Consumers have a somewhat fickle relationship with security when it comes to transactions. Most report that they want security, and they are sincere in their reporting. However, as Kount Chief Customer Experience Officer Richard Stuppy noted, when it comes to actually policing their own transactional security and letting it drive their decisions, that desire doesn’t have all that much of an effect.
“Consumers know that, for most payment types, they aren’t going to be liable for the fraud if it happens, so it isn’t acting as a major inhibitor or influence on their thinking,” Stuppy said.
What moves the consumer, he explained, is the experience: what will work fastest, smoothest and with the fewest inconvenient clicks or data-entry stutter steps between them and their goal. It is why, he noted, we see stats like the latest data in the January edition of the Kount and PYMNTS Mobile Order-Ahead Tracker, which found that only 32 percent of customers are using mobile order-ahead, and only 28 percent are paying in-app. This isn’t so much a security gap as a convenience gap.
Customers like mobile order-ahead, but only when the quick-service restaurants (QSRs) in question have optimized it for their use.
For example, many payment options favored by consumers have not been implemented by QSRs, which “have instead been sticking with a long-standing tradition that a few big players put into place of only using a reloadable card to pay for mobile orders,” he said. “It is only recently that we’ve seen more going multi-tender over [the] top of that reloadable gift card embedded in the app, and it was hard to get there.”
The real lesson, he added, is that mobile order-ahead — and all its functionality — has the potential to be a transformative force in the QSR space, but there is still quite a bit to be done on the security and experience side for it to live up to that potential.
The Three Main Challenges
When it comes time to build out functionality around mobile order-ahead, and to make it secure and functional, Stuppy said, three main questions are critical. The first is the technical question: whether the cybersecurity element is placed correctly, and designed so that the app will function in a stable and secure manner. The second is the experience question: what it will be like for a consumer to use this secure system, and whether it will be the “fantastically delightful” journey through digital space that the firm is hoping to build.
The final question is the hardest one: Are we bringing a future-oriented security mindset to make steps one and two sufficient for the challenges ahead? That last step, aside from being the hardest, is also the most critical and determinative of what the future will look like from both a security and consumer experience point of view.
“What firms have to realize is that the bad guys don’t think the way that they do, and no matter how much technology and process you put in place, fraudsters will try to use that exact infrastructure against you to steal from you,” he said. “And you have to say the same thing to the customer experience teams — the smoother and easier you make this for a good customer, the more tempted a bad one is going to be to try to leverage it against you.”
The fraud mindset is simple, he noted. How do we bring all these elements together and put controls in place so that firms can protect the investments they are making in adding order-ahead experiences, and not have them be ruined and destroyed by fraud?
As Kount has increasingly seen, fraud comes on many fronts, and QSRs have reason to be concerned about protecting themselves.
Power A Holistic Approach
One would be surprised, Stuppy noted, at just how many law-abiding people out there are willing to be accessories to fraud when it comes to their next QSR orders. Kount is seeing an increasing wave that involves what he called “plugs,” which are often referred to under the umbrella term of coupon fraud.
The idea is that consumers can head to a “plug” site and be offered the ability to pay a small amount of money — maybe $10 or so — for an order of $50 worth of food from DoorDash, Grubhub or a local restaurant. The plug is paid for by some other fraudulent activity — maybe there is a stolen credit card powering the account, maybe it is a hacked account that has been taken over or maybe it is a fraudster who has figured out how to crack and exploit a loyalty offer to maximum resale effect.
The point is that these aren’t hidden QSR fraud hangouts buried on the dark web, accessible only with a bitcoin wallet and the will to commit cybercrime. These are sites findable by search, and paid for with the standard payment methods people would have used to order legitimately.
“People are blindly participating in this, and it is a real challenge,” Stuppy said.
A challenge, but one that Kount believes can ultimately be defeated with a fraud mindset, trained to look for the loopholes that exploiters and crooks use to turn security and engagement tools back on those who put them into place. The goal, though, isn’t to throw the baby out with the bathwater — or for QSRs to start unplugging mobile ordering en masse.
It does mean, however, that it is time to start rethinking how to secure those orders, end to end, in the context of that smoothed-out customer journey.