Comment: Can payment security and seamless shopping go hand in hand?

In retail it is important to know that when you accept an electronic payment, you are going to be paid. A critical part of this is knowing that the presenter of the payment is who they say they are and that they are able to authorise the debit from their account to pay for the goods or services. Over the years banks have found ways to check that it is their customer at the other end of a transaction and, looking forward, must find ways to deal with the same issue in a connected digital world. It is this challenge that is rapidly becoming the hot topic as we try to find the right balance between security and convenience.

Looking back over the years before electronic payments, people faced each other across counters and your signature on a cheque or credit card voucher was good enough; all the sales assistant had to worry about was that the signature matched the example on the reverse of the cheque guarantee or credit card. Sadly, this proved to be less than foolproof and we now employ alternative authentication methods based on the use of secrets that only the genuine customer should know. For face-to-face transactions, PIN replaced signature, and in the world of electronic payments, passwords and pass codes prevail.

The ever-increasing level of electronic or remote payments places a greater burden on these authentication methods. To match the demand we adapted processes that worked well in a largely paper-based world. These might not necessarily fit the modern digital way. A good example is the current 3D Secure protocol, which works well in authenticating customers but involves external procedures that add time and effort to the transaction process. A feature of its early adoption was the high level of customer abandonment, where customers chose not to go through the steps required to complete the sale.

Naturally, retailers don't want people to give up on a sale because the payment process is too hard to complete and many have found ways to reduce this friction with the ultimate experience being the one-click processes from the likes of Amazon and PayPal. These have proved so popular with consumers that everyone seems to want to find a way of replicating them. This would be fine if everyone took the same care screening transactions and getting to know their customers, but the fear is that in some cases too much attention is given to a seamless payment experience at the expense of security.

Fraudsters have increasingly found ways to exploit weaknesses in the processes we employ. The latest statistics from Financial Fraud UK show remote payment fraud reaching £331 million of which over £200 million was eCommerce. This is over half of the total fraud reported and represents a significant threat to the channels shoppers appear to want to use most. Still, it's important to put these figures in context – UK consumers spent £175 billion online in 2014.

It is in the best interests of all to address this fraud issue as quickly as possible and find ways to increase security in the digital channel. European industry regulators recognised this and have demanded protection through "strong customer authentication", defined as the use of any two of the following security factors: something you have (a card or token), something you know (password or PIN) or something you are (biometric). One of the factors must be dynamic, must not be re-usable (except in the case of inherence) and must be protected from theft.

An authentication process based on the above is not difficult to imagine, but most would agree that it is difficult to imagine a process that satisfies these requirements yet gives the customer the sort of friction-free process that they are becoming used to in electronic commerce. This balance between security and fraud prevention and the desire for a seamless shopping experience must be addressed across the ecosystem and involve all of the parties that now have a part to play.

Looking at the emerging landscape we can see that established practices that prove popular with consumers set a benchmark for convenience but may lack the strong authentication process defined by regulators. Does this make them less secure?

The simple answer is that they follow a different path to the simple binary checks associated with banking authentication. It is likely that they look at a more holistic assessment of risk, based on other things that may be known about the transaction and the customer.

There are other factors to be assessed, like location and device identity, or they may take into account an authentication process that sits outside of the payment. If the customer has a long-standing relationship with the retailer, they can do the same sort of transaction profiling that card issuers deploy to flag suspect transactions. Many of these factors can be checked in the background and need not require additional processing steps; they can help us come closer to that seamless, friction-free shopping process.

Looking beyond the traditional eCommerce transaction and into the world enabled by mobile devices, there are perhaps other opportunities to utilise someone else's authentication processes to support a payment. Why shouldn't it be possible to use the biometric authentication steps used to unlock the latest Apple and Samsung devices?

The use of these alternative factors cannot be ignored and may give opportunities to develop processes that are secure, in the sense that they go a long way to prove that the customer is who they say they are, yet still allow a seamless, friction-free checkout process. Fully developed and used correctly, they can contribute to an authentication process that is as strong as those defined in regulation.

If combining a broader range of authentication factors results in the reduction in fraud that we are all looking for, then we may just be able to balance that equation between security and convenience.

David Baker is head of the payment innovations unit for The UK Cards Association. He writes a regular column for Essential Retail on the evolving payments landscape and its impact on the retail industry.
