The degree to which COVID-19 has converted consumers to digital channels is very visible with a quick glance at the data. Tim Horton, head of global merchant security and fraud solutions at Fiserv, told a recent PYMNTS Masterclass that online purchases have more than doubled year on year in the general retail segment, while online grocery sales have surged by 250 percent.
A plethora of new digital shoppers are driving such numbers, Horton said, and many of them are older consumers who had been sitting out digital commerce until COVID-19 hit but are now pivoting decisively toward it. “We’re expecting to see more than 8 million new digital buyers over the age of 45 by the end of 2020,” Horton said.
He called that “an astonishing number” that represents a massive opportunity for merchants who are themselves making eCommerce pivots and designing their digital engagement strategies. But Horton said it presents a big challenge as well, as the great surge of online consumers has come with an equally great surge of online fraudsters looking to lift the newbies’ data.
He added that the bad guys aren’t just looking for the card numbers that cybercriminals of yesteryear sought. Instead, they’re looking for the vast troves of personally identifiable information (PII) that merchants are building up as their client bases become more digital.
Protecting all of that data requires a multilayered core competency that every merchant must develop, Horton said. The fraudsters will keep coming, and merchants who can’t provide protection will find themselves on the wrong side of their legitimate customers (and facing fines from regulators).
The New Data Black Market
When consumers simply go into stores and pay cash, they exchange almost no information with merchants, Horton noted. Consumers inject little data into the transaction when they pay in-store with cards.
But put the same consumer online and the story is very different. “Online, they are providing payment credentials, a delivery address and very likely have created an account with the retailer,” he said. “That has an account name and password that includes an email address and information like when their birthday is. This added information is sought after by criminals and is becoming increasingly valuable in a digital-first world.”
In fact, it’s becoming more valuable than card information itself. Horton said that on the dark web, PII goes for five times more than stolen card numbers do because there are many ways for hackers to use the information.
For example, the bad guys can use it to impersonate good consumers and undertake account takeover fraud, or they can trick systems entirely and create synthetic identities that can open cards, take out loans and even start mortgages.
Consumers Demand Fraud Protection
That’s bad for consumers — and bad for merchants. Fiserv has found that consumers view merchants’ ability to protect personal data as a key differentiator when deciding what companies they’ll do business with.
“We have data that shows 40 percent of consumers feel that they would not continue to do business with merchants who they have deemed irresponsible with data collection and storage,” Horton said. “Businesses must prioritize security of personal customer data not only to prevent financial loss, but to preserve the trust of their consumer as businesses work to keep personally identifiable information out of the hands of cybercriminals.”
What’s Needed: A Multilayered Approach
The problem is that fraud isn’t just a single-source issue, particularly in the rapidly evolving digital-first era. Instead, it tends to come in from all sides, affecting every part of the commerce journey.
Horton said that means merchants need technology partners who understand how new threats are forming on the horizon and have multilayered approaches to stop cyberattacks before they start.
“A multilayered approach to security is protecting data in motion, at rest and in use,” he said. “The common technologies to accomplish this are really a combination of encryption and tokenization.”
He said those are approaches that merchants need to adopt not only to secure their customers’ trust, but to remain compliant as governments become more and more strict regulating how consumer information is harvested and protected.
The costs of getting it wrong are big, Horton said. For instance, Europe’s GDPR law can see firms fined up to 4 percent of gross revenues for not properly protecting data. And while America doesn’t have a national law of similar force, California’s new statewide privacy law carries steep consequences for those who don’t properly shepherd Golden State residents’ data.
There’s No Time To Waste
Merchants have had to rush to catch up to a world that’s suddenly digitizing much faster than expected, Horton said. But he added that part of that has to involve securing customer data with multilayer approaches.
“The world isn’t going to go backward,” Horton said. “Merchants need to upgrade their security for today — [and] with an eye toward what’s coming next.”