0

From my understanding, a QR code is just a static link which get opened up when I scan the code with my phone's camera.

Once opened, a customer can keep the browser tab even after he leaves the restaurant. If that's the case, my question is: How can I prevent a naughty customer from refreshing the page and placing an order when he's not physically at the restaurant?

One possible solution is to force the customer to pay online immediately everytime he submits an order. However, this solution doesn't work in countries where cash payment is still popular.

Another solution is to make the QR code work inside the restaurant WiFi network only. This solution makes it harder for customers to place an order which is not a good thing, especially if we have to serve older audience.

I tried to google this topic but all I found are links to QR ordering software. I wonder how people are solving this problem in those products. If you happen to know, I'd be very grateful if you could share it with me.

Update:
Someone mentioned a similar question in the comment. I find the answers/discussions there are not as engaging and fruitful as the ones I had here while the topic is the same. The author didn't even discuss any solutions he thought about in details. Yet, the question is not closed and mine is? What's the criteria for this?

JamesBoyZ
  • 245
  • 1
  • 7
  • Is this actually a serious risk to your business? – Philip Kendall Apr 12 '22 at 06:56
  • Have a timer on the session created from the QR scan? – Thorbjørn Ravn Andersen Apr 12 '22 at 07:07
  • 2
    This will probably be closed as it isn't a software engineering problem but a business decision, implementing the software would be pretty straightforward. I've written an answer anyway, maybe it's useful to you even if not generally interesting. – Hans-Martin Mosner Apr 12 '22 at 07:22
  • @PhilipKendall I want to implement this feature for my own coffee shop in Vietnam. The customers can be anyone from a teen to a naughty adult. I do consider it a business risk if I don't implement the feature properly. Imagine a customer complaining about a drink he didn't order. It'd affect both the bottom line of the coffee shop as well. – JamesBoyZ Apr 12 '22 at 11:19
  • @ThorbjørnRavnAndersen I thought about the same solution too. However, how can we stop a person from refreshing the static link he got from the QR code at home and get a new session? The customer also can take pictures of the QR code and scan at home. – JamesBoyZ Apr 12 '22 at 11:21
  • Why do you want QR codes in the first place? – Thorbjørn Ravn Andersen Apr 12 '22 at 11:26
  • @ThorbjørnRavnAndersen Good question. I want to replace the manual ordering process with a digitized experience in which I can collect data over time to implement more sophisticated features. For example, if users log in, I can remember their orders to give them quick suggetions next time they come back. Data points tied to specific people can be very useful in doing analytics and making decisions about advertisement as well. In the long run, I want to sell this software to other coffee shops, not just used for my own :D – JamesBoyZ Apr 12 '22 at 11:32
  • This already exists. You seem inexperienced so it may be a larger effort to create a nice customer experience than you think. Are you sure you want to build this yourself and not buy a tried and tested solution? – Thorbjørn Ravn Andersen Apr 12 '22 at 12:11
  • 1
    In some cases this will be actively unhelpful. I'm on the way to my local cafe and want my order to be ready to collect (I don't want to be hanging around, there's a pandemic on)? Sorry, you need to be _at the physical location_ to order _online_. – jonrsharpe Apr 12 '22 at 12:39
  • @ThorbjørnRavnAndersen: I agree with you. I'm a lead BE engineer at Grab. I have some exp building BE but relatively inexperienced in creating beautiful UI/UX. In the past, I built an e-com store using Shopify theme and I learned many tricks in making customers pay more using customized features that I built using JS alone. I looked for off-the-shelf coffee shop management products but they're all quite generic and I can't easily customize them to add my unique features. I'd like to give this a try on my small coffee shop :P. Won't take much to manage a small shop. – JamesBoyZ Apr 12 '22 at 13:33
  • @jonrsharpe I got what you mean bro. I believe I can leverage food delivery platform to sell online with delivery or self-collect options. My QR code is meant to serve on-premise customers :D. – JamesBoyZ Apr 12 '22 at 13:36
  • 1
    How do you currently deal with customers who walk away between ordering and getting their order delivered? – Bart van Ingen Schenau Apr 12 '22 at 13:43
  • 1
    for the record, where we have this QR thing around here you must pay before anything is actually happening. I would suggest you do the same. – Thorbjørn Ravn Andersen Apr 12 '22 at 15:16
  • @BartvanIngenSchenau good question. In my country, not everyone has a credit card or a digital wallet. It's actually not feasible to ask all customers to pay each time they submit an order unless they physically order at the counter. In traditional settings where waiters take order manually at the table and customers pay at the end of their visit, customers can still walk out while waiters are preparing their orders in the back or after enjoying their drinks without paying. We need to train waiters to watch out for these and accept a loss when it happens. Most customers dont do this though :D – JamesBoyZ Apr 12 '22 at 15:36
  • @ThorbjørnRavnAndersen thanks for the idea. I do hope digital wallets will become popular enough in my country that one day I can confidently make online payment mandatory for all orders without losing too many customers :D. – JamesBoyZ Apr 12 '22 at 15:39
  • Those who can’t or won’t, call a waiter. – Thorbjørn Ravn Andersen Apr 12 '22 at 16:15
  • 1
    There was a very similar question a few months ago: https://softwareengineering.stackexchange.com/questions/433149/qr-code-scanning-with-location-check – Vincent Savard Apr 12 '22 at 16:41
  • 1
    @Hans-MartinMosner It seems very relevant for SE to me. It is the kind of problems where business and software are closely interlinked: the business decision will depend on the alternatives that are feasible with software, and here it is about such alternatives to fulfill identified requirements. – Christophe Apr 12 '22 at 18:04

4 Answers4

5

A QR code is just a machine-readable representation of some string (in your case, an URL). Strings can be copied and kept using whatever mechanisms, you can't seriously protect against that.

