1

Online Shopping Carts

The Next Security Battleground

2

About Corporate Insight Corporate Insight (CI) provides competitive intelligence and user experience research to the nation's leading

financial institutions. For over 20 years, Corporate Insight has tracked new developments in the financial

services industry through our Monitor research and custom consulting services. We are known for our

detailed, objective research, unmatched expertise, and emphasis on the actual user experience. There are no

assumptions in CI’s work – we use live accounts at the firms we track to benchmark their effectiveness and

give our clients unparalleled competitive intelligence.

Corporate Insight is continuously tracking and identifying best practices in online asset management, banking

and investing, insurance, annuities, mobile finance, active trading platforms, social media and other emerging

areas. In the process, we have helped our clients across financial services stay on top of industry trends and

improve their competitive position.

PRESS COVERAGE

CONTACT US Doug Miller

Director of Research

dmiller@corporateinsight.com

Connect with Doug

Media Inquiries

Joshua Grandy, Director of Public Relations:

(646) 876 7524

pr@corporateinsight.com

CONNECT WITH CI

3

TABLE OF CONTENTS

Introduction .............................................................................................................................................. 1

Background ............................................................................................................................................... 2

Controlled Payment Numbers .................................................................................................................. 3

Virtual Account Numbers by Citi ........................................................................................................... 4

ShopSafe by Bank of America ............................................................................................................... 7

Comparative Analysis: Virtual Account Numbers vs. ShopSafe ............................................................ 9

Two Key Issues ........................................................................................................................................ 10

Issue #1: Large Gap in Security Products Offered ............................................................................... 10

Issue #2: Negative UX and Incompatibility with Future Trends ......................................................... 11

Recommendations .................................................................................................................................. 12

Short-Term Recommendations ........................................................................................................... 12

Medium-Term Recommendations ...................................................................................................... 12

Long-Term Outlook ............................................................................................................................. 13

Eight Key Takeaways ............................................................................................................................... 14

Corporate Insight Syndicated Studies..................................................................................................... 16

Corporate Insight Thought Leadership ................................................................................................... 16

1

INTRODUCTION

The Target data breach1 and the Heartbleed bug2 intensified a focus on the vulnerability of personal credit card data in both the physical and digital realms. As a natural consequence, consumers have become increasingly concerned about giving their card data to physical and online merchants. EMV chips for physical cards served as the solution to the Target breach. But what can prevent or at least mitigate e-commerce incidents similar to Heartbleed, wherein hackers gain the encryption keys to unscramble payment information? What is the security product that will keep information secure at online points of sale? We’ve already identified the way to strengthen security at cash registers, but online shopping carts are inevitably the next security battleground. As consumers shift to online shopping at greater rates, it is crucial for credit card companies to turn their attention to developing more effective cybersecurity products. In this whitepaper, a current best practice will be identified with the hopes that other credit card companies will implement it in the near term. Credit card issuers, positioned at the intersection of merchants and consumers, for the most part have not focused on minimizing identity theft in online checkout systems specifically. There is an established and accessible cybersecurity product with the capability of masking card data in online points-of-sale – however, it is only currently in use by Bank of America and Citibank. This product, known formally as a controlled payment number, generates proxy account card numbers that stand in for a user’s actual card number. In providing a proxy number, users never supply a merchant with real data, even at the checkout page. The “heartbeat” sent between the servers never includes the real number, giving a hacker no chance to unscramble the payment data of the user’s physical card. At best, the hacker would de-encrypt the proxy number, giving them much less power to spend recklessly. Like EMV chip technology, this substitute credit card number service is not a new invention, but is surprisingly hard to find as an offering among credit card firms. Unlike the EMV chips, however, substitute card numbers do not require an overhaul of any payment systems for either the merchants or the card issuers. For these reasons, this product could be implemented across all credit card firms and could help prevent future e-commerce breaches.

