Your math is wrong.
The merchant wants you to use the card, in all cases, always. Because statistically, you are likely to spend 30-40% more than the card face value, when you do.
The unused portion of the card sits on the merchant's balance sheet as a liability, for years, until they decide to recognize it as revenue ("breakage"). They prefer this over NOT selling a GC, of course, and some merchants (e.g. Starbucks, high volume, low ticket) make a ton of money on breakage. But in all cases, merchants greatly prefer their cards to be used.
You're also wrong about how the fraud works. Usually, the card is not purchased but sniffed prior to legitimate sale. The mechanisms for this vary, but a common method is to literally pull armloads of cards off of display shelves, open and repackage the carriers, then surreptitiously return to shelves for legitimate sale. This is purportedly the process for large organized crime rings based in Asia, mostly China.
And you're wrong about how easy it would be to fix. Packaging costs money, retailers have to be on board for activation, this has to be integrated into POS systems, and it all has to be very easy for consumers.
This is a hard problem at scale, and smart and motivated people on the merchant side, the program manager side, the bank side, and the law enforcement side, would love a simple solution.
...
What is not a hard problem, though, is that Apple should separate "AML investigation in process" from the user's ability to access their own data. This would turn a very large problem (for all involved) into an annoying inconvenience (for the customer).
Packaging costs money. Gift cards make money. Easy fix.
Stopping the theft you describe is very easy. Don't have actual gift cards just sitting around. Require customers to get them from the cashier at the time of purchase. Have dummy cards on display if you want them to have something to hold, or make them ask.
Of course these solutions aren't free. Adding friction to the purchase process will reduce sales. Retails have clearly concluded, I assume correctly, that it's not worth the cost. Nothing wrong with that.
Don't confuse something being difficult to fix with something not being worth the cost of fixing. We can put a solid upper limit on the impact of fraud by looking at what it would cost to stop it, and conclude that the impact of this sniffing fraud is less than the impact of having cashiers exchange dummy cards for real ones at the time of purchase.
Note that this isn't a "this is easy, they must be idiots not to do this" sort of thing. The current approach is probably the smartest one, given how things currently work. If the incentives changed to make retailers bear more of the cost of fraud (say, legally putting the burden of proof on the retailer to show the card was used legitimately, otherwise they have to refund it if the customer alleges fraud), things would change quickly.
There's some truth to the incentives angle.
The program manager is responsible for retail placement and packaging. Their share of the revenue is small, but their liability for fraud is high.
Retailers (POS card sellers e.g. Safeway, as opposed to the card-branded merchant e.g. Apple), bear zero risk for fraud. Safeway can't police card validity -- if a customer brings the card to the cashier, they will scan it and the POS will attempt to activate it according to the program manager's backend rules. If it's a new unactivated card, it will get activated. The PM knows which serial numbers were distributed to each retailer, so they will not activate a card at a different retailer (and in some cases, a different location of the same retailer).
Moving the 100+ square feet of unactivated card displays to a retail cashier would destroy sales and impose a burden on retail staff that many can't handle, and none are incentivized to create a process for handling.
FWIW, program managers have gone through a few rounds of tamper-proof packaging upgrades. Obviously, their work is not done. But it is legitimately difficult to mass produce a tamper-proof package that is also consumer-friendly and not exorbitantly expensive.
If cost of packaging were no issue, or if customer friction could be disregarded, then the problem becomes more soluble. But we do not live in that world. And, in the extreme case, the criminals could just produce identical packaging including holograms etc. This is obviously within their capabilities, and if the cost of packaging can be absorbed in the multi-party legitimate sale chain, it will also be low enough for a counterfeiter.
...
More importantly, I agree that _some_ regulation or law should prevent Apple|Google|Amazon|etc from parlaying a minor financial dispute into total lockdown of customer data! But the approach for that is not to inject the requirement into the problem of closed loop prepaid debit card management.
I think this is the only interesting problem here. The card management stuff is well-known and evolving, but also mature and ultimately just some accounting math of risk against cost.
Screwing up a customer's digital life should not be a consequence of the imperfect-by-design card management schemes. FinCEN should regulate the latter. CFPB should regulate the former. The agency doesn't matter of course, but those two groups have very different mandates, and right now merchants are letting the stronger FinCEN regulations dictate their consumer policies in ways they should not.