By Gene Shablygin, CEO and founder of WWPass
If you’re a merchant who accepts credit cards, you know you’re obliged to comply with the Payment Card Industry Data Security Standard (PCI DSS). You’ve also undoubtedly read about the credit card breach settlements, identity theft precautions, and other hassles that Home Depot, Target, and other victims of payment breaches have endured. The newest PCI DSS version, 3.2, released in May 2016, will become mandatory on Feb. 1, 2018 and provides a good baseline for the security measures necessary to reduce the risk of a security breach. However, it’s by no means sufficient to keep customers’ data secure.
PCI DSS rules are based on best practices of the past and reflect the experience gained by analysis of past security breaches in longstanding environments. However, as the IT landscape changes rapidly to withstand the latest challenges, new security measures beyond the PCI DSS requirements are necessary.
But here’s the dilemma: If you want to implement additional security measures — which may increase protection of customers’ data and reduce fraudulent transactions — you could face losing customers if it takes longer for them to complete transactions. Customers want something convenient and easy, and traditional two-factor authentication for customers may significantly reduce usability of e-commerce websites, creating frustration for even the most loyal customers.
Simply increasing the complexity of passwords and password requirements often costs merchants significant revenue. While it’s relatively easy to quantify the direct losses from fraudulent transactions, the revenue and profit lost because customers cannot sign in or complete transactions could be many times larger.
Despite conventional wisdom, increased security need not come at the cost of usability unless one sticks to old-fashioned, obsolete approaches. One example (hated by all) is the unique, complex password. Even in a perfect world, where credentials are unique, complex, and never left unattended, every additional “special” symbol required in a password may easily mean a lost customer for an e-shop.
Interestingly enough, we’ve discovered that usernames may pose a higher threat to both security and customer loyalty. From a security point of view, using open, unprotected information — which in most cases is personally identifiable — as the first factor in the login process is one of the major risk factors. Huge lists of usernames (in many cases including names and e-mail addresses) are widely available on the dark web for very low prices, and hackers often get easy access to randomly selected accounts. Additionally, during targeted attacks, open usernames offer unlimited opportunities.
At the same time, the necessity to use a username at all often repulses buyers. Simple, easy-to-remember usernames are usually already taken and an offer to use an e-mail address as a username suggests that the new customer is already a target for spam.
The use of different “factors” for signing up, and later signing in, to e-commerce websites may offer both security and convenience, providing an additional incentive to complete online purchases. If this sign-on mechanism offers a similar experience across multiple sites (say, loyalty and partner sites), it would provide additional revenue streams to the merchants who implement it.
The good news? Retailers can take what they’ve learned from user-friendly loyalty programs and adopt similar approaches for username-less/password-less sign-ons, offering much better security for users and financial data than even traditional, inconvenient two-factor authentication mechanisms with one-time passwords or text messages.
Merchants should expect mass adoption of such mechanisms soon, first among high-growth and innovative organizations. To stay ahead of the competition, merchants should also expect that the next incarnation of PCI DSS will mandate this sort of password-less security protocol for everyone in the years to come.
About The Author
Gene Shablygin, nuclear physicist and CEO and founder of WWPass, focuses on freeing individuals, retailers, and enterprises from ineffective, insecure password systems that can’t protect their data from increasingly sophisticated security threats. Prior to starting his own businesses, Gene led the midrange systems team at CompuCom Systems, a global IT managed services company, and was a senior researcher at the Institute for Nuclear Physics at Moscow State University, where he earned his master’s degree in physics.