1 https://corporate.target.com/about/payment-card-issue.aspx 2 http://heartbleed.com/

2

BACKGROUND

On December 19, 2013, a blogger broke the news that Target Corporation had been afflicted by a data breach, the severity of which became known in the months following. All told, Target’s overexposed point-of-sale systems virtually placed 40 million credit cards and 70 million emails into the hands of a few hackers. Although the credit card data was stolen at the brick-and-mortar retail chain, only three months later, consumers became aware of the pervasiveness of security breaches when the Heartbleed Bug was discovered in April 2014. The bug, exploiting a flaw in the Open Secure Socket Layer (SSL) system, gave the perpetrators access to encryption keys, enabling them to unscramble sensitive consumer information which passed through the “heartbeat” between two servers. The victims of these breaches have been the consumers, and the damage to the consumer psyche is undeniable. According to a Pew Research Center poll, 61% of Internet users have taken measures to protect themselves from Heartbleed3. And Heartbleed, not the Target data breach, represents the future nature of fraud attacks, which are increasingly happening online. Online attacks increased from 21% of total attacks during all of 2011-2013 to 35% of total attacks in 2013 alone, while breaches at physical stores decreased from 31% to 14% over the same period4. Thus, there is great need for a security product consumers can control and interact with for use in online shopping settings. As the latest round of security breaches snatches up vast volumes of consumer data, and as consumers experience the psychological and behavioral effects associated with these breaches, what e-commerce security products are the credit card companies offering? Very few, if any. Despite being the nexus for all the pieces in these transactions, credit card issuers have done little to ramp up their e-commerce security products, and the products offered vary greatly in sophistication. In talking with representatives at the 10 credit card companies in Corporate Insight’s monitor group, nearly all of them cited their fraud monitoring as the main security feature, and assured me that if my card data were compromised, I would not be held liable. However, even if a credit card issuer does its due diligence, it can’t control the e-retailer’s behavior. Online merchants perform minimal fraud monitoring. In a survey of e-retailers, 32% do not perform any fraud screening online, and 61% manually review just 10% of transactions5. In another poll, 87% of consumers say they are not likely to do business with a company that has experienced a data breach. And since 95% of web attacks targeted payment card information6, credit card companies have many customers who could directly be impacted by online identity theft. Rather than relying on fraud monitoring, offering a proxy number service to customers could lower the incidence of fraud by preventing it at the beginning of the transaction process.

3 http://www.internetretailer.com/2014/04/30/consumers-respond-and-try-suture-heartbleed-bug 4 http://www.internetretailer.com/2014/04/23/criminals-successfully-break-more-retail-web-sites-2013 5 http://www.internetretailer.com/2013/11/07/e-commerce-authentication-system-moves-checkout-page 6 http://www.internetretailer.com/2014/04/23/criminals-successfully-break-more-retail-web-sites-2013

3

CONTROLLED PAYMENT NUMBERS

Devised and patented in the late 1990s7 by the Irish company Orbiscom (which was acquired by MasterCard in 20098), controlled payment numbers give credit card customers a security tool enabling them to create a randomly-generated number for use at online checkout carts. The software is offered in web-based and downloadable versions. In either format, users load the software during the online checkout process and generate a number. The tool generates an account number, expiration date and security code, which the user copies and pastes into the payment information section on a checkout page. Users can set spending and time limits on each number generated, giving them the flexibility to use the numbers for an extended but limited period of time. Each saved number can only be used at a single merchant. Controlled payment numbers garner value for these reasons only, and do not safeguard data in other situations. They do not set a blockade preventing hackers from gaining access to personal online banking accounts. Verification services, such as Discover’s Enhanced Account Verification, prevent these particular incidents by sending a verification code to a user’s phone. Controlled payment numbers also do not prevent computer viruses from invading computer hardware or software, which companies like McAfee are tasked to prevent. In addition, the service is different from Verified by Visa and MasterCard SecureCode, which both require a pre-set password before finalizing an online order. It is critically important to understand that controlled payment numbers only prevent merchants or the hackers of merchants’ servers from ever accessing real payment data, and that the encryption occurs before a transaction is sent through. Since Orbiscom developed the software, the technology has been adopted by a number of large firms, including Citibank, American Express, Bank of America and Discover. While American Express discontinued their “Private Payments” service in 2004, the other three firms continue to offer it and remove it every few years. In 2011, Discover discontinued its Secure Online Account Numbers service but re-instated it after customer feedback, only to cancel it again in January 20149. Currently, Bank of America and Citibank continue to offer the service. Bank of America’s ShopSafe, which was acquired during the purchase of MBNA in 200510, is a web-based controlled payments service that customers can also use for recurring payments. Citibank’s Virtual Account Numbers comes in web-based and downloadable versions, offering similar services to ShopSafe. Although they accomplish the same goal, it is important to determine the optimal version of the service by experiencing both products from the customer’s perspective.

