Security and Trust Cybersecurity in payments requires a proactive approach

In today’s payments landscape, there are ever-evolving threats from AI deepfakes, sophisticated hackers, and attacks from the dark web. Businesses and consumers need to proactively create and execute cyber security strategies to stay ahead of these threats.

Visa is creating new opportunities for clients and partners to access our deep cybersecurity expertise through our value-added services and risk management offerings. This is part of Visa's $12 billion investment over the last five years in tech and infrastructure to help the payments ecosystem stay ahead of cybercrime.

Visa’s global head of Advisory Services, Carl Rutstein, and the newly appointed head of global cyber products, Jeremiah Dewey, sat down to share more.

What are the primary categories of threats facing the payments ecosystem today?

As digital commerce grows, so do the risks. In just the last few years, digital fraud has gone up over 300%.¹

Fraud typically falls within these categories:

• Application fraud, which is largely driven by identity theft i.e. one individual impersonating another;
• Card fraud, when there is unauthorized use of an account;
• Account to Account fraud, which encompasses unauthorized push payments across accounts or consumer e-wallets; and
• Scams and money mules where threat actors improperly use payment credentials and account access.

Each fraud scenario presents a different set of challenges. It is one of the reasons why cybersecurity is no longer a back-office function, but a top-line priority that is integral to a business’ growth strategy. And Visa is uniquely positioned to help our clients get ahead of these issues and lead with confidence.

Can you summarize the emerging trends in payments cybercrime?

There are a few emerging trends in cybercrime:

1. AI-driven cyberattacks. AI has become a double-edged sword in the world of cybersecurity. In the same way that Visa uses it to protect the ecosystem, fraudsters are exploiting it to scale and sophisticate their attacks. They include deepfakes, data poisoning, automated vulnerability discovery and phishing campaigns powered by natural language processing that mimic legitimate communications.
2. Adaptive malware programs that evolve in real time. AI-powered programs, like BlackMamba, can dynamically alter their codes or attack methods in real-time to evade detection. As new players enter the payments ecosystem, especially smaller ones who are less invested in cybersecurity, they become the weakest link in the chain and create new vulnerabilities.
3. Ransomware attacks targeting payment systems. Cybercriminals hack into and commandeer systems with precision and speed, then they hold the business’ entire operations and/or data at ransom. Ransomware-as-a-Service (RaaS) has now emerged as a business model for cybercriminals.
4. AI-powered social engineering attacks. Cybercriminals can now easily generate highly personalized and convincing threats that beat security measures. Whether they are malware attacks, deep fakes or highly personalized and convincing phishing emails, cybercrime in the payments context has led to billions of dollars in damage.

To stay ahead, many businesses are shoring up their approach to cybersecurity.

What is the focus of Visa’s Cybersecurity Advisory Practice and how does Visa Consulting and Analytics (VCA) help guide clients through cyber security challenges?

Visa's decision to launch the Cybersecurity Advisory Practice is driven by a clear and growing need among our clients to be much more proactive in an increasingly risky ecosystem.

The new practice provides a broad range of services for institutions of all sizes, guiding them through the process of creating and maintaining a robust cybersecurity strategy.

Current services that we offer clients include the Payment Cybersecurity Institute, where we provide workshops and training to empower a cyber vigilant workforce culture.

The team also provides enumeration defense and cybersecurity maturity assessments.

Enumeration defense is a term that helps merchants defend against a type of card fraud, when fraudsters test the combination of 16-digit card numbers, 3-digit CVVs and 4-digit expiration dates at various merchants. When they find a numerical combination that works, they then issue a flood of transactions at other merchants. We leverage artificial intelligence (AI) to track that activity and help clients mitigate risk.

Cybersecurity maturity assessments can help clients evaluate their current security capabilities, pinpoint weaknesses, and develop a roadmap for strengthening their cybersecurity posture.

Because the cyberthreat environment is constantly evolving and there is no one-size-fits-all for any client, Visa takes a holistic approach—drawing on the experience of Visa’s Consulting and Analytics global network, which includes thousands of consultants and data scientists, ensuring that clients have access to the right expertise and products for any situation. The new practice is structured to be flexible and responsive, so our team can provide solutions that are both comprehensive and specifically tailored to each client’s particular situation.

What new services are on the horizon for Visa’s Cybersecurity Advisory Practice?

It is our priority to protect Visa and its ecosystem partners, ensuring that we are the most secure, resilient and trusted engine in commerce. To do this, we continually invest and innovate in new technology and collaborating with business partners. The new Cybersecurity Advisory Practice is considering a roll out of additional services such as threat intelligence and vulnerability testing and assessments, which is subject to change and availability.