Subscribe to our podcast via:
The following is a transcript of the podcast episode between Margaret Reid, SVP North America Risk at Visa, Tim Sloane, VP, Payments Innovation at Mercator Advisory Group, and Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com.
Ryan: Margaret, as e-commerce and m-commerce continue to grow, what new payment security technologies do you see playing a more prominent role in securing payments?
Margaret: We’re definitely seeing the volume of digital payments growing and we expect it to do nothing but increase from this point forward. We are seeing some analysts predict that there could be more than 20 billion IOT (internet of things) devices by 2020, which is a tremendous increase in the number of potential points at which transactions could take place.
One of the things that we’ve been looking at is we would love to see the equivalent of what we have now with chip technology but in the digital channel. Chip technology has significantly reduced fraud in stores, and we need a similar kind of security defense for the digital channel. Our view is that tokens can be that solution.
The reason we think that is that tokens definitely replace the transmission of the actual payment card number, so we don’t have to be concerned about the proliferation of PANs (personal account numbers) in this space and obviously can work with the various different point-of-sale or point-of-transaction mechanisms that we’re now starting to work with like mobile devices or iPads.
The other benefit of the token is that it can include a dynamic value so it changes with each transaction just like with an EMV chip and that further secures the transaction. We see the adoption of tokens increasing across both the North America region and around the world. For example, we now have Netflix deploying tokens broadly, and we’ve expanded the number of tokens so that we have 20 in North America and the 60 in total around the world now.
One of the other benefits of tokens is, particularly for our merchant partners. It means that they no longer have to store the sensitive account numbers on their systems. And that, of course, will help them in reducing the risk of them being a target for compromise as well as reducing the expenses associated with compliance with standards like PCI.
So, all in all, I think we’re looking at tokens as being definitely a technology that we are looking to deploy more broadly in our e-commerce and m-commerce channels so that we can further secure the payment transactions over time. Payments have evolved over the 60 years that Visa has been in business now. We’re continually looking for how to secure those additional channels and we definitely see tokens playing a valuable role.
Tim: I totally agree with that. Mercator expects that tokenization is going to make a big impact on digital commerce and reduce fraud in a really big way. In 2017, there was $31 billion in fraud-based chargebacks. And when you take a look at how tokenization is now going to be brought to the browser, to the mobile devices, and to more of that digital channel, it should really be able to start to cut back on that fraud rate.
Ryan: I’m sure everybody out there has seen the headline of the death of the password. That notion came into vogue in 2018. But as we’re looking at 2019, what technologies are you seeing that are going to potentially replace the password an enhanced security method, if you will?
Margaret: I think everybody is looking for the end of the password. I think we’re all at the personal level increasingly frustrated with how difficult it is to remember all the different passwords and make sure that we’re being secure with the ones that we have.
I think the big area that we’re seeing making a change here is with biometrics. It’s been a technology that’s been talked about for a long time, but we’re starting to see that really gaining traction now and definitely consumer familiarity.
We actually did a survey recently that showed that 86 percent of consumers are interested in using biometrics to verify identity or confirm a payment, and more than 65 percent are already familiar with biometrics. So we’re definitely getting to that tipping point with both the availability of the technology and the familiarity of consumers with using it and confidence in using it that we will start to see inroads made now in replacing passwords. And we’re definitely looking forward to it.
We’ve seen some pilots that we’ve been doing. There are obviously ways in which you can use it in mobile phones with either fingerprint biometrics or facial recognition. But we’re also seeing some pilots with on-card biometrics as well so that we don’t lose the familiarity of the set of physical plastic for people. I think that’s where we see the most hope for getting rid of passwords.
Tim: Mercator put out a report last year that was looking at the adoption of biometrics. And one of the things we use to judge that changeover was the rate at which consumers adopted mobile banking. Initially only 20 percent of consumers were comfortable with doing banking on the internet through their mobile device. Within five years, it was 80 percent were actually using it. And I think the key criteria there is the availability and the functionality of it that benefited the consumer. When they got that convenience factor in place, they rushed to use it. I think part of our problem right now is biometrics are very limited in their use case.
They open up my phone. A few banking apps can be opened up with it, but I still need to remember passwords for every darn website I go to and so what we really need to see is a federated approach maybe on the FIDO model, maybe some other model. But when consumers can use finger touch or facial I.D. or whatever to be able to open up many of their different websites and apps, I think we’ll see a rush to biometrics.
Ryan: Keeping with the security topic, security and fraud have always been kind of a cat-and-mouse game. How do you see this game playing out in 2019?
Margaret: Quite a serious game, isn’t it? We’re definitely seeing cybercriminals increasingly organized and well funded and backed by criminal organizations with deep pockets. So it’s a clear concern for us. The black markets that now support these cybercrime activities have also evolved to a level where they’ve effectively democratized the tools that are available. And so anybody with that particular desire can continue to participate in it now if they want. Which means for all of those who are under potential attack, it means they have to be ever more vigilant, whether that is an issuer, a processor, ourselves at Visa, and also the merchant. It’s a constant battle really to make sure that we stay ahead of the criminals.