7https://www.google.com/patents/CA2362033C?cl=en&dq=inassignee:%22Orbis+Patents+Limited%22&hl=en&sa=X&ei=xV5_U6CiL5W0sQSv64DoBA&ved=0CDwQ6AEwAQ 8 http://www.mastercard.com/us/company/en/newsroom/orbiscom.html 9 http://www.examiner.com/article/discover-card-axes-temporary-number-program-for-online-purchases 10 http://www.nbcnews.com/id/8414809/ns/business-us_business/t/bank-america-buys-credit-card-firm-mbna/#.U39g4ShVIoo

4

Virtual Account Numbers by Citi

Citi’s Virtual Account Numbers is offered to customers in web-based and downloadable versions, both of

which function within a pop-up window that includes sections to generate a number, manage transactions and

manage the current numbers in use. The downloadable version includes an Auto-Fill functionality.

To access the tool, customers must select the Virtual Account Numbers link from the private site account

overview page. Upon reaching the Virtual Account Numbers page, selecting the “Launch” link prompts a pop-

up window with two columns containing options to generate a Rewards Account Number or a Virtual Account

Number.

Virtual Account Number Landing Page

From this landing page, users can directly create a new virtual number by selecting the Generate link, which

displays an image of a Citi card with the card holder name, account number, expiration date, CVV and Amount

limit (if one is set). To use the new information, users can highlight the various pieces of the card to copy and

paste the numbers into the payment information section of the checkout cart at the user’s e-retailer of choice.

Generated Number

5

Users can set time and spending limits for each new number they generate by selecting Advanced Options

from the landing page. The subsequent page includes boxes for entering a dollar limit and a month-based limit

with a minimum of two months and a maximum of 12 months. After entering the customizable settings, users

then generate a number with the additional preferences.

Advanced Options

Finally, users can view a list of their active virtual account numbers and corresponding transactions by

selecting the View Previous Number link on the landing page. This directs users to a page displaying a list of

recent transactions. A link at the bottom of the page enables users to view their active account numbers, with

columns dedicated to the creation date, merchant, account number, expiration date, dollar limit, and amount

remaining for the account number. By highlighting a row, users can elect to use or close the number by clicking

the respective link below. Closing the number prevents the merchant from using it thereafter.

List of Active Virtual Account Numbers

6

Citi streamlines the process of using existing virtual account numbers by offering a downloadable version.

Downloadable from the private site Virtual Account Numbers page, users can install a file that runs the Virtual

Account Number service with a single click at e-retailer checkout carts. Users can activate the pop-up window

by selecting the Virtual Account Number file saved to their computer, and can even automatically fill in the

payment information with an Auto-Fill feature. This feature automatically completes the merchant’s checkout

form, effectively automating the process of purchasing goods online.

Overall, Citi’s Virtual Account Number service is incredibly intuitive to use as an isolated tool, and maintains its

usability at online checkout pages with the downloadable option. This firm deserves significant credit for

providing a proactive security product that customers can always use when shopping online. This product gives

users stronger security since they can dedicate a separate number to each retailer with time and spending

limits. In the event of a breach, users can close their virtual number immediately, or if they miss the breach,

the hacker never gains access to the customer’s actual account number and at worst can only use the virtual

number up to its specified spending limit. While not fool-proof, this system works to minimize the damage

caused by hackers.

Generated Number with Auto Fill Functionality

7

ShopSafe by Bank of America

Bank of America provides a similar service to Citi, but without a downloadable version. Users access the ShopSafe service from the Security & Fraud section of the private site Help & Support page. Clicking the “Use ShopSafe” link generates a pop-up window with a landing page giving three options. Users can create a new number, one for recurring payments, and can view all active numbers.

ShopSafe Landing Page

Creating a new number, whether for a recurring payment or a standard transaction, leads first to a page for setting time and spending limits. After setting the spending limit and the time limit, with a minimum of two and a maximum of 12 months, users can click a link creating the number.

Limit Settings

8

Similar to Citi, the temporary account number is displayed with the spending limit, time limit, CVV number and card holder name. Users copy and paste the information into the payment information section of the e-retailer’s checkout page.

Generated Number

Users can view all active ShopSafe numbers, however, without the full account number listed, for security reasons. As an additional security measure, the firm requires users to enter their actual CVV code whenever they create or use a ShopSafe number, a feature that Citi does not have. Finally, users can select to use or close an account number from the page listing active account numbers.

