Mcommerce: How can your purchasing process be both simple and secure?

21st Aug 2014

With one in seven European smartphone users having completed a retail transaction on their mobile phone, and this number set to rise further in 2014, organisations are increasingly aware of the importance of mcommerce.

Indeed, in a study of 2,000 brands by Kount, the mobile channel accounted for an average of 20% of their business – double that of the previous year.

However, engaging consumers through mobile is very different to traditional ecommerce, and has a very different set of requirements – and this is especially true when it comes to payment.

“Clearly mobile commerce is a source of tremendous opportunity for online retailers and their focus on this channel has grown considerably each year,” said Don Bush, vice president of marketing at Kount. “Merchants also realise that fraud follows opportunity, and there may be no greater opportunity for fraud today than in mobile.”

It’s a double-edged sword for retailers, because overly prescriptive security measures can serve to discourage consumers from continuing with their purchase, yet there is understandably great concern about the potential for fraudulent attacks.

The latest findings from the 2nd Annual Mobile Payments and Fraud Survey demonstrate how businesses view the mobile channel as both an opportunity and, because of its security risks, a challenge. The survey of 1,000 merchants found:

  • 66% of merchants surveyed now actively support mobile – up by 30% year-to-year.
  • 32% see mobile as riskier than standard ecommerce – up from 24% the previous year.
  • Merchants that believe standard ecommerce fraud processes are enough for managing mobile channel risk fell from 37 to 26% since the inaugural survey.
  • 32% say fraud prevention specific to mobile is increasingly necessary – nearly double the sentiment of the previous year’s responses.

So, what can organisations do to make sure they get their mobile payment strategy right? How can they ensure they strike the right balance between making it easy for consumers to purchase, while reducing the risk of fraud?

James Hunt, associate principal in CyberSource’s managed risk services team, shares the following eight tips:

1. Understand new trends in customer behaviour

Historically, ecommerce transactions have been made during core business hours but the widespread use of tablets and smartphones has seen a radical change in consumer buying patterns, with the peak buying time for these types of devices taking place between 8pm and 9pm. 

Applying rigid fraud rules outside of normal business hours may impede your mobile strategy and needs to be assessed appropriately. Consumers now use multiple devices at home, and often switch between smartphones, tablets and PCs when purchasing goods. Once you understand your customer, you can then adapt your rules to take into account new personal habits and behaviours.

2. Understand what data isn’t available

Technologies such as IP geolocation have traditionally worked well to track a consumer’s physical location at the time of a purchase, but they can become completely redundant when a mobile device is not connected to a Wi-Fi network. In this instance, the device’s location would show as the mobile operator’s, which isn’t much help if you are attempting to confirm the owner’s location.

3. Understand the device

Device fingerprinting is an incredibly useful way of identifying the PC or laptop that the purchase is being made from. It collects a range of information that can help to determine whether the customer is legitimate, including installed applications, software updates, the time zone of the device and whether features such as JavaScript are turned on for the device.

But device fingerprinting is not as reliable when it comes to mobile devices. Unlike PCs and laptops, limited information can be collected from smartphones and tablets – which makes it difficult to collect the most valuable data.  Ensure that you amend and adapt your fraud rules accordingly to account for this. 

4. Understand the location

Given the nomadic nature of mobile devices, it can be difficult to pinpoint exactly where a purchase originates from. Capturing the GPS location will certainly help when it comes to comparing details such as billing and shipping address proximities. Wherever possible try to collect GPS data to enhance your fraud screening rules.

5. Use all data available

If possible, also capture the IMEI and UUID numbers of the mobile device (a phone’s unique identity numbers). These can be another useful tracking element to compare against addresses or credit card numbers. If you have a device that has made multiple purchases with the same card, then this can represent much lower risk. However, a device that has attempted to use six different cards to conduct a purchase will need further investigation.
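The device-to-card comparison described in this tip can be expressed as a simple screening rule. The sketch below is an added example, not code from the article or from any of the vendors quoted. The field names, the `TRUSTED_REPEATS` value and the sample orders are assumptions, and the review threshold of six is taken from the article's illustration rather than a recommended setting.

```python
from collections import defaultdict

REVIEW_THRESHOLD = 6  # distinct cards per device; the article's illustrative figure
TRUSTED_REPEATS = 2   # assumed: this many orders on one card counts as lower risk

# Constructed sample orders. device_id stands in for an identifier derived from
# the IMEI/UUID; card_token is a payment-provider token, never the card number.
ORDERS = (
    [{"id": i, "channel": "mobile", "device_id": "dev-A", "card_token": "tok-1"}
     for i in (1, 2, 3)]
    + [{"id": 10 + i, "channel": "mobile", "device_id": "dev-B",
        "card_token": f"tok-{i}"} for i in range(2, 8)]
    + [{"id": 20, "channel": "mobile", "device_id": "dev-C", "card_token": "tok-8"},
       {"id": 21, "channel": "web", "device_id": None, "card_token": "tok-9"}]
)


def score_devices(orders, review_threshold=REVIEW_THRESHOLD):
    """Return ({device_id: verdict}, [ids of orders with no device identifier])."""
    cards = defaultdict(set)   # device -> distinct card tokens seen
    counts = defaultdict(int)  # device -> number of orders
    unscored = []
    for order in orders:
        device = order.get("device_id")
        if not device:
            # No identifier captured: this rule cannot score the order, so it
            # is handed to other rules instead of being rejected outright.
            unscored.append(order["id"])
            continue
        cards[device].add(order["card_token"])
        counts[device] += 1

    verdicts = {}
    for device, tokens in cards.items():
        if len(tokens) >= review_threshold:
            verdicts[device] = "review"       # many cards on one device
        elif len(tokens) == 1 and counts[device] >= TRUSTED_REPEATS:
            verdicts[device] = "lower_risk"   # repeat purchases, same card
        else:
            verdicts[device] = "neutral"
    return verdicts, unscored


if __name__ == "__main__":
    print(score_devices(ORDERS))
```

Orders that arrive without a device identifier are returned separately so that missing data is visible to the analyst rather than silently treated as low or high risk.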

6. Segregate orders, but don’t isolate them

Transactions made through mobile devices provide a goldmine of useful information. However, being able to compare these transactions alongside those from your call centre or website is where the real value lies. It can help you spot fraudsters migrating between different channels more quickly.

Take all the data available – or not available – and create a set of rules specific to mobile transactions. Your mobile fraud screening should then feed into the other orders being placed across the business. This will help you to compare their mobile purchasing information against other known data (such as the website or call centre) to detect further discrepancies.  

7. Monitor your data

How do you know if you are rejecting too many orders? You can’t manage what you can’t measure.  You need to be able to collect and analyse your data to make sure your rules are performing to the best of their ability. For instance, are the majority of your rejected transactions coming from mobile devices or call centre transactions? If they are from mobile devices, then perhaps your current rule set needs to be tweaked. Monitor your screening processes and don’t be afraid to make changes.

8. Be flexible, and accept more orders

Historically, the more changes in the data, the riskier the transaction. For instance, if a consumer makes a transaction on three or four different laptops, then further investigation should be carried out. But with consumers now using on average six devices at home, you will need to accommodate changing consumer habits.

Other advice

In addition to these tips, the importance of reassuring the customer cannot be overestimated. It is not only businesses that are concerned by the security implications of mobile, and if consumers don’t feel a mobile site is safe, they will not make a purchase.

“If a retailer has simply set up responsive payment pages to allow for mobile purchases, the risk of fraud is no greater.  However, it’s all about perception and consumers can feel less secure paying via a mobile device,” warns Chris Wade, head of marketing at Sage Pay.

“It's more important than ever to reassure them at each stage of their purchase. This can be done by including security logos and accreditations where possible. It’s also important to make sure your branding is consistent at every customer touch point.”

Gareth Mackown, mobile leader for IBM Global Business Services UK & Ireland, echoes these sentiments.

“Perception is really important,” he suggests. “Giving your customer the confidence that you are secure and that if there are any issues then you will deal with it, is a big part of it. That needs to be visible to customers in the way they interact with you through the mobile, as much as it is through any other channel.”

Guy Chiswick, managing director at Webloyalty Northern Europe, says:  “A simple piece of advice would be to use a proven service provider with fully tested systems, and then ensure that all staff are trained on how to use them so as to allay any customer concerns that may arise. Furthermore, it is also important to make the payment process clear and straightforward, with as few clickthroughs as possible, and perhaps even look into introducing digital wallet technologies.”

He adds: “Ensuring the highest quality of secure third party payment mechanisms can be costly - but not as costly as a data breach.”

In today’s mobile society the risk of fraud cannot be taken lightly, and organisations are now fully aware that the mobile site or app needs just as rigorous a security strategy as the website. Important steps such as those highlighted above can provide valuable guidance, and there are plenty of measures that organisations can take to keep themselves and their customers as safe as possible.

And in the longer-term, the good news is that the industry continues to evolve and security is becoming more robust.

“Particularly for a lot of retailers now, they’re not necessarily even taking the payment directly themselves, they’re using various plugins and third parties that will take the payments, so managing the fraud and risk in that situation is actually contained,” notes Mackown.

“I was at Wired Money last week, and if you look at some of the start-ups in the space, and some of those who are innovating and disrupting the space, they’re actually looking at solutions that can help retailers and merchants take away the pain of fraud and risk. There’s a huge amount of opportunity there, because retailers are currently turning down businesses because of the worry of fraud and they’re losing a lot of good business as a result of it. So there are evolving models in the space which are making it increasingly easier for retailers to focus on their core business, and not have to worry about some of the details around payments.

“Having said all of that, you should look at security all the way through, from the very point where you’re starting to design and think about things like implementation and testing and deployment. When you’re delivering mobile solutions you have to have that mindset as you’re building, particularly if there’s any transactional or financial information being exchanged, or even personal information. You really do need to make sure that you’re very security and privacy-conscious in your build on mobile. And as platforms change and evolve on mobile, so do these security standards.” 
