Hackers and fraudsters are forever thinking up new ways to obtain credit card and payment information for personal profit, and merchants all too often make their jobs easy for them. For example, just a few weeks ago, two analysts discovered security flaws on Alibaba.com that may have exposed the personal data of millions of people. So why, after 30 years of B2C ecommerce activity, is payment fraud still so prevalent? And more importantly, what can be done to stop it?
Problem 1: Security vs. User Experience
The biggest reason that this type of fraud continues seemingly unabated is that, in most cases, the more secure the transaction, the worse the customer experience. Merchants could make their transactions nearly 100% secure by requiring customers to input long series of personal details, but this time-consuming task would destroy the user experience and inevitably drive most shoppers to take their business elsewhere. Some merchants, like Uber, have argued that even simple two-factor authentication negatively affects their conversion rate.
Recent technological advances are helping to improve the user experience while also maintaining high security standards. To date, these advances are best represented in Apple Pay, a very secure payment method that combines an improved two-factor authentication process with ‘tokenization,’ allowing customers to make credit card purchases without revealing their card number to the merchant. In fact, no credit card information is stored on the iPhone. Instead, it randomly generates a single-use, 16-digit number for each transaction – one that only the credit card network can map back to the corresponding account. Because it can only be used once, each number is worthless to hackers.
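As an added illustration (not part of the original article, and not Apple's or any card network's code), the following Python example models the single-use token scheme as described above: a random 16-digit number stands in for the card number, only the network-side vault can map it back, and a second use is refused. The names TokenVault and authorize and the test card number are assumptions made for the example.

```python
import secrets


class TokenVault:
    """Hypothetical stand-in for the card network's token service."""

    def __init__(self):
        self._live = {}      # token -> card number; only the vault holds this map
        self._spent = set()  # tokens that have already been redeemed

    def issue(self, pan: str) -> str:
        """Return a fresh random 16-digit token valid for one transaction."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._live and token not in self._spent:
                self._live[token] = pan
                return token

    def redeem(self, token: str) -> str:
        """Map a token back to its card number exactly once."""
        if token in self._spent:
            raise ValueError("token already used (possible replay)")
        pan = self._live.pop(token, None)
        if pan is None:
            raise ValueError("unknown token")
        self._spent.add(token)
        return pan


def authorize(vault: TokenVault, token: str, amount_cents: int) -> dict:
    """Network-side authorization: the merchant only ever forwards the token."""
    try:
        pan = vault.redeem(token)
    except ValueError as exc:
        return {"approved": False, "reason": str(exc)}
    return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


def demo():
    vault = TokenVault()
    pan = "4111111111111111"                 # constructed test card number
    token = vault.issue(pan)                 # what the merchant receives
    first = authorize(vault, token, 2500)    # legitimate purchase
    replay = authorize(vault, token, 2500)   # same token presented again
    return token, first, replay


if __name__ == "__main__":
    print(demo())
```

A merchant database that stores only such tokens holds nothing that can be charged a second time, which is why the article calls a stolen token worthless.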
Problem 2: Globalization
It is much easier for an online retailer to provide secure transactions if it only conducts business within its own borders, but considering the massive revenue potential of global ecommerce, isolationism is not a recommended option. As such, merchants must understand that each country has its own payment methods and local banks, and that the fraud mitigation methods that work in its home nation may not apply to other regions.
Merchants cannot rely on their domestic acquiring bank if they want to take their business international. It is crucial that they establish relationships with providers based in each country where they want to conduct business – acquirers who are familiar with the region, the local e-wallets/payment methods and the security features of each.
Problem 3: Social Networking
A surprising number of people feel comfortable sharing nearly everything about themselves on social networks like Facebook and Twitter. Unfortunately, they don’t realize that the private information they post online can be used maliciously, sometimes in ways they would never suspect. For example, one of our customers recently encountered a fraudster who operated by placing deliveries to other people’s houses, waiting outside for the delivery trucks to arrive, and then stealing the packages off the porch! An experienced fraudster knows exactly how to find the information he needs, and sites like Facebook make it easy to learn the address, maiden name, roommate/living situation and daily schedule of a potential victim.
Merchants of course have no control over what their customers do on social networks. However, there are now companies that provide risk management for merchants, mitigating and evaluating risk for suspicious transactions. Companies like Riskified use analysis and fraud detection methods to review questionable orders, provide the merchant with an ‘Approve’ or ‘Decline’ recommendation, and then cover the chargeback fee for any fraudulent charges they fail to identify.
In conclusion, there is unfortunately no one security vendor that can solve all of these problems, so a combination may be a necessity. However, the best way that a merchant can protect itself and its customers from payment fraud is simply to be smart, dynamic and willing to evolve over time. Remember: nobody had even heard of Apple Pay two months ago, and now it’s in the news every day! We will likely see many other companies adding enhanced security capabilities to their merchant solutions over the next year.
Ronen Morecki is Founder and CTO of Zooz.