Active ShopSafe Numbers List

9

Number Generation Security Checkpoint

Comparative Analysis: Virtual Account Numbers vs. ShopSafe

While both firms deserve praise for offering substitute credit card tools, Citi’s Virtual Account Numbers stands apart from Bank of America’s for a number of reasons. Citi’s service includes a downloadable version which streamlines the checkout process. Citi’s auto-fill feature, available in the downloadable version, allows customers to quickly fill out information without storing any payment data. Accessing the web-based version can be a cumbersome process when purchasing online, and runs the risk of having the checkout page time out before loading the generated number. Although Virtual Account Numbers is a best practice from a user experience standpoint, ShopSafe includes some unique benefits. ShopSafe includes a recurring monthly payment setting that allows users to pay their monthly bills. Moreover, the ShopSafe service is offered on all Bank of America Visa and MasterCard accounts, whereas Citi’s service is only featured on a few select cards. Now that a familiarity with the product has been established, it is important to examine the problems with the credit card industry’s other security offerings as well as the limitations of the current best practice.

Service Offered

With

Set Spend Limits

Set Term Limits

Automatic or Manual

Process Free

Special Software Needed

Recurring Monthly

Payments

Auto Fill

Feature

Downloadable Version

ShopSafe Visa,

MasterCard Manual

Virtual Account Numbers

Select Cards

Automatic or Manual

10

TWO KEY ISSUES Issue #1: Large Gap in Security Products Offered All credit card firms offer similar security features, which include timed log-outs, unique sitekeys and phrases, 24/7 fraud monitoring, and $0 fraud liability. A select group offer additional verification services, such as Discover’s Enhanced Account Verification, which provides users with one-time passcodes for authenticating an account log-in. Bank of America’s SafePass feature generates random codes to approve online banking transactions. While all of these products and features are necessary to assure online safety, little attention is paid to e-commerce security products. The grid below displays the e-commerce security products offered by firm, with only Citibank offering products of all types. Some firms, like American Express, provide purchase protection and extended warranty on purchased items; however, these are not created to prevent fraud in the first place. As mentioned earlier, Verified by Visa and MasterCard SecureCode offer the functionality of multi-factor authentication, but do not encrypt data prior to submitting a payment. Another prominent tool, V.me by Visa, streamlines the checkout process by storing a user’s payment information and auto-filling it at each checkout. However, this tool has convenience rather than security as a focus.

In observing this wide product offering gap, the key question is: Why haven’t firms caught on to the substitute card number service and subsequently offered it? The principal answer is actually pretty simple: A low customer adoption rate. While no firms offer statistics on the adoption rate of its products, it is safe to assume that very few customers at Bank of America and Citibank use the product. This is evidenced by both Bank of America and Discover’s continual removal and reinstatement of the product. When few customers use the product, oftentimes the costs outweigh the revenue, since the credit card firms must pay licensing fees to host the service on its site. However, there is also evidence of a minority group of dedicated users. After discontinuing the service in September 2011, Discover re-instated it one month later, with Discover spokeswoman Laura Gingiss citing “overwhelming amount[s] of feedback about the discontinuation of secure online account numbers” as the main driver of the product revamp. Gingiss also implicated the insufficiency of $0 fraud liability policies when saying “our cardmembers still liked to have the added control of using encrypted account numbers.”11 And although Discover once again discontinued the service in February 2014, a customer service representative at Discover admitted to me that the firm is again receiving strong feedback in support of re-installment, and that the firm is weighing its options. This vocal minority of supporters could grow if a firm implemented the service in today’s landscape. Discover’s 2011 rerelease proves that customers care strongly enough about security to demand services like proxy account numbers.

Firm Verified by Visa MasterCard SecureCode

V.me by Visa Proxy Account

Numbers

American Express

Bank of America

Barclays

Capital One

Chase

Citibank

Discover

PNC

US Bank

Wells Fargo

11 http://business.time.com/2011/10/19/discover-brings-back-single-use-account-numbers/

