Software Development
How to Prevent Duplicate Voucher Redemption in a Loyalty or Prize Programme
Duplicate voucher and QR code redemption is a database problem, not a UX one, and most systems get the fix wrong by checking status in the app instead of the transaction. Here is what actually stops it, drawn from a real South African prize platform build.
How to Prevent Duplicate Voucher Redemption in a Loyalty or Prize Programme
To prevent duplicate voucher redemption, the check has to happen inside the database transaction that redeems the voucher, not in the app layer that displays it. A lock written at the moment of redemption, enforced server-side, is the only version that survives two staff members scanning the same code at once, or a user replaying an old request.
Why Vouchers and QR Codes Get Redeemed Twice
Most duplicate redemptions are not fraud in the dramatic sense. They are a race condition. Two staff members at a busy checkout or gate scan the same QR code within a second of each other, both devices show "valid," and both mark it redeemed before either syncs back to a shared record. A voucher redemption system that checks validity by reading a "used" flag on the client, or on a device that only syncs periodically, cannot see the other scan happening in parallel. It approves both.
The same failure shows up without any bad intent at all. A user refreshes a page mid-checkout, a flaky connection retries a redemption call automatically, or a QR code redemption system caches a "not yet used" state for a few seconds to keep the interface responsive. Any of these can let a legitimate voucher get redeemed twice, which costs real money on giveaways, competitions and loyalty rewards the same way fraud does.
The fix is a data problem, not a UX one. A voucher can only have one true state, "redeemed" or "not redeemed," and every device checking or changing that state has to agree on the same record at the same instant. That only works if the record lives in one place and the write that changes it is atomic.
The Trade-off Most Guides Get Wrong
Most advice on this topic focuses on the code itself, a QR format, an expiry timestamp, a one-time token. Those help, but they do not stop duplicate redemption on their own, because a token can still be read twice before either reader reports back. What actually matters is where the "has this been redeemed" check runs and how it locks.
An app-layer "mark as used" checkbox looks like it works in every demo, because demos do not have two staff members redeeming the same code within the same second, or a spotty stadium Wi-Fi connection retrying a request. In production those conditions are common, and that is precisely when a soft, client-side check fails. South Africa recorded the highest suspected digital fraud rate of any African country TransUnion tracked in 2025, 3.0% of transactions flagged, down from 4.3% the year before as fraud tactics got more targeted rather than fraud actually declining. That is a general digital fraud figure, not a voucher-specific one, but it signals how much attack surface any consumer-facing redemption flow sits on in this market.
We saw the honest version of this trade-off building a sports prediction and prize platform for a client running a prize competition, as part of a wider custom software build that also handled entries and winner notification over WhatsApp. Winners could redeem a prize two ways: a staff member scanning a QR code at a stadium, or a reference code looked up remotely on a laptop. Both paths had to write to the same record without either one being able to double-redeem it. We built the lock at the database level: the moment a redemption is confirmed, that entry is locked against any further claim, immediately, through a tamper-proof event log rather than a status field either interface could quietly overwrite. A staff member at the stadium cannot redeem the same ticket twice, and a remote claim through the reference code goes through the exact same lock, so there is one unambiguous record of who was paid and when, no matter which channel got there first.
What to Ask Before You Build or Buy a Redemption System
If you are running a competition, giveaway, loyalty programme or ticketed event, ask whoever is building your redemption flow one direct question: where does the "has this been used" check happen, and does it run inside a database transaction or in the app? If the honest answer is "the app checks a status field," that system will eventually double-pay a prize, especially with more than one redemption point.
This matters most the moment you have two ways to redeem the same thing, in-person and remote, one app and a website, a till and a self-service kiosk. A single redemption channel can sometimes get away with a weaker check because only one place is ever looking at the record at a time. Two or more channels writing to the same voucher pool cannot, and that is exactly the setup most real competitions and loyalty schemes run.
Small, single-channel, low-value promotions can reasonably start simple and fix this later if volume grows. Anything with real prize value, a public competition, or more than one redemption point should treat the transaction-level lock as a day-one requirement, not a fix after the first double-payout. If entrants also have to prove who they are before a redemption counts, that identity check deserves equal scrutiny, a side of this same build covered separately in our piece on identity verification and lead generation software in South Africa. A redemption system also usually sits next to other customer data, so it is worth checking the wider security posture too, covered in our cybersecurity guide for Cape Town SMEs.
A voucher, ticket or prize system is only as trustworthy as its worst-case redemption path, the moment two people try to claim the same thing at once. Get that path right at the database level and the rest of the system, the QR codes, the app, the notifications, is just interface. Anyone building or buying a redemption system for a competition, loyalty programme or ticketed event should treat this as the one non-negotiable requirement, and be willing to walk away from a vendor who cannot explain how their lock works.
Questions about voucher redemption systems
How do I stop a voucher or QR code being redeemed twice?
Enforce the redemption check as an atomic database transaction, not an app-layer flag. The record must lock immediately at the data level the moment it is redeemed, so no second scan on any device or channel can succeed afterwards. A tamper-proof event log, not a status field, is what makes this hold.
Can a QR code coupon be scanned more than once?
Yes, if the system checks a "used" status stored on the device or app rather than locking the record in the database at redemption. Two scans arriving close together can both read "not yet used" before either write is recorded, the most common cause of duplicate redemption.
What is a voucher redemption system?
A voucher redemption system is a unique code (QR, reference number or token) paired with backend logic that verifies and locks it when claimed. Its core job is not generating codes, it is guaranteeing each code can be redeemed exactly once, across any number of staff, devices or channels.
What software prevents duplicate coupon or voucher redemption?
No off-the-shelf feature alone prevents it. What prevents it is an architecture where redemption is a single atomic database transaction with row-level locking, so simultaneous requests cannot both succeed. On a prize platform we built for stadium and remote redemption, this ran as a tamper-proof event log, not a status field.
Does POPIA apply to running a competition or promotion in South Africa?
Yes. Any competition or promotion that collects personal information, names, ID numbers, phone numbers or entries, falls under POPIA, and that data must be processed lawfully, stored securely and used only for the stated purpose of the promotion.
What are South Africa's legal requirements for running a prize competition?
Prize competitions in South Africa must comply with the Consumer Protection Act's rules on promotional competitions, including clear terms, no unreasonable entry restrictions, and prompt prize payout, alongside POPIA for any personal data collected during entry or verification.
How common is voucher and coupon fraud?
There is no South Africa-specific figure for voucher fraud alone, but the country recorded the highest suspected digital fraud rate TransUnion tracked across Africa in 2025, at 3.0% of transactions flagged. That is general fraud context, not a voucher-specific number, but it points to real exposure for any redemption flow.
Arnaud Brunel
Founder, Brunel Studios
Arnaud Brunel is the founder of Brunel Studios, a software product studio based in Cape Town. He has spent the last 8 years building digital products for founders and SMEs across South Africa and Africa, working across mobile, web and AI-native platforms.
LinkedIn ↗