In an increasingly digital-first world, the credit card company is using a multi-layered security approach to enable safe transactions.
Visa has invested $9 billion over a five-year period to fund new fraud and security initiatives that include multi-layered cybersecurity, AI and analytics to further secure digital transactions.
One service, Visa’s flagship predictive analytics product Advanced Authorization, prevented an estimated $26 billion in fraud in 2021, according to Michael Jabbara, vice president and global head of fraud at Visa, in a recent interview with TechRepublic.
Advanced Authorization leverages 500 data elements in every Visa processed transaction to provide a risk score to clients.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
The $9 billion in funding represents “the level of investment necessary for us to drive innovation in the payment space,’’ Jabbara said. “For us to drive access to Visa products and capabilities, we have to continue to invest in that security foundation and build new capabilities as they relate to data, AI and tokenization to allow cardholders to transact more securely.”
The technologies enable Visa to shift its focus as the security landscape evolves along with changing customer behaviors, and the growing sophistication of threat actors, he said. While some of the funding went toward cutting-edge technologies, the lion’s share is being used for bread-and-butter security platforms and services.
“A lot of attention is paid to the innovations on the bleeding edge of finance and payments — tap to pay, crypto and buy now, pay later, for example,’’ said Paul Fabara, Visa’s chief risk officer, in a recent blog post. “What garners less attention are the products, platforms and services that ensure any new form of money movement is safe, secure and private.”
Security is a “collective effort across multiple stakeholders,” including Jabbara’s group, which works to protect clients against large-scale data breaches and provides analytics expertise to enterprises that may not be able to garner that information independently, he said. Visa’s cybersecurity group is responsible for day-to-day monitoring of the credit card giant’s network and infrastructure.
Breakdown of multi-layered technologies
Visa continues to invest in 3-DS, the three-domain secure protocol that allows for the exchange of information between merchants and banks as they validate and authorize a cardholder purchase. The protocol gives insights into IP address, phone device and other variables that “enable us to fine tune risk while approving transactions to ensure they are legitimate,’’ Jabbara said.
There was wider adoption of 3-DS during the pandemic due to the shift to online commerce, and in Europe, Visa saw a 28% reduction in fraud in 2021.
The company has already invested $5 million in the past five years to transform massive amounts of data to get insights, such as risk associated with billions of transactions. Visa is using deep learning to differentiate between legitimate and illegitimate transactions and has seen a 30% reduction in false declines, Jabbara said.
The next wave of consumer protection, which Visa has termed “Authentication 2.0,” includes tokens, which aim to reduce the risk of identity theft by replacing cardholder information with a unique identifier for a specific transaction.
Tokenization is up 60% year-over-year and has led to a 2.5% increase in approval rates and 28% reduction in fraud rates, Fabara wrote. Visa has also introduced its Cloud Token Framework, designed to enhance security and increase approval rates for card-not-present transactions across multiple payment experiences and devices.
Targeting fraud on eCommerce platforms
One of the capabilities Jabbara is personally excited about came about as a result of a huge spike in new digital storefronts during the pandemic mainly by small and medium businesses so they could continue to operate.
Fraudsters began targeting those businesses, which typically don’t have the resources to deploy security capabilities, he said. Attackers started injecting malware into the checkout page so that “as a customer would complete a purchase and click submit, the payment information would be transmitted to a malicious command and control center, and from there, payment information would be sold on the dark web,’’ Jabbara said.
So Visa built a malware scanning capability called eCommerce Threat Disruption, which scans a merchant checkout page for malicious code. When malware is discovered, Jabbara said they work with the merchant to remediate it.
The company also continues to invest in monitoring and detection of its own network and opening three 24/7 global cyber fusion centers manned by 1,000 cyber professionals. For every $100 spent on Visa, less than 7 cents is fraudulent because of these investments, Jabbara said.
Visa will continue to enhance its foundational platforms and invest further into AI.
“AI is really critical in how we take all this additional data being generated across the network from new devices, and use it to craft very tailored, personalized risk profiles for our cardholders that will allow for the scalability of the next wave of digital payment — whether buy now, pay later or order ahead or crypto,” Jabbara said. “Each presents unique challenges.”