
Quick answer: gift card apps may use BVN or NIN to confirm identity, match a withdrawal account, reduce impersonation and duplicate accounts, apply transaction limits, and support anti-fraud or compliance controls. The request is not automatically legitimate: verify the operator, read the privacy notice, and submit identity data only inside the official encrypted app or website.
What KYC is trying to establish
| Control | Why a platform uses it | What it cannot guarantee |
|---|---|---|
| Identity match | Connect the account to a real person and matching bank details | That every card submitted is valid or lawfully owned |
| Duplicate-account control | Reduce repeated abuse under many email addresses | That no attacker can take over a verified account |
| Transaction monitoring | Investigate unusual value, frequency, or card patterns | That legitimate users will never face manual review |
| Complaint trail | Link orders, wallet movement, and support to one customer | That a dispute will always be resolved in the user’s favour |
| Withdrawal matching | Reduce third-party payment and beneficiary risk | That bank networks will settle every transfer instantly |
BVN, NIN, and app passwords are not the same
BVN is an identity reference used across the Nigerian banking system; NIN is a national identity number. Neither is your bank PIN, app password, card PIN, or OTP. A platform that knows your BVN should not need your internet-banking password or one-time transaction code.
Prestmit’s current KYC help states that Nigerian users verify with BVN and that the account name must match. Cardtonic’s current help and privacy pages describe BVN and other identity elements for verification tiers. These are platform-published procedures, not a blanket instruction to give BVN to anyone claiming to represent them.

Why Nigerian financial controls matter
CBN customer-due-diligence guidance requires regulated financial institutions to identify and verify customers, understand relevant activity, and monitor risk. A gift card company may also rely on regulated payment providers whose account and wallet controls affect the user experience. The precise legal role of each app depends on its service and partners; marketing itself as “compliant” is not enough evidence.
Run a privacy check before KYC
- Type the official domain and follow its verified app-store link.
- Identify the legal operator and check it independently, including at CAC where relevant.
- Read what data is collected, why, who receives it, how long it is retained, and how to correct or delete it.
- Check whether the privacy policy names a contact and the applicable Nigerian data-protection rights.
- Ask support inside the authenticated app when the requested document exceeds the published policy.
- Stop if the flow moves to a personal account, form on an unrelated domain, or remote-support session.
Data-minimisation questions
Nigeria’s data-protection framework includes principles around lawful, fair, transparent, and limited processing. Ask whether the app needs a full document image, only a verification response, a selfie, or proof of address for your account tier. More data is not automatically better security.
Redact unrelated information only when the official process permits it. Do not alter identity fields or submit someone else’s BVN/NIN to bypass a mismatch.
When verification fails
- Check that your legal name and date of birth match the identity record.
- Correct the app profile through official support rather than opening duplicate accounts.
- Use clear, current documents in the permitted format.
- Do not pay a third party to “upgrade” or rent a verified account.
- Ask for the specific failed field and a ticket reference without demanding exposure of anti-fraud logic.
If your identity data may have been exposed
Change account and email passwords, revoke unknown sessions, notify the real platform through official support, and watch for unfamiliar verification or bank activity. Preserve the phishing page, message, and submission time for a cybercrime report. Do not send more identity documents to a person claiming they can delete the first upload.
What KYC does not prove
A verified badge does not prove that the account holder will send a valid gift card or that a social-media buyer is safe. Likewise, an app collecting BVN is not automatically legitimate. KYC is one control inside a broader system of identity, code custody, transaction monitoring, support, withdrawal security, and privacy governance.
BVN and NIN FAQ
Can a gift card app withdraw money with my BVN alone?
BVN is not a bank password or transaction authorisation. Still, protect it as sensitive identity data and report any suspicious account activity.
Should I send BVN to support on WhatsApp?
No. Complete verification only through the official authenticated flow unless the verified privacy and support process clearly provides another secure route.