“Cardholder data will become increasingly available to the fraud community – making it more difficult for issuing banks to identify the point of compromise, and easier for fraudsters to monetize that data they have with transactions that are reliant on card data alone,” says Nick Craig VP for global security specialist, CA Technologies. In a recent interview with MPD CEO Karen Webster, Craig described how he’d design the ideal solution for stopping cyber criminals cold, and how some of the tools he’d use are right under everyone’s nose.
KW: Before we get into what I know you want to talk about – fraud and security – now that we’ve seen Apple Pay, what is your reaction? How do you think it will transform payments?
NC: First and foremost, I think it’s a fantastic announcement that was a long time coming. As to how it will transform the world we live in, I think the most important thing that we’ve seen is that clearly there’s been a lot of focus on NFC as a method of payment. We think that’s a great thing to encourage commitment to NFC as a platform, and the opportunity that then introduces. Introducing payment mechanisms onto millions mobile phones around the world is something we’re all very excited about, and something we hope will act as a catalyst to drive mobile payments.
KW: I agree, I think there’s been so much speculation about Apple, and now that we know, we’ll begin to see a lot of interesting moves being made by different players in the ecosystem.
When Apple Pay was announced, Tim Cook made a very big deal about the secure aspect of the solution, and how card credentials were never going to be exposed to anyone at the POS, along with the tokenization of cardholder data being stored on the phone and being part of the transaction stream. What are your thoughts on their approach to keeping transactions secure?
NC: Our take on the Apple Pay announcement is that there were two use cases associated with the use of tokens. The first was where the Apple device was going to be used to complete a “tap and pay” payment at the point of sale. Apple stated that the Apple Pay system would use a one-time payment credential in passing the payment data from the mobile device to the merchant NFC terminal. We think that’s a good thing in that it limits the availability of card data that can be leaked or compromised in the payment system.
The second use case that Apple mentioned was around the use of the mobile phone in the context of an e-commerce transaction. It’s really unclear what exactly the user experience will be for e-commerce, but we believe that also represents an interesting opportunity and an impact on the way in which cardholders shop online.
I think tokenization has an important role to play in mobile payments, and we’ve incorporated tokenization in a feature of our mobile payments infrastructure. We’re very excited that Apple is moving down that path, and it represents a great opportunity for the industry to take advantage of that.
KW: There’s been so much discussed particularly, as the US is moving to EMV, as to how fraud will move to a card-not-present environment. There’s been mixed reviews with respect to the available solutions in market today to address that. I know that CA Technologies is a pioneer in 3D-Secure authentication, which has had its own mixed reviews over the year. How do the various things we’re hearing about – tokenization, 3D-Secure – work together? How are you helping your customers sort out this landscape?
NC: This whole space is obviously quite a complex ecosystem. Card-not-present has become a significant area of fraud, and as fraud becomes more sophisticated and developed, we’ve also seen the payments industry respond with those new initiatives. Tokenization, EMV, and 3D secure are just some examples that mitigate the fraud. What that means in the industry, particularly in relevance to recent breaches, is that cardholder data will become increasingly available to the fraud community. That makes it more difficult for issuing banks to identify the point of compromise, and easier for fraudsters to monetize that data they have with transactions that are reliant on card data alone. These card-not-present transactions represent such an opportunity for a fraudster.
What we are doing is ensuring that we focus on a couple of things that we think are significant in developing an effective fraud strategy. The first is to build adaptability into a fraud strategy. No longer can issuers look at this world, deploy technology solutions, and really be confident that those solutions will solve a problem for a period of time. There needs to be continuous improvement through the use of data, technologies and processes available. This means that treating portfolios in the same way becomes far less effective – we’re an advocate of ensuring that we built adaptability into the solutions we offer and put the issuer right at the heart of the decision cycle. It’s about adaptability and control in a fraud strategy.
We also know the importance of data in fighting fraud. Issuers are continuing to seek deeper insights to allow better understanding of fraud and the threats they’ve seen. Having this flexibility to act quickly sounds simple, but for lost of systems and processes today, that flexibility is difficult to achieve. What we focus on is allowing issuers to achieve greater levels of adaptability and insight to put them at the heart of the decision process. In particular, the work we’re doing around authentication models is a very exciting opportunity to combine a couple of those elements to deliver solutions that really do attack the card-not-present fraud problem.
KW: CA Technologies’ neural network authentication models sound very interesting, and potentially very useful to card issuers. How do they work?
NC: The first thing to understand is that this really is the first time that artificial intelligence and these advanced techniques are being applied to the world of authentication. And that’s important because authentication itself offers a unique opportunity.
When you think about the world that we live in and the fraud prevention solutions deployed to issuing banks over the years, on the authorization side, those systems are working with very limited data streams that largely have not changed in many years. Authentication brings new digital data that can be leveraged, so for instance, you’re able to see the device the cardholder is using, the location of that cardholder at the POS, the connection speed that they’re connecting over, and each of those provide an affective variable when compared to traditional data streams that we’re used to seeing – transaction amount, currency, merchant details, etc.
