About Corporate Insight
Corporate Insight (CI) provides competitive intelligence and user experience research to the nation's leading
financial institutions. For over 20 years, Corporate Insight has tracked new developments in the financial
services industry through our Monitor research and custom consulting services. We are known for our
detailed, objective research, unmatched expertise, and emphasis on the actual user experience. There are no
assumptions in CI’s work – we use live accounts at the firms we track to benchmark their effectiveness and
give our clients unparalleled competitive intelligence.
Corporate Insight is continuously tracking and identifying best practices in online asset management, banking
and investing, insurance, annuities, mobile finance, active trading platforms, social media and other emerging
areas. In the process, we have helped our clients across financial services stay on top of industry trends and
improve their competitive position.
CONTACT US
Doug Miller
Director of Research
dmiller@corporateinsight.com
Media Inquiries
Joshua Grandy, Director of Public Relations:
(646) 876 7524
pr@corporateinsight.com
TABLE OF CONTENTS
Introduction..............................................................................................................................................1
Background...............................................................................................................................................2
Controlled Payment Numbers..................................................................................................................3
Virtual Account Numbers by Citi...........................................................................................................4
ShopSafe by Bank of America ...............................................................................................................7
Comparative Analysis: Virtual Account Numbers vs. ShopSafe............................................................9
Two Key Issues........................................................................................................................................10
Issue #1: Large Gap in Security Products Offered...............................................................................10
Issue #2: Negative UX and Incompatibility with Future Trends .........................................................11
Recommendations..................................................................................................................................12
Short-Term Recommendations...........................................................................................................12
Medium-Term Recommendations......................................................................................................12
Long-Term Outlook............................................................................................................................. 13
Eight Key Takeaways...............................................................................................................................14
Corporate Insight Syndicated Studies.....................................................................................................16
Corporate Insight Thought Leadership...................................................................................................16
INTRODUCTION
The Target data breach [1] and the Heartbleed bug [2] intensified a focus on the vulnerability of personal credit card
data in both the physical and digital realms. As a natural consequence, consumers have become increasingly
concerned about giving their card data to physical and online merchants. EMV chips for physical cards served
as the solution to the Target breach. But what can prevent or at least mitigate e-commerce incidents similar to
Heartbleed, wherein hackers gain the encryption keys to unscramble payment information? What is the
security product that will keep information secure at online points of sale? We’ve already identified the way to
strengthen security at cash registers, but online shopping carts are inevitably the next security battleground.
As consumers shift to online shopping at greater rates, it is crucial for credit card companies to turn their
attention to developing more effective cybersecurity products. In this whitepaper, a current best practice will
be identified with the hopes that other credit card companies will implement it in the near term.
Credit card issuers, positioned at the intersection of merchants and consumers, for the most part have not
focused on minimizing identity theft in online checkout systems specifically. There is an established and
accessible cybersecurity product with the capability of masking card data in online points-of-sale – however, it
is only currently in use by Bank of America and Citibank. This product, known formally as a controlled payment
number, generates proxy account card numbers that stand in for a user’s actual card number. In providing a
proxy number, users never supply a merchant with real data, even at the checkout page. The “heartbeat” sent
between the servers never includes the real number, giving a hacker no chance to unscramble the payment
data of the user’s physical card. At best, the hacker would decrypt the proxy number, giving them much less
power to spend recklessly.
Like EMV chip technology, this substitute credit card number service is not a new invention, but is surprisingly
hard to find as an offering among credit card firms. Unlike the EMV chips, however, substitute card numbers
do not require an overhaul of any payment systems for either the merchants or the card issuers. For these
reasons, this product could be implemented across all credit card firms and could help prevent future e-commerce breaches.
[1] https://corporate.target.com/about/payment-card-issue.aspx
[2] http://heartbleed.com/
BACKGROUND
On December 19, 2013, a blogger broke the news that Target Corporation had been afflicted by a data breach,
the severity of which became known in the months following. All told, Target’s overexposed point-of-sale
systems virtually placed 40 million credit cards and 70 million emails into the hands of a few hackers. Although
the credit card data was stolen at the brick-and-mortar retail chain, only three months later, consumers
became aware of the pervasiveness of security breaches when the Heartbleed Bug was discovered in April
2014. The bug, a flaw in the OpenSSL library (an implementation of the Secure Sockets Layer protocol), gave the perpetrators access to
encryption keys, enabling them to unscramble sensitive consumer information which passed through the
“heartbeat” between two servers. The victims of these breaches have been the consumers, and the damage to
the consumer psyche is undeniable. According to a Pew Research Center poll, 61% of Internet users have taken
measures to protect themselves from Heartbleed [3]. And Heartbleed, not the Target data breach, represents the
future nature of fraud attacks, which are increasingly happening online. Online attacks increased from 21% of
total attacks during all of 2011-2013 to 35% of total attacks in 2013 alone, while breaches at physical stores
decreased from 31% to 14% over the same period [4]. Thus, there is great need for a security product consumers
can control and interact with for use in online shopping settings.
As the latest round of security breaches snatches up vast volumes of consumer data, and as consumers
experience the psychological and behavioral effects associated with these breaches, what e-commerce
security products are the credit card companies offering? Very few, if any. Despite being the nexus for all the
pieces in these transactions, credit card issuers have done little to ramp up their e-commerce security
products, and the products offered vary greatly in sophistication. In talking with representatives at the 10
credit card companies in Corporate Insight’s monitor group, nearly all of them cited their fraud monitoring as
the main security feature, and assured me that if my card data were compromised, I would not be held liable.
However, even if a credit card issuer does its due diligence, it can’t control the e-retailer’s behavior. Online
merchants perform minimal fraud monitoring. In a survey of e-retailers, 32% do not perform any fraud
screening online, and 61% manually review just 10% of transactions [5].
In another poll, 87% of consumers say they are not likely to do business with a company that has experienced
a data breach. And since 95% of web attacks targeted payment card information [6], credit card companies have
many customers who could directly be impacted by online identity theft. Rather than relying on fraud
monitoring, offering a proxy number service to customers could lower the incidence of fraud by preventing it
at the beginning of the transaction process.
[3] http://www.internetretailer.com/2014/04/30/consumers-respond-and-try-suture-heartbleed-bug
[4] http://www.internetretailer.com/2014/04/23/criminals-successfully-break-more-retail-web-sites-2013
[5] http://www.internetretailer.com/2013/11/07/e-commerce-authentication-system-moves-checkout-page
[6] http://www.internetretailer.com/2014/04/23/criminals-successfully-break-more-retail-web-sites-2013
CONTROLLED PAYMENT NUMBERS
Devised and patented in the late 1990s [7] by the Irish company Orbiscom (which was acquired by MasterCard in
2009 [8]), controlled payment numbers give credit card customers a security tool enabling them to create a
randomly-generated number for use at online checkout carts. The software is offered in web-based and
downloadable versions. In either format, users load the software during the online checkout process and
generate a number. The tool generates an account number, expiration date and security code, which the user
copies and pastes into the payment information section on a checkout page. Users can set spending and time
limits on each number generated, giving them the flexibility to use the numbers for an extended but limited
period of time. Each saved number can only be used at a single merchant.
Controlled payment numbers provide protection in these situations only, and do not safeguard data in other
situations. They do not set a blockade preventing hackers from gaining access to personal online banking
accounts. Verification services, such as Discover’s Enhanced Account Verification, prevent these particular
incidents by sending a verification code to a user’s phone. Controlled payment numbers also do not prevent
computer viruses from invading computer hardware or software, which companies like McAfee are tasked to
prevent. In addition, the service is different from Verified by Visa and MasterCard SecureCode, which both
require a pre-set password before finalizing an online order. It is critically important to understand that
controlled payment numbers only prevent merchants or the hackers of merchants’ servers from ever accessing
real payment data, and that the encryption occurs before a transaction is sent through.
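The mechanism described above, as an added example that is not code from Corporate Insight, Citi or Bank of America: a small issuer-side model of a controlled payment number service. It generates a proxy account number, expiration date and security code, lets the cardholder set a dollar limit and a term limit (the two-to-twelve-month range is taken from the product descriptions later in this paper), locks the number to the first merchant that uses it, and lets the cardholder close it. The real account number is stored only on the issuer side and never appears in the data a merchant receives, which is the whole point of the product. The BIN prefix, the demo date, the cardholder account number, the merchant names and the amounts are constructed placeholders.

```python
"""Issuer-side model of a controlled payment number service (added example)."""
import secrets
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal
from typing import Dict, Optional, Tuple

# Constructed placeholders: not a real issuer BIN and not a real date of service.
PLACEHOLDER_BIN = "999999"
DEMO_TODAY = date(2014, 6, 1)


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string, so a proxy passes merchant-side format checks."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def add_months(d: date, months: int) -> date:
    """First day of the month `months` after `d`; a number is good through that month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month_index + 1, 1)


@dataclass
class ProxyNumber:
    pan: str
    expires: date                        # good through this month
    cvv: str
    dollar_limit: Optional[Decimal]      # None means no spending cap
    merchant: Optional[str] = None       # locked to the first merchant that uses it
    spent: Decimal = Decimal("0")
    closed: bool = False


@dataclass
class ControlledPaymentService:
    """Issuer-side state: controls per proxy, plus the real account each proxy stands in for."""
    today: date = DEMO_TODAY
    proxies: Dict[str, ProxyNumber] = field(default_factory=dict)
    real_accounts: Dict[str, str] = field(default_factory=dict)   # proxy PAN -> real PAN

    def generate(self, real_pan: str, dollar_limit: Optional[str] = None,
                 months: int = 2) -> ProxyNumber:
        """Create a proxy with an optional dollar limit and a 2 to 12 month term."""
        if not 2 <= months <= 12:
            raise ValueError("term limit must be between 2 and 12 months")
        body = PLACEHOLDER_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        proxy = ProxyNumber(
            pan=body + luhn_check_digit(body),
            expires=add_months(self.today, months),
            cvv=f"{secrets.randbelow(1000):03d}",
            dollar_limit=Decimal(dollar_limit) if dollar_limit is not None else None,
        )
        self.proxies[proxy.pan] = proxy
        self.real_accounts[proxy.pan] = real_pan   # kept at the issuer, never sent to a merchant
        return proxy

    def authorize(self, pan: str, cvv: str, merchant: str, amount: str,
                  on: Optional[str] = None) -> Tuple[bool, str]:
        """Decide a merchant's authorization request, which carries only the proxy data."""
        when = date.fromisoformat(on) if on else self.today
        proxy = self.proxies.get(pan)
        if proxy is None:
            return False, "unknown number"
        if proxy.closed:
            return False, "number closed by cardholder"
        if (when.year, when.month) > (proxy.expires.year, proxy.expires.month):
            return False, "number expired"
        if not secrets.compare_digest(cvv, proxy.cvv):
            return False, "security code mismatch"
        if proxy.merchant is not None and proxy.merchant != merchant:
            return False, "number locked to another merchant"
        charge = Decimal(amount)
        if proxy.dollar_limit is not None and proxy.spent + charge > proxy.dollar_limit:
            return False, "spending limit exceeded"
        proxy.merchant = merchant                  # first use binds the number to this merchant
        proxy.spent += charge
        return True, "approved"

    def close(self, pan: str) -> None:
        """Cardholder closes a number; later authorizations from the merchant are refused."""
        self.proxies[pan].closed = True


if __name__ == "__main__":
    svc = ControlledPaymentService()
    proxy = svc.generate("4111111111111111", dollar_limit="100", months=3)  # constructed account
    print("proxy", proxy.pan, proxy.expires.strftime("%m/%y"), proxy.cvv)
    print(svc.authorize(proxy.pan, proxy.cvv, "shop-a", "40"))   # (True, 'approved')
    print(svc.authorize(proxy.pan, proxy.cvv, "shop-b", "10"))   # locked to another merchant
    print(svc.authorize(proxy.pan, proxy.cvv, "shop-a", "70"))   # spending limit exceeded
    svc.close(proxy.pan)
    print(svc.authorize(proxy.pan, proxy.cvv, "shop-a", "1"))    # number closed by cardholder
```

The design choice worth noting is that every control (term, dollar limit, merchant lock, closure) is enforced at authorization time on the issuer side, so a merchant database that leaks the proxy, its expiration date and its security code yields at most the remaining balance at that one merchant, and nothing once the cardholder closes the number.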
Since Orbiscom developed the software, the technology has been adopted by a number of large firms,
including Citibank, American Express, Bank of America and Discover. While American Express discontinued
their “Private Payments” service in 2004, the other three firms continue to offer it and remove it every few
years. In 2011, Discover discontinued its Secure Online Account Numbers service but re-instated it after
customer feedback, only to cancel it again in January 2014 [9]. Currently, Bank of America and Citibank continue
to offer the service. Bank of America’s ShopSafe, which was acquired during the purchase of MBNA in 2005 [10],
is a web-based controlled payments service that customers can also use for recurring payments. Citibank’s
Virtual Account Numbers comes in web-based and downloadable versions, offering similar services to
ShopSafe. Although they accomplish the same goal, it is important to determine the optimal version of the
service by experiencing both products from the customer’s perspective.
[7] https://www.google.com/patents/CA2362033C?cl=en&dq=inassignee:%22Orbis+Patents+Limited%22&hl=en&sa=X&ei=xV5_U6CiL5W0sQSv64DoBA&ved=0CDwQ6AEwAQ
[8] http://www.mastercard.com/us/company/en/newsroom/orbiscom.html
[9] http://www.examiner.com/article/discover-card-axes-temporary-number-program-for-online-purchases
[10] http://www.nbcnews.com/id/8414809/ns/business-us_business/t/bank-america-buys-credit-card-firm-mbna/#.U39g4ShVIoo
Virtual Account Numbers by Citi
Citi’s Virtual Account Numbers is offered to customers in web-based and downloadable versions, both of
which function within a pop-up window that includes sections to generate a number, manage transactions and
manage the current numbers in use. The downloadable version includes an Auto-Fill functionality.
To access the tool, customers must select the Virtual Account Numbers link from the private site account
overview page. Upon reaching the Virtual Account Numbers page, selecting the “Launch” link prompts a pop-
up window with two columns containing options to generate a Rewards Account Number or a Virtual Account
Number.
Virtual Account Number Landing Page
From this landing page, users can directly create a new virtual number by selecting the Generate link, which
displays an image of a Citi card with the card holder name, account number, expiration date, CVV and Amount
limit (if one is set). To use the new information, users can highlight the various pieces of the card to copy and
paste the numbers into the payment information section of the checkout cart at the user’s e-retailer of choice.
Generated Number
Users can set time and spending limits for each new number they generate by selecting Advanced Options
from the landing page. The subsequent page includes boxes for entering a dollar limit and a month-based limit
with a minimum of two months and a maximum of 12 months. After entering the customizable settings, users
then generate a number with the additional preferences.
Advanced Options
Finally, users can view a list of their active virtual account numbers and corresponding transactions by
selecting the View Previous Number link on the landing page. This directs users to a page displaying a list of
recent transactions. A link at the bottom of the page enables users to view their active account numbers, with
columns dedicated to the creation date, merchant, account number, expiration date, dollar limit, and amount
remaining for the account number. By highlighting a row, users can elect to use or close the number by clicking
the respective link below. Closing the number prevents the merchant from using it thereafter.
List of Active Virtual Account Numbers
Citi streamlines the process of using existing virtual account numbers by offering a downloadable version.
Downloadable from the private site Virtual Account Numbers page, users can install a file that runs the Virtual
Account Number service with a single click at e-retailer checkout carts. Users can activate the pop-up window
by selecting the Virtual Account Number file saved to their computer, and can even automatically fill in the
payment information with an Auto-Fill feature. This feature automatically completes the merchant’s checkout
form, effectively automating the process of purchasing goods online.
Overall, Citi’s Virtual Account Number service is incredibly intuitive to use as an isolated tool, and maintains its
usability at online checkout pages with the downloadable option. This firm deserves significant credit for
providing a proactive security product that customers can always use when shopping online. This product gives
users stronger security since they can dedicate a separate number to each retailer with time and spending
limits. In the event of a breach, users can close their virtual number immediately, or if they miss the breach,
the hacker never gains access to the customer’s actual account number and at worst can only use the virtual
number up to its specified spending limit. While not fool-proof, this system works to minimize the damage
caused by hackers.
Generated Number with Auto Fill Functionality
ShopSafe by Bank of America
Bank of America provides a similar service to Citi, but without a downloadable version. Users access the
ShopSafe service from the Security & Fraud section of the private site Help & Support page. Clicking the “Use
ShopSafe” link generates a pop-up window with a landing page giving three options. Users can create a new
number, one for recurring payments, and can view all active numbers.
ShopSafe Landing Page
Creating a new number, whether for a recurring payment or a standard transaction, leads first to a page for
setting time and spending limits. After setting the spending limit and the time limit, with a minimum of two
and a maximum of 12 months, users can click a link creating the number.
Limit Settings
Similar to Citi, the temporary account number is displayed with the spending limit, time limit, CVV number and
card holder name. Users copy and paste the information into the payment information section of the e-retailer’s checkout page.
Generated Number
Users can view all active ShopSafe numbers, however, without the full account number listed, for security
reasons. As an additional security measure, the firm requires users to enter their actual CVV code whenever
they create or use a ShopSafe number, a feature that Citi does not have. Finally, users can select to use or
close an account number from the page listing active account numbers.
Active ShopSafe Numbers List
Number Generation Security Checkpoint
Comparative Analysis: Virtual Account Numbers vs. ShopSafe
While both firms deserve praise for offering substitute credit card tools, Citi’s Virtual Account Numbers stands
apart from Bank of America’s for a number of reasons. Citi’s service includes a downloadable version which
streamlines the checkout process. Citi’s auto-fill feature, available in the downloadable version, allows
customers to quickly fill out information without storing any payment data. Accessing the web-based version
can be a cumbersome process when purchasing online, and runs the risk of having the checkout page time out
before loading the generated number. Although Virtual Account Numbers is a best practice from a user
experience standpoint, ShopSafe includes some unique benefits. ShopSafe includes a recurring monthly
payment setting that allows users to pay their monthly bills. Moreover, the ShopSafe service is offered on all
Bank of America Visa and MasterCard accounts, whereas Citi’s service is only featured on a few select cards.
Now that a familiarity with the product has been established, it is important to examine the problems with the
credit card industry’s other security offerings as well as the limitations of the current best practice.
Service | Offered With | Set Spend Limits | Set Term Limits | Automatic or Manual Process | Free | Special Software Needed | Recurring Monthly Payments | Auto Fill Feature | Downloadable Version
ShopSafe | Visa, MasterCard | Yes | Yes | Manual | | | Yes | No | No
Virtual Account Numbers | Select Cards | Yes | Yes | Automatic or Manual | | | No | Yes | Yes
TWO KEY ISSUES
Issue #1: Large Gap in Security Products Offered
All credit card firms offer similar security features, which include timed log-outs, unique sitekeys and phrases,
24/7 fraud monitoring, and $0 fraud liability. A select group offer additional verification services, such as
Discover’s Enhanced Account Verification, which provides users with one-time passcodes for authenticating an
account log-in. Bank of America’s SafePass feature generates random codes to approve online banking
transactions. While all of these products and features are necessary to assure online safety, little attention is paid
to e-commerce security products. The grid below displays the e-commerce security products offered by firm,
with only Citibank offering products of all types. Some firms, like American Express, provide purchase protection
and extended warranty on purchased items; however, these are not created to prevent fraud in the first place. As
mentioned earlier, Verified by Visa and MasterCard SecureCode offer the functionality of multi-factor
authentication, but do not encrypt data prior to submitting a payment. Another prominent tool, V.me by Visa,
streamlines the checkout process by storing a user’s payment information and auto-filling it at each checkout.
However, this tool has convenience rather than security as a focus.
In observing this wide product offering gap, the key question is: Why haven’t firms caught on to the substitute
card number service and subsequently offered it? The principal answer is actually pretty simple: A low customer
adoption rate. While no firm offers statistics on the adoption rate of its products, it is safe to assume that very
few customers at Bank of America and Citibank use the product. This is evidenced by both Bank of America and
Discover’s continual removal and reinstatement of the product. When few customers use the product,
oftentimes the costs outweigh the revenue, since the credit card firms must pay licensing fees to host the service
on their sites. However, there is also evidence of a minority group of dedicated users. After discontinuing the service
in September 2011, Discover re-instated it one month later, with Discover spokeswoman Laura Gingiss citing
“overwhelming amount[s] of feedback about the discontinuation of secure online account numbers” as the main
driver of the product revamp. Gingiss also implicated the insufficiency of $0 fraud liability policies when saying
“our cardmembers still liked to have the added control of using encrypted account numbers.” [11] And although
Discover once again discontinued the service in February 2014, a customer service representative at Discover
admitted to me that the firm is again receiving strong feedback in support of re-installment, and that the firm is
weighing its options. This vocal minority of supporters could grow if a firm implemented the service in today’s
landscape. Discover’s 2011 rerelease proves that customers care strongly enough about security to demand
services like proxy account numbers.
Firm | Verified by Visa | MasterCard SecureCode | V.me by Visa | Proxy Account Numbers
American Express | | | |
Bank of America | | | | Yes
Barclays | | | |
Capital One | | | |
Chase | | | |
Citibank | Yes | Yes | Yes | Yes
Discover | | | |
PNC | | | |
US Bank | | | |
Wells Fargo | | | |
[11] http://business.time.com/2011/10/19/discover-brings-back-single-use-account-numbers/
Issue #2: Negative UX and Incompatibility with Future Trends
Even though proxy account numbers stand as the current industry best practice, the effort required to
generate a unique number for every online shopping experience is tedious and cumbersome for the user.
ShopSafe isn’t offered as a downloadable software, forcing customers to log in to their online banking account
while also managing their retailer account on the checkout page. And even Citi’s downloadable version grows
tiresome; the very practice of generating and keeping track of temporary account numbers is a negative user
experience. It is simply easier and more natural to use one account number that can be referenced by pulling a
card out of a wallet.
In addition, neither Bank of America nor Citi offers the tool within its mobile app or mobile website. These
products are confined to desktop computers, presenting a threat to the service’s survival, since nearly every
poll indicates that consumers are shifting to mobile. The statistics (see “Key Findings”) indicate that a growing
number of consumers are both shopping and banking with their mobile phones, leaving the virtual card
number services with low visibility for these growing consumers. Given the low visibility among mobile
consumers, Bank of America and Citi are missing opportunities to convert more consumers to the service.
Let’s revisit the claims made. It’s clear that both online shopping and online security breaches are increasing
over time in both extent and intensity. It’s an objective fact that only two out of ten major credit card firms
offer e-commerce security products aimed at encrypting card data at the beginning of the transaction process.
However, it’s also a fact that these products are tedious to use and are not supported on mobile devices. Given
this mix of facts, firms must implement different security products over time. A catch-all recommendation is
not sufficient to keep up with this ever-changing industry.
RECOMMENDATIONS
Short-Term Recommendations
As a short-term recommendation, all credit card firms should adopt the substitute credit card number tool.
The potential demand for the product has increased over time, with 86% of Internet users taking steps to be
anonymous online and 61% changing online information in reaction to Heartbleed alone. This general need to
anonymize information could translate directly to a high demand among online shoppers to also use
anonymous card numbers. Therefore, from a strictly business standpoint, the revenue could potentially
outweigh the costs this time around. And as shown above, the experience of using the tool is simple and
intuitive, which could help in retaining customers who try it for the first time.
Moreover, the software costs would be low since the software has already been designed; presumably,
licensing fees would make up the majority of the actual costs. Since the technology has been in existence for
over a decade, the implementation process would be faster compared with a rollout of an emerging
technology or sponsored product, which oftentimes require merchants to download special software or use
specific payment providers. For example, Verified by Visa and MasterCard SecureCode can only be applied at
participating merchants who are using the 3-D Secure platform. Emerging technologies usually depend on an
overhaul of the payments system or rely on access to internal services that in and of themselves pose new
security threats. Unlike any of these products, the substitute card payments service does not require any
special software for the merchants, since the process of generating a number occurs only on the credit card
issuer side of the transaction. Copying and pasting a randomly-generated payment number into a checkout
cart relies on simple keystrokes rather than new and complex security systems.
Ultimately, the economic consideration of revenue minus cost cannot be answered definitively in this paper.
However, a top concern among prospective buyers of this technology should be the customers’ sense of
safety. Ensuring stronger protection to customers could be more important than profit considerations. Many
costly security products, to be sure, are offered with these priorities in mind.
After implementation, to ensure a decent customer adoption rate, firms should devote a public site webpage
to promote the new tool. For example, Bank of America’s ShopSafe has its own public site page in the Privacy
& Security section, with promotional images and a demo that familiarizes prospective customers with the
service.
Medium-Term Recommendations
Once the service is rolled out on a credit card firm’s website, firms should adapt proxy numbers to a mobile
platform. Given the current number generation process, navigating the tool via mobile would be nearly
impossible. Therefore, firms should integrate it seamlessly into their existing mobile app platforms. The tool
should feature a large button for generating a number and should present the number in a text box with the
ability for it to be copied and pasted into a checkout page. In these ways, firms can acquire mobile-savvy
customers concerned about security, and can better retain customers who already use the web-based versions
of the tools.
Long-Term Outlook
All credit card companies have made sincere efforts to monitor, catch and resolve cases of fraud. Features like $0
fraud liability and SSL technology have become ubiquitous and have also served as the benchmark. However,
neither of those benchmark practices can account for catastrophes in e-commerce. Promising zero liability to a
customer is merely a reactive approach to security, and the promise itself does nothing to prevent fraud from
happening. Meanwhile, SSL technology helps protect websites by encrypting site information, however this
doesn’t accomplish much if online merchants aren’t securing data properly. Moreover, SSL can become
vulnerable, as OpenSSL was compromised by the Heartbleed bug. Given this landscape, the solution is clear:
A higher benchmark must be set, and in the short term that benchmark is proxy credit card numbers. Rolling out
this pre-existing technology is crucial, and adapting it to mobile is also an important step for the near future.
This service could help prevent countless cases of online fraud in the future, and it could also gain back the sense
of safety among customers. However, having an extra layer of protection for every log-in and transaction made
online won’t make the cut in the long-run. The fact that customers need multi-factor authentication tools to
ensure their safety is indicative of a payment processing industry that is long overdue for a major change.
Reconfiguring the payment process so only encrypted data is exchanged would eliminate the need for customers
to authenticate every transaction with a password or a random number. A myriad of start-up companies are
challenging the payment processing industry with newer and sleeker ways of keeping transacted data safe and
hidden.
Or perhaps an unforeseen technology, like fingerprint authentication, could eliminate the need to even rethink
the industry in the first place. In the meantime, it’s better to guarantee security than to speculate.
EIGHT KEY TAKEAWAYS
1. More Consumers are Shopping Online
E-commerce is ballooning into the next big retail industry, with a projected $482.6 billion in sales in North
America in 2014 alone [12]. By 2017, 60% of U.S. retail sales will involve the web [13]. As of Q1 2014, online
retail sales grew by 11% year-over-year [14]. E-commerce will inevitably eclipse brick-and-mortar retailing
over time; therefore, it is critical that credit card firms adjust their product offerings to reflect this now.
2. Consumers are Increasingly Using Mobile Devices
As people increasingly shop online, another inevitable, ongoing trend is the shift among consumers
toward using mobile devices. Most tellingly, 58% of Internet users regularly use their bank’s mobile app [15].
Thirty-four percent of Internet users mostly use their phones to access the Internet, and 63% of mobile
users overall access the Internet, up from 31% in 2009 [16]. Coupling these statistics with the explosion of
e-commerce indicates that credit card firms must not only adjust products to accommodate e-commerce,
but must also make those products compatible with mobile devices.
3. Target and Heartbleed Breaches Damaged Consumer Psyche and Sense of Safety
The Target data breach underscored the inadequacy of current point-of-sale systems at brick-and-mortar
stores, while the Heartbleed bug showed the dangers of also providing merchants with payment data in
online settings. Fifty percent of consumers now worry about the amount of personal data online, up from
33% in 2009 [17]. Meanwhile, 87% say they would not do business with a company that has been subject to a
data breach [18]. The bottom line is that consumers care now more than ever about safety, particularly online
fraud protection, and want to take an active role in safeguarding information.
4. Not Enough Focus on E-Commerce Security Measures and Product Development
In a survey of the 10 credit card firms in Corporate Insight’s Credit Card Monitor group, only two firms
offered e-commerce security products that allowed customers to encrypt or hide their payment data from
merchants when shopping online. Among the other eight firms, there was no consistent security product
or method of protecting account information. At a time when breaches are the norm, there appears to be
little competition among credit card firms to ramp up security and offer products that consumers can be
active in using. The share of breaches discovered through fraud detection has dropped approximately 75%
since 2004 [19], so fraud detection alone is no longer sufficient for protecting both consumers’ data and their sense of safety.
Offering a product that encrypts data before checkout is essential.
[12] http://www.emarketer.com/Article/Global-B2C-Ecommerce-Sales-Hit-15-Trillion-This-Year-Driven-by-Growth-Emerging-Markets/1010575
[13] http://www.internetretailer.com/2013/10/30/60-us-retail-sales-will-involve-web-2017
[14] http://www.internetretailer.com/2014/05/01/web-shows-increased-might-retail
[15] http://www.mobilepaymentstoday.com/article/211341/Study-Despite-increased-use-mobile-payments-banking-dogged-by-security-concerns
[16] http://www.pewinternet.org/2013/09/16/cell-internet-use-2013/
[17] http://www.internetretailer.com/2014/04/14/reports-personal-data-theft-are-rise
[18] http://www.internetretailer.com/2014/04/10/security-breaches-undermine-consumer-confidence-retailers
[19] http://www.verizonenterprise.com/DBIR/2014/
5. Controlled Payment Numbers are Currently the Best Solution
Controlled payment numbers, informally called disposable, proxy, or substitute account numbers, are
randomly generated 16-digit credit card account numbers that stand in for a customer’s actual card number.
By submitting a substitute number to merchants through the online checkout page, customers never
provide merchants their actual card number. This prevents attackers, such as those exploiting the Heartbleed
bug, from decrypting a real card number with a merchant’s encryption key, because the merchant never held
it. This service, offered by Bank of America and Citi, is stronger than an additional password checkpoint such
as Verified by Visa because the proxy number masks the actual data before it is even sent to the merchant.
This gives hackers no entry point to unlock the real payment data. As such, it is the best solution because it
provides the strongest guarantee of protection.
6. Credit Card Firms Should Offer Controlled Payment Numbers
Since substitute account numbers are a proven technology, and since merchants do not need special
software to accept substitute card number payments, all credit card firms concerned about security should
consider offering this product. Adopting a proactive security product consumers can engage with will
prove to be much smarter than maintaining a simply reactive stance on fraud.
7. Develop Controlled Payment Numbers for Mobile Usage
After an immediate rollout of substitute account number services, firms should adapt them according to
mobile usage trends. Currently, substitute account number tools are not compatible with mobile devices;
therefore, firms should develop a mobile-friendly version, preferably integrating it into a firm’s existing
mobile app. This will ensure that consumers who mainly use mobile devices adopt the product quickly.
8. Need for Security Services Indicative of an Outdated Payment Processing Industry
Although this product is a viable short-term and medium-term solution, it forces customers to constantly
generate temporary account numbers – a tedious and cumbersome process. From a user experience
standpoint, this is unsustainable in the long-term. Multiple emerging technologies are in the product
pipeline that will hopefully change both e-commerce and payment processing for good, eliminating the
need for multi-factor authentication products. Until that technology is made publicly available, however,
firms would be wise to implement substitute account number generators.
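As an added illustration of takeaways 5 and 8 (example code written for this page, not Corporate Insight's or any issuer's system), the sketch below shows the issuer-side half of a controlled payment number service: it draws a random, Luhn-valid 16-digit substitute number, maps it to the real account only inside the issuer's vault, and lets it expire or burn after one use, so a merchant's stored records, even if leaked, contain nothing that authorizes further spending. The BIN, the 30-day validity and the single-use default are assumptions.

```python
import secrets
import time
from typing import Dict, Optional

ISSUER_BIN = "411111"  # constructed BIN for this example, not a real issuer range
DAY = 86400            # seconds

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit a Luhn-valid card number."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

class ControlledNumberVault:
    """Issuer-side vault: the merchant only ever receives the substitute number."""
    def __init__(self) -> None:
        self._tokens: Dict[str, dict] = {}

    def issue(self, real_pan: str, valid_days: int = 30, single_use: bool = True,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        while True:  # draw until an unused, Luhn-valid 16-digit number is found
            body = ISSUER_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            proxy = body + luhn_check_digit(body)
            if proxy != real_pan and proxy not in self._tokens:
                break
        self._tokens[proxy] = {"real_pan": real_pan, "single_use": single_use,
                               "used": False, "expires": now + valid_days * DAY}
        return proxy

    def authorize(self, pan_from_merchant: str,
                  now: Optional[float] = None) -> Optional[str]:
        """Resolve a number submitted by a merchant to the real account, or None."""
        now = time.time() if now is None else now
        rec = self._tokens.get(pan_from_merchant)
        if rec is None or rec["used"] or now > rec["expires"]:
            return None  # unknown, already spent, or expired: authorizes nothing
        if rec["single_use"]:
            rec["used"] = True
        return rec["real_pan"]

if __name__ == "__main__":
    vault = ControlledNumberVault()
    proxy = vault.issue("4111111111111111")  # constructed sample card number
    print(proxy, vault.authorize(proxy), vault.authorize(proxy))  # proxy, real PAN, None
```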
Corporate Insight Syndicated Studies
The Millennial Shift: Financial Services and the Digital Generation
With 80 million members, the Millennial generation is the largest in the history
of the United States. They already possess a direct annual spending power of
$200 billion, a number that will increase substantially as they enter their prime
earning years and inherit wealth from their Baby Boomer parents. While this
represents a potentially huge opportunity for financial services firms,
Millennials also pose a clear challenge to the industry’s traditional marketing
strategies and business models. They have different preferences from their
Boomer parents, particularly when it comes to financial products, technology
and the way they interact with companies.
This study will help financial services marketers, product managers and
strategists better understand Millennials and identify effective tactics for
marketing to and serving these individuals.
Release Date: April 2014
2014 Investor Survey Report
CI’s 2014 Investor Survey Report examines the relationship between retail investors
and their brokerage firms, identifying the Web and mobile features that matter
most to different types of investors and have the greatest impact on their overall
satisfaction. Our analysis explores the behaviors and preferences of key
demographic groups including mass affluent and high net worth investors, mobile
brokerage users, active traders and more.
This study answers three questions about investors: What do investors consider the
most important website and mobile features? What activities do investors perform
using their firm's website and mobile app? How can firms improve their offerings to
enhance client satisfaction?
Release Date: June 2014
Next-Generation Investing: Online Startups and the Future of Financial Advice
This is the first comprehensive study on the investing- and personal finance-related
startups that have emerged in the wake of the financial crisis. The study represents
the culmination of nearly two years of research, encompassing over 100 online
startups pioneering a wide variety of unique investment ideas.
The Next-Generation Investing study offers detailed analysis of ten categories of
unique investment products and services. The study features startup profiles with
reviews of innovative online startups challenging traditional models of investing and
planning. We also offer our analysis of the implications for the industry, which
examines the potential impact of these ideas.
Release Date: October 2013
Corporate Insight Thought Leadership
User Insights: Retirement Plan Websites Disappoint Millennial Participants
Our latest User Insights usability study features analysis of the DC plan platforms' UX
strengths and weaknesses from the perspective of actual Millennial participants and
test results for four leading defined contribution plan providers: Fidelity, J.P.
Morgan, TIAA-CREF and VALIC.
Online Communities Across Financial Services - American Express, Bank of
America and TIAA-CREF
This slide deck examines the design and capabilities offered by each firm’s online
community, with a focus on noteworthy site features. We also provide tips for
financial services firms looking to improve their online communities.
Active vs. Passive Investment Management Marketing Practices
In this whitepaper, we examine how three firms – American Funds, MFS and
Vanguard – promote their services in the active and passive management spheres.
We compare the firms’ marketing strengths and weaknesses and place a special
emphasis on online thought leadership, examining the value, volume and website
placement of the pieces the firms produce.
Complete Bitcoin User Experience: Mining, Exchanges, Wallets and Beyond
This study provides a detailed analysis of how Bitcoins are created, traded and
stored. The study includes reviews of the top websites and online services driving
the Bitcoin marketplace including Slush’s Pool, Blockchain.info and Coinbase among
others.
2014 Mobile Finance Trends and Innovations
The 2014 Mobile Finance study draws on our ongoing tracking of the industry as
well as relevant developments outside of the financial services space. This study
includes commentary on mobile developments, key takeaways for financial services
firms and thoughts on what’s next for mobile finance.
Tablet-Friendly Web Design: Best Practices for Financial Services
The study examines the tablet-friendly website features provided by four leading
firms across financial services and provides recommendations for financial services
firms building tablet-optimized websites.