First published in The Paypers Web Fraud Prevention, Online Security & Digital Identity Market Guide 2014/2015.

As online transactions increase in volume, so do customer expectations of a seamless online experience. As a consumer, you don’t want to jump through hoops to complete your transaction. But on the other side of the coin, as transactions increase, so does the risk of online fraud. The merchant or payment provider is required to consider the fraud risk and put in place security measures to prevent their businesses making losses.

How do vendors juggle the customer requirement for a fast and effective online transaction with the business requirement to prevent fraudulent attacks?

Customer experience and security are often considered to be at polar ends of the spectrum. Creating a smooth customer journey and also preventing 100% of fraud is difficult at the best of times. At SXSW 2014, Edward Snowden challenged startups to combine exceptional user experience with privacy at the inception of a
product stating: “The tools that exist to enable secure end-to-end encryption are not very polished. You have to choose between a service that is easy-to-use and reliable and polished, and a tool that is highly secure and impossible for the average person to use.”

According to TRUSTe 2014 report on privacy, 74% of internet users are more worried about online privacy than in 2013. Also, more than 9 in 10 people worry about their privacy online and on social networks. A Harris Interactive poll last summer found that 7 in 10 people will not download an app they do not trust. Most organisations give users notice on how they manage fraud and use consumers’ data in this context somewhere in their terms and conditions. Yet how many of us actually read these lengthy terms and conditions? We also have many recent examples where users simply are not informed by organisations as to how their information is or has been used, like the recent Facebook experiment. All this does is simply erode trust and the internet needs trust to operate and grow.

In 1980, a US organisation called the Organization for Economic Cooperation and Development first published their seven Privacy Guidelines. However in 1980, there was no World Wide Web, mobile phones, social networks, wearable tech or ‘big data’. These are the privacy regulations we are still supposed to be adhering to today and the notice and consent requirements of those laws have fallen way behind today’s technology.

The lack of modern guidance makes it difficult for companies, merchants and payment providers to navigate the right path of security and privacy, especially when they are trying to acquire more customers and create a seamless online experience. And it is particularly difficult across borders; a privacy process that is deemed acceptable in the US may not be in Germany or the UK. Equally, it is difficult to know if customers actually care and it seems to divide them, which is no good if you have a ubiquitous product that you want to sell to everyone. Baskets are being abandoned because of too much security or concerns about how their personal information is going to be used.

The good news is that more guidance is coming. In 2013 (updated March 2014) Microsoft and Oxford University’s Oxford Internet Institute (OII) published a report outlining recommendations for revising the 1980 OECD Guidelines. Their report makes recommendations for rethinking how consent should be managed in the internet age.

Noting that expecting customers to manage all the notice and consent duties of their digital lives in circa 2014 is unrealistic if we are using rules developed in 1980. This report paves the way for merchants to start understanding how they might manage user consent today with the new technologies that are available. This is going to be helpful for many companies, because more information about what their customers like and do not like enables them to create better-targeted and more compelling products. Without it could mean they find it harder to create a successful ongoing relationship with their customers.

So, does the customer experience and security requirements
need to be mutually exclusive?

The answer is no, but gone are the days when one or two customer on-boarding journeys would suffice. User journeys will need to become more sophisticated, taking advantage of new technologies that enable security but
only collect the proportionate amount of customer data to do so. These more sophisticated journeys will dynamically re-route customers based on risk in real-time. Merchant and payment providers will need to start thinking about putting their customers at the heart of their product development and test how real customers move through their transaction journey. Too often the product is tested but the customer journey is created in a vacuum without real customer input.

In the future, organisations will need to better engage and educate their customers on the personal data they need to complete a transaction, how they use this data and why. This transparency should lead to less abandoned baskets and more fulfilled orders. How companies embrace this customer empowerment will be key in the critical balance of security, privacy, user trust and the holy grail of customer experience in the future.