Servicing The Web

In this article we explain:

• Why new rules have been introduced now.
• What exactly are the rules for UK online retailers?
• Solutions available to businesses to ensure compliance.

Why new rules have been introduced now

Online fraud has grown in step with retailers’ increasing amounts of revenue year on year from their online channels, costing business and the banking industry huge amounts of money annually. According to the Daily Telegraph online fraud costs consumers around £400m a year.

To combat this, new online anti-fraud legislation was instigated by the European Banking Authority and introduced into UK law prior to Brexit. The new rules were due to be introduced by the Financial Conduct Authority (FCA) in early 2021, but this was delayed until 14th March 2022 to give online retailers more time to adjust their systems to be compliant.

What are the new rules for UK online retailers?

Since the 14th March this year, retailers and payment providers are now legally required to make identity checks to their customers who buy online using a credit or debit card.

These Strong Customer Authentication (SCA) rules, as they are known, will predominently apply to purchases over £25 (30 Euros). However if multiple purchase patterns are seen from a customer for amounts below £25 this could also invoke the SCA rules for an identity check to make sure the customer is genuinely who they say they are. The new rules do not apply for purchases over the telephone.

Identity verification checks have only been around 1% of purchases before 14th March, but these new anti-fraud rules could see that figure rise to around 25% of all purchases according to Mastercard.

Solutions available to businesses to ensure compliance

There are a number of identity verification solutions available to check the custom is genuinely who they say they are.

Below are what we believe to be the best solutions for online retailers to use on their websites to comply with the new rules.

It is important to mention that the FCA expects websites to be able to provide identity checks on ALL customers. This means those who can’t be verified using their mobile phone device, either because of poor signal or they choose not to own a mobile, must still be verified via some other means. Therefore websites need to have several different methods of authentication available, not just one that relies on a mobile phone for example.

2 Factor authentication

A common way of verifying a customer is 2 Factor authentication via SMS text. The first stage is the customer entering the password to their account on the website. Then for the second stage the customer is asked to provide their mobile phone number and enter a one time numeric code into the webpage that is sent by text message to their mobile.

Read more about integrating text message verification into your website with the T2A text message API method.

You can also check the mobile number is current and in use with the T2A mobile number validation API method.

Person Verification using data matching

This is one of the most robust solutions for checking the identity of a customer to prevent fraud, as it matches against actual data so cannot be falsified.

The customer name and address details are matched against a comprehensive UK dataset comprised of several licensed databases such as the Electoral Roll. A message of ‘identity verified’ or ‘not verified’ is returned to the website and communicated on-screen to the customer.

Read more about integrating Person Verification into your website using the T2A Person Verification API method.

Age Verification using data matching

Age Verification is for websites that sell any age-restricted products or services where customers must be 18 or over to make the purchase. This is a great add-on to Person Verification where retailers are liable for any claims of underage selling, as well as identity checking.

Like Person Verification, this is a very reliable and robust solution as it matches the name and address details of the customer against a vast dataset of UK person databases including the Electoral Roll. A result of ‘verified under 18′ or ’18 or over is returned.’

Read more about using Age Verification on your website using the T2A Age Verify API method.

In Conclusion

UK online retailers have had a long period to get their website systems ready for the new anti-fraud rules that came into force on 14th March 2022. Therefore, it’s probable that the FCA will soon be checking that websites are complying with the rules and potentially making examples of those that are not and perhaps issuing companies with fines.

Online retailer’s websites must have a number of solutions for customer identity checking in place, not just one, to ensure ALL customers can be verified by some means.

Validating a customer’s identity using a system of matching customer details with recognised up to date databases such as the Electoral Roll, is the best way to be compliant with the rules as this method cannot be falsified.

The Person Verification API method from T2A is one such solution that retailers can integrate easily and cheaply into their website or App.

We have just successfully passed Cyber Essentials Plus, a test we undergo every year because we value highly the security of our IT systems. We also know it gives our corporate and individual customers piece of mind when searching for information on our websites or using our T2A API methods.

So here’s a bit more information about what the accreditation is, how it’s done, and some reasons to do it in your organisation…

What is Cyber Essentials Plus?

