v7.20 — November 2025

Released: November 2025

Authentication & Security

Two-Factor Authentication — Email OTP

A second authentication layer is added to the login flow:

After 6 invalid OTP attempts: account locked for 24 hours (“Too many invalid OTP attempts. Try again after 24 hours”)
After 6 OTP resend clicks: locked for 30 minutes (“OTP limit reached. Please try again after 30 minutes”)
A user locked in one program can still log in to other programs via 2FA
A user locked in all programs cannot log in, but still receives the OTP
Username and email are masked on the 2FA screen for privacy
OTP expiration timer and resend limit are both visible to the user

Inactivity-Triggered Password Reset

Users are redirected to a forced password change screen after N days of inactivity (default: 30 days)
The inactivity threshold is configurable per client
Users access the dashboard immediately after changing their password

PII Encryption Toggle (Irreversible)

The PII encryption toggle is now one-way — once enabled, it cannot be disabled
PI attribute visibility throughout the platform is controlled by the toggle state

CAPTCHA Configuration

A HideCaptcha flag controls whether CAPTCHA appears on the login page
When the flag is true, CAPTCHA is skipped; otherwise, the existing CAPTCHA flow applies

LDAP: Password Reset Hidden

When LDAP authentication is enabled, the Change Password and Reset Password options are hidden across all areas: Manage Team, Profile, Login screen, and Dashboard

Member Management

Membership Blocked Status

A new Membership Blocked status provides complete program restriction:

Login restricted
Point accrual restricted (transactions, referrals, campaigns, peer-to-peer, API, bulk uploads, SFTP)
Redemption restricted
Differs from the existing Login Blocked status, which restricts login and redemption but still allows accrual

Member Fetch via Any Attribute

The frontend (storefront or admin panel) can now retrieve member details using any member attribute — custom or global
Enables a consolidated view of all accounts under a single CIF (same person, multiple cards)

Available Offers API

A new API returns active Rule Groups filtered to only those where the member belongs to an associated segment
Rule Groups without active rules are excluded
Rule Groups whose date range is outside the validity window are excluded, even if they contain active rules

Auto-Activate New Members on Upload

Setting AUTO_ACTIVATE_NEW_MEMBERS: true in the program configuration automatically activates new members during CPD file uploads
Member status in the file must be N (New)
This setting applies to file uploads only — not to API-based member creation

Campaigns & Engage

Occasion Reward Campaigns

A new Occasion Reward campaign type is available alongside existing campaign types:

Supported occasions: Birthday and Program Anniversary
Anniversary sub-types: Activation Date or Enrolment Date
Target audience selection is not required — eligibility is determined automatically based on milestone dates
Only editable after creation: Campaign name and bonus points
Members with Membership Blocked status do not receive points
Occasion reward points appear under the “credit by bonus” filter in transaction reports
One birthday bonus and one anniversary bonus are issued per member per calendar year
Failed deliveries are logged and automatically retried

WhatsApp Integration (Twilio / Infobip)

WhatsApp is now a supported communication channel:

Supports both transactional and promotional text-only templates (Phase 1)
Submission status is Pending for Approval until Meta approves the template via Twilio Content API
Approved templates are displayed in the UI; approved templates cannot be edited
Templates with unapproved WhatsApp variants are blocked from campaign selection
WhatsApp appears as a filter in Communication Reports alongside Email and SMS
Note: Delivery status tracking and retry handling require a full developer account to test

Rule Engine

Voucher Issuance as a Reward Action

Rule Groups can now issue vouchers instead of points:

Two reward action types at Rule Group level: Points and Voucher
Reward action type is selected at the Rule Group level and cannot be modified later
Voucher availability requires a configured Marketplace (Plum) integration
Country, voucher category, and voucher name are fetched dynamically from the Marketplace API during rule creation
If a member has an empty email address, no voucher is issued; only 0-point accrual is recorded
If a voucher becomes inactive after the rule is set up, the transaction proceeds but no voucher is issued
Voucher reward groups cannot be exported in the module export
Plum Marketplace API supports Gift Cards only

Description Stamping Control

A new checkbox on each rule controls whether the rule name is stamped as the transaction description
When enabled, the rule name always overrides the transaction description
When disabled, the transaction description is blank
Can be toggled on or off via the edit rule option
Applies only to rules with Reward Action = Points — not to Voucher reward types

Rule Engine Attribute Setup Revision

Creating a new Rule Engine redirects the user to the mandatory attribute setup page first
During initial setup, the following are disabled: product code edit, search, enable/disable
Attribute groups cannot be created during initial setup

Zero-Point Transaction Elimination

When a transaction passes through a Rule Group but no rules are applicable, no transaction record is created
If a rule matches and the result is 0 points, a transaction record is still created
If a rule matches and the result is >0 points, a normal transaction is created

Rule Group Description Field

A description field is now available during Rule Group creation and updates
Descriptions are saved, displayed, and remain editable at any time

First Transaction Qualification Fix

The “first transaction” definition now applies a filter for loyalty_transaction_type = 1
Only rule engine or manual point allocations are considered — bonus, tier, and campaign points are excluded

