Fraud-Fighting Insights from Visa
Why Devaluing Card Data, Using Data Analytics Are Key StepsEllen Richey, Visa's chief legal officer and enterprise risk officer, offered two important messages in her keynote presentation at Information Security Media Group's Fraud Summit San Francisco. First, it's time to use technology to devalue card data to something that cannot be used to perpetuate fraud. And second, it's time to make greater use of data analytics to detect suspicious activity.
See Also: When Every Identity is at Risk, Where Do You Begin?
As recent breaches, including the Target Corp. incident, have shown, fraudsters are no longer just going after data that is stored at the POS. Today, attackers are actually focusing on exfiltrating data as it's being processed, in transit, Richey said.
Visa is pushing a three-part plan for devaluing card data so it's of little use to fraudsters. That includes a migration away from magnetic-stripe cards to chip cards; tokenization of card data; and end-to-end encryption - which means card data will never be processed or transmitted in the clear.
But taking these three steps won't be easy, Richey acknowleged.
While chip technology that conforms to the Europay, MasterCard, Visa standard is readily available, U.S. banking institutions and merchants will need to devote plenty of time, planning and money to complete their EMV migrations, she said.
And, while tokenization is a necessity to ensure card data is sufficiently devalued, it, too, will require an investment in software and hardware upgrades.
End-to-end encryption poses its own challenges as well, Richey noted. Anything that's encrypted has to be decrypted, and that means the keys used to decrypt that data have to be protected - which is not a simple task (see Why Is End-to-End Encryption So Daunting?).
Data Analytics
Even if they adopt all of those technologies to help devalue card data, banking institutions and retailers, as well as processors, "still need data analytics," Richey explained. Data analytics enables monitoring of transactional patterns to detect suspicious activity that can pinpoint points of compromise.
"Containing breaches faster is a necessity, and an aspect of that ties back to big data," she said. "Larger financial institutions are using this technology, but smaller institutions will need to rely on partners and networks, such as Visa, for many of the analytical tools they don't have the resources to manage in-house."
No one can deny that analytics is going to play an increasing role in fraud prevention. Many of the retail breaches we've seen over the last two years were detected by good analytics, often on the card-issuing side.
But major retailers also must play a role in monitoring transactions via analytics. And by sharing their discoveries, retailers and banking institutions can more quickly identify breaches, and help prevent fraud.