Big data at the forefront of cyber security: Visa

By Madushka Balasuriya

E-commerce is the fastest growing payments channel in Sri Lanka with transactions having increased 30% year-on-year as at July, but alongside this growth is the even more breakneck rise in cybercrime and online threats. These criminals, however, aren’t merely targeting your hard-earned cash - no, they’re after your data.

“Data has become really important for cyber criminals. Information - whether it’s transaction-based, or whether it’s profile information about you - has become a really important piece of information that cyber criminals are trying to get access to,” explains Anthony Watson. 

Watson is the Country Manager to Sri Lanka and Maldives for Visa, the global payments giant boasting some 65,000 transactions a second, and as such is particularly well-placed to comment on this growing threat, one that the company is on the frontlines of combating. “It’s fairly obvious that criminals, particularly on cyber security, and cyber-based fraud, are getting very well organised. And that definitely poses a financial risk for our clients. The role we play is providing banks - which have both the merchant relationship and the consumer relationship - the platform, tools, and global best practices, which then bring together the overlaying security kind of foundation.”

A shifting payments landscape, with the advent of Fintech firms and the level of complexity with which transaction management is rapidly changing, however, complicates matters.

This is a point echoed by Lakshmi Ramakrishnan, Visa’s Director (Risk Services) for India and South Asia, who points out that it is this present state of affairs which makes the work Visa does in terms of security so vital.

“All these different partners in these transaction streams are adding to data. There is more and more data, and Visa looks at how to secure that data, which will in a way secure the entire stream,” she explains.

Both Watson and Ramakrishnan were speaking to Daily FT on the eve of the 6th Annual Cyber Security Summit, of which Visa are Strategic Partners. Ramakrishnan, in fact, is set to provide a presentation on securing digital commerce later today.

“It’s about how transactions are growing, and the channels they are growing in. What are the challenges we see today, and how Visa and its partners can work together to secure the transactions,” she tells me briefly.

Visa Advanced Authorisation and Visa Risk Manager 

Without giving too much away, among these challenges is ensuring the continued security of client data, while at the same time allowing for innovation and growth. With Fintech (financial technology) companies sprouting up ever more frequently and looking to insert themselves within the transactional flow, it is imperative that a company as ubiquitous in the transaction space as Visa doubles-down on its security measures.

“While we encourage and work with those partners, there’s a responsible level of innovation that needs to come with it. We work on making sure that the model of security that we have continues to apply as new entrants start to come in,” notes Watson. “We will equip them with tools that not only help identify how best to interact with a transaction, but being able to give them certain platforms and tools that they may want to leverage themselves.”

One such tool is the Visa Advanced Authorisation and Visa Risk Manager (VAAVRM), which uses artificial intelligence to analyse the collated data on card users - such as transaction location data or average spending information - to form an unparalleled understanding of consumer spending patterns. This then helps banks identify as to whether a transaction is fraudulent or legitimate.

“VAAVRM allows us to gather a bunch of different data elements on a transaction - it could be where the merchant is located specifically, what time of day it is, what device you are using to make that transaction - all of which we vet, and then use as a scoring mechanism,” says Watson. “Depending on the score, we can then tell the bank, ‘here is what our tool is saying, the risk of that transaction being fraudulent’, and then the bank coupled with their information say ‘we know this person, they’ve done those transactions in the past, it’s a regular transaction such as school fees, and we’re happy to allow that transaction to go through’. Now whether a Fintech is in the middle of that transaction - that’s maybe providing the interface for you to do it - is irrelevant.”

With the amount of data being gathered by Visa increasing exponentially on a daily basis, Ramakrishnan meanwhile believes their system has now reached a point where it is capable of spotting threats that a human being may miss.

“This system that we’re talking about works in machine learning and artificial intelligence, so it is a self-learning tool, and the amount of data Visa collects just makes it more robust. The machine learning is now becoming deep learning, and is able to help the banks identify fraud, which might in most cases be missed by a human,” she notes. “That’s why VAAVRM is one of the most important tools we have for fraud prevention. It harnesses that data to come up with a unique score. That just simplifies the way a transaction is looked at by our clients. So that they can better serve the consumers.”

Tokenisation and two-factor authentication

Apart from VAAVRM, there are also several authentication systems in place to ensure that those executing transactions are who they say they are. Many of us in Sri Lanka would have come across the utilisation of Verified by Visa one-time passwords (OTPs) sent to our phones, which are used as two-factor authentication for purchases.

Meanwhile the use of tokenisation - a process by which sensitive data is replaced with unique identification symbols, which retain all the essential information about the data without compromising its security - and dynamic chips in bank cards, ensure that even if cyber criminals gain access to the data, it would be rendered useless.

“What we do is, we look at different pieces of data and where they exist in a network, or they exist with our partners, and devalue the data to the extent where even if they were able to get into a particular point and access that information, they can’t do anything with it,” explains Watson. “The chip meanwhile creates a dynamic value to what data you can get. If I was able to get your card information, but at the point that I got your card information it was a particular number, the next time you do a transaction, that number changes. Then the previous number I managed to get off you becomes irrelevant.”

Adds Ramakrishnan: “It is useless data to them. When it is useless, the desire to get that data goes away. Chip transactions also cannot be replicated, that is one of the biggest areas of concern across the globe, that card data could get replicated. But after the introduction and the adoption of chip technology, the data now means nothing even in a criminal’s hand.”

Balancing act

That said, big data is not all about security prevention - it’s also about innovation. For Watson, this is a fine balancing act, especially when it comes to the accommodating third-party Fintech companies that may not always have security as a primary priority. “I think that there is a really clear balance from whatever security we bring in - platform, sophisticated tools, and using the information - it doesn’t stop, slow down, or stifle any of the information we all want to see go through in Sri Lanka.  So while the information is there and it’s being developed, and it’s going to help deal with new consumers’ experiences, it’s got to be a responsible level of innovation. Coupled with the security elements, but not to the point that we stop or we stifle.”

But in the end, as with anything, all of these measures can be for nought if consumers aren’t vigilant when it comes to their online purchases. “It’s also about how we educate our consumers, so that they become more familiar with what may look like a purchase they could be making with a legitimate merchant, but it isn’t. It’s imperative that we are able to educate people on what that transaction flow needs to look like, and maintain that level of consumer confidence and trust.”

The 2018 Cyber Security Summit takes begins at 9 a.m. today at Cinnamon Grand.

Pix by Indraratne Balasuriya