There’s no danger in paying for your own online shopping by invoice, but some online stores make it easy for others to do it with your identity as well. The reasons include legal loopholes, ignorance and the vendor’s wish to offer a convenient purchase experience.
In Finland, invoices are not an official payment method in the vein of credit cards or online bank transfers, so they exist in a type of legal limbo. The payment terms and delivery methods of invoices are regulated, but the law is silent on authentication.
This is a problem because we have no single convenient strong authentication method available in Finland. If strong authentication is not specifically required by law, it can be tempting to go light on the verifications and make shopping as easy as possible for the customer.
There are two principal mistakes payment service providers can make in customer authentication:
- Weak information security.
- Making it unnecessarily difficult to actually buy something.
Both can be avoided, though: there are many ways to combine safe authentication with ease of use.
Qvik recently held a webinar in Finnish whose title roughly translates as "Risks and opportunities of invoicing: Concerns raised by serious data breach". In the webinar, payment service providers gave some pointers on customer authentication and data processing. The panel included Juuso Paulasuo from Collector, Benny Öhman from Svea, Katja Kopra-Kullas from OP Lasku, Juho Putkonen from Fellow Finance and Henri Komu from Arvato, along with independent data security expert Petteri Järvinen.
Making a deal with a stolen identity is easy
The number of data breaches reported to the police has nearly doubled over the past few years, and hundreds of identity thefts are reported every month. The Vastaamo data breach is not yet reflected in these figures, but it could cause a delayed spike in cases.
Misuse of personal data in online stores is also on the rise. Our panelist Juho Putkonen recently demonstrated just how easy it can be by ordering products online with his friends’ details. He did have permission, though.
“I made two purchases with false identities and didn’t even need to use personal identity codes. You could buy the stuff with information publicly available on the internet”, Putkonen says. “It was damn easy.”
One of the purchases was a box of Fazer chocolates, which Putkonen shared with the other speakers.
But real-life fraud can be a nightmare for the victim. The situation is especially difficult if the victim only learns of the misuse after the invoice has already been sent to the debt collectors.
Who’s responsible if the law is silent?
Depending on the contract, either the merchant or payment service provider will bear the losses for a purchase made with a false identity. Some merchants choose weak or barely adequate authentication methods that make buying easy but increase the risk of fraud. In such cases, the parties usually agree that the merchant will shoulder the financial risks.
“As long as skipping strong authentication is not illegal, some merchants will continue to do so”, Öhman says.
“On the other hand, there are many well-informed vendors out there who are also thinking about the damage poor data security can do to their reputations”, Komu points out.
The panel discussed whether strong authentication could be a confidence-building experience for consumers too. They believe that the Vastaamo data breach will have an impact on public awareness of the safety of online shopping.
“Could e-commerce operators create a certificate that would increase consumer confidence by showing that purchasing is subject to certain security standards and requires strong authentication?”, Järvinen suggested.
It remains to be seen whether the market will improve the data security of invoice payments on its own, or whether legislation will be required to address the issue.
Checklist for responsible e-traders
Even many big players are currently lax about customer authentication. If you want to make data breaches, fraud or identity theft harder to commit in your online store, answer at least these questions about your operations:
1. What information is needed to make a purchase in your online store?
The store's data security is weak if purchases can be made with information that is easy to find or easy to guess. Such information includes the customer's name, address, postal code, email address, telephone number and date of birth: none of it proves that the person placing the order is the person who will be invoiced.
2. Has the customer passed strong authentication at any point?
Simply requiring strong customer authentication in connection with the first purchase improves data security considerably.
3. How can customers change their authentication credentials?
It's important to identify the customer when they change essential information. Contact details such as the telephone number, email address and postal address determine where invoices, reminders and one-time codes are delivered, so customers who try to change them should undergo strong customer authentication again.
4. How is your in-house data security competence?
Data breaches often involve negligence, indifference or human error. Train your people to the required level and keep your online store’s certificates up to date.
Customer service also plays an essential role in data security. Provide your staff with clear up-to-date guidelines on critical issues, such as what customers are allowed to do through customer service, what information they can change, and which details can be given over the telephone.
5. How are you processing data? Hint: GDPR.
The General Data Protection Regulation provides a clear description of data processing requirements. Check the requirements for storing and processing data. Among other things, the GDPR requires certain organisations to appoint a Data Protection Officer (DPO); whether yours is one of them depends on the nature and scale of your processing.
Following the GDPR's requirements helps ensure that your processes are in order and that best practices are used to protect data.
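Checklist items 1 to 3 describe a policy rather than a product, so the following is an added example of how such a policy can be expressed in code; it is not Qvik's code or the code of any panelist's company. It models one assumption from the checklist: "strong authentication" is an external event (a bank-ID style login, which is out of scope here) after which the store records a timestamp on the customer account. The class and field names, the 15-minute freshness window and the set of sensitive fields are illustrative assumptions. Invoice payment is refused until the account has been strongly authenticated at least once (item 2), and changes to delivery-critical contact data require a fresh strong authentication even from a logged-in session (item 3); name, address and date of birth (item 1) are never consulted as proof of identity.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Contact fields that decide where invoices, reminders and one-time codes go.
# Changing any of them is a step-up event (checklist item 3). Assumed set.
SENSITIVE_FIELDS = frozenset({"phone", "email", "street_address", "postal_code"})

# Constructed timestamps for the demo scenario below.
T0 = datetime(2024, 1, 1, 12, 0)
LATER = T0 + timedelta(hours=2)


class StepUpRequired(Exception):
    """The request must be retried after the customer completes strong authentication."""


@dataclass
class Customer:
    customer_id: str
    # Time of the most recent strong authentication (bank ID or equivalent);
    # None means the account has never been strongly authenticated.
    strong_auth_at: Optional[datetime] = None
    profile: dict = field(default_factory=dict)


@dataclass
class InvoicePolicy:
    # How recent a strong authentication must be to count as "fresh" when a
    # sensitive field is changed. Assumption for the example, not a legal figure.
    max_auth_age: timedelta = timedelta(minutes=15)

    def record_strong_auth(self, customer: Customer, now: datetime) -> None:
        """Called from the identity-provider callback after a successful strong login."""
        customer.strong_auth_at = now

    def has_fresh_auth(self, customer: Customer, now: datetime) -> bool:
        return (customer.strong_auth_at is not None
                and now - customer.strong_auth_at <= self.max_auth_age)

    def checkout_invoice(self, customer: Customer, order_total: float, now: datetime) -> dict:
        """Item 2: invoice payment is only offered to accounts that have passed strong
        authentication at least once. Publicly findable attributes (item 1) are not
        consulted here at all, so supplying a correct name and address does not help."""
        if customer.strong_auth_at is None:
            raise StepUpRequired("strong authentication required before first invoice purchase")
        return {"customer_id": customer.customer_id, "method": "invoice", "total": order_total}

    def update_profile(self, customer: Customer, changes: dict, now: datetime) -> dict:
        """Item 3: changes to delivery-critical contact data need a fresh strong
        authentication; other fields can be changed from a normal session."""
        touched = SENSITIVE_FIELDS.intersection(changes)
        if touched and not self.has_fresh_auth(customer, now):
            raise StepUpRequired("re-authenticate to change " + ", ".join(sorted(touched)))
        customer.profile.update(changes)
        return dict(customer.profile)


def run_demo() -> list:
    """Walk one customer through the policy and return the outcome of each step."""
    policy = InvoicePolicy()
    customer = Customer("c-1")
    outcomes = []

    def attempt(label, fn):
        try:
            fn()
            outcomes.append(label + ":ok")
        except StepUpRequired:
            outcomes.append(label + ":step-up")

    # A brand-new account cannot pay by invoice, however plausible its name and address.
    attempt("first-invoice", lambda: policy.checkout_invoice(customer, 49.90, T0))
    policy.record_strong_auth(customer, T0)
    attempt("first-invoice-after-auth", lambda: policy.checkout_invoice(customer, 49.90, T0))
    # Two hours later the account is still eligible for invoice purchases ...
    attempt("repeat-invoice", lambda: policy.checkout_invoice(customer, 10.0, LATER))
    # ... and harmless preferences can be changed, but contact data cannot.
    attempt("change-newsletter", lambda: policy.update_profile(customer, {"newsletter": True}, LATER))
    attempt("change-phone-stale", lambda: policy.update_profile(customer, {"phone": "+358401234567"}, LATER))
    policy.record_strong_auth(customer, LATER)
    attempt("change-phone-fresh", lambda: policy.update_profile(customer, {"phone": "+358401234567"}, LATER))
    return outcomes
```

The point of keeping the decision in one small policy object is that it can be reviewed against the checklist and unit-tested, and that customer service, the web shop and any partner API all call the same rules instead of each deciding for itself what counts as identification.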