TL;DR: Retail and hospitality identity now spans associates, customers, franchisees, contact centers, and machine-to-machine access, while PCI DSS v4.0.1 broadens MFA expectations across non-console cardholder-data access, according to Scramble ID. The decisive shift is away from passwords, KBA, and shared PINs toward phishing-resistant credentials and cryptographic caller verification, because the old trust shortcuts no longer scale.
NHIMG editorial — based on content published by Scramble ID: Authentication for Retail and Hospitality
Questions worth separating out
Q: How should security teams authenticate retail customers without slowing checkout?
A: Use passkeys for returning customers and reserve step-up verification for high-risk events such as new shipping addresses, unusual redemption volumes, or account recovery.
Q: Why do contact centers remain such a high-risk identity channel?
A: Because agents often rely on names, addresses, recent orders, or voice recognition, and those factors are easy to steal, guess, or clone.
Q: What breaks when franchisee authentication is left to local policy?
A: Brand-relevant systems inherit the weakest franchisee controls, which creates inconsistent assurance, weak auditing, and higher compromise risk.
Practitioner guidance
- Replace KBA with cryptographic verification in the contact center: use an app-bound or device-bound challenge before refunds, gift-card reversals, address changes, or other cash-equivalent actions are permitted.
- Bind associate credentials to the device or badge, not the password: use phishing-resistant credentials for POS and time-clock access so each transaction creates a signed event tied to one associate and one terminal.
- Step up on high-risk customer actions: require stronger verification for large redemptions, transfers, new shipping addresses, and loyalty balance changes instead of using the same login assurance for every action.
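The three points above amount to one policy decision: which assurance level an action needs, whether the current session has it, and whether that verification is still fresh. The following is an added example, not code from Scramble ID or the source article; the action names, the ordered assurance scale, and the freshness windows are assumptions constructed for illustration. It also generalizes past the listed actions by failing closed on anything unlisted.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Ordered by resistance to the attacks the guidance describes (assumed scale)."""
    NONE = 0       # nothing verified yet
    KBA = 1        # name, address, recent order, voice recognition
    PASSWORD = 2   # password or shared PIN: phishable and shareable
    PASSKEY = 3    # phishing-resistant, device- or app-bound credential


# (minimum assurance, maximum age of that verification in seconds) per action.
# Cash-equivalent actions demand a fresh device-bound challenge; any action
# not listed falls through to the strictest rule, so the policy fails closed.
POLICY = {
    "view_order": (Assurance.PASSWORD, 24 * 3600),
    "refund": (Assurance.PASSKEY, 300),
    "gift_card_reversal": (Assurance.PASSKEY, 300),
    "change_shipping_address": (Assurance.PASSKEY, 300),
    "loyalty_balance_change": (Assurance.PASSKEY, 300),
}
DEFAULT_RULE = (Assurance.PASSKEY, 300)


@dataclass
class Session:
    assurance: Assurance
    verified_at: int   # epoch seconds of the last successful verification
    channel: str       # "app", "web" or "contact_center" (informational)


@dataclass
class Decision:
    allowed: bool
    step_up_to: Optional[Assurance]   # factor to demand when not allowed
    reason: str


def decide(session: Session, action: str, now: int) -> Decision:
    """Allow the action on this session, or name the factor to step up to."""
    level, max_age = POLICY.get(action, DEFAULT_RULE)
    # KBA counts as unverified: the facts it relies on can be stolen or
    # guessed, so it never satisfies any action, even a read-only one.
    if session.assurance <= Assurance.KBA:
        return Decision(False, level, "knowledge-based answers are not proof")
    if session.assurance < level:
        return Decision(False, level, "assurance below policy minimum")
    if now - session.verified_at > max_age:
        return Decision(False, level, "verification too old for this action")
    return Decision(True, None, "ok")
```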
What's in the full article
Scramble ID's full article covers the operational detail this post intentionally leaves for the source:
- Pattern-by-pattern authentication guidance for POS, time clocks, contact centers, loyalty portals, and franchisee networks
- Concrete implementation examples for phishing-resistant credentials, recovery, and step-up controls across retail channels
- Compliance mapping to PCI DSS v4.0.1, SOC 2, PSD2 SCA, and state labour or biometric requirements
- Operational anti-patterns such as shared PINs, KBA-based support, and weak franchisee back-office authentication
Read Scramble ID's authentication guide for retail and hospitality.