Visa and IBM’s recent announcement about their “Genius of Things” initiative highlighted their intention to make some 30 billion connected devices a point-of-sale (POS) opportunity over the next three years, while also reminding us of the importance of securing the data and privacy of those transactions for consumers, businesses and other relying parties.
That broad topic — keeping data safe and private — was the topic of last week’s PYMNTS Topic TBD, a conversation that Melissa Townsley, CEO of GIACT, described as a “blessing for consumers but potentially a curse for merchants that enable commerce through their app or online.”
The Authentication Balancing Act
Just based on the number of breaches in the U.S. in 2015 alone, Townsley said 29 million personal records were breached and approximately 858 breaches were made public. That, she said, means that there are a lot of fraudsters that have consumers’ and businesses’ personal information and can use that data to create and use synthetic identities in the pursuit of commerce at the legitimate accountholder’s expense.
“I think it’s really the greatest challenge that’s facing our marketplace today, but yet, it’s a basic prerequisite for anybody that’s doing business via an app or online — being able to recognize a good customer without creating friction and offending that good customer,” she said.
Townsley went on to say that the challenge for merchants in securing so many distributed devices is knowing both the device and the associated identity, as well as recognizing different events through the lifecycle from the time a person signs on to a website or an app to the time they log out.
“That provides both traditional and non-traditional information that, we like to say, covers the floor with traps so the fraudsters don’t know where the real authentication happens,” she explained.
More Data, More Problems
As fraudsters continue to gain access to more personally identifiable information, it becomes more complicated to safeguard against account takeovers and synthetic identities, Townsley continued, creating an even bigger challenge when the right tools aren’t in place to keep that data from being breached, stolen and sold.
“I think that it even becomes more complicated, and it really makes the single point of authentication almost obsolete because no longer can you just tie that identity to a device. You’re going to have to use alternative data and non-traditional information to stay ahead of the curve of fraud,” Townsley said.
That is especially true when it comes to using connected devices that are focused on providing a convenient experience — re-authenticating an identity on a device is a friction that merchants can’t afford to pass onto their consumers.
“It’s more important now than ever to do business online, be competitive and not to lose consumers to your competitor by having a process where the consumer is not even aware that the checks and balances are being done and that the fraud and risk is being controlled,” Townsley explained.
In this type of process, a merchant would only issue additional authentications to confirm a consumer’s identity if the fraud and risk solution observes several red flags.
Townsley noted the importance of a multi-faceted process that looks at multiple points to help a merchant authenticate and build a triangle of trust around that consumer.
“You can’t build your solution on a device or a card; you have to build it around that consumer,” she pointed out.
Powering Alternative Data
More than one-third of Americans have three or more devices and multiple email addresses that they are tied to, which is why Townsley said building a solution around the customer is key.
It allows that customer to seamlessly move from device to device but also seamlessly through different platforms and merchants to do business.
Townsley shared her own first-hand experience of what happens when that is not the case. She was declined while shopping with a merchant on an iPad that is typically used to make purchases by her husband. Despite the fact that the device is registered to her, the retailer didn’t use any alternative fact-based information to authenticate that she was tied to the device and issued a false decline.
By building out the identification of the device around Townsley’s husband’s information, the merchant declined her and lost out on what would have been a good transaction.
“You have to be able to bring in other information — alternative and non-traditional data that most people have not used in the past — to really know that a consumer is who they say they are, and you have to build multiple components,” she explained.