How to Stop Buddy-Punching at Multi-Location Stores

Most operators do not know their buddy-punching number. They know it happens — the manager covers for the late opener, the closing crew clocks each other out at 11 when the store closed at 10:30 — but the cumulative cost is invisible until someone runs the math.

Here is the math. At a $15/hr wage floor, 10 minutes of unauthorized time per shift per employee, one location, five employees, six shifts per week:

• 10 minutes × $15/hr = $2.50 per event
• 5 employees × 6 shifts = 30 events per week
• 30 × $2.50 = $75/week per location
• $75 × 52 weeks = $3,900/year per location

That is the conservative number. It does not include overtime that tips because of padded hours, payroll taxes on the phantom labor, or the compliance exposure if a wage-and-hour audit catches clock records that do not match actual work performed.

At 10 locations, this is $39,000 per year in labor that never produced a shift. That is a part-time manager's salary walking out the door in 10-minute increments.

The 6 AM phone call version of this problem is the ghost shift: an employee who is scheduled, clocked in by a buddy, and never showed up. The manager only discovers it when a customer complains or a health inspection is violated because nobody opened the sanitizer logs. That is the high-stakes version of the same underlying failure.

Replacing shared timecards with per-employee PINs was the right move in 2015. It stopped the most obvious abuse — an employee logging in under the manager's credentials — and it created individual accountability on the time record.

But PINs are four digits. They are written on sticky notes. They are texted in group chats. "Hey can you punch me in I'm 5 minutes out" is a text that gets sent every morning in multi-unit stores across the country. The PIN controls the timecard system. It does not control geography.

The PIN problem is not a technology problem — it is a human behavior problem. The fix requires adding a layer that the employee cannot delegate to someone else: their physical location at clock-in time. That is GPS.

A PIN verifies identity. GPS verifies location. Together, they verify that the right person is in the right place at the right time. Missing either one leaves a meaningful gap.

A geofence is a virtual boundary drawn around your store. The default in DohOps is 150 meters — roughly half a block in each direction. When an employee tries to clock in, the system checks the device's GPS coordinates against that boundary. If the device is not inside the fence, the clock-in is rejected or flagged for manager review.

The 150 m default works for most standalone stores. It is tight enough to reject a punch from the parking lot across the street but loose enough to allow for GPS drift on older phones. Operators can adjust it per location: tighten to 50 m for kiosk-only stores, widen to 300 m for hotel campuses with multiple detached buildings, or 500 m for gas stations with large lot footprints.

The GPS layer eliminates the texted-PIN problem entirely. It does not matter if someone else knows your PIN — they cannot use it from their couch at home. The geofence requires physical presence.

DohOps also supports Kiosk Mode, where a single shared tablet at the back of the store handles all clock-ins. Employees enter their PIN on the tablet, and the tablet's GPS — fixed to the store — provides the location stamp. This is the most common setup for QSR and gas stations and removes the employee's personal phone from the equation entirely.

GPS confirms location. A PIN confirms account. Photo capture at clock-in confirms the person. The combination of all three makes buddy-punching a nearly impossible sustained behavior.

Here is how it works in DohOps: when an employee clocks in, the system optionally prompts for a selfie. The photo is timestamped, GPS-stamped, and stored with the clock event. Managers do not need to manually review 40 photos every morning — the exception report surfaces anomalies: a photo that does not match the employee's file photo, a photo taken from a different angle than usual, or a clock-in that triggered a flag for other reasons (off-geofence, unusual time, etc.).

This is not facial recognition in the biometric sense. It is a photo audit trail that creates accountability: employees know the photo is there, managers can pull it on demand, and any dispute about whether someone was actually present has a timestamped record attached.

Most operators find that the existence of photo capture — even without anyone reviewing every photo every day — changes behavior. The crew knows it is there. The plausible-deniability window closes.

Buddy-punching is a labor compliance issue, not just an operational one. When a Department of Labor audit or a wage-and-hour lawsuit requires you to produce clock records, those records need to be immutable and complete. A system where managers can edit time records without a log — or where clock-in data can be deleted — is a compliance liability regardless of whether buddy-punching is happening.

DohOps stores every clock event — clock-in, clock-out, breaks, GPS coordinates, device ID, and photo if applicable — with a 7-year immutable retention. You can pull a PDF audit report for any date range, location, or employee in under 30 seconds. Every edit to a time record is logged with a timestamp and the manager who made the change.

This is the documentation a franchise audit wants to see. 7-Eleven's store audit process, for example, requires that time records match labor cost calculations in the weekly report. An immutable audit trail makes that reconciliation automatic rather than manual.

The audit trail is also the first thing that changes employee behavior. When crews understand that every exception is logged and visible to the owner, the casual buddy-punch stops being casual. The risk calculation changes.

DohOps's Time & Attendance module was designed specifically for multi-unit operators who have already been burned by every failure mode above.

The setup is straightforward. You add a location, draw a geofence on the map, add employees with their PINs, and decide whether to require photo capture. That is it. The first exception report runs automatically the next morning and surfaces anything unusual from the previous 24 hours: off-geofence punches, double clock-ins, ghost clock-outs (employee clocked in, never clocked out), and clock events outside the scheduled window.

The daily exception report goes to whoever you designate — the owner, the area manager, or both. It is filterable by location, by employee, and by exception type. The manager does not need to dig through raw time logs. The system flags what matters and lets the manager deal with people, not spreadsheets.

Payroll runs from the same system. Clean hours, with overtime flagged by state rules, export to CSV for ADP, Gusto, Paychex, or QuickBooks in one click. The buddy-punching cleanup does not create new payroll work — it reduces it.

Start the 30-day free trial and have geofences live across all your locations before your next shift starts. Or book a 15-minute demo to see the exception report live.