It was 2007. The era of data breaches had begun, and Visa was not only a prime target, but it had to play the detective, too — sifting through fraud reports to figure out the origin and the scope of every breach.
The game was unwinnable. The only way to succeed was to change the rules.
"When I first came to Visa, I was told that if we built a 10-foot wall, the bad guys will build a 12-foot ladder and steal our wares, which was payment data," said Ellen Richey, who had just joined the card network as its first chief enterprise risk officer.
Two years ago, Richey became Visa's vice chairman and chief risk officer, propelled to this role by more than a decade of work that fundamentally changed how the average consumer makes a payment. Richey plans to retire this summer, ending a 40-year career in law and risk management.
In her time at Visa, Richey set out to erase the mindset that its network was a Fort Knox that needed to be protected with stronger walls. Most data security researchers were fascinated with building a firewall that criminals could not get over, Richey said.
Instead of simply defending Visa's data, Richey chose to devalue it. Her goal was to make sure that any payment card information — whether held by a bank or merchant, or written to an individual consumer's card — became worthless if it was ever stolen.
Visa was instrumental in the U.S. migration to chip-card payments. It was a key player in the launch of Apple Pay and similar mobile wallets, which use a process called tokenization to replace static card account numbers with a unique "token" that can't be used on its own to create a counterfeit card.
This was a major shift in Visa's approach to security. It reflected the expectation that no matter how tough the defenses, the criminals were going to get through.
"Every new attack getting through the perimeter gets countered," Richey said. "Protecting the data was still important, but we were moving toward the future … thinking ahead to what the next attack could be, and having the defense system ready. The name of the game now is resilience."
The dawn of data security
Richey has had an accomplished 40-year career in law, enterprise risk management and data security. But she had to create her biggest role, rather than fill the shoes of someone who came before her.
"It wasn't a case of standing up in a room as a little girl and telling my mom and dad that I wanted to be a payments professional," Richey said. "They would have thought I was a little peculiar."
In her early legal work, Richey worked in the San Francisco office of law firm Farella, Braun and Martel, where she first handled credit risk and securitization of credit portfolios for a client, Providian Financial, in the late 1980s.
Because credit card security was something only those in the IT departments thought about in those days, Richey was working more on pooling contractual debt and credit card debt to sell the related cash flows to third-party investors as securities.
Still, this experience helped her transition into the banking world, and ultimately gave her a unique perspective on how to handle the evolving risks facing card issuers.
"I went to work for Providian Financial, a card issuing bank, where I worked in the legal business with bank regulators and we started running pilots on something called 'supervision by risk,' " Richey said.
Richey began assembling her thoughts on what risk management really meant and what it should look like. Because she had a group of different departments reporting to her in the early 1990s, she floated the idea that "enterprise risk" should include all departments — credit, review, corporate relations, government relations, legal, compliance and audit preparation.
"That's how I got started with this," she said. "I thought they wouldn't like the idea, but they all did, even the legal department, and they actually made a brand for us."
Richey acknowledges that the concept of enterprise risk management was not born through that process. It had been in place in other businesses like pharmaceuticals and defense contractors. But she recognized an opportunity to bring this concept into the banking and payments industries.
"I borrowed from those industries and also the bank regulators who were starting to think of something like this as well," she said.
In advancing a concept that was clearly needed for payments security, Richey earned a reputation as someone who could thrive in stressful situations and react wisely to unexpected challenges.
"When working in the banking sector, our role in security was more what you would call the second line of defense," Richey said.
"We had moved from worrying about dumpster diving and stealing things from the post office, to an era of mass data breaches."
The Y2K bug — a global problem caused by systems designed to read years as two-digit numbers and thus unable to smoothly transition from 1999 to 2000 — fundamentally changed the thinking of many corporations. It was a major event that caused corporations to view their technology as something that needed to be handled with long-term challenges in mind.
And one of those key long-term challenges was data security.
"It wasn't until I came to Visa that it was a much more direct opportunity to be part of the security sector," Richey said. "We are a processing company, and the fraud challenge we faced as an industry has turned into the cybersecurity challenge in the early 2000s. We had moved from worrying about dumpster diving and stealing things from the post office, to an era of mass data breaches."
The scope of Richey's job increased dramatically, as payment data security became a major concern for all processors, issuers, acquirers and merchants.
"It became a huge issue, and I became engaged in what kind of processes it would take and what tools could be applied in cybersecurity," she said. "We called it predictive analysis at that time, and that has now morphed into machine learning and artificial intelligence and very complex technology."
'Quite remarkable'
Richey's skill-sets are not lost on her peers, especially those who are part of a growing number of women holding key positions. Her ability to turn setbacks into motivation has inspired her colleagues.
"Ellen is an executive I admire the most, because I have gotten to know and learn from her over the past few years," said Taira Hall, vice president of U.S. partnerships and new initiatives for Visa Business Solutions. "She openly shares her own experiences, including those periods in which she faced substantial challenges and great uncertainty."
Richey remained steadfast and focused no matter what type of challenge was in front of her, with a knack for "reducing the external noise and pursuing a multi-pronged plan that instilled confidence in her team and her team's ability to deliver," Hall said.
