Knowledge Base Best Practices

E-Commerce Balance Inquiry

Hosting a balance inquiry feature on your website may seem like a quick and easy way to provide information to your customers on their gift card balances, but it may also open your website to unanticipated malicious attacks. Allowing unchecked requests against your website in any form opens the door to brute-force attacks that, if left unaddressed, can cause significant problems for your website and your customers.

To stay ahead of any attacks, TSYS has implemented monitoring and alerts that trigger if a suspicious number of failed balance inquiries is presented to us within a set period of time. We can then take corrective action depending on the type of suspected access (e.g. locking out an account or contacting the merchant).

Consider your need for a balance inquiry
Instead of offering a balance inquiry on your website, consider implementing a simple sale function that will redeem any available funds on the card. This ensures that your customers will be able to redeem their gift cards during a sale while protecting you from the vulnerabilities an open balance inquiry presents.

Best practices when implementing balance inquiry
If you decide that a balance inquiry is required for your website, we recommend the following best practices to mitigate any malicious behavior:
  • Implement rate limiting and/or throttling on the balance inquiry request page.
  • Require the user to complete a CAPTCHA alongside the balance inquiry to slow attackers down.
  • Place the balance inquiry behind a login form, so that you can lock out abusive accounts if necessary.
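As an added illustration (example code, not TSYS's own), the following sliding-window guard shows how the first recommendation and the failed-inquiry monitoring described above can be combined on the merchant side: each client is limited to a fixed number of inquiries per window, and a burst of inquiries against card numbers that do not exist raises an alert and locks that client out. Class and parameter names, thresholds and the client identifier are hypothetical choices, not values from the article.

```python
import time
from collections import defaultdict, deque


class BalanceInquiryGuard:
    """Per-client throttle and failed-inquiry alarm for a balance inquiry page.

    Two independent limits (all thresholds are illustrative defaults):
      - max_requests per window: plain rate limiting of the inquiry endpoint.
      - max_failures per window: inquiries against card numbers that matched
        no card; reaching this count records an alert and locks the client out.
    The client_id would typically be a session or login identifier.
    """

    def __init__(self, max_requests=5, max_failures=3,
                 window_seconds=60, lockout_seconds=900):
        self.max_requests = max_requests
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._requests = defaultdict(deque)   # client_id -> request timestamps
        self._failures = defaultdict(deque)   # client_id -> failed-inquiry timestamps
        self._locked_until = {}               # client_id -> unlock time
        self.alerts = []                      # (client_id, timestamp) for review

    def _prune(self, dq, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def allow(self, client_id, now=None):
        """Return True if this inquiry may be forwarded to the processor."""
        now = time.time() if now is None else now
        if self._locked_until.get(client_id, 0) > now:
            return False
        dq = self._requests[client_id]
        self._prune(dq, now)
        if len(dq) >= self.max_requests:
            return False
        dq.append(now)
        return True

    def record_result(self, client_id, found, now=None):
        """Call after the processor answers; found=False means no such card."""
        now = time.time() if now is None else now
        if found:
            return
        dq = self._failures[client_id]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) >= self.max_failures:
            self._locked_until[client_id] = now + self.lockout
            self.alerts.append((client_id, now))
```

The `now` parameter exists so the behaviour can be exercised deterministically; in production it is left at its default.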