Fundraising tech documentation is migrating to mediawiki.org
. This documentation may be outdated.
The fundraising infrastructure is made up of quite a few different components to facilitate online user contributions and tracking/storing donor information.
WMF Donation Pipeline overview
Fundraising Engineering Documentation Fundraising On-Call documentation
Someone in the Fundraising Tech department can usually be reached in IRC, on the channel #wikimedia-fundraising.
For Fundraising Engineers
We have the ability to use several payment processors for online donations. Currently, we route most credit card donations to GlobalCollect.
- Ingenico: http://www.ingenico.com/
Ingenico has the ability to handle payments from multiple international systems including: credit card, direct debit, real time bank transfer, eWallets and more.
- Amazon: A widget on our page, integrated using Login and Pay with Amazon.
- Adyen: https://www.adyen.com/, documentation
- WorldPay An alternate credit card processor that we use primarily for France and RTL languages. We can do other methods through them, too, if we want.
See also, "Ways to Give
" for our recommended donation methods according to country.
Payment processor capabilities:
Notification failure policies:
When we don't respond to an IPN message from a payment processor with a successful HTTP code, they usually resend it.
Adyen: back-off algorithm from 5 minutes to 8 hrs, then every 8 hrs for a week
Amazon: every hour for 14 days
- ↑ See GlobalCollectAdapter::getCurrencies
- ↑ http://www.adyen.com/platform/all-countries-all-currencies/
- ↑ DE, IT, NL (todo: AT, BE, CH, ES, FR, GB)
- ↑ Pending roll-out
- ↑ See GlobalCollectAdapter::getAvailableLanguages. Our code must find a fallback language if the donor's native tongue is unsupported.
- ↑ See PaypalAdapter::stage_locale. For unknown reasons, we have to specify language *by country*.
This describes the WMF fundraising systems configuration. See the MediaWiki.org page on payments message queues
for a discussion of how message queues are used to buffer and decouple fundraising infrastructure, and to read about the format and content of normalized messages
The limbo queue *WILL SOON BE* stored in Redis on the payments cluster, which is important for PCI certification. We cannot afford to have our queue servers in scope.
All queues feeding into services outside the fr-cluster live on a single ActiveMQ instance. This is a SPOF.
The DonationInterface frontends set and delete messages on localhost's queue. Nice to have: if record to delete is not found, try the other masters.
Orphan slayer pops messages off of available masters in round-robin order. Set and delete are to the same queue the message came from.
Redis masters on payments1-3 replicate to three slaves on payments4.
codfw holds (three or) six replicas of the queues on eqiad payments1-4.
Port all STOMP queuing to high-availability Redis instead.
We should clean up any unused queues, and overly narrowly defined ones.
Replace Jenkins with cron jobs.
When a potential donor visits the Wikimedia donation page, a tracking record is created in the drupal.contribution_tracking table. This record includes the user's language, referrer, donation comment, opt-out status, a timestamp, and various other data. The tracking is handled on the MediaWiki side by the DonationInterface
extensions. If the user makes a successful donation, a contribution record is passed to CiviCRM via ActiveMQ. The queue2civicrm module then inserts the contribution record into the CiviCRM database and updates the tracking record with the id given to the contribution by CiviCRM.
Banner Impression/Landing Page Stats Collection
Contribution tracking data is surfaced through a stats portal
on foundation wiki. All entries have to be white listed under wgAllowedTemplates
so that we don't surface any doctored banners.
This is a tracking variable which is supposed to collect information about the transaction. Currently, it is a period-separated concatenation of three components. One interpretation of the components is, 1) banner name, 2) landing page name, and 3) payment method. We are currently in the process of standardizing (see FR #965
and FR #673
In theory, each component may be a tilde-concatenation of a sequence of landing pages, for example. That code is badly dysfunctional.
Donor was referred by this type of site: sitenotice, spontaneous, sidebar, socialmedia.
Seems unuseful at this broad granularity.
The parent campaign for the banner where this donation was initiated.
(Redundant) applies the contribution_tracking table schema. This should be done using the MediaWiki extension instead.
This module handles converting foreign currencies into US Dollars. It consists of two major components. One function handles doing the conversions based on exchange rates stored in the drupal.exchange_rates table. This function is called from the queue2civicrm module when it is processing donations from the queue. Another function, which is activated by a cron job, looks up the exchange rates on the web and updates the exchange_rates table. The exchange rates are currently pulled from oanda.com, with http://www.ecb.int/stats/eurofxref/eurofxref-daily.xml
used as a back-up source.
(Theoretically) exposes per-gateway throughput counts.
Compares automatically-downloaded nightly audit files against the CRM database, and logs discrepancies.
Send an email to the Major Gifts team when any online donation exceeds a configured dollar amount threshold.
(Theoretically) audits nightly PayPal IPN logs against CRM database.
Some weird convenience for development schema alters.
Import check and chargeback spreadsheets into the CRM.
(Deprecated) audits Payflow Pro logs.