Cyber Essentials is a scheme, backed by the UK government, that helps you protect your organisation against a range of common cyber attacks. There are two types of certification:

• Cyber Essentials
• Cyber Essentials Plus

Cyber Essentials is the cheaper option at £300+VAT. This is a self-assessment where you answer of series of questions relating to your IT infrastructure. For those organisations that don’t have anyone with a technical IT background and may find some of the questions difficult to answer, there is help available from one of the Certification Bodies who are trained and licensed for the Cyber Essentials scheme.

Cyber Essentials Plus involves a hands-on technical verification that your IT systems meet the required standard to repel common cyber attacks. As these hands-on tests of your network and computers are done by experts from one of the Certification Bodies, having the Cyber Essentials Plus certification displayed to customers gives more assurance that you are complying with the scheme than the basic self-assessment option above.

This was the reason we felt it better to go for the “Plus” option even though it is more expensive. The price varies depending on the size and structure of your organisation and you can get a quote on the Government’s Cyber Essentials partner IASME website here: Cyber Essentials Plus Get a Quote – Iasme

In these times of the Covid-19 pandemic we expected that we would have to look at safe distancing measures etc. when someone from our chosen certification body came to visit our office. Instead they sent us an impressive looking case of technical equipment for us to plug in. They were then able to do all their necessary checks remotely, but just as good as if they has been in our office in person.

Reasons you should get Cyber Essentials certified

As we’ve already mentioned, at T2A we thought it was well worth going for Cyber Essentials Plus. But if you can’t afford that it’s still worth doing the basic Cyber Essentials certification. There are good reasons for doing either option:

• It prompts a review of your IT security and procedures.
• Gives customers piece of mind that you take cyber security seriously and are taking positive steps to block all common cyber attacks.
• Customers know that you have taken extra steps to protect their personal details and passwords.
• Certification of the scheme, especially the Cyber Essentials Plus option, gives you an extra positive selling point to new potential customers.
• If you tender for public sector work, some government contracts will only deal with companies that have Cyber Essentials certification.

More information

There is a good FAQs section on the National Cyber Security Centre’s (NCSC) website: Frequently Asked Questions – NCSC.GOV.UK

Here is an overview of the scheme on the NCSC website: About Cyber Essentials – NCSC.GOV.UK

What is Scalping?

You might be familiar with the gruesome act of removing an enemy’s hair (and scalp!) featured in many Hollywood westerns. However, there’s another meaning of scalping which is used increasingly in business.

A definition of scalping, in a business sense, from the Cambridge English dictionary:

The activity of buying things, such as theatre tickets, at the usual price and then selling them when they are difficult to get at higher prices.

Scalping is most prevalent online. The coronavirus pandemic has benefited online scalpers by creating the perfect storm of:

• A huge consumer shift towards online purchasing.
•  Delays in product delivery due to problems with global supply chains.
• Other purchasing channels, such as high street retail, being closed during lockdowns.

What’s the problem?

The Scalpers say that buying up desirable items for sale on the internet, like the new PlayStation 5 console, and selling them for a handsome markup is just good business. They claim they are only being entrepreneurial and it’s not illegal to do it.

Indeed it is not illegal, but it’s certainly regarded as pretty unethical and angers many consumers who can’t get items they really want, like the PS5.

Scalpers often use bots to trawl the internet to find websites selling these desirable in-demand items. This practice adds to the view that this is unethical, with ordinary customers standing little chance of finding items in stock on a website against such mass volume automated techniques.

Many people have written to their MPs complaining about the practice and a debate on scalping was raised in parliament specifically about the unfairness on consumers of scalping in the computer consoles market.

Very few retailers have protection in place against scalping

In the gaming market, most retailers recognise the problem of scalping.

Our very quick mystery shopping exercise found that the current ‘hard to get’ PS5 cannot easily be bought on the internet at it’s RRP of £449.99 because stocks on retailer websites are all sold out.

However, you can get one if you’re prepared to pay the inflated cost of the scalpers on reseller websites like Ebay, some adding on hundreds of pounds. The cheapest PS5 we found on Ebay was £535.00, going up to £999.99.

Currys PC World seem to be one of the few online retailers trying to offer a fairer system. You can enter their PS5 VIP pass draw and if you’re one of the lucky winners you get a code to purchase a PS5 when they secure more stock.

