TL;DR: Retail is facing rising identity theft, account takeover, bot abuse, and payment fraud, with Descope citing 6.2 million retail and hospitality accounts compromised via ATO from 2023 to 2025 and 39% of organisations reporting incidents from lax authentication. The governance problem is that retail security now has to preserve conversion, privacy, and compliance at the same time, which makes CIAM a control plane, not just a login layer.
NHIMG editorial — based on content published by Descope: Retail cybersecurity: key threats and defense mechanisms
By the numbers:
- 6% of all attacks are directed at businesses in retail, which is more than other high-risk sectors like healthcare and education.
- 6.2M accounts in retail and hospitality were compromised via ATO between 2023 and 2025.
- 39% of organizations experienced security incidents due to lax auth, and 28% lost customer trust.
Questions worth separating out
Q: How should retailers reduce account takeover without adding too much checkout friction?
A: Use adaptive authentication that only increases verification when risk rises.
Q: Why do passwords create disproportionate risk in retail environments?
A: Passwords are easy to reuse, phish, and automate against, which makes them weak at the exact boundary retailers defend most often: customer accounts.
Q: What do retailers get wrong about third-party identity risk?
A: They often treat partner systems as procurement issues instead of part of the identity perimeter.
Practitioner guidance
- Implement risk-based step-up authentication Trigger stronger verification at checkout, payment changes, shipping updates, and support handoff points where fraud value is highest.
- Replace password dependence with phishing-resistant methods Prioritise passkeys, magic links, and device-bound login options for customer journeys where account takeover is common.
- Map inherited trust across third-party integrations Inventory payment, loyalty, CRM, and customer service integrations and document what identity assurance each one inherits.
What's in the full article
Descope's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of retail authentication patterns across shopping, loyalty, and payment journeys
- Specific CIAM feature combinations for passwordless login, adaptive MFA, and SSO in omnichannel retail
- Practical retail UX guidance for reducing friction while strengthening account protection
- Examples of how retail teams can educate customers about scams without disrupting the journey
👉 Read Descope's retail cybersecurity analysis for CIAM and fraud defense →
Retail cybersecurity and CIAM: what IAM teams need to know?
Explore further
CIAM is now the control plane for retail trust. The article treats authentication as a customer convenience layer, but the governance reality is stronger: CIAM now determines whether retail identity risk is contained or amplified across shopping, payments, and support. When account access, transaction authorization, and user permissions all pass through the same journey, the identity system becomes the primary fraud boundary. Practitioners should treat CIAM as a security architecture decision, not a UX feature.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- In the same research, 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
A question worth separating out:
Q: Who is accountable when a retail customer account is compromised through a partner system?
A: The retailer remains accountable for the customer journey, even when the weakness sits in a linked platform. Governance teams should define ownership for partner access, logging, scope limits, and escalation paths before an incident happens, because customers experience the breach as one brand, not multiple vendors.
👉 Read our full editorial: Retail cybersecurity depends on stronger CIAM, not just better fraud tools