Gift Card Fraud: How to fight the fraud battle
By Ashley Girsch, VP, Operations, and Kelly Solko, Senior Global Print Buyer
More than ever, gift card fraud is top of mind for merchants and brands. Preventing fraud in the gift card space is complex due to the ever-changing tactics of fraudsters. Both physical gift cards and e-gift products are targeted, but in different ways. Topps Digital Services and other leaders in the gift card industry have teams dedicated to fighting fraud. Continuous innovation in fraud prevention must be on our to-do lists in order to deter fraudsters from targeting gift cards.
Fraud Prevention in the Online Redemption Flow
The leading cases of fraud we are seeing in the gift card marketplace include: fraudsters writing scripts to guess active pins, bots creating new user accounts, and fraudsters obtaining codes to resell online. There are some best practices and preventative measures you can put in place to keep this activity from occurring on your platform.
To start with the basics, sensitive values such as codes or pins need to be kept secure. They should not be exposed or passed around in an insecure fashion, such as via email, included in reporting, or sitting in files on people’s desktops. Codes or pins should be treated as securely as cash and should be encrypted during transmission and deleted from locations where they are not needed. Also consider restricting access to codes on the customer service side by requiring an escalation or allowing only full-time employees to handle this sensitive data, as opposed to allowing thousands of contracted agents to view these values.
The key to preventing fraudulent redemptions is to know your user and to provide little to no information to those who are not logged in to your platform. It is best practice to require login prior to allowing a redemption attempt. If authentication is not required, then you have little information on this individual and no ability to remove or freeze this person’s account, aside from attempting to block their ever-changing IP addresses. The more info you have on a person, the better you can track their activity and patterns. Capturing user data including IP address, lat/long, user agent and other relevant data will help you block repeated requests with high error rates.
Partners should have metrics and monitoring in place on their side so they can see when they are receiving a lot of invalid pin guesses, how many times a pin has been guessed, who is guessing this pin, where the pin entry came from, etc. All of this info will allow the partner to put business rules in place around this activity. Throttling is a good place to start on limiting fraudulent activity. A partner should only allow so many redemptions and redemption attempts a day/week/month and have a cap on overall value load into a user’s account. A session variable or a CSRF token can also be used to slow automated brute force guessing of gift cards. Additionally, partners should log the redemption interface and location in their system to identify potential vulnerabilities, such as a browser-compatible redemption option that doesn’t have all the safeguards (e.g. promo code boxes).
In order to get in front of fraudsters that create bots to generate new user accounts, we have found something as simple as implementing reCAPTCHA into your redemption flow (CAPTCHA stands for: Completely Automated Public Turing test to tell Computers and Humans Apart) has thwarted these attempts.
Lastly, years ago it was best practice to provide as much info as possible and surface the most specific error codes to lighten the load on customer service teams; now we have found that the less info provided to users the better, especially if they are not logged in. For closed loop, one time redemption cards, a balance inquiry is not really necessary and just provides information like value and status to a fraudster who will then resell the code they successfully guessed. This will result in the end user becoming a victim of fraud, as their code will be redeemed by someone else before they can use it, and they will have a bad user experience on your site/app. It is best not to provide balances or statuses and to serve up very generic error codes like “invalid pin.” If a good user has run into an invalid pin error, they can reach out to your customer service team, who should have more insight into why they received the error they did and can resolve the problem with this customer. The only error that should be shown to a user with specifics is an already redeemed error, if the user is logged into an account in which they have already redeemed that specific code.
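As an added illustration (not code from the original article or from Topps Digital Services), the sketch below combines the login requirement, attempt throttling and value cap described above with the generic-error guidance. The class name, limits and response strings are assumptions, and state is held in memory for a single process.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 3600   # assumed throttling window: one day
MAX_ATTEMPTS = 5             # assumed cap on redemption attempts per account
MAX_LOAD_VALUE = 200         # assumed cap on value loaded per account
GENERIC_ERROR = "invalid pin"

class RedemptionGate:        # hypothetical name, not a real library class
    def __init__(self, cards):
        self.cards = cards                      # pin -> {"value", "redeemed_by"}
        self.history = defaultdict(deque)       # user_id -> (timestamp, value loaded)
        self.failures_by_ip = defaultdict(int)  # metric for monitoring and blocking

    def redeem(self, user_id, ip, pin, now=None):
        now = time.time() if now is None else now
        if user_id is None:
            return "login required"             # no attempts for anonymous users
        events = self.history[user_id]
        while events and events[0][0] <= now - WINDOW_SECONDS:
            events.popleft()                    # drop attempts outside the window
        if len(events) >= MAX_ATTEMPTS:
            return "try again later"            # throttled before the pin is checked
        card = self.cards.get(pin)
        if card is not None and card["redeemed_by"] == user_id:
            events.append((now, 0))
            return "already redeemed"           # specific only for the redeeming account
        loaded = sum(value for _, value in events)
        # Unknown pin, a pin redeemed by someone else, and a value-cap hit all
        # return the same message, so the response never confirms a pin is valid.
        if (card is None or card["redeemed_by"] is not None
                or loaded + card["value"] > MAX_LOAD_VALUE):
            events.append((now, 0))
            self.failures_by_ip[ip] += 1
            return GENERIC_ERROR
        card["redeemed_by"] = user_id
        events.append((now, card["value"]))
        return "ok"

if __name__ == "__main__":
    # Constructed sample data: one card, one logged-in user, documentation IPs.
    gate = RedemptionGate({"1111": {"value": 50, "redeemed_by": None}})
    print(gate.redeem("alice", "203.0.113.5", "1111", now=1))    # ok
    print(gate.redeem("mallory", "198.51.100.7", "1111", now=2)) # invalid pin
```

In production the per-account history and the per-IP failure counts would live in a shared store and feed the monitoring the article describes.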
If you have a great service, fraudsters are going to want to take advantage of it. Your job is to make it very difficult to become their victim. Throw every hurdle and pain point in front of them possible so they start to look elsewhere, and stay up on the latest best practices as things are always changing in this advancing world of technology and payments.
Fraud Prevention Using Print Tactics
One bare-minimum security requirement for all gift cards at retail is to have a security label covering the PIN code. There are two main types of security labels in the market today: (1) scratch off labels and (2) peel off labels.
Scratch off labels cannot be easily peeled by fraudsters to view the pin. Peeling, by design, may cause the pin to be damaged. For example, fraudsters would like an easy way to remove the label, document the pin, and re-apply the label. They could then sit back and wait for cards to be activated. However, this is not easy with scratch off labels, which deters fraudsters. Scratch off labels easily crack/flake if peeling and re-applying is attempted. While scratch off labels are considered the most fraud resistant labels for gift cards, there are always ways to get around any label (example: scratch off the label and replace it with a new label).
Fraudsters can go into a store and peel off the labels, write the codes down to try to redeem later (mostly during the holidays, when the purchase to redemption time is longest), and put the label back over the pin without customers or retailers noticing. When the fraudster redeems before the intended recipient, this creates a bad user experience for the intended recipient. The intended recipient will have to call customer service, the issue will be researched and the brand will determine if a credit will be provided. Therefore, the fraudster and intended recipient will both receive the credit when only one credit has been paid for. Note: the scenario of providing a credit to the intended recipient would be up to the discretion of the brand’s CS department.
Another option for brands is to implement secure packaging. Typically secure packaging has been used for more secure prepaid products like open loop and general purpose reloadable. However, there are a few brands starting to implement secure packaging where the package has to be ripped open to access the card and PIN code. This printing method does come at a higher cost to brands as there are more elements to print, affix and package.
The Topps Digital Services print team helps brands review the pros and cons of all printing options. Brands can then discuss internally and make an informed decision based on the size of their program, use of internal resources (e.g. customer service), costs, etc.
Fraud Prevention at the Store
Fraud prevention is also being addressed by the retailers and brands at the store level. Some brands like Apple have their employees ask gift card purchasers if someone has asked them to purchase the gift card for them. Scammers have been known to urgently send someone into a store to have them purchase gift cards.
Some retailers also train their cashiers to be aware when selling gift cards to watch out for cards that appear to be tampered with. For example, if the security label covering the PIN code appears to be altered or damaged, they should have the customer select a replacement card.
Fraud Prevention Using Changing Tactics
Simply said: keep them guessing. Making money is a fraudster’s full-time job. They will only quit when we make it too hard for them to continue targeting gift cards. Keep innovating and keep them guessing.
Want to know more about how to protect your gift card program? Drop us a line at firstname.lastname@example.org.
Ashley Girsch is the Vice President of Operations at Topps Digital Services. She leads engineering integration projects and oversees all day-to-day operational aspects including creative, client support, reporting and print production for Topps Digital Services.
Kelly Solko is the Senior Global Print Buyer at Topps Digital Services. She leads sourcing, global print production and marketing. Kelly has been in the gift card space for 10+ years with experience in both 1st party and 3rd party programs.