VISA – Fighting the escalation of digital payment fraud
With the fraud battle moved online, how to stay ahead in a war worth billions
Visa helped set the path for the payments industry by introducing a shift to EMV chip cards in 2011, which since has spurred a 75% drop in US card counterfeit fraud [1]. However, success in reducing card fraud has moved the battleground into the digital space, as U.S. digital transaction (“card not present” or “CNP”) losses grew 11% annually from 2015 to 2018, reaching $4.4 billion [2]. Visa, a global payments technology company enabling fast and reliable electronic payments across a global network of merchants, financial institutions, and consumers, sits at the heart of this security battle and will remain a key participant in resolving widespread concerns around fraud, identity theft, and digital privacy. The continued development of machine learning capabilities may serve as a vital tool for Visa in better securing transaction networks.
Amid the mass of data points and contextual attributes (device identification, user behavior analysis, timestamps, payment histories) used to determine the likelihood of fraudulent activity, legacy systems have relied on systemized rules to flag anomalies. To match increasingly complex attacks, these rules-based systems have grown into a layered confusion of tools and signals, no longer flexible enough to effectively manage the risk vectors. This ultimately has a detrimental impact on the customer experience of legitimate users caused by high numbers of false positives and negatively impacting revenue [3]. Networks like Visa must build adaptive machine learning algorithms to deliver complex risk decisions quickly, securely, and seamlessly.
Visa has invested significantly in fraud prevention and analytics solutions in recent years to combat the escalating problem, including acquisitions of fraud and authentication platforms CyberSource (2010) and CardinalCommerce (2017) that together provide Visa, merchants, and issuers with a more complete end-to-end view of the transaction origin and authentication path [4]. In the near term, the Company is continuing to integrate machine learning algorithms to improve accuracy, using a mix of ensemble models, supervised, and unsupervised methodologies. Given threat actors may also be increasingly utilizing machine learning as a tool to disguise their activities, Visa recognizes the value in its massive data sets as essential elements in properly training fraud detection algorithms [5]. The Company will continue to integrate existing services such as Mobile Location Confirmation, a geolocation tool identifying if an account holder’s mobile phone is near a purchase location, to enhance the analysis [6].
In the longer term, biometric signals may become a viable tool for Visa to further trim the potential risk, though introduction of biometrics presents a magnitude larger data complexity issue. Deep learning may provide a way to explore complex features within even larger data sets so that the model can learn better to predict frauds [7].
As Visa approaches integrating machine learning into its fraud prevention strategy, the Company might be best suited to enhance its solutions through acquisition or partnership. There are a number of smaller players in the fraud prevention space – representative vendors include Feedzai, Signifyd, and Sift Science – that could benefit from Visa’s scale of available data and that Visa could incorporate to speed up its technology development. Acquisitions by other competitive payment networks MasterCard (NuData, Brighterion) and American Express (Accertify) signal the market-wide impetus to seize the machine learning opportunity [8].
One area Visa should consider in development of these systems is their auditability. Any system relying so extensively on behavioral, tracking, and biometric data to create consumer identities may need to provide mechanisms for auditing its decision criteria and demonstrate the basis for decisions is lawful and ethical. Prioritizing a clear understanding of the premises for machine learning-enabled decisions will be important in establishing trust.
Open Questions:
Blockchain technologies may become a more significant part of a secure transaction network. How might Visa’s established network need to adjust for such an environment? What might these technologies do better than a data-centric machine learning approach to risk mitigation?
(Word Count: 782)
References:
[1] Pegoraro, Rob. “Why those chips in your credit cards don’t stop fraud online”. Yahoo Finance. November 5, 2018. https://finance.yahoo.com/news/chips-credit-cards-dont-stop-fraud-online-200041701.html. Accessed November 2018.
[2] Pegoraro, Yahoo Finance.
[3] Care, Jonathan and Phillips, Tricia. “Market Guide for Online Fraud Detection.” January 31, 2018. Gartner, Inc., accessed November 2018.
[4] Visa Inc., September 30, 2017 Form 10-K (filed November 10, 2017), via Visa company investor relations, accessed November 2018.
[5] “Machine Learning in the Payments Industry.” Visa Research. May 24, 2018. https://usa.visa.com/dam/VCOM/global/support-legal/documents/webinar-machine-learning.pdf. Accessed November 2018.
[6] Visa Inc., 2017 Form 10-K.
[7] Jaseena, K. U. and Binsu C. Kovoor. “A Survey on Deep Learning Techniques for Big Data in Biometrics.” International Journal of Advanced Research in Computer Science 9, no. 1, January 2018. Accessed November 2018.
[8] Care and Phillips, “Market Guide for Online Fraud Detection.”
While reading your commentary on Visa’s future applications for machine learning, I kept thinking about user security. Metrics such as mobile phone location and especially biomarkers of users, made me question how much privacy I would be willing to give up in order to increase my credit card security. This may be a difficult balance for Visa. I also agree with your hesitancy that a machine learning model may eventually be used as a tool or guideline to commit undetectable fraud. With both of these in mind, Visa will have to be careful with how it approaches this problem and should have its own security measures in place to ensure that this is successful.