All in Good Time
The new mobile gift cards being promoted in the market certainly have an allure. The ability to electronically transmit gift cards that consumers can store in their smartphones has a lot of appeal to retailers and could be a way to revitalize a category whose growth has stalled in the last few years.
But the security of mobile or “virtual” gift cards remains something of a mystery because the payment system is new and the associated risks unknown. On the surface, the cards actually appear to be more secure than regular mag-stripe gift cards. The problem is that, with any new technology, unanticipated security issues can arise at any time.
“The challenge is that it is an unchartered world for security,” says Brian Riley, senior research director of bank cards for Needham, Mass.-based TowerGroup. “There is no doubt that there is high potential for growth in this market, but we won’t know what the security risks are until consumers start to use them for a while.”
With these programs, customers purchase a “virtual” card from a retailer’s website. The card is then e-mailed to the recipient’s phone and can be used immediately online or at retail locations that are equipped with special readers. In addition to storing account information, many of the programs allow consumers to use their phones to check their mobile gift card balance. Retailers that have implemented such programs include SpaFinder, Lobster Gram, FragranceNet.com, Champs Sports, Zales, NFLShop.com and Sports Authority.
Riley says that retailers intrigued by the potential of mobile gift cards should begin to explore their use cautiously. Early adopters should be retailers whose products have a relatively small ticket size ($25 or less) and who begin with limited rollout to loyal customers. That way if there is fraud, it can be detected early and the damage will be minimal.
“I don’t think retailers should suddenly blast these things out and send them to everyone who requests one,” he says. “It might be better to start with regular customers who you have a history with and know how they use your product.”
One of the earliest pilots of a mobile gift card involved gourmet ice cream shop chain Cold Stone Creamery. “A lot of the early issuers of mobile cards will be the same retailers that were first to try out contactless payment cards — industries where there is not a lot of payment fraud already,” Riley says. “Fast-food outlets and movie theaters are good places to start testing these, and the other retailers can follow.”
A mobile card is less risky than a mag-stripe card because “you know it is going to a legitimate customer,” he says. “With mag-stripe cards, anyone can buy one and you usually don’t know who” the intended recipient is.
Other payment experts believe that mobile cards are actually one of the most secure payment forms in the market — particularly if near field communication (NFC) technology is involved. NFC is wireless high-frequency communication between devices: In the case of payments, a smartphone transmits payment data to a POS terminal in an encrypted format.
“NFC is very secure, certainly more secure than existing card technology,” says Bart Narter, senior vice president of the bank group for Boston-based Celent. The encryption is nearly impossible to penetrate, he says.
Less secure, however, are mobile gift cards for which a bar code number is stored in the phone and scanned at POS. In such cases, the security of the mobile gift card is the same as with the mag-stripe card.
“It is possible to photocopy the bar code from the phone the same way you can copy information stored on a mag-stripe through skimming or other systems,” Narter says. “NFC is more secure. The data is stored in an encrypted chip in the phone and is impossible to duplicate.”
The risk with NFC? “The biggest concern I would have with [NFC] gift cards is if the phone goes missing,” says Ben Jackson, senior analyst with Maynard, Mass.-based Mercator Advisory Group.
Retailers’ need to have a way to “lock down the program” if a customer reports the phone is missing, Jackson says. But that means customers need to alert the stores to a missing phone. Additionally, the use of passwords can reduce the risk — if someone finds a phone with a virtual gift card, he would need to know the password in order to use the card.
As for decoding the encryption in the phone, Narter explains the security is in the phone’s SIM card, an extremely secure device. “If someone finds a way to duplicate the SIM card, the cell phone companies are in deep trouble — there is a lot more at stake than gift cards,” he says. They “have done everything they can to make those SIM cards bulletproof.”
NFC technology is still in its infancy, however: Few retailers have NFC readers on their terminals, and few cell phones are capable of storing the data.
“The issue is not so much security as it is the logistics of getting the technology moving,” says Narter, who estimates it might be two years before a sufficient number of NFC-capable readers and phones will be in the market.
Retailers investigating NFC-based systems should be sure prospective vendors have a good understanding of how the technology works and its security issues. Merchants should also invest in employee training about these cards, Jackson says, particularly as pertains to their proper redemption.
Despite any possible early risks, most experts think there will be strong growth in the use of mobile gift cards. “I think the growth will follow traditional gift cards,” which got off to a slow start, Riley says. “Then about three to four years ago, we saw hockey stick growth.
“This will take a little while for retailers to try out. Then once we know more about what the risks are, the growth will take off.”