Photo: Walmart
The long-standing narrative of credit card security is that offline transactions are more secure than online. Today, this narrative is more fiction than fact.
Online transactions are more popular and secure than ever before, thanks to advancements in digital payments technology, demographic shifts, and the evolving cyber-security landscape. At the same time, offline payments seem more insecure than ever before. The outbreak of high-profile security breaches at major retailers has shed light on the fact that offline transactions are vulnerable to attack.
These trends lead us to consider a number of important questions that affect every consumer and retailer — are online transactions more secure than offline, and will this realization propel ecommerce into its next stage of growth?
Offline and Off-Guard
The reality is that security concerns exist whether you are online, offline, or on a mobile device. They exist with credit cards, debit cards, and even cash. A common misconception is that offline is safer than online, but this is changing as a result of the massive security breaches that hit the headlines over the past year.
Target announced that hackers stole personal information from as many as 70 million customer accounts between November 27th and December 15th, 2013. Then, Home Depot announced that 56 million cards were compromised in a five-month attack on its payment terminals. 1.1 million credit cards were exposed in a three-month hack on Neiman Marcus. Hackers also hit grocery chain Supervalu multiple times, which has thousands of locations, and Asian bistro chain P.F. Chang’s saw data stolen from eight of its locations over the course of eight months. Even before these huge hacks took place, retailers were already losing roughly $3.5 billion in ecommerce sales a year due to credit card fraud, according payment processor CyberSource.
If this laundry list of major security breaches isn’t enough to convince consumers that offline payments are just as risky, if not more so, than online payments, I don’t know what is.
When you physically offer up your credit card in a retail store, that merchant still stores data on a computer; those computers are generally Windows PCs running old-school Point-Of-Sale software and storing data in environments that are inherently insecure and inadequate. To process transactions, the payment application has to communicate with the payment terminal, POS, and payment processor, which means sensitive data is constantly being circulated. This makes it vulnerable.
“You walk out of the store while the transaction continues to ricochet across the country — using technology from the 1970s,” Jason Oxman, CEO of the Electronic Transaction Association, told NPR.
“What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years. That’s how long mag stripe cards have been on the market.”
The security guidelines put in place by the major credit card companies were designed for collecting data at rest. That is no longer the world we live in, and today these standards don’t do enough to ensure retailers are protecting consumers’ data. The guidelines don’t require credit card information to be encrypted while traveling through a private computer network, and so hackers can steal data as it moves. PCI data security standards are failing us.
Is Online Safer?
In general, big box retailers don’t make the same commitment to security as online retailers. Overhauling their entire system and taking extra security precautions is an expensive and time-consuming proposition, and so they neglect to take extra measures. This stands in contrast to online retailers, who are built from the ground-up with strict security in mind, because just one hack could destroy their business.
Online retailers also have a greater array of security tools at their disposal — tools that were created for the world we live in today, not the world of a decade ago. Square, for example, encrypts card data on the device. Stripe encrypts all card numbers on a disk with AES-256, and stores decryption keys on separate machines. PayPal’s security key offers a second authentication factor when you are logging in to your account. Online transactions from any reputable vendor are also protected by SSL certificates (to protect data in transit), firewalls, and regular systems scans. Furthermore, consumers are empowered to add extra security layers to online transactions. They can create strong passwords, sign up for identify theft protection services, and keep their anti-virus software up-to-date.
Perhaps the most exciting advancement in security technology is tokenization — described by Bain Capital Ventures managing director Matt Harris as “a system where you substitute a proxy set of identifying information for the real payment card data, so that merchants don’t have to handle this sensitive and regulated data and it isn’t exposed more than necessary.” Tokenization not only limits exposure, but also enable more rigorous identification features, such as a fingertip or picture of your face (as opposed to a pin number or signature). It will play a pivotal role in eliminating consumers’ fear of digital payments.
The Rise of Ecommerce
For all the reasons outlined above, online transactions can be more secure than offline transactions. Now let’s consider how that shift will affect the ecommerce industry as a whole.
Ecommerce is already experiencing significant growth. To put it simply, more people are buying more things online than ever before. Today, there are 191.1 million online buyers in the U.S.. and a whopping 80% of the Internet population has purchased something online. Ecommerce is growing fast at 9.5% a year, and is expected to outpace sales growth at brick-and-mortar stores over the next 5 years. eMarketer estimates that U.S. retail ecommerce sales will increase 15.5% in 2014 to reach $304.1 billion, up from $263.3 billion in 2013. That growth will represent more than 20% of the year’s $199.4 billion increase in total retail sales. Forrester estimates that by 2018, ecommerce will represent 11% of the market, which means a hefty 89% will still happen offline. Despite all this growth, we are still at the beginning of the shift to online.
There are a number of driving forces here, the first of which is the raw fact of Internet penetration. More people with access to the Internet means a greater pool of online shoppers. Secondly, we’ve got e-commerce innovation. Hordes of companies are creating exciting, new, and convenient online shopping experiences. Amazon (of course) puts anything you could ever need just a few clicks away, and offers bottom-of-the-barrel prices. Etsy makes it easy to browse and buy from millions of talented craftspeople you never would have encountered on your own. Wanelo makes online shopping social. Gilt and Zulily offer limited time sales for high-quality items at a steep discount. The list goes on, and there is an ecommerce experience out there to suit just about any preference.
Third, demographic shifts are driving the growth of ecommerce. Millennials were raised with online shopping and remain its key age demographic. This generation represents 80 million people in the U.S., who spend more money online than any other age group. Within this group, members of “Generation Z” (aged 18 to 24) spend almost one in ten of their dollars online, and a higher share of their income. As they age and make more money, these numbers will go up.
Ecommerce isn’t just growing in the U.S.. eMarketers project that global ecommerce sales will hit $1.5 trillion this year, driven by growth in emerging markets. Considering the astonishing rate that people in emerging markets are coming online, this growth is only going to get steeper. Further driving this curve is the fact that cash transactions are shrinking around the world as well.
Online payments are clearly the way of the future, but security concerns remain a barrier to its growth. Security is still one of the top reasons why people don’t shop online, or do it less than they might otherwise. Kapersky Lab found that 49% of participants worldwide felt vulnerable while shopping online or making online transactions, and 62% fear financial fraud on the Internet. These concerns all increase on mobile.
Millennials, however, are less worried about security, and more likely to make online purchases than older consumers. In addition, the high-profile nature of the offline security breaches have created much wider awareness about offline threats. A survey conducted by AP shortly after the breaches found that more than one-third of Americans are more likely to use cash instead of credit or debit cards.
Clearly, all-cash is not a long-term solution. Consumers have grown accustomed to the convenience of credit and debit cards, as well as the perks, and any changes in payment behavior will only be temporary. Even chip technology, which will help make credit cards more secure, is by no means a silver bullet for offline transactions.
What will change, however, is the attitude toward online payments. The move to online is happening, and I predict these breaches will accelerate the process. Older consumers, who were previously wary of paying for things on the Internet, will become less so. At the same time, millennials are increasing their spending power. Together, these trends will fundamentally tip the balance between online and offline payments.
Marc Summe is the Director of Product Management at 2Checkout.
No comments:
Post a Comment