By Evan Schuman / 31 Oct 2016
Evan Schuman is a guest contributor to the Sift Science blog.
Security vs. convenience is always a delicate balancing act in e-commerce. But even if you’re doing everything “right,” security communication can be challenging. No shopper goes to a particular merchant because that shopper thinks that merchant’s security is top-notch. Security perception can be a reason that someone decides not to shop somewhere, but it’s never a reason they decide to shop somewhere.
Even worse, we have the psychological reality that even bringing up the topic of security can send the wrong signal, making it look like you have something to hide. Saying too little can make shoppers nervous, but saying too much can also set off alarm bells.
Security remains a concern for shoppers – even Millennials – according to new research. American Express, in its 2016 payments security survey, found that nearly half (48%) of consumers who shopped online in the past year have experienced payment fraud. Furthermore, 4 in 10 consumers (40%) view online shopping as having more risk than an in-store purchase (28%) and 42% have abandoned an online purchase due to payment security concerns. Amex noted, “This increases to 48% for Gen X and 50% for Millennials, suggesting that while younger consumers are considered early adopters of new technology, they also place a high priority on the security of their information.”
A lot of specifics are missing here, particularly about the “security concern.” Was the concern due to an anti-virus alert? Did their browser signal that this was an insecure site? Was there some site wording that worried them? Did the design of the checkout page look fake or amateur? Were there spelling mistakes that made the page seem risky?
All of those are very different situations, requiring very different responses. You can’t mash them together and draw any kind of a reasonable conclusion. That said, there are ways to allay security concerns on your website. Here are a few:
The vast majority of e-commerce sites today look very polished. However, does this polish continue through the end of the transaction? When the site hands off the shopper at the end for the payment/checkout process, it’s often to a page controlled by their processor or other payment facilitator. That is good security procedure—the merchant doesn’t want those payment credentials within 900 exabytes of their servers—but many merchants leave the design to their payments partner, which is a mistake.
With no mandates, many payments firms will cut corners and throw your merchant logo up on the easiest template they can find. The result? A page that looks very different—and sometimes worse—than your merchant site. Nervous shoppers may think the page has been hijacked and run off. Make sure that you design that payment landing page and make it look as much like the rest of your site as possible.
I have seen these alerts appear when users navigate to highly secure sites. It doesn’t necessarily mean a problem, but just try convincing a nervous shopper of that. Suggestion: Have your team purchase a wide range of security software and routinely access your site with it activated. This will give you the earliest possible heads-up if there’s a problem, giving you time to make calls and fix it before shoppers are scared.
Blacklists will often come into the equation when a merchant emails customers, such as with special offers or purchase confirmations. If those messages get diverted into a spam folder, it will disrupt your operations. Some consumers will also interpret that negatively, assuming they even notice your messages in their “junk” folder.
Blacklists can involve your IP address, which might have been used—without your knowledge—by a cybercriminal. (They’re usually smart enough to not use anything associated with their real identity.) That means that your IP address and even your domain could be associated with naughty conduct that you had no part in. Suggestion: Test your domain and IP address routinely against as many blacklists as you can.
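One way to automate that routine test, as an added example that is not part of the original article: DNS-based blacklists are queried by looking up the reversed IP address (or the domain) under the list's zone, where a 127.x.x.x answer means "listed" and no record means "not listed". The zone names are assumptions chosen for illustration, and the check treats Spamhaus's 127.255.255.x replies and any non-loopback answer as lookup errors rather than listings, so a refused query is not mistaken for a clean result or a hit.

```python
import ipaddress
import socket

# Zone choices are assumptions for illustration; the article names no blacklist.
IP_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
DOMAIN_ZONES = ("dbl.spamhaus.org",)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error replies

def is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def query_name(target, zone):
    """DNS name to look up: reversed address (or the domain) under the zone."""
    if is_ip(target):
        # reverse_pointer is e.g. "10.2.0.192.in-addr.arpa"; drop the arpa labels.
        rev = ipaddress.ip_address(target).reverse_pointer.rsplit(".", 2)[0]
        return f"{rev}.{zone}"
    return f"{target.rstrip('.').lower()}.{zone}"

def classify(answers):
    """Map the A records a blacklist returned to clean / listed / error."""
    if not answers:
        return "clean"  # no record: not listed
    codes = [ipaddress.ip_address(a) for a in answers]
    if any(c in ERROR_RANGE for c in codes):
        return "error"  # lookup refused or malformed; not a verdict
    if all(c in LOOPBACK for c in codes):
        return "listed"
    return "error"  # answer outside 127/8: wildcard or rewritten DNS

def system_resolver(name):
    """A records via the OS resolver. It cannot tell NXDOMAIN from a timeout,
    so a scheduled job should swap in a resolver that can."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check(target, resolve=system_resolver):
    """Return {zone: status} for an IP address or a sending domain."""
    zones = IP_ZONES if is_ip(target) else DOMAIN_ZONES
    return {z: classify(resolve(query_name(target, z))) for z in zones}
```

Run `check()` on your mail-sending IP addresses and domains from a scheduled job, and alert on any status other than `clean`.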
This is the most delicate part of reassuring your customers. At best, any meaningful page space spent bragging about your security defenses is space better spent on marketing your products/services. At worst, a focus on security could suggest that you recently had some security problems, which in turn hints at security shortcomings.
It’s classic reverse psychology. When a vendor starts listing all of their office locations, doesn’t it suggest that they’re tiny? Amazon and Walmart execs would never feel the need to say that.
But there is a smart way to do it. Have a simple, confident statement about your security, along with a link to “find out more.” That way, the reassurance takes up very little space and doesn’t draw unnecessary attention away from what the customer’s doing. But if someone does want to hear all of the details, it’s one click away.
A note of caution: That security page? Make sure that it’s written by someone with technical knowledge, and not by marketing. This is not the place for hyperbole or dramatic license. The Federal Trade Commission has slammed sites for claiming they have better security than they do. On that page, list as many technical details as your security team feels can be safely shared – like encryption levels, and the fact that your payments are handled by another site. It’s a good idea to list all of that third-party site’s top security details.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld, and eWeek.