Improving Customer Authentication

Stephanie Ericksen
Head of Authentication Product Integration – Visa

Blake McDaniel: Hi, my name is Blake McDaniel with the Federal Reserve Bank of Atlanta and I'm here with Stephanie Ericksen, head of Authentication Product Integration with Visa.U.S. News and World Report recently published an article titled "How Credit Card Companies Spot Fraud before You Do," in which the focus was on how advances in technology and data processing assist networks and issuers with detecting and mitigating fraud. Would you speak a little about Visa's efforts in this area?

Stephanie Ericksen: Certainly. Security and fraud detection has always been a core part of what we do at Visa. For the last 50 years it's been a focus of ours. We work very closely with the broader industry, with law enforcement, with industry participants and stakeholders on improving best practices for managing fraud. But, specifically in our network, we look at every transaction in real time and provide a score on every transaction authorization back to the issuer, for the issuer to be able to take that information into account when making an authorization decision. And that information is based off of all the transactions that process through our network on a daily basis, whether it's the short-term account activity of individual accounts or long-term activity of multiple accounts and transaction environments, for us to be able to score that transaction based off of 500 different data elements, whether or not that transaction has a likelihood of being risky or fraudulent.

McDaniel: Seems like an extremely complicated process.

Ericksen: It's really sophisticated, yes. When I first started at Visa almost 20 years ago, it was about 6,000 transactions a second that we were processing, and now we can process up to 30,000 transactions per second.

McDaniel: Balancing risk and consumer convenience can be a difficult proposition, and I'm sure you'd agree that there is no one-size-fits-all approach to customer authentication, especially with the evolution of technology and consumer behavior. With that framework in mind, what would you say is Visa and its partners' risk-based approach to authentication?

Ericksen: Certainly. We do have a risk-based authentication approach, and what we mean by that is that we try to tailor the authentication methods to the likelihood of any risk or fraud of that transaction. So putting that into an example—let's say there's a card holder that typically uses their card for grocery store purchases in an in-store environment for 50 dollars or less, and then suddenly we see a transaction come through on that card holder's account which is an e-commerce transaction, or an online transaction, to buy a TV for 700 dollars. That's going to be outside of that card holder's spending pattern. So while at the grocery store, they may be able to do that 50 or less purchase without having to sign or authenticate themselves, for that TV purchase online in the e-commerce environment, that's outside their behavior pattern—we might mention to the issuer or put a code in the authorization message to the issuer that says, "This transaction has a higher score, or a higher likelihood, of potentially being fraudulent." The issuer might want to do some step-up authentication there, and then either send a text message to the card holder to verify that that's what they're doing in terms of it being a valid transaction, or any other type of additional authentication requirement that the issuer wants to support.

So that's what we mean by risk-based authentication. It's trying to score the likelihood of the transaction being fraudulent, and then tailor the authentication solutions that we're bringing to bear on that one transaction based off of that risk.

McDaniel: With the promotion of zero liability for Visa-branded payments cards, what is the best way to encourage consumers to accept additional responsibility for using enhanced security procedures on their cards, computers, and phones?

Ericksen: Visa has a very proactive approach to education for consumers. We do have a lot of information on a website on Visa.com called "Visa Security Sense," which has tips for consumers on how to secure their account and how to make themselves less susceptible to attacks such as phishing and fraudsters trying to get their data. And so we have certain points that we certainly make available to consumers, as well as sharing that information with the issuing community to also get out to card holders and provide that education.

But some of the key points that we like to make card holders aware of is to remember to regularly monitor their account statements to look for any transactions that they don't recognize that could be potentially fraudulent, as well as make sure they don't give out their account information to any unknown party. They need to make sure that they're really conscious of, "Is the party I'm interacting with a known party that I would like to have my account information?" And if anything seems suspicious, then they should try to contact that party directly to make sure it's not a phishing scam, for example. Also to keep their PINs and their passwords secure and not to have those be openly shared. And to make sure they sign the back of the card as soon as they receive it in the mail. And then there's other practices as well. There's monitoring accounts that may not be active, closing any inactive accounts, and checking their credit reports. So there's a lot of different steps consumers can take.

Ultimately, it's in the consumers' best interest to make sure they are monitoring their statements and taking an active stance in all of their financial practices. Certainly we don't want consumers to be inconvenienced with having to manage any fraudulent activity.

McDaniel: Thank you, Stephanie. It's been a pleasure speaking with you today.

Ericksen: Thanks, Blake. It was a pleasure for me as well.