At ChurchTrac, we've taken a "Security First" approach that prioritizes protecting your account and data. We do everything we can to ensure your data remains safe and is not compromised. However, some security responsibilities fall to you, the ChurchTrac Admins and Users. The following is our list of recommendations to help you secure your account and keep your data safe.
Scammers will go to great lengths to gain access to your Church Connect online directory or online giving portal. They will even pretend to be a member of your church or community. We recommend that you do not approve or match a registrant unless you (or another leader) have met or personally know the individual.
When someone registers for Church Connect, we will tell you the geographical location of the signup. Never approve or match a registration if the signup comes from a location you don't expect. Keep in mind that this location is derived from the registrant's network address and can be disguised with a VPN or proxy, so an expected location is not by itself proof that the registrant is legitimate. Scammers may also use the name of a member or leader in your church when they register (but with a fake email address). Be sure you double-check the registrant's name as well as the email address before approving the registrant.
If you use the online directory in Church Connect or any other online directory, limit access to only those members you know and trust. Do not enable the online directory unless you need it. If you do, we recommend that you don't give online directory access to everyone in your church. Don't give anyone "Full Directory Access" unless they really need it. The default option for new registrants is "No Directory Access" and no one can access the directory before you approve their registration and grant them access to the directory.
Everyone wants to make it easy for donors to give online. Unfortunately, it also becomes easier for scammers and criminals, who will target your online giving page to test stolen credit card or bank account numbers (a practice known as card testing). We recommend that you require donors to log in to Church Connect and that you don't allow unmatched donors to give. By requiring donors to sign in and first be matched to a People screen profile, you prevent these scammers from ever reaching your online giving form.
Not everyone who goes to your church is there to worship. Some may be there only for what they hope to get or steal from others. Some churches will hand out directories, roll sheets, or other printed reports that contain information about people in the church. A nefarious person attending your church could easily intercept and abuse a printed list.
Think long before handing out a printed church directory. Once you give out a directory, you can't predict where it will go or who will have access to it. If you must print a list or directory, make sure only authorized people have access to the list and shred it when the information is no longer needed.
Some churches are like big families, and like families they think that personal information should be shared freely with all other family members. This information often includes birthdays, anniversaries, phone numbers, email addresses, physical addresses, and more. In fact, we frequently get a request from churches to include more information in directories and reports.
You should never share a person's information unless they explicitly allow you to do so. We recommend getting written permission from new members before publishing their information. Even better, ask them to opt-in or opt-out of sharing and allow each person or family to choose what information they are willing to share with others. Some people just do NOT want to share their information, and you have to be okay with that.
Predators could use information in your directory to identify potential targets. We strongly recommend that you do not include any photos or information about children in your online directory. In fact, in some countries, it is illegal to do so.
This goes without saying (but we're going to say it anyway): You should thoroughly vet every person who works with children and teenagers. This process should include a comprehensive background check. Make sure your children's areas are secure and that no unauthorized person has access to these areas at any time. A tool like ChurchTrac's Check-In feature can be used as part of your overall strategy to help secure your nursery and children's areas.
Create as many user accounts as you need, and no more. Don't share ChurchTrac user accounts between multiple people, even if their roles are similar. We give you ten user accounts to start, but if you need additional users, just ask.
Establish rules that prohibit a user from sharing their credentials with others. If you suspect an account has been compromised, an administrator can remove that account or re-add it with new credentials. We also have a built-in user audit trail that allows an administrator to view actions taken by users while logged into the database. We recommend that you review this information regularly, especially for any user account that has access to giving or financial information, and look for activity that doesn't fit the user's role or normal working pattern.
Configure account and role-based permissions for each user so they can only reach the screens they actually use. This limits the risk of exposing sensitive or confidential information and prevents users from modifying data they should not have access to.
Limit the number of user accounts with administrator privileges to two or three at most. Admin users will be able to make global changes to the application, have full control of user account permissions, and manage payment information.
Delete any user account that should no longer have access to the application or data. If a former user also had access to an email account associated with the church and that email will be used for a new user account, change the password on the email account first, then reset the password in ChurchTrac. Anyone who still controls that mailbox could otherwise use the password-reset process to regain access.
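The account-hygiene recommendations above (no shared accounts, a regular audit-trail review with attention to giving data, and two or three admins at most) translate into a few concrete checks an administrator can run over an exported audit trail. The script below is an added example, not ChurchTrac code: the export format, column names, the FINANCE_USERS allow-list and the sample records are all constructed for illustration, and the real ChurchTrac audit trail will differ, so the parser must be adapted to the columns you actually see.

```python
"""Review a user audit trail export for signs of shared accounts,
over-privileged users and unexpected access to giving data.

Added example, not ChurchTrac code. The log format, field names and the
records below are hypothetical and constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (hypothetical CSV-style export):
# timestamp, user, role, ip, screen, action
SAMPLE_LOG = """\
2024-05-05T09:01:00,alice,admin,203.0.113.10,People,view
2024-05-05T09:03:00,bob,user,203.0.113.22,Giving,view
2024-05-05T09:04:00,alice,admin,198.51.100.7,Giving,export
2024-05-05T09:05:00,carol,admin,203.0.113.10,Users,edit
2024-05-05T09:06:00,dave,admin,203.0.113.30,People,view
2024-05-05T09:07:00,erin,admin,203.0.113.31,Giving,view
2024-05-05T09:20:00,bob,user,203.0.113.22,Giving,edit
"""

FINANCE_USERS = {"carol"}   # users who are supposed to touch giving data (assumption)
FINANCE_SCREENS = {"Giving"}
MAX_ADMINS = 3              # the page's guidance: two or three admins at most


def parse_log(text):
    """Turn the constructed export into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, ip, screen, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "ip": ip, "screen": screen,
                        "action": action})
    return records


def find_shared_account_signs(records, window=timedelta(minutes=10)):
    """Same user active from two different IPs within `window`: a common
    sign that one set of credentials is being shared between people."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for a, b in zip(recs, recs[1:]):
            if a["ip"] != b["ip"] and b["ts"] - a["ts"] <= window:
                findings.append((user, a["ip"], b["ip"]))
    return findings


def find_unexpected_finance_access(records, allowed=FINANCE_USERS):
    """Any action on a giving/financial screen by a user not on the allow-list."""
    return [(r["user"], r["screen"], r["action"]) for r in records
            if r["screen"] in FINANCE_SCREENS and r["user"] not in allowed]


def count_admins(records):
    """Distinct accounts that acted with the admin role."""
    return len({r["user"] for r in records if r["role"] == "admin"})


def review(text):
    """Run all checks and return a report dict."""
    records = parse_log(text)
    admins = count_admins(records)
    return {
        "shared_account_signs": find_shared_account_signs(records),
        "unexpected_finance_access": find_unexpected_finance_access(records),
        "admin_count": admins,
        "too_many_admins": admins > MAX_ADMINS,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, the review flags alice (active from two addresses three minutes apart), four giving-screen actions by users outside the allow-list, and four distinct admin accounts, one more than the page recommends. Each finding is a prompt for a human follow-up, not proof of wrongdoing.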
You should also have a policy that a reputable anti-malware application is installed on each system that accesses the service, particularly on Windows-based computers. For further protection, avoid browsers that are no longer maintained and have known security vulnerabilities, such as Internet Explorer, and keep your computers and browsers up to date with the latest security patches.
Keep in mind that even a secure browser running on a secure computer can be compromised by third-party browser add-ons, such as browser toolbars and search bars. These add-ons often provide little to no benefit, can degrade your web experience, and may even have access to data you enter on secure sites like churchtrac.com. We recommend that you disable and remove any third-party browser add-ons you don't need and use a mainstream browser that is fully patched with the latest security updates.
Finally, here's a list of some other general things you should do (or NOT do) to help protect your data:
Scammers are actively targeting churches and church members. Scammers will do things like pretend to be the pastor and ask people for money or gift cards. Make sure your congregation knows that the pastor will never reach out to them privately to make a request like this.
Make sure you don't have any of your members' information on your church's public website or any public Church Connect pages. If you have an About Us page or a Staff page, we recommend that you do not include any email addresses or phone numbers of your leaders and staff. And again, secure your online directory so only people who you know and trust have access to this resource.
Senior adults are especially vulnerable to online scams. It's a good idea to regularly spend some time educating them about different types of internet scams and how to protect themselves.