For Retailers, Guarding The Consumer (Data)


Account takeovers are on the rise, and retailers face the dual challenge of keeping consumer data safe while making sure authentication processes are not so daunting that those same consumers leave in the middle of a transaction. Vesta CMO Tom Byrnes offered thoughts on logins, fraud and shopping cart abandonment.

Online fraud is no small problem for merchants, but a significant number of retailers do not spend enough time on the dual goals of streamlining the consumer data experience while weeding out possible fraudulent transactions. PYMNTS asked Tom Byrnes, chief marketing officer at Vesta, to weigh in on the battleground of account takeovers and what can be done to protect sales and boost customer loyalty.

Fewer than half of merchants have taken additional steps for account authentication solutions beyond standard login details. Why? Is there lack of awareness of security risks? Are they concerned that additional steps in authentication will result in shopping cart abandonment?

While not all merchants are alike, most are increasingly interested in delivering as frictionless a consumer data experience as possible.

But differing consumer expectations around the issue of security present a challenge for retailers. Consumers can be happy to have multiple factors of authentication for their 401k or bank account in the belief that they are “protecting” their hard-earned assets. But when an eCommerce retailer can’t facilitate a purchase in a simple flow of one or two clicks, consumers become frustrated and may abandon purchases.

Variable product mixes can make that simple, low-friction checkout experience a challenge for merchants to engineer correctly. One merchant may offer low-risk physical goods (like basketball or baseball gear) and simultaneously offer high-risk physical (consumer electronics) or digital goods (eTickets).

Processing an order for a physical good can offer a buffer of a few hours for order review, even with a promise of same-day fulfillment, but a digital good requires sub-second decisioning and fulfillment. And once you press “send” on fulfilling a digital goods order, it’s gone. Given this disparity, it’s hard for merchants to build or find a one-size-fits-all approach to ensure the integrity of these diverse transactions.

Still other merchants focus on narrower product mixes, offering strictly physical or digital goods to their customers. Though they may not contend with the challenges posed by multiple product categories, these merchants remain concerned about revenue loss stemming from friction in customer/user flows.

While many merchants are taking steps toward increased authentication to protect against the growing sophistication of fraudsters’ attacks, they must also balance those safeguards against the realities of consumers’ high expectations.

What are the consumer behaviors that should be monitored most closely online — and might signal fraudulent transactions? How can merchants be more vigilant on the watchfulness front?

A sound fraud fighting system monitors and learns from behavioral dynamics in consumer data purchase patterns.

For instance, if a merchant receives a completed order form in a few seconds, there’s a strong chance that a bot (operated by a fraudster) is attempting a fraudulent purchase. Depending on the complexity and detail of the order form, it should take a competent, authentic user a longer period of time to complete and submit said form. This is particularly true for customers who may need to check the FAQs section, double-check a product or pause mid-order to go get their wallet.

In addition, when fraud actors attack, they realize that they may only get one shot to grab the golden goose before they’re locked out forever. As such, in addition to placing orders of reasonable volume and ticket size to blend in, they’ll frequently place high-volume orders, especially when attempting to order higher-risk goods, like fashion items, consumer electronics, jewelry or expensive digital goods (like high-value gift cards or eTickets). So, if you see an order for 15 $700 handbags, that’s a clear signal that it’s probably not a “real” customer.

Other behavioral indicators, or questions that a solid fraud fighting system should ask: Is the user attempting to access the account from an unrecognized device? Is there inconsistency between the IP address or geo-location of the purchasing device and the account billing or residential address? Is the user purchasing a good from a category he or she has never viewed before?

Merchants can protect themselves by closely monitoring these behavioral dynamics across their platforms and adjusting their fraud filters to flag transactions accordingly.
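The behavioral signals described above, turned into a simple rule-based order scorer. This is an added illustration, not Vesta's system or code from the interview; the thresholds, category names, field names and sample orders are constructed assumptions.

```python
from dataclasses import dataclass, field

# Categories the interview names as frequent targets for high-volume fraud orders (assumed labels).
HIGH_RISK_CATEGORIES = {"fashion", "electronics", "jewelry", "gift_card", "eticket"}

@dataclass
class Order:
    account_id: str
    fill_seconds: float      # time from order-form load to submit
    category: str
    quantity: int
    unit_price: float
    device_id: str
    ip_country: str          # country derived from the purchasing device's IP
    billing_country: str     # country of the account's billing address

@dataclass
class AccountHistory:
    known_devices: set = field(default_factory=set)
    viewed_categories: set = field(default_factory=set)

def score_order(order, history, min_fill_seconds=10.0, bulk_value=2000.0):
    """Return (signal_count, reasons); each reason is one behavioral signal from the interview."""
    reasons = []
    if order.fill_seconds < min_fill_seconds:          # a form submitted in seconds suggests a bot
        reasons.append("form completed too fast")
    if order.category in HIGH_RISK_CATEGORIES and order.quantity * order.unit_price >= bulk_value:
        reasons.append("high-volume order of high-risk goods")  # e.g. 15 x $700 handbags
    if order.device_id not in history.known_devices:
        reasons.append("unrecognized device")
    if order.ip_country != order.billing_country:
        reasons.append("IP geolocation does not match billing address")
    if order.category not in history.viewed_categories:
        reasons.append("category never viewed before")
    return len(reasons), reasons

def decide(order, history, review_at=2, block_at=3):
    """Map the signal count to an action; thresholds are assumed, a merchant would tune them."""
    count, reasons = score_order(order, history)
    if count >= block_at:
        return "block", reasons
    if count >= review_at:
        return "review", reasons
    return "accept", reasons

# Constructed sample data: one established account, one routine order, one suspicious order.
HISTORY = AccountHistory(known_devices={"dev-a1"}, viewed_categories={"sporting_goods", "fashion"})
LEGIT = Order("acct-42", 95.0, "sporting_goods", 1, 60.0, "dev-a1", "US", "US")
HANDBAGS = Order("acct-42", 4.0, "fashion", 15, 700.0, "dev-zz", "RO", "US")

if __name__ == "__main__":
    for o in (LEGIT, HANDBAGS):
        print(o.category, o.quantity, decide(o, HISTORY))
```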

Why the discrepancy between “worth” on the black market between compromised accounts at $3 and credit cards at $0.22? We’ll assume longevity in the account versus the card as cyberthieves look to commit fraud. But could you give a sense of the scope of damage that can be done with a compromised account?

Think of a compromised account as a Trojan horse. It’s a “guaranteed in” for fraudsters and could contain a host of consumer data that could be misused, because the account already has a proven track record of reliable purchases and payments. While a single credit card number provides one payment method (and could even be cancelled at or before the time of the black market purchase), a compromised account could contain other identifiers, like phone numbers or answers to secret questions, that could be misused toward additional fraudulent purchases or activity. In cases like this, fraudsters can even “add” a new, stolen payment device and change the “ship to” field to leverage the “good” customer identity for illegal purchases.

What’s more, an account in good standing is trusted by merchants and likely to receive very favorable purchase decisions with limited scrutiny, opening the floodgates for fraudsters looking to go on a shopping spree. And if the host site of the account in question utilizes any social aspect or facilitates P2P transactions between users, that account’s previous standing on the platform could be abused by fraudsters looking to make a buck.

What is the awareness level of merchants when it comes to tokenization and authentication? What misconceptions might be out there about adopting this technology in terms of additional hardware/software/processes? How can Vesta and others go about educating merchants and allaying their concerns — and how can this be shown as a useful solution as mobile devices increasingly grab a slice of the commerce/eCommerce pie?

Merchant tokenization and authentication knowledge is growing, and speaking broadly, the sophistication and depth of that understanding scales proportionately with the size of the merchant in question.

While everyone understands the basic concept of masking credit card information, some merchants aren’t aware that tokenization is handled “upstream,” by payment processors or ISOs who bundle the technology of other service providers and ultimately bear responsibility for protecting cardholder data. And some merchants don’t understand the different forms of tokenization employed today, as they can differ by channel, permanence and other factors.

Vesta is the only company to offer an integrated payments/risk solution that fully guarantees accepted transactions, eliminating fraud and chargebacks for merchants. We aim to be a “one-stop shop” for our clients’ payments and risk management needs. As payment threats increase in sophistication, complexity and frequency, it can be difficult for in-house fraud departments to keep up. We include PCI support in our comprehensive offering to reduce compliance burdens on merchants and enable them to focus on growing their business.
