Consumers around the world are becoming increasingly concerned about the trustworthiness of e-commerce. They may have good reason: Cases of identity theft appear in the daily headlines, and we are only now starting to understand exactly how difficult it can be to restore one's name and credit rating.
In recent weeks, we have learned that millions of customers may have been exposed to identity theft through security breaches at ChoicePoint, LexisNexis and Bank of America (NYSE: BAC). Although the details vary, there is one common theme: Any breach must be dealt with swiftly, in a manner that preserves customers' trust.
ChoicePoint discovered its breach in fall 2004 but did not disclose it until Feb 15, 2005. Bank of America, on the other hand, informed affected customers quickly and offered them help in dealing with the situation. The two firms stand in sharp contrast in terms of the trust relationship they hold with their customers.
Faced with rising concerns about identity theft, many businesses are rethinking their IT security strategies. "My firm relies on the Internet for communication, commerce and, ultimately, our success," says Joanne Ireland, president of Ireland Presentations, a San Francisco-based event management company. "Since we do business around the world, we must take every step possible to ensure that our clients have the highest level of trust in our firm."
That's why Ireland Presentations, like so many other firms, employs a layered security strategy that focuses on the customer experience rather than technology.
A Layered Approach
Unfortunately, there is no silver bullet that will stop all security breaches, thwart all hackers and thieves, and ensure strong customer loyalty. However, by employing a layered series of defenses, companies can demonstrate that they adhere to a standard of prudent care, and thereby increase trust among their clientele.
The first step is to protect data stored inside the organization. That means employing a firewall, anti-virus software and anti-spyware software on the perimeter and on endpoints (desktops and laptops) inside the firewall, coupled with strong authentication and access control mechanisms. The second step is to safeguard mobile endpoint devices, making sure each device runs a managed personal firewall and up-to-date anti-virus and anti-spyware software. The protective software should also prevent all systems from running potentially dangerous applications such as peer-to-peer software.
"The peer-to-peer applications can really overwhelm your network with traffic," says Ed Golod, president of Revenue Accelerators, a consulting firm to CEOs and technology solutions providers in New York. "P2P applications are easily blocked from your network. You've just got to take the time to do it."
The third step is strong authentication, which may come in various forms. One increasingly popular approach is two-factor authentication, usually through the use of secure cards or Universal Serial Bus (USB) tokens in conjunction with a strong password.
Other, simpler, approaches involve asking users targeted questions before allowing online access to bank accounts or credit card information. A bank customer, for example, might be asked for several detailed pieces of information, such as father's middle name, some digits of the Social Security number, and the zip code, as well as the account number and PIN. Similarly, e-commerce sites may require a pass-phrase rather than a simple password.
Convenience Versus Privacy
Will customers accept this added inconvenience for improved security? Recent studies show that about 25 percent of consumers are willing to pay a considerable price for privacy, either in money or reduced convenience. The vast majority, however, are waiting for the enterprise to build in privacy voluntarily, or for the government to step in and force enterprises to ensure privacy.
Industry research firm Gartner (NYSE: IT) Inc. estimates that roughly 80 percent of security-conscious online consumers are willing to try more complex authentication approaches beyond passwords. However, more than half are willing to do so only if they can choose whether or not to use them, highlighting the fact that strong authentication approaches intrude on convenience and ease of use, and may not be universally appropriate.
"It's difficult to strike the right balance between user convenience and security," says Golod. "People are generally willing to take 20 seconds or less to log onto a Web service. If the security process requires more time than that, your customer will move on to the next Web site."
We've seen massive efforts over the past few years to increase customer convenience. Microsoft's (Nasdaq: MSFT) Passport initiative aimed to provide the ultimate in convenience for its users -- storing their user IDs, passwords and credit card information centrally to make it easier for them to conduct business on the Web. However, Passport hasn't gained critical mass with customers for multiple reasons, including security and privacy concerns and limited partner support. Recently eBay (Nasdaq: EBAY) notified its users that it is abandoning Passport.
Maintaining Trust
Meanwhile, the Liberty Alliance, a coalition of more than 150 businesses and other organizations, is making slow but steady progress. Liberty is defining a federated identity management mechanism that would provide the best of both worlds: strong security and privacy, coupled with user convenience. Federated identity allows users to seamlessly access multiple Web sites without reentering user names, passwords, and other information when moving from site to site.
The Liberty Alliance is a worldwide organization and reflects the fact that strong identity services are, at present, more prevalent in the European Union and Asia than they are in the U.S. We will take a closer look at Liberty Alliance activities in an upcoming article, and see how digital identity services can help build consumer confidence.
Bottom line: Don't let e-commerce fall victim to a crisis in consumer trust. Build customer loyalty and trust through a layered approach to protecting personally identifiable information, and keep an open approach to advances in authentication.
Tanya Candia is a consultant and expert on information technology (most notably data management and security), business management and marketing issues. As President/Founder of Candia Communications, she consults with companies and currently serves as Vice President of Marketing for Senforce Technologies Inc. Candia can be reached at info@candiacomm.com.