Card Breaches Catalyst for More Info SharingACI's Braatz Says Enhanced Cyberthreat Intelligence Needed
Major breaches at retailers, including Target Corp. and Neiman Marcus, will likely be catalysts for enhanced information sharing across the retail and banking sectors, says Mike Braatz, senior vice president of payments risk management for ACI Worldwide, an electronic payments company.
See Also: 7 SIEM Trends to Watch in 2019
But Braatz says most industries aren't yet very close to implementing effective cross-sector information sharing.
"There are a lot of hurdles," Braatz explains during this interview with Information Security Media Group (transcript below). "But I think some of the large-scale high-profile data breaches we've seen are pushing us closer to that model. I think people realize that is where the big opportunity lies."
During this interview, Braatz also discusses:
- How breaches could be detected sooner with information sharing;
- Why big data analysis remains challenging; and
- How big data could help card issuers reduce expenses in the wake of a card breach.
At ACI Worldwide, Braatz is responsible for the strategy and delivery of payments fraud products and solutions. Previously, Braatz worked for Memento, a provider of enterprise fraud management solutions that was acquired by FIS.
TRACY KITTEN: How could big data enhance the detection?
MIKE BRAATZ: If you think about the amount of data that is generated on the financial institution side and what they're monitoring, and then think about what is generated on the merchant side, there is a tremendous amount of data there. It's coming from a variety of channels, whether it's in the stores, branches of the financial institutions or, of course, from the online and mobile channels. That mix of data is really right for some of the big data applications and technologies we've seen, and where you really have the opportunity is if you can get merchants, financial institutions, or in some cases both, to cooperate and share data. That really unlocks a fraud detection and monitoring opportunity that I don't think the industry has ever seen. I think it would help us get our arms around the impact of these data breaches sooner and a lot faster.
Card Issuers' Strategy
KITTEN: How could big data help to enhance the strategy that card issuers use in a post-breach environment?
BRAATZ: Their strategy has been primarily to determine which cards have potentially been compromised, and then make their own risk decisions about reissuing cards. ... Reissuance is always going to be a strategy they have, but I think they can make it much more targeted with big data approaches. So they can save themselves a lot of money on the reissuance side [by] using a big data and analytics approach. ... It's being able to mine through all that data and get much more targeted about the risk levels that these cards are facing. As opposed to reissue, they can do a much more close monitoring job of the cards that have been exposed.
Big Data Helping Retailers
KITTEN: How could big data help retailers mitigate their risks?
BRAATZ: There is an opportunity for retailers to share data. If you are one merchant, you have a fairly narrow view of that customer or card's activity at your stores. But if you combine that with activity across multiple stores, multiple segments of the market, you can build a much richer profile of that customer and card's behavior. That allows you to do anomaly detection much earlier in the process. Again, it may not prevent the data breach itself, but it can prevent some of the fraud that happens as a result much earlier in the process.
KITTEN: How would some of that information sharing be facilitated?
BRAATZ: There are a lot of vendors that would like to get into that business because there is a big opportunity to provide value and reap the [benefits] from that. I think there is also an opportunity for some of the industry groups, and even consortiums of merchants in the same segment and financial institutions in the same geographies, to get together and create some type of data sharing consortium so that they could set up an independent third-party to facilitate information sharing. They also could rely on a vendor solution for that.
Eliminating POS Fraud
KITTEN: How will eliminating fraud at the POS in the face-to-face environment impact fraud in the card-not-present environment?
BRAATZ: There is opportunity is to share data and just do a better job profiling and identifying anomalies. That is exactly the type of prevention and risk management that these retailers and financial institutions can do. Put it in place in advance of the shift to EMV [the Europay, MasterCard, Visa standard], because we know when EMV happens, as we've seen in all other parts of the world, the fraud shifts to the card-not-present world. If we have data sharing, anomaly detection and point-of-compromise analysis in place prior to that, I think we're going to be better prepared in the U.S. than they were in other parts of the world.
Banks Sharing Info with Retailers
KITTEN: Do you see banking institutions, as card issuers, and retailers really working toward sharing information?
BRAATZ: It's hard to say. I think we're still a ways off. There are a lot of hurdles, some of them probably regulatory, about how to figure out the data-sharing model. But it has been done in certain, small cases. We're still probably talking years until it's really in place, but I think some of the large-scale, high-profile data breaches we've seen are pushing us closer to that model. I think people realize that is where the big opportunity lies. We can do a lot of little things to make it better, but the big opportunity lies in data sharing. With some of these big events, we have a lot more incentive to make progress there.