What about fraud?
As with any gift card program consideration needs to be made for fraud. There are two main types of possible fraudulent behaviour:
- Gift card codes being guessed successfully, and then used
- Payment fraud (i.e. stolen credit card details)
Gift card code fraud
We take the security of the data we hold very seriously and do our best in design and implementation to ensure the integrity of the data. We are, after all, holding money not dissimilar to a bank.
To combat gift card fraud, we have a two-pronged defence:
- We monitor unusual activity on all accounts at a database level to ensure that data intrusion does not happen, including this type of activity (where an automated bot tried to discover valid gift card codes, called an 'enumeration attack')
- We issue gift card codes that are 5 characters long made up of letters and numbers, giving rise to a 1 in 17,100,720 chance of guessing a code. With our rate limits on balance checking and speed of the balance checker, it would take about 3 years to guess a code (at the very quickest), by which time the gift card will almost certainly have been used up.
However, to go further, you can in fact set a much longer code length if this feels uncomfortable to you. We support codes up to 50 characters in length and you can change this easily in your Gift Up! dashboard: https://help.giftupapp.com/article/118-changing-the-format-of-the-codes-generated-on-your-gift-cards
For example, if you set your codes to be 10 characters long, it would be a 1 in 109,027,350,432,000 chance to guess it... or roughly 17 million years to guess.
This is the more obvious fraud vector for most sellers. Because you attach your own payment provider to Gift Up!, that means we use your payment provider to accept payment for the gift cards you sell and therefore you are ultimately liable for any fraud.
It is in fact reasonably rare, but it does occur occasionally. If you feel that this is a risk for your business we recommend that you consider doing one or more of the following:
- Use Stripe as your payment processor, we follow all their best practice to ensure that their "Radar fraud detection tool" built into every Stripe account is fully operational
- Decline all transactions that are not "3D Secured", this ensures that all card transactions are liability shifter to the cardholder's bank, not you
- Opt-in for Stripe's Chargeback protection. If you do receive a chargeback, the cost to you will be zero.
If you are in the EU, then as all our payments are PSD2 compliant, you can rest assured that all transactions will be covered by the new regulation known as SCA meaning all transactions will be authorized by the cardholder, meaning fraud will be very low indeed, and probably liability shifted as well.