Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Retail and hospitality authentication: what IAM teams keep missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Retail and hospitality identity now spans associates, customers, franchisees, contact centers, and machine-to-machine access, while PCI DSS v4.0.1 broadens MFA expectations across non-console cardholder-data access, according to Scramble ID. The decisive shift is away from passwords, KBA, and shared PINs toward phishing-resistant credentials and cryptographic caller verification, because the old trust shortcuts no longer scale.

NHIMG editorial — based on content published by Scramble ID: Authentication for Retail and Hospitality

Questions worth separating out

Q: How should security teams authenticate retail customers without slowing checkout?

A: Use passkeys for returning customers and reserve step-up verification for high-risk events such as new shipping addresses, unusual redemption volumes, or account recovery.

Q: Why do contact centers remain such a high-risk identity channel?

A: Because agents often rely on names, addresses, recent orders, or voice recognition, and those factors are easy to steal, guess, or clone.

Q: What breaks when franchisee authentication is left to local policy?

A: Brand-relevant systems inherit the weakest franchisee controls, which creates inconsistent assurance, weak auditing, and higher compromise risk.

Practitioner guidance

  • Replace KBA with cryptographic verification in the contact center Use an app-bound or device-bound challenge before refunds, gift-card reversals, address changes, or other cash-equivalent actions are permitted.
  • Bind associate credentials to the device or badge, not the password Use phishing-resistant credentials for POS and time-clock access so each transaction creates a signed event tied to one associate and one terminal.
  • Step up on high-risk customer actions Require stronger verification for large redemptions, transfers, new shipping addresses, and loyalty balance changes instead of using the same login assurance for every action.

What's in the full article

Scramble ID's full article covers the operational detail this post intentionally leaves for the source:

  • Pattern-by-pattern authentication guidance for POS, time clocks, contact centers, loyalty portals, and franchisee networks
  • Concrete implementation examples for phishing-resistant credentials, recovery, and step-up controls across retail channels
  • Compliance mapping to PCI DSS v4.0.1, SOC 2, PSD2 SCA, and state labour or biometric requirements
  • Operational anti-patterns such as shared PINs, KBA-based support, and weak franchisee back-office authentication

👉 Read Scramble ID's authentication guide for retail and hospitality →

Retail and hospitality authentication: what IAM teams keep missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Passwords and KBA are no longer adequate assurance primitives for retail and hospitality. The sector’s threat surface now spans customer, workforce, franchisee, and supplier identities, so a single weak factor creates risk across multiple channels. Credential stuffing, vishing, and refund fraud all exploit the same trust shortcut: the assumption that knowledge-based identity proofing is enough. The implication is that retail IAM should stop treating KBA and password reuse as acceptable default controls.

A few things that frame the scale:

  • 23.5% of security professionals are unsure about the biggest threat to their non-human identities, indicating a significant awareness gap, according to The 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.

A question worth separating out:

Q: Who should own identity governance for store, customer, and partner access?

A: The brand should own the assurance model for any access that touches payments, loyalty, customer data, or operational controls, even when the user is a franchisee or supplier. Local teams can administer access, but the brand should define the authentication strength, recovery rules, and step-up thresholds. That is the only way to keep governance consistent across channels.

👉 Read our full editorial: Retail and hospitality authentication still breaks on trust shortcuts



   
ReplyQuote
Share: