It’s sad and confusing. But I’d like to hope that there are some teachings we take away from this that aren’t all about risk and security. An overused phrase seems somehow appropriate for the situation - “Necessity is the mother of invention.” Because while this has been a difficult experience for many, there are situations where some organizations have taken the opportunity to once again, differentiate and demonstrate that they can rise above the chaos and confusion to do what they do best - focus on their customers.
Focus on the customer. For some institutions, this is not an easy concept to grasp, because the customer wants many things. As a consumer, I want to be protected, but I also want convenience. I want to have easy access to my account, but I don’t want anyone else to have it. I want to use it anytime, anywhere from any device, but please don’t ask me to remember a gazillion different numbers or make it harder to use or change my behavior in an extreme way. I like value. I’m willing to make trade-offs, but it needs to be obvious that it’s worth it.
After spending the past few days with a multitude of friends and family, it became clear to me that many institutions were not prepared to focus on the customer when she needed their help most. This was a confusing and perplexing situation. “Just because a card was used at Target, does that mean it was the subject of fraud?” “Should I panic?” “What should I do?” Horror stories. Cards cancelled and reissued. Cardholders not clear on why the card was reissued - “Was my card actually compromised?” “Is my bank just being proactive? “I don’t understand.” Customers not being clear on the situation. They didn’t think any fraud happened; yet they received a new card in the mail - from their issuer. Best case - some confusion. Worst case - massive frustration out of changing an account number, automated billing information and other inconveniences when they weren’t aware anything had gone wrong with their account - and no good explanation from their bank.
And then one of the worst situations. “I went online to look at my account and transactions would just disappear - pending transactions would be there one day, then go away. Several days later they would reappear. Sometimes I couldn’t log in - I assumed it was because of the heavy volume. Couldn’t get through to anyone to explain it to me. When I did get through, even the rep was confused. It’s a nightmare.”
A nightmare. The last thing you want to happen when you are worried that your card number could be stolen. Now, I understand that when 40 million card numbers are stolen, that will stress almost everyone’s system - call volumes, online transactions, inquiries, you name it. The systems are stressed. But guess what? Good teams also plan for peak volumes. They test for what it takes. They plan for emergencies and contingency plans. They have fraud monitoring that jumps into action - they aren’t figuring this stuff out for the first time. Or - they shouldn’t be. Every one of the mentioned cases was a large issuer, big bank. Banks that you think should have been prepared. They process massive volumes and service millions of customers through multiple channels. Massive failures are part of their planning process - not an afterthought.
But, not everyone had this experience. I know of another situation that was just the opposite, a “moment of truth” that became a moment of reassurance and confidence. The cardholder was able to log in from multiple devices - laptop, iPad, iPhone - all with ease and in a matter of seconds. Saw every transaction and no issues. Multiple times. No problems. She also needed to call customer service and expected long wait times - but was pleasantly surprised. She barely waited for a friendly representative to answer the phone. After expecting someone to be a little frazzled, perhaps frustrated or ready to end a long day, the customer service associate was helpful, answered every question and reassured her about the account - yes they were actively monitoring it, no need to worry, you aren’t liable for any charges, thanks for calling. What do you think her impression was of the current situation? Calm, confident, completely ready to keep using her card again and again and, of course, told everyone how well she was treated. And yes, this issuer prides itself on customer service as well as fraud protection (hint, begins with a D and sponsors the Orange Bowl).
What an amazing comparison! From fear and frustration to actual calm and confidence. I don’t believe the issuer that gave outstanding customer service took on any additional risk compared to the poor customer service banks. In fact, they have long-held industry-leading ratios for loan losses and received awards for fraud mitigation. I’m sure they were deluged with calls and online inquiries just as much as everyone else. They just chose to do whatever it took to handle the customer. Keep them for life. Make sure to address the risk while simultaneously helping the customer. It’s a fine line, but one that can be managed with finesse, appropriate investment and focus.
Another “customer” that has been long forgotten in this equation is the merchant. The small merchant. The sole proprietor who has poured their life into their business and works hard everyday providing valuable goods and services. Without them, we wouldn’t even need a payment device. There are examples where the industry chooses to make it difficult for this customer. We tend to want to thrust more rules, regulations, restrictions and penalties upon him - making it increasingly more expensive to run his business. It might not be the intent - we do it in the name of risk management - but it is the result. PCI compliance, EMV mandates, etc. etc. all require new equipment, more cost, new understanding - all with little payback for the small merchant who is rarely, if ever, the target of a large security breach.
However, once again, there are multiple examples of thriving innovations that exist because they solved crucial risk problems for small businesses. One of the most notable, and valuable, entities is Braintree. When it was difficult for online and digital merchants to deal with credit cards due to these compliance or other risk complexities, Braintree provided an elegant solution. They didn’t make their life harder - they allowed the merchant to focus on what they do best - selling stuff.
The U.S. is a massively diverse payment ecosystem unlike any other. We can’t do anything in a “one-size-fits-all” approach. If we try, opportunity arises for something to fill the gaps - whether it’s an innovator with a new idea, or a hacker trying to break the system in the hole that isn’t protected.
So, my hope for the new year is that the industry takes stock of what matters most and finds a way to reinvent solutions that continue to focus on the customer. I don’t believe we have to sacrifice ease of use and convenience for security. Or make things difficult to feel “safe.” Or fail to quantify retention and loyalty so that serving customers when they need us most becomes nearly impossible. I know it’s possible because some of the best and brightest companies are already delivering outstanding service and security and innovative solutions, despite the same challenges as their competitors.
This requires working together. Companies that focus on the customer don’t have risk and marketing operating in their separate corners. They partner together and collaborate with maniacal focus on how to quantify and qualify the impact to the customer in the short term and long term. Likewise, as an industry, we need to bring multiple solutions together to address fraud and security risk, optimizing for the situation at hand. Looking to our customers - consumers and merchants - as the ultimate endpoints to rapidly implement the answers. The longer it takes, the worse the solution.
Sound naÃ¯ve? Like a marketer advocating for new products to the head of risk? Maybe. But, I think it’s where the leaders will ultimately emerge. As an industry, we can work together on multiple fraud reduction tools and technologies, or continue to stand in our corners and fight it out. No one wins, except the ones committing fraud who take advantage of the constant weaknesses in the system. No one solution will fix everything - not EMV, not tokenization, not encryption. Nothing is 100 percent for an omnichannel world with rapidly changing technology. Fewer points of compromise (in other words, fewer hardware points to intercept) and less parties involved will help, but multiple solutions need to coexist to address what consumers and merchants need in our dynamic environment. I think the belief that one solution will address all channels or fraud is the naÃ¯ve POV. We can stick our heads in the sand, or do what we do best. Innovate and create, allowing multiple solutions to flourish.