What about fraud?
As with any gift card program, consideration needs to be made for fraud. There are three main types of possible fraudulent behaviour:
- Payment fraud - using stolen credit cards to purchase gift cards
- Card testing attacks
- Gift card codes being guessed successfully, and then used
Payment fraud
This is the more obvious fraud vector for most sellers. Because you attach your own payment provider to Gift Up!, we use that provider to accept payment for the gift cards you sell, and therefore you are ultimately liable for any fraud.
It is in fact reasonably rare, but it does occur occasionally. If you feel that this is a risk for your business, we recommend that you consider one or more of the following:
- Use Stripe as your payment processor. We follow all their best practices to ensure that their "Radar fraud detection tool", built into every Stripe account, is fully operational. You can even create a Stripe Radar rule that automatically places transactions you nominate "under review", and ask Gift Up to delay processing and sending a gift card until you manually accept the transaction: Using Stripe's fraud review system with Gift Up.
- Decline all transactions that are not "3D Secured". This ensures that liability for every card transaction is shifted to the cardholder's bank, not to you.
- Opt-in for Stripe's Chargeback protection. If you do receive a chargeback, the cost to you will be zero.
- Consider setting a valid from date on your gift cards, so they cannot be used straight away, giving the actual cardholder the chance to spot the charge and issue a chargeback.
- Add a fraud protection rule to block payments that may:
  - Originate from a specific continent
  - Originate from a specific IP address
  - Have a particular email address
If you are in the EU, all our payments are PSD2 compliant, so you can rest assured that every transaction is covered by the new regulation known as SCA (Strong Customer Authentication). This means every transaction is authorized by the cardholder, so fraud will be very low indeed, and liability will probably be shifted as well.
Card testing attacks
Sometimes fraudsters use a publicly available checkout system to test which cards are still working by placing a transaction and attempting to pay with a card, then repeating this for all the cards they have on file. Stripe talks about this here: https://stripe.com/docs/card-testing.
Your Gift Up checkout is constantly monitored for potential card testing attacks, and if we detect a potential attack we automatically enable a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). This is a type of security measure known as challenge-response authentication: it helps protect you from spam and automated abuse by asking the buyer to complete a simple test that proves they are human and not a script testing card details.
We offer two different systems you can choose between:
1) A stricter, always visible human check using hCaptcha. They are a leading privacy-focused CAPTCHA provider, and the check is shown just before payment can be submitted:
2) A typically invisible human test using Cloudflare Turnstile. This is the Gift Up account default and it is usually invisible, but for some users, a visible challenge is presented that looks like this:
The anti-bot mode can be selected, or turned off, in your checkout settings page:
Gift card code fraud
We take the security of the data we hold very seriously and do our best in design and implementation to ensure the integrity of that data. We are, after all, holding money, not dissimilar to a bank.
To combat gift card code fraud, we have a two-pronged defence:
- We monitor unusual activity on all accounts at the database level to ensure that data intrusion does not happen, including this type of activity (an automated bot trying to discover valid gift card codes, known as an 'enumeration attack')
- We issue gift card codes that are 5 characters long, made up of letters and numbers, giving a 1 in 17,100,720 chance of guessing a code. With our rate limits on balance checking and the speed of the balance checker, it would take about 3 years to guess a code (at the very quickest), by which time the gift card will almost certainly have been used up.
We feel that this is a reasonable balance between ease of reading and typing a gift card code, and the security of it.
However, to go further, you can set a much longer code length if this feels uncomfortable to you. We support codes up to 50 characters in length, and you can change this easily in your Gift Up! dashboard.
For example, if you set your codes to be 10 characters long, it would be a 1 in 109,027,350,432,000 chance to guess it… or roughly 17 million years to guess.
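Worked example, added here and not Gift Up's own code: the two figures above are exactly the number of ordered draws without replacement from a 30-symbol alphabet (30 x 29 x 28 x 27 x 26 = 17,100,720), so the block assumes that model; the alphabet, the 0.2 guesses-per-second rate and the live-code count are constructed values, not Gift Up's actual settings. It generates a code with a cryptographic random source, computes the keyspace for any length, and turns a rate limit into years-to-guess, and it also goes beyond the page by showing how many live cards change the odds of a guess hitting any valid code.

```python
import math
import secrets

# Assumption (not stated on the page): codes are drawn from a 30-symbol
# alphabet with no symbol repeated inside one code. That model reproduces
# the page's figures: 30*29*28*27*26 = 17,100,720 for 5 characters and
# 109,027,350,432,000 for 10. The alphabet itself is constructed; confusable
# characters (I, O, 0, 1, 5, 8) are left out purely for readability.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ234679"
assert len(set(ALPHABET)) == 30

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Distinct codes of `length` symbols without repeats: n! / (n - length)!"""
    if not 1 <= length <= alphabet_size:
        raise ValueError("length must be between 1 and the alphabet size")
    return math.perm(alphabet_size, length)


def generate_code(length: int = 5) -> str:
    """Draw one code uniformly from the keyspace using the OS CSPRNG.
    `secrets`, not `random`: earlier codes must reveal nothing about later ones."""
    keyspace(length)  # validates the requested length
    pool = list(ALPHABET)
    return "".join(pool.pop(secrets.randbelow(len(pool))) for _ in range(length))


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Years needed to try every code when a rate limit caps the guess rate."""
    return keyspace(length) / guesses_per_second / SECONDS_PER_YEAR


def expected_years_to_first_hit(length: int, guesses_per_second: float,
                                live_codes: int) -> float:
    """Expected years until a guess matches *any* live code. Each guess hits
    with probability live_codes / keyspace, so on average keyspace / live_codes
    guesses are needed; many live cards shorten the single-code figure."""
    return years_to_exhaust(length, guesses_per_second) / live_codes


if __name__ == "__main__":
    rate = 0.2  # constructed: one balance check every 5 seconds, not the real limit
    for n in (5, 10):
        print(f"{n} chars: keyspace={keyspace(n):,} "
              f"exhaust={years_to_exhaust(n, rate):,.0f} years sample={generate_code(n)}")
```

At the constructed rate of one guess every 5 seconds the 5-character keyspace takes about 2.7 years to exhaust and the 10-character one about 17 million, matching the page's figures.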