Monday, December 14, 2009

42% of users have a good reason to fear

Working in the risk management business, I often get these layman questions about ePayment security. They are close relatives of questions IT people are being asked about hardware purchasing; when people finally find that item they wanted to find or a bargain they can’t resist, they want to make sure they don’t get scammed. Who’s better for that than your friendly neighborhood risk management specialist? I’ve given my part to eCommerce, you should know, and if retailers felt a $3000 shift in their revenues this year – this one’s on me, guys. No need for commission this time.

Seriously, though – why are thousands and maybe hundreds of thousands of interactions related to purchasing on the web really important? As I mentioned in my previous post about Square’s trust issue, good payment services instill trust (among other things); and for an industry based on users exposing themselves and their financials, trust – created, in my case, by getting a recommendation from an authority – is one of the main challenges for emerging companies.

Whether you’re a game developer concerned mostly about MAU and retention, a software vendor managing distribution channels, a jewelry retailer or a virtual world – you are managing people’s trust, because eventually you want them to reach out to their pockets and actually buy something. That’s a big step, and as the latest research published this week by Playspan suggests, the gaming industry isn’t doing a good job at that – 42% of the people who would otherwise, I would assume, have bought some type of virtual goods – did not do so, because of trust issues.

How do you create and manage trust? Unlike what some developers might think, you don’t just outsource that to your payments company. Why? Because building trust is beyond having an easy user interface and seamless billing. When examining the platform they are operating on or paying through, users are looking to see that their data is secured and that their account is not going to vanish overnight, locking away their unused credit; when looking at the ecosystem they are a part of, users are looking for certainty that they are safe – from account take-over, from being scammed by other users and from simply being abused. The key for that lies beyond traditional “risk management” – it lies in identity and reputation management.

“Good people leave footprints” is one of the first catch phrases I ever heard about risk management. Being able to collect and manage relevant identity data, understand how it relates to real people, then use it to build their “reputation” inside your system is an ability you must have – and the footprints good people leave (a Facebook page is an obvious example) help you do that. If you’re doing a good job marketing you’ve probably started doing it already, unless you had already outsourced your distribution, offers wall and risk management. You cannot afford to not have identity data at the user level, because it means that you know nothing about your users. Is that new purchasing behavior new to this account, pointing at possible account take-over? Is this new user, trying to resell game credits, legitimate or bad? Is the new surge of users from the Middle East legitimate, or is an ad network cross-promoting links to another network’s affiliates (don’t tell me you don’t know what that means…)? Sorry, can’t tell? Let me tell you how – in a few (complicated) steps.

- Segmentation: Start learning how users are split on your site. Where do they come from? How do they interact with the system? Are they paying or not? Are they engaged? This part is so basic that I’d be surprised if there’s even one publisher not segmenting users.

- Identity building: identify people in your system. Note: people can be spread across more than one player account, or you can have two or more people using one account. That’s the beauty of identity management – you start seeing all the irregular uses of your system. Are you going to let users use more than one account in your system? This is how collusive behavior starts. Are you going to let more than one user use a single account? This is how account take-over is propagated. On the other hand, limit them too much and you’ll kill your business… so watch out.

- External sources: reach out wisely to web “authorities” that control user data. Use what they give you to learn about the users’ past and present, because determining their credibility before entering your system is key for reducing your surprise when they start behaving exactly like they always do – whether they’re legitimate or fraud.
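A minimal sketch of the identity-building step, added here as an illustration and not taken from the original post: accounts that share a device or a payment-card fingerprint are merged into one identity, which surfaces both irregular cases described above (one person behind several accounts, and one account used from several devices). The event fields, account names and identifiers are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events: (account, device_id, card_fingerprint)
EVENTS = [
    ("alice",   "dev-1", "card-A"),
    ("alice",   "dev-1", "card-A"),
    ("alice2",  "dev-1", "card-B"),  # same device as alice
    ("bob",     "dev-2", "card-C"),
    ("bob",     "dev-3", "card-C"),  # second device on bob's account
    ("carol",   "dev-4", "card-D"),
    ("mallory", "dev-5", "card-B"),  # same card as alice2
]

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def build_identities(events):
    """Group accounts that share a device or card into one identity."""
    parent = {}
    owner = {}  # first account seen for each (kind, identifier)
    for account, device, card in events:
        parent.setdefault(account, account)
        for key in (("device", device), ("card", card)):
            if key in owner:
                # Shared identifier: merge the two accounts' clusters.
                parent[find(parent, account)] = find(parent, owner[key])
            else:
                owner[key] = account
    clusters = defaultdict(set)
    for account in parent:
        clusters[find(parent, account)].add(account)
    return sorted(sorted(c) for c in clusters.values())

def multi_account_identities(events):
    """Identities spread across several accounts (possible collusion)."""
    return [c for c in build_identities(events) if len(c) > 1]

def multi_device_accounts(events):
    """Accounts used from several devices (sharing or take-over signal)."""
    devices = defaultdict(set)
    for account, device, _ in events:
        devices[account].add(device)
    return {a: sorted(d) for a, d in devices.items() if len(d) > 1}

if __name__ == "__main__":
    print(multi_account_identities(EVENTS))
    print(multi_device_accounts(EVENTS))
```

Shared identifiers also link legitimate users (a family computer, a gifted card), so these clusters are signals to review rather than grounds for automatic blocking.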

If you follow the simple three steps above, you’re on the right track to building a network of trust in your system, one that will solve some of the users’ dilemma about whether to spend money in your game. Showing your users that you know them not only increases user engagement but also fights the anonymity that drives a good chunk of the initial motivation to scam; when their reputation is on the line, users tend to commit less obvious fraud. It may sound simple or simplistic, yet it’s not – properly building and maintaining identity profiles is tedious, hard-to-automate work. But it’s worth every bit of trust you can give your users, because once you’ve acquired them, trust is one of the main issues.



prashant said...

Yes, Trust attracts customers. Be it offline or online.

Oz said...

Actually, good payment services do exist. They are anonymous, secure, and fast. You simply pay your micropayments (games, virtual goods, etc.) with your phone bill (mobile or landline). Have a look at companies such as DaoPay (

Ohad Samet said...

My opinion on mobile payments can be found in these posts:

As for DaoPay, I think that the marketing pitch is off. The main unique differentiator for mobile over cards, for example, is payments without having the user leave the flow, leading to better conversion. Calling a number (and waiting for two minutes?!) is far from doing so, and not revealing your CC# is far from differentiating for mobile payments; other ewallets provide that too, and I wouldn't describe this as a "trust building" feature.