When you turn on a light in your home, chances are the lamp meets the nationally recognized UL Standards, and says so on the tag. UL Marks are an industry standard that sellers and consumers know they can trust, as products that bear the Mark have been rigorously tested to ensure the greatest possible safety.
But lamps aren’t the only thing that’s safe with UL. The company, through its UL Transaction Security division, also helps acquirers, merchants, card brands and gateways scale faster and reduce time to market by eliminating the complexity of new interconnected and cashless technologies.
Like the UL Mark on lamp tags, an EMV-enabled point of sale lets customers know they’re safe – a concern that’s top of mind for many, as major data breaches continue to pile up. Consumers are more aware and anxious than ever, knowing how easy it would be for a fraudster to snap up their sensitive payments and identifying information without them ever noticing.
Top retailers realize they must give consumers peace of mind by enabling EMV. Ninety-six percent of the top 200 U.S. retailers are EMV-enabled, compared to only half of all other U.S. retailers.
Yet there is also a downside to the liability shift. Consumers may be safer from fraudsters when they shop in stores, but equivalent protections are not always in place online – and as EMV makes fraudulent activity more difficult in the physical world, online is exactly where criminals are taking their nefarious schemes.
Global commercial director Paul Provenzano at UL Transaction Security said this has been an unintended consequence of an otherwise positive development in payments.
Now, in a post-EMV world, the industry must navigate the complexities of protecting customers and their information in stores, on websites and in mobile apps. Provenzano spoke with PYMNTS about how fraudsters are finding chinks in the armor, and what it will take for consumers to be protected no matter where or how they shop.
The Path of Least Resistance
Small to medium-sized businesses (SMBs) and online channels continue to provide an easier route for fraudsters, Provenzano said.
He noted that many online retailers take the “it won’t happen to me” view – until it actually happens to them. It’s so easy for bad guys to get stolen credentials these days, he said; they no longer have to go on the Dark Web to acquire them. Merchants can’t afford to take such a cavalier view of online security.
In addition to classic phishing attacks, Provenzano added that fraudsters are constantly coming up with new ways to commit fraud online. There are many creative methods through which these players can convince customers to enter their credentials in places where they shouldn’t.
The new and improved online payments security protocol, 3-D Secure 2.0, will definitely help solve online fraud issues, he said – as long as merchants are willing to adopt it.
But mom-and-pop shops may have a harder road ahead. These businesses may not have (and may not be able to afford) EMV chip readers. They also may not have the resources to attain better visibility into the incidents occurring within their own systems.
Provenzano said UL helps these SMBs make the best use of their resources by revealing gaps or blind spots in the system, both from a consumer standpoint and from a back-end infrastructure perspective.
Retail’s Balancing Act
The question every merchant is trying to answer is how to balance security with convenience. An essential ingredient in the commerce value orchestration is the ability to authenticate consumers by deploying state-of-the-art solutions.
An organization, said Provenzano, can have the most secure system in the world – absolutely airtight against fraudsters – but if it’s not consumer-friendly, no one will use it. The more rigorous the security, he said, the more complexity required on the backside, which can translate into a cumbersome user experience.
Conversely, if the system is easy to access and use, but there’s no confidence that data entered into the system is protected or secure, that too will discourage adoption. There’s a lot of pressure on merchants to create a frictionless path to purchase, yet actually delivering an experience that’s truly devoid of friction may be antithetical to delivering one that’s secure.
In short, delivering either security or convenience across channels is complex enough; delivering both is a nut that the retail industry is still trying to crack.
Provenzano noted that providing customers with a smooth omnichannel experience is a key component of meeting evolving customer demand. However, seamlessness takes work. The challenge for retailers, he said, is to manage that complexity – across channels and throughout the supply chain.
The Future of Authentication and ID Verification
Part of engaging an omnichannel strategy is understanding the different protocols, said Provenzano. EMV offers effective card protection at in-person points of sale, while 3-D Secure does the same online.
But it’s also about understanding different form factors, and how authentication and identity verification methods play on different channels.
For instance, he said, biometrics can be an advantageous method on mobile because the user’s thumb is already next to the button that can scan his fingerprint. This creates an experience that is both simple – placing few obstacles between the customer and a purchase decision – and secure, introducing confidence by leveraging a tactic that most consumers have come to embrace as secure.
However, this would not feel natural to use on a desktop website. Finding a way to scan someone’s fingerprint on a computer would introduce an additional challenge rather than simplifying the experience, while going a different route (such as scanning the user’s retina) could feel invasive.
That’s why Provenzano said online retailers must turn to 3-D Secure to validate and protect. Cobbling together their own solutions can make things easier for fraudsters, he said, because organizations can easily lose sight of their true vulnerabilities or mentally place channels in silos, leading to an emphasis on one channel over the rest.
“Fraud hits the segments that are most vulnerable,” Provenzano said, and the data shows “there are still channels and opportunities to tighten security down.”