When the pandemic began to take shape last spring, many organizations were forced to hastily restructure their retail operations. Brick-and-mortar stores quickly set up online shops, and organizations offered new services such as online checkout, payout or purchasing options. The result was substantial: North American online retail orders had risen 126% by May 3, 2020.
However, in the rush to adopt digital solutions and expand their online presence to keep the business running, many retailers exposed themselves to unrecognized security risks by adding new technologies, processes, suppliers and offerings without first conducting a proper security and risk assessment. That assessment is crucial, because it identifies gaps that could harm both the business and its customers.
For others, risk arrived through third parties. As the supply chain struggled with shortages and delays, retailers found that their business continuity plans had not anticipated a pandemic of this magnitude. They had to find alternate suppliers quickly, which could require changes not only to their POS systems but also to business operations, resiliency planning and third-party management.
Retail organizations that had to create an online presence or adopt new technologies at speed may have introduced security risks for themselves and their customers. There are several security priorities to consider during a digital transformation driven by ecommerce demand; two places to start are internal infrastructure and customers.
What to Keep in Mind When Embracing Innovative Solutions for Retail Infrastructure
With much uncertainty around a return to “normal,” numerous retailers have already upgraded or optimized their digital storefronts, POS, CX or retail management systems to keep pace with the uptick in online demand, and others plan to. But new solutions often do not integrate seamlessly with existing infrastructure, which creates security blind spots, and outsourced systems such as POS become a weak link for unauthorized third-party access and data leaks if they are not implemented properly.
Furthermore, new services delivered through mobile app downloads and in-app transactions can open inroads for fraud if security resources are not allocated to scale with new consumer adoption patterns. So even on an accelerated timeline, it is still crucial to conduct proper security and risk assessments to identify gaps that could harm internal infrastructure or customers.
Fortunately, there are several best practices retailers can adopt to help mitigate the security threats associated with digital transformation while still accelerating innovation:
- Explore ways to evolve security and risk management strategies: Conduct a fresh risk assessment to adapt your business continuity and resiliency plans with the new reality of the pandemic. This could include evaluating your modified digital footprint, how services changed, or the impact of a new mobile app or contactless beacon. It also encompasses assessing third-party risk, such as any recently added vendors, and confirming that strong due diligence was conducted during their onboarding process.
- Align compliance, customer privacy and data security: Many retailers now have employees working remotely. This can create a large shadow IT problem: a lack of visibility into which applications are accessing your environments, where your data is and who is doing what with it. Gaining visibility into this is important so you can take stock of your compliance programs and ensure that new technologies do not inadvertently invalidate or affect compliance. It also means taking time to understand how the regulatory and privacy landscape may have changed during COVID-19, and its impact on existing data policies, so you can move towards continuous compliance.
- Don’t forget the Board Room or C-Suite: Security often isn’t on the C-Suite’s radar until something negative happens, so these disruptions are a prime opportunity to bring the conversation to the C-level for organizational alignment.
What This Means for Your Consumer
In addition to recognizing technical opportunities, fraudsters capitalize on rapid shifts in organizational and customer behavior. Throughout the pandemic we have seen fraudsters prey on emotions, knowing that people are more vulnerable and distracted than ever.
Consumers are also changing their purchasing habits and using new technology and channels. Take hand sanitizer as an example: as COVID-19 spread, hand sanitizer became scarce in stores and consumers began searching for it online. Fraudsters saw an opportunity and used phishing schemes to lure customers to scam websites “selling” discounted hand sanitizer, harvesting card numbers from the bogus transactions. Similarly, RSA has seen an uptick in card-not-present fraud and in stolen card numbers being used locally, which complicates user authentication, especially given the rise in curbside pickup due to social distancing.
New technologies or functionality can also open the door to consumer fraud as companies engage with shoppers in new ways. For example, a consumer may receive fraudulent emails or coupons and assume they are legitimate simply because the format is new, which gives phishing or ransomware campaigns convenient cover. For this reason, consider the psychology of your customers, not just the technology, when making any adjustments to customer-facing digital channels.
With the holidays around the corner and ecommerce anticipated to see another increase in demand, there are a couple of things retail organizations can do to protect customers:
- Educate your customer: It is important to ensure your customers aren’t confused about how your organization will provide updates, promotions or purchase information, so establish these expectations now and moving forward. Knowing that criminals often try to mimic retailers’ customer communications, educating customers on what they can expect will help prevent successful phishing attacks.
- Adopt internal customer protections: Internally, consider monitoring for phishing attacks and fake mobile apps, and look for ways to reduce risk and friction in the ecommerce checkout without disrupting customers. If you have seen an uptick in card-not-present transactions, consider participating in an ecosystem such as 3-D Secure, which adds a layer of cardholder authentication to card-not-present transactions and, in its risk-based flow, analyzes transaction data so that most legitimate purchases pass without a challenge. Offering fraud detection rates of up to 95% with a low customer intervention rate, these protocols enable a secure online shopping experience for cardholders while mitigating the risk of chargeback losses. In turn, they can increase transaction approval rates and lower cart abandonment, supporting merchant and card issuer revenue.
- Update your omnichannel fraud strategy: With many retailers offering a new combination of brick-and-mortar, online and mobile engagement, this is a good time to prioritize omnichannel fraud prevention. Ensure there are no silos, so that every channel feeds a centralized fraud model; this also prevents fraudsters from using one channel to manipulate the others.
While the coming months may be unpredictable regarding COVID-19, this is a prime time for retailers to evaluate their technologies and identify the security gaps and digital risks they may be open to following the shift to digital. This will help ensure the business is prepared and customers are kept safe.
Angel Grant is CMO, RSA Fraud and Risk Intelligence at RSA Security and a current member of the Board of Advisors at the PCI Security Standards Council. Before that, she served as the Director of Product Marketing for Identity, Fraud and Risk Intelligence at RSA. Grant has more than 20 years of experience in the security, ecommerce and financial services industries and is a visionary leader with a passion for developing security solutions to protect against cybercrime and make our digital world a safer place. She attended Bentley University and holds the CISSP certification.