The FINANCIAL — With less than one cent per every USD 100, Georgia has one of the lowest fraud levels on Visa. According to Visa globally more than 50% of fraud transactions nowadays are from e-commerce. In line with the fast development of IT, the level of security required is becoming more difficult and expensive. Currently, criminals have moved from “card present” to “card not-present” transactions, along with having moved from individual to organized crime syndicates. Meanwhile, Visa Inc. is targeting a payment system which will never raise concerns about the use of cards among its holders.
“We calculate the rate of fraud per each USD 100 spent. Currently it is around 5 cents per USD 100 processed through VisaNet. That is a global number. In the Caucasus region the fraud rate is much lower, especially in Georgia. In Georgia it is between1 and 2 cents per USD 100 transacted on Visa cards and processed through VisaNet,” Ingo Noka, Regional Risk Officer, CEMEA (Central Europe, Middle East and Africa), told The FINANCIAL.
“Different countries have different risk appetite. Obviously, the risk is higher in that country in which the transaction volume is higher. Another reason is that compared to many other countries in this region Georgia is better positioned in terms of chip issuance – more cards are chip, more terminals accept chip cards. The cards here are a lot more secure than in other countries. The third reason is that there are just not as many internet transactions. However internet transactions take a direction of upward trend. So, the opportunities available to criminals are lower in number,” said Noka.
In Noka’s words, security, or more broadly, risk management, safety, and efficiency, is one of the main objectives that Visa has. “Everything we do in the area of risk management is absolutely necessary and crucial. It is the one thing that you absolutely have to have if you want to be a global payment system and security is something all stakeholders should be investing in. I do not think it would ever be a good reason for anyone to say: it is too costly to have that much of that. We have never approached risk management from that angle,” he said.
Q. What was the main reason of your visit to Georgia?
A. The main reason was to meet with law enforcement agencies, central banks and main clients from Georgia, Armenia and Azerbaijan. That was the first time we hosted Law Enforcement workshop for three Caucasus countries together, and I think it was really successful. There are a lot of issues which really make sense to cooperate on. We talked about security strategy, what new threats we are seeing and how we can be trained better to approach those new threats– how we make sure that law enforcement agencies and banks in this region are prepared for the new type of technologies that are coming: mobile phone payments, chip payments, e-commerce. This is a lot more technical and law enforcement agencies need to build the capacity to actually deal with these things.
Q. What are the global fraud trends?
A. For Visa as a company it is very bad when people have concerns about using their cards. Trust in our products and trust in payments generally is very important for us. It is also a kind of social responsibility. Currently fraud is being committed by criminals that are part of very well-organized groups. These are not people who are inspired to commit a crime because of a lack of money to buy food for their children, for example. They use this as a funding source for more criminal activities. So, we feel strongly responsible to make sure that it does not happen. In large complex systems, like ours, we cannot prevent all fraud. For many years we have invested heavily in this area and we have very good expertise. We have risk managers for each country who are managing this issue. We invested fairly heavily in our own systems as well. VisaNet is a core system for that. There are a number of systems that we have developed within VisaNet. If there are some transactions that do not get processed through VisaNet, like interbank transactions, then we face problems. We can only detect fraud and protect transactions if they are processed via VisaNet. The third area in which we are eager to invest a lot is making new products secure from the very start. If you have a mobile phone payment system, you cannot just sit and see how it goes and later on add some security. That cannot work, especially now. With the new technologies that are out there, security needs to be built into new products right from the very start. That is actually very difficult to do. For example, in the case of mobile phones, many companies need to work together to make a mobile phone transaction work securely. You have to make sure that the card number registered in the phone, even if it is stolen, cannot be used for internet transactions and so on. We call this tokenization. Accordingly, securing new technologies is really expensive to fulfil. Security is becoming more and more difficult and expensive. Devices on mobile phones are far more complex than just plastic cards. Keeping up with these new technologies, from the security stand point, is not easy to do. However, Visa is quite good at that. So, to maintain security we invest in people, our own systems and the development of new technologies.
Q. So, can it not be said that criminals dictate which security measures you implement?
A. Criminals are creative as well. I wouldn’t say that we always foresee everything. However, we are not simply waiting around until someone breaks our systems. We do things proactively. We invest heavily in protecting these systems right from the start. We do not let criminals dictate how to secure our systems. All the banks and their clients connected to Visa get this same security.
Q. You have been involved in Visa Inc. for more than a decade. How have the methods of criminals been changing in line with contemporary technological development?
A. Things have been developing in several directions. Criminals are shifting from “card present” to “card-not-present” fraud. More than 50% of all fraud transactions are happening now in e-commerce. It used to be that we would deal with individual criminals who would steal cards from someone and later use them. That has changed completely. Criminals are now operating in well-organized groups. Those groups used to be operating in some countries. It was a national, domestic thing. Today it is international, well-organized groups that have a very well-structured division of labour. There are some people to break into database services. Another group to sell the data on the internet. And another group to organize people all over the world, and tell them to withdraw money from ATMs. The move from card present to card-not-present and the move from individual to international organized crime syndicates have been the main changes recently. The targets are different. From individual card theft currently criminals are targeting banking systems, the processes and switches. We spent a lot of time and resources to make sure that all these service providers that surround our banks and provide services like switching and card manufacturing are secure. Whenever we see a particular threat we also try to warn potential sufferers. However, we have so many defences around VisaNet, that all of our customers are strongly protected.
