Mitigating fraud in the age of BOPIS: Where retailers can make a change

Study: Consumers Rely on Context when Sharing Information/information security, personal information theft, consumer trust, retail security

December 7, 2020

The world of retail has changed drastically over the past few months, and with that how retailers worked to ensure their customers were protected when making purchases online became an even higher priority.

Before the pandemic, buy online, pickup in store (BOPIS) became hugely popular to consumers who didn’t want to have to wait for items to be delivered, pay for shipping or for those that wanted to avoid shopping in store altogether. And, as COVID took over the world, retailers shifted their focus to ensure BOPIS was something they could capitalize on. In fact, data from Rakuten Intelligence found that for grocery orders, BOPIS saw an 82.8% growth surge. However, as retailers adopted BOPIS, its rise flipped a switch and increased opportunities for fraudsters, enabling them to use stolen credit card information to make purchases online and then simply arrive at the store to pick up the item.

So what can retailers do to ensure their customers are staying safe? Here are a few things to consider:

Retailers need to anticipate fraud schemes & put in extra measures for proof of identification in-store

The increase in online transactions has given fraudsters more opportunities to disguise their online presence, which warrants the need for increased investments in securing digital channels and proving identities once in-store.

At first, retailers introduced BOPIS to help align with consumer preferences such as not wanting to wait for delivery or pay for shipping, but as the number of COVID cases in the U.S. spiked, BOPIS also helped retailers limit the number of patrons shopping in a store at any given time. Now as the country reopens and retailers make plans to ensure the safety of the shoppers in their community, BOPIS will continue to be utilized widely.

It is important that retailers have security measures in places that allow them to either stop fraudsters in the act when making online purchases, or at least be able to catch them when attempting to pick up a purchase in-store. In order for a retailer to ensure the trust of their customers when shopping online, they need to provide the highest standard in online payment solutions, which will hopefully be able to mitigate fraud off the bat. However, this isn’t always the case.

When fraudsters use stolen credit card information to make purchases online, most times they are able to arrive at the store to pick up the item, only obligated to show a receipt or QR code, not a driver’s license or other proof of identification. With the amount of online fraud increasing nearly 20%, retailers need to ensure that proof of identification measures are in place for in-store pickups. This could be by showing a driver’s license that matches the name on the credit card receipt or securely registering a proxy to pick up the items, with the understanding that that individual would also have to provide identification when picking up the item.

Utilize tokenization for online purchases so that fraudsters can’t get ahold of credit card numbers

As the world phases into its new normal, it’s important that those working with retailers understand what is critical from a security perspective. The first line of managing fraud is to make sure that fraudsters can be caught when trying to initiate a transaction.

To that end, a significant security measure that could be adopted more widely is tokenization. Tokenization is a measure that protects sensitive information like credit card numbers from being accessible to fraudsters. Using randomly generated tokens in place of a primary account number (PAN), this method prevents fraudsters from extracting credit card numbers and other sensitive data from online payment portals. The tokens are then used to provision payment cards into both issuer and third-party wallets without compromising the physical card or linked account. This then enables consumers to use their cell phones for payment when shopping in store or choose safely between cards that are linked to accounts (think Amazon) when making online purchases. A signification thing to note about tokenization is that tokens cannot be decrypted. The only way that fraudsters would be able to obtain the original information is if they had access to the information database, which is stored in a secured cloud token vault. From a security executive perspective, this is highly recommended security mechanism that should be applied. Even if a hacker does manage to work their way into a retailer’s system, there is nothing useful to steal.

Ensure that online payment solutions meet the highest security standards while balancing customer experience

In addition to tokenization, another security measure that retailers can look to incorporate into their businesses to reduce fraud is 3-D Secure. In 1999, 3-D Secure was developed as an authentication protocol for online credit card payments, and since its inception, it has been the de facto authentication standard. While initially it wasn’t adopted widely in the U.S. due to high cart abandonment from increased friction, it is now used by leading payments companies to ensure that retailers can prioritize security in tandem with user experience.

When consumers look to make a purchase, they are able to use their desktop or mobile device as an approved authentication device to ensure that the purchase is legitimate. By utilizing this measure, consumers are able to enjoy a sense of control over their purchases (wherever they may be) knowing that they can approve and monitor their purchases through their financial institution’s payment company (think Visa, Mastercard or American Express). This, in turn, helps online retailers capitalize on the added benefits of reduced cart abandonment and customer frustration during checkout that impacts brand loyalty.

As we continue to watch the ecommerce landscape adapt to a new normal, retailers need to be increasingly aware of the levels of digital activity and the mounting fraud attempts that come associated with that. Protecting customers should be considered a key element of customer experience, and in order to ensure customer loyalty, retailers and brands need to ensure their security measures are up to the standards of any other high priority customer experience initiative.

Praveksha Maharaj is the Digital Banking Product Manager at Entersekt, focused on mobile authentication and the omni-channel customer experience. Prior to working at Entersekt, she specialized in mobile banking and payments at BPC Banking Technology and ACI Worldwide, an international payments provider. She was instrumental in launching developing mobile and internet banking products for over 50 financial institutions internationally and launching an agent banking solution for underbanked markets.

In this webinar, we review the rise of cloud access control and access control as a service, its advantages and disadvantages, and how to select the optimal cloud access control solution for your company.

Security leaders need to accept and act on this reality and take measured and thoughtful steps to mitigate the risk and train staff about the growing likelihood of such violent incidents in their facilities and workplaces.