As we come to the close of the holiday season, retailers will be experiencing an uptick in gift card sales, whether for their own store brand or for others. Almost half of all consumers received a gift card last Christmas, and 62 percent of consumers said they would like to receive a gift card. Along with welcome sales growth in stored value cards, however, comes the inevitable intrusion of fraud.
While gift card fraud happens to represent a small percentage of overall losses from leaks in digital security, it's very often linked to credit card fraud and can hit your bottom line. National retailers experience average losses of around $72,000 from gift card fraud alone, and fraudsters are finding more and more ways to exploit small gaps in digital security. Aside from the aggravation that this causes — piled on top of holiday stress — gift card fraud represents a breach of trust for employees and customers alike. Store employees are responsible for nearly two-thirds of all gift card fraud. While this may come as a bit of an eye-opener, we want to help surface some of the ways gift card fraud happens. And we won't leave you in suspense — there are also lots of ways you can minimize it so as to keep it from darkening your holiday outlook.
Types of Gift Card Fraud
Here are several known methods of committing gift card fraud:
- Skimming: A fraudster takes a gift card off the rack and uses an electronic reader (aka skimmer) to read all the data, go home and make a counterfeit card. The perpetrator then waits for somebody to load that particular card in the store, and uses the fake card to make purchases. It’s estimated that 13 percent of gift card fraud is due to counterfeit or skimmed cards.
- Dialing for dollars: Using an automated phone dialing system, a fraudster randomly goes through card numbers, eventually finding one that has money on it. Then he finds a retailer that doesn't require a PIN, and uses it, for example, online.
- Returning stolen goods: Often when people come in with stolen merchandise and no receipt, the retailer will give them a gift card in exchange.
- Timing attacks: Fraudsters will determine times throughout the day when retailers are running maintenance on their systems or when there are other possible weaknesses within their IT infrastructure. This can happen, for example, when there's a two-step process for removing the funds from a card for a purchase.
- Employee theft: Stolen cards, both physical and electronic, represent a significant source of loss — estimates are around 13 percent.
- Data leaks: There are many third parties within the gift card process (marketing firms, B-to-B sellers, resellers, etc.) that share card information between parties. This creates a gap where data leaks can occur. In some cases, employers distribute bonuses and awards via an emailed electronic gift card. The files those numbers are pulled from can be breached by an employee or outsider.
What Can Retailers Do? Best Security Practices
Much of the growth in gift card fraud is due to the shift to e-commerce. Any time a physical card isn't present and people aren't face-to-face, it opens up a great opportunity for fraud. Here are some things smart retailers can do to minimize it:
1. Require a PIN. For anything you do online or over the phone, use a security code. If a fraudster has been lucky enough to come across a card with some value on it, it’s unlikely that they’ll also have the PIN.
2. Require receipts and IDs on returns. The more you can link a purchase or a merchandise return card with the person who bought or received it, the less room you leave for fraud.
3. Review gift card trading sites. There are people who obtain cards fraudulently, for example with a stolen credit card, then sell them on a gift card trading site at full value. Savvy brands monitor these sites because they don't want their brand misrepresented. Sometimes, after a brand owner has pushed them, a web organizer will put up a disclaimer saying that it won’t accept that brand’s gift cards. Monitor those websites.
4. Encrypt files and store them securely. While this would appear to be an obvious IT function, retailers are wise to take extra precautions with file storage, whether internally or through a third party.
5. Implement post-tender activation. Train your cashiers to save the gift card activation for last when scanning a basket of, say, groceries. Here’s why: if it’s scanned while it’s still in the middle of the basket, there’s an opportunity for a fraudster, working with a partner in a remote location, to redeem the activated card during the transaction. Then at the end of the transaction, the shopper says, “I really don't want that gift card; take it off.” The money has already been used. Fraudsters will go out to stores and test that functionality to find the gaps.
6. Develop stringent reconciliation processes aimed at employee fraud/theft. Make sure your point-of-sale system matches your till. Question big changes and anomalies.
7. Secure your gift cards. Cards with a preloaded value are a huge target for internal theft. Implement systems and processes that don’t require the storage and distribution of hot cards. If that’s not possible in the short term, put them in a place where whoever has access to them needs to self-identify. That way, if you’re suddenly missing a thousand gift cards, there’s a way to track them down.
Even More Precautionary Measures
By implementing the above best practices, a retailer forms a solid security strategy. However, sometimes a part of the organization — e.g., a franchise — won't have that system of checks and balances in place. Here’s where retailers can go deeper and engage professional help to find and stop fraudsters from eating into their bottom lines. Gift card companies that track data are in a unique position to help retailers understand the fine points of where the money is going. Retailers can obtain reports that help them look for specific trends — e.g., tracking incorrect PIN entries, total store debits and credits, manual transactions, and even reconfiguring customer phone interfaces — to minimize fraud. For the retailers that have a handle on these precautions, this holiday season could be their cleanest one yet.
Mark Willis is head of technology and innovation at Stored Value Solutions (SVS), a consultancy that works with top retail brands worldwide to optimize secure mobile gift card programs. Mark can be reached at mwillis@storedvalue.com.
Related story: Want to Stop Cybercrime? Focus on People