"With 13 billion data records lost or stolen since 2013, the fact that Ellen and her team have overseen a steady reduction in payment card fraud really is quite remarkable."
It is not difficult to track the pace at which cybercrime has exploded in the past decade, and what it has meant to have Richey in place to protect payment data, said Julie Conroy, a research director and fraud expert with Aite Group.
"With 13 billion data records lost or stolen since 2013, the fact that Ellen and her team have overseen a steady reduction in payment card fraud really is quite remarkable," Conroy said.
It is even more impressive when considering all of the potential compromise points for hackers to target in more than 16,000 banks, 45 million merchants and 3 billion consumers, Conroy added.
"Under Ellen's tenure, Visa has been one of the leaders in establishing policies, protocols and products that help better protect payment data and devalue the data through tokenization, and bringing more dynamic forms of customer authentication," Conroy said.
Visa knows it will have big shoes to fill when Richey steps down.
"For nearly 12 years, Ellen Richey has played an invaluable role in protecting the broader payments ecosystem and strengthening trust as vice chairman and chief risk officer at Visa," the company said in a statement about Richey's pending retirement. "She combined an already impressive career in the financial and legal fields to work in payment security. She has led not only our company, but also the entire industry, during a time of challenges and change for payments."
Even though Richey leaves a strong security team behind at Visa, "her vision and energy will, without question, be missed," Conroy said.
Remembering her mentors
If there is one trait Richey chose to guide her as a leader, it would be respect for those who worked with her.
"One thing I live by almost instinctively is that I believe in treating everyone with respect, no matter what job they have, whether it is the CEO of the company or the person who brings coffee in," she said. "I feel I can learn something from everybody."
Richey picked up that philosophy from
"It had a big influence on me because here he was, a justice of the Supreme Court [who] definitely had his own philosophy on things," Richey said. "And here are these recent law graduates working with him — and he knew far more than we did, but felt our opinion and analysis were on equal par with him."
Richey took that as a lesson, and believes those who worked with her over her career noticed that quality in how she treated others.
"He was an incredible guy and a definite inspiration for me," Richey said of Powell, who died at age 90 in 1998.
Visa spokesperson Sandra Chu has watched Richey's roles at the company evolve, and can vouch that her co-workers notice her demeanor and fairness.
"Ellen's ability to connect with people is a key as to why she is asked to go beyond her role with risk at Visa," Chu said. "Ellen does a lot of our work on the China market entry and other issues that take her around the globe in meeting with the highest leaders."
Richey's other mentor was Joe Saunders, who was Visa's first CEO when it became a public company in 2007. He hired Richey at Visa.
Saunders didn't hire Richey on a hunch — he was the CEO at Providian Financial and worked with Richey when the bank went through tough times, leading to its sale to Washington Mutual in 2005.
"He came into a situation at the bank for a turnaround and I will never forget his ability to motivate everyone," Richey said. "Things seemed to be hovering on the edge of going completely wrong, yet he maintained his optimism and got things done. He always made you feel you were going to get through a tough situation."
Indeed, even though Richey brought a unique perspective to Visa and was said to be an inspiring leader, she credits her team for stepping up the fight against payment card fraud.
"I don't think I can take total credit for it, but with the new cyberattacks and the sophistication and funding of the criminal sector since I have been here, it is astounding that we have held our own," she said. "We have remained stable here at Visa that whole time."
The next chapter
Retirement won't be particularly easy for Richey, who admits her "learning personality" will force her to keep in touch with what is happening in the industry.
But she has another passion that is likely to get more attention now — the Girl Scouts.
Richey has been president and board chairman for the Girl Scouts Council for all of northern California with its more than 35,000 girl members and 40,000 adult volunteers.
"It is quite an organization, and many people don't realize that Girl Scouts is really the premier leadership organization for girls in the U.S.," Richey said. "I'm really excited about spending more time with that in the future, getting more involved with the girls and helping them to attain leadership goals."
She also is not ruling out getting an old family piano tuned up. "I used to be an accomplished amateur pianist. I maybe can bring back that skill-set."
"I would like to think I have helped put the industry on the right path."
Richey would hope to describe her career in one sentence — "She secured payments for the long term." But knowing the payments industry as she does, she is reluctant to take that much credit.
"I cannot say I have made that contribution, but I would like to think I have helped put the industry on the right path," Richey said.
When she first came to Visa, Richey noticed that most of the payments policies and standards were regional in nature. She'd like to think she helped the company put the time, money and effort into the type of analytics needed to secure payment data on a global scale.
Mostly, she helped transform Visa from a company simply stressing
The idea that extra layers of defense can protect data is a far more solid game plan than ignoring the risk of having weak passwords, too many employees with access to private information, or unpatched software in key network points.
But there is another strategy, one that Richey and her team consider a new idea. It's one that could let the criminals know that organizations are no longer taking this cybercrime threat sitting down.
"It's not hacking back or anything like that, but striking back by finding out who these people are and where they are operating in cyberspace — and then working with law enforcement to stop them," she said.
Richey calls it "payment fraud disruption" and it essentially calls for organizations and security vendors to track where criminal servers are operating and shut them down.
"This is kind of a new idea, but you can see why I get excited, rather than frustrated, because we keep coming up with these new techniques," she said.
