Making Gift Cards A Little More Secure

Written by Evan Schuman
December 22nd, 2005

The ease of use of a gift card is making them popular, with e-commerce sites expecting a tidal wave of gift card redemptions next week.

The question is whether they will be met with a similarly enthusiastic number of thieves hoping to use replicas of the cards in brick-and-mortars and the numbers themselves online.

The fraud risk online is simple: The cards follow predictable patterns, and thieves can throw lots of numbers at the sites until a site accepts one. All of a sudden, Aunt Martha will be in for a surprise when she finds that the gift card in her stocking has no value left.

In the physical world, copying the card requires more sophistication, but if a store employee is an accomplice, the theft again becomes easy. The employee declares that the magstripe doesn’t work and manually inputs the card’s number, which might have been generated by guessing software and then verified on the Web.

A Colorado credit-card processing firm, Mercury Payment Systems, wants to borrow one method from the traditional credit card: the card validation value (CVV), which is the number written on the card but not raised.

The premise is that the CVV would make guessing the numbers much more difficult because the thief would first have to guess the card number and then have to guess a matching CVV number. Most systems won’t permit a lot of tries for the CVV, so the software guessing method would be much less effective.
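How an issuer-side redemption check can enforce the limited-tries premise described above, shown as an added Python example (not Mercury’s or any retailer’s code; the card numbers, CVVs, balances and the three-attempt lockout policy are constructed assumptions):

```python
"""Gift-card redemption check with a CVV and a per-card attempt limit.

Added illustration of the scheme the article describes; it is not Mercury
Payment Systems' or any retailer's code. Card numbers, CVVs and balances
are constructed sample values. The lockout threshold is an assumed policy.
"""
import hashlib
import hmac
from dataclasses import dataclass

MAX_CVV_ATTEMPTS = 3  # assumed policy: lock the card after three CVV failures


@dataclass
class GiftCard:
    number: str
    cvv_hash: bytes  # the issuer keeps only a keyed hash, never the CVV itself
    balance_cents: int
    failed_cvv_attempts: int = 0
    locked: bool = False


class Issuer:
    """In-memory stand-in for the issuer's redemption host."""

    def __init__(self, key: bytes):
        self.key = key
        self.cards: dict[str, GiftCard] = {}
        self.audit: list[tuple[str, str]] = []  # (event, card number) for fraud review

    def _hash_cvv(self, cvv: str) -> bytes:
        return hmac.new(self.key, cvv.encode(), hashlib.sha256).digest()

    def issue(self, number: str, cvv: str, balance_cents: int) -> None:
        self.cards[number] = GiftCard(number, self._hash_cvv(cvv), balance_cents)

    def redeem(self, number: str, cvv: str, amount_cents: int) -> str:
        card = self.cards.get(number)
        if card is None:
            # Unknown numbers are what a guessing run mostly produces; log them.
            self.audit.append(("unknown_card", number))
            return "declined"
        if card.locked:
            return "locked"
        if not hmac.compare_digest(card.cvv_hash, self._hash_cvv(cvv)):
            card.failed_cvv_attempts += 1
            if card.failed_cvv_attempts >= MAX_CVV_ATTEMPTS:
                card.locked = True  # further CVV guesses on this card are useless
                self.audit.append(("locked", number))
                return "locked"
            self.audit.append(("bad_cvv", number))
            return "declined"
        if amount_cents > card.balance_cents:
            return "insufficient_funds"
        card.balance_cents -= amount_cents
        card.failed_cvv_attempts = 0  # a good redemption clears the counter
        return "approved"
```

Even a correctly guessed card number yields nothing once the attempt counter locks the card, and the audit list gives the fraud team the enumeration pattern (many unknown numbers, repeated bad CVVs) to act on.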

“We’re trying to mimic the features you would have on a credit card,” said Jenna Hutt, Mercury’s director of developer support.

Retail security rules prohibit merchants from storing the CVV for credit cards, but some still do. Today’s gift cards are in a gray area, depending in part on their issuer. A Wal-Mart gift card would not be considered PCI-relevant, for example, but an AmericanExpress, MasterCard or Visa gift certificate/giftcard would likely fall within PCI jurisdiction. With some retailers co-branding credit cards, the distinctions can easily blur.

But even if it’s not required, is it good security practice for retailers to add CVVs?

Mark Rasch, a former federal prosecutor for high-tech crimes, said he thinks it’s probably a good idea, but more for hand-holding and perception than actual security.

Adding CVV “does make it a lot more secure, but this is not about security. It’s about consumer confidence,” said Rasch, who today serves as SVP and chief security counsel for Solutionary, a Maryland-based managed security services firm.

Rasch argues that a retailer’s decision to add CVV has to be made like any other security decision, with an examination of the true risk versus the likely cost. In this instance, Rasch said, neither side of the balance is especially heavy. The cost of adding the numbers is trivial and the amount of giftcard fraud reported today is also very light.

Rasch added that gift cards are typically not that attractive to thieves. “Gift cards are relatively discreet. They have a predetermined limit and I can only use it at a certain place. That means they are not as attractive a target,” he said.

But in that retail balancing act, the other factor is that gift cards are enormously attractive to the retailer in that they lock in purchases and give the retailer usage of the money long before a purchase is made. Also, they strongly encourage upsells and they bring the customer into the store to make other purchases.

From that perspective, anything that encourages gift card usage is a great thing for retailers and, Rasch argues, making consumers feel more confident about using them removes a potential customer hurdle.

One key potential security advantage of gift cards is that the issuer has much more freedom in establishing the number and making it as long, and as changeable, a string as possible.

Traditional credit card numbers, on the other hand, are much more restrained, with as many as a dozen of the credit card number digits being predetermined.

“Some of the initial digits have to tell you whether it’s a Visa or AmericanExpress. The next will tell you the issuing bank,” Rasch said. “The next will tell you the type of card, such as whether it’s an affinity card. The next will say the branch where the card was issued. This means that if I’m doing a random credit card generator, the odds are pretty good if I start guessing numbers that I can try them on a merchant account until one works. But on a gift card, I can create a gift card that has a 100-digit number and there needs to be no (processor-dictated) pattern to it.”

Some in the payment space have even questioned whether some of these authentication techniques are severely undermined by making them required so often. For years, privacy advocates have complained of businesses using Social Security numbers as employee/customer identification. This associates the SS# with that person in so many places as to make it an ineffective means of authentication.

A similar concern has been raised about the CVV. With almost every online site now requiring the CVV to process any e-commerce purchase, that number is associated with the credit card number in so many databases as to make it a weak verification means. Merchants are not supposed to retain the CVVs, but some do and procedures are not always strictly followed with smaller specialized merchants.

No matter how much the CVV may be diluted, Mercury’s Hutt argues, something needs to be done to secure gift cards and a CVV program is a good first step.

“The whole (giftcard) market is starting to explode. You’re putting hundreds of thousands of giftcards into the market every day,” Hutt said. “It’s potentially a large problem for merchants, who are opening themselves up.”

Not taking any gift card authentication process “is reckless for the retailer’s overall liability,” she said.

Rasch stressed that security procedure adherence will ultimately determine whether adding CVV improves a retailer’s security and reduces its fraud rate.

“CVVs only work if they are logically separated from the first authentication number. If I lose the card, I’ve lost the card number and the CVV and the magstripe,” Rasch said.

He added that fraudulent sites set up to trick consumers into revealing their information, the so-called phishing sites, are still a gift card danger. “Adding CVV does nothing about phishing. In fact, it encourages phishing,” he said, referring to the greater feeling of security, which could lead to consumers buying gift cards with larger cash value.