Replicates incoming donations into an anonymized database suitable for a public analysis server.
This module pulls online contributions from the ActiveMQ queue 'donations' and writes them to the CiviCRM database via the CiviCRM API. It is activated by a periodic Jenkins job, which fires an included Drush command (found in queue2civicrm/queue_consume.drush.inc) to replace the former cron method. Output from the execution is captured in the Jenkins console logs.
Queue2civicrm also contains a hook (queue2civicrm_import) which is invoked at the end of a singular transaction, passing transactional information on to other modules that will perform other actions on the transaction. The following modules make use of this hook:
It also contains a hook which is invoked at the end of processing a batch of messages, which allows for other modules to perform batch processing. This hook is made use of in the following modules:
The settings for queue2civicrm can be configured at http://<web root for drupal>/admin/settings/queue2civicrm. You can configure the connection information to ActiveMQ, what queue to consume from and the number of messages to consume at once. Also, you can test the ActiveMQ connection and test pushing messages into the queue.
Formerly, this module interacted directly with the PayflowPro gateway to validate transactions and passed queued items ready for consumption to a custom API for inserting them into CiviCRM. This module no longer performs any gateway-specific actions and uses the built-in CiviCRM API for inserting contributions.
There are a number of ways to execute queue consumption with queue2civicrm and queue2civicrm/recurring. The easiest way is with Drush
. From the Drupal root,
This executes the queue2civicrm Drush script, located in queue2civicrm/queue_consume.drush.inc
The recurring module is a sub-module to queue2civicrm and shares much of the functionality. As is it is right now, it is built particularly to handle raw IPN messages sent from PayPal pertaining to recurring (or in PayPal's language, 'subscription') contributions. Because CiviCRM does not have an API for recurring contributions and due to the immaturity of some aspects of the Civi APIs, this module performs a lot of custom queries to both the CiviCRM and Drupal databases.
This module can be configured from the queue2civicrm
It processes messages out of its own queue (as configured in the interface). Queue consumption is invoked by making use of the hook at the end of batch processing in queue2civicrm
GlobalCollect does not actively recur subscriptions. This module is run daily, and will query the database for GC recurring donations which should be charged that day.
This module sends a thank you message to online donors. It is called via a drupal hook from the queue2civicrm module every time a contribution is successfully recorded in the database. The contents of the thank you message are set from Administer » Site configuration » Thank you settings in CiviCRM.
Compatibility and utility layer on top of the CiviCRM API.
Shared convenience library.
Generalized mailing job management and templating. Wraps the sendmail library (currently PHPMailer).
(Unused) Create an tax receipt listing all of a donor's contributions for that year.
Provides custom CiviCRM reports and export methods.
Perform donor mailing list opt-out.
Read from the queue and call opt-out routines from wmf_unsubscribe.
The following Mediawiki extensions related to fundraising are installed on the payments wiki
This module handles all of the payment gateway specific functionality for the fundraising system at the point the user makes a donation. Other handling (secondary verification, queue managing) is handled on Fundraising.wikimedia.org
. DonationInterface It is made up of the following components:
Contains the Stomp library and provides a mechanism for correctly formatting a message for storage in ActiveMQ. This could probably be refactored a bit to allow the other extension pieces to more flexibly rely on this to communicate with ActiveMQ. As it is right now, the functionality exposed by activemq_stomp.php is very limited, however the included Stomp library exposes whatever you might need to communicate with the queue.
This directory contains several different hooks that can be used as needed at various points in a gateway's donation workflow. Extras include conversion_log, custom_filters (used for fraud prevention), minfraud (which also exists as a custom filter), and recaptcha.
Generally, the gateway_common directory contains gateway adapter code written to be gateway-agnostic, but which all the gateway-specific classes are descended from.
Forms and form classes that are not written to be gateway-specific should be kept here.
All gateway-specific code can be found here.
In the course of a normal globalcollect hosted credit card transaction, a small percentage of donors will complete a transaction on the globalcollect hosted credit card form, and not manage to come back to the globalcollect ResultSwitcher page. The function of the ResultSwitcher page is to both filter and finalize the pending transaction and record it in the case of a successful conversion, so the donor not returning to the ResultSwitcher would effectively strand the otherwise successful transaction in a sort of limbo state. The code contained in the globalcollect scripts directory was written to address the problem of these stranded transactions.
This maintenance script is currently running on a Jenkins job, and uses data pulled from the 'cc-limbo' queue in ActiveMQ.
Generally speaking, all modules that could be said to be gateway-agnostic should live in this directory. These modules will be loaded as-needed with resource loader.
