June 23, 2026 — Credit Card Fraud Prevention
Giving — Credit Card Fraud Prevention
Note
This release strengthens credit card fraud prevention on the giving page by focusing the existing safeguards on first-time and guest givers while getting out of the way of your established donors. reCAPTCHA and the IP fraud-score check now key off of whether a person has a previous successful contribution rather than simply whether they are logged in, so a returning giver enjoys a smoother experience while bad actors still face the checks. A new setting also lets you block known disposable email domains to keep junk records out of your database.
Change: reCAPTCHA on the giving page is now based on giving history rather than login status alone. Guests and logged-in users who have never given before must still pass reCAPTCHA; returning donors with a previous successful contribution no longer see it. The rule is enforced on both the giving page and the server.
Change: The IP fraud-score check is now bypassed for logged-in users who have at least one previous successful contribution, so trusted donors are not blocked by a flagged or shared IP address. Velocity (consecutive failed gift) checks continue to apply to everyone.
New: The “Blocked Email Domains - Giving” setting (Settings → Security → Login) lets administrators configure a comma-delimited list of email domains to reject on giving forms, which helps keep disposable or throwaway email addresses from creating junk person records. The domain match is case-insensitive and matches the full domain (blocking “mail.com” does not block “gmail.com”). Donors using a blocked domain receive a generic message that does not reveal the block list.
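The matching rule described for the blocked-domain setting, sketched as an added example (not the product's own code). All function names, the sample setting value and the message wording are constructed; treating "full domain" as an exact match that leaves subdomains unblocked, and ignoring a trailing dot, are assumptions.

```python
from __future__ import annotations

# Constructed wording: one message for every rejection, so the response
# never reveals which domains are on the list.
GENERIC_MESSAGE = "We were unable to process this request."


def parse_blocklist(setting: str) -> frozenset[str]:
    """Parse the comma-delimited setting into normalized domains."""
    domains = set()
    for item in setting.split(","):
        # Tolerate stray spaces, a leading "@", mixed case and empty entries.
        domain = item.strip().lstrip("@").rstrip(".").lower()
        if domain:
            domains.add(domain)
    return frozenset(domains)


def email_domain(address: str) -> str | None:
    """Return the normalized domain after the last '@', or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()  # trailing-dot handling is an assumption


def is_blocked(address: str, blocklist: frozenset[str]) -> bool:
    """Exact, case-insensitive match on the whole domain.

    A substring or suffix test would wrongly reject gmail.com when
    mail.com is listed; set membership compares the full domain only.
    """
    domain = email_domain(address)
    return domain is not None and domain in blocklist


def validate_giver_email(address: str, blocklist: frozenset[str]) -> str | None:
    """Return the generic rejection message, or None when the address passes."""
    return GENERIC_MESSAGE if is_blocked(address, blocklist) else None


# Constructed sample setting value with messy spacing and casing.
SAMPLE_SETTING = "Mail.com, throwaway.example ,, @TEMP.example"
SAMPLE_BLOCKLIST = parse_blocklist(SAMPLE_SETTING)
```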
