Mercado Livre: how does it work and what is the photo of the document for?

It doesn’t take much effort to find a Mercado Livre (ML) customer on the Complain Here website questioning the company’s security policy of requiring a photo of their ID card or National Driver’s License (CNH) when creating a registration. With a simple search, the report found the following publication.

“I’ve been shopping through Mercado Livre for a long time. I even made a few sales. And I never had a problem. I paid by credit card and I was never in debt or even late. And now I can’t access my account because they require me to put a photo of it. My ID. I can’t even access to complain if I don’t. Why do they want my ID? Why did they change the way I access the site? I don’t want to put a photo of the ID. Will I have to stop using the Market Free after all these years?” reads an excerpt from a customer complaint posted on August 12, 2021.

The policy adopted by the 2nd largest company in market value in Latin America raises concern for some people, as they do not feel safe when sending a photo of their personal document. In addition, in Reclame Aqui itself, it is also possible to verify posts from those who even consented to the verification, but are having difficulties in being able to validate the information.

Due to the volume of complaints, why does ML bet on this security policy? To understand how the system works and what it is for, the TechWorld interviewed Allan Buscarino, the company’s senior Cybersecurity manager in Brazil.

He talks about the choice of Mercado Livre and the history of the solution, the relationship of users’ accounts with Mercado Pago and other matters. A spoiler for those who complain about the obligation is that, according to him, the company should continue asking for the photo of the RG/CNH.

Validating Identities

Allan explains that since the launch of Mercado Pago, in 2004, it works as a platform to validate payments made in transactions between ML’s customers and retailers.

Mercado Pago, which today is a Payment Institution (after a license received in 2018), has always validated the identity of people, as this is one of the obligations of the Central Bank (BC) with enterprises operating in the field.

“At the end of last year, we started requesting document images for the user who accesses our ML platform. This request is made only to users who will carry out what we call a ‘risk transaction'”, said Buscaino.

In this regard, it is important to point out that despite the ML saying that the request for the images of the documents began at the end of last year, there have been publications in Reclame Aqui on the subject since at least 2018.

Another detail that the company representative made a point of stressing is that opening an account at ML does not mean automatically opening a digital bank account at Mercado Pago. In June, the company had sent a note to the website UOL Tilt making this mess.

Therefore, this time, the manager made a point of explaining that the Mercado Pago digital account, which gives access to a wide range of services, is not opened instantly when a user registers to buy something on Mercado Livre.

Who is required to have a photo of the document?

The ML manager argues that the financial world deals with so-called “risky transactions”, which mainly take into account the method of payment that will be made by a person. He exemplifies that anyone who is going to pay for purchases using a bank slip or make a purchase from a payment link does not need to carry out validation, as these types of transactions are not considered dangerous.

“Now, if the customer is paying by credit card, for example, we ask for a conference. It serves to guarantee and ensure that the user is not using someone else’s identity and card,” he said.

The executive adds that, in addition to the photo of the document, the virtual store asks for a “proof of life” which consists of a moving photo of the face. “We have systems that use machine learning and are able to analyze aspects of a person’s face that certify that they exist and are really alive,” he says.

Why do I need to take photos of the document?

The representative of the e-commerce company says that companies that deal with financial transactions are required, by law, to apply a strategy called Know Your Customer (KYC), which in Portuguese means “Know Your Customer”.

The BC demands that policies like the KYC be used to prevent “financial wrongdoing” such as fraud, money laundering and even terrorist financing. Entities such as the Financial Activities Control Council (COAF) provide for sanctions such as warnings, fines and even cancellation or suspension of operating authorization for companies that do not comply with the security requirement.

However, there are several methods of identifying the user from KYC, whether by SMS or email message confirmations, checking public databases and others. Why, then, does ML choose the photo of the documents?

CNH

“We understand that the more secure the user experience, the more they will use a platform. And because of legal obligations, we believe that risky financial transactions, such as credit card transactions, require this type of validation [foto do documento]”, says Buscarino.

He added that “there is no prospect of not using this method anymore”, as stated at the beginning of the article, but that the tool is being used at “necessary times” and that proof of life will not be required for those who will carry out “simple transactions on the platform”.

“[…] “there is no prospect of no longer using this method [checagem de documentos]”. Allan Buscarino, Senior Cybersecurity Manager at ML in Brazil

Exemplifying the importance of the policy adopted, Allan said that “numerous attempts at fraud” have already been stopped. Without going into further details, he mentioned that ML performs 24 sales per second and that, according to BC, Brazil has three fraud attempts (such as identity theft) for every ten financial transactions (ie, 30% of all transactions are fraud).

Security guarantee

Talking about how ML protects customers’ hypersensitive information, since a possible RG leak would be a “banquet” for cybercriminals, the representative told us that all precautions are taken and the idea is to make everything more transparent for users .

“The main objective of Mercado Livre is to guarantee the best possible buying and selling experience. So, we thought our architecture based on priority number 1, which is the protection of people’s personal data. Because of that, all our collection is according to the LGPD (General Data Protection Law). We still comply with international standards as we have users in more than 18 countries.”

Alleging security issues, ML did not provide more details about how the photos of users’ documents are stored and processed, nor the number of users who have these records in the company’s system. However, the manager said that the information base is protected with encryption.

Free market

“The process of sending documents is for the benefit of the user. In order for us to continue evolving and giving access to more people, our user needs to go through this step so that we can establish a relationship of trust. If we don’t transmit trust through security, the user does not buy or sell with us again”, concludes Allan.

Procon

O TechWorld contacted Procon-SP to find out if the agency considers the request for photos of the ML document a violation of Consumer Rights. The institution did not respond, however, to the questions until the end of this article. The text will be updated if Procon takes a position on the subject.

Leave a Comment