X P E R T E R I A


customer journey

Customer experience is a top priority to businesses. It’s becoming increasingly complex, spanning multiple channels, assets, and involving multiple departments and business processes across the entire organization.

Customer expectations have never been higher; they want more personalization, instant gratification and fewer hoops to jump through at checkout. Merchants are evolving to deliver these seamless customer experiences. 

Unfortunately, where great opportunities exist, so too do people trying to exploit them. Online fraudsters are also innovating to develop more sophisticated techniques to take advantage of the explosion of ecommerce and the steady rise in new customer accounts.

What is customer experience?

Customer experience (also known as CX) is defined by the interactions and experiences your customer has with your business throughout the entire customer journey, from first contact to becoming a happy and loyal customer.

CX is an integral part of Customer Relationship Management (CRM). It matters because a customer who has a positive experience with a business is more likely to become a repeat and loyal customer.

In fact, a global CX study found that 74% of senior executives believe that customer experience impacts the willingness of a customer to be a loyal advocate. If you want your customers to stay loyal, you have to invest in their experience.

Simply put, happy customers remain loyal. It makes sense, right?

The happier you are with a brand, the longer you stay with them. So, if you treat your customers poorly or ignore their customer service emails, then they are more likely to stop doing business with you. This is why companies that deliver a superior customer experience outperform their competitors – and this means customers will be spending more with your business (and less with your competitors!).

For example, here are a few statistics that caught our eye:

  • Customer experience is set to be the number one brand differentiator in 2020 (and beyond).
  • 1 in 3 customers will leave a brand they love after just one bad experience.
  • Customers are willing to pay a price premium of up to 13% (and as high as 18%) for luxury and indulgence services, simply by receiving a great customer experience.
  • 49% of buyers have made impulse purchases after receiving a more personalized customer experience.
  • Customers that rate companies with a high customer experience score (i.e. 10/10) spend 140% more and remain loyal for up to 6 years.

So, it’s extremely important that you focus on the experience you deliver to your customers.

The importance of consumer identity and access management

The importance of a secure customer journey has grown, along with the rising investments companies are making in digital business and online customer engagement. Most organizations have seen the number of customer accounts and the associated data sets proliferate, including those in industries, such as consumer packaged goods, that have not had large customer-facing digital channels.

The growth of the digital channel has also expanded the domain for cybercrime. Malicious actors have more opportunities to commit fraud or take over accounts, exploiting vulnerabilities associated with consumer-identity and access-management controls. Customers, meanwhile, expect an easier digital experience, including fast authentication and log-in, as well as seamless web and mobile interactivity. Companies able to offer all this while maintaining strong security standards will gain customer loyalty. An experience-driven secure journey can even become a competitive advantage.

Meanwhile, regulators are pressing organizations to secure the customer journey and to give more data privacy and flexibility in terminating accounts. Many organizations collect and use customer data to offer personalized digital experiences, but they have not taken effective measures to prevent the risks that data breaches pose to their customers’ privacy.

Consumers also expect options to manage data-privacy settings and to have the data associated with their identities expunged by companies that hold them. New legislation will impose escalating penalties on companies that fail to gain user consent to collect and process data at nearly all stages of digital transactions. Current CIAM architecture may not readily accommodate such data-privacy requirements, so companies will have to make adjustments. Many still struggle with the existing requirements of the General Data Protection Regulation (GDPR). Now they will also have to address the new legislation, which further strengthens consumer protections. Customers, for example, will be able to refuse cookies that track behavior, avoid digital marketing unless they opt in, and file “right to be forgotten” requests.

Companies are essentially being asked to improve and adapt digital channels in several ways to meet regulatory demands, to fulfill consumer expectations, and to ensure security and resilience against cyberattacks. The enabler will be the secure customer journey.

Fraud touch points across the customer journey

1. Fraud touchpoint: Creating an account

Creating an account at an online store provides shoppers with a seamless and personalized shopping experience, access to special offers and a pathway to loyalty programs. But it’s also fertile ground for synthetic identity fraud. 

As the name suggests, instead of stealing another person’s identity, these fraudsters create an entirely new fake person using a combination of fake information (e.g., burner phones, fake email addresses) and real identity information (e.g., stolen social security numbers). 

Armed with this fake identity and some established credit history, fraudsters go shopping online, then disappear — leaving behind a trail of outstanding balances. Although the identity is false, the activities are real: spending time at online stores simulating genuine use, filling out forms and creating accounts before a transaction ever takes place.

This human factor makes synthetic identity particularly challenging for merchants to combat. This is especially true because they want to prioritize customer experience versus over-scrutinizing accounts to find the bad apples. 

2. Fraud touchpoint: Updating an account

Whereas our first fraud touchpoint focused on the bad actor creating a fake account, this one looks at legitimate activity that leaves honest consumers and merchants vulnerable.  

In account takeover fraud (ATO), a fraudster gains access to a customer’s ecommerce account. This can occur through any variety of methods including the purchase of stolen passwords or security codes or deploying a phishing or malware attack. Years of data breaches have provided fraudsters with a treasure trove of personally identifiable information (PII) that can be leveraged for ATO. 

Once the fraudster has control over the account, they will update more subtle pieces of data like phone numbers, emails and addresses and then begin making expensive purchases with the goal of reselling those goods or benefitting from personal use – before the breach is detected.

ATO is a serious form of identity theft and can be very damaging to a merchant’s reputation.

3. Fraud touchpoint: Payment authorization

Have you ever seen “pending charge” while reviewing your credit card statement online? If so, you’re seeing payment authorization in action. Once a shopper confirms their purchase, in seconds a chain of events unfolds between multiple parties including the merchant, payment gateway, payment processor and the issuing bank.

It’s at this critical touchpoint that fraudsters take advantage. Card testing fraud happens when fraudsters gain access to stolen credit card numbers through theft or by purchasing them through the dark web. They may not know the credit card limit or whether the credit card number is even valid, which is why bots are employed to test thousands of credit card numbers on extremely small purchases – quickly. These initial small purchases often go unnoticed. Once fraudsters know that a credit card number works, they up the ante with much more expensive purchases. 

Both merchants and impacted customers tend to realize that they have been victims of card testing fraud once larger purchases have been made. By that point, fraudsters may have been able to make several significant purchases.
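The card-testing pattern described above (many cards, very small amounts, in quick succession, followed later by large purchases on the cards that worked) can be caught at the authorization stage. The following is an added example, not code from the original article: the event fields, thresholds and sample records are constructed assumptions, and `card` stands for a tokenized fingerprint rather than a card number.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Auth:
    ts: int         # seconds (constructed timestamps)
    source: str     # device/session identifier the merchant logs (assumed field)
    card: str       # tokenized card fingerprint, never the card number itself
    amount: float
    approved: bool

# Hypothetical thresholds; tune against your own authorization history.
WINDOW_S = 300            # sliding window per source
MAX_DISTINCT_CARDS = 5    # distinct cards from one source inside the window
SMALL_AMOUNT = 5.00       # "extremely small purchases"
LARGE_AMOUNT = 200.00     # later purchases worth holding for review

def detect_card_testing(events):
    """Return (flagged_sources, tested_cards, held_purchases)."""
    recent = defaultdict(deque)   # source -> (ts, card) of recent small attempts
    flagged_sources, tested_cards, held = set(), set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.amount <= SMALL_AMOUNT:
            q = recent[ev.source]
            q.append((ev.ts, ev.card))
            while q and ev.ts - q[0][0] > WINDOW_S:
                q.popleft()       # drop attempts that fell out of the window
            cards = {card for _, card in q}
            if len(cards) >= MAX_DISTINCT_CARDS:
                flagged_sources.add(ev.source)
                tested_cards |= cards
        elif ev.amount >= LARGE_AMOUNT and ev.card in tested_cards:
            # The follow-up purchase may come from a different source,
            # so it is matched on the card, not on the source.
            held.append(ev)
    return flagged_sources, tested_cards, held

# Constructed sample: one automated source probing six cards in a minute,
# one ordinary shopper, and two later large purchases.
SAMPLE = [
    Auth(1000, "dev-a", "tok-legit", 3.50, True),
    *[Auth(1000 + 10 * i, "dev-bot", f"tok-{i}", 1.00, i % 2 == 0)
      for i in range(1, 7)],
    Auth(1200, "dev-a", "tok-legit", 4.00, True),
    Auth(5000, "dev-x", "tok-3", 950.00, True),
    Auth(5100, "dev-a", "tok-legit", 320.00, True),
]

if __name__ == "__main__":
    sources, cards, held = detect_card_testing(SAMPLE)
    print("flagged sources:", sorted(sources))
    print("cards seen in a testing burst:", sorted(cards))
    print("purchases held for review:", [(e.card, e.amount) for e in held])
```

The ordinary shopper's repeated small purchases on a single card never reach the distinct-card threshold, so only the burst source and the later purchase on a probed card are surfaced.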

4. Fraud touchpoint: Fulfillment

If buy online, pick up in store (BOPIS) was previously an omnichannel experiment, 2020 was the year it really took off. According to ACI Worldwide, merchants who had BOPIS available as an option pre-COVID-19 experienced a bump of 70% by volume and 58% by value in 2020. And 2020 was also the year that the highest number of merchants implemented BOPIS delivery for the first time.

What’s not to love? Consumers get the convenience of shopping at home combined with the speed of in-store or curbside pick-up and don’t have to pay for shipping. 

But lurking in the shadows are the fraudsters ready to take advantage of this promising touchpoint. In addition to the growth of BOPIS, BOPIS fraud has also seen a significant increase, with a 7% fraud attempt rate compared to 4.6% in other delivery channels. Using the same stolen credit card used to place the order, fraudsters simply pick up the order with the confirmation receipt they received. 

This ability to place a fraudulent order online then pick it up in person removes many of the checkpoints that merchants rely on for verification, including different billing and shipping addresses, distance calculations and other red flags.

Reluctant to ruin the customer experience, store associates will often bypass checking a valid form of identification to see if the person is who they say they are or to see if this person even exists. And because of this, the fraudster is able to walk away with their loot the same day.

5. Fraud touchpoint: Loyalty and retention

If retention is a hallmark goal for merchants, a loyalty program is one of the mechanisms to help achieve it. Aside from increasing customer retention and reducing customer acquisition costs, loyalty programs generate a goldmine of data which can be used to fine-tune offers and personalize the experience. Customers receive special recognition, access to exclusive offers and have a foundation to cement a relationship with the merchant.

Sounds like a win-win, right? Well not exactly as there’s a third player that’s increasingly becoming involved in the loyalty equation: the fraudster. Unlike their bank account or credit card balances, consumers don’t often check loyalty account balances.

With loyalty program fraud, the criminal will utilize ATO or synthetic identity fraud to redeem or steal credits, points or other forms of value. Typically the fraudster will redeem gift certificates and then sell them on the black market for a percentage of their face value. And because many loyalty programs include other data points on the customer, accessing a loyalty account offers the fraudster easy access to PII — including date of birth, household size, marital status, annual income and other nuggets which make it easy to perform more acts of fraud.

6. Fraud touchpoint: Returns

A flexible, customer-friendly return policy has a significant impact on a shopper’s likelihood to purchase. And it’s this very flexibility that makes returns another target for fraudsters. Return fraud happens anytime a fraudster abuses a merchant’s return policy. Of the $428 billion in merchandise that consumers returned to merchants last year, approximately 5.9% of those returns were fraudulent, amounting to $25.3 billion according to the NRF.

Many fraudulent returns are carried out by individuals. Here are some of the ways individual consumers abuse merchant return policies:

  • Purchasing multiple items to receive free shipping or other merchant benefits, with the full intent to return many of the items. 
  • Wardrobing, which refers to a consumer using an item before returning it as new.

While individual return fraud is damaging, the more sinister forms of return fraud are being carried out by organized crime rings (OCRs). 

Once these organized fraudsters have breached a customer’s account through credit card theft, ATO or synthetic identity fraud, they use the credit cards to purchase merchandise. The merchandise is then returned without receipt for a merchandise credit or gift cards, which can then be turned around and sold for cash to businesses, individuals or third-party gift card retailers.

Aside from lost revenues from returns abuse, there’s the added operational cost of processing returns, shipping and restocking inventory. Return abuse can be challenging to detect and stop, as the organized crime rings are sophisticated — often setting up new accounts and payment methods to avoid detection and hide their identities.

Secure the entire customer journey

If ecommerce fraud is happening throughout these customer journey touchpoints, the challenge is to detect it early before the damage occurs. 

Before fraudsters can return stolen items, they need to receive the goods. Also, before receiving the goods, they need to submit payment. Before submitting a payment or stealing loyalty points, they must create or update an account. And before any of this, fraudsters do what legitimate customers do. They initiate an ecommerce session. 

And with the advent of fully automated fraud prevention platforms, powered by machine learning models, merchants can detect suspicious behaviors across the customer journey and across all sessions, not just at the point of transaction.

1. Compose personas and design appropriate customer journeys

To design a best-in-class secure customer journey, organizations must understand consumers’ paths of engagement for receiving products and services. This understanding is expressed as well-defined consumer personas, each with its own assigned characteristics, behavior, attitudes, and pain points. The steps those users take are mapped, whether they are logging in to a healthcare portal to book an appointment, submitting an insurance claim, or reviewing a credit-card bill and submitting a payment.

The catalog of user personas and journeys should be comprehensive enough to cover nearly all likely actual users and activities. User personas are designed to be representative of the different segments comprising the organization’s customer base. They are sometimes represented as a fictional individual, such as “a member of a health-insurance plan”; alternatively, they might be labeled by role (“insurance agent”) or entity (“third-party vendor providing detailed data analytics using the organization’s data”). Similarly, a comprehensive set of user actions—selecting a provider, submitting a claim, paying a bill—ensures the degree of nuance needed to reveal pain points and to design controls that avoid them.

Once the user personas and their corresponding transactions have been shaped, they can be mapped to the secure-journey life cycle: the totality of activities associated with the customer account. It underlies all transactions, regardless of industry. The secure-journey life cycle includes user registration; user life-cycle management, including username and password recall and reset; changes to user-account settings, such as multifactor authentication (MFA) preferences; user deprovisioning and account deactivation; user-account reactivation; and account termination.

The integration of the secure-journey life cycle with user personas and transactions helps organizations identify everything that might require additional controls. It also ensures appropriate trade-offs among convenience, experience, and security for each user segment.

2. Select and apply CIAM controls for prioritized journeys

Strong CIAM controls are used across the secure-journey life cycle to reduce risk from cyberattacks. To combat fraud and prevent accounts from being taken over, identity-proofing (validating the identity of the user) and multifactor authentication have become standard controls during user registration and log-in. Organizations may take different approaches to implementing controls through the secure-journey life cycle, however, depending on their risk appetite, recent incidents, and the desired customer experience.

To prioritize controls, companies should determine their most important sources of risk. A bank concerned with a spike in fraudulent accounts, for example, may focus on controlling user registration by applying strong identity-proofing controls when accounts are created and for certain transactions. Leading organizations have made these decisions by mapping “attacker journeys,” much as they map user journeys: they imagine how a malicious actor might exploit a system’s weaknesses and then solve for needed new controls.

Collaboration between business and cybersecurity teams can alleviate customer pain points related to the complexity of controls. Customer feedback can help organizations design controls thoughtfully. To reduce friction from rigid multifactor-authorization requirements, for example, customers could be allowed to choose their preferred multifactor method from a list of options. A customer-sensitive, risk-based approach to the selection and application of controls through the secure-journey life cycle will not only improve security but also support a positive customer experience.

3. Strike a reasonable balance between security and experience

When designing the secure journey, organizations will have to make trade-offs between security and the customer experience. If they achieve the right balance, users will be offered a seamless journey—creating greater business opportunity—while the risk from exploitative attackers will fall significantly.

Here are some sample trade-off considerations:

  • What level of consumer flexibility is appropriate for multifactor authentication? Customers might want fully customizable authentication, and their choices may gravitate toward less secure options, such as email-based links or text-message codes.
  • How often should users have to reauthenticate after logging in? Reauthentication provides stronger security by repeatedly requiring accounts to be verified. When this is required for each transaction (such as log-in, bill payment, and rewards-portal access), customers can become discouraged and leave the site.
  • For how long should user devices be recognized? Long recognition times increase the risk of account takeovers, especially if a device is lost or stolen. Friction could arise, however, if users are asked to complete the full authentication process for each session.

Every organization will need to balance its risk appetite, known customer pain points, and the desired experience across the secure-journey life cycle. A defined perspective on each of these trade-offs ensures effective decision making.

4. Integrate design principles within the broader architecture

Optimally designed secure customer journeys use architecture that is both flexible (dynamic on the back end) and conducive to new business value. Three design elements aid this process: centralized entity management, seamless cross-platform customer authentication, and speedy authentication.

Centralized entity management. This structure enables companies to use a single ID and set of credentials for each customer, valid across all consumer-facing digital engagement channels. This approach improves security: each customer’s data are correlated with a single account, making it easier for the company to identify anomalous behavior. The customer experience is also enhanced, since customers have to recall relatively few credentials to perform the desired transactions. Companies can also respond more quickly to customer-initiated data-privacy requests, as each customer has their own identifier. This structure also creates business value, as all pertinent data are correlated with the originating ID, irrespective of channel. That increases opportunities to offer tailored customer services or behavior-based recommendations.

Seamless cross-platform customer authentication. A single standardized log-in for all channels reduces friction for the customer. The experience of the brand’s entire digital presence is thus an integral one. From an architectural standpoint, organizations can make any needed modifications (such as sunsetting a legacy system or adding or removing a vendor) easily and quickly.

Speedy authentication. Rapid movement through authentication is desirable for customers and organizations alike. Architecturally, this means offering controls suited to existing customer behavior, potentially including biometrics or pattern-based authentication for mobile applications. To improve the customer experience, the design should also permit the effective layering of controls, such as identity-proofing and multifactor authentication. MFA, for example, might be triggered only after certain thresholds have been reached, rather than for each transaction the user undertakes during a session.
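A threshold-triggered MFA policy of this kind, combined with the reauthentication and device-recognition trade-offs listed earlier, can be expressed as a small decision function. This is an added example, not part of the original article: the field names, action names and every threshold value are hypothetical and would be set from the organization's own risk appetite.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy values (assumptions, not recommendations from the article).
DEVICE_TRUST_S = 30 * 86400            # how long a device stays recognized
REAUTH_AFTER_S = 15 * 60               # how long a completed MFA stays "fresh"
SESSION_VALUE_LIMIT = 250.00           # cumulative spend allowed before MFA
CONTACT_CHANGE_COOLDOWN_S = 24 * 3600  # scrutiny period after contact edits
SENSITIVE_ACTIONS = {"change_email", "change_phone", "change_address",
                     "redeem_points"}

@dataclass
class Session:
    device_enrolled_at: Optional[int] = None      # None: device never seen
    last_mfa_at: Optional[int] = None             # None: no MFA this session
    last_contact_change_at: Optional[int] = None  # last email/phone/address edit
    spent: float = 0.0                            # value already bought in session

def _within(ts, now, limit):
    """True when ts exists and lies no more than `limit` seconds before now."""
    return ts is not None and 0 <= now - ts <= limit

def step_up_reasons(s, action, amount, now):
    """Return the reasons MFA is required; an empty list means no prompt."""
    if _within(s.last_mfa_at, now, REAUTH_AFTER_S):
        return []                      # recently verified: no repeated prompt
    reasons = []
    if not _within(s.device_enrolled_at, now, DEVICE_TRUST_S):
        reasons.append("unrecognized_or_expired_device")
    if action in SENSITIVE_ACTIONS:
        reasons.append("sensitive_action")
    if action == "purchase":
        if s.spent + amount > SESSION_VALUE_LIMIT:
            reasons.append("session_value_over_limit")
        # Account-takeover pattern from the "Updating an account" touchpoint:
        # contact details edited, then purchases shortly afterwards.
        if _within(s.last_contact_change_at, now, CONTACT_CHANGE_COOLDOWN_S):
            reasons.append("purchase_soon_after_contact_change")
    return reasons

if __name__ == "__main__":
    now = 1_700_000_000                # constructed timestamp
    known = Session(device_enrolled_at=now - 86400)
    print(step_up_reasons(known, "purchase", 40.0, now))      # low value: no MFA
    print(step_up_reasons(known, "change_email", 0.0, now))   # sensitive action
    edited = Session(device_enrolled_at=now - 86400,
                     last_contact_change_at=now - 3600)
    print(step_up_reasons(edited, "purchase", 20.0, now))     # ATO pattern
```

Lengthening `DEVICE_TRUST_S` or `REAUTH_AFTER_S` reduces prompts at the cost of a wider window for a lost device or hijacked session, which is the trade-off the bullets above describe.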

5. Support the secure customer journey with strong governance

Strong governance is an integral part of the best-in-class approach to the secure customer journey. This means that an organization clearly defines the scope and activities of the secure-journey program, aligns on participation and decision-making responsibilities, and develops the means to measure the program’s success. Governance bodies should bring together interested parties from the executive leadership, cybersecurity, and the business to ensure that feedback is accurately reflected in a timely manner.

Wrap up

As the ecommerce industry continues to innovate, so too will the fraudsters. Customer experience is an area that needs constant nurturing and care and, with a greater focus on customer experience strategy, companies will realize a positive impact on customer loyalty, higher retention and increased revenue growth. It also affects all areas of your business.

Instead of only securing the point of transaction, merchants must realize that fraudsters reveal themselves throughout the customer journey through every keystroke and in every session.