Request for Pitch: Fraud-free Digital Gift Code Delivery

The team at CL finds problems we know need solving, but we have no idea how to solve them. We publish our thoughts on these problems as a Request for Pitch, soliciting conversation and/or pitch decks related to the issue. If you think you have the answer we’re looking for, head to and select “Submit a Pitch.” We look forward to hearing from you.

No matter your role in e-commerce, fraud is a huge problem. Vendors deal with a deluge of fraudulent transaction attempts each day. Banks and payment gateways work to protect their respective customers in the event of lost or stolen credit cards. Even delivery services deal with fraud: stolen packages, packages misreported as not received, and false insurance claims.

In the end, it’s the end-user who suffers most with less-than-great user-experiences and higher prices.


As an e-commerce entrepreneur, fraud management has become part of my daily routine — I’ve had more than a few up-close looks at how this goes. Early last year, I wrote Your Bank Tried to Kill My Company, which detailed a Chinese carding attack on my company that cost us $60,000.

Like I said: yuck.

Lots of lessons along the way, none bigger than this: digital gift codes are the #1 target for these carding attacks.

Here’s how it goes down: first, an individual (or group, herein referred to as a “carder”) acquires a pile of credit cards from unsuspecting victims. These often come from big data breaches you read about. Sometimes, the carder receives a file with a 16-digit credit card number, the expiration date, CCV, and full address. Other times, some of that information is missing. This is an important detail we’ll circle back to.

Armed with a pile of credit card numbers, the carder looks for an e-commerce channel or store to hit up. Operating online is (obviously) a lower-risk proposition than committing fraud in-store— they can execute from thousands of miles away, there are no chip readers, and no security cameras. Generally, you can execute an e-commerce transaction without leaving fingerprints.

Along those same lines, physical items carry added risk. If a carder buys ten televisions, there are challenges — how does a carder receive them, trace-free? How does a carder transport and then sell ten televisions? Tough thing to figure out.

Know what isn’t tough? Digital gift codes.

Digital gift codes are the ideal candidate for a carder. They’re lightweight, easily transferrable, and most importantly, there’s often a large secondary market and high re-sale value.

A carder finds an e-commerce outlet offering digital gift codes, purchases the codes with a stolen credit card number, receives the codes at a burner e-mail address, and flips them on eBay/Craigslist/whatever for quick cash.

The original credit card owner (whether in minutes or weeks) sees the transaction, calls their bank, reports the transaction as fraudulent, and files a chargeback. In most cases, the bank will credit their money back and the bank is tasked with getting to the bottom of the matter with the vendor.

Weeks later, the vendor receives a notice through their payment gateway: order X was reported as fraudulent. The payment gateway asks for more information about the transaction, like whether it was delivered and if there are records to prove it.

Here’s the rub: once the vendor provides the requested information, it’s up to the payment gateway and bank to figure out who is at fault. The bank (who, remember, represents the customer) is the judge, jury, and executioner. 99% of the time, the bank wins.

Even in a transaction where the vendor did nothing wrong — it received and filled an order, often with no signs there’s something amiss — they’re left eating the cost of the item (and a chargeback fee) while the carder earned a profit, the original credit card owner gets their money back, and the bank lost nothing but a few minutes of time pretending to go through the motions of a chargeback investigation.

Did I say yuck yet? Yuck.

It’s easy to lean back and point fingers. I’ve done it plenty of times. Surely some responsibility lies in the hands of the payment processor or bank, right? I’ve seen carding attacks where a payment processor allowed a single card to be used for twenty identical transactions in a row at what would be 3:30 AM local time (for the card owner), without verifying the CCV (code on the back of the card) or billing ZIP code. Seems like an easy control point to tighten.

Instead, we’re stuck with makeshift solutions: time-consuming manual verifications of orders between the vendor and wholesaler, delivery delays (to give the original card holder time to contest the charge before the delivery is made), and the like.


We’ve got more thoughts and plenty of stories but we’ve made our point.

This is a problem for everyone who transacts on the internet — vendors, banks, payment gateways, and users.

Do you know how to solve it? We’d like to help.

Submit your pitch at

Andrew J. Chapin is the Founder & Director of Chapin Labs, a San Francisco-based startup foundry. You can find him on Twitter: @andrewjchapin.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store