Almost 30 percent of adults in the United States are reported to hold a loyalty card. The use of such cards is growing worldwide. There are two main incentives for businesses to encourage the use of loyalty cards: retaining customers and learning more about them. Customers, on the other hand, like the price promotions, discounts, and points redeemable for awards that these cards provide, but do not like the privacy risks that may be involved in businesses building their profiles based on their transaction data. The aim of this paper is to develop a scheme that will not allow a business to link customer transactions through the loyalty program, but will still enable a business to keep an accurate record of the points awarded to each of the customers. In addition to protecting customers’ privacy, the requirements of a privacy-enhanced loyalty program should be unforgeability (points credit cannot be forged), double-spending detection (points cannot be redeemed more than once), and pooling prevention (distinct customers cannot pool their points together).

Loyalty points may be issued as tokens that the customers collect before redeeming them for an award, or a points counter that is increased every time a point is issued to the customer. In both cases, it is desirable that the serial number of the token or the points counter not be linkable to the customer, thereby preventing the business from building customer profiles. The privacy-friendly schemes suggested for both cases, the tokens and points counter approach, are based on Chaum’s blind signature protocol. The details of the protocol for each of the two cases are clearly described in the paper.