Over the past several months, retailers have experienced challenges and changes they thought they would never see in 2020. Even before the pandemic completely upended the world economy, how consumers shopped had been changing — and mobile devices were at the forefront of that change.
Mobile devices have become powerful payment instruments, on the way to replacing traditional cards for in-store purchases in many markets around the globe. Prior to the pandemic, retailers and financial institutions had been reimagining experiences for consumers to enable quick, seamless transactions. Then the shuttering of many stores made online shopping a necessity, while social distancing measures turned contactless payments from a convenient option to a safer alternative. And it’s clear that these shifts are here to stay.
Publix and Target, for example, are completing nationwide rollouts of tap-to-pay registers, while Burger King has aired ads about making its drive-thrus contactless for both payments and pickups. Buy now, pay later provider Afterpay has seen a surge of more than one million new users since the start of the lockdown in the U.S., and PayPal announced that it has rolled out QR code payments to 28 markets worldwide.
While these new developments aim to create physically safe, simple and convenient payment experiences for consumers, one can’t help but think of the potential risks that come with them.
Retailers Need to Anticipate Fraud Schemes
COVID-19 has caused consumer behavior similar to that of the holiday shopping season. In fact, in June, non-store retailers saw a 23.5% growth compared to June 2019, as consumers continued to take to the web to shop for items for their patios and gardens, outdoor recreation, work-from-home needs, arts and crafts and more.
However, fraudsters are hyper-aware of consumers’ online activities. The increase in online transactions has presented fraudsters with more channels and opportunities to disguise their online presence and take down their targets. This behavior, as it continues to evolve, warrants increased investment in securing digital channels.
One of the new channels offered by retailers is buy online, pick up in store (BOPIS), which offers customers added convenience to drive increased customer service and loyalty. BOPIS has become hugely popular for customers who don’t want to have to wait for items to be delivered, or for those who want to avoid shopping in-store for essential items like groceries. However, the introduction of this shopping channel has enabled fraudsters to use stolen credit card information to make purchases online and then simply arrive at the store to pick up the item.
When the fraudsters pick up their items, their only obligation is to show a receipt or QR code, not a driver’s license or other proof of identification, meaning the burden of fraud detection resides at the time of purchase, not at pickup. This means that retailers and issuers have to ensure that online payment solutions meet the highest security standards in order to protect their customers from fraud.
Many retailers also have begun to use buy now, pay later services as an alternative to a single payment on a credit card, allowing consumers to receive instant access to financing. With this service, consumers have the option to order the item and pay for it in installments or at a later date altogether. But fraudsters have also been exploiting these payment options.
When they do, they create accounts and pass credit checks using stolen consumer information. They then order and intercept items before these can be delivered to the unsuspecting victim, who is mostly unaware of accounts opened in their name or goods purchased on their account. When consumers do open these accounts and store card information, they are also vulnerable, as fraudsters can take over their accounts and steal the unprotected information to make fraudulent purchases.
Tokenized Data is Useless to Fraudsters
One security measure that protects sensitive information like credit card numbers from being accessible to fraudsters is tokenization. It’s a measure that retailers can take to keep their customers’ payment information more secure. The process of tokenization makes use of secure, randomly generated tokens in place of a primary account number (PAN). These tokens are then used to provision payment cards into both issuer wallets and third-party wallets, without compromising the physical card or linked account. This enables consumers to turn their mobile phone into a payment tool at a kiosk, or easily choose a card when completing a transaction on their favorite retail site.
One of the main advantages of tokenization is that tokens cannot be decrypted: because a token is randomly generated rather than derived from the card number, the only way to get the original information is to have access to the database that maps tokens to card data, which is stored in a secured cloud token vault. Outside this vault, there is no way to connect the token to the original data. So if a hacker does manage to infiltrate a retailer’s system, there is no useful information to steal.
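The vault model described above, as an added sketch that is not code from the article or from any vendor: a toy in-memory `TokenVault` (hypothetical class) issues random tokens, and the retailer's records hold only those tokens. Keeping the last four digits and forcing tokens to fail the Luhn check are design choices of this sketch; the caller names and card numbers are constructed sample values.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn checksum used by card numbers."""
    digits = [int(d) for d in reversed(number)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class TokenVault:
    """Toy in-memory stand-in for the token vault (hypothetical class)."""

    def __init__(self, authorized):
        self._authorized = set(authorized)   # callers allowed to detokenize
        self._by_token = {}                  # token -> PAN, never leaves the vault
        self._by_pan = {}                    # PAN -> token, one token per card

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random digits from the OS CSPRNG: no key is involved, so there is
            # nothing to decrypt. Last four kept for receipts (design choice).
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice: a token must fail Luhn so it cannot pass as a PAN.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._by_token[token]

def merchant_records(vault, pans):
    """What the retailer stores (and what a breach of its system would expose)."""
    return [{"order": i, "card": vault.tokenize(p)} for i, p in enumerate(pans, 1)]

# Constructed sample data: well-known test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

if __name__ == "__main__":
    vault = TokenVault(authorized={"payment-processor"})
    for rec in merchant_records(vault, SAMPLE_PANS):
        print(rec)
```

The security of the scheme rests on the vault's access control: anything that can call `detokenize` as an authorized caller is in scope for the same protection as the card data itself.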
The Fraud-Fighting Expertise of Fintechs
Another well-known security protocol that focuses on reducing e-commerce fraud is 3-D Secure. 3-D Secure was developed with the best intentions: to reduce card-not-present fraud that accompanied the growth of e-commerce sales by adding an extra layer of security. Even though its first version was not adopted widely in the U.S., many role players in the payments ecosystem have since joined forces to overcome challenges associated with the initial protocol.
Now, leading 3-D Secure providers offer implementations to retailers and issuers that prioritize user experience along with security. By leveraging the customer’s mobile device as an authentication device, for example, the customer can enjoy a balanced sense of freedom and control. This helps online retailers capitalize on the added benefits of reduced cart abandonment and less of the customer frustration during checkout that impacts brand loyalty.
As the world, and the e-commerce landscape with it, continues to readjust to a new normal of increased digital activity, retailers can be sure that fraudsters are doing the same. In order to keep customers coming back and doing so safely, security should never become an afterthought. With the right partnerships in place, security measures can be triggers for innovation, something that benefits retailers, fintechs and customers alike.
Steve Bledsoe is Pre-Sales Solutions Lead at Entersekt. He has been a software security champion for over 13 years. With a strong focus on sales and solutioning, he leads the technical sales arm of Entersekt North America with a breadth of expertise in payments and authentication. Prior to Entersekt, Bledsoe was a solution architect and sales engineer at VMware, working extensively on security and data loss prevention products. He is an active member of the U.S. Payments Forum and KinderGuardin, a non-profit internet safety organization providing online security education for children and young adults.