
quesera, last Thursday at 6:26 PM

There's some truth to the incentives angle.

The program manager is responsible for retail placement and packaging. Their share of the revenue is small, but their liability for fraud is high.

Retailers (POS card sellers, e.g. Safeway, as opposed to the card-branded merchant, e.g. Apple) bear zero risk for fraud. Safeway can't police card validity -- if a customer brings the card to the cashier, they will scan it and the POS will attempt to activate it according to the program manager's backend rules. If it's a new unactivated card, it will get activated. The PM knows which serial numbers were distributed to each retailer, so they will not activate a card at a different retailer (and in some cases, a different location of the same retailer).

Moving the 100+ square feet of unactivated card displays to a retail cashier would destroy sales and impose a burden on retail staff that many can't handle, and none are incentivized to create a process for handling.

FWIW, program managers have gone through a few rounds of tamper-proof packaging upgrades. Obviously, their work is not done. But it is legitimately difficult to mass produce a tamper-proof package that is also consumer-friendly and not exorbitantly expensive.

If cost of packaging were no issue, or if customer friction could be disregarded, then the problem becomes more soluble. But we do not live in that world. And, in the extreme case, the criminals could just produce identical packaging including holograms etc. This is obviously within their capabilities, and if the cost of packaging can be absorbed in the multi-party legitimate sale chain, it will also be low enough for a counterfeiter.

...

More importantly, I agree that _some_ regulation or law should prevent Apple|Google|Amazon|etc from parlaying a minor financial dispute into total lockdown of customer data! But the approach for that is not to inject the requirement into the problem of closed loop prepaid debit card management.

I think this is the only interesting problem here. The card management stuff is well-known and evolving, but also mature and ultimately just some accounting math of risk against cost.

Screwing up a customer's digital life should not be a consequence of the imperfect-by-design card management schemes. FinCEN should regulate the latter. CFPB should regulate the former. The agency doesn't matter of course, but those two groups have very different mandates, and right now merchants are letting the stronger FinCEN regulations dictate their consumer policies in ways they should not.