Online sales may be booming, but consumer concerns over the security of their account data remains the biggest barrier to unbridled growth for e-retailers. News stories about web site hacking and identity theft shake consumers` confidence in the system and make them wary of online purchases.
For e-retailers that means not only lost sales, but also higher operating costs to service customers who shop online only to make a purchase over the phone because they perceive that method as more secure.
At the same time, many e-retailers are struggling to screen transactions for fraud as their sales explode. Subsequently, fraud prevention and web site security remain a daunting problem for e-retailers, especially since cyber crooks continually search for ways to hack into databases, steal consumer account data, and conduct fraudulent transactions.
Nevertheless, the battle is far from lost. Fraud prevention and web site security solutions are streaming into the market and are not only putting cyber crooks on their heels, but also allowing e-retailers to secure their sites more cost effectively and significantly boost sales.
"There is a big payoff in sales increases when e-retailers can demonstrate to consumers site security through a security mark or others means," says Ken Leonard, president of ScanAlert Inc., Napa-Calif.-based provider of security solutions to e-retailers.
In 2005, fraud losses cost e-retailers $2.8 billion, about 1.6% of total sales, according to CyberSource Corp. While the percentage of online sales lost to fraud has declined from 3.6% in 2000, the losses still remain a thorn in the side of e-retailers.
"Sales are growing 20% to 30% annually for most e-retailers, which increases the risk of more transactions being fraudulent," says Mike Bradley, director of managed services for CyberSource, Mountain View, Calif.-based, provider of electronic payment and risk management solutions. "To prevent fraud from growing proportionally, fraud solutions must scale accordingly."
That means providing e-retailers not just with tools to detect and prevent fraud, but with expertise in how to use them. "Spotting holes in web site security is not easy because they can unknowingly open up on a daily basis as changes are made to the site," explains Leonard. "In many cases, spotting security holes is beyond the expertise of the IT department because it is a specialized skill."
ScanAlert and CyberSource each offers hosted solutions that can scale according to the retailer`s volume and that provide analysis and monitoring to minimize manual reviews. The advantage goes beyond the usual gain of minimizing infrastructure costs to include a higher level of expertise in thwarting criminals.
ScanAlert customers using the company`s HackerSafe solution see a sales increase about 14% on average and as high as 30%. The gains are a combination of attracting new customers and converting existing customers from online browsing and offline ordering to online ordering.
"Site security is greatly appreciated by consumers," says Leonard. "If consumers haven`t been personally affected by site hacking or know someone who has been the victim of cyber crime like phishing, they read or see news reports about hackings that raise concerns about the security of shopping online."
Although Visa U.S.A. and MasterCard International have implemented security programs under their brand umbrellas to provide consumers with a higher level of confidence in the merchant site at which they are shopping, adoption by e-retailers has not been universal. "We estimate the adoption rate is growing about 25% annually," says Bradley. "That`s good, but it`s still not a silver bullet. The aim is for retailers to take further steps to mitigate risk."
CyberSource, which has 14,000 retail clients, examines more than 200 variables based on statistics and business rules per transaction to verify an order`s legitimacy. "If there are several high dollar purchases in one or two product categories that can easily be resold, such as consumer electronics or brand name apparel, charged to a single card in less than 24 hours, that`s an indication the transaction needs to be reviewed further," explains Bradley.
CyberSource is able to spot such trends by scanning the transaction data of its customer base. When a suspect transaction is flagged, the retailer is sent an advisory notice recommending further review. If need be, the shopper whose name and personal information are provided at checkout is cross referenced in the CyberSource database for prior transactions and contact information. If doubt about the current order persists, the cardholder listed is contacted to verify the order. "Fraud evolves, so fraud prevention strategies have to evolve too," says Bradley.
Testing the fence
Thwarting fraudulent transactions is just one aspect of site security. E-retailers must also secure their databases from attacks. "Hackers are always testing the fence to find new ways to get in," says ScanAlert`s Leonard. "Every change made to a web site can create new vulnerabilities the retailer does not necessarily realize."
ScanAlert protects retailer sites by acting as a hacker, probing for weak points. Customers undergo an initial security probe, about 75% of which fail. Once the weak spots are identified, daily audits are conducted to identify vulnerabilities.
ScanAlert`s database of identified weak points and solutions to correct them is updated every 15 minutes. "Auditing site security on a monthly or quarterly basis is not enough, nor is meeting the minimum Visa and MasterCard requirements for site security," says Leonard.
Such diligence is essential, because about 75% of the vulnerabilities identified are found by site security firms, software vendors, and web site operators and shared with the industry over the Internet. Ironically, the process makes the information available to hackers. Hackers then rush to exploit the identified weaknesses. "It is always a race between IT and the hackers as to whether the hole gets closed before it is exploited," Leonard says.
Still, retailers need to be cognizant of how they implement their site security and anti-fraud solutions. Lack of personnel to review suspect transactions often leads to implementation of strict guidelines to reject a transaction which can lead to rejection of a significant amount of legitimate transactions.