Security and Compliance

Phone Number Verification (Recommended Primary):
  Method: One-time password (OTP) via SMS
  Security Level: Medium-High
  Use Cases:
    - New account enrollment
    - Login from new device
    - Password reset
    - High-value transactions
  Implementation:
    - Generate 6-digit OTP
    - Validity: 5 minutes
    - Maximum attempts: 3
    - Rate limiting: 5 OTPs per hour per number

Email Verification:
  Method: Verification link via email
  Security Level: Medium
  Use Cases:
    - Account recovery
    - Email address confirmation
    - Secondary verification
  Implementation:
    - Unique token in email link
    - Validity: 24 hours
    - One-time use only

Password-Based Authentication:
  Security Level: Low-Medium (depends on password strength)
  Requirements:
    - Minimum 8 characters
    - Mix of letters, numbers, symbols
    - Not in common password lists
    - Cannot reuse last 5 passwords
  Enhancement:
    - Two-factor authentication (2FA) option
    - Biometric authentication (fingerprint, Face ID)

Biometric Authentication (Mobile App):
  Method: Fingerprint or facial recognition
  Security Level: High
  Use Cases:
    - Mobile app login
    - In-app redemptions
    - High-value transactions
  Implementation:
    - Device-level biometric
    - Fallback to PIN/password

MFA Triggers:
  - Tier 3+ members (high point balances)
  - Login from new device or location
  - High-value redemptions (>5,000 points)
  - Account detail changes (email, phone)
  - Password reset requests

MFA Implementation:
  Factor 1: Something you know (password, PIN)
  Factor 2: Something you have (phone for OTP, email)
  Factor 3: Something you are (biometric)

Example Flow:
  1. Member enters password (Factor 1)
  2. System sends OTP to registered phone (Factor 2)
  3. Member enters OTP within 5 minutes
  4. Access granted if both factors correct

Session Creation:
  - Unique session ID for each login
  - Cryptographically random session tokens
  - Secure cookie flags (HttpOnly, Secure, SameSite)
  - Bind session to IP address (with geo-flexibility)

Session Timeout:
  Mobile App:
    - Idle timeout: 30 minutes
    - Absolute timeout: 24 hours
    - Biometric: Extend to 7 days

  Web Browser:
    - Idle timeout: 15 minutes
    - Absolute timeout: 4 hours
    - Remember me: 30 days (lower privilege)

  In-Store Kiosk:
    - Idle timeout: 3 minutes
    - Absolute timeout: 10 minutes
    - Auto-logout on navigation away

Session Invalidation:
  - User logout: Immediate
  - Password change: All sessions invalidated
  - Email/phone change: All sessions invalidated
  - Suspicious activity: Automatic logout

Device Registration:
  - First login from device: Register and verify
  - Store device fingerprint
  - Track: OS, browser, IP, location
  - Member can view registered devices

New Device Detection:
  - Detect login from unrecognized device
  - Send alert to registered email/phone
  - Require additional verification (OTP)
  - Option to block device

Suspicious Activity:
  - Multiple failed logins: Lock account temporarily
  - Login from unusual location: Require MFA
  - Rapid device changes: Flag for review
  - Impossible travel (login from different continents within hours): Block

Earning Velocity Limits:
  - Maximum 3 transactions per member per day (configurable)
  - Maximum points earned per day: 10,000 (configurable by tier)
  - Alert if member earns 50% above normal pattern in single day
  - Flag accounts with consecutive maximum transactions

Redemption Velocity Limits:
  - Maximum 2 redemptions per day
  - Maximum redemption value: 50% of available balance per day
  - Cooling period: 24 hours between large redemptions (>5,000 points)
  - Alert if redemption pattern deviates from history

Store-Level Limits:
  - Maximum points issued per store per day (detect insider fraud)
  - Alert if store exceeds threshold by 20%
  - Flag stores with high adjustment frequency

Adjustment Approval Workflow:
  Amount < 500 points:
    - Staff member can adjust
    - Reason code required
    - Member notification
    - Audit log entry

  Amount 500-2,000 points:
    - Supervisor approval required
    - Detailed justification
    - Member verification (phone call)
    - Email notification to member

  Amount > 2,000 points:
    - Manager approval required
    - Written justification document
    - Member identity verification
    - Headquarters notification
    - Fraud team review

Adjustment Monitoring:
  - Daily report of all adjustments
  - Flag staff with high adjustment frequency
  - Alert on pattern of small adjustments (salami attack)
  - Monthly audit of adjustment rationale

