As the chief risk officer at Visa Inc., Ellen Richey knows a thing or two about data security.
After all, the criminals who make her job necessary are primarily out to steal personal data in order to commit fraud, she says.
“On one hand, data is the problem,” she acknowledges. “But on the other hand, we also believe it’s the solution, because we can use data to better identify consumers and equip constituents in the ecosystem in all kinds of ways to prevent fraud.”
Consequently, three of what Richey calls the company’s “four pillars of payment security” actually include the word “data” in them. They are:
- Protect Data;
- Devalue Data;
- Harness Data; and
- Empower Consumers
Richey notes that as Visa’s vice chair and chief risk officer, her primary focus is securing the company’s payment ecosystem – that is, the banks that issue cards and add merchants to its network – a concern distinct from the cyber security of Visa’s own systems, which is handled by a different division.
Nor does she work alone: layered security, often involving multiple companies, is a guiding principle of Visa’s efforts.
“There’s no silver bullet in fraud prevention,” she says. “[The principle of layered defense] applies with full force in the ecosystem security world, so it’s not just one thing, but a whole range of solutions working together.”
Thus far her team’s proudest achievement is that they have managed to reduce the Visa system’s fraud rate by two thirds over the past 25 years.
“Globally, the system’s overall fraud rate is only about seven basis points [0.07 per cent, or roughly 7 in every 10,000], a historic low,” she says. “So in spite of the fact that about 10 years ago, criminals suddenly had a whole new way to steal data and automatically scale their business, so to speak, we as an industry have managed to resist.”
Still, Richey’s battle remains a constant one, with the security of the more than 16,000 banks, 40 million merchants, and 3 billion consumers in Visa’s system at stake.
“It’s a lot of potential security risks to deal with,” she says. “Our job is to help all of those stakeholders protect their data, and also use techniques and participate in systems that prevent fraud, hopefully before it happens.”
Here’s how the four pillars of payment security guide their efforts.
To start, Richey’s team has a risk-proofing structure in place to vet any product Visa might consider putting on the market, such as Visa Checkout.
“We have our security team and people from the ecosystem risk department involved right at the start,” she says. “And we’re advocates of the whole ‘shift left’ mentality in technology, which moves secure coding into the early stages of the coding process.”
More important than establishing and maintaining (and meeting) data security standards, however, is reducing the number of opportunities criminals have to access data, and its value to them, Richey says.
“We believe it’s very important to… devalue the data in the system, so that it can’t be reused to commit fraud,” she says.
Visa’s chip cards provide a clear example: the chip is a microprocessor holding a secret key that never leaves the card, and it uses that key to generate a unique one-time cryptogram for every transaction. Data copied from the card cannot reproduce that cryptogram, so the copy cannot be used to perform a face-to-face transaction.
“It’s actually very easy to counterfeit a magnetic stripe card,” Richey says. “But the chip card completely eliminates that. Until those came into play, counterfeit fraud was a major problem.”
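To make the contrast concrete, here is an added illustration (not Visa's or EMVCo's code) of why copied chip data is worthless while copied stripe data is not. It models a card that holds a per-card key and a transaction counter, and an issuer that verifies each cryptogram and rejects replays. The message layout, the HMAC-SHA256 "cryptogram", the counter handling and the test PAN are all simplifications assumed for the example; the real EMV scheme uses different keys, message fields and MAC construction.

```python
"""Why chip cards devalue stolen data and magnetic stripes do not.

Added illustration only: the cryptogram here is HMAC-SHA256 over a
simplified message, not the real EMV application cryptogram.
"""
import hashlib
import hmac
import secrets


def _auth_message(pan, amount, terminal_nonce, atc):
    # Fields that both the card and the issuer bind into the cryptogram.
    return f"{pan}|{amount}|{terminal_nonce}|{atc}".encode()


class ChipCard:
    """A card-unique secret key that never leaves the chip, plus an
    Application Transaction Counter (ATC) that increments on every use."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key      # never exposed to the terminal or merchant
        self.atc = 0

    def generate_cryptogram(self, amount, terminal_nonce):
        self.atc += 1
        msg = _auth_message(self.pan, amount, terminal_nonce, self.atc)
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount, "nonce": terminal_nonce,
                "atc": self.atc, "cryptogram": mac}


class Issuer:
    """Holds each card's key and the highest ATC it has accepted so far."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_chip_card(self, pan):
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_chip(self, msg):
        key = self._keys.get(msg["pan"])
        if key is None:
            return False
        # Replay defence: the counter must move strictly forward.
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return False
        expected = hmac.new(key, _auth_message(msg["pan"], msg["amount"],
                                               msg["nonce"], msg["atc"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False
        self._last_atc[msg["pan"]] = msg["atc"]
        return True

    def authorize_magstripe(self, track_data):
        # A stripe carries only static data, so whoever copied it can reuse it.
        return track_data["pan"] in self._keys


def demo():
    """Run four scenarios and report which ones the issuer accepts."""
    issuer = Issuer()
    pan = "4111111111111111"          # constructed test PAN
    card = issuer.issue_chip_card(pan)

    # 1. Genuine purchase: fresh cryptogram, accepted.
    genuine = card.generate_cryptogram("19.99", secrets.token_hex(4))
    ok_genuine = issuer.authorize_chip(genuine)

    # 2. Someone who captured that authorization replays it verbatim.
    ok_replay = issuer.authorize_chip(dict(genuine))

    # 3. A counterfeit chip built from the stolen PAN and ATC, but no key.
    forged = dict(genuine, atc=genuine["atc"] + 1, cryptogram="0" * 64)
    ok_forged = issuer.authorize_chip(forged)

    # 4. The same PAN copied onto a magnetic stripe still authorizes.
    ok_stripe_clone = issuer.authorize_magstripe({"pan": pan, "track2": "static"})

    return {"genuine": ok_genuine, "replay": ok_replay,
            "forged": ok_forged, "stripe_clone": ok_stripe_clone}


if __name__ == "__main__":
    print(demo())
```

The interesting part is scenario 3: the attacker has everything that crossed the wire, yet cannot mint a cryptogram for a new counter value because the key stayed inside the chip. Scenario 4 is the magstripe world Richey describes, where the data on the wire is the credential.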
Another challenge, she says, is the card account number itself, which has become the primary identifier used in online transactions.
“That account number never changes, so I could steal it, and then phish to get your expiration date and three-digit CVV2 code by calling and pretending to be your bank, right?” she says. “So your card is still vulnerable to online transactions.”
To mitigate that risk, Visa is increasingly turning to tokenization, which replaces the card number with a token that can only be used in a specific environment and can be managed throughout the account’s life cycle, she says.
“It’s not revolutionary, but we think it can revolutionize security,” she says.
“For example, if you had a token on your physical card, then you would enter the account number, but when it went through the merchant’s terminal, only a token would appear,” she says. “Then if your data was compromised we wouldn’t have to reissue the card, we could just substitute a new token.”
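The two properties Richey describes, a token that only works in the environment it was issued for and one that can be swapped after a compromise without reissuing the card, are easy to see in a small token vault. The following is an added example, not Visa's token service: the domain labels, the 16-digit Luhn-valid token format and the test PAN are assumptions made for the illustration.

```python
"""Domain-restricted payment tokens with rotation after compromise.

Added illustration only; the domain model and token format are assumptions,
not Visa's tokenization scheme.
"""
import secrets


def luhn_check_digit(partial):
    """Check digit that makes `partial` + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of `partial` is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    def __init__(self):
        self._tokens = {}    # token -> {"pan", "domain", "active"}

    def tokenize(self, pan, domain):
        """Mint a random, PAN-shaped token bound to one domain."""
        while True:
            # Random digits: the token reveals nothing about the PAN.
            body = "9" + "".join(str(secrets.randbelow(10)) for _ in range(14))
            token = body + luhn_check_digit(body)
            if token not in self._tokens:
                break
        self._tokens[token] = {"pan": pan, "domain": domain, "active": True}
        return token

    def detokenize(self, token, domain):
        """Return the PAN only if the token is live and presented from the
        domain it was bound to; anything else gets nothing."""
        rec = self._tokens.get(token)
        if rec is None or not rec["active"]:
            return None
        if rec["domain"] != domain:
            return None          # stolen token replayed somewhere else
        return rec["pan"]

    def revoke_and_replace(self, token):
        """After a compromise: kill the token, issue a fresh one for the same
        PAN and domain.  The card itself is untouched."""
        rec = self._tokens[token]
        rec["active"] = False
        return self.tokenize(rec["pan"], rec["domain"])


def demo():
    vault = TokenVault()
    pan = "4111111111111111"                     # constructed test PAN
    tok_web = vault.tokenize(pan, "merchant:shop.example")
    tok_wallet = vault.tokenize(pan, "wallet:device-1")

    results = {
        # Merchant presents its own token from its own domain.
        "web_ok": vault.detokenize(tok_web, "merchant:shop.example") == pan,
        # Token stolen from the merchant and tried at a different merchant.
        "stolen_used_elsewhere": vault.detokenize(tok_web, "merchant:other.example"),
    }

    # Merchant breach: rotate its token without reissuing the card.
    tok_web_new = vault.revoke_and_replace(tok_web)
    results["old_after_rotation"] = vault.detokenize(tok_web, "merchant:shop.example")
    results["new_after_rotation"] = vault.detokenize(tok_web_new, "merchant:shop.example") == pan
    # The wallet's token for the same PAN keeps working.
    results["wallet_unaffected"] = vault.detokenize(tok_wallet, "wallet:device-1") == pan
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the vault is the only place the PAN and token are linked, so a breach at a merchant yields only tokens that are useless outside that merchant's domain; and because tokens are random rather than derived from the PAN, revoking one and minting another is a vault-side bookkeeping change, which is exactly the "substitute a new token" step Richey describes.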
In addition to being a pioneer of security standards, the payment industry is a pioneer of big data, Richey says.
“Going way back into the previous decade, we’ve had tools that use big data to authenticate consumers by essentially checking suspicious transactions at the point of sale – you’ve probably had this happen, where someone calls from your bank and asks if it’s you,” she says (a scenario this writer has indeed experienced).
“It’s my view that anybody can build a model, and that increasingly anyone can start using machine learning to improve that model, but the secret sauce in big data is how much data you actually have, and by being able to see so many transactions Visa is particularly well-positioned,” she says.
By processing each customer’s payment beyond the initial purchase, Visa is able to refine its authentication tools every six months, Richey says, and shares the resulting information with its banking partners not only to prevent fraud but to prevent false positives.
“We think this kind of databased solution, which we call risk-based authentication, can actually be more predictive, and certainly more convenient, than things like passwords,” she says. “We think the days of the password are numbered.”
Biometrics are another authentication technique that Visa is exploring, through products such as the Visa ID Intelligence service it launched last October.
More vital to security than any program Visa itself can develop, however, is ensuring that users are aware of the risks inherent to digital payments, and the support they can expect from the companies that administer them. This is what makes mobile banking apps ideal, as they can be used to deactivate online transactions, send real-time alerts, or inform consumers about what they can expect from their provider.
The leading payment firms all strive to meet standards set by the Payment Card Industry Security Standards Council, which Visa helped establish in 2006 during what Richey calls “the early stages of the mass data breach era” and has since helped refine as new technologies, and their accompanying security risks, have hit the market.
“Now everybody’s talking about security standards,” she says. “But we were talking about them over a decade ago.”
Visa has a rule that requires all stakeholders with payment data to comply with PCI standards, which are also enforced by MasterCard, American Express, and Discover, she notes.
Richey considers this type of standards management essential to Visa’s role in the payments space.
“When you think about the number of technology ecosystems that are coming into being, like the Internet of Things (IoT), I think the whole question of ecosystem management is becoming a really critical piece of what’s happening in the industry,” she says. “And I think those who intermediate those platforms need to take on this type of responsibility.”