The rising controversy over China’s alleged cyber espionage against U.S. companies has dominated the recent discussion over network security. While politically motivated intrusions are doubtless a threat to many corporations around the world, those concerns may be obscuring a much bigger and more immediate threat to many businesses and their customers—and that is the mounting sophistication of criminal gangs that operate online.
“We are confronting a criminal population that continues to improve its sophistication and its attack vectors, so we can’t stand still,” says Ellen Richey, chief enterprise risk officer at Visa Inc. “You see the criminal capability evolving on the technology side,” she said. “They are getting into the systems of [Visa] stakeholders and other companies that process payments, and they are able to encrypt their own movements on networks, sometimes for months, and exfiltrate the data.”
No company—and certainly not Visa, the credit and debit card processing giant—can afford to “stand still,” Richey says. The company risks losing trust, and standing, with its customers – something it cannot afford to let happen in an increasingly competitive payments market. To confront the risk, Visa introduced a new analytic engine in August 2011, which she says has changed the way the company combats fraud. The analytic platform harnesses the power of Big Data—a term that refers to larger and more varied set of data, powerful algorithms, and underlying hardware and software that runs calculations faster and more cheaply than traditional databases or analytic engines. The company estimates that the model has identified $2 billion in potential annual incremental fraud opportunities, and given it the chance to address those vulnerabilities before that money was lost.
Visa’s fraud detection efforts moved into the digital world 20 years ago, when the authorization system went online. Fraud has declined by two thirds, during that period of time. In 2005, it added advanced authorization techniques, in which a customer may be asked to provide more than a simple password. However, 6 cents out of every $100 in transactions are believed to be fraudulent.
Earlier analytic models studied as little as 2% of transaction data. Now the company said it endeavors to analyze all of its data. In the past, the company based its security assumptions on average fraud rates for merchant categories, like grocery stores. Now it said it can analyze the actual market, right down to individual merchant terminals. That allows it to drill down on hundreds of attributes, such as average authorization volumes, average ticket sizes and frequency of purchases that turn out to be fraudulent, the company said.
Visa said it can identify high-risk purchases such as big screen TVs and prepaid cards, that can easily be converted to cash. It determined, for example, that in certain merchant categories, for transactions of $200 or more, prepaid cards were included in 85% of cases that turned out to be fraudulent. The company is also on alert for other warning signs such as orders in which the billing and shipping address are different.
Visa said that while this information is connected to a specific card number, “it’s not personally identifiable in the Visa system.”
Visa said that the larger data set helps it identify fraud more quickly. While one transaction at a merchant might not look suspicious, a data set that includes hundreds or thousands of transactions makes it easier to spot a problem, such as a tampered PIN pad.
The new analytic engine can study as many as 500 aspects of a transaction at once. That’s a sharp improvement from 2005, when the company’s previous analytic engine could study only 40 aspects at once. And instead of using just one analytic model, as it did in 2005, Visa now operates 16 models, covering different segments of its market, such as geographic regions.
The models can be updated much more quickly, too. An attribute can be added to a model in as little as an hour. Back in 2005, it would take two or three days to make that happen.
To accommodate larger data sets, Visa has updated its database technology. In 2010, it began using Hadoop, a software framework that is based on open-source technology from Google Inc. It is designed to quickly process huge amounts of information from disparate sets, and to work with clusters of lower-cost machines, instead of expensive servers.
“From the strategic point of view, we are achieving an amazing improvement, year over year, in our ability to detect fraud,” says Richey. “It’s not just our ability to analyze our transactions, but our ability to add new kinds of data, such as geo-location, to that analysis. With every new type of data, we increase the accuracy of our models. And from a strategic point of view we can think about taking and additional step change of fraud out of our system.”
In the future, Big Data will play a bigger role in authenticating users, reducing the need for the system to ask users for multiple proofs of their identify, according to Richey, and 90% or more of transactions will be processed without asking customers those extra questions, because algorithms that analyze their behavior and the context of the transaction will dispel doubts. “Data and authentication will come together,” Richey said.
The data-driven improvement in security accomplishes two strategic goals at once, according to Richey. It improves security itself, and it increases trust in the brand, which is critical for the growth and well-being of the business, because consumers won’t put up with a lot of credit-card fraud. “To my mind, that is the importance of the security improvements we are seeing,” she said. “Our investments in data and analysis are baseline to our ability to thrive and grow as a company.”
CORRECTION: This story has been updated to say that Big Data makes it easier to spot tampered PIN pads. An earlier version referred only to PINs, or personal identification numbers. The story also clarifies the role of prepaid cards in certain kinds of fraud. The cards were purchased fraudulently, not used to make fraudulent transactions.
Follow @steve_rosenbushRead More About: