Visa knows where commerce is headed: the change from card to phone leading to financial services done via social platforms. So, in preparation for the next generation of social payments, Visa is testing and refining all sorts of behavioural biometrics, from voice recognition into more passive states of "ambient authentication".
This involves the way that people behave with their devices, like the average pressure on the screen, the way they use the keys, range of motion, predominant hands, average amount of charging during the day etc.
Measuring a combination of between 100 and 200 vectors in the background can offer a pretty fair determination that the person is the owner of the device. Looking forward to ubiquitous social payments, Visa wants to work with platforms to create secure transactions that don't require the level of intervention by the payer that they perhaps do today.
Bill Gajda, senior vice president of innovation and strategic partnerships at Visa, said: "If your screen is always on and you are looking at it while you are doing this social media payment, we can authenticate your face three or four times a second while you are making that payment. We can probably create a pretty good profile around that payment that convinces us that you are who you say you are. So we are looking at a lot of ways we can add value and take friction out of those payments.
"It's that balance between how we use some of the machine learning, AI or biometrics as it emerges, to create on the one hand a seamless customer experience and take friction out of it and move a lot of this authentication into the background – what we call ambient authentication. But at the same time, move more towards risk based authentication, where we can use multiple factors that don't involve direct participation of the buyer to add even more certainty or other factors to authentication."
This is a frictionless digital world where chatbots will assist banking services embedded in social media platforms. And it brings with it a number of security concerns. "It's one thing if you put a chatbot on a mobile banking app which is at very much kind of closed and secured environment," said Gajda. "But if you are going to put chatbots on public platforms, then the whole idea around whether it's voice authentication or some of the behavioural biometrics that can isolate and identify that user from another user of that same platform on that same device, become really important in order for those things to scale."
"It's really early days in this space but we are thinking about all the ways that we can use this mobile and related technology to put authentication in the background and convince ourselves that that one in one million is a good or a bad transaction."
Fighting fraud is a running battle which evolves at pace with technology. Today a whole fraud industry operates on the dark web, where hacked credit card numbers can be tested on a grand scale using downloadable software scripts, for example.
Peter Bayley, global head of fraud strategy & executive director ecosystem risk, Visa Europe, said: "Today this is less about card data and more about identity data. Without doubt, this has become a commercial business in its own right and is far broader than card payments. This is a fundamental issue that we as a society are going to have to work to manage. Visa does monitor this stuff; of course we do, we have to. To see what activity is going on, what's changing, are the volumes changing, who is being mentioned, what attacks etc. But mostly our focus is to remove the capability of this information to be re-used."
Visa cards are designed to be used easily almost anywhere, be that at ATMs, point of sale, online, contactless. Tokenisation is one way of addressing the problem of "replayability" of data, by restricting a card's use.
"If somebody has loaded a card to a given merchant or a given device, only for use in that device, well why should it ever be used anywhere else but in that device? This is effectively reducing attack vectors and making it much harder for folks to attack our system," said Bayley.
Gajda explained how tokenisation has allowed Visa to ramp up its innovation "Say four or five years ago people would come to us with great ideas about how to put a card number in a car, or in a white good, or some consumer electronics, a mobile phone.
"But unless there was a very specific use case, usually involving hardware, we had to say no, because there was too much systemic risk putting the actual card number in all these myriad devices. If one of them goes wrong, so does your entire card identity, the plastic, and everywhere you put it; every card on file now has to be replaced.
"So as a result we kind of slowed down innovation because we just knew we didn't quite have all the right capabilities to address the pace of innovation.
"We expect over time people are going to 20 or 30 active tokens, and probably eventually have a dashboard where they will be able to manage them differently; spend controls on this, time of day on this, certain merchants on this if they like."
Bayley added: "But fundamentally, for a lot of customers, they won't even know they have got a token. They don't need to know. All they need to know is it's not a problem."