Gord Jamieson is a Senior Business Leader at Visa and serves as the head of Canada Risk. His goal is to differentiate Visa from competition, reduce risks of regulatory impact and support core growth by engaging Canadian clients to minimize payment system risks. Having been with Visa for 17 years, he has always been in the Risk function. Prior to joining Visa, Jamieson served as a member of the Royal Canadian Mounted Police for 20 years. In that capacity, he has investigated organized crime involvement in forged credit card manufacturing and distribution. Jamieson has held positions as both the President and Vice-President of the Central Canada Chapter of the International Association of Financial Crimes Investigators (IAFCI) and presently is a member of the IAFCI Board of Advisors.
As the head of Visa Canada Risk Services, can you let us know about some of your responsibilities to give our readers a better idea of your role?
My role at VISA is to maintain the integrity of the payment ecosystem. We are a client facing function at Visa and work with entities involved in the transaction process to deliver the best experience possible for the vendor, merchant, financial institution, and consumer.
What are some of the initiatives you’re planning to put in place to help prevent fraud?
I have been working on several initiatives and they have been ongoing for some time. We have gone through the process of integrating the EMV chip which started 10 years ago. In fact, Canada is considered a mature chip market globally.
The main challenge we face is how do we further secure the payment ecosystem, and our main focus has been the e-commerce and the card not present channels. By securing the fraud at the point of sale, fraudsters started looking at other fraud opportunities. We’re seeing all-time lows in fraud in Canada because of the chip. We also implemented the 3-digit CVV2 code on the back of the card, and all merchants (e-commerce and telephone order for example) require the 3-digit CVV2 code on the back. If you require an additional value in the transaction process, it’s just another hurdle for fraudsters.
There is also risk based authentication: we have a tool that’s known as ‘Verify by VISA’. We don’t prompt the consumer for a password. Instead, we use several other tools for confirmation. By October 2020, we’re requiring all merchants in Canada to become EMV chip enabled. When we migrated to chip in 2011, a merchant could make the choice when to migrate. If they decided not to and the consumer was a victim of fraud, the merchant would be liable.
Statistics reveal that 1 in 5 businesses can be victims of fraud. What do you believe is the main cause of that?
From a data breach perspective, in the last 2 years, over 75% of data breaches are targeting smaller card not present merchants. That’s where they are exploiting the data.
Merchants often rely on a vendor to install a point of sale terminal. If they own a restaurant, they may know how to make a good pizza but may know very little about the security details when it comes to accepting payments. They are therefore dependent on a third-party vendor to properly install and securely maintain their point of sale environment. Whereas larger organizations may have a department dedicated to improving ways to make the payment process as secure as possible for all parties involved.
From a fraud perspective, merchants need to deploy tools to protect their payment environment, especially deploying EMV chip. In the card not present channel, using tools such as CVV2, address verification value, ‘Verified by Visa’ and other third party or proprietary tools.
What role does Visa Canada Risk Services play when it comes to fraud prevention?
At Visa, we take a comprehensive approach to security that relies on multiple layers of technology and analytics. We examine and analyze the four security pillars: protecting data, devaluing data, harnessing data, and empowering the consumer.
Visa’s role is to promote this strategy to our clients and partners. Through many years of extensive research and analysis of the payments industry, we have learned that security must be multi-layered, and it must be built into the foundation from the beginning. It cannot be an afterthought or an isolated effort. It must be part of the DNA of our innovations and technology advancements. This approach has helped us keep fraud low despite the increasing cyber threats. We keep evolving daily to stay ahead of criminals.
Any entity that processes transmits or stores account data, must do so according to the Payment Card Industry Data Security Standards (PCI DSS). The criminals are after data, so the idea is to devalue data in the environment so it’s useless to the fraudster. The EMV Chip plays a major role in devaluing data because it is dynamic and changes with each transaction.
There will be a huge push in the market towards tokenization. This is the concept of replacing the 16-digit account value with a proxy value that is relevant to that account. The token can be replaced anytime that it’s compromised without changing the account number. For example, when you tap your mobile phone, a token is sent to the issuer for authorization. That token is unique to that device and that domain. This is part of devaluing data.