11

Issue #2: Negative UX and Incompatibility with Future Trends Even though proxy account numbers stand as the current industry best practice, the effort required to generate a unique number for every online shopping experience is tedious and cumbersome for the user. ShopSafe isn’t offered as a downloadable software, forcing customers to log in to their online banking account while also managing their retailer account on the checkout page. And even Citi’s downloadable version grows tiresome; the very practice of generating and keeping track of temporary account numbers is a negative user experience. It is simply easier and more natural to use one account number that can be referenced by pulling a card out of a wallet. In addition, neither Bank of America nor Citi offer the tool within their mobile apps or mobile websites. These products are confined to desktop computers, presenting a threat to the service’s survival, since nearly every poll indicates that consumers are shifting to mobile. The statistics (see “Key Findings”) indicate that a growing number of consumers are both shopping and banking with their mobile phones, leaving the virtual card number services with low visibility for these growing consumers. Given the low visibility among mobile consumers, Bank of America and Citi are missing opportunities to convert more consumers to the service. Let’s revisit the claims made. It’s clear that both online shopping and online security breaches are increasing over time in both extensity and intensity. It’s an objective fact that only two out of ten major credit card firms offer e-commerce security products aimed at encrypting card data at the beginning of the transaction process. However, it’s also a fact that these products are tedious to use and are not supported on mobile devices. Given this mix of facts, firms must implement different security products over time. A catch-all recommendation is not sufficient to keep up with this ever-changing industry.

12

RECOMMENDATIONS Short-Term Recommendations

As a short-term recommendation, all credit card firms should adopt the substitute credit card number tool. The potential demand for the product has increased over time, with 86% of Internet users taking steps to be anonymous online and 61% changing online information in reaction to Heartbleed alone. This general need to anonymize information could translate directly to a high demand among online shoppers to also use anonymous card numbers. Therefore, from a strictly business standpoint, the revenue could potentially outweigh the costs this time around. And as shown above, the experience of using the tool is simple and intuitive, which could help in retaining customers who try it for the first time. Moreover, the software costs would be low since the software has already been designed; presumably, licensing fees would make up the majority of the actual costs. Since the technology has been in existence for over a decade, the implementation process would be faster compared with a rollout of an emerging technology or sponsored product, which oftentimes require merchants to download special software or use specific payment providers. For example, Verified by Visa and MasterCard SecureCode can only be applied at participating merchants who are using the 3-D Secure platform. Emerging technologies usually depend on an overhaul of the payments system or rely on access to internal services that in and of themselves pose new security threats. Unlike any of these products, the substitute card payments service does not require any special software for the merchants, since the process of generating a number occurs only on the credit card issuer side of the transaction. Copying and pasting a randomly-generated payment number into a checkout cart relies on simple keystrokes rather than new and complex security systems. Ultimately, the economic consideration of revenue minus cost cannot be answered definitively in this paper. However, a top concern among prospective buyers of this technology should be the customers’ sense of safety. Ensuring stronger protection to customers could be more important than profit considerations. Many costly security products, to be sure, are offered with these priorities in mind.

After implementation, to ensure a decent customer adoption rate, firms should devote a public site webpage to promote the new tool. For example, Bank of America’s ShopSafe has its own public site page in the Privacy & Security section, with promotional images and a demo that familiarizes prospective customers with the service.

Medium-Term Recommendations

Once the service is rolled out on a credit card firm’s website, firms should adapt proxy numbers to a mobile platform. Given the current number generation process, navigating the tool via mobile would be nearly impossible. Therefore, firms should integrate it seamlessly into their existing mobile app platforms. The tool should feature a large button for generating a number and should present the number in a text box with the ability for it to be copied and pasted into a checkout page. In these ways, firms can acquire mobile-savvy customers concerned about security, and can better retain customers who already use the web-based versions of the tools.

13

Long-Term Outlook

All credit card companies have made sincere efforts to monitor, catch and resolve cases of fraud. Features like $0 fraud liability and SSL technology have become ubiquitous and have also served as the benchmark. However, neither of those benchmark practices can account for catastrophes in e-commerce. Promising zero liability to a customer is merely a reactive approach to security, and the promise itself does nothing to prevent fraud from happening. Meanwhile, SSL technology helps protect websites by encrypting site information, however this doesn’t accomplish much if online merchants aren’t securing data properly. Moreover, SSL can become vulnerable, as the Open SSL was compromised by the Heartbleed bug. Given this landscape, the solution is clear: A higher benchmark must be set, and in the short term that benchmark is proxy credit card numbers. Rolling out this pre-existing technology is crucial, and adapting it to mobile is also an important step for the near future. This service could help prevent countless cases of online fraud in the future, and it could also gain back the sense of safety among customers. However, having an extra layer of protection for every log-in and transaction made online won’t make the cut in the long-run. The fact that customers need multi-factor authentication tools to ensure their safety is indicative of a payment processing industry that is long overdue for a major change. Reconfiguring the payment process so only encrypted data is exchanged would eliminate the need for customers to authenticate every transaction with a password or a random number. A myriad of start-up companies are challenging the payment processing industry with newer and sleeker ways of keeping transacted data safe and hidden. Or perhaps an unforeseen technology, like fingerprint authentication, could eliminate the need to even rethink the industry in the first place. In the meantime, it’s better to guarantee security than to speculate.