HTML Email Editor

GrapeJS Drag-and-Drop Editor

A full HTML email editor is now available in the Email Template section:

Drag-and-drop components: text, image, link, button
Pre-built branded blocks: header, body, footer
Multilingual support enabled
Dynamic placeholders (e.g., member_name, points_balance) are replaced in real-time
Preview and test-send capabilities available
HTML upload is available via the Add HTML section
Existing templates are migrated to GrapeJS (some alignment adjustments may be needed)
Variables are available in the Available Variables section and must be copied manually

Points & Transactions

Session-Based Column Configuration

Users can select which attributes are visible in the Accrual section
Selections persist until logout or program change (session-based, per user persona)
A Reset to Default option is available

Automated 3-Year Transaction Housekeeping

Transactions older than 3 years are automatically deleted via a scheduled cron job:

Eligible for deletion: Standard accrual (transaction_type = 1) and debit (transaction_type = 2) records only
Excluded: Pending transactions (transaction_type = 5)
After deletion, summary records are created and displayed as: “Accrual Housekeeping”, “Expiry Housekeeping”, “Redemption Housekeeping”
A Monthly Housekeeping Summary Report is generated after each run, showing the transaction classification, cumulative points deleted, execution date, and the user (System)

Manual Bonus Upload Limit Increase

Maximum file size increased from 1,000 records to 30,000 records per upload

Debit/Credit Card Block Code Mapping

Cards are mapped to colour-coded block categories that determine member access:

Green (full access): Members can accrue rule engine points, access D-Point, and points expire normally
Yellow / Orange (partial debit restriction): Varying accrual and D-Point access depending on the specific code
Pink (partial restriction): Members can accrue points for some codes; cannot access D-Point; points do not expire; member status is unchanged
Red (full restriction): No rule engine accrual; no D-Point access; points expire; member status set to Cancelled

Mixed card scenarios:

Green card + any pink/red card: D-Point access retained with the active card; points do not expire; status unchanged
Green → Pink transition: D-Point access removed; points do not expire; status unchanged
Green → Red transition: D-Point access removed; points expire; status becomes Cancelled

BigInt for Custom Number Attributes

Transaction and member custom attributes with number/integer data types are now stored as BigInt, supporting up to 16-digit values
Applies only to newly created attributes

Card/Account Number Uniqueness Removed

The uniqueness constraint on the last six digits and sub-relation identifier has been removed
CRD insertion is still rejected if both fields are null or empty

Reporting

Custom Report Headers

Standardised headers added to: Monthly Housekeeping Summary, Monthly Customer Tiering, Customer Outstanding, Monthly/Daily Custom Reports (Transaction Type/Points/Amount), Monthly Cancelled Points, and Monthly GL+1 Approval Summary

Transaction API Rule Metadata

The member transaction summary API now exposes: rule_group_id, rule_group_name, rule_name, and rule_id in both API responses and reports

Custom Reports for BDI

Six specialised reports added for BDI clients:

Monthly Transaction/Points/Amount (Accruals, Reversals, Redemptions)
Customer Outstanding Points Report
Monthly Cancelled Points Report
GL+1 Approval Summary with Workflow
Miles Exchange Report (JAL Miles)
Daily Transaction/Points/Amount Report

Audit & Compliance

User reactivation now captured in the Audit Trail for locked and archived accounts
Tier Retention Period configuration changes are now logged with user, action, and timestamp
Referral Module audit trail now captures changes to Referral Conditions and the Code Generation Toggle
Report file transfer to Azure blob storage now includes folder structure configuration and a minimum file size check (>1KB)

Access Control

A configurable security disclaimer can be displayed on the login screen
The feature is disabled for public cloud deployments and only available for on-premise or private cloud clients

​v7.20 — November 2025

​Authentication & Security

​Two-Factor Authentication — Email OTP

​Inactivity-Triggered Password Reset

​PII Encryption Toggle (Irreversible)

​CAPTCHA Configuration

​LDAP: Password Reset Hidden

​Member Management

​Membership Blocked Status

​Member Fetch via Any Attribute

​Available Offers API

​Auto-Activate New Members on Upload

​Campaigns & Engage

​Occasion Reward Campaigns

​WhatsApp Integration (Twilio / Infobip)

​Rule Engine

​Voucher Issuance as a Reward Action

​Description Stamping Control

​Rule Engine Attribute Setup Revision

​Zero-Point Transaction Elimination

​Rule Group Description Field

​First Transaction Qualification Fix

​HTML Email Editor

​GrapeJS Drag-and-Drop Editor

​Points & Transactions

​Session-Based Column Configuration

​Automated 3-Year Transaction Housekeeping

​Manual Bonus Upload Limit Increase

​Debit/Credit Card Block Code Mapping

​BigInt for Custom Number Attributes

​Card/Account Number Uniqueness Removed

​Reporting

​Custom Report Headers

​Transaction API Rule Metadata

​Custom Reports for BDI

​Audit & Compliance

​Access Control

​Security Warning on Login (On-Premise / Private Cloud)