December 21, 2005

Making Gift Cards A Little More Secure

By Evan Schuman, Ziff Davis Internet

The ease of using gift cards is making them popular, and e-commerce sites expect a tidal wave of gift card redemptions next week.

The question is whether they will be met by a similarly enthusiastic number of thieves hoping to use cloned cards in brick-and-mortar stores and the card numbers themselves online.

The fraud risk online is simple: the card numbers follow predictable patterns, so a thief can throw large numbers of candidate values at a site until one is accepted. Aunt Martha is then in for a surprise when she finds that the gift card in her stocking has no value left.

In the physical world, cloning a card takes more skill, but if a store employee is an accomplice the theft again becomes easy. The employee declares that the magstripe doesn't work and keys in the card number manually, a number that might have been generated by guessing software and then confirmed as live on the Web.

A Colorado credit-card processing firm, Mercury Payment Systems, wants to borrow one method from the traditional credit card: the card verification value (CVV), the number printed, but not embossed, on the card.

The premise is that the CVV would make guessing much more difficult, because the thief would first have to guess a live card number and then guess the matching CVV. Most systems allow only a few CVV attempts per card before refusing further tries, so automated guessing becomes far less effective. The caveat is that the lockout is what does the work: a three-digit CVV on its own only multiplies the search by a thousand, which guessing software absorbs easily if the site lets it keep trying.
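The two designs the article contrasts, as an added example that is not from the article, Mercury or any retailer: a toy issuer that can number cards sequentially (the predictable pattern a guesser exploits) or from a CSPRNG, with or without a CVV, plus the online guesser that walks through candidate numbers. The "6006" prefix, the 16-digit length, the three-strike lockout and all names are assumptions chosen for illustration; the Luhn check digit is modelled because real payment card numbers carry one, which is part of why their structure is so constrained.

```python
"""Added example (not from the article or Mercury): a toy gift card issuer that
can number cards sequentially or randomly, with or without a CVV, plus the
online guesser the article describes. The '6006' prefix, 16-digit length and
three-strike lockout are assumptions chosen for illustration."""
import hashlib
import hmac
import secrets


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string, as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                      # digit nearest the check position is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def guess_space(length: int, known_prefix_digits: int) -> int:
    """Luhn-valid numbers a guesser must cover once the prefix is known: the
    check digit is determined by the rest, so only the middle digits are free."""
    return 10 ** (length - known_prefix_digits - 1)


class GiftCardIssuer:
    PREFIX = "6006"         # assumed issuer prefix, fixed on every card
    LENGTH = 16
    MAX_FAILED_CVV = 3      # assumed per-card lockout threshold

    def __init__(self, sequential: bool, use_cvv: bool, seed: int = 0):
        self.sequential = sequential
        self.use_cvv = use_cvv
        self._next = seed
        self._key = secrets.token_bytes(32)   # issuer-side key; plaintext CVVs are never stored
        self.cards = {}                       # number -> {"balance", "tag", "failed"}

    def _free_digits(self) -> int:
        return self.LENGTH - len(self.PREFIX) - 1

    def _tag(self, number: str, cvv: str) -> bytes:
        return hmac.new(self._key, f"{number}:{cvv}".encode(), hashlib.sha256).digest()

    def issue(self, value_cents: int):
        if self.sequential:                   # the predictable pattern thieves exploit
            body = str(self._next).zfill(self._free_digits())
            self._next += 1
        else:                                 # issuer is free to use an unstructured number
            body = "".join(secrets.choice("0123456789") for _ in range(self._free_digits()))
        number = self.PREFIX + body + luhn_check_digit(self.PREFIX + body)
        cvv = f"{secrets.randbelow(1000):03d}" if self.use_cvv else None
        self.cards[number] = {"balance": value_cents,
                              "tag": self._tag(number, cvv) if cvv else None, "failed": 0}
        return number, cvv

    def redeem(self, number: str, cvv, amount_cents: int) -> str:
        rec = self.cards.get(number) if luhn_valid(number) else None
        if rec is None:
            return "unknown"
        if self.use_cvv:
            if rec["failed"] >= self.MAX_FAILED_CVV:
                return "locked"               # lockout is what makes CVV guessing impractical
            if cvv is None or not hmac.compare_digest(rec["tag"], self._tag(number, cvv)):
                rec["failed"] += 1
                return "bad_cvv"
        if rec["balance"] < amount_cents:
            return "insufficient"
        rec["balance"] -= amount_cents
        return "ok"


def enumerate_guesses(issuer: GiftCardIssuer, start: int, budget: int):
    """The online attack: walk Luhn-valid numbers upward from `start`, trying a
    one-cent redemption on each. Returns the try count that hit a live card, or None."""
    for i in range(budget):
        partial = issuer.PREFIX + str(start + i).zfill(issuer._free_digits())
        if issuer.redeem(partial + luhn_check_digit(partial), None, 1) == "ok":
            return i + 1
    return None


if __name__ == "__main__":
    weak = GiftCardIssuer(sequential=True, use_cvv=False, seed=1000)
    for _ in range(5):
        weak.issue(5000)
    print("sequential, no CVV: live card hit after", enumerate_guesses(weak, 990, 200), "tries")

    strong = GiftCardIssuer(sequential=False, use_cvv=True)
    number, cvv = strong.issue(5000)
    print("random + CVV: guesser hit", enumerate_guesses(strong, 0, 10_000))
    print("right CVV:", strong.redeem(number, cvv, 2500))
    for wrong in [c for c in ("000", "001", "002", "003") if c != cvv][:3]:
        strong.redeem(number, wrong, 1)
    print("after three bad CVVs, right CVV gives:", strong.redeem(number, cvv, 1))
    print("free digits once a 6-digit prefix is known:", guess_space(16, 6))
```

Three design points matter for a real issuer. The CVV is kept only as a keyed HMAC tag and compared in constant time, so a dump of the card table does not hand out CVVs, which is the same reason merchants are told not to retain them. The lockout counter is per card, so a guesser cannot spread attempts across numbers to dodge it, and once the guesser has used up the attempts the legitimate holder is also locked out, which is the customer-service cost of the control. And the random path shows the freedom the article attributes to gift card issuers: with an unstructured body the live cards are a vanishing fraction of the space, whereas the sequential path is found in about as many tries as the gap between the guesser's starting point and the first issued card.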

"We're trying to mimic the features you would have on a credit card," said Jenna Hutt, Mercury's director of developer support.

PCI rules prohibit merchants from storing the CVV for credit cards after authorization, but some still do. Today's gift cards are in a gray area, depending in part on the issuer. A Wal-Mart gift card would not be considered PCI-relevant, for example, but an American Express, MasterCard or Visa gift certificate or gift card would likely fall within PCI jurisdiction. With some retailers co-branding credit cards, the distinctions can easily blur.

But even if it's not required, is it good security practice for retailers to add CVVs?

Mark Rasch, a former federal prosecutor for high-tech crimes, said he thinks it's probably a good idea, but more for hand-holding and perception than actual security.

Adding CVV "does make it a lot more secure, but this is not about security. It's about consumer confidence," said Rasch, who today serves as SVP and chief security counsel for Solutionary, a Maryland-based managed security services firm.

Rasch argues that a retailer's decision to add CVV has to be made like any other security decision, by weighing the true risk against the likely cost. In this instance, Rasch said, neither side of the balance is especially heavy: the cost of adding the numbers is trivial, and the amount of gift card fraud reported today is also low.

Rasch added that gift cards are typically not that attractive to thieves. "Gift cards are relatively discrete. They have a predetermined limit and I can only use it at a certain place. That means they are not as attractive a target," he said.

But in that retail balancing act, the other factor is that gift cards are enormously attractive to the retailer in that they lock in purchases and give the retailer usage of the money long before a purchase is made. Also, they strongly encourage upsells and they bring the customer into the store to make other purchases.

From that perspective, anything that encourages gift card usage is a great thing for retailers and, Rasch argues, making consumers feel more confident about using them removes a potential customer hurdle.

One potential security advantage of gift cards is that the issuer has much more freedom in choosing the number: it can be as long, and as free of fixed structure, as the issuer wants.

Traditional credit card numbers, on the other hand, are far more constrained. The leading digits identify the network and the issuing bank, and the final digit is a Luhn check digit computed from the others, so as many as a dozen of the digits can be predetermined and the space a guesser has to cover is much smaller than the number's length suggests.

"Some of the initial digits have to tell you whether it's a Visa or AmericanExpress. The next will tell you the issuing bank," Rasch said. "The next will tell you the type of card, such as whether it's an affinity card. The next will say the branch where the card was issued. This means that if I'm doing a random credit card generator, the odds are pretty good if I start guessing numbers that I can try them on a merchant account until one works. But on a gift card, I can create a gift card that has a 100-digit number and there needs to be no (processor-dictated) pattern to it."

Some in the payment space have even questioned whether authentication secrets like these are undermined by being demanded so often. For years, privacy advocates have complained of businesses using Social Security numbers as employee or customer identifiers. Once the SSN is stored alongside a person's identity in so many places, it is no longer secret and fails as a means of authentication.

A similar concern has been raised about the CVV. With almost every online site now requiring the CVV to process an e-commerce purchase, that number sits next to the card number in so many databases that it becomes a weak verifier. Merchants are not supposed to retain CVVs, but some do, and procedures are not always strictly followed by smaller specialized merchants.

No matter how much the CVV may be diluted, Mercury's Hutt argues, something needs to be done to secure gift cards and a CVV program is a good first step.

"The whole (gift card) market is starting to explode. You're putting hundreds of thousands of gift cards into the market every day," Hutt said. "It's potentially a large problem for merchants, who are opening themselves up."

Not taking any gift card authentication process "is reckless for the retailer's overall liability," she said.

Rasch stressed that security procedure adherence will ultimately determine whether adding CVV improves a retailer's security and reduces its fraud rate.

"CVVs only work if they are logically separated from the first authentication number. If I lose the card, I've lost the card number and the CVV and the magstripe," Rasch said.

He added that fraudulent sites set up to trick consumers into revealing their information—the so-called phishing sites—are still a gift card danger. "Adding CVV does nothing about phishing. In fact, it encourages phishing," he said, referring to the greater feeling of security, which could lead to consumers buying gift cards with larger cash value.