One of the things besides the new technologies that we see coming along whether it’s tokens or biometrics to secure payments, one of the things that we see and benefit from as well is increased partnership between partners in the payment industry and law enforcement so that we can work together to gather the evidence that we need to be able to effectively terminate some of the activities that are happening in the criminal world.
I don’t know whether you recall, but last year three members of the “Fin7” cybercrime group, which has been one of the largest known organizations responsible we believe for stealing a billion dollars over the years, were arrested as a direct result of the partnership between the private institutions and law enforcement. We were definitely proud to be part of that effort and to bring those perpetrators to justice. It’s going to continue to be a challenge, though.
It’s particularly challenging when they move across different jurisdictions, obviously. They often use different levels of law, the different laws that apply, to hide away effectively, but we need to keep pushing and to keep promoting the cooperation both domestically as well as across borders to try and disrupt their efforts.
Tim: I would just add that as we were talking about before with biometrics, being able to nail down the identity of the individual making the transaction is so critical to being able to prevent the fraud from occurring in the first place. The provisioning of the device, the ability to link that device and the individual to the transaction should be able to cut down significantly on fraud. And we’re moving in the right direction for that in many different areas.
Ryan: Personal data continues to be a huge topic in 2019. We’ve already seen some policies beginning to be implemented such as PSD2 [the European Union’s revised Payment Services Directive] looking at open banking that gives consumers better control over their data. So how do you see the payments industry adapting to these new policies?
Margaret: Yes, I agree. It’s going to continue to be a big topic. We’ve obviously seen some of the legislative moves that have taken place, whether it’s PSD2 or GDPR [the EU’s General Data Protection Regulation], and we’re seeing a new flurry in the U.S. as well with a lot of state-level activity for data privacy too.
But I agree with what Tim was saying, which is that we need to push toward developing a better construct for digital identity so that we can tie people to more confidently confirm the identity of someone that’s participating in the transaction when we see them. While we see some of the early production pilots in the space that are promising, I think that we’ll need to keep working diligently in this area to be able to push forward to have something that’s much more scalable at the level that we need for secure transactions that we definitely support.
So I think it’s going to be an area that there’s going to be a lot of continuing focus this year, but we may take a little time before we have something that’s fully productionalized in place.
Tim: I agree with that, Margaret. The PID (personal identifier), the electronic identity, the self-sovereign kind of model, or identity management, are all coming into the market and are starting to be recognized as viable approaches.
But going from viability of approach to implementation is going to take some time. And then there’s the other side of it. Even if the consumer controls the data they release, the ability on the back end for businesses to consolidate, aggregate data from multiple sources, still enables a lot of privacy issues to leak through the cracks. So I think we have a long ways to go to be able to lock that down.
Ryan: Going back to the rise of e-commerce and m-commerce, that means there’s going to be an increase in card-not-present transactions. With that increase in transactions obviously comes the fraud component. From your point of view, what do you see the payments industry is going to do to help combat this growing threat?
Margaret: Well, we’ve always been proponents of a layered approach to prevention. I don’t think that we’ll ever see necessarily a silver bullet to deal with all the different types of threats that we deal with. There are two areas that we’re continuing to invest in this year. The first one will be around the introduction of our new 2.0 protocol for 3-D Secure [Visa 3-D Secure 2.0]. You know 3-D Secure has been around for some time now, and EMV has brought out the new 2.0 protocol which will allow for it to be used in more than just browser-based activity. So that will extend into mobile and other forms, other devices. So that will help.
And then the other thing that 3DS 2.0 brings is that it will I’m sure help increase the viability of the program, and also its effectiveness is the amount of data that can be shared between the merchants and the issuer going forward. So we’re moving from around 10 different fields of data to upwards of 90 or so.
And that data is definitely a key theme with respect to how to combat some of the fraud. If we’re able to provide more data from the merchants to the issuer, then the issuer can make more effective decisions about the transaction.
So 3-D Secure is something that we’re clearly putting a lot of focus on this next year. Underlying all that as well is our ongoing use of AI [artificial intelligence] technology in our services like Visa Advanced Authorization. That again has been around for multiple years now, but we continue to enhance it every year. And that allows us to take a look at up to 500 unique risk attributes in a millisecond. Looking for those patterns of activity that may be taking place and then providing a score to our issuers which they can use in making a decision whether or not to approve the transaction.
So more data in the message flowing between merchants and issuers for better decisions. More use of technologies like AI in searching through all of that data that’s available to look for the different patterns of behavior. They’re all the things that we’ll be looking at for this year to help us improve and combat fraud.
Tim: You know, despite a few discouraging interviews with large merchants here in the U.S. about 3-D Secure, primarily based on the problems they had with version 1, Mercator Advisory Group really is confident 3-D Secure 2.0 is going to take off. With PSD2 pushing the U.S. merchants to adopt 3-D Secure, if they’re going to do business in Europe, that’s going to put that 3-D Secure anti-fraud mechanism into their toolbox and they’re sure to start to use that as they see the significant benefits of it.
So we have a lot of confidence that if there are any hiccups in the initial roll-out, they’ll get fixed and that ultimately the merchants will see the value of 3-D Secure 2.0. I think it will significantly reduce fraud.
Subscribe to our podcast via: