Wednesday, July 8, 2009

In eCommerce We (Don't) Trust - The Fickle Pickle

Oracle Report: Consumers Fickle About Ecommerce Security Controls

Nearly one-third of U.K.'s online shoppers don't trust online security measures, but most don't want additional controls if it affects ease and speed of transactions
Editor's Note: I don't blame them, as I feel exactly the same way.  In fact, that's a major reason why HomeATM replicated the "brick and mortar" experience.  It's not slower, it's faster.  It's not frustrating, it's enamoring.  By swiping your card, "you are the power" behind the buying experience, whereas when you type, you don't know if you're "giving your power away" to fraudsters.

Let's look at this through the eyes of pure common sense:


First, wouldn't you agree that it is undeniably EASIER to "swipe" your card than "type" 14-16 digit card numbers, 8 digit expiration dates and 3 digit CVV numbers!  That doesn't sound "convenient."  And to those who say you've got all that stored on your PC, well, shame on you.  Can you say malware?

Second: It is undeniable that it's faster too.   One swipe vs. pick and peck and pick and peck and pick and peck and oops, gotta start over, must've dyslexiated one number somewhere.

Third: When it comes to familiarity, swiping their card is something that consumers do every day at brick and mortar locations, so in terms of making the user experience strong, convenient, with ease of use AND security, I would argue that at the end of the day, swiping will replace typing.  Whether it's Mag and PIN or Chip and PIN, it doesn't matter as HomeATM is EMV ready.

Fourth:  Swiping is obviously more secure when the consumer's cardholder data is encrypted outside the browser space instead of "typed" into it.

So what's the problem?  The naysayers cry, "Oh, you have to get the terminal into the hands of the consumers!"  So?  I never heard the argument to stay with paper and carbon because it would be too difficult to get Point of Sale Terminals out to all the retailers.  (Even though they cost about $2500 each)  So it is nonsensical to argue it is too much of a hassle to get them out to consumers...especially at $15.00 bucks each...


  • Online consumers don't have much patience for security controls that slow or complicate their purchases -- even though they say they don't trust existing online security to keep them safe, according to a new report.

  • Two-thirds wanted more online security, but many still said that if this meant slower transaction processing, then they would find it frustrating.

  • Some 72 percent of consumers had experienced problems with online transactions, including slow processing speed or too many steps to go through.
  • This created a “dilemma” for online retailers, the report said, as they weighed up improving security against making user experience strong.  Editor's Note: Weighed up?  It's NOT "one or the other."  Hopefully I've made the point that it is possible to conduct a secure transaction and at the same time make the user experience strong.  There's NO dilemma here, I promise.

  • Most of those interviewed said they did not want two-factor security authentication outside the banking sector. Editor's Note: What?  Hold on, I was taking a sip of coffee when I read that and now it's coming out of my nose...
Okay...I'm back.  With all due respect to Oracle, I would humbly suggest they didn't ask the "online retailers" the "right" question...

Here's why:  Brick and mortar retailers have their customers "swipe" their card and "enter" their PIN each and every minute of each and every day.  That's "two-factor security authentication" folks.  What you have (your card) and what you know (your PIN) equals "two-factors". So why on earth would "most" of those interviewed say they did not want 2FA?     

Here's the question I'd like to ask online retailers:  "If you could offer your customers a truly secure way to pay, one with which they are already familiar, and, at the same time, create a card-present environment, which reduced your Interchange Fees by up to 100 basis points, would you consider that a dilemma?"  Didn't think so.
Here's the Oracle Study:  But first an important quote:

"Low consumer confidence impacts revenue generation...
but the inverse is also true: good security that increases confidence without creating further hassle, drives sales.

Our research shows that smart retailers and their technology partners have an opportunity to build security into their value proposition, and in doing so, foster customer loyalty and increase revenue,” said Marty Carroll, Director, Foviance.

