June 23, 2026 — Credit Card Fraud Prevention
============================================

Giving — Credit Card Fraud Prevention
--------------------------------------

.. note::

   This release strengthens **credit card fraud prevention** on the giving page by focusing the existing safeguards on first-time and guest givers while getting out of the way of your established donors. reCAPTCHA and the IP fraud-score check now key off of whether a person has a **previous successful contribution** rather than simply whether they are logged in, so a returning giver enjoys a smoother experience while bad actors still face the checks. A new setting also lets you block known disposable email domains to keep junk records out of your database.

.. release-notes::

   - Change: reCAPTCHA on the giving page is now based on giving history rather than just login status — guests and logged-in users who have never given before are still required to pass reCAPTCHA, while returning donors with a previous successful contribution no longer see it (enforced on both the giving page and the server)
   - Change: The IP fraud-score check is now bypassed for logged-in users who have at least one previous successful contribution, so trusted donors are not blocked by a flagged or shared IP address; velocity (consecutive failed gift) checks continue to apply to everyone
   - New: "Blocked Email Domains - Giving" setting (Settings → Security → Login) lets administrators configure a comma-delimited list of email domains to reject on giving forms, helping keep disposable/throwaway email addresses from creating junk person records; the domain match is case-insensitive and matches the full domain (blocking "mail.com" does not block "gmail.com"), and donors using a blocked domain receive a generic message that does not reveal the block list
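
The domain-matching rule in the last release note, as an added example (not the product's own code): it parses the comma-delimited setting and compares the whole domain case-insensitively, with a suffix check beside it to show the over-blocking the note rules out. All function names, the sample domains and the rejection wording are assumptions, as is the handling of subdomains and a trailing dot described in the comments.

```python
from typing import FrozenSet, Optional, Tuple

# Constructed wording (assumption): says nothing about domains or a block list.
GENERIC_REJECTION = "We were unable to process your request. Please review your information."


def parse_blocked_domains(setting_value: str) -> FrozenSet[str]:
    """Parse the comma-delimited setting into a normalized set of domains."""
    domains = set()
    for raw in setting_value.split(","):
        # Trim, lowercase, and drop a trailing FQDN dot (dot handling is an assumption).
        domain = raw.strip().rstrip(".").lower()
        if domain:  # skip empty entries such as "a.com,,b.com" or a trailing comma
            domains.add(domain)
    return frozenset(domains)


def email_domain(address: str) -> Optional[str]:
    """Return the normalized domain after the last '@', or None if there is none."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()


def is_blocked(address: str, blocked: FrozenSet[str]) -> bool:
    """Full-domain, case-insensitive match: 'mail.com' blocks only '@mail.com'.

    Subdomains such as 'sub.mail.com' are treated as different domains (assumption).
    """
    domain = email_domain(address)
    return domain is not None and domain in blocked


def naive_is_blocked(address: str, blocked: FrozenSet[str]) -> bool:
    """Suffix match, for contrast only: 'mail.com' wrongly catches 'gmail.com'."""
    lowered = address.strip().lower()
    return any(lowered.endswith(domain) for domain in blocked)


def validate_giver_email(address: str, blocked: FrozenSet[str]) -> Tuple[bool, str]:
    """Return (accepted, message); a rejection carries only the generic message."""
    if is_blocked(address, blocked):
        return False, GENERIC_REJECTION
    return True, ""
```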