Companies have a choice to retain their brand reputation and win over customers

The use of automated bots has only been made illegal for buying tickets for concerts and gigs.

For all other items currently in high demand scalpers can continue to use bots and buy up stock from websites that aren’t doing anything about it. There are many items that attract scalpers, here are just a few examples:

• Game consoles
• New technology and computer equipment
• Hot tubs
• Gym equipment
• Special edition records
• Limited edition trainers and clothing

Companies risk losing their brand reputation and customer loyalty when customers go to their website and cannot get what they want as it’s out of stock, scalpers with their automated bots having got there first and purchased the items in bulk.

Customers are less likely to return to a website in future when looking for other items if they have been unable to get their in-demand item before because the company has allowed scalpers to buy up much of the stock.

In fact, because it’s becoming such an issue, there’s an opportunity for companies to get ahead of their competitors by introducing anti-scalping operating procedures onto their website. This will create a fair and level playing field for consumers, plus a real positive PR story for their brand which in turn can increase customer loyalty and sales.

The Anti-Scalping solution for companies to keep their customers happy

Companies can use Person Identity Verification on their website to ensure an order is from a genuine name at the delivery address given. Person Verification matches the order details against the full Electoral Roll dataset. Steps for companies are:

1. Restrict a product liable to scalping to 1 order per person.
2.  Check the name and address typed in hasn’t already been used to buy it.
3. Someone scalping would need to invent false names at their address, or other addresses they are using. Running this through Person Identity Verification would then tell the company that the name and address doesn’t exist and so refuse the purchase.

This data-based method of verification is easier and cheaper to implement for the company, and much less hassle for the customer, than having to find photo ID and upload to the website.

Our API for websites can integrate our Person Verification method easily into your website. We also offer Person Identity Verification on our public website ukphonebook.com.

Contact Us or visit our website for more information.

Companies will be aware that selling certain products such as alcohol, tobacco and fireworks to anyone under 18 years of age is illegal. However, companies may not be so aware of the positive steps they are required to take under UK Government guidelines to check the age of customers buying these products.

Proof of age can easily be done in a shop by judging whether the customer looks old enough, or asking for photo id if the shopkeeper is unsure. It is much more tricky for online retailers to be certain a customer is over 18, yet the same responsibility applies to a website owner as it does to a shop owner.

In this article we explain what an online retailer’s responsibilities are and how to comply with Trading Standards guidelines.

Duty of online retailers

It is the responsibility of online retailers not to sell age-restricted products to customers under the minimum legal age.

That is no surprise, but importantly it is also the duty of online retailers to use effective systems capable of verifying the age of potential purchasers to ensure they are old enough to buy a product.

The list of age-restricted products in the UK includes:

• Alcohol
• Tobacco and vaping products
• Fireworks
• Spray paints and hazardous chemicals
• Cooking and camping knives
• Certificate 18 films and games
• Pharmaceuticals and medicines

What age checks are not likely to be viewed as taking ‘due diligence’ ?

What we mean by ‘due diligence’ here is all reasonable checks made by an online retailer to verify the customers age before selling them age-restricted products.

According to the Business Companion website (who describe themselves as “Trading Standards law explained”) the following checks are unlikely to satisfy ‘due diligence’ , and thus not be a reasonable defence if an online retailer appeared in court for selling to an under age person.

Not sufficient to satisfy ‘due diligence’:

• Using tick boxes to ask purchasers to confirm they are over 18.
• Asking the purchaser to give a date of birth.
• Relying on the purchaser confirming that they are over 18.
• Using a general disclaimer on your website – e.g. “anyone ordering this product will be deemed to be at least 18”.
• An ‘accept’ tick box that the purchaser has read the website terms and conditions where it states they must be over 18.
• Only taking credit card payment. Credit cards are not available to under 18s but some debit cards and pre-paid cards are.

Age verification methods that are likely to show compliance

Age verification checks are much more likely to display an online retailer’s compliance with ‘due diligence’ and their responsibilities when selling age-restricted products. Examples of these age verification methods are:

• Age Verification of a purchaser by matching name and address details against a frequently updated dataset comprised of the Electoral Role and other UK data sources. See more details on T2A’s pay-as-you-go Age Verification method.
• Obtaining proof of age at the door when delivering the product. However, third party delivery companies may not want to take responsibility for this on your behalf.
• Follow up checks after the product has been ordered, for example if proof of age could not be done at the time of purchase. This can create time consuming admin for website owners and can be a problem if purchases slip through the net and forget to be checked.
• If a website has stores as well, click and collect can be offered and age checks can be done face-to-face when the customer comes in to collect the product. This option is not likely to be viable for the majority of websites, just big brands with stores nationwide.

