3 steps to protect retail gift cards from attack
How retailers can prevent gift card theft
Retailers that sell gift cards know that gift card theft comes in many shapes and sizes. Whether it’s hacking e-codes or cloning cards, stealing gift card numbers and data has proven lucrative for calculating criminals. Moreover, these thefts are on the rise, especially via cyberattack. Companies that create, distribute, sell or broker gift cards are increasingly targeted.
The perfect target
Gift cards present an enticing target for a variety of reasons. They are essentially cash, yet their security is notoriously weaker because their activity is not monitored closely. For instance, if the cards are unbranded (i.e., not associated with Visa or MasterCard), there are no requirements or regulations that mandate the protection of these cards. This leaves companies without the primary reason many organizations adopt a security program. Secondly, there is a huge market for the resale of gift cards, so once the cards have been stolen or hacked, it’s easy for criminals to offload them to unknowing consumers. Furthermore, it’s extremely difficult to trace stolen cards back to the original thieves, so law enforcement cannot pursue these crimes as effectively as credit card crime. Unfortunately, these combined factors create the perfect environment for gift card theft.
Through our work with retail clients and contacts over the past year, our RSM consultants have noticed an increase in gift card breaches nationwide. Some of the trends and incidents we’ve observed include the following:
- Breaches are not just aimed at obtaining credit card data or personal information. Hackers target gift card numbers as well. These hackers target gift card fulfillers as well as retailers who sell their own gift cards. If these organizations store loaded gift card numbers anywhere (whether in electronic form or the actual plastic cards), you can bet that thieves will try to break in. In fact, one of our clients works with a hosting provider who was recently breached. The hosting provider confirmed that the hackers targeted gift card organizations in the hopes of finding gift card numbers.
- In another incident we investigated, hackers breached a retailer (specifically targeting the gift card department) and used that access to launch phishing attacks against one of the retailer’s gift card fulfillment partners. These attacks were intended to convince the gift card partner to activate various gift cards for significant amounts. This way, the hackers did not need to directly obtain the gift cards themselves; they simply needed to wait until a well-meaning employee gave them the codes they wanted.
- We’ve also seen a trend of attackers using stolen credit card numbers to purchase gift cards, which can then be resold for cash. Eurocard, MasterCard and Visa (EMV) rules hold retailers, not banks, liable for losses incurred from credit card fraud if the retailer does not utilize EMV technology. While the thieves pocket the cash, the retailers pay the price.
Call to action: Assess and revise
Clearly, retail organizations that handle gift cards face significant risks regarding gift card breaches. Below are key steps you can take to mitigate threats and guard against this kind of abuse.
As with any risk, retailers need to determine what level they can accept and what kind of risk they need to mitigate; however, you can’t make this determination if you do not understand this risk and its impact. The amount of risk your organization holds will depend on a number of factors, such as if and how gift card numbers are stored, processed and transmitted. Determine whether security has been integrated into business processes. Clients and vendors can also introduce risk into your environment, so review these professional relationships to determine whether they are handling gift card data properly and who is liable if a breach occurs. Having a clear picture of the type and severity of risk in your environment can allow you to develop a more cost-effective plan for protecting data and preventing an attack.
Don’t make it easy for thieves by emailing gift card codes. Any attacker who could access email accounts could then also easily get these codes. Examine the procedures your organization uses to handle gift card data to ensure this data is protected at every step. Additionally, train all users on security awareness to prevent the successful use of phishing as a means of accessing gift card data. This may involve rethinking and overhauling processes that have become engrained in the company, but doing so could save your organization a major headache in the long run.
In addition to looking at organizational procedures, assess your systems for technical vulnerabilities. Web applications and web services are common attack surfaces. Since these applications and services handle gift card data, any security flaws could result in major breaches. Sound technical controls should be in place across your network, and all systems should be properly hardened to protect information. Additionally, review network segmentation to keep sensitive gift card data separate from the rest of your network. This will ensure that access to one area of the network does not automatically provide access to other areas.
Manage third-party risk
Retailers often outsource gift card fulfillment to third parties. While they are outsourcing the process, they are not outsourcing the reputational and legal risks associated with protecting the gift card data and personal data of their customers. Retailers should understand the risks associated with those third parties, design security requirements with which those third parties must comply, assess those third parties on a regular basis, and ensure proper contractual language and indemnifications.
With these basic steps, your organization can be better prepared to prevent and respond to an attack against gift card data.