Visa’s Chief Risk Officer On Securing Commerce In The 2020s


Futureproofing is the process of creating systems and processes resilient enough to hold their value in the face of an unknown future. It’s also about creating a mindset and a corporate culture where everyone is responsible for weighing risks against future opportunities.

It’s one of the things about his company that has most impressed Visa’s Executive Vice President and Chief Risk Officer Paul Fabara, as he told Karen Webster in a recent conversation. Fabara officially joined Visa in September of 2019, coming from Amex, where he was president of its global services group. Now four months in, he told Webster that the idea of a secure and trusted payments ecosystem is part of Visa’s “corporate DNA.” Regardless of the product or initiative, every conversation starts and ends with a single overriding question: “Is it secure?”

“Building safe and secure products isn’t an afterthought or a conversation that happens at the end of a development sprint,” Fabara explained. “The question that guides every conversation I’ve seen at Visa in my first four months on the job is, ‘How do we create a safe, connected product that will allow open and free commerce that connects buyers and sellers?’”

Visa’s culture that risk management is everyone’s responsibility, Fabara said, is a competitive advantage and a strategic weapon in the payment ecosystem’s fight against an ever-more sophisticated fraudster. It has motivated a different approach for fighting fraud in the 2020s and beyond. Not only are Fabara and his team using the latest tools, technology and tactics to defend against intrusions, but they are also building and using sophisticated tech to find fraudsters well before they are ready to be found.

Going on the Offense

Fabara’s role is to maintain the integrity and security of the Visa payment system in the face of a daunting set of new challenges. The decade of the 2010s was rife with data breaches and cyberattacks of increasing frequency and sophistication. It was also rife with innovation that took payments to new physical and digital endpoints.

The 2020s, Fabara told Webster, will see a rapid acceleration of these new digital payment flows by consumers and businesses, as innovators create new opportunities for commerce at those new touchpoints. That means there is more ground to secure as more criminals look for ways to attack them.

“In many ways, the rise of data breaches really forces the adoption of smarter and more dynamic security products to truly protect data and manage fraud,” he noted. “More and more, we are going after bad actors with a vengeance. I wake up every day thinking about how we can catch those folks and pull them out of the ecosystem.”

Going on the offensive is a powerful goal, but tricky to pull off — a fact of which cybercriminals are well aware. Fraudsters are good at hiding, particularly in parts of the world where enforcement is weak and it’s easy to virtually disappear. Fabara says there’s a stark divide between the places where financial institutions’ (FIs) regulations and standards for detecting, enforcing and preventing fraud are high and the places where they are lacking — including those nation-states where cyberfraud is now an industry specialization.

It’s at those places, he noted, where it is even more important for Visa to be present and to be “the fraud-fighting engine,” using more advanced and sophisticated tools.

Artificial intelligence (AI), said Fabara, will be used to build data models to systematically probe weaknesses and potential target points to “spot” fraudsters and their tactics before they can strike. Those models make it possible for the payments ecosystem — FIs, merchants and FinTechs — to get ahead of the fraudsters by patching vulnerabilities long before attacks begin.

When Risk Management Is a Mindset and Not a Business Unit

Protecting the commerce ecosystem from fraud and risk is both a short- and long-term game. In the near term, Fabara told Webster, he believes the global market will see a much wider adoption of 3D Secure standards and the updated EMV standards online, which will provide a greater measure of protection for digital commerce without compromising the user experience.

In the longer future, he sees the development of authentication and payment tech converging, making the authentication method and the payment method a single credential that consumers use to transact across the ecosystem. He noted that the market is moving there, though perhaps somewhat more slowly than one might expect given the technological advances, particularly in the wearables arena.

And there’s the fact that consumers still love and use their physical cards.

“Consumers are still in love with the old form factor. They love their metal cards and their branded cards,” Fabara pointed out.

Despite the loyalty to the old-fashioned form factor, the digitization of commerce is accelerating — and with it will come the inevitable payments/identity convergence. The benefits to both consumers and merchants will be profound: A more secure way to transact across the many channels that exist for doing commerce and a seamless way for consumers to interact across those touchpoints. As Fabara told Webster, it’s a “when,” not an “if.”

“The progress is all pointing this way,” he said. “If we use EMV as a reference point, it might take some time, but when I look at the changing security needs, I think we all know that conversations need to happen, because that merger [of credentials] needs to happen.”

Those conversations are happening today because, headlines aside, Visa’s core mission and DNA lie in operating a set of rails that secure the commerce happening across them, and in creating the trust that consumers and businesses need to feel comfortable using those rails in this dynamic digital age. Fabara noted that Visa’s work — across all of Visa, not just his risk management team — will never be done, because cybercriminals are a remarkably indefatigable group. But everyone knows the job has to be done.

“At the end of the day, we are deeply committed to keeping it safe for consumers, merchants, financial institutions and anyone else who needs to use the rails with confidence,” Fabara said.