How Visa's risk chief defends it against 71,000 cyber attacks a day

For the past 15 years, Visa has managed the millions of fraud and cybersecurity attacks it faces each month with a trick known as devaluing data — making sure that any payment information a hacker or fraudster gets from a bank, merchant or consumer has as little value to the thief as possible.

One of the most important ways Visa devalues data is by implementing EMV chip transaction processes. This payments flow encrypts and tokenizes data, making it unreadable and obfuscated to would-be hackers, and renders much of the information on the card unusable for cloning purposes.

Paul Fabara, Visa's chief risk officer since 2019, says data devaluing is one of the five principal strategies the company uses to manage its fraud and cybersecurity risk. The strategy has become a payments security standard advocated by the industry and regulators.

Before Visa, Fabara was the chief risk officer and then president of the global services group at American Express. His 30-year career so far has focused mainly on operations, and risk has never been too far from what he has worked on at any given point.

In a recent interview, Fabara broke down how Visa assesses and manages cybersecurity and fraud risks — the data sources it feeds its models, and the strategies it follows to manage those risks.

How do you quantify cybersecurity risks?

We do a thorough assessment whenever we have a prospect in front of us of what type of business that company is engaged in. You might have a different perspective if that company is dealing strictly on personally identifiable information versus data that is not so transactional data or that crooks might not be able to take advantage of. From there, we have a few principles that, irrespective of revenue pools or reach of the product, we make sure to address.

What are those five things?

One of them is logical access controls, and second is to make sure we devalue all the company's data, whether that's personally identifiable information or otherwise. What I mean by devalue is making sure it is kept in separate and different data stacks with keys that are not readily available. [The idea is to make it not worth hackers' time trying to get any particular store of data because it's not so valuable as to be worth the time and effort it takes to get it.]

The third item is you want to make sure that any of the points of entry, whether that's on the internet or through any other services you provide, are fully galvanized.

The fourth is that we want to make sure that we have the ability to patch quickly. We take patching to heart, and we patch a lot and very quickly.

The last one is compliance. We operate in over 220 countries, and there are different laws that apply to and govern cybersecurity in each of those.

I'm sure most of the data you use for quantifying cybersecurity risk comes from internal or partner sources, which would be about the actual data you're protecting. To what extent do you use external sources, such as reports about ransomware payments like what the Financial Crimes Enforcement Network has released?

The way we approach cybersecurity is that all data points and data intakes are welcome. Some of them, of course, are much more credible than others. As you can imagine, we get a lot of false positives given what we do. We deal with thousands of law enforcement agencies around the world.

There's no such thing as a bad source of data when it comes to this type of stuff. It's just how you catalog the data and how you use it. Ultimately, it's about intakes — because a lot of this data is helpful for 24 hours, then it loses its value.

Is there an external source that is like a gold standard — a wellspring of information that is particularly useful to you?

Homeland Security has been very helpful with us in terms of helping us catch a few crooks, but I can't say anything beyond that.

Tell me about your investments over the past five years in fraud prevention and network security.

I'll break it down by people, technology and policy.

First is people. Today, we have five fusion centers, which are constantly monitoring all of the volumes coming across our network. On an average day, we have about 71,000 attacks — 45 million in a month, but that comes from reviewing around 12 billion potential alerts of suspicious activity a day. Not all alerts are created equal. Some of them are just blips; some of them are real threats that we have to investigate, so we put a lot into the tools that give our people the ability to be able to sift through those potential threats.

On technology, we have spent well over $400 million on AI alone over the last five years. A product we've been developing most recently is called ETD, which stands for e-commerce threat disruption, and it allows us to identify wherever malware has been dropped on one of our clients or potential merchants. It allows us to identify that quickly, which is becoming a great feature for our clients and customers around the world.

Lastly is procedures. We want to make sure that all of our procedures are consistent with the changes in the marketplace. The payments ecosystem is so fluid and robustly populated — payment facilitators, acquirers, merchants, tech partners, fintechs, neobanks, issuers, and so on. Putting it all together, it looks very much like the schematic of a transistor radio. So, we need to make sure that we have procedures that allow us to be able to do things the right way, and in a way that facilitates commerce without creating too much friction for both buyers and sellers.

How would you describe the lines of defense you have protecting you and your clients against cybersecurity threats?

There are three. The first line of defense is mainly the cybersecurity group, which is a quality control group. They check to make sure that patches have been done correctly, make sure we do what we need to on leavers and joiners, that our logical access control files are up to date, and so on.

The second line of defense is a group within risk; they check to make sure that we cover all our bases with respect to the five principles I just laid out for you. They make sure we are following each of the five principles to the extent of what we committed to the marketplace.

The third line of defense is our internal audit group, which is independent. For each of these lines of defense, there's a clear separation between church and state, which allows us to have three sets of eyes on the same thing.

What are the biggest threats that keep you up at night?

First is cybersecurity, by which I mean DDoS attacks and attacks that are designed to interrupt our ability to provide a good service to our clients and customers. We're a large part of the economies around the world when it comes to connecting buyers and sellers safely, and so cybersecurity is always front and center for me.

The other is what I consider to be the weakest link in this chain, which in most cases is the consumer. There are consumers that are not fully prepared to interact in a fully digital environment, and as you can imagine, crooks take advantage of that through phishing attacks and social engineering. There's been an influx in synthetic IDs appearing in the marketplace, a lot of it coming from stealing personally identifying information that is readily available on the internet and other sources.

I would urge consumers to be very careful as they engage folks on different digital commerce platforms and to make sure that they have the appropriate protection. We provide quite a bit of training on that through our website, and financial institutions around the world do a great job educating their consumers, but the pandemic forced so many customers that otherwise would have transacted in brick and mortar stores to transact in digital form, and many of them weren't prepared for that. It took a little while for them to get there, and unfortunately, some of them had to suffer because they were victims of fraud.
