Visa Views: Looking ahead at payment security

The evolution of security and risk management will better accommodate modern ways to pay and be paid

Ellen Richey, Visa Chief Risk Officer

February 04, 2019, 12:00 AM Eastern Time

As we enter into the final month of the quarter, some people continue to work towards their New Year's resolutions and try to commit to a change in lifestyle—eat healthier, exercise more, and achieve more work-life balance.

Change that leads to improvement is usually good in my opinion, and in my role at Visa, I anticipate some healthy changes ahead for the payment industry. A lot of investment and innovation has taken place over the years to secure digital channels for payments, and I expect growing momentum for many of those security innovations. Of course, no one can perfectly predict what is to come but here is my take on possible payment security trends for the rest of 2019.

1. In-person payment fraud will continue to decline through modern card technology.

Despite the global growth in e-commerce, consumers around the world still make purchases in person. Fortunately, chip technology has helped drive down in-person counterfeit payment fraud by more than 80 percent in the United States in recent years.

The great news for merchants and consumers is that most chip-enabled point-of-sale (POS) terminals also support contactless “tap to pay” cards that enable a customer to tap their card on the terminal for payment. With the top credit card issuer in the U.S. bringing tap to pay to the industry’s largest portfolio of credit cards in the coming months, millions of customers will benefit from a fast, easy, and secure checkout experience. Contactless cards use the same chip technology and proven anti-fraud security while enabling a better consumer experience—which is why an increasing number of mass transit systems and quick-service restaurants globally have implemented or are planning to implement contactless card acceptance.

As magnetic stripe-only payment cards expire, issuers replace them with conventional chip cards and tap to pay chip-enabled cards, and merchants continue to update to modern POS terminals, I expect in-person payment fraud to decline even further in the coming year.

2. Continued growth in e-commerce and m-commerce will drive the need for secure digital payments.

The volume of digital payments will likely continue to increase, driven in part by the growing comfort and habit among consumers with making purchases on their phones, tablets, computers and IoT devices. Industry analysts predict that there could be more than 20 billion IoT devices by 2020. While chip technology has significantly reduced fraud in stores, we need a security defense like chip for the digital channel. Tokens can be that solution.

Tokens replace the transmission of actual payment card numbers, so if a point-of-sale (POS) system, mobile device, mobile application or network connection is compromised, payment card numbers are safe since they are not exposed. Tokens also include a dynamic value that changes with each transaction, similar to chip technology for in-person transactions. The Visa Token Service now supports Netflix and has expanded to 20 new partners, bringing the total to 60 around the world. With tokenization, merchants no longer have to store sensitive data, like primary account numbers, greatly reducing risk for people who store their card information on mobile devices, mobile apps or online with e-commerce merchants. Instead, merchants will be able to mask their customers' primary account numbers with tokens, each protected by restrictions that render it useless to fraudsters if it were ever to be compromised.

As e-commerce and m-commerce continue to grow, I expect a growing number of merchants in 2019 to test and implement programs that scale the use of tokens to protect customer card data while offering less customer friction when making a payment.

3. Insecurity and consumer frustration with passwords will lead to increased adoption of biometrics.  

Cardholder verification methods have evolved, including the optional removal of signatures in 2018. This is partly because the use of multiple modern security layers has made legacy methods of verifying identity, such as signatures, unnecessary. Extending beyond the payments industry, many people would probably also agree that remembering passwords and PINs as a way to verify identity can be difficult and not very secure. The use of biometrics for authentication for in-person and online shopping causes less friction for consumers and offers stronger identity verification for issuers and merchants. A survey commissioned by Visa showed that 86 percent of consumers are interested in using biometrics to verify identity or to make payments and more than 65 percent are already familiar with biometrics.

Visa worked with issuers to pilot on-card biometrics this year where a fingerprint scanner was built directly into a payment card. This is because consumers are most comfortable and still prefer the plastic card form factor to other available options. I expect more pilot programs to come from other financial institutions since integrating biometrics brings innovation to the card, reduces payment fraud and speeds up transactions.

4. Sharing of cyber threat intelligence among ecosystem partners and law enforcement will continue to chip away at attempted fraud.

Cybercriminals are increasingly organized and well-funded, backed by criminal organizations with deep pockets. The black market for cybercrime has also evolved to enable individuals of all skill sets to participate as long as they have the desire. This democratization of cybercrime means more attempts at exploiting known vulnerabilities will take place and organizations have to be vigilant.

Although collaboration already exists among partners in the payments industry and law enforcement, I believe you will see more collaboration between the two groups in the coming year because it yields results. Most notably, three senior members of the FIN7 cybercrime group—one of the largest known cybercrime organizations responsible for stealing roughly a billion dollars over the years from some well-recognized retail and hospitality companies—were arrested this year because of a public-private partnership between payment networks, financial institutions, merchants and law enforcement. Visa was a proud contributor to this effort, working with the FBI, the U.S. Attorney’s Office and other payment networks to bring the perpetrators to justice.

Catching cybercriminals is difficult, especially if they reside abroad, due to jurisdiction and sovereignty laws. However, when everyone pulls together, we have the best chance of disrupting their efforts and preventing fraud before it can happen.

5. Digital identities will begin to put personal data rights in the hands of consumers.

Policymakers will likely side with consumers and give them more rights, visibility and control over how personal data is used. The Open Banking initiative under Europe’s Revised Payment Services Directive (PSD2) has the potential to make the sharing of personal information more secure, private and frictionless using digital identities to reduce merchant abandonment rates.

We may not see the operationalization of digital identities at scale in 2019, but I do believe we will see some early production pilots sometime during the year as financial institutions and merchants explore possibilities. It is more important than ever to figure out how to securely handle digital identities to support e-commerce for merchants while protecting the privacy of personal information of account holders.

6. Advanced technology in risk-based decision-making and A.I. will help reduce card-not-present (CNP) payment fraud.

According to data from eMarketer, e-commerce is forecast to represent only 11.9 percent of total global retail sales in 2018, with brick and mortar still the dominant retail channel. This means there is still much room for growth for e-commerce sales. However, we know cybercriminals follow the money, so what can we do to protect CNP transactions?

The payments industry will be introducing new advanced risk-based decision-making for e-commerce to reduce CNP fraud in 2019 using updated standards from EMV® 3-D Secure[1]. It will enable financial institutions to better assess whether a transaction is legitimate or fraudulent by examining 10 times more risk factors than before, such as the browser type, device type, and location of a transaction, to help decide whether step-up authentication is required.

In addition, companies that facilitate digital payments will likely layer 3-D Secure with other advanced analytics technologies like artificial intelligence, similar to Visa. Visa uses AI technology called Visa Advanced Authorization to analyze up to 500 unique risk attributes in a millisecond, searching for fraud the moment a payment is initiated. The AI algorithm assesses these attributes to produce a score of the transaction’s predicted fraud probability and relays the score to the cardholder’s financial institution for them to decide to either approve or decline the transaction.

I believe the combination of merchants and issuers implementing 3-D Secure and the use of predictive analytics such as AI will help drive down CNP fraud in many regions of the world.

In 1965, Gordon Moore of Intel predicted that the increase in computing power and the decrease in relative cost would occur at an exponential pace. Many industries have witnessed this prediction become reality in the last 40-plus years. Visa has been in business for 60 years and has used the rapid pace of innovation to contribute to the advancement of the payment industry, and we are optimistic about the future. The evolution of security and risk management in the industry will better accommodate modern ways to pay and be paid, and make things easier, faster and more secure for the entire ecosystem.

[1] EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.