Through harnessing transaction data, Visa reviews and analyzes fraud patterns. We consider where breaches have happened and we are able to make timely risk decisions. We use our AI technology called ‘Visa Advanced Authorization’, to analyze over 500 unique risk attributes within a millisecond, searching for fraud the moment a payment is initiated. This process is repeated up to 32,500 times per second, with Visa’s AI analyzing more than six billion pieces of data every day.
Empowering the consumer: rather than relying on consumers to check their monthly statements, their mobile devices connect them to their financial institutions in real time. Consumers can use real time purchase payments alerts, turn their cards on and off, or choose to share their geo-locations. For example, in the past, I have been alerted on my mobile phone to a transaction that I did not authorize. I then proceeded to call my issuer and report the transaction. We encourage consumers to pay attention to suspicious transaction activity on their accounts and become empowered to stop fraud. It’s becoming easier than ever with consumer alerts offered by their issuers.
In your expert opinion, what typically represents a red flag that could indicate that a business has been a victim of fraud?
It depends on the channel. For the card present channel, we’re seeing less and less fraud because of chip. With the card not present channel, larger-than-normal orders, multiple orders for the same product, multiple cards used for a single purchase, orders for products readily convertible to cash (gift cards) or orders made up of “big-ticket” items can all signal a red flag. You need to ask yourself: is that how a normal consumer would purchase their goods? If something seems a little more suspicious than the average transaction encounter, perhaps look into. But often, it may not be one specific detail on its own but several that add up to lead the merchant to believe that it could potentially be fraud. Perhaps it’s delivery to an international address, or sometimes when the billing is different than the shipping address. When you combine all these things together, that can certainly raise a red flag rather than one of these scenarios on its own.
What fraud prevention advice can you give to a business owner who is in the Startup phase?
In general, security should be a multi-layered approach. You have to look at channels that you will be operating in. If you operate in the card present transactional encounter, you will be looking at deploying EMV chip. With card not present, you will look at all the tools at your disposal: CVV2, Address Verification Service, ‘Verify by Visa’, and others mentioned earlier.
If you don’t absolutely need sensitive data like account numbers, don’t keep it. Ensure you are PCI (Payment Card Industry Data Security Standard) compliant and that you are using a qualified 3rd party vendor. Ensure that your systems are regularly checked. From a data security perspective, merchants should be aware of certain simple. They should be encouraged to install vendor patches in a timely manner. The most common vulnerability today is that the merchant leaves remote access to their network ‘ON’ all the time. Its equivalent to leaving your door open and allowing people to walk in. Remote access to a merchant’s network should only be turned ‘ON’ when it’s needed to service the acceptance environment.
Look for all the red flags around transactions, and if something does not seem right, then certainly investigate it!
What are the top 3 mistakes that business owners make that could ultimately lead to being a victim of fraud?
- Storing data when there’s no need for it. If you do need to store it, look into ways of protection – tokenization.
- Limit your risk and understand the red flags. Be careful about how you accept data when conducting a transaction and know when you are liable.
- Not being PCI compliant.
On a final note, what is your outlook for the next five years when it comes to fraud prevention?
For Visa to continue to be the partner of choice for our clients, we are investing in new technologies to stay ahead of where Canadians’ purchasing trends are going, and to ensure that each transaction secure. We provide expert insights and access to navigate through these changing landscapes. Over the next five years, the key focus will be to devalue data through EMV chip in the card present environment and tokenization in the card not present channel. It’s difficult to try to protect this data completely. It’s a very tough challenge! Our goal at VISA is to move towards creating a better cardholder experience, securing the payment transaction and eliminating the friction associated with transactions.
Visa Inc. (NYSE: V) is the world’s leader in digital payments. Our mission is to connect the world through the most innovative, reliable and secure payment network – enabling individuals, businesses and economies to thrive. Our advanced global processing network, VisaNet, provides secure and reliable payments around the world, and is capable of handling more than 65,000 transaction messages a second. The company’s relentless focus on innovation is a catalyst for the rapid growth of connected commerce on any device, and a driving force behind the dream of a cashless future for everyone, everywhere. As the world moves from analog to digital, Visa is applying our brand, products, people, network and scale to reshape the future of commerce. For more information, visit visa.ca, visacorporate.tumblr.com and @VisaNewsCA.