“Consumer says no” – Oracle Study Suggests Current Security Technologies Impede Online Commerce
Significant opportunities for retailers with a more sophisticated security strategy to strengthen customer loyalty

Findings reveal a complex picture of consumer activity online with emotions and attitudes influencing behaviors

“Online Security: A Human Perspective”

  • Thames Valley Park, Reading, UK – July 06, 2009: Oracle Corporation UK Ltd today launched “Online Security: A Human Perspective” a report based on research by Foviance, the user experience consultancy
  • Foviance spoke to UK consumers, who regularly use the Internet about their experiences of online security and its impact on their behaviour. The study gathered quantitative data that was assessed in more detail through a diary study and focus groups. This approach offered both baseline statistics and a deeper understanding of consumer attitudes and behaviours
  • The quantitative survey covered 550 respondents and the diary study assessed the responses and habits of a sub-group of 24 people, asking them about their experiences of real-life online security situations. The focus groups brought this smaller panel together to qualify trends and extract greater detail about the initial findings
  • The research revealed three key areas of interest:
Current consumer attitudes to online security: mixed messages

  • Consumers appeared to have contradictory attitudes towards online security, with perceptions very much ‘press-led’ and fuelled by assumptions of the potential threats and expectations about their rights.
  • Consumers continued to list predictable threats, such as malware, spyware, identity theft and 30% said they do not trust central or local Government with their personal data.
  • Yet when questioned more closely respondents revealed a distinct contradiction between their attitudes and their understanding of the issues. For example, almost a third of survey respondents (30%) do not trust online security measures. When some members of the focus groups raised WiFi as a security threat, others agreed, but detailed questioning revealed a clear lack of understanding
  • Indeed the majority of survey respondents (70%) blamed themselves as the primary cause of their IT security problems, which suggests they accept their ‘culpability.’ That said, nearly a quarter (24.9%) blamed the website, brand or technology if they experienced login problems
  • The focus groups also revealed consumers showed no desire to understand the mechanics of IT security in more detail and had high expectations about their rights if affected by a security threat
  • However, consumers go on to suggest they would not respond favourably to stricter security. Despite two thirds (66%) stating they would be more confident online if websites imposed additional security measures, they were unlikely to accept these measures if it meant the transaction process increased in either time or complexity. In fact, 26% reported that such measures would drive them onto competitors’ sites.
  • This creates a dilemma for less recognised brands to reassure prospective customers and for larger brands that have been hit by a security issue. How does a company engender trust, which can lead to customer loyalty and potential revenue growth if consumers offer such mixed messages about current security technology?
Cracking the code: balancing security and convenience to avoid bad habits

  • The answer seems to be that both online retailers and other organisations with an online presence need to demonstrate a greater understanding of instinctive human responses to security. Customers want reassurance, demonstrating this with their buying preference for trusted brands, but they do not want it at the expense of convenience
  • Respondents to the research and focus group participants cited a number of frustrations that have led them to abandon online transactions, including being perplexed by username and password selection rules, being forced to wait for an email password reminder and being flummoxed by password reminder questions
  • The survey also produced some worrying statistics:
- 72% of respondents have had at least one problem in the past three months alone
- The number one reason for discontinuing a transaction was the process taking too long (48%)
- 38.9% said that a purchase process with too many steps is a barrier to online shopping
- For survey participants that had abandoned a purchase in the last 12 months 16% did so because the transaction took them to another website, such as 3D Secure Way
  • Stricter security policies also lead to less secure consumer practices
- 25% of those questioned in the survey admitted to keeping written lists of their online usernames and passwords

- In one focus group a participant admitted to writing passwords on every account statement

  • The dangers to online vendors are obvious as consumers are quite prepared to complain to others about their frustrations. 8 examples were raised over the course of the focus groups with participants very quick to name the brand. 31% of people surveyed were likely to use a site less frequently if they encountered login problems.
  • This makes it extremely difficult for online retailers (and for that matter any organisation wishing to interact with its stakeholders via the Internet) to balance security needs against providing a fast and efficient service. For example, there was a point blank refusal to accept the extension of 2-factor security beyond the banking sector on the grounds that transactions which involved smaller sums should not require this technology.
  • The report offers some guidance with respondents and focus group participants suggesting that they look for ‘trust signals’ from an online brand, which could include:
  • 3rd party certification logos
  • Security and privacy policies
  • Customer reviews / ratings
  • Confirmation page / confirmation email
  • Terms & conditions