Return Detection:
  - Track purchase-return cycles per member
  - Flag members with return rate >20%
  - Alert on returns without corresponding purchase in system
  - Block returns on different payment method than original

Points Reversal on Returns:
  - Automatic point deduction on confirmed return
  - Prevent negative balance (flag for review)
  - Reverse tier progression if return causes drop
  - Alert member of point adjustment

Fraud Patterns:
  - Buy-return-rebuy cycle (same items, different stores)
  - Returns at different locations than purchase
  - High-value returns without original receipt
  - Returns after tier qualification (to retain tier but get refund)

Actions:
  - Warning after 3 suspicious returns
  - Account review after 5 suspicious returns
  - Account suspension after confirmed fraud

Voucher Generation:
  - Unique cryptographic code per voucher
  - QR code with embedded security token
  - Barcode with check digit
  - Expiry date prominently displayed
  - Member ID embedded (invisible to member)

Voucher Validation:
  - Real-time validation against database
  - One-time use only
  - Check expiry date
  - Verify member account active
  - Confirm voucher not reported stolen
  - Log all validation attempts

Fraud Prevention:
  - Cannot screenshot and reuse (rotating QR with timestamp)
  - Cannot share (tied to member account)
  - Cannot forge (cryptographic verification)
  - Invalidate on first scan
  - Alert on multiple scan attempts

Redemption Validation:
  - Member must be identified before redemption
  - Real-time balance check
  - Validate redemption limits (min/max)
  - Confirm member authorized the redemption
  - Receipt must show redemption clearly

Staff Controls:
  - Cannot redeem to staff member accounts during shift
  - Manager override required for large redemptions
  - Alert on high redemption frequency by cashier
  - Random audit of redemption transactions

Offline Mode:
  - Disable redemption in offline mode (earning only)
  - Queue redemption requests for online approval
  - Alert member that redemption pending online verification

Database Encryption:
  - Full database encryption (AES-256)
  - Encrypted backups
  - Key rotation: Quarterly
  - Key management: HSM or cloud KMS

Field-Level Encryption (Sensitive Fields):
  - Phone numbers: Encrypted
  - Email addresses: Encrypted
  - Addresses: Encrypted
  - Dates of birth: Encrypted
  - Payment information: Encrypted (PCI-DSS)

Encryption Keys:
  - Separate encryption keys per environment
  - Keys stored in hardware security module
  - Access to keys strictly controlled
  - Key rotation without downtime

Transport Security:
  - TLS 1.2 or higher for all connections
  - Strong cipher suites only
  - Certificate pinning for mobile apps
  - No mixed content (HTTP/HTTPS)

API Security:
  - API authentication tokens
  - Token expiry and refresh
  - Rate limiting
  - IP whitelisting for partner APIs

Staff Role Definitions:

Cashier:
  - View member information
  - Process points earning
  - Process redemptions <500 points
  - Cannot adjust balances
  - Cannot view other stores' data

Store Manager:
  - All cashier permissions
  - Process redemptions <2,000 points
  - Adjust balances <500 points (with reason)
  - View store-level reports
  - Cannot access headquarters data

Program Administrator:
  - View all member data
  - Configure program rules
  - Generate reports across all stores
  - Adjust balances <2,000 points (with approval)
  - Cannot directly access database

System Administrator:
  - Full system access
  - Database access
  - Configuration changes
  - Must follow change management process
  - All actions logged and reviewed

Fraud Analyst:
  - View all transactions
  - View fraud alerts
  - Investigate suspicious activity
  - Recommend account actions
  - Cannot modify balances directly

Events to Log:

Authentication Events:
  - Successful login (user, time, location, device)
  - Failed login attempts
  - Password changes
  - MFA events
  - Account lockouts

Transaction Events:
  - Points earned (member, amount, location, staff)
  - Points redeemed (member, amount, location, staff)
  - Manual adjustments (staff, amount, reason, approval)
  - Tier changes
  - Account status changes

Access Events:
  - Staff accessing member data (who, when, which member)
  - Report generation (report type, parameters, user)
  - Configuration changes (what changed, who, when)
  - Export of member data

Security Events:
  - Suspicious activity detected
  - Fraud alerts triggered
  - Account lockouts
  - Permission changes

Log Retention:
  - Transaction logs: 7 years (legal requirement)
  - Security logs: 3 years
  - Access logs: 2 years
  - System logs: 1 year

Log Protection:
  - Append-only storage
  - Tamper-evident (cryptographic hash chain)
  - Separate log server
  - Regular backup
  - Restricted access (security team only)

