Gift Card/Debit Card Activation

Question

General Problem

How do retail establishments constrain activation for gift cards, or those pre-paid phone/debit cards?

They must have a system in place that only keeps you from calling in to activate cards that haven't scanned through the register, and I assume there must be a standard solution built into the retail ERP/accounting systems. It probably involves web services or EDI.

Specific Problem

I ask all this because one of my clients wants me to develop a product that you get into by purchasing a $30 card at a retail store. The card has a unique number on it. Once you've purchased a card and activated it via a web site, coupons for restaurants and so on are emailed to you periodically.

However, if someone were to steal a bunch of cards or figure out the numbering sequence, we don't want the cards to work.

Presumably, this is a solved problem because retailers are doing this with the products above (pre-paid phone cards, etc).

I can think of a number of ways to solve this problem, however I need to provide the "standard" solution that the retailers expect, so that the product will snap into their infrastructure in the normal way.

Thanks a lot!

Answer 1

I've worked on a few of these types of systems and they all basically work the same way. The card has a # encoded into the magnetic strip (it could also be a barcode). That's usually all that's on the card itself. Cards are then activated at time of purchase.

Here's the basic flow:

Customer comes in and purchases a card:

• The card is swiped and/or scanned.
• A call is made to an on-line system (usually via some type of webservice call). It includes the card #, the amount they are activating with, and maybe a bit of additional information (ex. invoice #), and possible something like the previous transaction #.
• If the call is successful, you get back a transaction ID #.
• If the call fails, there is usually some protocol you are supposed to follow (sometimes handled during the daily settlement process). Things like retrying the activation, or running a query to determine if the last transaction went through.
• If it was successful, the card is now active.

So basically, the card is worthless until it's activated. At that point it becomes "live" and has money associated with it. That is, back on some server somewhere is a database that has this card #, when/where it was activated, amounts, etc.

There is usually some functionality to generate an "end of day" transaction report to help you reconcile your numbers (what your system says vs what they have recorded).

Since cards are centrally managed it becomes easy for them to flag cards if they were stolen (not that it matters since they have $0 value until they have been activated).

Answer 2

I found out through other sources that there are about eight card processing services that integrate with the various retail locations.

Each retail location uses one. When a card scans through the register, the retailer notifies the card processing service (unlocking the PIN so that it can be activated), and then presumably the card processing service notifies us via an API call.

Then, when the customer goes to activate their card, we can tell which ones have scanned through the register (because they are unlocked). In this way, we get around problems surrounding stolen cards or guessed pin numbers.

The names of a few of these networks are:

• Blackhawk Networks
• InCom
• Coin Star