In an effort to fight and prevent online fraud, many laws and technologies have been implemented over the years. This fraudulent activity puts increased responsibility on both the business doing transactions and the individual engaging in them. From a business perspective, state and local authorities require store owners and operators to verify the identity of the customer they are doing business with. This information is either stored, shared, or validated with law enforcement agencies during or after the transaction and allows these agencies to track potentially illicit activities and even capture individuals involved in them.
One industry where this identity validation is needed is the gift card reselling space. Many individuals receive gift cards from family members or stores as part of a refund that they know they will not use. Rather than wait to either use the card or perhaps let it expire with funds still on it, many people choose to visit outlets that purchase these gift cards from them. These outlets then resell the gift cards on a secondary market. In order to make certain that the gift cards they are purchasing are legitimate and not the result of fraudulent activities, these outlets need to install point-of-sale (POS) systems that capture key information about individuals that are selling these cards.
The Challenge – Implementing Fingerprint Scanner
A recent client of ClearScale’s asked for a comprehensive solution to roll out an industry-setting system that would allow their outlet providers to buy gift cards from the public and then resell them on the secondary market. One of their greatest challenges was incorporating hardware that would scan the fingerprints of individuals selling gift cards to the outlet.
The fingerprint information would then be shared with the Regional Automated Property Information Database (RAPID) which was designed by Business Watch International. This database was implemented to support the pawn, second-hand, and metal recycling dealers and is used primarily to track stolen property. Because it acts as a centralized repository for all transactional information, investigators and law enforcement agencies can use the system to search for suspected individuals or stolen items.
Due to the sensitive nature of the fingerprint data, the client needed to find a method to incorporate the technology securely in their AWS instance and have it interface directly with not only the RAPID system but also the proprietary gift card purchase application that ClearScale had developed for them previously.
The application would need to collect fingerprint data using a USB fingerprint reader attached to the client workstation, securely transmit it to their server hosted on AWS, and then submit the fingerprint data along with the rest of the transactional information to the RAPID database. In addition, the fingerprint hardware the client chose to use required computer configurations that included Windows 7 or later, either the 32-bit or 64-bit, and SecuGen drivers and WebAPI installed.
The ClearScale Solution – AWS Security Services
ClearScale was able to extend the AWS architecture they had developed to support the application the client had originally requested to include integration of the fingerprint hardware and ultimate communication path to the RAPID system. By securing it within a VPC container and secured by AWS Identity Authorization Management (IAM), ClearScale was able to configure the hardware integration and modify the existing application UI to include a number of elements that would enable the feature.
Data Flow Diagram
Chief among these additions was the inclusion of a client-side module that allowed for the capture of the fingerprint from a fingerprint reader attached to a client machine.
Being a web application, our client’s application capabilities for communicating to hardware devices are limited by the features supported by a browser. At the moment, browsers do not support interfacing with fingerprint readers, which posed an immediate problem. Using a WebAPI we are able to provide integration with SecuGen’s locally attached fingerprint scanner device. The API is then available to web pages open in the local browser, which can use the API to capture fingerprint data.
The module provided the ability to review the fingerprint image prior to allowing the user to scan the fingerprint, save the information, and close the interface. This information would be presented visually to the user in the same window as the individual’s ID type and issuer for cross-reference.
If for some reason then capture of the fingerprint wasn’t possible due to technical issues, ClearScale also built in the ability to upload fingerprint images from existing files. The saved fingerprint information was not persisted to the customers’ account deployed in AWS but rather ultimately passed to RAPID for validation with each transaction.
Once captured, the fingerprint image is then securely transferred to the client’s application server running in a secure AWS VPC environment, then submitted to the RAPID database once the transaction is completed. Given the sensitive nature of fingerprint data, ClearScale made sure that the server deletes the fingerprint data immediately after the data has been submitted.
The implementation of this feature for ClearScale’s client took no more than two weeks from start to finish, but it enabled the client to adhere to strict local, regional, and state requirements and laws in areas where they sold their solution. Their customers gained peace of mind knowing that they were in compliance with applicable regulations where needed, while also providing accountability and auditability of transactional data with law enforcement agencies in an effort to reduce fraudulent activity or capture individuals who obtained gift cards through illegal means.
At ClearScale, the complexity of the request is secondary to the need to provide a comprehensive, scalable, and robust solution to our clientele. Whether it’s blazing a new path in an industry that needs disruption to an established business that simply needs to make certain they are complying with applicable regulations, ClearScale takes the time necessary to understand each requirement and designs implementations that address not just the immediate, but also the future needs.
Learn more about ClearScale’s cloud security services here.