14

EIGHT KEY TAKEAWAYS

1. More Consumers are Shopping Online E-commerce is ballooning into the next big retail industry, with a projected $482.6 billion in sales in North America in 2014 alone12. By 2017, 60% of U.S. retail sales will involve the web13. As of Q1 2014, online retail sales grew by 11% year-over-year14. E-commerce will inevitably eclipse brick-and-mortar retailing over time, therefore it is critical that credit card firms adjust their product offerings to reflect this now.

2. Consumers are Increasingly Using Mobile Devices As people increasingly shop online, another inevitable ongoing trend is the shift among consumers towards using mobile devices. Most tellingly, 58% of Internet users regularly use their bank’s mobile app15. Thirty-four percent of Internet users mostly use their phones to access the Internet, and 63% of mobile users overall access the Internet, up from 31% in 200916. Coupling these statistics with the explosion of e-commerce indicates that credit card firms must not only adjust products to accommodate e-commerce, but must also make those products compatible with mobile devices.

3. Target and Heartbleed Breaches Damaged Consumer Psyche and Sense of Safety

The Target data breach underscored the inadequacy of current point-of-sale systems at brick-and-mortar stores, while the Heartbleed bug showed the dangers of also providing merchants with payment data in online settings. Fifty percent of consumers now worry about the amount of personal data online, up from 33% in 200917. Meanwhile, 87% say they would not do business with a company that has been subject to a data breach18. The bottom line is that consumers care now more than ever about safety, particularly online fraud protection, and want to take an active role in safeguarding information.

4. Not Enough Focus on E-Commerce Security Measures and Product Development In a survey of the 10 credit card firms in Corporate Insight’s Credit Card Monitor group, only two firms offered e-commerce security products that allowed customers to encrypt or hide their payment data from merchants when shopping online. Among the other eight firms, there was no consistent security product or method of protecting account information. At a time when breaches are the norm, there appears to be little competition among credit card firms to ramp up security and offer products that consumers can be active in using. Fraud detection has dropped approximately 75% since 2004 as the method of breach discovery19, and is no longer sufficient for protecting both consumers’ data and their sense of safety. Offering a product that encrypts data before checkout is essential.

12 http://www.emarketer.com/Article/Global-B2C-Ecommerce-Sales-Hit-15-Trillion-This-Year-Driven-by-Growth-Emerging-Markets/1010575 13 http://www.internetretailer.com/2013/10/30/60-us-retail-sales-will-involve-web-2017 14 http://www.internetretailer.com/2014/05/01/web-shows-increased-might-retail 15 http://www.mobilepaymentstoday.com/article/211341/Study-Despite-increased-use-mobile-payments-banking-dogged-by-security-concerns 16 http://www.pewinternet.org/2013/09/16/cell-internet-use-2013/ 17 http://www.internetretailer.com/2014/04/14/reports-personal-data-theft-are-rise 18 http://www.internetretailer.com/2014/04/10/security-breaches-undermine-consumer-confidence-retailers 19 http://www.verizonenterprise.com/DBIR/2014/

15

5. Controlled Payment Numbers are Currently the Best Solution Controlled payment numbers, informally called disposable, proxy, or substitute account numbers, are randomly-generated 16-digit credit card account numbers that represent a customer’s actual card number. By submitting a substitute number to merchants through the online checkout page, customers never provide merchants their actual card number. This prevents hackers like the Heartbleed bug perpetrators from de-encrypting a real card number with a merchant’s encryption key. This service, offered by Bank of America and Citi, is stronger than an additional password checkpoint such as Verified by Visa because the proxy number serves to encrypt the actual data before it is even sent to the merchant. This gives hackers no entry point to unlock the real payment data. As such, it is the best solution because it provides the strongest guarantee of protection.

6. Credit Card Firms Should Offer Controlled Payment Numbers Since substitute account numbers are a proven technology, and since merchants do not need special software to accept substitute card number payments, all credit card firms concerned about security should consider offering this product. Adopting a proactive security product consumers can engage with will prove to be much smarter than maintaining a simply reactive stance on fraud.

