Fighting fraudulent test donations is an ongoing cat-and-mouse game. The good news is that Donorbox and Stripe have made great strides in cutting down the number of scam donations. Stripe has a native, machine-learning-based fraud blocking solution called Stripe Radar. Radar is highly effective at auto-blocking most fraudulent donations. However, scam donations can still pass through, so Donorbox takes additional fraud detection measures to complement Radar.
Billing Zipcode Validation
Donorbox can validate the billing zip code. To enable this, please go to your account settings (https://donorbox.org/org/edit) and check the Verify billing zip / postal code checkbox.
Collecting the billing zip code is best practice in the U.S. In other countries, billing postal codes may not be common practice. If a lot of your donors are from countries that don't use postal code verification, it is better to keep this disabled.
Donorbox does not collect a billing address because it produces too many false positives. Some donors may forget which address they used for the card, or there could be a typo in the address on file with their bank. Plus, making the donor type in their full address can potentially lower your conversion. When it comes to donation checkout, less is better.
Block Scammers who Frequently Test Cards
Even with the zip code check, some cards can still bypass the validation process. Scammers buy a massive number of stolen cards and may test them by charging various amounts to see if they work. To mitigate this, we have just come out with auto-blocking for scammers who try to donate frequently in a short period of time. Please see: https://donorbox.org/nonprofit-blog/block-fraudulent-test-donations/.
Furthermore, we are working on improving our fraud blocking by permanently blacklisting frequent offenders in our network. We believe that these measures will significantly cut down on the number of scam donations.
That being said, there is not a lot that can prevent a scammer from successfully donating with a valid card on their first few attempts. For that reason, organizations should monitor all donations that they receive. Donorbox's donation details page lists the country that the donation comes from. The location of the donor's IP address and any unusual formatting of the donor name / email can be an indication that the donation is fraudulent. Please continue to refund donations that are clearly fraudulent.
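For organizations reviewing their own donation records, the frequency pattern described above (many donations from one source in a short period, often for varying amounts) can be checked with a sliding window. The script below is an added example, not Donorbox's own code or blocking logic; the record field names, the 10-minute window and the limit of 3 are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; Donorbox does not publish its own.
WINDOW = timedelta(minutes=10)
MAX_PER_WINDOW = 3

# Constructed sample export; the field names are hypothetical.
SAMPLE_DONATIONS = [
    {"id": 1, "time": "2024-01-05T09:12:00", "ip": "198.51.100.20", "amount": 50.00},
    {"id": 2, "time": "2024-01-05T10:00:05", "ip": "203.0.113.7", "amount": 1.00},
    {"id": 3, "time": "2024-01-05T10:01:10", "ip": "203.0.113.7", "amount": 2.00},
    {"id": 4, "time": "2024-01-05T10:02:30", "ip": "203.0.113.7", "amount": 5.00},
    {"id": 5, "time": "2024-01-05T10:03:45", "ip": "203.0.113.7", "amount": 1.50},
    {"id": 6, "time": "2024-01-05T10:04:00", "ip": "203.0.113.7", "amount": 3.00},
    {"id": 7, "time": "2024-01-05T15:30:00", "ip": "198.51.100.20", "amount": 50.00},
]

def find_bursts(donations, window=WINDOW, max_per_window=MAX_PER_WINDOW):
    """Return {ip: sorted donation ids} for IPs that exceed max_per_window
    donations inside any sliding time window."""
    recent = defaultdict(deque)   # ip -> (timestamp, id) pairs still in window
    flagged = defaultdict(set)
    ordered = sorted(donations, key=lambda d: datetime.fromisoformat(d["time"]))
    for d in ordered:
        ts = datetime.fromisoformat(d["time"])
        q = recent[d["ip"]]
        q.append((ts, d["id"]))
        # Drop attempts that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_per_window:
            # Every donation in the burst is a refund candidate, not just the last.
            flagged[d["ip"]].update(i for _, i in q)
    return {ip: sorted(ids) for ip, ids in flagged.items()}

def review_queue(donations):
    """Summarise each burst for manual review before refunding."""
    by_id = {d["id"]: d for d in donations}
    return [
        {"ip": ip, "donation_ids": ids,
         "distinct_amounts": len({by_id[i]["amount"] for i in ids})}
        for ip, ids in sorted(find_bursts(donations).items())
    ]

if __name__ == "__main__":
    for row in review_queue(SAMPLE_DONATIONS):
        print(row)
```

A repeat donor who gives the same amount hours apart is not flagged; a burst with many distinct small amounts is the stronger signal to check against the donation details page before refunding.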