Loyalty programs have become nearly ubiquitous in the U.S., with most large and mid-sized product and service providers offering some form of frequency or points-based loyalty programs. With so many merchants collecting and storing so much data about their customers, the issue of data security, as pertaining to identity theft or fraud, is becoming a concern for many consumers and consumer advocates. The question is, how can companies better protect their customers’ data to alleviate some of these concerns?
We can look to the payment card industry for ideas and techniques that have proven successful over the years. For instance, Europe and Asia employ chip cards (specifically EMV chip cards), which provide security via on-chip cryptographic keys and processors for encryption and cryptographic signatures. But these cards are relatively expensive and not suitable for most loyalty programs (though some issuers do offer on-chip loyalty programs that coexist with the EMV application). Magnetic stripe cards have used a verification value, generated by enciphering the account number, service code, etc. under a DES key known only to the issuer, but this method only ensures that the data on the card is authentic; it does not authenticate the customer. It must also be remembered that many loyalty programs use the customer’s phone number as the loyalty identifier, which defeats both methods discussed above.
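To make the contrast concrete, here is an added example (not code from the original post or its author) of the magnetic-stripe verification value construction described above, written in Go with the standard library's DES. It assumes the widely documented CVV layout: the PAN, expiry (YYMM) and service code are zero-padded to 32 hex digits and processed under a pair of single-length DES keys; the key values and card data below are constructed samples, not real issuer material.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// allDigits reports whether s is a non-empty string of ASCII digits.
func allDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return len(s) > 0
}

// ComputeCVV derives the three-digit verification value from the account
// number, expiry (YYMM) and service code under the issuer's pair of
// single-length DES keys, following the widely documented CVV construction:
// DES-A over block 1, XOR with block 2, then encrypt-A / decrypt-B / encrypt-A.
func ComputeCVV(keyA, keyB []byte, pan, expiryYYMM, serviceCode string) (string, error) {
	data := pan + expiryYYMM + serviceCode
	if !allDigits(data) || len(data) > 32 {
		return "", errors.New("PAN, expiry and service code must be digits, at most 32 in total")
	}
	raw, _ := hex.DecodeString(data + strings.Repeat("0", 32-len(data))) // right-pad to 16 bytes
	ca, err := des.NewCipher(keyA)
	if err != nil {
		return "", err
	}
	cb, err := des.NewCipher(keyB)
	if err != nil {
		return "", err
	}
	var t [8]byte
	ca.Encrypt(t[:], raw[:8])
	for i := range t {
		t[i] ^= raw[8+i]
	}
	ca.Encrypt(t[:], t[:])
	cb.Decrypt(t[:], t[:])
	ca.Encrypt(t[:], t[:])
	// Decimalize: decimal digits of the ciphertext first (in order), then the
	// hex letters a-f mapped to 0-5; the CVV is the first three digits.
	h := hex.EncodeToString(t[:])
	var out strings.Builder
	for _, c := range h {
		if c <= '9' {
			out.WriteRune(c)
		}
	}
	for _, c := range h {
		if c >= 'a' {
			out.WriteByte(byte(c-'a') + '0')
		}
	}
	return out.String()[:3], nil
}

// VerifyCVV recomputes the value for the data read from the card and compares
// it in constant time. It proves only that the track data is genuine: anyone
// holding a copy of the track passes this check.
func VerifyCVV(keyA, keyB []byte, pan, expiryYYMM, serviceCode, presented string) bool {
	want, err := ComputeCVV(keyA, keyB, pan, expiryYYMM, serviceCode)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(presented)) == 1
}

func main() {
	keyA, _ := hex.DecodeString("0123456789ABCDEF") // constructed sample keys,
	keyB, _ := hex.DecodeString("FEDCBA9876543210") // never real issuer keys
	pan, exp, svc := "4111111111111111", "2512", "101" // constructed card data
	cvv, err := ComputeCVV(keyA, keyB, pan, exp, svc)
	if err != nil {
		panic(err)
	}
	fmt.Println("CVV on the stripe:", cvv)
	fmt.Println("genuine track verifies:", VerifyCVV(keyA, keyB, pan, exp, svc, cvv))
	fmt.Println("altered service code verifies:", VerifyCVV(keyA, keyB, pan, exp, "201", cvv))
}
```

Changing any digit of the track data changes the value, so the check catches altered or fabricated track data; but VerifyCVV needs nothing beyond what is already written on the stripe, which is exactly why it cannot distinguish the customer from someone holding a copy of the card.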
However, the payment card industry also utilizes online PIN verification to authenticate the cardholder, which gives two-factor authentication (i.e., the card number and the PIN), making fraud and identity theft more difficult. The PIN is cryptographically linked to the account number via a 3DES key (known as a PIN offset) and can work for both card-based and phone-number-based loyalty programs. There are, of course, pros and cons to the addition of PINs to a loyalty process.
Pros:
- Relatively simple and inexpensive to implement
- Two-factor authentication gives added security
- PIN is cryptographically linked to the account number (card or phone number)
- PIN can be used to verify the customer by phone support personnel (to reduce identity theft)
Cons:
- If a PIN pad is used, there is extra cost and hardware at the POS
- HSM integration on the backend
- Another number the customer must remember
- Extra time to process loyalty transactions (i.e., the time required to enter the PIN)
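As an added example of the PIN-to-account linkage described above (not code from the original post or its author), the following Go program implements the common offset-style scheme: the account identifier is enciphered under a 3DES PIN verification key to give a "natural" PIN, the stored offset is the digit-wise difference between the customer's chosen PIN and that natural PIN, and verification recomputes the sum. It assumes 4-digit PINs, the usual decimalization table 0123456789012345, a 16-byte double-length key, an identifier of at most 16 digits, and that a phone-number identifier is handled by zero-padding its digits; the key and account values are constructed samples.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Assumptions (not from the post): 4-digit PINs, decimalization table
// 0123456789012345, a 1-16 digit identifier and a 16-byte PVK kept in the HSM.
const (
	pinLength           = 4
	decimalizationTable = "0123456789012345"
)

func allDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return len(s) > 0
}

// NaturalPIN zero-pads the digits of the identifier (card or phone number) to 16
// hex digits, encrypts that block under the PVK (3DES) and decimalizes the result.
func NaturalPIN(pvk []byte, accountID string) (string, error) {
	var digits strings.Builder
	for _, r := range accountID {
		if r >= '0' && r <= '9' {
			digits.WriteRune(r)
		}
	}
	d := digits.String()
	if d == "" || len(d) > 16 || len(pvk) != 16 {
		return "", errors.New("need a 1-16 digit identifier and a 16-byte PVK")
	}
	block, err := des.NewTripleDESCipher(append(append([]byte{}, pvk...), pvk[:8]...)) // K1|K2|K1
	if err != nil {
		return "", err
	}
	in, _ := hex.DecodeString(strings.Repeat("0", 16-len(d)) + d) // decimal digits are valid hex
	out := make([]byte, 8)
	block.Encrypt(out, in)
	pin := make([]byte, 0, pinLength)
	for _, h := range hex.EncodeToString(out)[:pinLength] { // lowercase hex
		pin = append(pin, decimalizationTable[strings.IndexRune("0123456789abcdef", h)])
	}
	return string(pin), nil
}

// GenerateOffset returns the stored value: offset[i] = (customerPIN[i] - naturalPIN[i]) mod 10.
func GenerateOffset(pvk []byte, accountID, customerPIN string) (string, error) {
	if len(customerPIN) != pinLength || !allDigits(customerPIN) {
		return "", fmt.Errorf("PIN must be %d digits", pinLength)
	}
	np, err := NaturalPIN(pvk, accountID)
	if err != nil {
		return "", err
	}
	off := make([]byte, pinLength)
	for i := range off {
		off[i] = byte((int(customerPIN[i])-int(np[i])+10)%10) + '0'
	}
	return string(off), nil
}

// VerifyPIN recomputes naturalPIN + offset (mod 10 per digit) and compares it
// with the entered PIN in constant time; malformed input fails closed.
func VerifyPIN(pvk []byte, accountID, offset, enteredPIN string) bool {
	if len(offset) != pinLength || !allDigits(offset) || len(enteredPIN) != pinLength || !allDigits(enteredPIN) {
		return false
	}
	np, err := NaturalPIN(pvk, accountID)
	if err != nil {
		return false
	}
	expected := make([]byte, pinLength)
	for i := range expected {
		expected[i] = byte((int(np[i])+int(offset[i])-2*'0')%10) + '0'
	}
	return subtle.ConstantTimeCompare(expected, []byte(enteredPIN)) == 1
}

func main() {
	pvk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed sample key
	account := "555-123-4567"                                      // constructed phone identifier
	offset, err := GenerateOffset(pvk, account, "2468")
	if err != nil {
		panic(err)
	}
	fmt.Printf("offset stored for %s: %s\n", account, offset)
	fmt.Println("correct PIN:", VerifyPIN(pvk, account, offset, "2468"))
	fmt.Println("wrong PIN:", VerifyPIN(pvk, account, offset, "1234"))
	fmt.Println("same offset, other account:", VerifyPIN(pvk, "555-123-9999", offset, "2468"))
}
```

Because the offset is only meaningful relative to the natural PIN of its own account, an offset lifted from one record and presented with another identifier does not verify, which is the property that lets the same scheme cover both card-number and phone-number programs. In a deployment the PVK is generated and held in the HSM the list above mentions; the host passes the identifier, stored offset and entered PIN to the HSM for the comparison rather than computing it in application code.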
There could, of course, be variations on the PIN process, such as only prompting for the PIN based on usage velocity (i.e., if the loyalty account number was used many times in one day or at sites outside of normal activity), or the customer’s account could be “flagged” for a PIN prompt on the backend by the merchant.
As loyalty programs increase in number and complexity, fraud and identity theft will most likely also increase. The addition of a PIN to the loyalty process is just one possible tool to combat the problem. Mobile applications allow greater flexibility and capabilities to thwart fraudsters (e.g., session keys that expire after each login/transaction, hashing of data, NFC, etc.), but are not always the right option for a loyalty program.