The Gatekeeper: Talking Data Security with Visa CIO Mike Dreyer

By CIOinsight  |  Posted 09-06-2006


In the brave new world of data theft, Visa USA is sitting on the Fort Knox of personal information. Though he won't say just how much information the 21,000-member association is hoarding in its top-secret data centers around the world, Mike Dreyer, the executive vice president for technology solutions at Inovant LLC, Visa's IT subsidiary, is not afraid to drop some big numbers. "I forget sometimes just how many transactions we process," says Dreyer. "Right now we average about 100 million transactions a day, and we can handle up to 300 million. So already you're talking a huge amount of throughput. About 1,200 to 1,500 bytes of data in each transaction. We can process over 7,000 transactions per second. That still boggles my mind."

Appropriately, Dreyer is tight-lipped and guarded when talking about his network's security. The data that passes through it, and ultimately comes to rest in the San Francisco-based company's storage facilities, is coveted by nearly every imaginable party, both good and bad: hackers, petty thieves, marketers, day traders, terrorists and government agencies. All of this data must be fiercely protected, even as Visa undergoes major upgrades to its systems on a regular basis, a process Inovant CEO John Partridge likens to changing the engines on a 747 in mid-flight.

But in a recent conversation with Executive Editor Dan Briody, Dreyer opened up long enough to give us a glimpse at Visa's overall security philosophies. He also explained the value of separating the IT arm of the company out as a subsidiary, and how the advent of Advanced Authorization, a fraud detection program the company rolled out last year that assigns a risk score to each transaction, is translating into big bucks for Visa and its member banks. An edited version of his remarks follows.

Visa's IT Subsidiary

CIO Insight: What is Inovant? What is the purpose of creating a separate IT subsidiary within Visa?
Dreyer:
Setting up Inovant as a separate entity allows for a cleaner division of responsibilities between what the business is trying to accomplish and what we, from a systems perspective, are trying to do.

We're set up as the IT arm, so we actually work with the various regions to understand what they're trying to accomplish, because what might be done in Asia Pacific, although the basic principles are the same, might be done differently in another area of the globe.

What kind of traffic are we talking about on the Visa network?
In 2005, we processed, or settled I should say, nearly 2 trillion U.S. dollars around the globe, and that's big in anybody's book. We have more than 1.3 billion cardholders on a worldwide basis. Over 20 million merchants accept Visa. You're looking at about 21,000 member financial institutions. And our transaction volume is growing at about 20 percent year over year.

All of this happens while we undergo two major upgrades every year with no downtime. So you have to have continuous availability, and that doesn't include the day-to-day enhancements we make to the system with no impact to the system's availability, reliability or flexibility. It's a fairly fast, complex, interwoven relationship.

What would the consequences be if the network went down?
We don't talk about that. It's in our DNA that we're up and running. Reliability, that comes first with us. Then security.

What is your general security philosophy?
We're obviously committed to being the safest, most reliable way to pay. We start with that as our basic tenet. And then we continually invest in technology.

We have an integrated, multilayered approach to security. What I mean by that is we look at it as layers: data, applications, platform and network. And then we employ a suite of fraud prevention and remediation tools.

Within data, you have two categories: data in flight and data at rest. Data is either going through a transaction right now, meaning "in-flight," or it is at rest, meaning it's in one of our systems.

How do you treat each differently from a security standpoint?
When data's in-flight, there's shared responsibility throughout the entire payment chain. But when the data comes into Visa, we screen it with our security tools, one of those being Advanced Authorization, where we look at a number of risk factors and help the industry in making better decisions about that transaction. So there are a number of things that happen there.

When data's at rest, it's really stored within our environment, and it's our internal security that keeps it safe here.

Securing the Network without Slowing it Down

What is Advanced Authorization?
As long as there's been money, there have been incidents of fraud. So you have to get very good at being able to combat that, and that requires working together.

We invest hundreds of millions of dollars each year to either upgrade or add new capabilities, and Advanced Authorization, which is what we launched last year, is a real-time risk-scoring system. It allows us to identify fraudulent transactions while the data is still in-flight, before being authorized. So we actually hit it at the start of the chain, if you will. And what Advanced Authorization does is it really supports highly informed decision-making. We look for vertical fraud, like anomalous activity occurring in a single account, and horizontal fraud, irregularities across either a number of cards or merchants.

That's got to slow down the transaction times.
Time is paramount in this industry. We knew we had to be able to add security into the payment chain and not have any degradation or latency of the time it takes to bring that information back. Our round-trip transaction time is 1.4 seconds, the same as it was before Advanced Authorization.
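Dreyer describes Advanced Authorization only in outline: a real-time scorer that runs on the authorization message before approval, looking for "vertical" anomalies within one account and "horizontal" anomalies across many cards at one merchant, with no added latency. The block below is an added illustration written for this page, not Visa's code and not a description of how Advanced Authorization actually scores. It shows one way to implement that shape of check: bounded sliding windows keyed by account and by merchant, so per-transaction work stays small regardless of total volume. The rules, thresholds, field names and the transaction stream are all constructed assumptions for the example.

```python
"""Toy in-flight risk scorer: vertical (per-account) and horizontal (per-merchant) checks.

Added example for this page; it is not Visa's Advanced Authorization.
All rules, thresholds and sample transactions are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: float        # seconds (constructed clock)
    account: str     # cardholder account, anonymized
    merchant: str
    amount: float
    country: str


class RiskScorer:
    """Keeps only recent history per key, so scoring cost is bounded by the window."""

    def __init__(self, window_s=600, velocity_limit=4, spike_factor=5.0,
                 merchant_card_limit=4, test_charge_max=2.0):
        self.window_s = window_s
        self.velocity_limit = velocity_limit          # prior txns on one account
        self.spike_factor = spike_factor              # amount vs. recent mean
        self.merchant_card_limit = merchant_card_limit  # distinct other cards at merchant
        self.test_charge_max = test_charge_max        # "card testing" micro-charges
        self.by_account: dict[str, deque[Txn]] = defaultdict(deque)
        self.by_merchant: dict[str, deque[Txn]] = defaultdict(deque)

    def _evict(self, dq: deque[Txn], now: float) -> None:
        # Drop entries older than the window; state per key never grows unbounded.
        while dq and dq[0].ts < now - self.window_s:
            dq.popleft()

    def score(self, t: Txn) -> tuple[int, list[str]]:
        score, reasons = 0, []

        # Vertical checks: anomalous activity within a single account.
        acct = self.by_account[t.account]
        self._evict(acct, t.ts)
        if len(acct) >= self.velocity_limit:
            score += 40; reasons.append("velocity")
        if any(p.country != t.country for p in acct):
            score += 30; reasons.append("geo-jump")
        if len(acct) >= 2:
            mean_prior = sum(p.amount for p in acct) / len(acct)
            if t.amount > self.spike_factor * mean_prior:
                score += 30; reasons.append("amount-spike")

        # Horizontal checks: irregularities across many cards at one merchant.
        merch = self.by_merchant[t.merchant]
        self._evict(merch, t.ts)
        other_cards = {p.account for p in merch if p.account != t.account}
        if len(other_cards) >= self.merchant_card_limit:
            score += 30; reasons.append("merchant-burst")
            small = all(p.amount <= self.test_charge_max for p in merch)
            if small and t.amount <= self.test_charge_max:
                score += 20; reasons.append("card-testing")

        acct.append(t)
        merch.append(t)
        return min(score, 100), reasons


def classify(score: int, review_at=40, decline_at=70) -> str:
    """Issuer-side policy: the scorer only informs; thresholds are the issuer's choice."""
    if score >= decline_at:
        return "decline"
    return "review" if score >= review_at else "approve"


# Constructed stream: a geo/amount jump on A1, a card-testing burst at M-shady,
# a quiet A1 purchase after the window has expired, then rapid fire on A2.
SAMPLE = [
    Txn(0, "A1", "M-grocer", 42.10, "US"),
    Txn(120, "A1", "M-coffee", 4.50, "US"),
    Txn(180, "A1", "M-electro", 899.00, "DE"),
] + [Txn(300 + i, f"B{i+1}", "M-shady", 1.00, "GB") for i in range(6)] + [
    Txn(1000, "A1", "M-grocer", 30.00, "US"),
] + [Txn(2000 + 10 * i, "A2", "M-grocer", 20.00, "US") for i in range(5)]


def run_sample() -> list[tuple[int, list[str]]]:
    scorer = RiskScorer()
    return [scorer.score(t) for t in SAMPLE]


if __name__ == "__main__":
    for t, (s, why) in zip(SAMPLE, run_sample()):
        print(f"{t.ts:6.0f} {t.account:3} {t.merchant:10} {t.amount:8.2f} "
              f"score={s:3d} {classify(s):8} {','.join(why)}")
```

The separation between scoring and `classify` mirrors the point made later in the interview: the network can attach a score to every authorization, but each issuer decides its own tolerance for declining or reviewing, so the same score can produce different outcomes at different banks.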

So how often do bad guys slip between the cracks?
Fraud is about 7 cents per $100, or as we refer to it, 7 basis points. That's the industry average, and it's been fairly stable for any number of years.

Many companies struggle to measure the value of security initiatives. How do you measure the ROI on something like Advanced Authorization?
That's a fair question, and we look at it not only from a Visa standpoint but across the payment chain as well. Even when you're investing the amount of money we invest, it's a finite universe of money. So we do rank the projects and understand their impact.

As with any organization, there have to be business cases that are justified and looked at and so forth. But there are some cases in which the importance of maintaining that trust and safety within the payment industry is such that you have to harden your systems, no matter the cost.

Over the last year, Advanced Authorization has identified about $350 million of fraud across all products for our members, creating the potential—and I do mean potential, because it depends on how you apply the information, since everyone looks at fraud in different ways and has different tolerances—to reduce fraud by 30 percent.

So Advanced Authorization is really a service that IT created for the business side to roll out, right?
All our efforts are collaborative, without a doubt, but it starts with the product side saying, "we have a challenge here, and how do we go about solving it for the industry?" Then they work with us to learn how we can use the systems or add incremental information to an authorization message stream, or whatever, in order to take advantage of these new risk-scoring tools or other things, without increasing the transaction time.

We work with our product partners because they're the ones that are coming up with the new products and applications. The product group provides the thought leadership in the market. Our job is to understand what the product group is trying to accomplish and help them make more informed decisions and help them to execute cleanly. Because they're driving the business.

Bringing Business to IT

Do you come from a technology background?
I've been with Visa going on nine years. I've been in this position for about the last 14 months. Prior to that, I worked on the Visa USA side where I ran emerging products, which is really the corollary to this position. And then I ran the commercial group for a while as well.

Before that, I worked at American Express on the technology side, and with a couple of banks as well.

So how does having a hybrid background inform your view of IT at Visa?
I think it allows you to work more collaboratively with your business partners, so you understand what they're trying to do in the market. It enables you to think about what can be done with the systems in a way that solves real business problems, possibly even with the assets you currently have, just by using them a different way. But I think it's a very strong partnership between the two organizations.

Not everyone in IT organizations understands that. How do you sell it to your employees?
We have what we call VTEX, or the Visa Technology Exchange, where our business partners come in and explain the practical business challenges they have in the market, so we can help translate them into what we are trying to do with the systems we build and operate on a daily basis. That's how we broached the subject of Advanced Authorization.

What spurred the need for this kind of Advanced Authorization?
It's an evolution of fraud. We just want to make sure that we stay ahead of it and work with our members, merchants and other stakeholders to keep ahead. Ideally, what we want to do is detect and stop fraud before it happens. I mean, really that's what the industry would like to do as a whole, and certainly Visa is committed to doing that. Advanced Authorization is one way of answering that challenge.

Recent media attention has raised consumer awareness, so we're very sensitive to those concerns. We have a brand that people look to as far as trust and safety and security are concerned, and we take that responsibility very seriously. We want to preserve the trust that consumers and businesses have placed in electronic payments and in Visa in particular.

Is consumer awareness of credit card fraud a good thing for Visa, or a bad thing?
You're talking about an erosion of confidence. Overall, I think consumer awareness is great.

Look, 15 years ago, how often did you use e-mail? Almost never. And now it's part of your life. It would be tough to operate without it. The same goes for electronic payments, and our job is to make sure we keep driving that trust and that high level of security. It's important, and I think the fact that consumers understand is fantastic.

Did you know that dumpster diving for pieces of paper is still the most effective way to get information on someone? Consumers now understand that they need to shred documents.

So if consumers and merchants trust Visa as a safe form of payment, that's our measure of success as we continue to fight fraud, because fraud's going to be here. And we'll fight it in both its current and evolving form.

Visa arguably has the most valuable treasure trove of personal information in the world, the so-called "data at rest." How do you protect these data centers? Armed guards? Attack dogs?
We don't go into the details of how we protect the data at rest. Suffice it to say that we take the safeguarding of information very, very seriously. It's our fiduciary responsibility to the entire payment chain. We've hardened our systems and our access for those purposes, but that's about as far as I'm willing to go.