Disputed Fact
Unlike WinRed and most major e-commerce platforms, ActBlue reportedly did not consistently require Card Verification Value (CVV) entry for credit/debit donations during the 2020 cycle, removing a standard fraud-prevention control for card-not-present transactions.
Citations
John Solomon, ‘Questions mount about ActBlue’s security,’ Just the News, Aug. 14, 2023, https://justthenews.com/politics-policy/elections/questions-mount-about-actblues-security-after-complaints-unauthorized
ActBlue confirmed to Congress in 2023 that it “did not require a CVV in order to contribute on their website.” Congressional investigators noted this deviated from standard e-commerce fraud controls for card-not-present (CNP) transactions, where CVV is a core PCI DSS-recommended safeguard. https://cha.house.gov/_cache/files/4/5/453a1689-6471-4632-8874-2ea5018820a7/FEE0032E48BFF011537DA5927F7E9298.response-to-house-admin-committee-11-27-23.pdf
Visa Core Rules § 5.7.1; see also Mastercard Transaction Processing Rules ch. 3
“In knowing that foreign actors use fake accounts to exploit donation systems that do not have robust verification processes and systems in place, most individual campaigns and political action committees (PACs) require CVV numbers as part of making an online donation. However, in breaking with most organizations, ActBlue does not require CVV numbers as a requirement for donating, and thus lending itself as a facilitator of fraud.”