The correct solution would be to give each customer a customer-specific or time-limited QR code, for example by showing it not on a printed medium but on a changeable display (big screen in the restaurant, small e-paper displays on the table whose content is updated after a customer leaves.)

However, such a solution is potentially costly, and the risk of being defrauded should be weighed against the cost of implementing such a scheme, as @Philip-Kendall noted.

This is actually not a software engineering problem but a business process decision. Implementing the software solution once you have a good understanding of the business process that you want to perform is pretty straightforward.

Hans-Martin Mosner
  • 14,638
  • 1
  • 27
  • 35
  • Thank you for the suggestion. It actually makes sense. However, I humbly disagree with the statement that this is not an engineering problem :). IMHO, a good engineer doesn't sit and wait for business users to come up with a business process for him to implement. Instead, he should aim to understand the limitations of a framework/technique and then help drive business decisions taking into account those limitations. I cannot speak for everyone but that's how I choose to work as an engineer and it has worked well for me personally so far :D. – JamesBoyZ Apr 12 '22 at 11:29
  • I added my own solution below. I look forward to hearing your inputs :) – JamesBoyZ Apr 12 '22 at 11:41
4

If your QR code is printed out, I can walk from restaurant to restaurant, take photos of QR codes, print them out, and use them at any time.

You can prevent this by having a changing QR code on a screen. The QR code contains the time, and if you receive a QR code and it’s time is off, you reject it.

Simpler, but less effective, you could have a QR code on each table containing the table number so at least you can check if there’s anyone sitting at that table.

gnasher729
  • 42,090
  • 4
  • 59
  • 119
  • Thank you for the suggestion. I learned something from it. I added my own solution below. I look forward to hearing your inputs :) – JamesBoyZ Apr 12 '22 at 11:42
2

Thank you all for providing very insightful inputs. What I learned from the comments and other answers is that I need an ever-changing QR code. I cannot print a static QR code, stick it on the table forever and expect it to be safe.

Taking this into account. I think the best solution is to change the workflow of my QR code ordering system a little bit. Instead of having waiters bring a menu to the customers when they enter the coffee shop, the waiter should open the table the customer chooses and print a new QR code on a piece of paper for the customer to scan to start ordering. When the customer gets the bill and pays, the waiter can then close the table and invalidate the printed QR code.

This way, noone can reuse the QR code nor reuse the session they created when they first scanned the QR code. In addition, once generated, the same QR code can be used by all customers at the same table. Their sessions can also live for the whole duration when the customers are still inside the coffee shop. They will not have to rescan the short-lived QR code on a TV screen every 5 minutes to order new stuff or see the menu. We can save the TV screen for advertisement, etc. which makes more sense economically.

Please let me know if you find any problems with this approach.

JamesBoyZ
  • 245
  • 1
  • 7
  • 1
    That's a reasonable implementation of the customer-specific QR code variant. Printing on paper might not be as environment-friendly as one could wish, but constant-on display aren't either :-) – Hans-Martin Mosner Apr 12 '22 at 12:02
  • 1
    A benefit of this approach is that the QR code is linked to the physical table. A restaurant near me does this and its quite nice as it means the kitchen knows which table places the order and can bring my food out directly to me. – Graham Apr 12 '22 at 13:31
1

You could be tempted to use geolocalisation but the accuracy would not prevent someone outside the restaurant to make a fake order. Moreover some regions of the globe are tough on personal data protection, which makes this solution a suboptimal fit.

The local wifi is another option. But this seems a bad idea: it might discourage some customers, since it is an additional cumbersome step to do and might moreover be perceived as diverting a part of user trafic to a network bearing the risk of being potentially insecure.

The simplest solution seems to be to have a new one-time QR code brought at the table when the customer arrive, and the waiter would disable this code when the customer leaves the restaurant.

Another way could be to display a temporary qr code on a screen in the restaurant for the checkin, use it to feed a session token? and subsequently use the table qr code (or just a table id) until the session expires.

There are a lot of other solutions as well.

Christophe
  • 74,672
  • 10
  • 115
  • 187
  • Thanks for the suggestions. I added an answer right above along the same line of bringing a new one-time QR code to the table when customers arrive. From your answer, I might be on the right track :D. I didn't want to go for short-lived QR codes on TV screen because customers would have to re-scan the QR code every 5 min or so to view menus or place new orders. Instead, multiple customers at the same table can share one QR code for the whole visit with the other solution. We can save the TV screen for advertisement, etc. which makes more sense economically :D. – JamesBoyZ Apr 12 '22 at 17:28
  • 1
    @JamesBoyZ indeed, I didn’t read your answer because it started like a comment and you were the author of the question, and I was afraid of close votes that could stop me answering. But indeed, you are on a user experience journey: making things cumbersome will lead to lost sales. Moreover this approach brings flexibility, considering that sometimes people order and change place or join another table if they realise their friends are here as well. They just take their qr code with them. And waiters anyway have to open/close a table. I have yet another idea and may edit if’s viable. – Christophe Apr 12 '22 at 18:00