Making Gift Cards A Little More Secure

With online gift cards riding a wave of popularity, gift card fraud is also increasing. Is adding an additional verification number the answer?

The ease of use of a gift card is making them popular, with e-commerce sites expecting a tidal wave of gift card redemptions next week.

The question is whether they will be met with a similarly enthusiastic number of thieves hoping to use replicas of the cards in brick-and-mortars and the numbers themselves online.

The fraud risk online is simple: The cards follow predictable patterns, and thieves can throw lots of numbers at the sites until it accepts one. All of a sudden, Aunt Martha will be in for a surprise when she finds that the gift card in her stocking has no value left.

In the physical world, it requires a more sophisticated ability to copy the card, but if a store employee is an accomplice, the theft again becomes easy. The employee declares that the magstripe doesnt work and manually inputs the cards number, which might have been software-guess-generated and then verified on the Web.

A Colorado credit-card processing firm—Mercury Payment Systems—wants to borrow one method from the traditional credit-card: the card validation value (CVV), which is the number written—but not raised—on the card.

The premise is that the CVV would make guessing the numbers much more difficult because the thief would first have to guess the card number and then have to guess a matching CVV number. Most systems wont permit a lot of tries for the CVV, so the software guessing method would be much less effective.

"Were trying to mimic the features you would have on a credit card," said Jenna Hutt, Mercurys director of developer support.

Retail security rules prohibit merchants from storing the CVV for credit cards, but some still do. Todays gift cards are in a gray area, depending in part on its issuer. A Wal-Mart gift card would not be considered PCI-relevant, for example, but an AmericanExpress, MasterCard or Visa gift certificate/giftcard would likely fall within PCI jurisdiction. With some retailers co-branding credit cards, the distinctions can easily blur.

But even if its not required, is it good security practice for retailers to add CVVs?

Mark Rasch, a former federal prosecutor for high-tech crimes, said he thinks its probably a good idea, but more for hand-holding and perception than actual security.

Adding CVV "does make it a lot more secure, but this is not about security. Its about consumer confidence," said Rasch, who today serves as SVP and chief security counsel for Solutionary, a Maryland-based managed security services firm.

Rasch argues that a retailers decision to add CVV has to be made like any other security decision, with an examination of the true risk versus the likely cost. In this instance, Rasch said, neither side of the balance is especially heavy. The cost of adding the numbers is trivial and the amount of giftcard fraud reported today is also very light.

Rasch added that gift cards are typically not that attractive to thieves. "Gift cards are relatively discreet. They have a predetermined limit and I can only use it at a certain place. That means they are not as attractive a target," he said.

But in that retail balancing act, the other factor is that gift cards are enormously attractive to the retailer in that they lock in purchases and give the retailer usage of the money long before a purchase is made. Also, they strongly encourage upsells and they bring the customer into the store to make other purchases.

From that perspective, anything that encourages gift card usage is a great thing for retailers and, Rasch argues, making consumers feel more confident about using them removes a potential customer hurdle.

Next Page: Gift cards have some security advantages compared with credit cards.