Q. How much support do you have from local regulators to support your business?
A. Regulators are becoming more involved in payments. Electronic payments are a bigger part of overall payments. In the past central banks were responsible for printed notes but today they need to pay more attention to electronic payments. What we want to do is to make sure that we meet the requirements of individual countries. At the same time we want to share the best practices of other countries. In Georgia the National Bank of Georgia is a very supportive and knowledgeable regulator. They support the payment industry in all the right places: new technologies, security, and cooperation, helping us to build cooperation between Caucasus countries for example. There are countries where I have problems with that but Georgia is not one of them. The problem I face in some countries is that well-intentioned regulation sometimes makes my job harder; for example some regulators may want to move processing into domestic companies. Whatever the reason, sometimes commercial, sometimes they don’t want data to go out of the country, the question is if you can really develop electronic payments with all new technologies if you do it on a small scale with a domestic scope only. Of course, in some areas you can, but in many areas you cannot. For example how long it would take you to build a completely new way to pay with international companies such as the big phone manufacturers, if that new product only works in one country, but it will not work in another one.
Q. You recently issued payment stickers on the Georgian market. There is a fear that they increase the threat of fraud. Is there a higher risk in terms of privacy?
A. We should be talking about technology, and it is the same Visa payWave for chip cards or stickers. There is so much security built into payWave transactions, compared to the old-styled magnetic cards or even compared to many internet transactions. You cannot counterfeit the payWave chip. Some concerns maybe about privacy, like somebody might walk by with their iPad and read all the data. However, it doesn’t really work like that. First of all you have to be very close to the sticker or phone or card. If one were to try to read another person’s data otherwise, they would need to apply so much energy that if one had a pacemaker it might stop working.
Q. Some Georgian commercial banks are actively promoting plastic card insurance with their cardholders. Do you recommend this service for added safety?
A. Plastic card insurance is not what Visa delivers. It is the individual offer of commercial banks. The Bank has to decide what they want to offer to their cardholders and how they treat their cardholders. However, Visa does not get involved in this.
Q. You hold degrees in Criminology and IT. Can we conclude that risk management in payment systems is based on knowledge of these two fields?
A. Absolutely, I’m very lucky that I had that. As I said before it is not enough anymore to simply understand some basics about ATM skimmers or counterfeit cards. Those are the old terms. Today you have to understand how mobile phones work. Tokenization is a technical subject, even with a contactless chip you have to understand why it cannot be counterfeited, etc. It is a computer science subject. Meanwhile, all of the people who are well aware of database systems and break into them are criminals. So, we have to deal with that from the good old style of police workers. In my line of work I need to understand how these people act. The combination of police worker with a good understanding of technology is what risk management in payment systems requires today. Law enforcement agencies, regulators and also risk management people at banks need to work together. And you can’t stop and think “now I understand how card payment fraud works” you really have to improve capacity all the time. And that was actually was one of the things we discussed at Visa Law Enforcement Workshop in Tbilisi.
Q. What is your main security advice for your cardholders?
A. In some countries we have educational campaigns and simply teach consumers things that they should and should not do. These are simple rules: keep your cards safe, keep your information secret, contact your bank immediately if your card is lost or stolen, check your sales slips etc. We believe that customers need to be made aware of these issues. We all understand the importance of financial literacy training, in some sense safety literacy training is also needed. So, we provide materials to banks. Many of them have tips on their websites. In some countries such as in India and Egypt we also created consumer facing campaigns in the mass and social media. Another way to involve our cardholders is by sending transaction notifications so they can keep track of what is going on with their payment instruments. Many customers actually really appreciate this -to get involved. The third thing is that we are trying to build products with one thing in mind -that the cardholders and merchants should be able to use them without thinking too much about safety and security. The objective is that cards should be so secure that their holders do not need to worry about it. What we are aiming for is to let our customers transact without the need to think about their safety and security. The best situation is when people feel so confident, have so much trust in electronic payments that they just take a phone or a card and just use it for payments. And in many countries it’s actually the case.
Q. How are the merchants involved in security environment?
A. Most of the technologies that we put in place always have two components: the issuance and acquirer components. When it comes to merchants, their role is to provide the second component – chip terminal, Visa payWave terminal. As in case with cardholders we don’t really want merchants to become security experts. If a merchant installs a terminal, that terminal actually has been tested for security and approved by Visa. In that regard a merchant is very well protected. However, we also expect merchants to protect the data of cardholders. The first principle of course is that merchants should not collect any data. And we work with our acquiring banks so they can teach merchants how to protect data. We have standards in data protection created by the Payment Card Industry (PCI) Security Council for issuers, acquirers and merchants. But again the objective is to make it so that even if the data stolen it can’t be used to conduct fraud. When it comes to e-commerce, we expect merchants to implement Verified by Visa. On the issuing side a cardholder needs to get one-time password via SMS or using a small device to generate a password, a merchant on the other hand needs to implement some functionality on their website so that the first thing a cardholder sees on the screen when he pressed “pay” is the request for this one-time password. Even if a merchant knows nothing about card issuer in some other country, a merchant can authenticate the customer and be sure that this is actually the cardholder who is making transaction. And this happens via VisaNet and works globally.
Discussion about this post