The Fourth Payment Security Revolution
Technological innovations have revolutionised the way we live, work and play. Yet with the emergence of new technologies comes newer and more complex risks. As our hyper-connected world moves increasingly towards digital experiences, cybersecurity has never been more pertinent, especially for banking and payments.
We sat down with Shivakumar Sriraman, Head of Risk for Visa Southeast Asia, to discuss the fourth payment security revolution, the power of cybersecurity innovations and the role of emerging technology in the future of payments.
Given your experience managing risks for banking and payment ecosystems, how would you describe the evolution of payment security over time?
The concept of the Fourth Industrial Revolution has received wide attention as it promises to profoundly change the way we live and work. It suggests that society has industrialised over the past 200 years to digital technology and information and will be marked by emerging technologies, including robotics, artificial intelligence (AI), quantum computing and others.
In parallel, we are also in the midst of the Fourth Payment Security Revolution. Sixty years ago in the analogue age, criminals stole mail for personal documents to steal identities and open fraudulent accounts. In today’s Fourth Payment Security Revolution, sophisticated criminal organisations employ advanced technology and social engineering techniques to carry out targeted attacks.
But regardless of era, the prize is the same — that is, personal data and payment information. In today’s age, it is clear that data will be both an asset and a security liability. When we use data correctly and ethically, we can create a full range of innovations. But it is the same data that criminals want to get their hands on. While the payment industry has been subject to wave after wave of changes, we must not lose sight of the importance of customers’ trust which takes years to build but only one incident of data loss to lose.
What kinds of notable innovations in cybersecurity has helped in shaping the way we make payments, and consequently digital banking, today?
We live in the current age of what is known as the new data economy. Data can be a transformational force to shape the future of society and commerce. As early as in 1993, Visa became one of the first payment technology companies to use AI as way to detect and prevent fraud.
Visa’s AI system, called Visa Advanced Authorization (VAA), has helped issuers prevent an estimated US$25B in annual fraud. In 2018, more than 127B transactions flowed across VisaNet between merchants and financial institutions, and AI was used to analyse 100 percent of those transactions. VAA works by examining transactions for indicators of fraud — activities, patterns and more than 500 risk attributes — all in about one millisecond, to help financial institutions approve and reject the right transactions.
In the broader context, we are at a great inflection point where hyper connectivity is creating more ways to pay and at the same time also creating more ways to exploit. Today’s cyber criminals are well-organised and no longer get their hands dirty and pass the risk to technically skilled criminal enterprises. It is important for professionals who care about payment security to think about cyber security — more importantly security by design and adopting standards-based approach. These will be guiding principles in the future of payments as we seek to balance the need for innovation and security.
Working in a risk management function requires one to think a lot about the “what-ifs”. Beyond looking at the worst-case scenarios, how do you and your team work towards driving innovation in the organisation?
Analysts have predicted that the number of connected or Internet of Things (IoT) devices will reach 25B by 2021, and every one of these IoT devices has the potential to become a payment touchpoint. By comparison, Visa is currently accepted at 61 million locations worldwide.
With this confluence of factors, we can expect a burst of new payment methods and flows. For all of us in the ecosystem, this requires a rethink in the way the industry innovates and our shared approach towards cyber and payment security. While payment security has come a long way, our fundamental belief is that security cannot be an add-on or an afterthought when it comes to innovation. Instead, security needs to be embedded right at the start. At Visa, we call this approach “responsible innovation”.
Innovation requires us to balance the customer expectation of convenience and security. Think for a moment if security is over consumer experience, profitability and growth, it will stifle innovation. The critical path is all about balancing this equation and data is crucial.
What cybersecurity challenges do you foresee in the future of digital banking and payments, and what can we do to address them?
We live in a climate where cybersecurity incidents and data breaches are not a matter of if, but when. There are two things that we also know for certain. One, the future of payments will be highly complex. Two, security challenges will be multi-faceted. It is also important to know that payment security is a shared responsibility and it is in all our interests to align to the mission of keeping the payment system secure.
The future of payments is borderless, one should expect a flowing exchange of personal and payment data as commerce becomes increasingly hyperconnected. When it comes to data, Visa’s strategy is to protect, devalue and harness data as well as empower consumers. One of our key priorities is to remove static data from the payment system so technologies like the chip card are extremely important. For organisations that really have to store static data, we encourage the adoption of PCI DSS (Payment Card Industry Data Security Standard) to encrypt them under our protect data pillar.
While financial institutions normally focus on systems and processes to improve cybersecurity, consumers are a powerful but under-utilised asset. No one in the payment chain is more aware of unauthorised transactions than the accountholder. This is why we need to get the consumer to become more involved in verifying transactions and this can be accomplished by offering transactions controls, such as payment alerts and the ability to decide how their credentials are used.
Do you see any emerging technologies taking a lead role in the development of payments towards the future?
We’re curious and open-minded about any new technology that has the potential to advance digital payments. Visa has been testing, analysing, piloting and prototyping capabilities in several new areas of our business. In the field of AI, we have been running trials on behavioural biometrics as a new method of authentication. We are also expanding the test cases of machine learning models for voice anti-spoofing, photo transformation, dynamic authentication as well as in-store and in-car authentication.
One of our newest and most innovative payment products, the Visa B2B Connect network, uses elements of blockchain architecture to give financial institutions a simple, fast and secure way to process business-to-business cross-border payment globally.
Regardless of technology, we advocate a standards-based approach so that it can be accessible by anyone, anywhere. Our belief is that, ultimately, it will be the end-users who decide which technologies to adopt on mass scale.
