Somers: From a security and anti-fraud perspective, what are your views on the potential of biometrics?
Noka: Let’s be clear: using biometric data is controversial. Traditionally, for example, fingerprints have been associated with law enforcement. Critics of using biometric ID for payments fear that fingerprints (and other biometric data) could be made available to government agencies or law enforcement officials.
Regardless of the controversy, however, in the final analysis, a biometric payment system – like any system that accesses sensitive information – is only as secure as the associated systems, databases and acceptance devices. Companies that have tried to commercialise the technology – Pay By Touch, for example – said that they didn’t actually hold a record of individual fingerprints, rather identification numbers that represented the characteristics of the fingerprint.
This sensitive data is, quite clearly, vulnerable to attack. This is why we advocate compliance with the PCI DSS – which stipulates that sensitive data should not be stored – and why we’re backing the transition from static data to dynamic data, rendering its unauthorised use impossible.
Somers: What are some of the security issues with mobile and contactless payments, particularly with respect to the growing trend away from PINs and signatures for capped transactions?
Noka: They’re the same security issues that we face with any type of payment – for example your card or phone could just as easily be lost or stolen as your wallet. The difference is that in today’s internet-enabled, social-media-savvy, 24-7 society – you’re going to notice your phone’s missing long before you notice your wallet’s gone, which means you can put a stop on it that much faster.
Low-value transactions that don’t require PIN entry, or a signature, offer a balance between convenience, transaction cost and risk. Not requiring a PIN or signature also lowers the risk of some criminal activities like shoulder-surfing or capturing the PIN entry on camera. Cardholders still need to be vigilant, however, monitoring their statements and registering for a service like Visa Alerts, which allows them to keep track of purchases in near-real time.
Somers: Some industry observers cite a resistance between telcos and card issuers to integrate their mobile phones and payments offerings as the main stumbling block preventing the rollout of next generation contactless payments. What are your views on this?
Noka: I don’t believe it’s the case. We recently announced, with DeviceFidelity and Apple, a cover for the iPhone which contains a chip enabling the phone for contactless payments. This is a significant beginning, and follows on from trials of mobile payments in locations as diverse as Kuwait and Russia.
We’re a 24-7 internet society, in which we’re reliant on our handheld devices to keep us in touch – and mobile payments are a logical next step. The hurdle we have to overcome is not any sort of friction between telcos and card issuers – it’s more about a lack of suitable handsets on the market. This is the issue that DeviceFidelity, Apple and Visa are addressing.
Somers: What are your IT priorities for the next 12-18 months?
Noka: As I am responsible for fraud risk control and security of the external Visa card payment infrastructure, my priorities relate to moving the infrastructure to a more secure technology base that uses dynamic authentication to prevent fraud.
With dynamic authentication, criminals that steal data will not be able to misuse stolen data for fraudulent transactions, because the payment card data that is necessary to conduct a transaction changes from one transaction to the next. To be more specific – Visa is promoting smart card technology for transactions in which the card and cardholder are present and dynamic authentication for e-commerce transactions where the card and cardholder are not present. To give issuers the flexibility to use the authentication technology of their choice without impacting all e-commerce merchants, Visa built the 3D-Secure infrastructure, which serves as the delivery mechanism for any type of authentication data the issuer chooses.
Somers: Person-to-Person (P2P) payments have been cited as one of the “next big things” in payments (for example, there is an iPhone app that allows you to transfer money by bumping one phone against another). Do you agree/disagree; and why?
Noka: Mobile payments will play a big part in the future of electronic payments. There is already technology allowing mobile device owners to accept card payments. Person-to-person payments move the game on further.
For example, in Kazakhstan, Visa launched a cross-border mobile money transfer service with the capability to transfer four different currencies (Kazakhstan Tenge, Russian Ruble, US Dollar and the Euro). This service, a world first, built on the success of an existing money transfer service that – according to client bank data for the first 18 months of the service – was used by 230,000 people, with over 600,000 transfers and a total volume of over 14.7 billion KZT (approximately US$123 million).
Somers: Visa champions a multi-layered fraud management strategy: Protect, Prevent, Respond. Can you elaborate; and what new fraud tactics should consumers be aware of?
Noka: We’ve tried to make our strategy self-explanatory – we aim to prevent (or minimise) fraud in the payment system; protect vulnerable account data; and respond to fraud events and data compromises by working closely with banks and law enforcement agencies. For us, it’s all about building and maintaining trust in the security of the payments system – in this way we’ll promote and expedite the shift away from cash and cheque to electronic payment.
The tipping point is when consumers become willing and able to pay for everyday goods and services with their cards. For this to happen they have to feel secure when making payments, and the merchants have to feel secure in accepting those payments. Payment system risk management oils the wheels of acceptance and usage.
Somers: Virtual payments (i.e. the purchasing of virtual goods on sites like Facebook) are gaining traction in the market. How do you see this trend evolving; and what are the main concerns?
Noka: Virtual payments and virtual currencies are not new – Second Life’s Linden dollar currency was one of the first – and in the case of the Facebook move towards Facebook credits, founder Mark Zuckerberg is saying that they are doing it to make life easier for the developers selling products through the site, not because they see it as a way of monetising Facebook itself.
Virtual payments and virtual currencies are particularly specialised and, mostly, do not extend beyond the environment within which they’re being used (Facebook, Second Life, World of Warcraft). In any case, to have value, virtual currencies, whether Linden dollars or WoW gold units, must be exchangeable with real currencies, and thus virtual payments must have a base in real online payments – subject to the same levels of security scrutiny as all online payments.
Somers: Would you agree that there still remains some hesitation from consumers and merchants to use contactless transactions; and how can the industry help drive the adoption of mobile and contactless payments?
Noka: Not really. These are still quite new technologies and it’ll take time for people to become accustomed to them – mobile payments especially, as people will have to either get new mobile devices, or obtain a new SIM card or plug-in for their existing phones. As the technology becomes more commonplace, it will become more accepted.
You can draw a parallel with card payments in general – as we build trust in the electronic payment system, so card acceptance becomes more widespread, and card usage grows. Globally speaking, card payments only account for 33 per cent of PCE (personal consumption expenditure*) and while we’re seeing a shift away from cash and cheque to card payments, there’s still work to be done. We find that the ‘tipping point’ in any market is where consumers become both willing and able to use their cards for everyday purchases – gas, groceries and gear.
It’ll be the same for mobile and contactless – when people become both willing and able to wave their phones or cards in front of a reader to validate low-value transactions, that’s when it will generate its own momentum. And the driver is the same – trust in the security of the system.
(*Personal Consumption Expenditures (PCE) from Global Insight. PCE penetration figures based on The Nilson Report (October 2007) and its underlying methodology, Euromonitor International and analysis by Visa Insights.)
Somers: What are the top three technology trends in Asia Pacific, or abroad, that you’re keeping an eye on right now?
Noka: From the point of view of a Visa payment security professional, three important technological developments are the issuance of chip cards, the deployment of chip-enabled terminals at POS and the Verified by Visa tool, which adds a layer of security for ‘card not present’ transactions over the internet. It’s all to do with the shift from static data to dynamic data, making it more and more difficult for fraudsters and criminals to get their hands on data that they can use, and making transaction authentication more robust.
Somers: Every leader, particularly at your level, has a legacy they wish to be remembered for. What is yours?
Noka: Everything we do in Visa we do as a team. I would not consider any of the successes we have achieved as my legacy. If there is anything at all, I would like to be remembered by colleagues and partners in the industry as having a good portion of common sense, the persistence to see things through and the ability to change my point of view where necessary.