Conclusion

Considering the options above, the first option of verifying a purchaser’s age against third party data, seems to be the best for the vast majority of websites that sell age-restricted products. The reasons are:

• First and foremost the online retailer is doing the most they can by checking age at the point of purchase. This represents a good level of ‘due diligence’ should the retailer be accused of selling age-restricted products to someone under age.
• Matching against data sources like the Electoral Role before the purchase is confirmed make it a reliable way to verify the purchaser’s age without the admin that results from making manual age checks.
• The online retailer does not have to rely on courier companies making an age check for them on delivery. A driver may forget to ask if they are busy with many deliveries, or the purchaser may not be at home which creates logistical issues when the product cannot be left at the door.

For more information on T2A’s Age Verification method for online retailers, please click here.

This is also available as an Age Verification plugin for websites built using WordPress and WooCommerce.

The T2A API is powering lots of companies’ websites, apps and internal systems to help them deliver new efficient processes in their business. They depend on our UK data sources, the most accurate and up to date available, to deliver instant reliable results for their staff’s people, address and company information searches.

Our customers are wide and varied, from delivery companies to fraud prevention specialists, E-Commerce websites to estate agents, telemarketing agencies to building societies.

Here is a case study about one of our customers to give you a flavour of how we help companies, working with them as their data partner…

---

T2A Customer Focus – Raspberry Software Systems Ltd

Raspberry Software Systems, providers of software solutions to the UK rail industry since 2004, have been working with us for 10 years and have increased their usage of our T2A data during that time.

Through Raspberry Software’s Ticket Inspection and Prosecution System (TIPS) their rail clients have been able to replace paper based systems, and arduous record checking over the phone by Revenue Protection Officers on the train, with instant passenger identification through the app on an Officer’s tablet or smart phone.

At the heart of the TIPS system is the T2A data upon which it replies, delivered by API methods that we worked on in partnership with Raspberry Software to help them deliver the unique tailored system they wanted to develop.

The feedback that Raspberry Software has had from their clients has been excellent. Rail companies using TIPS have reported a much greater number of Penalty Fare Notices issued and a marked increase in those settled.

“Working with T2A has been a very rewarding process for us. Their agile and flexible approach to delivering quick solutions to the data requirements we had for our system has been very refreshing. Add to that the fact that through their API we have access to good quality data at very good value prices, this relationship has been a win for us and a win for our clients.“

Peter Jarvis | Director
Raspberry Software Systems Ltd

---

In the case study example above, Raspberry Software are using our API methods relating to finding who lives at a UK address, accessing the Electoral Roll and our other data sources.

We have a host of other methods too within our API to help you with whatever people, address and company data searching you need to perform within your system. Here is our full method list to show what the T2A API can do.

Some of our most popular applications of the API are:

• Person Verification – checking a UK person’s identity.
• Age Verification – making sure someone is 18 years old or over, e.g. for selling age restricted products like alcohol, vaping and tobacco, etc.
• Find a UK person’s details – search by name, email, partial address.
• Find who lives at a UK address – ideal for Sales or Marketing teams, many business sectors including estate agents, banks/building societies, investigation agencies.
• Search for a UK telephone number – residential or business.
• Find address/postcode – ensures quicker customer sign up and correct data.
• Company information – company director details, accounts, credit reports, etc.

…and much more. See all our API services

Try before you buy!

One of the best things about our API is that you can sign up for an account and start testing it out straight away without any financial commitment. There are free demos (using limited access to live data) and example scripts to get an idea of how accessing the API could work for you with HTML, CSS and JavaScript.

So if you have an app, website or internal system (or you’re looking to develop one) and need an API to return results using comprehensive up to date UK data sources…let’s talk!

Quick links:

Sign up to try out how our API can work for your system, on a trial basis with no commitment!

Contact Us – we’d love to hear from you!

Find out more – a summary of what you can do with the T2A API