A security enabled online world: using security to tip the scales

  • The research provides clear insights beyond the usual assessment of consumer concerns about IT security to suggest that there are clear benefits for online vendors, whose security approach can help to tip the scales in their favour
  • For instance if consumers have to make a risk assessment of two online sites, weighing up the merits of a price-based one against those of a recognised brand, unsurprisingly attitudes to online security tend to drive the consumer to the latter. Furthermore focus group respondents suggested they would be willing to pay a premium for such products and services.
  • Hence the obvious calculation is that a good approach to security breeds trust, which in turn engenders loyalty that can help to drive revenues
  • Consequently Oracle recommends a number of steps that businesses can take to improve the customer experience and foster brand loyalty without compromising security:


Take the onus away from the customer and reassure them: customers are anxious about security and do want online transactions to be protected. As a result, companies should publish highly visible third-party security certification logos, so that customers immediately recognise that each click, transaction or purchase is secure. Businesses should also make their own security and privacy policies highly visible, with customer reviews and ratings on show for visitors to see. In addition, businesses should also confirm all purchases with a confirmation page, followed by a confirmation email


Build a better user experience by recognising there are shades of grey: Organisations need to appreciate that the one-size-fits-all approach for assessing the risk of fraudulent activity no longer works. Instead, businesses should assess the varying degrees of risk presented by particular transactions. If we consider that the most likely reason for abandoned transactions is because it is taking too long, then businesses should consider the level of threat versus disruption to the customer. For instance, a £5,000 online transaction calls for more security controls, such as two-factor authentication, than for a purchase of just £10.


Stop thinking in terms of a moat and castle – introduce a multi-layered approach: Organisations need to shift the onus of responsibility away from the consumer to encourage online sales. This can be achieved by taking a layered approach, with technology that drives confidence at each level of an online purchase. From the website to the back-end processes and where sensitive customer information is stored, companies can install a mechanism that manages customer information throughout its lifecycle, wherever it resides. Technology is now available that automates and simplifies the setting and management of IT security policies, which minimises users’ need to clear a confusing variety of security checks. By taking the concern away from consumers, organisations can take positive steps towards building a trusting, long-term relationship with customers. By analysing the origin and nature of incoming transactions, behavioural intelligence and profile information can be gathered to generate a risk score for each transaction, allowing continual assessment of threat levels and the ability to dynamically update policies and respond to new threats.


Supporting Quotes

“It’s time to stop viewing IT security as a castle and moat, companies need to take a more sophisticated approach and that requires a shift in mindset,” explains Des Powley, Director Security, Oracle UK and Ireland. “Done well security can be an enabler of online activity, whether that is retail eCommerce or engagement with public services. Organisations must remember that security is an emotive subject that understandably triggers very primitive instincts for consumers and citizens. It’s time to be more strategic, which includes using technologies such as adaptive authentication and single-sign-on all delivered seamlessly with the service.”

“Low consumer confidence impacts revenue generation, but the inverse is also true: good security that increases confidence without creating further hassle, driving sales. Our research shows that smart retailers and their technology partners have an opportunity to build security into their value proposition, and in doing so, foster customer loyalty and increase revenue,” said Marty Carroll, Director, Foviance.

About Oracle
Oracle (NASDAQ: ORCL) is the world’s largest business software company. For more information about Oracle, please visit our Web site at http://www.oracle.com.

About Foviance
Foviance is a leading customer experience consultancy with a focus on delivering measurable benefits that works globally with some of the world’s best known brands.

Founded in 2000 and with a heritage in website usability and data analytics, Foviance delivers consultancy to its clients about the effectiveness of their individual channels, such as mobile, web and call centre and how they combine in a cross-channel environment. For many clients, insight is provided not only in their home market, but also internationally through Foviance's extensive alliance network.

Foviance engages with its customers wherever they are in their product lifecycle, and provides insight so they understand how to improve, create and deliver excellent customer experiences.

Foviance boasts 43 of the UK FTSE 100 companies among its client roster, including Barclays, BSkyB, and Sainsbury’s. In addition Foviance works with International brands such as Astra Zeneca, Dell and Nokia. For further information please visit: http://www.foviance.com

Trademark
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

# # #

