The Fraud Blog with Tracy Kitten

Fraud-Fighting Insights from Visa

Why Devaluing Card Data, Using Data Analytics Are Key Steps

Ellen Richey, Visa's chief legal officer and enterprise risk officer, offered two important messages in her keynote presentation at Information Security Media Group's Fraud Summit San Francisco. First, it's time to use technology to devalue card data to something that cannot be used to perpetrate fraud. And second, it's time to make greater use of data analytics to detect suspicious activity.


As recent breaches, including the Target Corp. incident, have shown, fraudsters are no longer just going after data that is stored at the POS. Today, attackers are actually focusing on exfiltrating data as it's being processed, in transit, Richey said.

Visa is pushing a three-part plan for devaluing card data so it's of little use to fraudsters. That includes a migration away from magnetic-stripe cards to chip cards; tokenization of card data; and end-to-end encryption - which means card data will never be processed or transmitted in the clear.

But taking these three steps won't be easy, Richey acknowledged.

While chip technology that conforms to the Europay, MasterCard, Visa standard is readily available, U.S. banking institutions and merchants will need to devote plenty of time, planning and money to complete their EMV migrations, she said.

And, while tokenization is a necessity to ensure card data is sufficiently devalued, it, too, will require an investment in software and hardware upgrades.

End-to-end encryption poses its own challenges as well, Richey noted. Anything that's encrypted has to be decrypted, and that means the keys used to decrypt that data have to be protected - which is not a simple task (see Why Is End-to-End Encryption So Daunting?).

Data Analytics

Even if they adopt all of those technologies to help devalue card data, banking institutions and retailers, as well as processors, "still need data analytics," Richey explained. Data analytics enables monitoring of transactional patterns to detect suspicious activity and pinpoint points of compromise.

"Containing breaches faster is a necessity, and an aspect of that ties back to big data," she said. "Larger financial institutions are using this technology, but smaller institutions will need to rely on partners and networks, such as Visa, for many of the analytical tools they don't have the resources to manage in-house."

No one can deny that analytics is going to play an increasing role in fraud prevention. Many of the retail breaches we've seen over the last two years were detected by good analytics, often on the card-issuing side.

But major retailers also must play a role in monitoring transactions via analytics. And by sharing their discoveries, retailers and banking institutions can more quickly identify breaches, and help prevent fraud.



About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