7. Develop Controlled Payment Numbers for Mobile Usage After an immediate rollout of substitute account number services, firms should adapt them according to mobile usage trends. Currently, substitute account number tools are not compatible with mobile devices; therefore, firms should develop a mobile-friendly version, preferably integrating it into a firm’s existing mobile app. This will ensure that consumers who mainly use mobile devices adopt the product quickly.

8. Need for Security Services Indicative of an Outdated Payment Processing Industry Although this product is a viable short-term and medium-term solution, it forces customers to constantly generate temporary account numbers – a tedious and cumbersome process. From a user experience standpoint, this is unsustainable in the long-term. Multiple emerging technologies are in the product pipeline that will hopefully change both e-commerce and payment processing for good, eliminating the need for multi-factor authentication products. Until that technology is made publicly available, however, firms would be wise to implement substitute account number generators.

16

Corporate Insight Syndicated Studies The Millennial Shift: Financial Services and the Digital Generation

With 80 million members, the Millennial generation is the largest in the history of the United States. They already possess a direct annual spending power of $200 billion, a number that will increase substantially as they enter their prime earning years and inherit wealth from their Baby Boomer parents. While this represents a potentially huge opportunity for financial services firms, Millennials also pose a clear challenge to the industry’s traditional marketing strategies and business models. They have different preferences from their Boomer parents, particularly when it comes to financial products, technology and the way they interact with companies.

This study will help financial services marketers, product managers and strategists better understand Millennials and identify effective tactics for marketing to and serving these individuals.

Release Date: April 2014 | Download Study Preview

2014 Investor Survey Report

CI’s 2014 Investor Survey Report examines the relationship between retail investors and their brokerage firms, identifying the Web and mobile features that matter most to different types of investors and have the greatest impact on their overall satisfaction. Our analysis explores the behaviors and preferences of key demographic groups including mass affluent and high net worth investors, mobile brokerage users, active traders and more.

This study answers three questions about investors: What do investors consider the most important website and mobile features? What activities do investors perform using their firm's website and mobile app? How can firms improve their offerings to enhance client satisfaction?

Release Date: June 2014 | Download Study Preview

Next-Generation Investing: Online Startups and the Future of Financial Advice

This is the first comprehensive study on the investing- and personal finance-related startups that have emerged in the wake of the financial crisis. The study represents the culmination of nearly two years of research, encompassing over 100 online startups pioneering a wide variety of unique investment ideas.

The Next-Generation Investing study offers detailed analysis of ten categories of unique investment products and services. The study features startup profiles with reviews of innovative online startups challenging traditional models of investing and planning. We also offer our analysis of the implications for the industry, which examines the potential impact of these ideas.

Release Date: October 2013 | Download Study Preview

17

Corporate Insight Thought Leadership

User Insights: Retirement Plan Websites Disappoint Millennial Participants Our latest User Insights usability study features analysis of the DC plan platforms' UX strengths and weaknesses from the perspective of actual Millennial participants and test results for four leading defined contribution plan providers: Fidelity, J.P. Morgan, TIAA-CREF and VALIC.

Online Communities Across Financial Services - American Express, Bank of America and TIAA-CREF This slide deck examines the design and capabilities offered by each firm’s online community, with a focus on noteworthy site features. We also provide tips for financial services firms looking to improve their online communities.

Active vs. Passive Investment Management Marketing Practices In this whitepaper, we examine how three firms – American Funds, MFS and Vanguard – promote their services in the active and passive management spheres. We compare the firms’ marketing strengths and weaknesses and place a special emphasis on online thought leadership, examining the value, volume and website placement of the pieces the firms produce.

Complete Bitcoin User Experience: Mining, Exchanges, Wallets and Beyond This study provides a detailed analysis of how Bitcoins are created, traded and stored. The study includes reviews of the top websites and online services driving the Bitcoin marketplace including Slush’s Pool, Blockchain.info and Coinbase among others.

2014 Mobile Finance Trends and Innovations The 2014 Mobile Finance study draws on our ongoing tracking of the industry as well as relevant developments outside of the financial services space. This study includes commentary on mobile developments, key takeaways for financial services firms and thoughts on what’s next for mobile finance.

Tablet-Friendly Web Design: Best Practices for Financial Services The study examines the tablet-friendly website features provided by four leading firms across financial services and provides recommendations for financial services firms building tablet-optimized websites.