Security / PCI Compliance - Retail TouchPoints, Sun, 17 Nov 2019 22:20:25 -0500

Consumer Behavior Fuels Fraud And Retailers Need To Fight Back

Trying to provide customers with a simple, streamlined and frictionless interaction is a more-or-less universal goal. Every retailer wants to give customers a great experience that will have buyers coming back again and again. Unfortunately, the trend toward frictionless commerce has its downsides.

Consumers expect to receive products faster and pay less for them. In effect, we’ve created a culture of instant gratification surrounding online retail, and that fact holds consequences for consumers and retailers alike.

Entitlement And Lack of Education Mean More Risk

E-Commerce buyers have developed a disconnect between their expectations and their responsibilities as consumers. As a result, they often engage in unsafe behavior online, enabling fraudsters to carry out phishing attacks and other forms of fraud.

On the one hand, consumers are acutely aware of the risk online fraud represents. The average cardholder wants to be proactive about fraud risks. However, misunderstandings about the realities of online fraud, plus a lack of adherence to security best practices, means buyers are still vulnerable. They may be tricked into handing their sensitive information over to fraudsters via a phishing site, or someone impersonating a trusted individual like a family member or financial advisor.

We have a situation in which consumers feel entitled to a frictionless experience. Simultaneously, they’re very aware of online fraud, but don’t know how to protect themselves from it.

When consumers suspect fraud, they won’t hesitate to contact their bank to demand a chargeback. Of course, chargebacks exist as a form of consumer protection against fraud, so this isn’t a problem in theory. The issue is that consumers have little incentive to learn how to better secure their data.

We’re training customer expectations by reinforcing negative behaviors and fostering a culture in which consumers don’t understand the impact of their actions.

Simultaneously, customers expect to be entitled to a chargeback. This is a recipe for disaster…and merchants are the ones who end up paying the price.

Consumer Entitlement Fueling Friendly Fraud

So called “friendly fraud” occurs when a customer files a chargeback without the right justification. There could be numerous reasons for this; for instance, a buyer might want to return an item, but is unable to find the return policy on a merchant’s web site. Or, the buyer could simply experience buyer’s remorse, and misunderstand the difference between a return and a chargeback.

While it seems like an innocent mistake, friendly fraud is no joke. Friendly fraud is expected to cost upwards of $25 billion a year by 2020, through a combination of lost revenue and merchandise, added fees, administrative overhead and threats to sustainability. This affects other parties, too, as card networks see more fraud reports and banks are bogged down in dispute cases. Consumers ultimately pay when businesses are forced to raise prices to cover the added expense.

Friendly fraud is directly tied to our problem with consumer entitlement. Buyers are trained to expect that a chargeback will always be an option to recover money. This gives them the impression that they have no real responsibility to merchants, banks or other consumers. It’s a kind of feedback loop, which explains the rapid growth of friendly fraud in the last decade.

Plus, the more chargeback abuse persists, the harder it is to produce useful fraud data. Inaccurate data makes it hard to deploy fraud prevention tools effectively, opening the door for criminal fraudsters to strike.

The longer we allow consumers to take a lax attitude towards phishing and other online threats, while simply expecting to recover their money at a whim, the worse the situation will get. That’s why merchants need to take the lead.

Getting Proactive About Payment Threats

Commerce has changed dramatically since chargebacks first hit the scene in the mid-1970s. We’ve seen the rise of e-Commerce, mobile technology, same-day shipping, even voice-enabled commerce. How we address fraud hasn’t kept pace with the constant and rapid disruption in the retail sector, though.

The dual challenges of chargeback abuse and consumer entitlement are not unique to one vertical, payment model or card scheme. The current state of affairs calls for a coordinated approach to establish standard practices for consumer response to suspected fraud and dispute resolution.

We’re talking about revolutionizing divergent card scheme rules and processes, establishing how banks interpret those rules and how merchants respond. We also need to work toward redefining consumer expectations and ultimately modifying behaviors.

However, bringing all the players in the payments process together will be a massive undertaking. It’s going to require some time before we can muster the will throughout the payments industry to start this process. Until then, merchants will need to take a proactive approach.

Merchants are the party that interact directly with consumers during the transaction process. Thus, it’s up to merchants to help define customer expectations and respond to dispute cases appropriately.

All disputes originate from one of three key sources: merchant error, criminal fraud and friendly fraud. Each source calls for a unique response, though there are a few general pointers that can help minimize the impact of chargebacks:

  • Use Antifraud Tools: Fraud scoring, geolocation, AVS and 3-D Secure should be part of a broader, coordinated strategy to identify criminal attacks. Each of these is a signal rather than a verdict, and no single check stops a fraudster who holds a full set of stolen card data, but combined they keep stolen information from being used to complete transactions. A transaction fully authenticated through 3-D Secure generally also shifts liability for a resulting fraud chargeback to the issuer.
  • Optimize Service: Try to provide live customer service as many hours a day as possible. Answer all calls within three rings and respond to emails promptly. Great service reassures customers that you’re willing and able to help, dissuading them from turning to a chargeback.
  • Be Thorough and Accurate: Ensure all product descriptions and images are accurate, detailed, and lay out realistic expectations for the product. Also, be sure your return policies and other key information are clear and easily accessible from every page of your site.
  • Respond to Disputes When Appropriate: With post-transactional threats like friendly fraud and cyber shoplifting, the only way to recover your funds is through representment. You can manage representment internally or outsource to a chargeback management service.
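The signals in the first pointer above (AVS, 3-D Secure, geolocation, and order velocity) are most useful when combined into one decision, since any one of them on its own is easy for a fraudster to satisfy. The Python below is an added example, not Chargebacks911 code: the point weights, the thresholds, the ten-minute velocity window and the sample orders are assumptions chosen to illustrate the layering, and real AVS and 3-D Secure results come back as processor-specific codes that this example reduces to two booleans and a status string. A fully authenticated 3-D Secure transaction generally shifts fraud-chargeback liability to the issuer, which is why it lowers the score here.

```python
"""Layered card-not-present fraud scoring (added example, not Chargebacks911 code).

Weights, thresholds, the velocity window and the sample orders are assumptions
made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def avs_points(street_match: bool, zip_match: bool) -> int:
    """Address Verification: full match is clean, partial is suspicious, no match is bad."""
    if street_match and zip_match:
        return 0
    if street_match or zip_match:
        return 15
    return 40


def three_ds_points(status: str) -> int:
    """3-D Secure outcome. 'authenticated' lowers risk (liability generally shifts to
    the issuer); 'attempted' means issuer/cardholder was not enrolled; 'failed' means
    the cardholder could not authenticate; anything else is treated as no protection."""
    return {"authenticated": -20, "attempted": 0, "none": 15, "failed": 50}.get(status, 15)


def geo_points(ip_country: str, billing_country: str, ship_country: str) -> int:
    """Geolocation: IP country vs billing country, and ship-to country vs billing country."""
    pts = 0
    if ip_country != billing_country:
        pts += 20
    if ship_country != billing_country:
        pts += 10
    return pts


class VelocityTracker:
    """Counts orders per card fingerprint inside a sliding time window."""

    def __init__(self, window: timedelta, limit: int) -> None:
        self.window = window
        self.limit = limit
        self.seen: Dict[str, List[datetime]] = defaultdict(list)

    def points(self, card_fp: str, when: datetime) -> int:
        recent = [t for t in self.seen[card_fp] if when - t <= self.window]
        recent.append(when)
        self.seen[card_fp] = recent
        return 30 if len(recent) > self.limit else 0


def score_order(order: dict, velocity: VelocityTracker) -> Tuple[int, str]:
    """Combine the signals into one score and a decision (thresholds are assumptions)."""
    score = (
        avs_points(order["avs_street"], order["avs_zip"])
        + three_ds_points(order["three_ds"])
        + geo_points(order["ip_country"], order["billing_country"], order["ship_country"])
        + velocity.points(order["card_fp"], order["ts"])
    )
    if score >= 60:
        return score, "decline"
    if score >= 30:
        return score, "review"
    return score, "approve"


def run_sample() -> List[Tuple[str, str]]:
    """Score a constructed batch of orders; returns (card fingerprint, decision) per order."""
    t0 = datetime(2019, 7, 22, 10, 0, 0)

    def order(card_fp, minutes, street, zip_, tds, ip, bill, ship):
        return {"card_fp": card_fp, "ts": t0 + timedelta(minutes=minutes),
                "avs_street": street, "avs_zip": zip_, "three_ds": tds,
                "ip_country": ip, "billing_country": bill, "ship_country": ship}

    orders = [
        order("card-A", 0, True, True, "authenticated", "US", "US", "US"),  # clean
        order("card-B", 1, False, True, "none", "US", "US", "CA"),          # partial AVS, ships abroad
        order("card-C", 2, True, True, "attempted", "US", "US", "US"),      # clean on its own ...
        order("card-C", 3, True, True, "attempted", "US", "US", "US"),      # ... but the same card
        order("card-C", 4, True, True, "attempted", "US", "US", "US"),      # keeps ordering
        order("card-C", 5, True, True, "attempted", "US", "US", "US"),      # within minutes
        order("card-D", 6, False, False, "failed", "NG", "US", "NG"),       # everything wrong
    ]
    velocity = VelocityTracker(window=timedelta(minutes=10), limit=2)
    return [(o["card_fp"], score_order(o, velocity)[1]) for o in orders]


if __name__ == "__main__":
    for card, decision in run_sample():
        print(card, decision)
```

The card-C orders show why velocity belongs in the mix: each order passes AVS and geolocation on its own, and only the count of orders on one card inside the window pushes the third and fourth into review.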

Retailers are on the front line in the fight against increased fraud activity. They play a key role in reshaping customers’ behavior and expectations and, ultimately, turning the tide away from criminals and in favor of businesses and consumers.


Risk management and fraud prevention expert Monica Eaton-Cardone is co-founder and COO of Chargebacks911, a global chargeback mitigation company.

(Monica Eaton-Cardone, Chargebacks911) Executive ViewPoints, Mon, 22 Jul 2019 08:00:00 -0400
Minimizing Legal Risks For Retailers That Use Biometric Data

Artificial intelligence (AI) tools offer retailers large chunks of data that are helpful in creating robust customer profiles, as well as curated and frictionless customer experiences. Many retailers are aware of the benefits offered by the subset of AI tools that involve biometric data. Facial recognition technology is automating and improving the customer experience in both the online (mobile try-on features) and brick-and-mortar (cashierless stores) sales environments. Some retailers use it as an asset protection measure (to identify known shoplifters). Fingerprinting employees is likewise automating retail timekeeping and jumpstarting wellness programs. Third-party vendors are out in the marketplace aggressively pitching retailers on the exciting benefits of cutting-edge technology tools.

Yet retailers’ use of biometric data in certain jurisdictions presents legal and compliance challenges distinct from other types of data. Select state privacy statutes and the European Union’s General Data Protection Regulation (GDPR) impose additional requirements on businesses that collect or utilize biometric data from either customers or employees. While no federal law preempts those state statutes, the Federal Trade Commission has issued guidance on facial recognition technology that cites its authority under Section 5 of the FTC Act to police unfair or deceptive biometric data practices.

As a result, retailers contemplating the use of technology that involves fingerprinting, facial recognition, voice prints and eye scans, for example, must be mindful of the landscape and the patchwork of state laws that govern biometric data privacy.

I.          The Legal Landscape

Illinois currently has the most robust law governing biometric data, in large part because it contains a private right of action allowing anyone “aggrieved” to sue for specified statutory damages. In 2008, the Illinois General Assembly passed the Biometric Information Privacy Act (BIPA) in response to the Pay By Touch bankruptcy, which approved the sale of the sensitive biometric data that entity had maintained. BIPA provides the most comprehensive set of restrictions on biometric data for any retailer with consumers or employees in Illinois.

BIPA applies to any “private entity” that possesses “biometric identifiers” and/or “biometric information.” It defines “biometric identifiers” to include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” It defines “biometric information” as “any information, regardless of how it is captured, converted, stored or shared, based on an individual’s biometric identifier used to identify an individual.” It applies to companies in possession of this data and those that collect, capture, purchase, receive through trade or otherwise obtain biometric data about Illinois residents.

The requirements under the statute include: (1) developing a written “schedule and guidelines” for the retention and destruction of the data; (2) informing the subject “in writing” of the collection, the purpose, and the duration of storage, and obtaining a “written release”; (3) refraining from “sell[ing], leas[ing], trad[ing] or otherwise profit[ing]” from the data; (4) refraining from “disclos[ing]” or “disseminat[ing]” data without consent; and (5) taking reasonable measures to protect the data from disclosure.

Significantly, the private right of action under BIPA (with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, or actual damages if greater, and no cap on aggregate damages) has sparked a wave of class action lawsuits in the Illinois courts. Many such lawsuits allege purely technical BIPA violations (i.e., no concrete harm such as leaked biometric data). The Illinois Supreme Court recently blessed such violations as sufficient to make a person “aggrieved” and therefore able to sue under BIPA in Rosenbach v. Six Flags Entm’t Corp. (Ill. Jan. 25, 2019). As a result of the significant litigation risk for companies that run afoul of BIPA, and the ease with which a plaintiff can pursue a claim following Rosenbach, the Illinois law should be top of mind for any retailer using or considering technology implicating biometric data.


Yet it is not only retailers with consumers or employees in Illinois that need to be mindful of biometric data. Europe’s GDPR and biometrics laws in Texas and Washington State, for example, impose similar requirements to BIPA, though there is no threat of class action exposure under these laws. Proposals and amendments also have been percolating through the legislatures in Arkansas, Delaware, New York and New Jersey, and Congress is considering comprehensive privacy legislation involving biometric information. Also, the California Consumer Privacy Act (“CCPA”), which will be effective in January 2020 and includes a limited private right of action, expressly includes biometric information. Other states may soon seek to replicate the CCPA, which reflects a significant shift in the privacy landscape in the U.S.

II.        Practical Steps

The retail industry is experiencing a transformation in large part because of unprecedented access to rich data and exciting technology tools. When deploying tools implicating biometric information, it is important for businesses to be aware of the legal landscape and to ensure compliance with the relevant state laws. Some practical tips for retailers to consider include:

  • Conducting a privacy assessment or audit in a privileged manner;
  • Educating internal clients on the general issues so that pertinent contracts are flagged for the legal department;
  • Conducting substantial diligence with respect to third-party vendors;
  • Drafting favorable contracts with third-party vendors, including robust indemnification provisions;
  • Requiring third-party vendors to obtain insurance coverage that includes BIPA claims and names the retailer as an additional insured;
  • Documenting written consent;
  • Developing, implementing and maintaining clear policies;
  • Implementing a compliant and publicly available written retention schedule;
  • Addressing biometric data in written incident response plans for data breaches;
  • Drafting a privacy policy that accurately reflects the retailer’s practices;
  • Interposing arbitration agreements with class action waivers in the consumer and/or employment context;
  • Collecting only what the retailer actually requires;
  • Carving out Illinois of biometric technology programs;
  • Saving data only for so long as it is needed; and
  • Ensuring data is adequately protected.


Gregory Knopp is partner in charge of the Los Angeles office at Akin Gump Strauss Hauer & Feld LLP, a member of the firm-wide management committee and co-chair of the retail industry group. Knopp defends companies in class and collective actions and other complex disputes. He has argued successfully before state and federal courts across the country and has obtained dismissals of class actions in dozens of high-profile, highly consequential matters.

Geoffrey Derrick is an associate of the firm’s Washington D.C. office. Derrick focuses his practice on high-stakes, complex litigation, including challenging employment and consumer class actions in emerging areas such as biometrics. He develops creative ways to solve his clients’ problems based on his unique perspective as a former state and federal public defender, as well as a former state and federal law clerk.

(Gregory W. Knopp and Geoffrey J. Derrick, Akin Gump Strauss Hauer & Feld LLP) Executive ViewPoints, Wed, 05 Jun 2019 09:30:49 -0400
Identity Theft Can Even Make Shopping Stressful

As online and mobile shopping continues to gain in popularity, identity thieves have more opportunities than ever to steal sensitive financial information from unsuspecting consumers. Customers expect retailers to take extra steps to keep their data safe, but with record-setting data breaches constantly in the news, it’s no surprise that nearly half of respondents to Generali Global Assistance’s recent Cyber Barometer indicated that companies are not doing enough to protect their personal information.

Customers are right to be concerned. Online shopping has caused an increased level of consumer data that’s ripe for the taking, and it seems as though every day another major company is falling victim to a cyberattack. These attacks are having a real impact on consumer sentiment and trust. For example, a Generali Global Assistance survey conducted around the holiday shopping season found that 83% of consumers felt uncomfortable making a purchase at a retailer that experienced a data breach in the past.

Though we are seeing some retailers take action by heightening their defenses, the same survey found that 48% of shoppers still feel unsure about whether businesses are doing enough to protect their data. This is reinforced by the fact that 55% of American shoppers said they would feel more confident that a business is actively trying to protect their data if they offered identity protection services.

As customer-facing businesses, retailers should always put the safety of their customers’ sensitive data first, and if they take proactive steps to protect sensitive data, they can ease consumer anxiety.

Accounting For Human Error

Many organizations understand that they need to have sufficient technology in place to combat cyberattacks; however, one of the most commonly overlooked risks to a company is human error. This can encompass anything from an employee misplacing a company laptop, to sending confidential data to an unsecured home system, to falling victim to a phishing email. Retailers can build a culture of cybersecurity amongst their employees by holding educational lunches, posting relevant tips around the store and office and conducting cybersecurity tests, such as simulated phishing, on an ongoing basis.

Also, employees who carry devices connected to company systems should be wary about connecting them to new and unsecured networks, and retailers should establish clear protocols for using work devices outside the office.

Countering A Disgruntled Employee

Another potential threat for retailers is disgruntled employees looking to get back at their former employer by either taking or leaking sensitive customer data. Situations like this can be especially damaging for employers, since almost 60% of all cybersecurity attacks on companies are carried out by insiders. This should be an alarming statistic for any retailer, as retail employees are often the ones dealing directly with customers and their data. All it takes is one disgruntled employee to cause a breach, which can have a longstanding impact on the confidence consumers have in that retailer.

To limit what a disgruntled former employee can do, revoke that person’s accounts and system access on the day they leave and rotate any shared or service-account credentials they knew, especially when a high-ranking employee with access to important systems leaves the organization. Regularly updating passwords helps only if the departed employee’s own accounts are closed as well; a dormant but still-active account is the easiest way back in.

Preventing Identity Theft

Identity thieves who are able to gain access to employee credentials may pose an even bigger threat than attacks carried out by insiders. While an identity thief getting hold of an employee’s data isn’t the same as a massive breach of consumer data, if the right employee is targeted, the identity thief can gain access to more information than they could ever get from outside the organization.

Training employees to spot suspicious messages and making sure there are monitoring services in place in the event of a breach are important steps all retailers should take if they hope to uphold their customers’ trust.

Proactive Measures

In addition to putting some of the protocols outlined above in place, there are also some proactive steps retailers can take themselves. One method is gauging how data is collected at each touch point. Being a good custodian of data means having proper collection, handling, tracking and sharing protocols. As a retailer, it’s important to understand how you are taking in data, to evaluate your intake forms and to assess how that data is stored.

Of course, the biggest piece of advice for retailers is to educate themselves on the potential scams and methods identity thieves employ when trying to steal data — as understanding the risks is often the first step in preventing them.

While shopping is usually a pleasant experience, it is not without risks. Reducing the risks that come with identity theft requires a proactive approach from retailers, which can help their customers avoid one of those dreaded calls to their bank or credit card provider.

Paige Schaffer is President & COO of the Identity and Digital Protection Services Global Unit for Generali Global Assistance. Schaffer leads sales and marketing strategy and revenue growth initiatives, managing operations as well as global expansion. She began her tenure with Generali Global Assistance in 2007 and led North America Operations for both the emergent Travel Assistance business and the Medical Claims division, working with insurers, medical providers and government contractors. Schaffer is a thought leader on identity theft protection, prevention and victimization.

(Paige Schaffer, Generali Global Assistance) Executive ViewPoints, Wed, 20 Mar 2019 09:18:18 -0400
Fraud Report Reveals Importance Of ID Verification In Delivering A Seamless And Secure Customer Experience

With the rise of e-Commerce and prevalence of mobile devices, shopping has reached a new level of ease for consumers. Expectations for fast and easy experiences are higher today than they were just a few years ago, and while the growth of these convenient channels equals higher sales, it also opens the door for fraud.

Most consumers are aware that data breaches and digital fraud are increasing at a rapid rate, and that their personal information is potentially already available on the dark web, yet their tolerance for adding friction to the authentication process for fraud prevention only goes so far: research from IDology’s Consumer Digital Identity Study showed that one in three consumers will abandon creating an account if the process is too cumbersome.

According to new data released in IDology’s Sixth Annual Fraud Report, this is understood by businesses that express concern that fraud prevention steps have the potential to create customer friction. In fact, the IDology report found that striking a balance between fraud prevention and limiting friction in the customer experience is the number one fraud prevention challenge for businesses.

An Inside Look At Fighting Fraud

IDology’s annual report surveys hundreds of executives and analysts in risk, fraud, compliance, product and operations, to capture the impact, incidence rate and perception of fraud on leading companies. Rather than focusing on specific incidents and transactions, the report is based on first-hand feedback from professionals working to fight fraud.

Among the key findings in this year’s report:

Chronic Data Breaches Lead To Increased Fraud Threats: 58% of businesses experienced an overall increase in fraud. With the frequency and depth of data breaches in recent years, a large amount of personal information has become available on the dark web. This abundant access to usernames and passwords, social security numbers, addresses, phone numbers and account information has made it easier and more cost-effective for criminals to commit fraud in customer-not-present environments, such as mobile and online. It’s easy to see why 67% of companies reported that fraud increased online and 63% in mobile.

Mobile Fraud Is Booming: The majority of Americans own a mobile phone, so it isn’t surprising that it’s one of the fastest growing threats to businesses and consumers. In fact, the prevalence of mobile fraud increased 117% compared to last year. In addition, IDology’s consumer digital identity study revealed that mobile malware is also a concern among 80% of consumers.

Mobile devices are direct pathways to the type of personal information that fraudsters want to compromise. As mobile fraud continues to rise, businesses must consider the risks presented by mobile malware that can steal personal information and intercept text messages right off a consumer’s smartphone.

While smartphones can serve as an effective means for businesses to offer an immediate and accessible channel for e-Commerce, as well as quickly identify and verify customers, they also represent a prime fraud target. The mobile market is enormous and highly fluid. Each year in the U.S., 30 million phone numbers are recycled, 130 million new smartphones are activated and 80 million mobile users switch providers. Within the last 12 months, 47% of consumers (an estimated 100.6 million mobile phone owners) experienced at least one mobile change event. These frequent change events make establishing and maintaining a digital device identity difficult and complex.

Of the mobile fraud techniques that increased in 2018:

  • Porting, which occurs when a criminal takes possession of a customer’s phone number and ties it to their own device, increased 27%
  • Intercepting inbound SMS communication, such as two-factor authentication messages, increased 24% (one reason SMS-delivered one-time codes should not be the only second factor protecting high-value actions)
  • Device cloning, in which SIM values from a victim are copied by fraudsters, allowing them to impersonate a subscriber and obtain all incoming communication, increased 23%
  • Recycling phone numbers, in which deactivated/disconnected numbers get reassigned, increased 20%.
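All four change events above break the same assumption: that a phone number still belongs to the customer who enrolled it. A concrete mitigation is to check the number’s recent history before sending an SMS code and fall back to another factor when it has just been ported, had its SIM changed, or been deactivated and reassigned. The Python below is an added example, not IDology’s product or code; the NumberIntel fields and the NUMBER_DB table are constructed stand-ins for what a carrier or number-intelligence lookup would return, the subscriber tokens are invented, and the 30-day window is an assumption.

```python
"""Gate SMS one-time codes on phone-number change events (added example, not IDology code).

NUMBER_DB and the NumberIntel fields are a constructed stand-in for a carrier or
number-intelligence lookup; the 30-day window is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class NumberIntel:
    last_port_date: Optional[date]        # number moved to another carrier ("porting")
    last_sim_change: Optional[date]       # SIM swap or reissue (covers the cloning case)
    deactivated_on: Optional[date]        # line disconnected; the number may be recycled
    current_subscriber_id: Optional[str]  # opaque carrier token for whoever holds the number now


# Constructed lookup table (assumption); a real system would call a live API here.
NUMBER_DB: Dict[str, NumberIntel] = {
    "+15550000001": NumberIntel(None, None, None, "sub-a1"),               # untouched
    "+15550000002": NumberIntel(date(2019, 3, 1), None, None, "sub-b2"),   # ported recently
    "+15550000003": NumberIntel(None, date(2019, 3, 9), None, "sub-c3"),   # SIM changed recently
    "+15550000004": NumberIntel(None, None, date(2019, 1, 15), "sub-d9"),  # recycled to a new subscriber
}


@dataclass
class Enrollment:
    phone: str
    enrolled_on: date
    subscriber_id: str  # captured when the customer first verified this number


RECENT = timedelta(days=30)


def sms_otp_allowed(enr: Enrollment, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Any False should route the flow to a different factor."""
    intel = NUMBER_DB.get(enr.phone)
    if intel is None:
        return False, "unknown number"
    if intel.deactivated_on is not None and intel.deactivated_on >= enr.enrolled_on:
        return False, "deactivated after enrollment (possible recycle)"
    if intel.current_subscriber_id != enr.subscriber_id:
        return False, "subscriber changed since enrollment"
    if intel.last_port_date is not None and today - intel.last_port_date <= RECENT:
        return False, "ported within 30 days"
    if intel.last_sim_change is not None and today - intel.last_sim_change <= RECENT:
        return False, "SIM change within 30 days"
    return True, "ok"


def run_sample() -> List[Tuple[str, bool, str]]:
    """Evaluate constructed enrollments as of 2019-03-11."""
    today = date(2019, 3, 11)
    enrolled = date(2018, 6, 1)
    enrollments = [
        Enrollment("+15550000001", enrolled, "sub-a1"),
        Enrollment("+15550000002", enrolled, "sub-b2"),
        Enrollment("+15550000003", enrolled, "sub-c3"),
        Enrollment("+15550000004", enrolled, "sub-d4"),  # original holder; number since reassigned
        Enrollment("+15550000005", enrolled, "sub-e5"),  # never seen by the lookup
    ]
    return [(e.phone,) + sms_otp_allowed(e, today) for e in enrollments]


if __name__ == "__main__":
    for phone, allowed, reason in run_sample():
        print(phone, "send SMS OTP" if allowed else "use another factor", reason)
```

Capturing the carrier’s subscriber token at enrollment is what makes the recycle case detectable: the number looks the same, but the person behind it is not.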

Fraud Prevention Increasingly Challenging, Businesses Less Prepared For Certain Fraud Schemes

Many businesses share that they don’t feel prepared to address certain fraud schemes. When asked which fraud schemes they are least prepared to detect and prevent:

  • 32% reported mobile device attacks such as malware and hacking, up from just 12% in 2017
  • 32% reported synthetic identity fraud, up from 26% in 2017
  • 25% reported account takeover, up from 19% in 2017

They’re also finding identity verification more challenging. When asked how identity verification has changed in the last three years, 75% of companies agree it has become more complicated and complex.

Retailers are looking for new strategies and technologies to improve identity verification and prevent fraud in a way that won’t negatively impact the customer experience. The report shows that the biggest trends in identity verification over the next three to five years will be verifying identities using mobile device attributes, artificial intelligence, machine learning and submitting ID documents via mobile devices.

Finding ways to keep fraud out and make transactions easier for customers is becoming one of the most important elements of fraud prevention. In fact, the vast majority of businesses surveyed, 85%, said identity verification can be a strategic differentiator. The opportunity exists for retailers to leverage advancements in identity verification to build trust, increase efficiency and improve the customer experience.

For more insights on the current threats facing the retail industry, fraud prevention trends and the rising importance of identity verification, you can download IDology’s Sixth Annual Fraud Report here.

Christina Luttrell is the senior vice president of operations including product, client solutions and marketing for IDology, a leader in multi-layered identity verification and fraud prevention. In her 10 years at IDology, Luttrell has significantly advanced the company's technology, forged close relationships with IDology customers and driven the development of product innovations that help organizations stay ahead of constantly shifting fraud tactics without impacting the customer experience. Luttrell was recently recognized as one of the Top 100 influencers in identity by One World Identity.

(Christina Luttrell, IDology) Executive ViewPoints, Mon, 11 Mar 2019 09:23:02 -0400
PCI Isn’t Enough — How Retailers Can Truly Protect All Sensitive Data

When many of us think of sensitive data, we automatically think about credit card information. But what about all the rest? As recent data breaches taught us, hackers and bad actors can do quite a bit with other types of personal information, such as user names, passwords, addresses, phone numbers, birth dates and so on. As more retailers embark on a truly hybrid sales strategy that encompasses an online presence as well as a brick-and-mortar store, they find themselves with a wealth of sensitive information. So how can retailers keep that information safe?

The Payment Card Industry Data Security Standard (PCI DSS) is not a government regulation but a contractual standard maintained by the card brands’ PCI Security Standards Council, and its scope is cardholder data only. It governs how card numbers are handled in transit and, under Requirement 3, how any stored cardholder data must be protected and which sensitive authentication data may never be retained after authorization. It says nothing about the rest of the personal information a retailer accumulates: user names, passwords, addresses, phone numbers, birth dates and the like. When PCI DSS was introduced, it was hailed as a great leap forward in ensuring that businesses maintained stringent levels of safety around payment cards. But since that time, we’ve seen an explosion in the online marketplace, and a standard scoped to card data leaves most of that new information uncovered, while merchants often find its fit to their sprawling systems either too narrow or too broad to implement with confidence.

This issue is further compounded by the fact that while existing security technology can offer some support, both expertise and software come at a very steep price.

Better Security In An Age Of Low Margins

It has been just over five years since the infamous Target breach, which was, at the time, one of the largest breaches of customer data in history. Though promises have been big, in reality, little has changed in terms of how retailers protect their sensitive data.

Most retailers would protect their customers’ data if it were free and easy. However, brick-and-mortar stores especially tend to be low-margin businesses, and data security solutions are expensive and do nothing to increase revenue. The result: Security is not usually a high priority until a breach occurs.

That’s why, when it comes to data protection, many retailers are forced to ask themselves, “How good is good enough? How can I maintain my margins, yet keep my data safe?”

Others think they are covered because they implemented an advanced security solution six or eight years ago. The reality is that six or eight years ago is a lifetime for technology, so most solutions considered advanced back then are, at best, now barely adequate or, at worst, obsolete. Most retailers hold on to outdated or very basic technology for as long as they can to minimize costs; however, these systems can make them even more vulnerable. The vendors that sold these systems rarely continue to provide security patches or support for products so long in the tooth. In addition, cybercrime has gotten more and more sophisticated, far surpassing the protections of early security solutions and in some cases defeating specific protections outright. The result: information on these systems is poorly secured, meaning it’s a matter of “when” and not “if” a data breach will occur.

Consumer Demand Forces Modernized Regulations

Another challenge is that the retail sector lacks modernized, industry-specific regulations for information handling like those implemented in other industries, such as the financial or health care sectors. Stringent security procedures are now built-in and expected for financial, health care and manufacturing organizations, yet not for retail.

The General Data Protection Regulation (GDPR) and state-specific regulations are a good start and resulted from a powerful place — consumer demand. While years ago consumers did not seem as concerned about the protection of their personal information online, the Equifax breach and the scandal involving Facebook and Cambridge Analytica brought about a significant shift in consumer attitudes toward how their data is managed, secured and stored. Brands that have suffered data breaches or, more recently, have been fined because of their failure to adhere to GDPR or other regulations may face consumer backlash, which can be difficult to recover from.

Next Steps To Right The Ship

There are a few key steps for retailers to move from being on the verge of a data breach to feeling confident in how sensitive data is stored and protected.

  1. Modernize existing regulation mandates. Unfortunately, regulation continues to drive most security behavior rather than a desire to simply be good data stewards. So first and foremost, industry standards such as PCI DSS need to be improved and broadened to help ensure continued and consistent adherence to security policies and practices across all the personal data retailers hold. In addition, nations and states that have not yet passed data privacy laws need to investigate developing such legislation. Once businesses become aware of the potential risks of noncompliance (severe fines, damage to their brand, liability to customers), they will be more willing to implement data protection strategies.
  2. Prioritize data security investments. Investing in security must be a priority for retailers, despite the expense. Implementing effective data protection solutions is critical. Businesses need a clear understanding of what their sensitive data is, where it resides within their systems and if/how it is currently protected. They need to understand who has access to which information, both internally and externally.
  3. Understand current technology investments. An audit of existing security investments is another critical step toward true data protection. Perhaps a retailer has a firewall. Great. Maybe they also have a data loss prevention (DLP) solution. But are these technologies working together? Or are they sitting in silos? Digital data security solutions can help integrate all elements in a data protection system across an organization, providing checks and balances and ensuring that nothing slips through the cracks.

Consumer Pressure Will Induce Change

Aside from the steps above, there’s one other group with the power to demand greater data security — consumers. With the ever-increasing number of data breaches today, a strong security strategy may offer a competitive advantage and help draw in new customers. Customers who are confident their personal information is safe may be willing to pay extra for goods or services, which would help defray the costs of implementing security technologies. But the benefits need to be made clear. Consumers must understand that PCI regulations protect their information only during transactions. They need to know that without added data protection, their information is vulnerable to cybercrime.

Undoubtedly, we will reach a point where enough breaches occur and enough customers sound the alarm, and governments will be forced to develop stronger retail regulations. And stronger regulations will go hand in hand with integrated data protection solutions that help the industry comply with them.


Jim Barkdoll is the CEO of TITUS. He leads the overall vision, growth strategy and go-to-market initiatives of the company. He most recently served as TITUS’ chief revenue officer where he led the global sales operations, marketing and customer success teams. Barkdoll has over 20 years of business development and executive leadership experience with an established track record of successfully growing teams and revenues within channel, SMB, midmarket and enterprise accounts. Prior to TITUS, Barkdoll was EVP of Sales at Toushay Inc. Prior to Toushay, he served as VP, Americas with BlueCat Networks, Inc. and spent 10 years with Quest Software in a variety of senior management roles.

(Jim Barkdoll, TITUS) Executive ViewPoints Thu, 07 Mar 2019 10:14:01 -0500
Retailers Are Turning To Face Recognition To Thwart Growing Fraud And Shoplifting Threats

An increasingly large number of retailers are waking up to an unfortunate fact: despite loss prevention and asset protection professionals’ best efforts, organized retail crime and return fraud continue to rise. In order to combat these rising concerns, forward-thinking retailers have started employing facial recognition solutions to protect merchandise, employees and customers from threats. And while this technology is relatively new for retail, it just might prove to be the secret sauce for preventing shrink.

Why More Retailers Are Using Face Recognition

Global retail shrink is a massive problem, and it’s easy to see why retailers are eager to employ new tools. External shrink (i.e. shoplifting and ORC) costs retailers roughly $35.5 billion each year according to the 2018 Sensormatic Global Shrink Index. External shrink is likely to increase over 2019. Last year, an annual ORC study from the National Retail Federation (NRF) reported that 71% of companies experienced a year-over-year increase in ORC incidents.

Most major retailers agree that hiring in-store loss prevention professionals helps reduce external shrink. But even the best loss prevention professionals can’t remember the names and faces of every documented shoplifter that has ever stolen from the store location — let alone neighboring ones.

Retailers also routinely employ a range of security technologies, including electronic article surveillance (EAS), CCTV and pushout prevention to reduce shoplifting. These technologies can alert loss prevention teams during crimes in progress. While this can lead to apprehensions and merchandise recovery, these solutions still put employees in at-risk situations. Unfortunately, as The D&D Daily regularly reports, hundreds of people die violently each year in retail stores.

However, facial recognition flips the loss prevention script by allowing in-store loss prevention to proactively prevent crimes from occurring.

How Facial Recognition Works

Using facial recognition to prevent crime begins by assembling a database of documented shoplifters, organized retail crime associates, disgruntled ex-employees and other individuals that pose a risk. They can be enrolled from video footage or following an apprehension. Then, the moment that a documented shoplifter returns to a store, a camera enabled with a face recognition algorithm can match that individual’s face against the database of images on file.

In the event of a potential match, in-store security professionals can be alerted instantly. This allows them to either observe the suspected individual or proactively offer customer service. Numerous loss prevention executives have told me that most of the time, simply offering a documented shoplifter customer service is enough to get them to vacate a store without incident.

Even if an individual successfully gets away with committing a crime, face recognition can add tremendous value. An image of the retail criminal can be taken from store CCTV or VMS systems and enrolled in the system. You might not have a clue who the person is, but your security team will know the moment they return to a store.

The Network Effect: How Data Sharing Reduces Crime

Since facial recognition requires that an individual already be documented in a database in order to recognize them, it does not typically help loss prevention professionals thwart first-time shoplifters. But the biggest source of external shrink by far is organized retail criminals and habitual shoplifters, those who steal expensive items and steal them often.

One of the biggest advantages of facial recognition is that stores within a chain can share a face recognition database. Retailers are currently doing this with increased frequency because organized retail crime gangs are typically quite loyal to their favorite brands, preferring to strike multiple locations within a chain in a single geographic region.

FaceFirst conducted a recidivism study over six months that examined the behavior of documented shoplifters. The study found that 60% of known shoplifters were detected entering at least two separate locations of the same retail chain, while 20% of known shoplifters visited three or more locations of the same retail chain.

Combating Fraud

According to the NRF, 10.8% of returns made each year are fraudulent, costing the retail industry $9.6 billion a year. Facial recognition also has the potential to protect retailers from a specific kind of return fraud.

Many companies have generous return policies that don’t require receipts. But retail criminals are eager to take advantage of these generous policies. From talking to loss prevention executives, I learned that one of the most prevalent return fraud schemes is when dishonest customers take merchandise off shelves and attempt to return it. Facial recognition can be used at return desks to pull up video of that customer entering the store. The clerk can then see whether the customer making the return entered the store with merchandise or not. While this method of return prevention isn’t foolproof, it will provide retailers with a much-needed intelligence layer that can help them assess the validity of returns.

These are just some of the ways that retailers will use face recognition to combat retail crime in 2019. While major retailers already have started using the technology, it’s far from ubiquitous. As adoption increases over the next few years, I expect the retail industry to finally turn the corner on external shrink.


Peter Trepp is the CEO of FaceFirst, a facial recognition solution provider. Trepp has experience as an entrepreneur, advisor and consultant. He has an MBA in finance from UCLA Anderson School of Management. He is based in Encino, Calif. Connect with Trepp on LinkedIn.

(Peter Trepp, FaceFirst) Executive ViewPoints Wed, 06 Mar 2019 09:18:53 -0500
Study: Only 11% Of Consumers Trust Retailers To Handle Data Breaches Properly

Retailers face a significant mistrust issue when it comes to data breaches: only 11% of consumers trust retailers to properly handle data breaches, according to a survey by First Data. High-profile events, such as the HBC data breach that affected as many as 5 million shoppers in 2018, can erode trust across the entire industry. But retailers have many tools to help them build up shoppers’ trust.

“The media continues to give breach events a public profile, and they pounce when they discover them and disseminate that information pretty broadly,” said EJ Jackson, SVP and GM of Security and Fraud Solutions at First Data in an interview with Retail TouchPoints. “I think that’s also a reflection that fraudsters are getting more sophisticated and more successful, and I think retailers aren’t quite keeping pace. They really have to solidify their efforts to protect trust.”

The most important step retailers can take to build trust with shoppers is also the most straightforward: protect themselves from data breaches before they can happen. While this is a complex process with no single solution, adhering to best practices can help retailers rise to the challenge:

  • Ensure anti-fraud efforts are properly funded. The first step in building trust is making sure infrastructure is up-to-date, data is properly encrypted, the right third-party solutions are implemented and other basic security measures are in place;
  • Let shoppers know security is in place. People care about their data, and telling customers that their concerns are being taken seriously (while also explaining how it is being protected) can help build goodwill and trust;
  • Protect shoppers from themselves. Retailers need to recognize that customers often practice poor security management and act accordingly. Tools like two-factor authentication and one-time passwords, while potentially inconvenient, can keep shoppers from accidentally exposing themselves to fraudsters; and
  • Use machine learning to ease friction. Harnessing AI can help retailers not only detect fraudulent activity but also determine when regular shoppers access a site, which allows inconvenient security protocols to be waived at checkout.

Mobile Commerce Creates New Security Challenges

Mobile commerce presents new and different data security challenges than those posed by traditional e-Commerce. Shoppers already have mixed feelings about whether mobile payments can be as safe as other methods. While 49% of those aged 24 to 34 believe mobile payment channels can protect their information — the highest trust rate of any demographic — shoppers aged 55 and older display the least amount of trust, at 40%.

Some of that trust might be misplaced: the amount of time shoppers spend on mobile devices can make them feel the platform is more mature than it really is, according to Jackson. As omnichannel shopping journeys become more common, retailers should be prepared to accept that new solutions are needed; iterate them quickly; and work to improve their security practices on mobile.

“Just like e-Commerce, there are a lot of lessons and investments involved in learning, and being good at e-Commerce doesn’t necessarily translate into being an expert on mobile commerce,” said Jackson. “There’s a new learning curve you have to go through — infrastructure, capabilities, tools, processes, operating procedures and so forth — and I think most retailers are going with great speed, but truthfully it’s new for them.”

Breaches Happen, But A Rapid Response Minimizes Fallout

When a breach does occur, good communication is paramount for retaining trust. Time is of the essence: 45% of all consumers expect to be notified that their data may have been accessed within one hour. Retailers should be prepared to send messages on different channels, as shopper preferences vary with regard to how they want to receive their alert:

  • 34% prefer a text;
  • 33% prefer an email; and
  • 28% prefer a phone call.

“I think speed is the issue,” said Jackson. “The quicker you find a breach, and the quicker you identify the parties affected by it, the better. Your ability to communicate confidently that you’re aware of the breach, you’ve identified what was hit, you’ve taken corrective actions, you’ve remediated the problem and that it won’t happen again, is important.”

Identifying the affected parties is the linchpin of this communication — a message sent only to those who actually had data stolen will generate much less panic than an email blast to everyone who shopped during the event. Messages also should include assurances when possible, as well as remediation steps such as offering free credit monitoring. If the stolen data was encrypted, let shoppers know their information is still safe despite the breach.

A combination of preventative measures and intelligent responses can help the retail industry as a whole build trust with shoppers. While these stories are likely to always make the news, reducing their overall impact can make customers feel more secure, and build loyalty with the retailers that keep their data safe.

(Bryan Wassel) Security / PCI Compliance Mon, 04 Mar 2019 09:01:25 -0500
49% Of Shoppers Abandon A Retailer After Experiencing Credit Card Fraud

Nearly half (49%) of consumers have reported being a victim of credit card fraud where their card information was illegally used by someone else, according to a survey from Riskified. Among these victims, 49% abandon the retailer entirely after learning of the fraud, with 29% blaming the merchant that approved the fraudulent purchase.

Retailers also can lose customers when they adopt strict anti-fraud measures. Merchants often decline orders out of caution, which means they sometimes reject good, honest customers. Up to 30% of shoppers say they have had their purchase wrongly declined, and 57% of those declines happen to returning customers, with a corresponding negative impact on their satisfaction and return shopping. These false declines end up robbing retailers of as much as 5.5% of their annual revenue.

Approximately 42% of shoppers who experienced a decline moved on, either abandoning the purchase completely (28%) or shopping with a competitor instead (14%). Retailers have to be smarter about how they review and approve orders if they want to keep these shoppers, said Eyal Raab, VP of Business Development at Riskified.

“A lot of retailers are still using legacy solutions, and they haven't caught up to the way people shop,” said Raab in an interview with Retail TouchPoints. “For example, some retailers reject orders with an AVS mismatch (when the billing address used for the purchase doesn't match the billing address on file with the credit card issuer). Given how many people shop on their phones these days, and how easy it is to mis-key a ZIP code, that's going to cost retailers a lot of legitimate orders. And as we saw, declining legitimate customers now can have long-term repercussions. Retailers need to use solutions that look at the whole story of an order, and approve or decline based on more data and with more accuracy.”

38% Of Shoppers Admit To Creating Multiple Email Addresses For Discounts

Retailers have another growing worry: fraud in the form of account takeovers. Fighting this form of cybercrime is complicated, because it’s difficult to distinguish between criminal hackers attempting an account takeover and opportunistic consumers using multiple email addresses in order to take advantage of promotional discounts. In fact, 38% of shoppers admitted that they have created multiple email addresses to gain additional online shopping discounts. While not illegal, this type of discount abuse can seriously impact merchants' bottom lines. Raab recommended that retailers review account logins and account creations as a deterrent.

“We strongly recommend this to prevent account takeover attacks, but it can also be used to prevent promotion abuse,” Raab said. “A fraud prevention solution can review the account being created — looking at things like the IP address, device being used, etc. — and compare them to existing accounts. When a shopper is trying to create multiple accounts to abuse a promotion, the merchant can then respond however they prefer.”
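The account-creation review described above, as an added example (not Riskified's product or code): new accounts that share a device or IP address and each redeem the same new-customer promotion within a short window are linked and flagged for the merchant to act on. Field names, thresholds and the signup events are constructed for illustration.

```python
"""Link newly created accounts that share a device or IP and redeem the same
promotion (constructed example of the account-creation review discussed above)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signup events. In practice these come from the storefront's
# account-creation log; `device_id` stands in for a device fingerprint.
SIGNUPS = [
    {"email": "alice@example.com",  "ip": "203.0.113.10", "device_id": "dev-A1",
     "promo": "WELCOME10", "created_at": "2019-02-20T10:00:00"},
    {"email": "alice2@example.com", "ip": "203.0.113.10", "device_id": "dev-A1",
     "promo": "WELCOME10", "created_at": "2019-02-20T10:07:00"},
    {"email": "alice3@example.com", "ip": "198.51.100.7", "device_id": "dev-A1",
     "promo": "WELCOME10", "created_at": "2019-02-20T10:15:00"},
    {"email": "bob@example.com",    "ip": "198.51.100.7", "device_id": "dev-B2",
     "promo": "WELCOME10", "created_at": "2019-02-20T11:00:00"},
    {"email": "carol@example.com",  "ip": "192.0.2.44",   "device_id": "dev-C3",
     "promo": None,        "created_at": "2019-02-20T12:00:00"},
    {"email": "dave@example.com",   "ip": "203.0.113.10", "device_id": "dev-D4",
     "promo": "WELCOME10", "created_at": "2019-02-22T09:00:00"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_promo_abuse(signups, window=timedelta(hours=24),
                     thresholds=(("device_id", 2), ("ip", 3))):
    """Return clusters of promo-redeeming signups that share a device or an IP
    within `window`. A shared IP is weak evidence on its own (carrier NAT,
    offices, campus networks), so its threshold is deliberately higher than
    the device threshold; both values here are assumptions, not vendor defaults."""
    flagged = []
    for key_field, threshold in thresholds:
        groups = defaultdict(list)
        for s in signups:
            if s["promo"] is None:          # no promotion redeemed: nothing to abuse
                continue
            groups[(s[key_field], s["promo"])].append(s)
        for (key, promo), events in groups.items():
            events.sort(key=lambda s: _parse(s["created_at"]))
            best, start = [], 0
            for end in range(len(events)):   # sliding time window over the group
                while (_parse(events[end]["created_at"])
                       - _parse(events[start]["created_at"])) > window:
                    start += 1
                if end - start + 1 > len(best):
                    best = events[start:end + 1]
            if len(best) >= threshold:
                flagged.append({"key_type": key_field, "key": key, "promo": promo,
                                "emails": [e["email"] for e in best]})
    return flagged


if __name__ == "__main__":
    for hit in find_promo_abuse(SIGNUPS):
        print(f"{hit['key_type']}={hit['key']} promo={hit['promo']}: "
              f"{', '.join(hit['emails'])}")
```

On the constructed data only the three accounts created from device dev-A1 are linked; the IP shared by alice and dave is two days apart and stays below the IP threshold.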

Poor Checkout Experiences Are The Prime Reason For Cart Abandonment

Beyond fraud risks, the survey also analyzed cart abandonment, which continues to be a big problem for merchants: 84% of shoppers reported abandoning a purchase in progress. Some of this behavior is unavoidable; customers may encounter unexpected shipping costs or simply change their mind about a purchase. However, a difficult checkout process is often the culprit: more than 71% of cart abandoners blamed the checkout process — for being overly complicated, not mobile optimized or seeming untrustworthy — as the reason they didn’t complete the transaction.

“Creating an optimized mobile checkout process is really hard to do,” Raab said. “Retailers spend huge amounts of time and money to create a mobile experience that's as good as their in-store experience. And then they squander it with a balky fraud-review solution that rejects legitimate customers or takes forever to approve orders.”

(Glenn Taylor) Security / PCI Compliance Mon, 25 Feb 2019 08:31:26 -0500
The ‘Art’ And ‘Science’ Of GDPR Consent For Retailers

You’ve seen it before: the long form you must sign before participating in a potentially dangerous activity, the checkbox at the bottom of an end user agreement before you can use a new piece of software, the numerous documents that are part of every major financial purchase.

These arduous processes are developed by companies in response to a regulation, an issue or advice from a lawyer. Not surprisingly, organizations are responding similarly to growing regulatory concerns such as GDPR, ePrivacy and CCPA. In hopes of addressing the new regulations quickly and efficiently, enterprises err on the “science” side of consent collection while ignoring the “art” of consent collection. This is an important distinction because customer consent is the key that unlocks customer conversation and insights that drive a more meaningful exchange.

What is the ‘science’ of consent collection? It is the technology, data and regulations surrounding such collection. These elements are well-defined, understood across any retailer, are trackable and can be readily reported both inside and outside the retailer.

While there is nothing inherently wrong with viewing consent this way, by only approaching preference and consent management scientifically, enterprises are only “checking the box” — doing the bare minimum to achieve a passing grade. Just because a company deploys technology doesn’t mean it fully addresses customer and retailer needs or the intended spirit of the laws. In fact, a science-only approach prevents good retailers from benefiting from the best aspects of what consent management can offer.

In European countries, many companies are more mature in their view and further along on the timeline of allowing customers to provide consent. Organizations in these locales realize that to get a bigger take rate on collecting consent, they must marry preference with consent management to offer an incentive. If there is no perceived value to the individual providing consent, why would they willingly provide it?

By adding preferences to consent, retailers allow customers to be specific with the types of communications, the cadence and the mode that they receive such communications. This increased specificity is a building block for trust between companies and customers, ultimately establishing and bolstering a long-term relationship.

To achieve the greatest return on investment for addressing mandatory compliance requirements, organizations should include a focus on the ‘art’ of consent and preference management. In doing so, preference and consent management drives initial adoption and results in the greatest long-term benefit.

Retailers must further approach consent with the goal of empowering customer conversations. They must focus on deploying implementations that drive more granular preferences across business units, applications, products, communication channels and desired frequency. This long-term perspective leads to healthy and profitable customer relationships. Factors such as timing, placement and design drive adoption by both the company and by its customers.

Aspects of deploying consent artfully include:

  • Consent Spot Collection: Instead of requesting consent via one singular checkbox or a long comprehensive form, consent is spread thoughtfully through the customer journey. Consent and preferences are collected from the customer at points that are significant — during registration, when looking for new products, etc. Taking advantage of these “moments that matter” increases the likelihood the customer will understand what they are agreeing to and their willingness to provide consent increases.
  • Ability to Opt Down: After consent is collected and communications are received, organizations that think of consent in broader terms provide well-designed and tailored forms that allow customers to opt down from communications they are currently receiving. These forms should be easily accessible from any customer touch point. A sophisticated opt-down approach is a step toward turning a would-be global opt-out into a more useful and specific opt-in.
  • Proactive Suggestion: Based on customer behavior, lack of engagement with outbound communications or customer-driven actions, companies may offer alternatives to current modes, frequency and types of communications. Anticipating a potential change in consent increases the likelihood of maintaining some level of consent for continued communications.

Privacy technology must be considered with industry-specific and problem-specific best practices — for example, a financial services company needs the ability to collect consent across multiple channels, such as in-person interaction, while an e-Commerce-only company does not. A one-size-fits-all approach will fall flat and ultimately negatively impact a company’s consent collection initiatives.

The best way to successfully combine the science with the art of consent and preference management is to review and evaluate implementations based on real world use cases. Spend time on competitive web sites, follow the “unsubscribe” link in emails and study customer engagement best practices. Combining this research with an understanding of why your customers provide consent in the first place, and how they benefit from doing so over their relationship with your company, is the foundation for a winning approach.

Regardless of your organization’s approach to addressing consent, download The Forrester New Wave™: GDPR And Privacy Management Software, Q4 2018 report. This report provides insight into vendors that are equipped to solve your organization’s unique consent challenges across the spectrum of science to art.


Eric V. Holtzclaw is Chief Strategist of PossibleNOW. He’s a researcher, writer, serial entrepreneur and challenger-of-conventional wisdom. Check out his book with Wiley Publishing on consumer behavior – Laddering: Unlocking the Potential of Consumer Behavior. Holtzclaw helps strategically guide companies with the implementation of enterprise-wide consent and preference management solutions. PossibleNOW leverages powerful technology and industry-leading expertise to enable companies to listen to customers, remember what they like and dislike and respond in useful, personalized ways. Its enterprise consent and preference management platform, MyPreferences®, collects customer and prospect preferences, stores them safely and makes them available to any other system or application in the enterprise. PossibleNOW strategic services experts identify opportunities, plan technology deployments, design preference collection interfaces and position clients for a win. For more information call (800) 585-4888 or visit

(Eric V. Holtzclaw, PossibleNOW) Executive ViewPoints Tue, 19 Feb 2019 09:23:01 -0500
A Cloud Security Blanket For Retail Operators

By now, retail operators are very familiar with the reasons for moving their networks to the cloud: flexibility, scalability, centralized management capability, consistency of commerce experience and cost, to name a few. They also likely are well aware of the issues that can accompany such a move, none of which is more concerning than that of network and data security.

Given the U.S. retail sector’s growing dependence on the cloud, along with that sector’s apparent vulnerability to data breaches, the concerns about security are justified. Half of U.S. retailers were breached in the past year, well above the 27% global average for retailers, according to a recent report from Thales eSecurity. What’s more, U.S. retailers lead the world in security breaches; three-quarters of them have been breached at least once.

Nevertheless, the migration to the cloud continues apace, with 85% of U.S. retailers now storing sensitive data in either an IaaS (infrastructure as a service), PaaS (platform as a service) or SaaS (software as a service) public cloud environment, Thales reports.

“Despite the advantages, cloud computing comes with an added vulnerability if data is stored incorrectly or if the provider’s own security is compromised,” Gartner practice leader Matthew Shinkman said, summing up findings from his firm’s recent survey of risk executives. “To mitigate these risks, executives will need to guarantee that their cloud security strategy keeps up with the pace of this growth.”

For many retailers, that means taking a fresh approach to network security, Thales asserts in its report. “Traditional endpoint and network security are no longer sufficient, particularly for heavy adopters of public cloud resources such as the U.S. retail sector.”

Defending against data breaches, DDoS (distributed denial of service) attacks and other bottom-line-crushing network security threats requires multiple layers of security baked into various vulnerable areas of the network infrastructure. But where exactly should retailers be prioritizing their cloud security investments? Here are eight suggested focal points, based on our company’s extensive experience building and supporting secure cloud-based networks for retail operators:

  1. A “zero trust” security philosophy. Moving to a multichannel, cloud-based commerce experience creates new surfaces that can be vulnerable to cyberattack. Protecting them means committing to verify anything and everything attempting to access their network systems. That could entail implementing an application-centric security policy, with micro-segmentation and granular perimeter enforcement as a means of determining whether to trust a user, machine or application seeking access to a particular asset or part of the network.
  2. A third-party threat assessment of your cloud strategy and planned environment. Moving apps, processes and data to the cloud can create security gaps that a third-party network security specialist can identify via an audit/gap analysis.
  3. End-to-end encryption. While data in any form, at rest or in transit, can be vulnerable to exfiltration, data in motion and data housed in the public cloud are especially susceptible to attacks. The best defense is strong end-to-end encryption algorithms, starting at the source. This is particularly important in protecting traffic flowing over the Internet between multiple retail sites, and between retail sites and customers. There’s plenty of room for improvement in this area. Thales found that despite having a higher propensity to store sensitive data in the cloud, only 26% of U.S. retailers are implementing encryption in the cloud.
  4. Multi-factor authentication. Single-factor (username/password) authentication may not be adequate to keep cybercriminals from hacking account credentials. Multi-factor authentication adds an extra layer of validation to ensure that only those with proper credentials are able to access critical data, systems and infrastructure.
  5. Firewall policy/governance based on user, device and actual application flow. In a decentralized network environment, incorporating security approaches such as deep packet inspection and micro-segmentation within the network enables organizations to inspect and protect traffic from outside, as well as traffic between internal sites, from advanced persistent threats, ransomware/malware, etc. The firewall(s) tie back to a centrally managed security policy that applies to all IT assets across the network, whether they are located inside or outside the company network.
  6. Security class differentiation. In order to prioritize security resources and allocate them accordingly, enterprises need the ability to set distinct segmentation and security policies for each data class level, and to adjust them in real time as necessary.
  7. Software-defined services and VNF (virtual network function) software. Software-defined services and VNFs provide the flexibility to centrally manage and update services in real time and provide unprecedented visibility into current and past network and application performance.
  8. A solid mitigation/event management plan. It is imperative to have a comprehensive mitigation plan in place and ready for a multi-pronged attack, including DDoS attacks, with a system of alerts across the network that prompts an enterprise to mobilize as an event is happening, or better yet, before it happens.

By incorporating security measures like these into a coherent cloud security strategy, retail operators can tap the many benefits of cloud-centric commerce, with the confidence that their data, network, IT assets and customers are protected. Because in today’s retail world, protecting yourself and your customers is as vital to growth as digital transformation itself.


Joseph Harding is executive vice president and chief marketing officer for Windstream Enterprise and Wholesale, where he is responsible for all aspects of marketing and product management, including go-to-market strategy, demand generation, product development, pricing, customer insight and brand management.

(Joseph Harding, Windstream) Executive ViewPoints Thu, 07 Feb 2019 09:27:30 -0500