So, you’ve been asked to implement single-use vouchers in the system. Sounds easy, doesn’t it? Before going straight to implementation, check out these tips; they might save you several hours you would otherwise spend on voucher maintenance and on issues coming at you from frustrated customers. Oh, and we have a small gift for you.
Let’s start with the most obvious point: you clearly don’t want your voucher codes to be easy to guess. The key to hard-to-guess coupon codes is a large space of possible codes of which only a tiny fraction are actually valid, filled from a cryptographically secure random source (not a seeded general-purpose PRNG, whose output can be reconstructed from a few observed codes). Let's take 8-character strings as an example:
charset = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ (62 characters: 10 digits plus 26 lower-case and 26 upper-case letters)
In this case there are 62^8 = 218,340,105,584,896 (about 2.2 × 10^14) possible codes. If you issue a billion of them, the probability that a single random guess hits a valid code is 10^9 / 62^8 ≈ 0.0000046, i.e. fewer than 5 in a million.
Caution: even a huge code space does not, by itself, stop an attacker from brute-forcing the redemption endpoint, trying codes until one is accepted; the redemption API also has to rate-limit and lock out repeated failed attempts. Learn how Voucherify prevents this as well.
Once your codes are un-guessable, think about the customer experience. Keep in mind there is a trade-off between code security (particularly length) and ease of use for the end user; how to balance the two in your business reality is your call. There are, however, a few general tips that cut down on customer complaints without a substantial security trade-off or much development effort:
Don’t make it too long - Usually an 8-12 character string is un-guessable and unique enough.
Avoid ambiguous characters - It’s hard to tell O from 0 in a random string, and I (upper-case i) versus l (lower-case L) is even trickier. We all know the frustration of retrying combinations over and over, so prevent it before it hits your customer service team: simply exclude those characters from the charset.
Cut the code into a few short groups, e.g. ABCD-1234-XYZ - It’s a subtle change, but it makes the code easier to read and type at checkout, which adds to the overall buying experience and customer satisfaction.
It’s often the case that you run several voucher campaigns at the same time. Once they’re finished, the marketing team asks you for performance reports: how many vouchers were redeemed, how many redemptions failed, how many new customers were acquired, and so on. To keep campaigns separate and make later analysis easier, it’s reasonable to give your codes a campaign-specific prefix or suffix from the very first campaign, e.g. XMAS-ABCD-1234.
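As an added example (not code from the original post or from Voucherify), here is a small Python generator that puts the tips above together: the code-space arithmetic, a charset with the look-alike characters removed, hyphenated groups, a campaign prefix, and the OS CSPRNG as the randomness source. The AMBIGUOUS set, the function names and the 8-character default are this example's own choices, not a standard.

```python
import math
import re
import secrets
import string

# Full alphanumeric charset (62 characters) and the look-alikes to drop from it.
# The AMBIGUOUS set is this example's choice, not a fixed standard.
ALNUM = string.digits + string.ascii_letters
AMBIGUOUS = set("0O1Il")
CHARSET = "".join(c for c in ALNUM if c not in AMBIGUOUS)  # 57 characters


def code_space(length: int, charset_size: int) -> int:
    """Number of possible codes of the given length over the charset."""
    return charset_size ** length


def guess_probability(issued: int, length: int, charset_size: int) -> float:
    """Chance that a single random guess is a valid code when `issued` codes exist."""
    return issued / code_space(length, charset_size)


def entropy_bits(length: int, charset_size: int) -> float:
    """Guessing entropy of one code: log2 of the code space."""
    return length * math.log2(charset_size)


def random_body(length: int, charset: str = CHARSET) -> str:
    """Code body drawn from the OS CSPRNG. `secrets.choice` is deliberate:
    `random.choice` is driven by a reproducible Mersenne Twister, so codes made
    with it can be predicted by anyone who recovers its state from observed codes."""
    return "".join(secrets.choice(charset) for _ in range(length))


def group(body: str, size: int = 4, sep: str = "-") -> str:
    """Split 'ABCD1234XYZ' into 'ABCD-1234-XYZ' for easier typing at checkout."""
    return sep.join(body[i:i + size] for i in range(0, len(body), size))


def generate_code(prefix: str = "", length: int = 8, group_size: int = 4,
                  charset: str = CHARSET) -> str:
    """One voucher code, optionally tagged with a campaign prefix such as 'XMAS'."""
    body = group(random_body(length, charset), group_size)
    return f"{prefix}-{body}" if prefix else body


def generate_batch(count: int, prefix: str = "", length: int = 8) -> set[str]:
    """Issue `count` distinct codes. Collisions are rare but possible, so retry
    instead of silently handing two customers the same voucher."""
    codes: set[str] = set()
    while len(codes) < count:
        codes.add(generate_code(prefix, length))
    return codes


def normalize(typed: str) -> str:
    """Redemption-side cleanup: drop separators and whitespace the customer may have
    added or omitted, so 'XMAS ABCD1234' and 'XMAS-ABCD-1234' look up the same record.
    Case is preserved because the charset is case-sensitive."""
    return re.sub(r"[\s\-]", "", typed)


if __name__ == "__main__":
    print(f"{len(CHARSET)} usable characters after removing {sorted(AMBIGUOUS)}")
    for size in (62, len(CHARSET)):
        p = guess_probability(10**9, 8, size)
        print(f"charset {size}, length 8: {entropy_bits(8, size):.1f} bits, "
              f"P(guess valid | 1e9 issued) = {p:.2e}")
    print(generate_code("XMAS"))
```

Removing the five look-alikes shrinks the 8-character space from 62^8 to 57^8, which still leaves roughly 46 bits of guessing entropy; the loss is negligible next to what rate-limiting the redemption endpoint buys you, and it removes a whole class of support tickets.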