There’s a set of capabilities that we are deploying to map both the genuine cardholder behavior as well as the fraudulent behavior. Historically, the focus has been more on trying to map fraudulent behavior to predict future instances of fraud occurring again. But the combination of the data with advanced techniques allows us to provide a significant opportunity to issuers in fighting fraud.
KW: As a consumer, the first time that I transacted on a German fashion site that I’d never visited before, I was sure that I’d have my transaction declined because it was totally out of pattern for me. But it went through just fine. Around the tenth time I went to that site, however, my transaction was declined and I got an alert from my issuer asking if I was really attempting to make that purchase. Why would the first time have been okay, but the tenth time not okay?
NC: If you think about what we are doing, ultimately we want to separate the fraud from normal behavior. When we look at normal behavior, we are mapping it at a detailed level. We’re not just looking at whether or not this is Karen, if she’s using the normal credit or debit card that she typically uses, is she shopping at the same merchant that she usually visits. It’s those additional data points that provide opportunity to get the broad perspective. We’re identifying deviations from your normal behavior by looking at pivots in data elements, and how the connection speed versus the card versus the merchant interact together. That’s why, perhaps, in your situation, if the solution behind the scenes is trying to map fraudulent behavior, there might be something like the value of the transaction, time of day, or the merchant itself that triggers the riskiness of the transaction.
What we’re doing is matching the fraudulent behavior with the genuine behavior, and the combination of those data streams with sophisticated techniques that we’re using give us that opportunity to reduce those instances where your shopping experience is impacted because the transaction is declined. That’s really what’s behind the scenes.
KW: It seems to me that this is something that should be a typical part of the fraud strategy for an issuer. Why isn’t it, and what are those individuals or companies leaving on the table by not incorporating this strategy?
NC: I think issuers certainly are doing more of this. What we’re seeing, with the introduction of our advances analytics models, is that this is providing a significant opportunity for banks. It’s not that they’re not using them, it’s just that there’s a new set of technology there that they can now take advantage of. Speaking to the value itself, obviously the most immediate benefit for the card issuer is reducing the net loss and improving fraud protection.
An affective fraud solution is going to really need to improve the balance between fraud and customer experience. It’s very easy to reduce fraud – just decline lots more transactions. The consequence of that, however, is that the customer is not able to shop without getting frustrated. That has a big impact, causing lost revenue and, more importantly, lost loyalty.
Consumers now have increasingly different options for payment methods, so it is becoming important for banks to not only make sure that they’re offering the best customer experience, but also that they’re securing that front-of-wallet status so that consumers always continue to use their card. As customers decide and create preferences, it’s very difficult to change people’s minds, moving them from one payment method to another. The other thing that’s often overlooked is the operational impact. Clearly there’s a big revenue opportunity in allowing customers to shop online more frequently and easily, and to reduce fraud. There’s a very significant ROI that comes with these types of solutions.
KW: If you had a clean sheet of paper, and you were asked to design the optimal fraud solution, what would it look like?
NC: I think the principles we’ve talked about are very important. It’s about going deeper into the data and understanding it, looking at it from a multichannel perspective across the entire organization. Also, the adaptability that we talked about – building and designing systems not just from the standpoint of delivering a result, but from the standpoint of knowing that, in the future, it’s likely to change. Putting that control in the hands of the issuer to be able to develop and continuously evolve their strategies is key.
KW: I think people think about card-not-present transactions as those that we’re initiating from our computers or mobile devices when we’re shopping online. But as we’ve witnessed with Apple Play and other players over the last few years, the ability and cloud-based digital solutions to transact in physical stores will only create more of an environment for CNP transactions to evolve and scale. These kinds of things will only become more important.
NC: Completely. And when we also think about how quickly things move, industries change, and opportunities emerge, and the existing systems that banks run today, the challenge is a consideration of these existing systems and investments that have been made. It’s much more about openness, adaptability and integration, rather than silver bullets that solve all of the problems, which we know is not the way of the world.
VP of Sales for CA Digital Payments, CA Technologies
With an impressive amount of experience in SaaS and enterprise security software systems, Nick is currently responsible for CA Digital Payments at CA Technologies, working with clients globally to provide innovative solutions to the payment industry. He has in-depth knowledge in current online payment authentication schemes and possesses expertise on using advanced models and dynamic, bank-defined rules to help card issuers fight fraud in real time while providing a frictionless checkout experience for genuine cardholders. Nick has held several management roles in EMEA, including 9 years with IBM with responsibility on IBM software portfolios. He previously ran CA Digital Payments in EMEA at Arcot (acquired by CA Technologies), the leader in securing 3-D Secure ecommerce transactions.