Why won't mobile retailers do what's necessary to prevent fraud?

There are products and methodologies available that could reduce the incidence of fraud, but only a minority of retailers are using them.

It is a huge understatement to say that retailers have a problem with fraud, especially mobile payment fraud.

Retailers lost $11.1 billion in 2013 overall due to fraud, according to the 2014 LexisNexis "True Cost of Fraud Study." Those numbers are expected to go nowhere but up, especially for retailers that accept mobile payments, according to a related LexisNexis report that looked just at mobile fraud.

Fraud for this segment of retail is increasing at a far more rapid rate, with the percentage of revenue lost to cyber thieves increasing 70 percent, from 0.80 percent in 2013 to 1.36 percent in 2014.

In fact, one could conclude that m-commerce merchants are under siege from fraudsters, given the higher level of attempts thrown at them. Mind you, mobile retailers are preventing more than half, or 53 percent, of the fraud attempts against them, but when stacked up against the success rate for all merchants they are failing woefully. For comparison, all merchants lost 0.68 percent of revenue to fraud in 2014 compared to 0.51 percent in 2013.

There are reasons for that, of course. Mobile retailers tend to accept more payment channels, such as digital wallets and smartphone apps, than merchants in general -- 4.5 compared to 2.6, according to the study. Also, these channels are new to many consumers, especially with the launch of Apple Pay, and consumers are not as savvy about protecting their information.

Given all of the above, why, then, won't retailers implement security measures that could better protect their bottom lines?

Biometrics, 3D Secure

The LexisNexis study found that biometric-based solutions are not only more effective for retailers but more feasible as well, since more and more smartphones are coming to market equipped with the necessary technology.

"Device fingerprinting, for instance, is among the best-suited solutions for mobile device authentication," the study said. "Device identification can be used with both m-commerce card transactions and alternative payments, along with the benefit of being invisible to the consumer and adding no friction to the checkout process."

Yet LexisNexis found that this solution is used by only 14% of online retailers.

Meanwhile the security methodologies retailers do tend to use have significant holes.

Card verification values (CVV), for example, only prevent CNP, or "card not present," fraud, add friction to the customer experience and are prone to misuse, the study notes. CVV requires additional data entry, cumbersome on a mobile keypad, "and even then this credential is relatively ineffective since it is liable to be compromised through malware or online data breaches along with the card numbers."

Another industry methodology is 3D Secure. It is a supplemental authentication protocol that uses the cardholder's relationship with the issuer to verify identity during an online transaction. This solution does not rely on easily compromised static data, LexisNexis notes -- yet is used by just over half as many merchants as CVV.

So I wondered: Why are retailers not using technologies such as 3D Secure and device fingerprinting -- at least not in large enough numbers? Why are they still clinging to the more error-prone CVV system?

Do they perceive these to be higher-cost solutions, or are they afraid they may appear more intrusive to customers? Or are they waiting for an uber security solution to present itself?

LexisNexis' Aaron Press gives his view

For answers I turned to Aaron Press, LexisNexis Risk Solutions’ retail industry fraud expert and director of its Ecommerce, Retail, and Payments Risk Solutions unit.

The short answer, he told me, is that it is a little of everything.

Here is the long version.

There are a number of reasons that merchants don’t make bigger investments in fraud protection and, yes, first and foremost is the perception of cost.

"Merchants often view fraud prevention as a cost associated with payment acceptance, which they already perceive as too high," Press says. "One thing the True Cost of Fraud study makes clear is that fraud likely accounts for a much bigger hit to the bottom line than they realize."

Merchants also don’t fully understand the true ROI of implementing fraud mitigation measures like device fingerprinting and identity verification.

"Merchants usually understand that a certain amount of fraud is inevitable, and feel they can manage it," he says. What they don’t realize is that device fingerprinting and identity verification "not only pay for themselves in terms of fraud prevented, but they also allow the merchant to increase sales by allowing them to accept transactions that might otherwise have looked suspicious and been declined."

Finally, if you haven't heard of 3D Secure, don’t feel bad. It has failed to take off in the U.S. due to the way it alters the consumer experience -- so add justifiable fears of introducing friction into the payment process to the list of reasons merchants are not using the latest in security technology.

"Very few consumers registered for the program, and merchants were reluctant to add another step to the checkout process," Press says. "Not only was there an added step, but it typically included a re-direct or a pop-up window that confused shoppers and increased cart abandonment."

"Newer versions and implementations are much better, but U.S. retailers are still reluctant. The rollout of EMV may shift that attitude, but it’s still early in the process."

But that is another story altogether.

This article is published as part of the IDG Contributor Network.