Optimizing Security: How much payments friction is the right amount of friction?

Posted by Modo on Jul 10, 2019 1:33:51 PM

Brian Billingsley, CRO of Modo, spoke with John Brown from NS8, a fraud detection and defense company, and Modo CISO Matt McBride to dive deeper into how businesses can use payments security to their advantage and create real value for their customers. Listen to the full webinar here at BrightTALK.

Selling goods and services online made it easier for customers to buy from companies (Ariana Grande’s song “7 Rings” ringing in our heads), but that accessibility also brought with it issues like confirming the identity of the customer and securing customer data. Because of these new challenges, online payments security has become top-of-mind for both customers and businesses. In order for customers to make it through the checkout experience, they have to trust you as a company. And if you break that trust, it can be next to impossible to get back. 

The resident security experts from NS8 and Modo walked through the balancing act between convenience and security that merchants need to maintain their customers’ trust and keep them coming back.

What Amount of Friction is the Right Amount of Friction?

How would you feel if you didn’t have to fill out any information whatsoever online when purchasing an item? Just click the “I want it” button and it’s yours. Since we can’t all be Ariana Grande, this may not be the most practical situation for you, and you’re not alone. 

According to NS8’s John Brown, “60% of online customers believe they’re at a higher risk of online fraud. They want to feel safe and, [with] selective friction introduced dynamically and done the correct way, customers feel safe and they appreciate it. They feel like they're shopping with a merchant who cares about not having their data compromised.”

But create too much friction and you lose customer conversions. Too little and you could lose customer trust. So what amount of friction is the right amount? The answer: it depends. 

It’s all about being selective, John explains. If you’re checking out with a $100 bill in-store, you’re going to assume the cashier will pull out the marker to ensure the $100 is in fact real. But what if the cashier checked every single bill that came across the till with the counterfeit marker? Seems a little bit overkill, right? Finding the correct amount of friction comes down to the situation, what you know about the customer, the information you have already gathered, and what makes the most sense for your customers and your business. 

Sometimes too little friction can also cause an uptick in false declines: without a step-up check, a risk engine has no way to clear an ambiguous transaction other than declining it outright. John mentioned a use case they saw at NS8 where a client saw an increase in approvals after they implemented two-factor authentication at their online checkout. This was due to a decrease in false declines, which drove their repeat customer rate up. Customers aren’t going to come back to a site that declined their perfectly valid card, right? Right! It’s too time-consuming when there are plenty of competitors waiting to offer themselves up to your customers.

So, why not just never decline a transaction? Well, you can easily overdo the amount of fraud you tolerate in order to keep good customers from getting a false decline. Industry research asserts that a fraudulent transaction costs you three times the amount of the actual purchase. 

John is a man brimming with great security metaphors, but our favorite was likening the online checkout vetting process to a bouncer at a nightclub. 

“It's like a bouncer at a club: everybody has to show their ID, everybody has to go through basic checks. But if you are not acting shady then there is no reason to pat you down or run you through the metal detector and go through all the extra steps.” 
- John Brown, Solutions Consultant at NS8 

Levels of security can be raised or lowered based on risk scores and other factors like typical transaction amount and use of a VPN. These security checks have varying levels as well. Suppose a card has had a lot of velocity (many attempts) in the past 24 hours. It would be beneficial to call the cardholder to verify the transaction rather than just send an SMS text message. John says customers appreciate that. This process is called “dynamic friction.”
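As an added illustration (not code from the webinar, NS8 or Modo), the dynamic-friction decision described above written as a scoring function: the signal names, weights and thresholds are assumptions chosen for the example, and the rule that a card velocity spike escalates to a phone call rather than an SMS follows the paragraph.

```python
from dataclasses import dataclass
from enum import Enum


class Friction(Enum):
    NONE = "frictionless"      # the bouncer glances at the ID and waves you in
    SMS_OTP = "sms_otp"        # one-time code by text message
    PHONE_CALL = "phone_call"  # call the cardholder (used for velocity spikes)
    DECLINE = "decline"


@dataclass
class TxContext:
    amount: float            # this order's value
    typical_amount: float    # cardholder's usual purchase size (0 if unknown)
    card_txns_last_24h: int  # velocity: attempts on this card in the past day
    vpn_or_proxy: bool       # network signal: traffic arrives via VPN/proxy
    new_device: bool         # device not seen for this customer before
    prior_orders: int        # successful orders from this customer (earns trust)


def risk_score(ctx: TxContext) -> int:
    """Weighted sum of signals clamped to 0..100; weights are constructed for illustration."""
    score = 0
    if ctx.typical_amount > 0 and ctx.amount > 3 * ctx.typical_amount:
        score += 30
    elif ctx.typical_amount > 0 and ctx.amount > 1.5 * ctx.typical_amount:
        score += 10
    if ctx.card_txns_last_24h >= 5:
        score += 40
    elif ctx.card_txns_last_24h >= 3:
        score += 20
    if ctx.vpn_or_proxy:
        score += 15
    if ctx.new_device:
        score += 10
    score -= min(ctx.prior_orders, 5) * 4  # purchase history lowers the score, up to -20
    return max(0, min(100, score))


def choose_friction(ctx: TxContext) -> Friction:
    """Map the score to a friction level; a velocity spike always gets a call, not an SMS."""
    score = risk_score(ctx)
    if score >= 80:
        return Friction.DECLINE
    if score >= 50 or ctx.card_txns_last_24h >= 5:
        return Friction.PHONE_CALL
    if score >= 25:
        return Friction.SMS_OTP
    return Friction.NONE
```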

Protecting your Customer Data

Another piece to the fraud puzzle is ensuring that the fraudsters don’t get their hands on payment details in the first place. How your business stores and manages your customer data is a large factor in maintaining trust, because we all know what impact a breach can have on a company.

The starting point for ensuring data security is to become PCI compliant. Maintaining PCI compliance can be a large hurdle for merchants, but there are many ways to reduce your risk as a merchant while ensuring your data is safe. A few of them are:

  1. Don’t store the Primary Account Number (PAN). Storing customers’ PAN data dramatically increases your business security risk, and unless your business reasons outweigh those risks, don’t store the PAN! 
  2. Offload PCI scope. There are a variety of companies that will handle managing and storing your customer data. At Modo, we leverage a patented, proprietary process to complete transactions for merchants with minimal friction - and we own PCI compliance for merchants through our Modo Modal hosted checkout. 
  3. Utilize tokenization. Tokenization is the process of protecting sensitive data by replacing it with a machine-generated number called a token. Tokenization is part of what Modo does for merchants to counter credit card fraud. In credit card tokenization, the customer’s PAN is replaced with a series of randomly generated digits, which are referred to as the “token.”

Keeping up with the Security Trends

Sometimes, the payments space can get overwhelming. The number of acronyms used can make #paymentsgeeks sound like high schoolers clandestinely planning their next house party via text: XML, 3DS, RTP, PSD2, APM, PSP, the list goes on. 

Some of these trends, however, you should keep top-of-mind. 

3-D Secure:

3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. We are now in the second iteration of 3-D Secure (3-D Secure 2). The use of 3-D Secure is required if both the cardholder’s issuer and the transaction are based in the EU. Otherwise, strong customer authentication (SCA) is required. More and more organizations are calling for strong customer authentication. 

Advanced analytics tools:

Merchants have so much data at their fingertips, but it all comes down to knowing how to use what you have in front of you. NS8 has a variety of tools that look at customer behavior, technology, and identity that help merchants find and leverage customer patterns. 

“When asking merchants questions about their customers, about their purchase size and their purchase patterns, suddenly they know a lot more about the customers than they thought they did, and in turn now they know a lot more about their bad customers.” 
- John Brown, Solutions Consultant, NS8

Becoming a #PaymentsGeek

Payments can be a complicated space due to the number of connections that need to be made, maintained, and secured across platforms. Payments can also be a humongous competitive advantage as merchants look to reduce costs, increase conversions, and remove friction from the customer experience. 

Keeping an eye on the amount of friction you’re allowing into your checkout, and having a pulse on which payments security trends are going to work best for your business and your clients is going to allow you to stay ahead of the curve on topics like PCI compliance, fraud detection, and dynamic security. You might even find yourself becoming a #paymentsgeek along the way. 

To learn more about NS8, and to speak with John Brown, check out their website at www.ns8.com. To learn more about Modo, and to learn how to build and manage your payments stack, check us out at www.modopayments.com.

Topics: Payments industry, ns8, security trends, friction, security, paymentsgeek