Key Requirements:

Consent:
  - Explicit, informed consent for data collection
  - Separate consents for different purposes
  - Easy to withdraw consent
  - Record of consent maintained

Data Protection:
  - Security controls to prevent unauthorized access
  - Encryption of sensitive data
  - Access controls
  - Regular security audits

Data Retention:
  - Retain data only as long as necessary
  - Delete upon request (right to erasure)
  - Legal retention (7 years for financial records)

Data Subject Rights:
  - Right to access data
  - Right to correct data
  - Right to withdraw consent
  - Right to deletion
  Response within 21 days

Compliance Requirements:
  - Never store full card numbers (use tokens)
  - Never store CVV
  - Encrypt cardholder data
  - Maintain secure network
  - Regular vulnerability scans
  - Quarterly compliance reports

Fair Trading Act:
  - Clear terms and conditions
  - No misleading representations
  - Honor advertised benefits
  - Fair point expiry policies
  - Transparent tier qualification rules

Consumer Protection:
  - Point value clearly stated
  - Expiry warnings provided
  - No unreasonable redemption restrictions
  - Complaint handling process
  - Member dispute resolution

Points Liability Accounting:
  - Outstanding points = financial liability
  - Value points at redemption value
  - Adjust for expected breakage (unredeemed points)
  - Monthly liability calculation
  - Financial statement disclosure
  - External audit trail

Breakage Estimation:
  - Analyze historical redemption patterns
  - % of points never redeemed
  - Expiry rate
  - Industry benchmarks (20-30% typical)
  - Conservative estimates for financial reporting

Severity Levels:

Critical:
  - Data breach affecting >1,000 members
  - System compromise with data access
  - Widespread fraud affecting program integrity
  - Payment system breach
  Response: Immediate, 24/7 team activation

High:
  - Data breach affecting <1,000 members
  - Significant fraud pattern detected
  - Unauthorized access to admin functions
  - Service disruption affecting redemptions
  Response: Within 4 hours, business hours escalation

Medium:
  - Individual account compromise
  - Isolated fraud incidents
  - Data quality issues
  - Minor configuration errors
  Response: Within 24 hours, normal priority

Low:
  - Individual member complaints
  - Small point discrepancies
  - General inquiries
  Response: Within 72 hours, standard process

1. Detection and Reporting:
  - Automated alerts from fraud detection
  - Member reports of suspicious activity
  - Staff observation of anomalies
  - Security monitoring alerts

2. Initial Assessment:
  - Verify incident occurred
  - Classify severity level
  - Identify scope and impact
  - Activate response team

3. Containment:
  - Lock affected accounts
  - Disable compromised access
  - Isolate affected systems
  - Prevent further damage

4. Investigation:
  - Review audit logs
  - Identify root cause
  - Determine full extent
  - Collect evidence

5. Remediation:
  - Fix vulnerability
  - Restore affected accounts
  - Reverse fraudulent transactions
  - Update security controls

6. Communication:
  - Notify affected members
  - Regulatory notification if required
  - Internal stakeholder update
  - Public disclosure if appropriate

7. Post-Incident:
  - Document incident fully
  - Update response procedures
  - Implement preventive measures
  - Staff training on lessons learned

Notification Triggers:
  - Confirmed unauthorized access to member data
  - Suspected compromise of >100 accounts
  - Regulatory requirement (PDPA: within 72 hours)

Notification Content:
  - What happened (clear explanation)
  - What data was affected
  - What we're doing about it
  - What members should do
  - How to get help
  - Apology and commitment

Notification Channels:
  - Email to affected members
  - In-app notification
  - SMS for critical breaches
  - Public statement if widespread
  - Media notification if required

Support Resources:
  - Dedicated hotline
  - FAQ document
  - Account security review
  - Credit monitoring (if severe)

Continuous Monitoring:
  - Real-time fraud detection alerts
  - Anomaly detection on transactions
  - Failed login attempt tracking
  - Unusual redemption pattern alerts
  - Data access monitoring

Regular Testing:
  Quarterly: Penetration testing of web/app
  Bi-Annual: Fraud scenario testing
  Annual: Comprehensive security audit
  Continuous: Automated vulnerability scanning

Security Metrics:
  - Fraud incident rate (target: <0.1% of transactions)
  - Account takeover incidents (target: <0.01% of accounts)
  - Average detection time (target: <1 hour)
  - Average remediation time (target: <24 hours)
  - Member data access violations (target: zero)