who do not have an SSL certificate on their website. Contact your website hosting company or provider and ask about adding an SSL certificate to your account for your entire domain.
I have an SSL certificate, but donors are seeing the “Donate via Bloomerang” button. Why?
Your site is probably not set up to automatically redirect visitors to the https:// address for your site. Your website provider should be able to help you change that configuration.
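One way for a webmaster to confirm the redirect described above, as an added example that is not Bloomerang's code: it follows the redirect chain from the http:// address of a page and reports whether visitors end up on https://. The function names and the example.org sample responses are assumptions made for illustration; how Bloomerang itself decides which sites see the button is not stated on this page.

```python
import http.client
import sys
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses (url -> (status, Location header)), not real captures.
SAMPLE_REDIRECTING = {
    "http://example.org/donate": (301, "https://example.org/donate"),
    "https://example.org/donate": (200, None),
}
SAMPLE_NOT_REDIRECTING = {"http://example.org/donate": (200, None)}


def check_chain(start_url, fetch, max_hops=5):
    """Follow redirects from start_url using fetch(url) -> (status, location).

    Returns (ok, hops); ok is True only when the chain stops on an https:// URL.
    """
    url, hops = start_url, [start_url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            hops.append(url)
            continue
        return urlsplit(url).scheme == "https", hops
    return False, hops  # redirect loop or chain longer than max_hops


def fetch_live(url):
    """One HEAD request without following redirects; https hops verify the certificate."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_redirect.py http://your-site.example/donate
    ok, hops = check_chain(sys.argv[1], fetch_live)
    print(" -> ".join(hops))
    print("OK: visitors end on https" if ok else "FAIL: chain does not end on https")
```

Run it against the http:// address of the page that embeds the form; an expired or mismatched certificate on an https hop raises an SSL error instead of returning a result.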