It’s the regulators’ own holiday tradition: warning consumers about bogus deals and various holiday shopping scams. One scam making the news is “gift card draining,” which the California Attorney General describes as follows: “a scam in which bad actors record pin numbers and other information from unpurchased gift cards. Once those cards are purchased by unsuspecting consumers, and money is loaded into the card, the scammer immediately uses the numbers to make purchases, leaving buyers with worthless gift cards.”  According to ProPublica, this scam escalated dramatically during the pandemic due to organized crime rings, and has continued unabated, resulting in consumer losses in the billions.  Talk about Scrooge! 

As a result, one state has already passed legislation requiring gift card sellers to put more security measures in place for retail sales of gift cards. Although Maryland’s Gift Card Scams Prevention Act of 2024 will not prevent gift card draining this holiday season since the law doesn’t go into effect until next year, it will require sellers to start getting an action plan in place.  And what will that action plan have to include? A LOT.

First, the Act distinguishes between “open-loop” gift cards, cards branded with a payment card network, like Visa or Amex, that can be used at any merchant that accepts them, and “closed-loop” gift cards, which are usable only with a specific retailer, like Target. For both types of cards, sellers must post a conspicuous notice, substantially in the form of the to-be-published model notice, both in-store and online, that warns consumers of gift card scams; instructs them on what to do if they’re victims of gift card fraud; and advises consumers that gift cards cannot be used to pay debt. 

In addition, gift card sellers, of both types of cards, must also create packaging that both conceals or covers the activation codes and that also includes the warning “Do not sell or purchase if packaging has been broken or indicates tampering.”  Open-loop cards must be sealed in tamper-evident packaging and the packaging for closed-loop cards must conceal or cover the activation code in a manner that is tamper-evident. A merchant can sell a gift card that is not in secure packaging only if the gift card is a chip-enabled, numberless card that is activated by a consumer after registering the card on the card issuer’s website; or the gift card is (1) exclusively sold by a merchant for use only at the retail establishment of the merchant (or a group of affiliated merchants) and it is (2) secured in a physical location within the merchant’s retail establishment that is accessible only by an employee of the merchant.  

In addition, for sales of either type of card in a retail establishment, if the cards are displayed for sale, the merchant must train those employees whose duties include selling the cards to consumers how to identify and respond to gift card fraud.

Third party gift card resellers (defined as merchants who, without authorization from, or affiliation with, the gift card issuer, are engaged in the business of (1) buying open- or closed-loop gift cards on behalf of consumers or (2) reselling open- or closed-loop gift cards to consumers) are subject to extensive record keeping requirements: they must record and maintain in a secure database, for at least three years, a description of each purchased gift card, including the date of the transaction, the name and identification of the person who conducted the transaction, the specific amount issued on the gift card and its number, the consumer’s driver’s license number or other identification and signature, and more. The information recorded pursuant to these requirements must be open to inspection by any duly authorized law enforcement officer. (Not addressed in this law, but I’m wondering what the impact could be on a seller’s escheat obligations since apparently no gift card purchase from a “third party gift card reseller” can be made anonymously.)

Violation of the law is an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA), generally subject to MCPA’s civil and criminal penalty provisions. However, a violator is not subject to specified MCPA penalty provisions related to private causes of actions for damages. The law generally takes effect June 1, 2025; however, provisions that apply to closed-loop gift cards take effect October 1, 2025. 

Although this law is limited to gift card sales in Maryland, it seems likely that it will have a much wider impact. Gift card sellers are not likely to create packaging for just one state. Also, other states are likely to follow suit.  Indeed, New York’s SB 9900, the New York Gift Certificate Scam Prevention Act, which (among other things) also requires security measures for in-store sales of gift cards, is wending its way through committee.  Other states have introduced similar legislation.  In the meantime, consumers – and merchants – will have to deal with rampant gift card draining.