This exposes the credit card donation form (as opposed to the PayPal stuff) and handles the communication between the donation page and PayflowPro. It negotiates the entire process from the point the user submits the donation to insertion of a donation into ActiveMQ - if a donation is considered valid at the point of submission, it is placed in the 'donation' queue. Otherwise, it is either rejected or placed in the 'pending_pfp' queue for review. Further handling happens on pending messages by Fundraising.wikimedia.org#PayflowPro_Pending_Transaction_Verification
There are a series of extra sub-extensions, or filters, for payflowpro_gateway that perform analysis on credit card transactions to determine the likelihood that a transaction is fraudulent. Each of the filters helps determine the 'risk score' for a transaction. Actions to take based on certain risk scores can be configured for payflowpro_gateway (reject, review, challenge, accept). The filters currently available include:
- MaxMind/MinFraud - a third party solution that helps analyze the transaction. They return their own 'risk score' for a transaction which heavily influences our own internal scoring.
- Referrer - Regular expressions can be configured to be run on a transaction's 'referrer', and each regex can be configured to apply a different score in the event that the referrer is a match.
- utm_source - Same as referrer, but for the utm_source bit in the tracking fields.
Our configuration of payflowpro_gateway causes two local logfiles to be generated:
The 'minfraud' log logs more than just 'minfraud' related information. It tracks a user's transaction through our fraud prevention filters, and if their transaction is considered safe enough to be sent off to PayflowPro, Payflow's response object also gets logged here. This log also gets used to help us determine patterns in fraudulent transactions, analyze more general patterns in our transactions and determine why or why not a certain transaction was accepted/rejected.
The 'payflow' log logs more than just payflow related information. It's more of a debug log, tracking a transactions progress through the different parts of the payflowpro_gateway experience. The only piece of transactional data that actually gets recorded in the log is our internal 'trxn_id', which is considered the 'invoice id' by PayPal/Payflow (this makes it possible to line up transactional information either later on our end [eg from CiviCRM] or from the PayPal manager with the information contained in this log). We primarily use this log to keep track of timing information - how long it takes to communicate with the various third party services (MaxMind and PayflowPro), timeouts, retries, etc.
It is important to note that for our purposes, these log files actually get aggregated and later archived - more details can be found on the documentation for the payments cluster
Handles the redirect from the Wikimedia site to PayPal for donations.
The ContributionTracking extension provides an unlisted special page for logging online donations. When the donation process is initiated, the extension stores some basic information in the Drupal contribution_tracking table and the transaction is assigned a unique, internal ID. This ID is used to track the contribution through the process of being validated and ultimately consumed in CiviCRM.
This extension also exposes a function contributionTrackingConnection() which will allow you to connect to the database containing the contribution_tracking table.
This extension makes it possible to provide a user-facing link that will direct the user to n possible URLs x% of the time. For instance, this is useful for doing randomized A/B testing - you can configure the module to send 50% of clicks to one URL, and the other 50% to another URL. The percentages are completely configurable as are the URLs. This was used extensively to make the 'Donate' sidebar link on Wikipedia point to a number of different donation landing pages for testing purposes.
The best public fundraiser stats are now found on samarium
The public reporting data is stored in the civicrm.public_reporting table on db9
. This data gets replicated to the slave database, db10
, which is where the public reporting pages actually pull the data from.
The code that manages the public reporting data lives in /srv/org.wikimedia.civicrm/sites/all/bin/public_reporting on the grosley server (donate.wikimedia.org).
- table.sql - Creates the public_reporting table
- trigger.sql - Sets up the database triggers for updating the table
- synchronize.sql - Can be used to manually sync the public reporting data with the existing contribution records
The reporting pages are created through the ContributionReporting mediawiki exntension
Wikimedia Foundation sends a limited number of bulk emails to donors over time. I believe that each donor receives at most three solicitations each year [Citation needed].
Following the data flow, the donor's email address gets onto our subscription list either by entering their address while donating, or at a "remind me" prompt. This email is entered into our CRM, and then a nightly export job stores in a CSV file. This file is uploaded to Silverpop and imported into their database, where segmentation and other queries can be run to cut multiple lists per experiment. Emails are templated using this data, and contain links back to our servers, which include Contact ID and other tracking information about the mailing. Donatewiki landing page views are instrumented, and we do analysis on the results and use the tracking information to correlate with donations, to inform future emails.
There are some miscellaneous scripts to help with things like Paypal Verification, queue handling, etc. Details of which can be found on Fundraising.wikimedia.org
High-level Overview of Donation Pipeline
Click the images for further explanation.
Some tips for a successful Fundraising deployment. FIXME: this is not as useful as it should be, due to hostname obfuscation.
CentralNotice is the only extension we commonly deploy to the main MediaWiki production cluster. Please put your schedule on the Deployments
calendar, and follow the usual instructions
Log into mwlog1001 and watch /a/mw-log/hhvm.log for any fatal errors you might be causing with your deployment.
- Donatewiki translations go out regularly on the l10n cache
- TYs need to be manually deployed - make a task for this and put it in pending review in the current sprint
- Subject line needs to be manually deployed - make a task for this and put it in pending review in the current sprint
- Payments needs to be manually deployed - make a task for this and put it in pending review in the current sprint
Last edited on 24 March 2020, at 14:29
Content is available under CC BY-SA 3.0
unless otherwise noted.