General Problem

How do retail establishments constrain activation for gift cards, or those pre-paid phone/debit cards?

They must have a system in place that only keeps you from calling in to activate cards that haven't scanned through the register, and I assume there must be a standard solution built into the retail ERP/accounting systems. It probably involves web services or EDI.

Specific Problem

I ask all this because one of my clients wants me to develop a product that you get into by purchasing a $30 card at a retail store. The card has a unique number on it. Once you've purchased a card and activated it via a web site, coupons for restaurants and so on are emailed to you periodically.

However, if someone were to steal a bunch of cards or figure out the numbering sequence, we don't want the cards to work.

Presumably, this is a solved problem because retailers are doing this with the products above (pre-paid phone cards, etc).

I can think of a number of ways to solve this problem, however I need to provide the "standard" solution that the retailers expect, so that the product will snap into their infrastructure in the normal way.

Thanks a lot!

A: 

You have to be careful, I have seen this played out in retailers... a customer in front of you is asked if they have a loyalty card by the cashier. The customer says no, but the customer behind them offers their card and it gets swiped, hence collecting points for something that they did not buy...

Thus gets points at the expense of the customer in not having it thus skewing/distorting the results of the customer (the one who has a loyalty card)'s personal shopping experience and what they did not buy...on the appropriate system's database

In short, there is no foolproof way of getting around that other than asking for a retina scan or fingerprint that identifies the customer. Some customers would be cautious in joining a club in regards to their privacy...that is another thing to be kept in mind...not all of them would have a loyalty card...

Hope this helps, Best regards, Tom.

tommieb75
Thanks Tom, but my question isn't about a loyalty program. :) I will update the question to make it more clear.
Brian MacKay
@Brian MacKay: The number I guess is embossed on the card right? No way can it be picked because the next sequential number would not have been activated. You can strengthen this by requesting a verification code which only the cardholder knows about (by signing an application form) if they want to use it on-line. Actually as I typed this I realized what you meant...It's nearly like a VISA card where you punch in the PIN...which I guess is not what you're looking for...it seems to be similar to what HalfBrian suggested...sorry I cannot answer further... :(
tommieb75
A: 

I found out through other sources that there are about eight card processing services that integrate with the various retail locations.

Each retail location uses one. When a card scans through the register, the retailer notifies the card processing service (unlocking the PIN so that it can be activated), and then presumably the card processing service notifies us via an API call.

Then, when the customer goes to activate their card, we can tell which ones have scanned through the register (because they are unlocked). In this way, we get around problems surrounding stolen cards or guessed PIN numbers.

The names of a few of these networks are:

  • Blackhawk Networks
  • InCom
  • Coin Star
Brian MacKay
A: 

I believe that the most secure solution possible is to have a server that generates and prints (or exports) the card numbers. When a customer is interested in purchasing a gift card, it is scanned at the register and the register notifies the server that the card has been approved (probably with the credentials of the cashier).

Then when input on your website, the website checks with the card server to see if the card number is valid and approved.

Then, stolen cards are not approved. If someone figures out the numbering scheme, then you may be screwed so it is recommended that the numbers be random with enough digits to make guessing numbers unreasonable (perhaps with something similar to a CV2 code).

This is similar to how debit cards work: card number/CV2 generated ("server") -> shipped to customer -> customer activates via phone ("register", with the "credentials" being their SSN or similar) -> customer then uses at a store and the store contacts the card company's server

I know that Intuit Quickbooks Point of Sale offers a service like this (complete with an API), you could look them up.

HalfBrian
A: 

I like HalfBrian's solution. I'd also imagine they have certain pieces of security in mind, like a single IP address (or some other criterion) with more than some number of failed activation attempts getting flagged for apparently attempting to probe the system.

BigBeagle
+2  A: 

I've worked on a few of these types of systems and they all basically work the same way. The card has a # encoded into the magnetic strip (it could also be a barcode). That's usually all that's on the card itself. Cards are then activated at time of purchase.

Here's the basic flow:

Customer comes in and purchases a card:

  • The card is swiped and/or scanned.
  • A call is made to an on-line system (usually via some type of webservice call). It includes the card #, the amount they are activating with, and maybe a bit of additional information (ex. invoice #), and possibly something like the previous transaction #.
  • If the call is successful, you get back a transaction ID #.
  • If the call fails, there is usually some protocol you are supposed to follow (sometimes handled during the daily settlement process). Things like retrying the activation, or running a query to determine if the last transaction went through.
  • If it was successful, the card is now active.

So basically, the card is worthless until it's activated. At that point it becomes "live" and has money associated with it. That is, back on some server somewhere is a database that has this card #, when/where it was activated, amounts, etc.

There is usually some functionality to generate an "end of day" transaction report to help you reconcile your numbers (what your system says vs what they have recorded).

Since cards are centrally managed it becomes easy for them to flag cards if they were stolen (not that it matters since they have $0 value until they have been activated).

Paul Mrozowski
Hey, that's really helpful Paul. So what about situations where, say, Walmart is selling a gift card for some other company like Chili's? I assume that's where these third party processors like Blackhawk Networks come in?
Brian MacKay
I'd assume things are handled similarly - the card isn't active until checkout time. Walmart (or whoever) activates the card through those third party processors so they've only got to code to them instead of every card type. The 3rd party processor deals w/interfacing to everyone else.
Paul Mrozowski
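The activation flow from the answers above, put together as an added example that is not part of any answer or any processor's API: random card numbers, a register call that unlocks a card and can be retried safely, a website check that only accepts unlocked cards, and a cap on failed attempts per source. The class, method names, 16-digit format, threshold of 5 and sample values are assumptions.

```python
import secrets

class CardServer:
    """In-memory stand-in for the card server (hypothetical, not a processor's API)."""
    MAX_FAILS = 5  # assumed threshold for failed web activations per source
    def __init__(self):
        self.cards = {}  # card number -> {"state": ..., "txn_id": ...}
        self.fails = {}  # source (e.g. client IP) -> failed attempts

    def issue(self):
        # 16 digits from the OS CSPRNG: no sequence for an attacker to extend.
        while True:
            number = "".join(secrets.choice("0123456789") for _ in range(16))
            if number not in self.cards:
                self.cards[number] = {"state": "issued", "txn_id": None}
                return number

    def pos_activate(self, number, amount_cents, invoice):
        """Register call at checkout; a retry returns the original transaction ID."""
        card = self.cards.get(number)
        if card is None:
            return None
        if card["state"] == "issued":
            card.update(state="unlocked", amount=amount_cents,
                        invoice=invoice, txn_id=secrets.token_hex(8))
        return card["txn_id"]

    def web_activate(self, number, source):
        """Website call. Unknown, unsold and already-used numbers all get the
        same answer, so responses do not reveal which numbers exist."""
        if self.fails.get(source, 0) >= self.MAX_FAILS:
            return "throttled"
        card = self.cards.get(number)
        if card is None or card["state"] != "unlocked":
            self.fails[source] = self.fails.get(source, 0) + 1
            return "rejected"
        card["state"] = "redeemed"
        return "ok"

def demo():
    srv = CardServer()
    stolen, bought = srv.issue(), srv.issue()  # constructed sample cards
    txn = srv.pos_activate(bought, 3000, "INV-1001")
    retry = srv.pos_activate(bought, 3000, "INV-1001")
    results = [srv.web_activate(stolen, "203.0.113.7"),   # never scanned
               srv.web_activate(bought, "198.51.100.2"),  # paid for
               srv.web_activate(bought, "198.51.100.2")]  # second use
    guesses = [srv.web_activate("%016d" % n, "203.0.113.7") for n in range(6)]
    return txn == retry, results, guesses
```

A production version would persist state, authenticate the register's calls and expire the failure counters; those parts are left out here.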
+1  A: 

I had the joy of working on one of these systems right out of college. Depending on the way they handle their processing, whether end-of-day batch or weekly report, it could cause quite a lot of problems. One of the things I saw was that if the person who had the card, whether legit or not, managed to make a bunch of purchases that were < the day's starting balance but by the end of the day > the starting balance, all the purchases would go through. Not very fun when the company had to swallow upwards of 100 dollars per user a day.

In terms of security, make the company that you interface with be held responsible for purchases. That is the best way of handling this in what I have seen, because that is what they are there for. Hope that helps in some roundabout way.

Woot4Moo
+1: interesting, thanks for the thoughtful response (although fortunately we are not actually doing debits!)
Brian MacKay
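The batch-processing problem described in the last answer, as an added example that is not from the thread: the first function checks every purchase against the opening balance, the second deducts each approval before checking the next purchase. Function names and the sample amounts (in cents) are constructed for illustration.

```python
def approve_against_opening_balance(opening_cents, purchases):
    """The batch behaviour described above: every purchase is compared with
    the balance as it stood at the start of the day."""
    approved = [p for p in purchases if 0 < p <= opening_cents]
    return approved, opening_cents - sum(approved)

def approve_against_running_balance(opening_cents, purchases):
    """Each approval is deducted before the next purchase is checked."""
    balance, approved, declined = opening_cents, [], []
    for p in purchases:
        if 0 < p <= balance:
            balance -= p
            approved.append(p)
        else:
            declined.append(p)
    return approved, declined, balance

# Constructed sample: a 50.00 card and three purchases made on the same day.
OPENING, PURCHASES = 5000, [4000, 4500, 3500]

if __name__ == "__main__":
    print(approve_against_opening_balance(OPENING, PURCHASES))
    print(approve_against_running_balance(OPENING, PURCHASES))
```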